CVEs from 2024
- Total: 6,592
- Critical: 174
- High: 1,069
- Medium: 2,083
- Low: 49
- % Critical: 2.6%
- % with KEV: 2.5%
- % with exploit: 3.4%
Top products
- mbed_tls 15
- operations_analytics_log_analysis 14
- surveillance_station 12
- checkmk 10
- office 8
- profilegrid 8
- office_long_term_servicing_channel 6
- propertyhive 5
Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-6763 | unknown | — | — | 2y ago | Eclipse Jetty URI parsing of invalid authority | |||
| CVE-2024-8184 | unknown | — | — | 2y ago | Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks | |||
| CVE-2024-6762 | unknown | — | — | 2y ago | Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks | |||
| CVE-2024-7318 | unknown | — | — | 2y ago | Keycloak's One Time Passcode (OTP) is valid longer than expiration time | |||
| CVE-2024-7341 | unknown | — | — | 2y ago | Keycloak has session fixation in Elytron SAML adapters | |||
| CVE-2024-8883 | unknown | — | — | 2y ago | Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect | |||
| CVE-2024-8698 | unknown | — | — | 2y ago | Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak | |||
| CVE-2024-9823 | unknown | — | — | 2y ago | Eclipse Jetty has a denial of service vulnerability on DosFilter | |||
| CVE-2024-21534 | unknown | — | — | 2y ago | JSONPath Plus Remote Code Execution (RCE) Vulnerability | |||
| CVE-2024-4658 | unknown | — | — | 2y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TE Informatics Nova CMS allows SQL Injection. This issue affects Nova CMS: before 5.0. | |||
| CVE-2024-9286 | unknown | — | — | 2y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TRtek Software Distant Education Platform allows SQL Injection, Parameter Injection. This issue … | |||
| CVE-2024-28168 | unknown | — | — | 2y ago | Apache XML Graphics FOP XML External Entity Reference ('XXE') vulnerability | |||
| CVE-2024-9622 | unknown | — | — | 2y ago | HTTP Request Smuggling Leading to Client Timeouts in resteasy-netty4 | |||
| CVE-2024-9621 | unknown | — | — | 2y ago | Quarkus CXF logs passwords and other secrets | |||
| CVE-2024-45230 | unknown | — | — | 2y ago | An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via ve… | |||
| CVE-2024-45231 | unknown | — | — | 2y ago | An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to… | |||
| CVE-2024-47211 | unknown | — | — | 2y ago | In OpenStack Ironic before 21.4.4, 22.x and 23.x before 23.0.3, 23.x and 24.x before 24.1.3, and 25.x and 26.x before 26.1.0, there is a lack of checksum validation of supplied image_source URLs when… | |||
| CVE-2024-47855 | unknown | — | — | 2y ago | JSON-lib mishandles an unbalanced comment string | |||
| CVE-2024-47554 | unknown | — | — | 2y ago | Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader | |||
| CVE-2024-47561 | unknown | — | — | 2y ago | Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK) | |||
| CVE-2024-47805 | unknown | — | — | 2y ago | Jenkins Credentials plugin reveals encrypted values of credentials to users with Extended Read permission | |||
| CVE-2024-47807 | unknown | — | — | 2y ago | Jenkins OpenId Connect Authentication Plugin lacks issuer claim validation | |||
| CVE-2024-47806 | unknown | — | — | 2y ago | Jenkins OpenId Connect Authentication Plugin lacks audience claim validation | |||
| CVE-2024-47803 | unknown | — | — | 2y ago | Jenkins exposes multi-line secrets through error messages | |||
| CVE-2024-47804 | unknown | — | — | 2y ago | Jenkins item creation restriction bypass vulnerability | |||
| CVE-2024-47534 | unknown | — | — | 2y ago | go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", th… | |||
| CVE-2024-9329 | unknown | — | — | 2y ago | Eclipse Glassfish improperly handles http parameters | |||
| CVE-2024-45772 | unknown | — | — | 2y ago | Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. | |||
| CVE-2024-3373 | unknown | — | — | 2y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RSM Design Website Template allows SQL Injection. This issue affects Website Template: before 1.… | |||
| CVE-2024-47197 | unknown | — | — | 2y ago | Maven Archetype Plugin: Maven Archetype integration-test may package local settings into the published artifact, possibly containing credentials | |||
| CVE-2024-4657 | unknown | — | — | 2y ago | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software BAP Automation allows Stored XSS. This issue affects BAP Automation: befo… | |||
| CVE-2024-23454 | unknown | — | — | 2y ago | Apache Hadoop: Temporary File Local Information Disclosure | |||
| CVE-2024-39928 | unknown | — | — | 2y ago | Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability | |||
| CVE-2024-38809 | unknown | — | — | 2y ago | Spring Framework DoS via conditional HTTP request | |||
| CVE-2024-46985 | unknown | — | — | 2y ago | DataEase has an XML External Entity Reference vulnerability | |||
| CVE-2024-46997 | unknown | — | — | 2y ago | DataEase's H2 datasource has a remote command execution risk | |||
| CVE-2024-7835 | unknown | — | — | 2y ago | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Exnet Informatics Software Ferry Reservation System allows Reflected XSS. This issue affe… | |||
| CVE-2024-7735 | unknown | — | — | 2y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Exnet Informatics Software Ferry Reservation System allows SQL Injection. This issue affects Fer… | |||
| CVE-2024-46984 | unknown | — | — | 2y ago | Gematik Referenzvalidator has an XXE vulnerability that can lead to a Server Side Request Forgery attack | |||
| CVE-2024-46983 | unknown | — | — | 2y ago | SOFA Hessian Remote Command Execution (RCE) Vulnerability | |||
| CVE-2024-7785 | unknown | — | — | 2y ago | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ece Software Electronic Ticket System allows Reflected XSS, Cross-Site Scripting (XSS). T… | |||
| CVE-2024-7254 | unknown | — | — | 2y ago | protobuf-java has potential Denial of Service issue | |||
| CVE-2024-6878 | unknown | — | — | 2y ago | Files or Directories Accessible to External Parties vulnerability in Eliz Software Panel allows Collect Data from Common Resource Locations. This issue affects Panel: before v2.3.24. | |||
| CVE-2024-46979 | unknown | — | — | 2y ago | org.xwiki.platform:xwiki-platform-notifications-ui leaks data of notification filters of users | |||
| CVE-2024-46978 | unknown | — | — | 2y ago | org.xwiki.platform:xwiki-platform-notifications-ui is missing checks for notification filter preferences editions | |||
| CVE-2024-6406 | unknown | — | — | 2y ago | Missing Authentication for Critical Function, Missing Authorization vulnerability in Yordam Information Technology Mobile Library Application allows Retrieve Embedded Sensitive Data. This issue affe… | |||
| CVE-2024-4629 | unknown | — | — | 2y ago | Keycloak Services has a potential bypass of brute force protection | |||
| CVE-2024-45537 | unknown | — | — | 2y ago | Apache Druid: Users can provide MySQL JDBC properties not on allow list | |||
| CVE-2024-45384 | unknown | — | — | 2y ago | druid-pac4j, Apache Druid extension, has Padding Oracle vulnerability | |||
| CVE-2024-7873 | unknown | — | — | 2y ago | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Encoding or Escaping of Output, CWE - 83 Improper Neutralization of Script in Attributes in a Web… | |||
| CVE-2024-45801 | unknown | — | — | 2y ago | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking ad… | |||
| CVE-2024-46943 | unknown | — | — | 2y ago | OpenDaylight Authentication, Authorization and Accounting (AAA) peer impersonation vulnerability | |||
| CVE-2024-46942 | unknown | — | — | 2y ago | OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) allows follower controller to set up flow entries | |||
| CVE-2024-22399 | unknown | — | — | 2y ago | Apache Seata Deserialization of Untrusted Data vulnerability | |||
| CVE-2024-38816 | unknown | — | — | 2y ago | Path traversal vulnerability in functional web frameworks | |||
| CVE-2024-8646 | unknown | — | — | 2y ago | Eclipse Glassfish URL redirection vulnerability | |||
| CVE-2024-45591 | unknown | — | — | 2y ago | XWiki Platform document history including authors of any page exposed to unauthorized actors | |||
| CVE-2024-7260 | unknown | — | — | 2y ago | Keycloak Open Redirect vulnerability | |||
| CVE-2024-45411 | unknown | — | — | 2y ago | Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability i… | |||
| CVE-2024-45498 | unknown | — | — | 2y ago | Apache Airflow vulnerable to Improper Encoding or Escaping of Output | |||
| CVE-2024-45294 | unknown | — | — | 2y ago | XXE vulnerability in XSLT transforms in `org.hl7.fhir.core` | |||
| CVE-2024-45758 | unknown | — | — | 2y ago | H2O.ai H2O vulnerable to deserialization attacks via a JDBC Connection URL | |||
| CVE-2024-45405 | unknown | — | — | 2y ago | `gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a… | |||
| CVE-2024-8391 | unknown | — | — | 2y ago | Vertx gRPC server does not limit the maximum message size | |||
| CVE-2024-8285 | unknown | — | — | 2y ago | Missing hostname validation in Kroxylicious | |||
| CVE-2024-45305 | unknown | — | — | 2y ago | gix-path is a crate of the gitoxide project dealing with git paths and their conversions. `gix-path` executes `git` to find the path of a configuration file that belongs to the `git` installation its… | |||
| CVE-2024-43805 | unknown | — | — | 2y ago | jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. This vulnerability depends on user interaction by opening a malicious n… | |||
| CVE-2024-43788 | unknown | — | — | 2y ago | Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. Th… | |||
| CVE-2024-38807 | unknown | — | — | 2y ago | Signature forgery in Spring Boot's Loader | |||
| CVE-2024-7885 | unknown | — | — | 2y ago | Undertow vulnerable to Race Condition | |||
| CVE-2024-22281 | unknown | — | — | 2y ago | Apache Helix Front (UI) component contained a hard-coded secret | |||
| CVE-2024-43397 | unknown | — | — | 2y ago | apollo-portal has potential unauthorized access issue | |||
| CVE-2024-43202 | unknown | — | — | 2y ago | Apache Dolphinscheduler Code Injection vulnerability | |||
| CVE-2024-38808 | unknown | — | — | 2y ago | Spring Framework vulnerable to Denial of Service | |||
| CVE-2024-38810 | unknown | — | — | 2y ago | Spring Security Missing Authorization vulnerability | |||
| CVE-2024-43401 | unknown | — | — | 2y ago | In XWiki Platform, payloads stored in content is executed when a user with script/programming right edit them | |||
| CVE-2024-43400 | unknown | — | — | 2y ago | XWiki Platform allows XSS through XClass name in string properties | |||
| CVE-2024-44076 | unknown | — | — | 2y ago | Microcks's POST /api/import and POST /api/export endpoints allow non-administrator access | |||
| CVE-2024-42850 | unknown | — | — | 2y ago | Silverpeas vulnerable to password complexity rule bypass | |||
| CVE-2024-42681 | unknown | — | — | 2y ago | Improper Preservation of Permissions in xxl-job | |||
| CVE-2024-29831 | unknown | — | — | 2y ago | Apache DolphinScheduler: RCE by arbitrary js execution | |||
| CVE-2024-30188 | unknown | — | — | 2y ago | Apache DolphinScheduler: Resource File Read And Write Vulnerability | |||
| CVE-2024-6684 | unknown | — | — | 2y ago | Authentication Bypass Using an Alternate Path or Channel vulnerability in GST Electronics inohom Nova Panel N7 allows Authentication Bypass. This issue affects inohom Nova Panel N7: through 1.9.9.6.… | |||
| CVE-2024-42468 | unknown | — | — | 2y ago | CometVisu Backend for openHAB has a path traversal vulnerability | |||
| CVE-2024-42469 | unknown | — | — | 2y ago | CometVisu Backend for openHAB affected by RCE through path traversal | |||
| CVE-2024-42470 | unknown | — | — | 2y ago | CometVisu Backend for openHAB has a sensitive information disclosure vulnerability | |||
| CVE-2024-42467 | unknown | — | — | 2y ago | CometVisu Backend for openHAB affected by SSRF/XSS | |||
| CVE-2024-42367 | unknown | — | — | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.g… | |||
| CVE-2024-43045 | unknown | — | — | 2y ago | Jenkins does not perform a permission check in an HTTP endpoint | |||
| CVE-2024-43044 | unknown | — | — | 2y ago | Jenkins Remoting library arbitrary file read vulnerability | |||
| CVE-2024-42005 | unknown | — | — | 2y ago | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a c… | |||
| CVE-2024-41989 | unknown | — | — | 2y ago | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number i… | |||
| CVE-2024-41990 | unknown | — | — | 2y ago | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs wit… | |||
| CVE-2024-41991 | unknown | — | — | 2y ago | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service… | |||
| CVE-2024-42447 | unknown | — | — | 2y ago | Apache Airflow Providers FAB Insufficient Session Expiration vulnerability | |||
| CVE-2024-36116 | unknown | — | — | 2y ago | Path traversal in Reposilite javadoc file expansion (arbitrary file creation/overwrite) (`GHSL-2024-073`) | |||
| CVE-2024-36115 | unknown | — | — | 2y ago | Reposilite artifacts vulnerable to Stored Cross-site Scripting | |||
| CVE-2024-27182 | unknown | — | — | 2y ago | Apache Linkis arbitrary file deletion vulnerability | |||
| CVE-2024-36268 | unknown | — | — | 2y ago | Apache Inlong Code Injection vulnerability | |||
| CVE-2024-27181 | unknown | — | — | 2y ago | Apache Linkis vulnerable to privilege escalation |