Total
2147 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-44114 | 1 Sap | 1 Netweaver Application Server Abap | 2024-09-16 | 2 Low |
| SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application. | ||||
| CVE-2024-8011 | 1 Logitech | 1 Options\+ | 2024-09-11 | 5.5 Medium |
| Logitech Options+ on MacOS prior 1.72 allows a local attacker to inject dynamic library within Options+ runtime and abuse permissions granted by the user to Options+ such as Camera. | ||||
| CVE-2024-41964 | 1 Getkirby | 1 Kirby | 2024-09-06 | 8.1 High |
| Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's frontend or backend code. A permission for updating existing languages has not existed before the patched versions. So disabling the languages.* wildcard permission for a role could not have prohibited updates to existing language definitions. The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The problem has been patched in Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1, and Kirby 4.3.1. Please update to one of these or a later version to fix the vulnerability. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-7697 | 2 Tecno, Transsion | 2 Com.transsion.carlcare, Carlcare | 2024-09-06 | 7.5 High |
| Logical vulnerability in the mobile application (com.transsion.carlcare) may lead to user information leakage risks. | ||||
| CVE-2024-43250 | 1 Bitapps | 1 Bit Form | 2024-09-06 | 7.1 High |
| Incorrect Authorization vulnerability in Bit Apps Bit Form Pro bitformpro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Bit Form Pro: from n/a through 2.6.4. | ||||
| CVE-2024-34642 | 1 Samsung | 1 Android | 2024-09-05 | 4.6 Medium |
| Improper authorization in One UI Home prior to SMR Sep-2024 Release 1 allows physical attackers to temporarily access sensitive information. | ||||
| CVE-2024-34650 | 1 Samsung | 1 Android | 2024-09-05 | 4 Medium |
| Incorrect authorization in CocktailbarService prior to SMR Sep-2024 Release 1 allows local attackers to access privileged APIs related to Edge panel. | ||||
| CVE-2024-34651 | 1 Samsung | 1 Android | 2024-09-05 | 6.2 Medium |
| Improper authorization in My Files prior to SMR Sep-2024 Release 1 allows local attackers to access restricted data in My Files. | ||||
| CVE-2024-34652 | 1 Samsung | 1 Android | 2024-09-05 | 4 Medium |
| Incorrect authorization in kperfmon prior to SMR Sep-2024 Release 1 allows local attackers to access information related to performance including app usage. | ||||
| CVE-2024-38868 | 1 Zohocorp | 1 Manageengine Endpoint Central | 2024-09-04 | 7.6 High |
| Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability while isolating the devices.This issue affects Endpoint Central: before 11.3.2406.08 and before 11.3.2400.15 | ||||
| CVE-2024-45509 | 1 Misp | 1 Misp | 2024-09-04 | 9.8 Critical |
| In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin. | ||||
| CVE-2024-45588 | 1 Symphonyfintech | 2 Xts Mobile Trader, Xts Web Trader | 2024-09-04 | 8.1 High |
| This vulnerability exists in Symphony XTS Web Trading platform version 2.0.0.1_P160 due to improper access controls on APIs in the Preference module of the application. An authenticated remote attacker could exploit this vulnerability by manipulating parameters through HTTP request which could lead to unauthorized access and modification of sensitive information belonging to other users. | ||||
| CVE-2024-45587 | 1 Symphonyfintech | 2 Xts Mobile Trader, Xts Web Trader | 2024-09-04 | 8.8 High |
| This vulnerability exists in Symphony XTS Web Trading platform version 2.0.0.1_P160 due to improper access controls on APIs in the Transaction module of vulnerable application. An authenticated remote attacker could exploit this vulnerability by manipulating parameters through HTTP request which could lead to compromise of other user accounts. | ||||
| CVE-2024-45586 | 1 Symphonyfintech | 2 Xts Mobile Trader, Xts Web Trader | 2024-09-04 | 8.8 High |
| This vulnerability exists due to improper access controls on APIs in the Authentication module of Symphony XTS Web Trading and Mobile Trading platforms (version 2.0.0.1_P160). An authenticated remote attacker could exploit this vulnerability by manipulating parameters through HTTP request which could lead to unauthorized account take over belonging to other users. | ||||
| CVE-2024-38869 | 1 Zohocorp | 4 Manageengine Endpoint Central, Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp and 1 more | 2024-08-30 | 8.3 High |
| Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability in remote office deploy configurations.This issue affects Endpoint Central: before 11.3.2416.04 and before 11.3.2400.25. | ||||
| CVE-2024-43954 | 1 Themeum | 1 Droip | 2024-08-30 | 6.3 Medium |
| Incorrect Authorization vulnerability in Themeum Droip allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Droip: from n/a through 1.1.1. | ||||
| CVE-2024-43944 | 2024-08-30 | 3.7 Low | ||
| Incorrect Authorization vulnerability in Yassine Idrissi Maintenance & Coming Soon Redirect Animation allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Maintenance & Coming Soon Redirect Animation: from n/a through 2.1.3. | ||||
| CVE-2024-6202 | 1 Haloservicesolutions | 1 Haloitsm | 2024-08-29 | 9.8 Critical |
| HaloITSM versions up to 2.146.1 are affected by a SAML XML Signature Wrapping (XSW) vulnerability. When having a SAML integration configured, anonymous actors could impersonate arbitrary HaloITSM users by just knowing their email address. HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability. | ||||
| CVE-2024-45043 | 1 Opentelemetry | 1 Opentelemetry Collector Contrib | 2024-08-29 | 5.3 Medium |
| The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. `awsfirehosereceiver` allows unauthenticated remote requests, even when configured to require a key. OpenTelemetry Collector can be configured to receive CloudWatch metrics via an AWS Firehose Stream. Firehose sets the header `X-Amz-Firehose-Access-Key` with an arbitrary configured string. The OpenTelemetry Collector awsfirehosereceiver can optionally be configured to require this key on incoming requests. However, when this is configured it **still accepts incoming requests with no key**. Only OpenTelemetry Collector users configured with the “alpha” `awsfirehosereceiver` module are affected. This module was added in version v0.49.0 of the “Contrib” distribution (or may be included in custom builds). There is a risk of unauthorized users writing metrics. Carefully crafted metrics could hide other malicious activity. There is no risk of exfiltrating data. It’s likely these endpoints will be exposed to the public internet, as Firehose does not support private HTTP endpoints. A fix was introduced in PR #34847 and released with v0.108.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-45037 | 2024-08-28 | 6.4 Medium | ||
| The AWS Cloud Development Kit (CDK) is an open-source framework for defining cloud infrastructure using code. Customers use it to create their own applications which are converted to AWS CloudFormation templates during deployment to a customer’s AWS account. CDK contains pre-built components called "constructs" that are higher-level abstractions providing defaults and best practices. This approach enables developers to use familiar programming languages to define complex cloud infrastructure more efficiently than writing raw CloudFormation templates. We identified an issue in AWS Cloud Development Kit (CDK) which, under certain conditions, can result in granting authenticated Amazon Cognito users broader than intended access. Specifically, if a CDK application uses the "RestApi" construct with "CognitoUserPoolAuthorizer" as the authorizer and uses authorization scopes to limit access. This issue does not affect the availability of the specific API resources. Authenticated Cognito users may gain unintended access to protected API resources or methods, leading to potential data disclosure, and modification issues. Impacted versions: >=2.142.0;<=2.148.0. A patch is included in CDK versions >=2.148.1. Users are advised to upgrade their AWS CDK version to 2.148.1 or newer and re-deploy their application(s) to address this issue. | ||||