Total
1739 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-23917 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 9.8 Critical |
| In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible | ||||
| CVE-2024-22513 | 2024-11-21 | 5.5 Medium | ||
| djangorestframework-simplejwt version 5.3.1 and before is vulnerable to information disclosure. A user can access web application resources even after their account has been disabled due to missing user validation checks via the for_user method. | ||||
| CVE-2024-22415 | 1 Jupyter | 1 Language Server Protocol Integration | 2024-11-21 | 7.3 High |
| jupyter-lsp is a coding assistance tool for JupyterLab (code navigation + hover suggestions + linters + autocompletion + rename) using Language Server Protocol. Installations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and with jupyter-server instances exposed to non-trusted network are vulnerable to unauthorised access and modification of file system beyond the jupyter root directory. This issue has been patched in version 2.2.2 and all users are advised to upgrade. Users unable to upgrade should uninstall jupyter-lsp. | ||||
| CVE-2024-22326 | 1 Ibm | 2 Ds8900f Firmware, System Storage Ds8000 Management Console Firmware | 2024-11-21 | 5 Medium |
| IBM System Storage DS8900F 89.22.19.0, 89.30.68.0, 89.32.40.0, 89.33.48.0, 89.40.83.0, and 89.40.93.0 could allow a remote user to create an LDAP connection with a valid username and empty password to establish an anonymous connection. IBM X-Force ID: 279518. | ||||
| CVE-2024-22212 | 1 Nextcloud | 1 Global Site Selector | 2024-11-21 | 9.7 Critical |
| Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem in the password verification method allows an attacker to authenticate as another user. It is recommended that the Nextcloud Global Site Selector is upgraded to version 1.4.1, 2.1.2, 2.3.4 or 2.4.5. There are no known workarounds for this issue. | ||||
| CVE-2024-21846 | 2024-11-21 | 5.3 Medium | ||
| An unauthenticated attacker can reset the board and stop transmitter operations by sending a specially-crafted GET request to the command.cgi gateway, resulting in a denial-of-service scenario. | ||||
| CVE-2024-21824 | 2024-11-21 | 5.3 Medium | ||
| Improper authentication vulnerability in exists in multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. If this vulnerability is exploited, a network-adjacent user who can access the product may impersonate an administrative user. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. | ||||
| CVE-2024-21654 | 1 Rubygems | 1 Rubygems.org | 2024-11-21 | 4.8 Medium |
| Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account. This vulnerability has been patched in commit 0b3272a. | ||||
| CVE-2024-1491 | 2024-11-21 | 7.5 High | ||
| The devices allow access to an unprotected endpoint that allows MPFS file system binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial flash, or internal flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. | ||||
| CVE-2023-6718 | 1 Europeana | 1 Repox | 2024-11-21 | 9.4 Critical |
| An authentication bypass vulnerability has been found in Repox, which allows a remote user to send a specially crafted POST request, due to the lack of any authentication method, resulting in the alteration or creation of users. | ||||
| CVE-2023-6595 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 7.5 High |
| In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold. | ||||
| CVE-2023-6368 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 5.9 Medium |
| In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by WhatsUp Gold. | ||||
| CVE-2023-5935 | 2024-11-21 | 7.4 High | ||
| When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed. | ||||
| CVE-2023-5881 | 1 Geniecompany | 2 Aladdin Connect Garage Door Opener, Aladdin Connect Garage Door Opener Firmware | 2024-11-21 | 8.2 High |
| Unauthenticated access permitted to web interface page The Genie Company Aladdin Connect (Retrofit-Kit Model ALDCM) "Garage Door Control Module Setup" and modify the Garage door's SSID settings. | ||||
| CVE-2023-50263 | 1 Networktocode | 1 Nautobot | 2024-11-21 | 3.7 Low |
| Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 1.x and 2.0.x prior to 1.6.7 and 2.0.6, the URLs `/files/get/?name=...` and `/files/download/?name=...` are used to provide admin access to files that have been uploaded as part of a run request for a Job that has FileVar inputs. Under normal operation these files are ephemeral and are deleted once the Job in question runs. In the default implementation used in Nautobot, as provided by `django-db-file-storage`, these URLs do not by default require any user authentication to access; they should instead be restricted to only users who have permissions to view Nautobot's `FileProxy` model instances. Note that no URL mechanism is provided for listing or traversal of the available file `name` values, so in practice an unauthenticated user would have to guess names to discover arbitrary files for download, but if a user knows the file name/path value, they can access it without authenticating, so we are considering this a vulnerability. Fixes are included in Nautobot 1.6.7 and Nautobot 2.0.6. No known workarounds are available other than applying the patches included in those versions. | ||||
| CVE-2023-4884 | 1 Open5gs | 1 Open5gs | 2024-11-21 | 6.5 Medium |
| An attacker could send an HTTP request to an Open5GS endpoint and retrieve the information stored on the device due to the lack of Authentication. | ||||
| CVE-2023-4857 | 2024-11-21 | 7.5 High | ||
| An authentication bypass vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute certain IPMI calls that could lead to exposure of limited system information. | ||||
| CVE-2023-4815 | 1 Answer | 1 Answer | 2024-11-21 | 8.8 High |
| Missing Authentication for Critical Function in GitHub repository answerdev/answer prior to v1.1.3. | ||||
| CVE-2023-4335 | 3 Broadcom, Intel, Linux | 4 Lsi Storage Authority, Raid Controller Web Interface, Raid Web Console 3 and 1 more | 2024-11-21 | 7.5 High |
| Broadcom RAID Controller Web server (nginx) is serving private server-side files without any authentication on Linux | ||||
| CVE-2023-4334 | 1 Broadcom | 1 Raid Controller Web Interface | 2024-11-21 | 7.5 High |
| Broadcom RAID Controller Web server (nginx) is serving private files without any authentication | ||||