Search Results (3068 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-25619 | 1 Joinmastodon | 1 Mastodon | 2024-12-18 | 3.1 Low |
| Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application was destroyed, the streaming server was not informed that the Access Tokens had also been destroyed; this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed. Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a `dependent: delete_all` configuration, which means the `after_commit` callback set up on `AccessTokenExtension` didn't actually fire, since `delete_all` doesn't trigger ActiveRecord callbacks. To mitigate, we need to add a `before_destroy` callback to `ApplicationExtension` which announces to streaming that all the Application's Access Tokens are being "killed". Impact should be negligible given the affected application had to be owned by the user. Nonetheless, this issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-25628 | 1 Alf | 1 Alf | 2024-12-18 | 7.6 High |
| Alf.io is a free and open source event attendance management system. In versions prior to 2.0-M4-2402 users can access the admin area even after being invalidated/deleted. This issue has been addressed in version 2.0-M4-2402. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-25635 | 1 Alf | 1 Alf | 2024-12-18 | 8.8 High |
| alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, organization owners can view the generated API KEY and USERS of other organization owners using the `http://192.168.26.128:8080/admin/api/users/<user_id>` endpoint, which exposes the details of the provided user ID. This may also expose the API KEY in the username of the user. Version 2.0-M4-2402 fixes this issue. | ||||
| CVE-2024-31319 | 1 Google | 1 Android | 2024-12-17 | 7.8 High |
| In updateNotificationChannelFromPrivilegedListener of NotificationManagerService.java, there is a possible cross-user data leak due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2024-31139 | 1 Jetbrains | 1 Teamcity | 2024-12-16 | 5.9 Medium |
| In JetBrains TeamCity before 2024.03, XXE was possible in the Maven build steps detector. | ||||
| CVE-2023-25926 | 3 Ibm, Linux, Microsoft | 4 Aix, Security Guardium Key Lifecycle Manager, Linux Kernel and 1 more | 2024-12-13 | 5.5 Medium |
| IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 247599. | ||||
| CVE-2024-11668 | 1 Gitlab | 1 Gitlab | 2024-12-12 | 4.2 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results. | ||||
| CVE-2024-11622 | 1 Hpe | 1 Insight Remote Support | 2024-12-12 | 7.3 High |
| An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. | ||||
| CVE-2024-53674 | 1 Hpe | 1 Insight Remote Support | 2024-12-12 | 7.3 High |
| An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. | ||||
| CVE-2024-53675 | 1 Hpe | 1 Insight Remote Support | 2024-12-12 | 7.3 High |
| An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. | ||||
| CVE-2023-35857 | 1 Siren | 1 Investigate | 2024-12-11 | 9.8 Critical |
| In Siren Investigate before 13.2.2, session keys remain active even after logging out. | ||||
| CVE-2024-25606 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-12-11 | 8 High |
| XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method. | ||||
| CVE-2021-37866 | 1 Mattermost | 1 Mattermost Boards | 2024-12-06 | 4.7 Medium |
| Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server side when a user logs out of Boards, which allows an attacker to reuse an old session token for authorization. | ||||
| CVE-2023-2788 | 1 Mattermost | 1 Mattermost | 2024-12-06 | 6.2 Medium |
| Mattermost fails to check whether an admin user account is active after an OAuth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an OAuth2 access token while the attacker's account is deactivated. | ||||
| CVE-2024-28826 | 1 Checkmk | 1 Checkmk | 2024-12-04 | 8.8 High |
| Improper restriction of local upload and download paths in check_sftp in Checkmk before 2.3.0p4, 2.2.0p27, 2.1.0p44, and in Checkmk 2.0.0 (EOL) allows attackers with sufficient permissions to configure the check to read and write local files on the Checkmk site server. | ||||
| CVE-2023-36252 | 1 Ateme | 4 Flamingo Xl, Flamingo Xl Firmware, Flamingo Xs and 1 more | 2024-12-03 | 8.8 High |
| An issue in Ateme Flamingo XL v.3.6.20 and XS v.3.6.5 allows a remote authenticated attacker to execute arbitrary code and cause a denial of service via the session expiration function. | ||||
| CVE-2023-3113 | 1 Lenovo | 1 Xclarity Administrator | 2024-12-03 | 8.2 High |
| An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files. | ||||
| CVE-2018-0100 | 1 Cisco | 1 Anyconnect Secure Mobility Client | 2024-12-02 | N/A |
| A vulnerability in the Profile Editor of the Cisco AnyConnect Secure Mobility Client could allow an unauthenticated, local attacker to have read and write access to information stored in the affected system. The vulnerability is due to improper handling of the XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by injecting a crafted XML file with malicious entries, which could allow the attacker to read and write files. Cisco Bug IDs: CSCvg19341. | ||||
| CVE-2018-0108 | 1 Cisco | 1 Webex Meetings Server | 2024-12-02 | N/A |
| A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to collect customer files via an out-of-band XML External Entity (XXE) injection. An attacker could exploit this vulnerability to gain information to conduct additional reconnaissance attacks. The vulnerability is due to the ability of an attacker to perform an out-of-band XXE injection on the system, which could allow an attacker to capture customer files and redirect them to another destination address. An exploit could allow the attacker to discover sensitive customer data. Cisco Bug IDs: CSCvg36996. | ||||
| CVE-2018-0207 | 1 Cisco | 1 Secure Access Control Server Solution Engine | 2024-12-02 | 3.3 Low |
| A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70595. | ||||