Export limit exceeded: 351254 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (8277 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-25740 | 1 Mozilla | 1 Firefox | 2025-01-09 | 8.8 High |
| After downloading a Windows <code>.scf</code> script from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This also had the potential to leak NTLM credentials to the resource.<br>*This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 110. | ||||
| CVE-2024-21661 | 2 Argoproj, Redhat | 3 Argo-cd, Argo Cd, Openshift Gitops | 2025-01-09 | 7.5 High |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment. The vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes. This is a Denial of Service (DoS) vulnerability. Any attacker can crash the application continuously, making it impossible for legitimate users to access the service. The issue is exacerbated because it does not require authentication, widening the pool of potential attackers. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue. | ||||
| CVE-2023-33963 | 1 Dataease | 1 Dataease | 2025-01-08 | 9.8 Critical |
| DataEase is an open source data visualization and analysis tool. Prior to version 1.18.7, a deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading. | ||||
| CVE-2023-34092 | 1 Vitejs | 1 Vite | 2025-01-08 | 7.5 High |
| Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16. | ||||
| CVE-2023-22862 | 1 Ibm | 2 Aspera Cargo, Aspera Connect | 2025-01-08 | 5.9 Medium |
| IBM Aspera Connect 4.2.5 and IBM Aspera Cargo 4.2.5 transmits authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. | ||||
| CVE-2024-23328 | 1 Dataease | 1 Dataease | 2025-01-08 | 9.1 Critical |
| Dataease is an open source data visualization analysis tool. A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The location of the vulnerability code is `core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java.` The blacklist of mysql jdbc attacks can be bypassed and attackers can further exploit it for deserialized execution or reading arbitrary files. This vulnerability is patched in 1.18.15 and 2.3.0. | ||||
| CVE-2022-43841 | 1 Ibm | 1 Aspera Console | 2025-01-08 | 4 Medium |
| IBM Aspera Console 3.4.0 through 3.4.2 PL9 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 239078. | ||||
| CVE-2023-27126 | 1 Tp-link | 2 Tapo C200, Tapo C200 Firmware | 2025-01-08 | 4.6 Medium |
| The AES Key-IV pair used by the TP-Link TAPO C200 camera V3 (EU) on firmware version 1.1.22 Build 220725 is reused across all cameras. An attacker with physical access to a camera is able to extract and decrypt sensitive data containing the Wifi password and the TP-LINK account credential of the victim. | ||||
| CVE-2023-34097 | 1 Hoppscotch | 1 Hoppscotch | 2025-01-08 | 7.8 High |
| hoppscotch is an open source API development ecosystem. In versions prior to 2023.4.5 the database password is exposed in the logs when showing the database connection string. Attackers with access to read system logs will be able to elevate privilege with full access to the database. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-7233 | 1 Avast | 1 Free Antivirus | 2025-01-08 | 7.8 High |
| Avast Free Antivirus AvastSvc Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Free Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Avast Service. By creating a symbolic link, an attacker can abuse the service to delete a folder. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23731. | ||||
| CVE-2024-31899 | 1 Ibm | 1 Cognos Command Center | 2025-01-07 | 4.3 Medium |
| IBM Cognos Command Center 10.2.4.1 and 10.2.5 could disclose highly sensitive user information to an authenticated user with physical access to the device. | ||||
| CVE-2024-49816 | 1 Ibm | 1 Security Guardium Key Lifecycle Manager | 2025-01-07 | 4.9 Medium |
| IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 stores potentially sensitive information in log files that could be read by a local privileged user. | ||||
| CVE-2024-49817 | 1 Ibm | 1 Security Guardium Key Lifecycle Manager | 2025-01-07 | 4.4 Medium |
| IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 stores user credentials in configuration files which can be read by a local privileged user. | ||||
| CVE-2023-33496 | 1 Xxl-rpc Project | 1 Xxl-rpc | 2025-01-07 | 9.8 Critical |
| xxl-rpc v1.7.0 was discovered to contain a deserialization vulnerability via the component com.xxl.rpc.core.remoting.net.impl.netty.codec.NettyDecode#decode. | ||||
| CVE-2023-33284 | 1 Marvalglobal | 1 Msm | 2025-01-07 | 8.8 High |
| Marval MSM through 14.19.0.12476 and 15.0 has a Remote Code Execution vulnerability. A remote attacker authenticated as any user is able to execute code in context of the web server. | ||||
| CVE-2023-20888 | 1 Vmware | 1 Vrealize Network Insight | 2025-01-07 | 8.8 High |
| Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution. | ||||
| CVE-2024-10012 | 2 Progress Software, Telerik | 2 Progress Telerik Ui For Wpf Versions, Ui For Wpf | 2025-01-07 | 7.8 High |
| In Progress Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1111), a code execution attack is possible through an insecure deserialization vulnerability. | ||||
| CVE-2023-29168 | 1 Ptc | 1 Vuforia Studio | 2025-01-06 | 3.7 Low |
| The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication. | ||||
| CVE-2023-30262 | 1 Mimsoftware | 2 Mim Concurrent License Server, Mim Local Concurrent License Server | 2025-01-06 | 8.8 High |
| An issue found in MIM software Inc MIM License Server and MIMpacs services v.6.9 thru v.7.0 fixed in v.7.0.10 allows a remote unauthenticated attacker to execute arbitrary code via the RMI Registry service. | ||||
| CVE-2024-13043 | 1 Watchguard | 1 Panda Dome | 2025-01-03 | 7.8 High |
| Panda Security Dome Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Hotspot Shield. By creating a junction, an attacker can abuse the application to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23478. | ||||