VIR Vulnerability Intelligence Relay

CVEs from 2024

9,603 normalized CVEs published or assigned in this year.

Total
9,603
critical
critical 114
high
high 1,043
medium
medium 1,991
low
low 40
% Critical
1.2%
% with KEV
1.7%
% with exploit
1.7%

Top vendors

Top products

  • checkmk 10
  • office 8
  • profilegrid 8
  • office_long_term_servicing_channel 6
  • glibc 5
  • virtual_traffic_manager 5
  • element_pack 5
  • propertyhive 5

Top packages

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Published Description Impact
CVE-2024-35845 critical 9.1 9.1 2y ago Important: kernel security and bug fix update redhatrockylinuxsusedebian+2
CVE-2024-35960 critical 9.1 9.1 2y ago Important: kernel security and bug fix update redhatrockylinuxsusedebian+2
CVE-2024-34416 critical 9.1 9.1 2y ago Unrestricted Upload of File with Dangerous Type vulnerability in Pk Favicon Manager.This issue affects Pk Favicon Manager: from n/a through 2.1.
CVE-2024-27053 critical 9.1 9.1 2y ago In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix RCU usage in connect path With lockdep enabled, calls to the connect function from cfg802.11 layer lead to th… susedebianlinux
CVE-2024-31266 critical 9.1 9.1 2y ago Improper Control of Generation of Code ('Code Injection') vulnerability in AlgolPlus Advanced Order Export For WooCommerce allows Code Injection.This issue affects Advanced Order Export For WooCommer…
CVE-2024-32954 critical 9.1 9.1 2y ago Unrestricted Upload of File with Dangerous Type vulnerability in Tribulant Newsletters.This issue affects Newsletters: from n/a through 4.9.5.
CVE-2024-32948 critical 9.1 9.1 2y ago Missing Authorization vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through 4.0.28.
CVE-2024-31345 critical 9.1 9.1 2y ago Unrestricted Upload of File with Dangerous Type vulnerability in Sukhchain Singh Auto Poster.This issue affects Auto Poster: from n/a through 1.2.
CVE-2024-31114 critical 9.1 9.1 2y ago Unrestricted Upload of File with Dangerous Type vulnerability in biplob018 Shortcode Addons.This issue affects Shortcode Addons: from n/a through 3.2.5.
CVE-2024-2890 critical 9.1 9.1 2y ago Unrestricted Upload of File with Dangerous Type vulnerability in Tumult Inc. Tumult Hype Animations.This issue affects Tumult Hype Animations: from n/a through 1.9.12.
CVE-2024-3596 critical 9.0 9.0 2y ago Important: freeradius security update redhatrockylinuxdebiansuse
CVE-2024-22144 critical 9.0 9.0 2y ago Improper Control of Generation of Code ('Code Injection') vulnerability in Eli Scheetz Anti-Malware Security and Brute-Force Firewall gotmls allows Code Injection.This issue affects Anti-Malware Secu…
CVE-2024-30227 critical 9.0 9.0 2y ago Deserialization of Untrusted Data vulnerability in INFINITUM FORM Geo Controller.This issue affects Geo Controller: from n/a through 8.6.4.
CVE-2024-30226 critical 9.0 9.0 2y ago Deserialization of Untrusted Data vulnerability in WPDeveloper BetterDocs.This issue affects BetterDocs: from n/a through 3.3.3.
CVE-2024-42009 unknown 1.5 1y ago A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desani… debian
CVE-2024-37383 unknown 1.5 2y ago Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. debian
CVE-2024-27348 unknown 1.5 2y ago Apache HugeGraph-Server: Command execution in gremlin java
CVE-2024-57004 unknown Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiti… debian
CVE-2024-42010 unknown mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain… debian
CVE-2024-42008 unknown A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious … debian
CVE-2024-37385 unknown Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-1… debian
CVE-2024-37384 unknown Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. debian
CVE-2024-24510 unknown Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via the import function to the mail component. debian
CVE-2024-34462 unknown Alinto SOGo through 5.10.0 allows XSS during attachment preview. debian
CVE-2024-11498 unknown There exists a stack buffer overflow in libjxl. A specifically-crafted file can cause the JPEG XL decoder to use large amounts of stack space (up to 256mb is possible, maybe 512mb), potentially exhau… susedebian
CVE-2024-11403 unknown There exists an out of bounds read/write in LibJXL versions prior to commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99. The JPEG decoder used by the JPEG XL encoder when doing JPEG recompression (i.e. … susedebian
CVE-2024-55532 unknown 1y ago Apache Ranger Improper Neutralization of Formula Elements vulnerability java
CVE-2024-55565 unknown 2y ago nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version. debiannpm
CVE-2024-35371 unknown 2y ago Ant-Media-Server vulnerable to Improper Output Neutralization for Logs java
CVE-2024-51755 unknown 2y ago Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property polic… debianphp
CVE-2024-51754 unknown 2y ago Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of … debianphp
CVE-2024-45411 unknown 2y ago Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability i… debianphp
CVE-2024-43202 unknown 2y ago Apache Dolphinscheduler Code Injection vulnerability java
CVE-2024-40647 unknown 2y ago sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's Python SDK < 2.8.0 allows the environment variables to be passed to subprocesses despite the `env={}` setting. In Python's `subp… debianpython
CVE-2024-3656 unknown 2y ago Keycloak's admin API allows low privilege users to use administrative functions java
CVE-2024-37568 unknown 2y ago lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (… susedebianpython
CVE-2024-34145 unknown 2y ago Jenkins Script Security Plugin sandbox bypass vulnerability java
CVE-2024-31982 unknown 2y ago XWiki Platform: Remote code execution as guest via DatabaseSearch java
CVE-2024-28160 unknown 2y ago Jenkins iceScrum Plugin vulnerable to stored Cross-site Scripting java
CVE-2024-27308 unknown 2y ago Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from… debianrust
CVE-2024-26265 unknown 2y ago Liferay Portal vulnerable to Denial of Service java
CVE-2024-26267 unknown 2y ago Liferay Portal and Liferay DXP HTTP Header Can Expose Versions java
CVE-2024-25817 unknown 2y ago Buffer Overflow vulnerability in eza before version 0.18.2, allows local attackers to execute arbitrary code via the .git/HEAD, .git/refs, and .git/objects components. debianrust
CVE-2024-23635 unknown 2y ago Malicious input can provoke XSS when preserving comments debianjava