CVEs from 2024

- Total: 6,592
- Critical: 174
- High: 1,069
- Medium: 2,083
- Low: 49
- % Critical: 2.6%
- % with KEV: 2.5%
- % with exploit: 3.4%

The four severity buckets sum to 3,375, so the remaining 3,217 of the 6,592 CVEs carry no severity rating in this dataset (they appear as "unknown" in the table below). The percentages are computed over all 6,592 CVEs, including the unrated ones (174 / 6,592 = 2.6%).
Top products
- mbed_tls 15
- operations_analytics_log_analysis 14
- surveillance_station 12
- checkmk 10
- office 8
- profilegrid 8
- office_long_term_servicing_channel 6
- propertyhive 5
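The figures above are the kind of summary a practitioner rebuilds from a raw CVE feed joined against the CISA KEV catalog. The following is an added example, not code from the original page: it computes per-severity counts, the unrated remainder, % critical, % with KEV, % with exploit and the top products from constructed sample records. The record field names (cve_id, severity, products, has_exploit) and the severity values attached to the sample IDs are assumptions; the KEV excerpt mimics the layout of the CISA feed (a top-level vulnerabilities list whose entries carry a cveID) but is constructed. The denominator matters: the page's 2.6% critical is 174 / 6,592, i.e. all CVEs including the unrated ones, and the example keeps that convention.

```python
# Added example, not code from the original page: rebuild the kind of
# yearly summary shown above (counts per severity, % critical, % with KEV,
# % with exploit, top products) from a list of CVE records.
# Assumptions: the record field names (cve_id, severity, products,
# has_exploit) are hypothetical; the KEV catalog follows the layout of the
# real CISA feed (a top-level "vulnerabilities" list whose entries carry a
# "cveID"). All data below is constructed sample input.
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low")

# Constructed sample records. Severity values are illustrative placeholders,
# not NVD ratings; severity None (or "") models a CVE with no rating at all,
# which the page above shows as "unknown".
SAMPLE_CVES = [
    {"cve_id": "CVE-2024-21762", "severity": "critical", "products": ["fortios"], "has_exploit": True},
    {"cve_id": "CVE-2024-20399", "severity": "medium", "products": ["nx-os"], "has_exploit": True},
    {"cve_id": "CVE-2024-5274", "severity": "high", "products": ["chrome"], "has_exploit": False},
    {"cve_id": "CVE-2024-6782", "severity": "critical", "products": ["calibre"], "has_exploit": True},
    {"cve_id": "CVE-2024-12029", "severity": "HIGH", "products": ["invokeai"], "has_exploit": True},
    {"cve_id": "CVE-2024-46775", "severity": None, "products": ["linux_kernel"], "has_exploit": False},
    {"cve_id": "CVE-2024-46779", "severity": None, "products": ["linux_kernel"], "has_exploit": False},
    {"cve_id": "cve-2024-46780", "severity": "", "products": ["linux_kernel"], "has_exploit": False},
]

# Constructed KEV excerpt in the CISA feed shape. The 2023 entry is there to
# show that KEV entries outside the year's CVE set do not inflate the count.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-20399"},
        {"cveID": "CVE-2024-21762"},
        {"cveID": "CVE-2024-5274"},
        {"cveID": "CVE-2023-38831"},
    ]
}


def normalize_severity(value):
    """Map a free-form severity string to one of SEVERITIES, else None."""
    if not value:
        return None
    value = value.strip().lower()
    return value if value in SEVERITIES else None


def summarize(cves, kev_catalog, top_n=8):
    """Return the summary numbers. Percentages use the full CVE count as the
    denominator, including unrated CVEs, which is how the page's 2.6%
    critical (174 / 6,592) is derived."""
    total = len(cves)
    # Case-insensitive join on the CVE ID; feeds disagree on casing.
    kev_ids = {v["cveID"].strip().upper() for v in kev_catalog.get("vulnerabilities", [])}

    by_severity = Counter({s: 0 for s in SEVERITIES})
    for c in cves:
        sev = normalize_severity(c.get("severity"))
        if sev:
            by_severity[sev] += 1
    rated = sum(by_severity.values())

    in_kev = sum(1 for c in cves if c["cve_id"].strip().upper() in kev_ids)
    with_exploit = sum(1 for c in cves if c.get("has_exploit"))
    products = Counter(p for c in cves for p in c.get("products", []))

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "total": total,
        "by_severity": dict(by_severity),
        "unrated": total - rated,
        "pct_critical": pct(by_severity["critical"]),
        "in_kev": in_kev,
        "pct_kev": pct(in_kev),
        "with_exploit": with_exploit,
        "pct_exploit": pct(with_exploit),
        "top_products": products.most_common(top_n),
    }


def render(summary):
    """Format the summary in the same layout as the page above."""
    lines = [f"Total {summary['total']:,}"]
    lines += [f"{s} {summary['by_severity'][s]:,}" for s in SEVERITIES]
    lines.append(f"unrated {summary['unrated']:,}")
    lines.append(f"% Critical {summary['pct_critical']}%")
    lines.append(f"% with KEV {summary['pct_kev']}%")
    lines.append(f"% with exploit {summary['pct_exploit']}%")
    lines.append("Top products")
    lines += [f"- {name} {n}" for name, n in summary["top_products"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_CVES, SAMPLE_KEV)))
```

To run it against real data, replace SAMPLE_CVES with records parsed from your CVE feed and SAMPLE_KEV with the JSON downloaded from CISA's known-exploited-vulnerabilities feed; the join is on the CVE ID only, so the rest of the KEV schema is irrelevant here. Keep the unrated count visible in any such report: a severity breakdown that silently drops half the year's CVEs makes "% critical" look smaller than the exposure actually is.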
Top packages
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2024-20399 | unknown | — | 1.5 | 2y ago | Cisco NX-OS contains a command injection vulnerability in the command line interface (CLI) that could allow an authenticated, local attacker to execute commands as root on the underlying operating sy… |
| CVE-2024-26169 | unknown | — | 1.5 | 2y ago | Microsoft Windows Error Reporting Service contains an improper privilege management vulnerability that allows a local attacker with user permissions to gain SYSTEM privileges. |
| CVE-2024-32896 | unknown | — | 1.5 | 2y ago | Android Pixel contains an unspecified vulnerability in the firmware that allows for privilege escalation. |
| CVE-2024-4610 | unknown | — | 1.5 | 2y ago | Arm Bifrost and Valhall GPU kernel drivers contain a use-after-free vulnerability that allows a local, non-privileged user to make improper GPU memory processing operations to gain access to already … |
| CVE-2024-4978 | unknown | — | 1.5 | 2y ago | Justice AV Solutions (JAVS) Viewer installer contains a malicious version of ffmpeg.exe, named fffmpeg.exe (SHA256: 421a4ad2615941b177b6ec4ab5e239c14e62af2ab07c6df1741e2a62223223c4). When run, this c… |
| CVE-2024-5274 | unknown | — | 1.5 | 2y ago | Type Confusion in V8 in Google Chrome prior to 125.0.6422.112 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-4947 | unknown | — | 1.5 | 2y ago | Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-4761 | unknown | — | 1.5 | 2y ago | Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-30040 | unknown | — | 1.5 | 2y ago | Microsoft Windows MSHTML Platform contains an unspecified vulnerability that allows for a security feature bypass. |
| CVE-2024-30051 | unknown | — | 1.5 | 2y ago | Microsoft DWM Core Library contains a privilege escalation vulnerability that allows an attacker to gain SYSTEM privileges. |
| CVE-2024-4671 | unknown | — | 1.5 | 2y ago | Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. … |
| CVE-2024-29988 | unknown | — | 1.5 | 2y ago | Microsoft SmartScreen Prompt contains a security feature bypass vulnerability that allows an attacker to bypass the Mark of the Web (MotW) feature. This vulnerability can be chained with CVE-2023-388… |
| CVE-2024-20353 | unknown | — | 1.5 | 2y ago | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an infinite loop vulnerability that can lead to remote denial of service condition. |
| CVE-2024-20359 | unknown | — | 1.5 | 2y ago | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a privilege escalation vulnerability that can allow local privilege escalation from Administrator to root. |
| CVE-2024-3272 | unknown | — | 1.5 | 2y ago | D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contains a hard-coded credential that allows an attacker to conduct authenticated command injection, leading to remote, unauthorized code execution. |
| CVE-2024-3273 | unknown | — | 1.5 | 2y ago | D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contain a command injection vulnerability. When combined with CVE-2024-3272, this can lead to remote, unauthorized code execution. |
| CVE-2024-29745 | unknown | — | 1.5 | 2y ago | Android Pixel contains an information disclosure vulnerability in the fastboot firmware used to support unlocking, flashing, and locking affected devices. |
| CVE-2024-29748 | unknown | — | 1.5 | 2y ago | Android Pixel contains a privilege escalation vulnerability that allows an attacker to interrupt a factory reset triggered by a device admin app. |
| CVE-2024-23296 | unknown | — | 1.5 | 2y ago | Apple iOS, iPadOS, macOS, tvOS, and watchOS RTKit contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections. |
| CVE-2024-23225 | unknown | — | 1.5 | 2y ago | Apple iOS, iPadOS, macOS, tvOS, watchOS, and visionOS kernel contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory … |
| CVE-2024-21410 | unknown | — | 1.5 | 2y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation. |
| CVE-2024-21351 | unknown | — | 1.5 | 2y ago | Microsoft Windows SmartScreen contains a security feature bypass vulnerability that allows an attacker to bypass the SmartScreen user experience and inject code to potentially gain code execution, wh… |
| CVE-2024-21412 | unknown | — | 1.5 | 2y ago | Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass. |
| CVE-2024-21762 | unknown | — | 1.5 | 2y ago | Fortinet FortiOS contains an out-of-bound write vulnerability that allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP requests. |
| CVE-2024-0519 | unknown | — | 1.5 | 2y ago | Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-47177 | unknown | — | 1.0 | — | |
| CVE-2024-6782 | unknown | — | 1.0 | — | Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticated attackers to achieve remote code execution. |
| CVE-2024-48990 | unknown | — | 1.0 | — | Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlle… |
| CVE-2024-8517 | unknown | — | 1.0 | — | SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipar… |
| CVE-2024-25641 | unknown | — | 1.0 | — | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authe… |
| CVE-2024-21111 | unknown | — | 1.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows low pr… |
| CVE-2024-51774 | unknown | — | 1.0 | — | qBittorrent before 5.0.1 proceeds with use of https URLs even after certificate validation errors. |
| CVE-2024-30896 | unknown | — | 1.0 | — | InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource of the default org… |
| CVE-2024-32019 | unknown | — | 1.0 | — | Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permiss… |
| CVE-2024-42327 | unknown | — | 1.0 | — | A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRe… |
| CVE-2024-42365 | unknown | — | 1.0 | — | Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an A… |
| CVE-2024-7954 | unknown | — | 1.0 | — | The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP … |
| CVE-2024-12905 | unknown | — | 1.0 | 1y ago | An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a malic… |
| CVE-2024-12029 | unknown | — | 1.0 | 1y ago | A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files… |
| CVE-2024-11956 | unknown | — | 1.0 | 1y ago | pimcore/customer-data-framework vulnerable to SQL Injection |
| CVE-2024-11954 | unknown | — | 1.0 | 1y ago | Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document |
| CVE-2024-47605 | unknown | — | 1.0 | 1y ago | Silverstripe Framework has a XSS via insert media remote file oembed |
| CVE-2024-55889 | unknown | — | 1.0 | 2y ago | thorsten/phpmyfaq Unintended File Download Triggered by Embedded Frames |
| CVE-2024-55661 | unknown | — | 1.0 | 2y ago | Laravel Pulse Allows Remote Code Execution via Unprotected Query Method |
| CVE-2024-11392 | unknown | — | 1.0 | 2y ago | Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installat… |
| CVE-2024-43425 | unknown | — | 1.0 | 2y ago | Moodle Remote Code Execution vulnerability |
| CVE-2024-0132 | unknown | — | 1.0 | 2y ago | NVIDIA Container Toolkit contains a Time-of-check Time-of-Use (TOCTOU) vulnerability in github.com/NVIDIA/nvidia-container-toolkit |
| CVE-2024-46528 | unknown | — | 1.0 | 2y ago | KubeSphere IDOR vulnerability in github.com/kubesphere/kubesphere |
| CVE-2024-42640 | unknown | — | 1.0 | 2y ago | angular-base64-upload vulnerable to unauthenticated remote code execution |
| CVE-2024-46987 | unknown | — | 1.0 | 2y ago | Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183) |
| CVE-2024-39205 | unknown | — | 1.0 | 2y ago | pyload-ng vulnerable to RCE with js2py sandbox escape |
| CVE-2024-42471 | unknown | — | 1.0 | 2y ago | @actions/artifact has an Arbitrary File Write via artifact extraction |
| CVE-2024-45440 | unknown | — | 1.0 | 2y ago | Drupal Full Path Disclosure |
| CVE-2024-41947 | unknown | — | 1.0 | 2y ago | XWiki Platform vulnerable to Cross-Site Scripting (XSS) through conflict resolution |
| CVE-2024-39930 | unknown | — | 1.0 | 2y ago | github.com/gogs/gogs affected by CVE-2024-39930 |
| CVE-2024-28397 | unknown | — | 1.0 | 2y ago | js2py allows remote code execution |
| CVE-2024-3408 | unknown | — | 1.0 | 2y ago | man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in th… |
| CVE-2024-37032 | unknown | — | 1.0 | 2y ago | Ollama does not validate the format of the digest (sha256 with 64 hex digits) in github.com/ollama/ollama |
| CVE-2024-34069 | unknown | — | 1.0 | 2y ago | Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This r… |
| CVE-2024-31621 | unknown | — | 1.0 | 2y ago | Flowise vulnerable to code injection via api/v1 |
| CVE-2024-31839 | unknown | — | 1.0 | 2y ago | Cross site scripting in github.com/tiagorlampert/CHAOS |
| CVE-2024-30850 | unknown | — | 1.0 | 2y ago | Arbitrary code execution in github.com/tiagorlampert/CHAOS |
| CVE-2024-31819 | unknown | — | 1.0 | 2y ago | WWBN AVideo Remote Code Execution |
| CVE-2024-3116 | unknown | — | 1.0 | 2y ago | pgAdmin Remote Code Execution (RCE) vulnerability |
| CVE-2024-22513 | unknown | — | 1.0 | 2y ago | djangorestframework-simplejwt version 5.3.1 and before is vulnerable to information disclosure. A user can access web application resources even after their account has been disabled due to missing u… |
| CVE-2024-2044 | unknown | — | 1.0 | 2y ago | pgAdmin 4 vulnerable to Unsafe Deserialization and Remote Code Execution by an Authenticated user |
| CVE-2024-23346 | unknown | — | 1.0 | 2y ago | Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` m… |
| CVE-2024-24747 | unknown | — | 1.0 | 2y ago | Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation in github.com/minio/minio |
| CVE-2024-23334 | unknown | — | 1.0 | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static f… |
| CVE-2024-26788 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: init irq after reg initialization Initialize the qDMA irqs after the registers are configured so that interr… |
| CVE-2024-38561 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: kunit: Fix kthread reference There is a race condition when a kthread finishes after the deadline and before the call to kthread_… |
| CVE-2024-38569 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi_pcie: Fix out-of-bound access when valid event group The perf tool allows users to create event groups through… |
| CVE-2024-38624 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Use 64 bit variable to avoid 32 bit overflow For example, in the expression: vbo = 2 * vbo + skip |
| CVE-2024-38631 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: iio: adc: PAC1934: fix accessing out of bounds array index Fix accessing out of bounds array index for average current and voltag… |
| CVE-2024-38637 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: greybus: lights: check return of get_channel_from_mode If channel for the given node is not found we return null from get_channel… |
| CVE-2024-38634 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: serial: max3100: Lock port->lock when calling uart_handle_cts_change() uart_handle_cts_change() has to be called with port lock t… |
| CVE-2024-38661 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: s390/ap: Fix crash in AP internal function modify_bitmap() A system crash like this Failing address: 200000cb7df6f000 TEID: 20… |
| CVE-2024-46775 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Validate function returns [WHAT & HOW] Function return values must be checked before data can be used in subsequ… |
| CVE-2024-46779 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Free pvr_vm_gpuva after unlink This caused a measurable memory leak. Although the individual allocations are sma… |
| CVE-2024-46780 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten… |
| CVE-2024-46781 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN … |
| CVE-2024-46791 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open The mcp251x_hw_wake() function is called with the mpc_lock … |
| CVE-2024-46782 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_e… |
| CVE-2024-46784 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Currently napi_disable() gets called during rxq and txq clean… |
| CVE-2024-46790 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: codetag: debug: mark codetags for poisoned page as empty When PG_hwpoison pages are freed they are treated differently in free_pa… |
| CVE-2024-46792 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: riscv: misaligned: Restrict user access to kernel memory raw_copy_{to,from}_user() do not call access_ok(), so this code allowed … |
| CVE-2024-46796 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double put of @cfile in smb2_set_path_size() If smb2_compound_op() is called with a valid @cfile and returned -E… |
| CVE-2024-46794 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM… |
| CVE-2024-46795 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset the binding mark of a reused connection Steve French reported null pointer dereference error from sha256 lib. cifs.k… |
| CVE-2024-46798 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, - CONFIG_KASAN=y - CON… |
| CVE-2024-46799 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: am65-cpsw: Fix NULL dereference on XDP_TX If number of TX queues are set to 1 we get a NULL pointer dereferenc… |
| CVE-2024-46801 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: libfs: fix get_stashed_dentry() get_stashed_dentry() tries to optimistically retrieve a stashed dentry from a provided location. … |
| CVE-2024-46804 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add array index check for hdcp ddc access [Why] Coverity reports OVERRUN warning. Do not check if array index va… |
| CVE-2024-46808 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add missing NULL pointer check within dpcd_extend_address_range [Why & How] ASSERT if return NULL from kcalloc. |
| CVE-2024-46836 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: aspeed_udc: validate endpoint index for ast udc We should verify the bound of the array to assure that host may not … |
| CVE-2024-46837 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Restrict high priorities on group_create We were allowing any users to create a high priority group without any perm… |
| CVE-2024-46840 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: btrfs: clean up our handling of refs == 0 in snapshot delete In reada we BUG_ON(refs == 0), which could be unkind since we aren't… |
| CVE-2024-46838 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: userfaultfd: don't BUG_ON() if khugepaged yanks our page table Since khugepaged was changed to allow retracting page tables in fi… |
| CVE-2024-46843 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Remove SCSI host only if added If host tries to remove ufshcd driver from a UFS device it would cause a kernel p… |
| CVE-2024-46846 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: spi: rockchip: Resolve unbalanced runtime PM / system PM handling Commit e882575efc77 ("spi: rockchip: Suspend and resume the bus… |