Threat and Vulnerability Intelligence Database


CVE-2024-40661

Description: In mayAdminGrantPermission of AdminRestrictedPermissionsUtils.java, there is a possible way to access the microphone due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

EPSS Score: 0.04%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-3656

Description: A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

EPSS Score: 0.09%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-34719

Description: In multiple locations, there is a possible permissions bypass due to a missing null check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

EPSS Score: 0.04%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-27140

Description: ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Archiva. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. Alternatively, you could configure an HTTP proxy in front of your Archiva instance to only forward requests that do not have malicious characters in the URL. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

EPSS Score: 0.04%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-11079

Description: A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.

EPSS Score: 0.05%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-1062

Description: A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.

EPSS Score: 0.05%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2023-6267

Description: A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.

EPSS Score: 0.12%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2023-41175

Description: A vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted TIFF image, which triggers a heap-based buffer overflow.

EPSS Score: 0.14%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2023-40660

Description: A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.

EPSS Score: 0.07%

Source: CVE
December 5th, 2024 (5 months ago)

Description: Firepad through 1.5.11 allows remote attackers, who have knowledge of a pad ID, to retrieve both the current text of a document and all content that has previously been pasted into the document. NOTE: in several similar products, this is the intentional behavior for anyone who knows the full document ID and corresponding URL. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-51210
https://firebase.blog/posts/2013/04/announcing-firepad-our-open-source
https://github.com/FirebaseExtended/firepad/releases/tag/v1.5.11
https://medium.com/@adityaahuja.work/accessing-full-history-of-firepad-users-ddc889e73936
https://github.com/advisories/GHSA-4fh7-m2wx-6wfm

Source: Github Advisory Database (NPM)
December 4th, 2024 (5 months ago)