Total: 347 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2023-28191 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2024-12-05 | 5.5 Medium | This issue was addressed with improved redaction of sensitive information. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, macOS Big Sur 11.7.7, macOS Monterey 12.6.6, iOS 16.5 and iPadOS 16.5. An app may be able to bypass Privacy preferences.
CVE-2024-45495 | | | 2024-12-04 | 4.3 Medium | MSA FieldServer Gateway 5.0.0 through 6.5.2 allows cross-origin WebSocket hijacking.
CVE-2023-32553 | 3 Microsoft, Trend Micro Inc, Trendmicro | 3 Windows, Trend Micro Apex One, Apex One | 2024-12-04 | 5.3 Medium | An improper access control vulnerability in Trend Micro Apex One and Apex One as a Service could allow an unauthenticated user under certain circumstances to disclose sensitive information on agents. This is similar to, but not identical to, CVE-2023-32552.
CVE-2023-32223 | 2 D-link, Dlink | 3 Dsl-224 Firmware, Dsl-224, Dsl-224 Firmware | 2024-11-27 | 8.8 High | D-Link DSL-224 firmware version 3.0.10 allows post-authentication command execution via an unspecified method.
CVE-2021-47157 | 1 Kossy | 1 Kossy | 2024-11-25 | 9.8 Critical | The Kossy module before 0.60 for Perl allows JSON hijacking because of X-Requested-With mishandling.
CVE-2022-21712 | 4 Debian, Fedoraproject, Redhat and 1 more | 4 Debian Linux, Fedora, Openstack and 1 more | 2024-11-25 | 7.5 High | twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.
CVE-2014-125071 | 1 Gribbit Project | 1 Gribbit | 2024-11-25 | 5.5 Medium | A vulnerability was found in lukehutch Gribbit. It has been classified as problematic. Affected is the function messageReceived of the file src/gribbit/request/HttpRequestHandler.java. The manipulation leads to missing origin validation in websockets. The name of the patch is 620418df247aebda3dd4be1dda10fe229ea505dd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217716.
CVE-2023-40547 | 1 Redhat | 6 Enterprise Linux, Rhel Aus, Rhel E4s and 3 more | 2024-11-24 | 8.3 High | A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase; an attacker needs to perform a Man-in-the-Middle attack or compromise the boot server to be able to exploit this vulnerability successfully.
CVE-2024-50654 | 1 Pickmall | 1 Lilishop | 2024-11-21 | 7.5 High | lilishop <=4.2.4 is vulnerable to Incorrect Access Control, which can allow attackers to obtain coupons beyond the quantity limit by capturing and sending the data packets for coupon collection in high concurrency.
CVE-2024-6301 | 1 Conduit | 1 Conduit | 2024-11-21 | 5.3 Medium | Lack of validation of origin in the federation API in Conduit, allowing any remote server to impersonate any user from any server in most EDUs.
CVE-2024-5905 | 1 Paloaltonetworks | 1 Cortex Xdr Agent | 2024-11-21 | 4.4 Medium | A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local low privileged Windows user to disrupt some functionality of the agent. However, they are not able to disrupt Cortex XDR agent protection mechanisms using this vulnerability.
CVE-2024-5549 | | | 2024-11-21 | N/A | A CORS misconfiguration in the stitionai/devika repository allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability also enables attackers to perform actions on behalf of the user, such as deleting projects or sending messages. The issue arises from the lack of proper origin validation, allowing unauthorized cross-origin requests to be executed. The vulnerability is present in all versions of the repository, as no fixed version has been specified.
CVE-2024-41143 | 1 Skygroup | 1 Skysea Client View | 2024-11-21 | 7.8 High | An origin validation error vulnerability exists in SKYSEA Client View Ver.3.013.00 to Ver.19.210.04e. If this vulnerability is exploited, an arbitrary process may be executed with SYSTEM privilege by a user who can log in to the PC where the product's Windows client is installed.
CVE-2024-36421 | 1 Flowiseai | 1 Flowise | 2024-11-21 | 7.5 High | Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated), arbitrary origins may be able to make requests to Flowise, stealing information from the user. This CORS misconfiguration may be chained with the path injection to allow attackers without access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available.
CVE-2024-36303 | 1 Trendmicro | 1 Apex One | 2024-11-21 | 7.8 High | An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2024-36302.
CVE-2024-36302 | | | 2024-11-21 | 7.8 High | An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2024-36303.
CVE-2024-32764 | | | 2024-11-21 | 9.9 Critical | A missing authentication for critical function vulnerability has been reported to affect myQNAPcloud Link. If exploited, the vulnerability could allow users with the privilege level of some functionality via a network. We have already fixed the vulnerability in the following version: myQNAPcloud Link 2.4.51 and later.
CVE-2024-2377 | | | 2024-11-21 | 7.6 High | A vulnerability exists in the too permissive HTTP response header web server settings of the SDM600. An attacker can take advantage of this and possibly carry out privileged actions and access sensitive information.
CVE-2024-2182 | 1 Redhat | 1 Enterprise Linux | 2024-11-21 | 6.5 Medium | A flaw was found in the Open Virtual Network (OVN). In OVN clusters where BFD is used between hypervisors for high availability, an attacker can inject specially crafted BFD packets from inside unprivileged workloads, including virtual machines or containers, that can trigger a denial of service.
CVE-2024-28883 | | | 2024-11-21 | 7.4 High | An origin validation vulnerability exists in the BIG-IP APM browser network access VPN client for Windows, macOS and Linux which may allow an attacker to bypass F5 endpoint inspection. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.