CVEs from 2024
Total
6,593
critical
critical 174
high
high 1,069
medium
medium 2,083
low
low 49
% Critical
2.6%
% with KEV
2.5%
% with exploit
3.4%
Top products
- mbed_tls 15
- operations_analytics_log_analysis 14
- surveillance_station 12
- checkmk 10
- office 8
- profilegrid 8
- office_long_term_servicing_channel 6
- propertyhive 5
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-21287 | unknown | — | 1.5 | 2y ago | Oracle Agile Product Lifecycle Management (PLM) contains an incorrect authorization vulnerability in the Process Extension component of the Software Development Kit. Successful exploitation of this v… | |||
| CVE-2024-38813 | unknown | — | 1.5 | 2y ago | VMware vCenter contains an improper check for dropped privileges vulnerability. This vulnerability could allow an attacker with network access to the vCenter Server to escalate privileges to root by … | |||
| CVE-2024-38812 | unknown | — | 1.5 | 2y ago | VMware vCenter Server contains a heap-based buffer overflow vulnerability in the implementation of the DCERPC protocol. This vulnerability could allow an attacker with network access to the vCenter S… | |||
| CVE-2024-9465 | unknown | — | 1.5 | 2y ago | Palo Alto Networks Expedition contains a SQL injection vulnerability that allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configu… | |||
| CVE-2024-9463 | unknown | — | 1.5 | 2y ago | Palo Alto Networks Expedition contains an OS command injection vulnerability that allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of use… | |||
| CVE-2024-49039 | unknown | — | 1.5 | 2y ago | Microsoft Windows Task Scheduler contains a privilege escalation vulnerability that can allow an attacker-provided, local application to escalate privileges outside of its AppContainer, and access pr… | |||
| CVE-2024-43451 | unknown | — | 1.5 | 2y ago | Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a file open operation. The attacker could then leverage this h… | |||
| CVE-2024-43093 | unknown | — | 1.5 | 2y ago | Android Framework contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2024-8957 | unknown | — | 1.5 | 2y ago | PTZOptics PT30X-SDI/NDI cameras contain an OS command injection vulnerability that allows a remote, authenticated attacker to escalate privileges to root via a crafted payload with the ntp_addr param… | |||
| CVE-2024-8956 | unknown | — | 1.5 | 2y ago | PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote, attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If comb… | |||
| CVE-2024-20481 | unknown | — | 1.5 | 2y ago | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a missing release of resource after effective lifetime vulnerability that could allow an unauthenticated, remote att… | |||
| CVE-2024-38094 | unknown | — | 1.5 | 2y ago | Microsoft SharePoint contains a deserialization vulnerability that allows for remote code execution. | |||
| CVE-2024-9537 | unknown | — | 1.5 | 2y ago | ScienceLogic SL1 (formerly EM7) is affected by an unspecified vulnerability involving an unspecified third-party component. | |||
| CVE-2024-40711 | unknown | — | 1.5 | 2y ago | Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution. | |||
| CVE-2024-30088 | unknown | — | 1.5 | 2y ago | Microsoft Windows Kernel contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that could allow for privilege escalation. | |||
| CVE-2024-9380 | unknown | — | 1.5 | 2y ago | Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass … | |||
| CVE-2024-23113 | unknown | — | 1.5 | 2y ago | Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb contain a format string vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted r… | |||
| CVE-2024-9379 | unknown | — | 1.5 | 2y ago | Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to r… | |||
| CVE-2024-43573 | unknown | — | 1.5 | 2y ago | Microsoft Windows MSHTML Platform contains an unspecified spoofing vulnerability which can lead to a loss of confidentiality. | |||
| CVE-2024-43572 | unknown | — | 1.5 | 2y ago | Microsoft Windows Management Console contains unspecified vulnerability that allows for remote code execution. | |||
| CVE-2024-43047 | unknown | — | 1.5 | 2y ago | Multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services while maintaining memory maps of HLOS memory. | |||
| CVE-2024-45519 | unknown | — | 1.5 | 2y ago | Synacor Zimbra Collaboration Suite (ZCS) contains an unspecified vulnerability in the postjournal service that may allow an unauthenticated user to execute commands. | |||
| CVE-2024-8963 | unknown | — | 1.5 | 2y ago | Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conju… | |||
| CVE-2024-43461 | unknown | — | 1.5 | 2y ago | Microsoft Windows MSHTML Platform contains a user interface (UI) misrepresentation of critical information vulnerability that allows an attacker to spoof a web page. This vulnerability was exploited … | |||
| CVE-2024-8190 | unknown | — | 1.5 | 2y ago | Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass … | |||
| CVE-2024-38226 | unknown | — | 1.5 | 2y ago | Microsoft Publisher contains a protection mechanism failure vulnerability that allows attacker to bypass Office macro policies used to block untrusted or malicious files. | |||
| CVE-2024-38217 | unknown | — | 1.5 | 2y ago | Microsoft Windows Mark of the Web (MOTW) contains a protection mechanism failure vulnerability that allows an attacker to bypass MOTW-based defenses. This can result in a limited loss of integrity an… | |||
| CVE-2024-38014 | unknown | — | 1.5 | 2y ago | Microsoft Windows Installer contains an improper privilege management vulnerability that could allow an attacker to gain SYSTEM privileges. | |||
| CVE-2024-40766 | unknown | — | 1.5 | 2y ago | SonicWall SonicOS contains an improper access control vulnerability that could lead to unauthorized resource access and, under certain conditions, may cause the firewall to crash. | |||
| CVE-2024-7262 | unknown | — | 1.5 | 2y ago | Kingsoft WPS Office contains a path traversal vulnerability in promecefpluginhost.exe on Windows that allows an attacker to load an arbitrary Windows library. | |||
| CVE-2024-7965 | unknown | — | 1.5 | 2y ago | Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | |||
| CVE-2024-7971 | unknown | — | 1.5 | 2y ago | Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | |||
| CVE-2024-39717 | unknown | — | 1.5 | 2y ago | The Versa Director GUI contains an unrestricted upload of file with dangerous type vulnerability that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privil… | |||
| CVE-2024-28986 | unknown | — | 1.5 | 2y ago | SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could allow for remote code execution. | |||
| CVE-2024-38178 | unknown | — | 1.5 | 2y ago | Microsoft Windows Scripting Engine contains a memory corruption vulnerability that allows unauthenticated attacker to initiate remote code execution via a specially crafted URL. | |||
| CVE-2024-38189 | unknown | — | 1.5 | 2y ago | Microsoft Project contains an unspecified vulnerability that allows for remote code execution via a malicious file. | |||
| CVE-2024-38107 | unknown | — | 1.5 | 2y ago | Microsoft Windows Power Dependency Coordinator contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to obtain SYSTEM privileges. | |||
| CVE-2024-38106 | unknown | — | 1.5 | 2y ago | Microsoft Windows Kernel contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges. Successful exploitation of this vulnerability… | |||
| CVE-2024-38213 | unknown | — | 1.5 | 2y ago | Microsoft Windows SmartScreen contains a security feature bypass vulnerability that allows an attacker to bypass the SmartScreen user experience via a malicious file. | |||
| CVE-2024-37085 | unknown | — | 1.5 | 2y ago | VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to… | |||
| CVE-2024-5217 | unknown | — | 1.5 | 2y ago | ServiceNow Washington DC, Vancouver, and earlier Now Platform releases contain an incomplete list of disallowed inputs vulnerability in the GlideExpression script. An unauthenticated user could explo… | |||
| CVE-2024-39891 | unknown | — | 1.5 | 2y ago | Twilio Authy contains an information disclosure vulnerability in its API that allows an unauthenticated endpoint to accept a request containing a phone number and respond with information about wheth… | |||
| CVE-2024-38112 | unknown | — | 1.5 | 2y ago | Microsoft Windows MSHTML Platform contains a spoofing vulnerability that has a high impact to confidentiality, integrity, and availability. | |||
| CVE-2024-38080 | unknown | — | 1.5 | 2y ago | Microsoft Windows Hyper-V contains a privilege escalation vulnerability that allows a local attacker with user permissions to gain SYSTEM privileges. | |||
| CVE-2024-20399 | unknown | — | 1.5 | 2y ago | Cisco NX-OS contains a command injection vulnerability in the command line interface (CLI) that could allow an authenticated, local attacker to execute commands as root on the underlying operating sy… | |||
| CVE-2024-32896 | unknown | — | 1.5 | 2y ago | Android Pixel contains an unspecified vulnerability in the firmware that allows for privilege escalation. | |||
| CVE-2024-26169 | unknown | — | 1.5 | 2y ago | Microsoft Windows Error Reporting Service contains an improper privilege management vulnerability that allows a local attacker with user permissions to gain SYSTEM privileges. | |||
| CVE-2024-4610 | unknown | — | 1.5 | 2y ago | Arm Bifrost and Valhall GPU kernel drivers contain a use-after-free vulnerability that allows a local, non-privileged user to make improper GPU memory processing operations to gain access to already … | |||
| CVE-2024-4978 | unknown | — | 1.5 | 2y ago | Justice AV Solutions (JAVS) Viewer installer contains a malicious version of ffmpeg.exe, named fffmpeg.exe (SHA256: 421a4ad2615941b177b6ec4ab5e239c14e62af2ab07c6df1741e2a62223223c4). When run, this c… | |||
| CVE-2024-5274 | unknown | — | 1.5 | 2y ago | Type Confusion in V8 in Google Chrome prior to 125.0.6422.112 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | |||
| CVE-2024-4947 | unknown | — | 1.5 | 2y ago | Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | |||
| CVE-2024-4761 | unknown | — | 1.5 | 2y ago | Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | |||
| CVE-2024-30051 | unknown | — | 1.5 | 2y ago | Microsoft DWM Core Library contains a privilege escalation vulnerability that allows an attacker to gain SYSTEM privileges. | |||
| CVE-2024-30040 | unknown | — | 1.5 | 2y ago | Microsoft Windows MSHTML Platform contains an unspecified vulnerability that allows for a security feature bypass. | |||
| CVE-2024-4671 | unknown | — | 1.5 | 2y ago | Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. … | |||
| CVE-2024-29988 | unknown | — | 1.5 | 2y ago | Microsoft SmartScreen Prompt contains a security feature bypass vulnerability that allows an attacker to bypass the Mark of the Web (MotW) feature. This vulnerability can be chained with CVE-2023-388… | |||
| CVE-2024-20353 | unknown | — | 1.5 | 2y ago | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an infinite loop vulnerability that can lead to remote denial of service condition. | |||
| CVE-2024-20359 | unknown | — | 1.5 | 2y ago | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a privilege escalation vulnerability that can allow local privilege escalation from Administrator to root. | |||
| CVE-2024-3272 | unknown | — | 1.5 | 2y ago | D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contains a hard-coded credential that allows an attacker to conduct authenticated command injection, leading to remote, unauthorized code execution. | |||
| CVE-2024-3273 | unknown | — | 1.5 | 2y ago | D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contain a command injection vulnerability. When combined with CVE-2024-3272, this can lead to remote, unauthorized code execution. | |||
| CVE-2024-29745 | unknown | — | 1.5 | 2y ago | Android Pixel contains an information disclosure vulnerability in the fastboot firmware used to support unlocking, flashing, and locking affected devices. | |||
| CVE-2024-29748 | unknown | — | 1.5 | 2y ago | Android Pixel contains a privilege escalation vulnerability that allows an attacker to interrupt a factory reset triggered by a device admin app. | |||
| CVE-2024-23296 | unknown | — | 1.5 | 2y ago | Apple iOS, iPadOS, macOS, tvOS, and watchOS RTKit contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections. | |||
| CVE-2024-23225 | unknown | — | 1.5 | 2y ago | Apple iOS, iPadOS, macOS, tvOS, watchOS, and visionOS kernel contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory … | |||
| CVE-2024-21410 | unknown | — | 1.5 | 2y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2024-21351 | unknown | — | 1.5 | 2y ago | Microsoft Windows SmartScreen contains a security feature bypass vulnerability that allows an attacker to bypass the SmartScreen user experience and inject code to potentially gain code execution, wh… | |||
| CVE-2024-21412 | unknown | — | 1.5 | 2y ago | Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass. | |||
| CVE-2024-21762 | unknown | — | 1.5 | 2y ago | Fortinet FortiOS contains an out-of-bound write vulnerability that allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP requests. | |||
| CVE-2024-0519 | unknown | — | 1.5 | 2y ago | Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | |||
| CVE-2024-51774 | unknown | — | 1.0 | — | qBittorrent before 5.0.1 proceeds with use of https URLs even after certificate validation errors. | |||
| CVE-2024-6782 | unknown | — | 1.0 | — | Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticated attackers to achieve remote code execution. | |||
| CVE-2024-8517 | unknown | — | 1.0 | — | SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipar… | |||
| CVE-2024-7954 | unknown | — | 1.0 | — | The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP … | |||
| CVE-2024-41947 | unknown | — | 1.0 | 2y ago | XWiki Platform vulnerable to Cross-Site Scripting (XSS) through conflict resolution | |||
| CVE-2024-23334 | unknown | — | 1.0 | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static f… | |||
| CVE-2024-57804 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix corrupt config pages PHY state is switched in sysfs The driver, through the SAS transport, exposes a sysfs inte… | |||
| CVE-2024-47688 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: driver core: Fix a potential null-ptr-deref in module_add_driver() Inject fault while probing of-fpga-region, if kasprintf() fail… | |||
| CVE-2024-46771 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered. syzkaller reported a warning in bcm_connect() below. [0] The repro calls c… | |||
| CVE-2024-53148 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: comedi: Flush partial mappings in error case If some remap_pfn_range() calls succeeded before one failed, we still have buffer pa… | |||
| CVE-2024-10941 | unknown | — | — | — | A malicious website could have included an iframe with an malformed URI resulting in a non-exploitable browser crash. This vulnerability affects Firefox < 126. | |||
| CVE-2024-25583 | unknown | — | — | — | A crafted response from an upstream server the recursor has been configured to forward-recurse to can cause a Denial of Service in the Recursor. The default configuration of the Recursor does not use… | |||
| CVE-2024-30161 | unknown | — | — | — | In Qt 6.5.4, 6.5.5, and 6.6.2, QNetworkReply header data might be accessed via a dangling pointer in Qt for WebAssembly (wasm). (Earlier and later versions are unaffected.) | |||
| CVE-2024-5261 | unknown | — | — | — | Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification LibreOfficeKit can be used for accessing LibreOffice functionality through… | |||
| CVE-2024-50037 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: drm/fbdev-dma: Only cleanup deferred I/O if necessary Commit 5a498d4d06d6 ("drm/fbdev-dma: Only install deferred I/O if necessary… | |||
| CVE-2024-53079 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: mm/thp: fix deferred split unqueue naming and locking Recent changes are putting more pressure on THP deferred split queues: unde… | |||
| CVE-2024-44959 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: tracefs: Use generic inode RCU for synchronizing freeing With structure layout randomization enabled for 'struct inode' we need t… | |||
| CVE-2024-11703 | unknown | — | — | — | On Android, Firefox may have inadvertently allowed viewing saved passwords without the required device PIN authentication. This vulnerability affects Firefox < 133. | |||
| CVE-2024-42516 | unknown | — | — | — | HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP re… | |||
| CVE-2024-9391 | unknown | — | — | — | A user who enables full-screen mode on a specially crafted web page could potentially be prevented from exiting full screen mode. This may allow spoofing of other sites as the address bar is no long… | |||
| CVE-2024-9936 | unknown | — | — | — | When manipulating the selection node cache, an attacker may have been able to cause unexpected behavior, potentially leading to an exploitable crash. This vulnerability affects Firefox < 131.0.3. | |||
| CVE-2024-49942 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Prevent null pointer access in xe_migrate_copy xe_migrate_copy designed to copy content of TTM resources. When source res… | |||
| CVE-2024-40794 | unknown | — | — | — | This issue was addressed through improved state management. This issue is fixed in Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. Private Browsing tabs may be accessed without authenticati… | |||
| CVE-2024-7531 | unknown | — | — | — | Calling `PK11_Encrypt()` in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header pr… | |||
| CVE-2024-2615 | unknown | — | — | — | Memory safety bugs present in Firefox 123. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code… | |||
| CVE-2024-39371 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: io_uring: check for non-NULL file pointer in io_file_can_poll() In earlier kernels, it was possible to trigger a NULL pointer der… | |||
| CVE-2024-29511 | unknown | — | — | — | Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue that allows arbitrary file reading (and writing of error messages to arbitrary files) via OCRLangua… | |||
| CVE-2024-27629 | unknown | — | — | — | An issue in dc2niix before v.1.0.20240202 allows a local attacker to execute arbitrary code via the generated file name is not properly escaped and injected into a system call when certain types of c… | |||
| CVE-2024-56625 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: can: dev: can_set_termination(): allow sleeping GPIOs In commit 6e86a1543c37 ("can: dev: provide optional GPIO based termination … | |||
| CVE-2024-56626 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write An offset from client could be a negative value, It could allows to writ… | |||
| CVE-2024-56627 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read An offset from client could be a negative value, It could lead to an out-o… |