CVEs from 2024
- Total: 6,593
- Critical: 174
- High: 1,069
- Medium: 2,083
- Low: 49
- % Critical: 2.6%
- % with KEV: 2.5%
- % with exploit: 3.4%
Top products
- mbed_tls 15
- operations_analytics_log_analysis 14
- surveillance_station 12
- checkmk 10
- office 8
- profilegrid 8
- office_long_term_servicing_channel 6
- propertyhive 5
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-29198 | unknown | — | — | | | | 1y ago | GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost |
| CVE-2024-1440 | unknown | — | — | | | | 1y ago | WSO2 is vulnerable to Open Redirect through multi-option URL in its authentication endpoint |
| CVE-2024-8008 | unknown | — | — | | | | 1y ago | WSO2 products vulnerable to Cross-site Scripting |
| CVE-2024-7096 | unknown | — | — | | | | 1y ago | WSO2 products vulnerable to privilege escalation due to business logic flaw in SOAP admin services |
| CVE-2024-24780 | unknown | — | — | | | | 1y ago | Apache IoTDB Vulnerable to Remote Code Execution |
| CVE-2024-13009 | unknown | — | — | | | | 1y ago | **UNSUPPORTED WHEN ASSIGNED** GzipHandler causes part of request body to be seen as request body of a separate request |
| CVE-2024-52979 | unknown | — | — | | | | 1y ago | Elasticsearch Uncontrolled Resource Consumption Vulnerability |
| CVE-2024-42699 | unknown | — | — | | | | 1y ago | OpenCMS Cross-Site Scripting vulnerability |
| CVE-2024-41446 | unknown | — | — | | | | 1y ago | OpenCMS cross-site scripting (XSS) vulnerability |
| CVE-2024-41447 | unknown | — | — | | | | 1y ago | Alkacon OpenCMS stored cross-site scripting (XSS) vulnerability |
| CVE-2024-55238 | unknown | — | — | | | | 1y ago | OpenMetadata SQL Injection |
| CVE-2024-52981 | unknown | — | — | | | | 1y ago | Elasticsearch Vulnerable to Stack Overflow due to a Large Recursion |
| CVE-2024-52980 | unknown | — | — | | | | 1y ago | Elasticsearch Potential Node Crash due to Large Recursion in `innerForbidCircularReferences` Function |
| CVE-2024-56325 | unknown | — | — | | | | 1y ago | Apache Pinot Vulnerable to Authentication Bypass |
| CVE-2024-6875 | unknown | — | — | | | | 1y ago | Infinispan Potential Out of Memory Error via REST Compare API Buffer API |
| CVE-2024-48944 | unknown | — | — | | | | 1y ago | Apache Kylin Server-Side Request Forgery (SSRF) via `/kylin/api/xxx/diag` Endpoint |
| CVE-2024-12369 | unknown | — | — | | | | 1y ago | WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack |
| CVE-2024-8487 | unknown | — | — | | | | 1y ago | AgentScope Cross-Origin Resource Sharing (CORS) vulnerability |
| CVE-2024-8438 | unknown | — | — | | | | 1y ago | AgentScope Path Traversal in /api/file |
| CVE-2024-8616 | unknown | — | — | | | | 1y ago | H2O Vulnerable to Arbitrary File Overwrite |
| CVE-2024-8501 | unknown | — | — | | | | 1y ago | AgentScope arbitrary file download vulnerability in rpc_agent_client |
| CVE-2024-8524 | unknown | — | — | | | | 1y ago | AgentScope directory traversal vulnerability in /read-examples |
| CVE-2024-8062 | unknown | — | — | | | | 1y ago | H2O Vulnerable to Denial of Service (DoS) via `HEAD` Request |
| CVE-2024-7765 | unknown | — | — | | | | 1y ago | H2O Vulnerable to Denial of Service (DoS) via Large GZIP Parsing |
| CVE-2024-7768 | unknown | — | — | | | | 1y ago | H2O Vulnerable to Denial of Service (DoS) via `/3/ImportFiles` Endpoint |
| CVE-2024-6854 | unknown | — | — | | | | 1y ago | H2O Vulnerable to Arbitrary File Overwrite via File Export |
| CVE-2024-6863 | unknown | — | — | | | | 1y ago | H2O Vulnerable to Execution of Arbitrary Files |
| CVE-2024-10572 | unknown | — | — | | | | 1y ago | H2O Vulnerable to Denial of Service (DoS) and File Write |
| CVE-2024-10549 | unknown | — | — | | | | 1y ago | H2O Vulnerable to Denial of Service (DoS) via `/3/Parse` Endpoint |
| CVE-2024-10550 | unknown | — | — | | | | 1y ago | H2O Vulnerable to Denial of Service (DoS) via `/3/ParseSetup` Endpoint |
| CVE-2024-10553 | unknown | — | — | | | | 1y ago | H2O Deserialization of Untrusted Data Vulnerability |
| CVE-2024-8063 | unknown | — | — | | | | 1y ago | Ollama Divide by Zero Vulnerability |
| CVE-2024-47552 | unknown | — | — | | | | 1y ago | Apache Seata Vulnerable to Deserialization of Untrusted Data |
| CVE-2024-54016 | unknown | — | — | | | | 1y ago | Apache Seata Vulnerable to Data Amplification |
| CVE-2024-58103 | unknown | — | — | | | | 1y ago | Wire has Uncontrolled Recursion on Nested Groups |
| CVE-2024-55532 | unknown | — | — | | | | 1y ago | Apache Ranger Improper Neutralization of Formula Elements vulnerability |
| CVE-2024-24778 | unknown | — | — | | | | 1y ago | Apache StreamPipes has improper privilege management in a REST interface |
| CVE-2024-2321 | unknown | — | — | | | | 1y ago | WSO2 incorrect authorization vulnerability |
| CVE-2024-4028 | unknown | — | — | | | | 1y ago | Keycloak allows cross-site scripting (XSS) |
| CVE-2024-56180 | unknown | — | — | | | | 1y ago | Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution |
| CVE-2024-52577 | unknown | — | — | | | | 1y ago | Apache Ignite: Possible RCE when deserializing incoming messages by the server node |
| CVE-2024-46910 | unknown | — | — | | | | 1y ago | Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user |
| CVE-2024-32037 | unknown | — | — | | | | 1y ago | GeoNetwork search end-point information disclosure in response headers |
| CVE-2024-52067 | unknown | — | — | | | | 1y ago | Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log |
| CVE-2024-27859 | unknown | — | — | | | | 1y ago | The issue was addressed with improved memory handling. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, tvOS 17.4, visionOS 1.1, watchOS 10.4. Processing web content may lead to ar… |
| CVE-2024-57606 | unknown | — | — | | | | 1y ago | SQL injection in JeecgBoot |
| CVE-2024-37358 | unknown | — | — | | | | 1y ago | Apache James vulnerable to denial of service through the use of IMAP literals |
| CVE-2024-45626 | unknown | — | — | | | | 1y ago | Apache James vulnerable to denial of service through JMAP HTML to text conversion |
| CVE-2024-57699 | unknown | — | — | | | | 1y ago | Netplex Json-smart Uncontrolled Recursion vulnerability |
| CVE-2024-10973 | unknown | — | — | | | | 1y ago | Keycloak on Quarkus CLI option for encrypted JGroups ignored |
| CVE-2024-36404 | unknown | — | — | | | | 1y ago | GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions |
| CVE-2024-27137 | unknown | — | — | | | | 1y ago | Apache Cassandra: unrestricted deserialization of JMX authentication credentials |
| CVE-2024-57438 | unknown | — | — | | | | 1y ago | RuoYi has insecure permissions |
| CVE-2024-57439 | unknown | — | — | | | | 1y ago | RuoYi vulnerable to Denial of Service by attackers with admin privileges |
| CVE-2024-57436 | unknown | — | — | | | | 1y ago | RuoYi allowed unauthorized attackers to view the session ID of the admin in the system monitoring |
| CVE-2024-29869 | unknown | — | — | | | | 1y ago | Apache Hive Incorrectly Assigns Permissions for a Critical Resource |
| CVE-2024-23953 | unknown | — | — | | | | 1y ago | Apache Hive vulnerable to Observable Timing Discrepancy and Authentication Bypass by Spoofing |
| CVE-2024-54519 | unknown | — | — | | | | 1y ago | The issue was resolved by sanitizing logging. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2. An app may be able to read sensitive location information. |
| CVE-2024-54523 | unknown | — | — | | | | 1y ago | The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, tvOS 18.2, watchOS 11.2. An app may be able to corrupt coprocessor memory. |
| CVE-2024-54542 | unknown | — | — | | | | 1y ago | An authentication issue was addressed with improved state management. This issue is fixed in Safari 18.2, iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, watchOS 11.2. Private Browsing tabs may be acce… |
| CVE-2024-54539 | unknown | — | — | | | | 1y ago | This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. An app may be able to capture keyboard events from th… |
| CVE-2024-54478 | unknown | — | — | | | | 1y ago | An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.2 and iPadOS 18.2, iPadOS 17.7.4, macOS Sequoia 15.2, macOS Sonoma 14.7.2, tvOS 18.2, visionOS… |
| CVE-2024-54507 | unknown | — | — | | | | 1y ago | A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2. An attacker with user privileges may be able to read kernel me… |
| CVE-2024-54550 | unknown | — | — | | | | 1y ago | This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2. An app may be able to view autocompleted contact inform… |
| CVE-2024-54530 | unknown | — | — | | | | 1y ago | The issue was addressed with improved checks. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, visionOS 2.2, watchOS 11.2. Password autofill may fill in passwords after failing au… |
| CVE-2024-54475 | unknown | — | — | | | | 1y ago | A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. An app may be able to determi… |
| CVE-2024-52012 | unknown | — | — | | | | 1y ago | Apache Solr Relative Path Traversal vulnerability |
| CVE-2024-52807 | unknown | — | — | | | | 1y ago | XXE vulnerability in XSLT parsing in `org.hl7.fhir.publisher` |
| CVE-2024-53299 | unknown | — | — | | | | 1y ago | Apache Wicket: An attacker can intentionally trigger a memory leak |
| CVE-2024-56923 | unknown | — | — | | | | 1y ago | Cross site scripting in Silverpeas Core |
| CVE-2024-45479 | unknown | — | — | | | | 1y ago | Apache Ranger UI vulnerable to Server Side Request Forgery |
| CVE-2024-45478 | unknown | — | — | | | | 1y ago | Apache Ranger has Stored Cross-site Scripting vulnerability in Edit Service Page |
| CVE-2024-43709 | unknown | — | — | | | | 1y ago | Elasticsearch allocation of resources without limits or throttling leads to crash |
| CVE-2024-5138 | unknown | — | — | | | | 1y ago | The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse … |
| CVE-2024-56374 | unknown | — | — | | | | 1y ago | An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a p… |
| CVE-2024-45627 | unknown | — | — | | | | 1y ago | Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability |
| CVE-2024-11734 | unknown | — | — | | | | 1y ago | Denial of Service in Keycloak Server via Security Headers |
| CVE-2024-11736 | unknown | — | — | | | | 1y ago | Keycloak allows unrestricted admin use of system and environment variables |
| CVE-2024-55459 | unknown | — | — | | | | 1y ago | keras Path Traversal vulnerability |
| CVE-2024-54676 | unknown | — | — | | | | 1y ago | Apache OpenMeetings vulnerable to Deserialization of Untrusted Data |
| CVE-2024-8447 | unknown | — | — | | | | 1y ago | Narayana deadlock via multiple join requests sent to LRA Coordinator |
| CVE-2024-56512 | unknown | — | — | | | | 2y ago | Apache NiFi: Missing Complete Authorization for Parameter and Service References |
| CVE-2024-12744 | unknown | — | — | | | | 2y ago | Amazon Redshift JDBC Driver vulnerable to SQL Injection |
| CVE-2024-52046 | unknown | — | — | | | | 2y ago | Apache MINA Deserialization RCE Vulnerability |
| CVE-2024-43441 | unknown | — | — | | | | 2y ago | Apache HugeGraph-Server: Fixed JWT Token (Secret) |
| CVE-2024-23945 | unknown | — | — | | | | 2y ago | Apache Hive and Spark: CookieSigner exposes the correct signature when message verification fails |
| CVE-2024-56334 | unknown | — | — | | | | 2y ago | systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` f… |
| CVE-2024-38819 | unknown | — | — | | | | 2y ago | Spring Framework Path Traversal vulnerability |
| CVE-2024-12801 | unknown | — | — | | | | 2y ago | QOS.CH logback-core Server-Side Request Forgery vulnerability |
| CVE-2024-12798 | unknown | — | — | | | | 2y ago | QOS.CH logback-core Expression Language Injection vulnerability |
| CVE-2024-45338 | unknown | — | — | | | | 2y ago | An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. |
| CVE-2024-56128 | unknown | — | — | | | | 2y ago | Apache Kafka's SCRAM implementation Incorrectly Implements Authentication Algorithm |
| CVE-2024-11993 | unknown | — | — | | | | 2y ago | Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting |
| CVE-2024-12539 | unknown | — | — | | | | 2y ago | Elasticsearch Incorrect Authorization vulnerability |
| CVE-2024-49194 | unknown | — | — | | | | 2y ago | Databricks JDBC Driver Command Injection vulnerability |
| CVE-2024-35230 | unknown | — | — | | | | 2y ago | Welcome and About GeoServer pages communicate version and revision information |
| CVE-2024-55887 | unknown | — | — | | | | 2y ago | Ucum-java has an XXE vulnerability in XML parsing |
| CVE-2024-55662 | unknown | — | — | | | | 2y ago | XWiki allows remote code execution through the extension sheet |
| CVE-2024-55663 | unknown | — | — | | | | 2y ago | XWiki Platform has an SQL injection in getdocuments.vm with sort parameter |
| CVE-2024-55875 | unknown | — | — | | | | 2y ago | http4k has a potential XXE (XML External Entity Injection) vulnerability |