Total
31142 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-42347 | 1 Matrix | 1 Matrix-react-sdk | 2024-08-12 | 7.7 High |
| matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. This was patched in matrix-react-sdk 3.105.0. Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-34620 | 1 Samsung | 1 Android | 2024-08-12 | 8.4 High |
| Improper privilege management in SumeNNService prior to SMR Aug-2024 Release 1 allows local attackers to start privileged service. | ||||
| CVE-2024-34619 | 2 Samsung, Samsung Mobile | 2 Android, Samsung Mobile Devices | 2024-08-12 | 7.5 High |
| Improper input validation in librtp.so prior to SMR Aug-2024 Release 1 allows remote attackers to execute arbitrary code with system privilege. User interaction is required for triggering this vulnerability. | ||||
| CVE-2024-42219 | 1 1password | 1 1password | 2024-08-12 | 7 High |
| 1Password 8 before 8.10.36 for macOS allows local attackers to exfiltrate vault items because XPC inter-process communication validation is insufficient. | ||||
| CVE-2024-42218 | 1 1password | 1 1password | 2024-08-12 | 6.3 Medium |
| 1Password 8 before 8.10.38 for macOS allows local attackers to exfiltrate vault items by bypassing macOS-specific security mechanisms. | ||||
| CVE-2024-30170 | 2 Privx, Ssh | 2 Privx, Privx | 2024-08-12 | 7.5 High |
| PrivX before 34.0 allows data exfiltration and denial of service via the REST API. This is fixed in minor versions 33.1, 32.3, 31.3, and later, and in major version 34.0 and later, | ||||
| CVE-2024-7529 | 2 Mozilla, Redhat | 9 Firefox, Firefox Esr, Thunderbird and 6 more | 2024-08-12 | 8.1 High |
| The date picker could partially obscure security prompts. This could be used by a malicious site to trick a user into granting permissions. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14. | ||||
| CVE-2024-41942 | 1 Jupyter | 1 Jupyterhub | 2024-08-12 | 7.2 High |
| JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users. In effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional. Versions 4.1.6 and 5.1.0 fix this issue. | ||||
| CVE-2024-41948 | 1 Biscuitsec | 1 Biscuit-java | 2024-08-09 | 3 Low |
| biscuit-java is the java implementation of Biscuit, an authentication and authorization token for microservices architectures. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent, providing only the necessary info to generate a third-party block and to sign it, which includes the public key of the previous block (used in the signature) and the public keys part of the token symbol table (for public key interning in datalog expressions). A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. This vulnerability is fixed in 4.0.0. | ||||
| CVE-2024-41949 | 1 Biscuitsec | 1 Biscuit-auth | 2024-08-09 | 3 Low |
| biscuit-rust is the Rust implementation of Biscuit, an authentication and authorization token for microservices architectures. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent, providing only the necessary info to generate a third-party block and to sign it, which includes the public key of the previous block (used in the signature) and the public keys part of the token symbol table (for public key interning in datalog expressions). A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. | ||||
| CVE-2024-40721 | 1 Changingtec | 2 Servisign, Tcb Servisign | 2024-08-09 | 8.8 High |
| The specific API in TCBServiSign Windows Version from CHANGING Information Technology does not properly validate server-side input. When a user visits a spoofed website, unauthenticated remote attackers can cause the TCBServiSign to load a DLL from an arbitrary path. | ||||
| CVE-2024-40720 | 2 Changinginformationtechnology, Changingtec | 2 Tcbservisign, Tcb Servisign | 2024-08-09 | 8.8 High |
| The specific API in TCBServiSign Windows Version from CHANGING Information Technology does not properly validate server-side input. When a user visits a spoofed website, unauthenticated remote attackers can modify the `HKEY_CURRENT_USER` registry to execute arbitrary commands. | ||||
| CVE-2024-41989 | 2 Djangoproject, Redhat | 4 Django, Ansible Automation Platform, Discovery and 1 more | 2024-08-08 | 7.5 High |
| An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. | ||||
| CVE-2024-41309 | 2 Enjay, Enjayworld | 2 Crm, Enjay Crm | 2024-08-08 | 8.4 High |
| An issue in the Hardware info module of IT Solutions Enjay CRM OS v1.0 allows attackers to escape the restricted terminal environment and gain root-level privileges on the underlying system. | ||||
| CVE-2024-41308 | 2 Enjay, Enjayworld | 2 Crm, Enjay Crm | 2024-08-08 | 8.4 High |
| An issue in the Ping feature of IT Solutions Enjay CRM OS v1.0 allows attackers to escape the restricted terminal environment and gain root-level privileges on the underlying system. | ||||
| CVE-2024-23464 | 1 Zscaler | 1 Client Connector | 2024-08-07 | 7.2 High |
| In certain cases, Zscaler Internet Access (ZIA) can be disabled by PowerShell commands with admin rights. This affects Zscaler Client Connector on Windows <4.2.1 | ||||
| CVE-2024-6995 | 1 Google | 2 Android, Chrome | 2024-08-07 | 8.8 High |
| Inappropriate implementation in Fullscreen in Google Chrome on Android prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2024-7005 | 1 Google | 1 Chrome | 2024-08-07 | 8.8 High |
| Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a malicious file. (Chromium security severity: Low) | ||||
| CVE-2018-17793 | 2023-11-07 | N/A | ||
| DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | ||||
| CVE-2012-2639 | 2023-11-07 | N/A | ||
| DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-4940. Reason: This candidate is a reservation duplicate of CVE-2011-4940. Notes: All CVE users should reference CVE-2011-4940 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage | ||||