Total
2299 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-22307 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2024-12-12 | 4.4 Medium |
| IBM Security Guardium 11.3, 11.4, and 11.5 could allow a local user to obtain elevated privileges due to incorrect authorization checks. IBM X-Force ID: 216753. | ||||
| CVE-2024-11669 | 1 Gitlab | 1 Gitlab | 2024-12-12 | 6.5 Medium |
| An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes. | ||||
| CVE-2024-44217 | 1 Apple | 3 Ipad Os, Ipados, Iphone Os | 2024-12-12 | 9.1 Critical |
| A permissions issue was addressed by removing vulnerable code and adding additional checks. This issue is fixed in iOS 18 and iPadOS 18. Password autofill may fill in passwords after failing authentication. | ||||
| CVE-2024-44301 | 1 Apple | 1 Macos | 2024-12-12 | 5.5 Medium |
| The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious application may be able to modify protected parts of the file system. | ||||
| CVE-2024-4006 | 1 Gitlab | 1 Gitlab | 2024-12-12 | 4.3 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions | ||||
| CVE-2023-34161 | 1 Huawei | 1 Emui | 2024-12-12 | 7.5 High |
| nappropriate authorization vulnerability in the SettingsProvider module.Successful exploitation of this vulnerability may cause features to perform abnormally. | ||||
| CVE-2023-35866 | 1 Keepassxc | 1 Keepassxc | 2024-12-11 | 5.5 Medium |
| In KeePassXC through 2.7.5, a local attacker can make changes to the Database security settings, including master password and second-factor authentication, within an authenticated KeePassXC Database session, without the need to authenticate these changes by entering the password and/or second-factor authentication to confirm changes. NOTE: the vendor's position is "asking the user for their password prior to making any changes to the database settings adds no additional protection against a local attacker." | ||||
| CVE-2024-25149 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-12-10 | 5.4 Medium |
| Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the "Limit membership to members of the parent site" option is enabled, which allows remote authenticated users to add users who are not a member of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site. | ||||
| CVE-2024-25604 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-12-10 | 6.5 Medium |
| Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel. | ||||
| CVE-2023-52361 | 1 Huawei | 1 Harmonyos | 2024-12-09 | 7.5 High |
| The VerifiedBoot module has a vulnerability that may cause authentication errors.Successful exploitation of this vulnerability may affect integrity. | ||||
| CVE-2021-37864 | 1 Mattermost | 1 Mattermost | 2024-12-06 | 2.6 Low |
| Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs. | ||||
| CVE-2022-2408 | 1 Mattermost | 1 Mattermost | 2024-12-06 | 4.3 Medium |
| The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels. | ||||
| CVE-2023-2515 | 1 Mattermost | 1 Mattermost Server | 2024-12-06 | 4.7 Medium |
| Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin | ||||
| CVE-2023-35166 | 1 Xwiki | 1 Xwiki | 2024-12-06 | 10 Critical |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension. This has been patched in XWiki 15.1-rc-1 and 14.10.5. | ||||
| CVE-2023-29708 | 1 Wavlink | 1 Wavrouter App | 2024-12-06 | 7.5 High |
| An issue was discovered in /cgi-bin/adm.cgi in WavLink WavRouter version RPT70HA1.x, allows attackers to force a factory reset via crafted payload. | ||||
| CVE-2023-0971 | 1 Silabs | 1 Z\/ip Gateway Sdk | 2024-12-06 | 9.6 Critical |
| A logic error in SiLabs Z/IP Gateway SDK 7.18.02 and earlier allows authentication to be bypassed, remote administration of Z-Wave controllers, and S0/S2 encryption keys to be recovered. | ||||
| CVE-2023-32353 | 1 Apple | 1 Itunes | 2024-12-05 | 7.8 High |
| A logic issue was addressed with improved checks. This issue is fixed in iTunes 12.12.9 for Windows. An app may be able to elevate privileges. | ||||
| CVE-2023-35165 | 1 Amazon | 1 Aws Cloud Development Kit | 2024-12-05 | 6.6 Medium |
| AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages `aws-cdk-lib` 2.0.0 until 2.80.0 and `@aws-cdk/aws-eks` 1.57.0 until 1.202.0, `eks.Cluster` and `eks.FargateCluster` constructs create two roles, `CreationRole` and `default MastersRole`, that have an overly permissive trust policy. The first, referred to as the `CreationRole`, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g `KubernetesManifest`, `HelmChart`, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) may be affected. The second, referred to as the `default MastersRole`, is provisioned only if the `mastersRole` property isn't provided and has permissions to execute `kubectl` commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) may be affected. The issue has been fixed in `@aws-cdk/aws-eks` v1.202.0 and `aws-cdk-lib` v2.80.0. These versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. There is no workaround available for CreationRole. To avoid creating the `default MastersRole`, use the `mastersRole` property to explicitly provide a role. | ||||
| CVE-2021-30205 | 1 Dzzoffice | 1 Dzzoffice | 2024-12-05 | 5.3 Medium |
| Incorrect access control in the component /index.php?mod=system&op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames. | ||||
| CVE-2023-34923 | 1 Topdesk | 1 Topdesk | 2024-12-04 | 8.1 High |
| XML Signature Wrapping (XSW) in SAML-based Single Sign-on feature in TOPdesk v12.10.12 allows bad actors with credentials to authenticate with the Identity Provider (IP) to impersonate any TOPdesk user via SAML Response manipulation. | ||||