CVEs from 2024
Total
6,632
critical
critical 166
high
high 1,073
medium
medium 2,066
low
low 49
% Critical
2.5%
% with KEV
2.5%
% with exploit
3.4%
Top products
- surveillance_station 12
- checkmk 10
- profilegrid 8
- office 8
- office_long_term_servicing_channel 6
- propertyhive 5
- glibc 5
- element_pack 5
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-12970 | low | 3.9 | 3.9 | 1y ago | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TUBITAK BILGEM Pardus OS My Computer allows OS Command Injection. This issue affects Pardu… | |||
| CVE-2024-31265 | low | 3.7 | 3.7 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in SumoMe Sumo.This issue affects Sumo: from n/a through 1.34. | |||
| CVE-2024-7083 | low | 3.5 | 3.5 | 2mo ago | The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks… | |||
| CVE-2024-47175 | low | — | 3.5 | 2y ago | Low: cups security update | |||
| CVE-2024-6006 | low | 3.5 | 3.5 | 2y ago | A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Summer Schedule Handler. The … | |||
| CVE-2024-6005 | low | 3.5 | 3.5 | 2y ago | A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Department Section. … | |||
| CVE-2024-6807 | low | 3.4 | 3.4 | 2y ago | A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /sscdms/cla… | |||
| CVE-2024-50044 | low | 3.3 | 3.3 | 1y ago | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change rfcomm_sk_state_change attempts to use sock_lock so it must ne… | |||
| CVE-2024-35935 | low | 3.3 | 3.3 | 2y ago | In the Linux kernel, the following vulnerability has been resolved: btrfs: send: handle path ref underflow in header iterate_inode_ref() Change BUG_ON to proper error handling if building the path … | |||
| CVE-2024-28085 | low | 3.3 | 3.3 | 2y ago | wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from … | |||
| CVE-2024-42206 | low | 3.1 | 3.1 | 2d ago | HCL iReflection Third party vulnerable and outdated components issue was detected in the web application | |||
| CVE-2024-3932 | low | 3.1 | 3.1 | 2y ago | A vulnerability classified as problematic has been found in Totara LMS up to 18.7. This affects an unknown part of the component User Selector. The manipulation leads to cross-site request forgery. I… | |||
| CVE-2024-47272 | low | 2.7 | 2.7 | 8d ago | Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to … | |||
| CVE-2024-47270 | low | 2.7 | 2.7 | 8d ago | Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administra… | |||
| CVE-2024-47267 | low | 2.7 | 2.7 | 8d ago | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows … | |||
| CVE-2024-10492 | low | 2.7 | 2.7 | 2y ago | Keycloak Path Traversal Vulnerability Due to External Control of File Name or Path | |||
| CVE-2024-30507 | low | 2.7 | 2.7 | 2y ago | Authorization Bypass Through User-Controlled Key vulnerability in Molongui.This issue affects Molongui: from n/a through 4.7.7. | |||
| CVE-2024-7399 | unknown | — | 2.5 | 1mo ago | Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority. | |||
| CVE-2024-56433 | low | — | 2.5 | 7mo ago | Low: shadow-utils security update | |||
| CVE-2024-57727 | unknown | — | 2.5 | 1y ago | SimpleHelp remote support software contains multiple path traversal vulnerabilities that allow unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP r… | |||
| CVE-2024-12356 | unknown | — | 2.5 | 2y ago | BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site use… | |||
| CVE-2024-38564 | low | — | 2.5 | 2y ago | In the Linux kernel, the following vulnerability has been resolved: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE bpf_prog_attach uses attach_type_to_prog_type to enf… | |||
| CVE-2024-56145 | unknown | — | 2.5 | 2y ago | Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled. | |||
| CVE-2024-54677 | low | — | 2.5 | 2y ago | Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.… | |||
| CVE-2024-55956 | unknown | — | 2.5 | 2y ago | Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload vulnerability that could allow an unauthenticated user to import and execute arbitra… | |||
| CVE-2024-35250 | unknown | — | 2.5 | 2y ago | Microsoft Windows Kernel-Mode Driver contains an untrusted pointer dereference vulnerability that allows a local attacker to escalate privileges. | |||
| CVE-2024-20767 | unknown | — | 2.5 | 2y ago | Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted files via an internet-exposed admin panel. | |||
| CVE-2024-7592 | low | — | 2.5 | 2y ago | There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie… | |||
| CVE-2024-49138 | unknown | — | 2.5 | 2y ago | Microsoft Windows Common Log File System (CLFS) driver contains a heap-based buffer overflow vulnerability that allows a local attacker to escalate privileges. | |||
| CVE-2024-51378 | unknown | — | 2.5 | 2y ago | CyberPanel contains an incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property. | |||
| CVE-2024-11680 | unknown | — | 2.5 | 2y ago | ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP re… | |||
| CVE-2024-52800 | low | — | 2.5 | 2y ago | veraPDF CLI has potential XXE (XML External Entity Injection) vulnerability | |||
| CVE-2024-27043 | low | — | 2.5 | 2y ago | In the Linux kernel, the following vulnerability has been resolved: media: edia: dvbdev: fix a use-after-free In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed in several erro… | |||
| CVE-2024-1212 | unknown | — | 2.5 | 2y ago | Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbi… | |||
| CVE-2024-9474 | unknown | — | 2.5 | 2y ago | Palo Alto Networks PAN-OS contains an OS command injection vulnerability that allows for privilege escalation through the web-based management interface for several PAN products, including firewalls … | |||
| CVE-2024-0012 | unknown | — | 2.5 | 2y ago | Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in the web-based management interface for several PAN-OS products, including firewalls and VPN concentrators. | |||
| CVE-2024-29039 | low | — | 2.5 | 2y ago | Low: tpm2-tools security update | |||
| CVE-2024-29038 | low | — | 2.5 | 2y ago | Low: tpm2-tools security update | |||
| CVE-2024-4741 | low | — | 2.5 | 2y ago | Low: openssl security update | |||
| CVE-2024-4603 | low | — | 2.5 | 2y ago | Low: openssl security update | |||
| CVE-2024-2313 | low | — | 2.5 | 2y ago | RHSA-2024:8830: bpftrace security update (Low) | |||
| CVE-2024-2314 | low | — | 2.5 | 2y ago | RHSA-2024:8831: bcc security update (Low) | |||
| CVE-2024-26461 | low | — | 2.5 | 2y ago | RHSA-2024:3268: krb5 security update (Low) | |||
| CVE-2024-6126 | low | — | 2.5 | 2y ago | A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack. | |||
| CVE-2024-5742 | low | — | 2.5 | 2y ago | RHSA-2024:6986: nano security update (Low) | |||
| CVE-2024-6501 | low | — | 2.5 | 2y ago | Low: NetworkManager security update | |||
| CVE-2024-26458 | low | — | 2.5 | 2y ago | RHSA-2024:3268: krb5 security update (Low) | |||
| CVE-2024-5910 | unknown | — | 2.5 | 2y ago | Palo Alto Networks Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration … | |||
| CVE-2024-51567 | unknown | — | 2.5 | 2y ago | CyberPanel contains an incorrect default permissions vulnerability that allows a remote, unauthenticated attacker to execute commands as root. | |||
| CVE-2024-36387 | low | — | 2.5 | 2y ago | Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. | |||
| CVE-2024-37383 | unknown | — | 2.5 | 2y ago | RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code. | |||
| CVE-2024-47575 | unknown | — | 2.5 | 2y ago | Fortinet FortiManager contains a missing authentication vulnerability in the fgfmd daemon that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted re… | |||
| CVE-2024-28987 | unknown | — | 2.5 | 2y ago | SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data. | |||
| CVE-2024-29824 | unknown | — | 2.5 | 2y ago | Ivanti Endpoint Manager (EPM) contains a SQL injection vulnerability in Core server that allows an unauthenticated attacker within the same network to execute arbitrary code. | |||
| CVE-2024-6670 | unknown | — | 2.5 | 2y ago | Progress WhatsUp Gold contains a SQL injection vulnerability that allows an unauthenticated attacker to retrieve the user's encrypted password if the application is configured with only a single user. | |||
| CVE-2024-38856 | unknown | — | 2.5 | 2y ago | Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker. | |||
| CVE-2024-38193 | unknown | — | 2.5 | 2y ago | Microsoft Windows Ancillary Function Driver for WinSock contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges. | |||
| CVE-2024-32113 | unknown | — | 2.5 | 2y ago | Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution. | |||
| CVE-2024-4879 | unknown | — | 2.5 | 2y ago | ServiceNow Utah, Vancouver, and Washington DC Now Platform releases contain a jelly template injection vulnerability in UI macros. An unauthenticated user could exploit this vulnerability to execute … | |||
| CVE-2024-4418 | low | — | 2.5 | 2y ago | RHSA-2024:4351: virt:rhel and virt-devel:rhel security and bug fix update (Low) | |||
| CVE-2024-28995 | unknown | — | 2.5 | 2y ago | SolarWinds Serv-U contains a path traversal vulnerability that allows an attacker access to read sensitive files on the host machine. | |||
| CVE-2024-23692 | unknown | — | 2.5 | 2y ago | Rejetto HTTP File Server contains an improper neutralization of special elements used in a template engine vulnerability. This allows a remote, unauthenticated attacker to execute commands on the aff… | |||
| CVE-2024-36401 | unknown | — | 2.5 | 2y ago | OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unau… | |||
| CVE-2024-34102 | unknown | — | 2.5 | 2y ago | Adobe Commerce and Magento Open Source contain an improper restriction of XML external entity reference (XXE) vulnerability that allows for remote code execution. | |||
| CVE-2024-4358 | unknown | — | 2.5 | 2y ago | Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access. | |||
| CVE-2024-4577 | unknown | — | 2.5 | 2y ago | PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823. | |||
| CVE-2024-5629 | low | — | 2.5 | 2y ago | RHSA-2025:8419: python36:3.6 security update (Low) | |||
| CVE-2024-24919 | unknown | — | 2.5 | 2y ago | Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability. The vulnerability potentially allows an attacker to access information on Gateways connected to the … | |||
| CVE-2024-35176 | low | — | 2.5 | 2y ago | RHSA-2024:5338: pcs security update (Low) | |||
| CVE-2024-25629 | low | — | 2.5 | 2y ago | RHSA-2024:4249: c-ares security update (Low) | |||
| CVE-2024-4040 | unknown | — | 2.5 | 2y ago | CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS). | |||
| CVE-2024-27348 | unknown | — | 2.5 | 2y ago | Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code. | |||
| CVE-2024-3852 | low | — | 2.5 | 2y ago | GetBoundName could return the wrong version of an object when JIT optimizations were applied. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. | |||
| CVE-2024-3854 | low | — | 2.5 | 2y ago | In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds-reads. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 11… | |||
| CVE-2024-3302 | low | — | 2.5 | 2y ago | There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser. This vulnerability affects Firef… | |||
| CVE-2024-3857 | low | — | 2.5 | 2y ago | The JIT created incorrect code for arguments in certain cases. This led to potential use-after-free crashes during garbage collection. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, … | |||
| CVE-2024-2609 | low | — | 2.5 | 2y ago | The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR … | |||
| CVE-2024-3859 | low | — | 2.5 | 2y ago | On 32-bit versions there were integer-overflows that led to an out-of-bounds-read that potentially could be triggered by a malformed OpenType font. This vulnerability affects Firefox < 125, Firefox E… | |||
| CVE-2024-3861 | low | — | 2.5 | 2y ago | If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free. This vulnerability affects Firefox < 125, Firefox ESR < 11… | |||
| CVE-2024-3864 | low | — | 2.5 | 2y ago | Memory safety bug present in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited… | |||
| CVE-2024-3400 | unknown | — | 2.5 | 2y ago | Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall. | |||
| CVE-2024-27198 | unknown | — | 2.5 | 2y ago | JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions. | |||
| CVE-2024-21338 | unknown | — | 2.5 | 2y ago | Microsoft Windows Kernel contains an exposed IOCTL with insufficient access control vulnerability within the IOCTL (input and output control) dispatcher in appid.sys that allows a local attacker to a… | |||
| CVE-2024-1709 | unknown | — | 2.5 | 2y ago | ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, administrator-level account on affec… | |||
| CVE-2024-21893 | unknown | — | 2.5 | 2y ago | Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that all… | |||
| CVE-2024-23897 | unknown | — | 2.5 | 2y ago | Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution. | |||
| CVE-2024-21887 | unknown | — | 2.5 | 2y ago | Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an auth… | |||
| CVE-2024-2408 | low | — | 2.5 | 3y ago | RHSA-2023:7877: openssl security update (Low) | |||
| CVE-2024-6344 | low | 2.4 | 2.4 | 2y ago | A vulnerability, which was classified as problematic, was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. This affects an unknown part of the component Push Configuration Section. The manipulation of t… | |||
| CVE-2024-57728 | unknown | — | 1.5 | 1mo ago | SimpleHelp contains a path traversal vulnerability that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited… | |||
| CVE-2024-57726 | unknown | — | 1.5 | 1mo ago | SimpleHelp contains a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges … | |||
| CVE-2024-27199 | unknown | — | 1.5 | 2mo ago | JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed. | |||
| CVE-2024-7694 | unknown | — | 1.5 | 4mo ago | TeamT5 ThreatSonar Anti-Ransomware contains an unrestricted upload of file with dangerous type vulnerability. ThreatSonar Anti-Ransomware does not properly validate the content of uploaded files. Rem… | |||
| CVE-2024-43468 | unknown | — | 1.5 | 4mo ago | Microsoft Configuration Manager contains an SQL injection vulnerability. An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment w… | |||
| CVE-2024-37079 | unknown | — | 1.5 | 4mo ago | Broadcom VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. This could allow a malicious actor with network access to vCenter Server to … | |||
| CVE-2024-8069 | unknown | — | 1.5 | 9mo ago | Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account access. Attacker must be an au… | |||
| CVE-2024-8068 | unknown | — | 1.5 | 9mo ago | Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user … | |||
| CVE-2024-54085 | unknown | — | 1.5 | 11mo ago | AMI MegaRAC SPx contains an authentication bypass by spoofing vulnerability in the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integ… | |||
| CVE-2024-0769 | unknown | — | 1.5 | 11mo ago | D-Link DIR-859 routers contain a path traversal vulnerability in the file /hedwig.cgi of the component HTTP POST Request Handler. Manipulation of the argument service with the input ../../../../htdoc… | |||
| CVE-2024-42009 | unknown | — | 1.5 | 1y ago | RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desan… |