Threat and Vulnerability Intelligence Database

CVE-2024-54466

Description: An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An encrypted volume may be accessed by a different user without prompting for the password.

CVSS: LOW (0.0)

EPSS Score: 0.05%

Source: CVE
December 12th, 2024 (5 months ago)

CVE-2024-54465

Description: A logic issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2. An app may be able to elevate privileges.

CVSS: LOW (0.0)

EPSS Score: 0.09%

Source: CVE
December 12th, 2024 (5 months ago)

CVE-2024-54269

Description: Missing Authorization vulnerability in Ninja Team Notibar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Notibar: from n/a through 2.1.4.

CVSS: MEDIUM (4.3)

EPSS Score: 0.04%

Source: CVE
December 12th, 2024 (5 months ago)

CVE-2024-53845

Description: ESPTouch is a connection protocol for internet of things devices. In the ESPTouchV2 protocol, while there is an option to use a custom AES key, there is no option to set the IV (Initialization Vector) prior to versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. The IV is set to zero and remains constant throughout the product's lifetime. In AES/CBC mode, if the IV is not properly initialized, the encrypted output becomes deterministic, leading to potential data leakage. To address the aforementioned issues, the application generates a random IV when activating the AES key starting in versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. This IV is then transmitted along with the provision data to the provision device. The provision device has also been equipped with a parser for the AES IV. The upgrade is applicable for all applications and users of ESPTouch v2 component from ESP-IDF. As it is implemented in the ESP Wi-Fi stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware.

CVSS: MEDIUM (6.6)

EPSS Score: 0.04%

Source: CVE
December 12th, 2024 (5 months ago)

CVE-2024-53677

Description: Apache Struts contains a flawed file upload logic vulnerability. This issue affects Apache Struts from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0, which fixes the issue. More details: https://cwiki.apache.org/confluence/display/WW/S2-067

CVSS: CRITICAL (9.5)

EPSS Score: 0.04%

Source: CVE
December 12th, 2024 (5 months ago)

CVE-2024-53292

Description: Dell VxVerify, versions prior to x.40.405, contain a Plain-text Password Storage Vulnerability in the shell wrapper. A local high privileged attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable component with privileges of the compromised account.

CVSS: HIGH (7.2)

EPSS Score: 0.04%

Source: CVE
December 12th, 2024 (5 months ago)

CVE-2024-53290

Description: Dell ThinOS version 2408 contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to command execution.

CVSS: HIGH (8.4)

EPSS Score: 0.04%

Source: CVE
December 12th, 2024 (5 months ago)

CVE-2024-53289

Description: Dell ThinOS version 2408 contains a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.

CVSS: HIGH (7.8)

EPSS Score: 0.04%

Source: CVE
December 12th, 2024 (5 months ago)

CVE-2024-53274

Description: Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The `register` function in `home.vue` contains a reflected XSS vulnerability due to an incorrect sanitization function. An attacker can specify a malicious `redirectTo` parameter to trigger the vulnerability. Arbitrary JavaScript can be executed by the attacker in the context of the victim's session. Version 5.28.5 contains a patch.

CVSS: LOW (2.0)

EPSS Score: 0.04%

Source: CVE
December 12th, 2024 (5 months ago)

CVE-2024-53273

Description: Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The `register` function in `RegisterLoginReset.vue` contains a reflected XSS vulnerability due to an incorrect sanitization function. An attacker can specify a malicious `redirectTo` parameter to trigger the vulnerability, giving the attacker control of the victim's account when a victim registers or logs in with a specially crafted link. Version 5.28.5 contains a patch.

CVSS: MEDIUM (5.0)

EPSS Score: 0.04%

Source: CVE
December 12th, 2024 (5 months ago)