CVEs from 2024
Total: 6,689
- critical: 124
- high: 1,048
- medium: 2,023
- low: 48
% Critical: 1.9%
% with KEV: 2.4%
% with exploit: 3.3%
Top products
- surveillance_station 12
- checkmk 10
- profilegrid 8
- office 8
- office_long_term_servicing_channel 6
- glibc 5
- virtual_traffic_manager 5
- element_pack 5
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-50340 | unknown | — | — | | | | 2y ago | symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on`, and users call any… |
| CVE-2024-51132 | unknown | — | — | | | | 2y ago | HAPI FHIR XML External Entity (XXE) vulnerability |
| CVE-2024-36117 | unknown | — | — | | | | 2y ago | Reposilite vulnerable to path traversal while serving javadoc expanded files (arbitrary file read) (`GHSL-2024-074`) |
| CVE-2024-51127 | unknown | — | — | | | | 2y ago | hornetq vulnerable to file overwrite, sensitive information disclosure |
| CVE-2024-23590 | unknown | — | — | | | | 2y ago | Apache Kylin Session Fixation vulnerability |
| CVE-2024-48910 | unknown | — | — | | | | 2y ago | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2. |
| CVE-2024-48307 | unknown | — | — | | | | 2y ago | JeecgBoot SQL Injection vulnerability |
| CVE-2024-43382 | unknown | — | — | | | | 2y ago | Snowflake JDBC Security Advisory |
| CVE-2024-48063 | unknown | — | — | | | | 2y ago | In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing. |
| CVE-2024-45477 | unknown | — | — | | | | 2y ago | Apache NiFi Cross-site Scripting vulnerability |
| CVE-2024-38821 | unknown | — | — | | | | 2y ago | Spring Security vulnerable to Authorization Bypass of Static Resources in WebFlux Applications |
| CVE-2024-49771 | unknown | — | — | | | | 2y ago | MPXJ has a Potential Path Traversal Vulnerability |
| CVE-2024-49760 | unknown | — | — | | | | 2y ago | OpenRefine has a path traversal in LoadLanguageCommand |
| CVE-2024-47883 | unknown | — | — | | | | 2y ago | Butterfly has path/URL confusion in resource handling leading to multiple weaknesses |
| CVE-2024-47882 | unknown | — | — | | | | 2y ago | OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project |
| CVE-2024-47881 | unknown | — | — | | | | 2y ago | OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE) |
| CVE-2024-47880 | unknown | — | — | | | | 2y ago | OpenRefine has a reflected cross-site scripting vulnerability (XSS) from POST request in ExportRowsCommand |
| CVE-2024-47879 | unknown | — | — | | | | 2y ago | OpenRefine's PreviewExpressionCommand, which is eval, lacks protection against cross-site request forgery (CSRF) |
| CVE-2024-47878 | unknown | — | — | | | | 2y ago | OpenRefine has a reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt) |
| CVE-2024-45031 | unknown | — | — | | | | 2y ago | Apache Syncope: Stored XSS in Console and Enduser |
| CVE-2024-8980 | unknown | — | — | | | | 2y ago | Liferay Portal and Liferay DXP Vulnerable to CSRF in the Script Console |
| CVE-2024-38002 | unknown | — | — | | | | 2y ago | Liferay Portal and Liferay DXP Workflow Component Does Not Check User Permissions |
| CVE-2024-26273 | unknown | — | — | | | | 2y ago | Liferay Portal and Liferay DXP Vulnerable to Cross-Site Request Forgery (CSRF) via the Content Page Editor |
| CVE-2024-26272 | unknown | — | — | | | | 2y ago | Liferay Portal and Liferay DXP Vulnerable to Cross-Site Request Forgery (CSRF) via the Content Page Editor |
| CVE-2024-26271 | unknown | — | — | | | | 2y ago | Liferay Portal and Liferay DXP Vulnerable to Cross-Site Request Forgery (CSRF) via the My Account Widget |
| CVE-2024-38820 | unknown | — | — | | | | 2y ago | Spring Framework DataBinder Case Sensitive Match Exception |
| CVE-2024-49580 | unknown | — | — | | | | 2y ago | JetBrains Ktor information disclosure |
| CVE-2024-45216 | unknown | — | — | | | | 2y ago | Improper Authentication vulnerability in Apache Solr |
| CVE-2024-45217 | unknown | — | — | | | | 2y ago | Insecure Default Initialization of Resource vulnerability in Apache Solr |
| CVE-2024-47874 | unknown | — | — | | | | 2y ago | Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buff… |
| CVE-2024-47876 | unknown | — | — | | | | 2y ago | SAK-50571 Sakai Kernel users created with type roleview can login as a normal user |
| CVE-2024-6763 | unknown | — | — | | | | 2y ago | Eclipse Jetty URI parsing of invalid authority |
| CVE-2024-8184 | unknown | — | — | | | | 2y ago | Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks |
| CVE-2024-6762 | unknown | — | — | | | | 2y ago | Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks |
| CVE-2024-7318 | unknown | — | — | | | | 2y ago | Keycloak's One Time Passcode (OTP) is valid longer than expiration time |
| CVE-2024-7341 | unknown | — | — | | | | 2y ago | Keycloak has session fixation in Elytron SAML adapters |
| CVE-2024-8883 | unknown | — | — | | | | 2y ago | Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect |
| CVE-2024-8698 | unknown | — | — | | | | 2y ago | Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak |
| CVE-2024-9823 | unknown | — | — | | | | 2y ago | Eclipse Jetty has a denial of service vulnerability on DosFilter |
| CVE-2024-21534 | unknown | — | — | | | | 2y ago | JSONPath Plus Remote Code Execution (RCE) Vulnerability |
| CVE-2024-28168 | unknown | — | — | | | | 2y ago | Apache XML Graphics FOP XML External Entity Reference ('XXE') vulnerability |
| CVE-2024-9621 | unknown | — | — | | | | 2y ago | Quarkus CXF logs passwords and other secrets |
| CVE-2024-9622 | unknown | — | — | | | | 2y ago | HTTP Request Smuggling Leading to Client Timeouts in resteasy-netty4 |
| CVE-2024-47855 | unknown | — | — | | | | 2y ago | JSON-lib mishandles an unbalanced comment string |
| CVE-2024-47561 | unknown | — | — | | | | 2y ago | Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK) |
| CVE-2024-47554 | unknown | — | — | | | | 2y ago | Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader |
| CVE-2024-47803 | unknown | — | — | | | | 2y ago | Jenkins exposes multi-line secrets through error messages |
| CVE-2024-47806 | unknown | — | — | | | | 2y ago | Jenkins OpenId Connect Authentication Plugin lacks audience claim validation |
| CVE-2024-47804 | unknown | — | — | | | | 2y ago | Jenkins item creation restriction bypass vulnerability |
| CVE-2024-47807 | unknown | — | — | | | | 2y ago | Jenkins OpenId Connect Authentication Plugin lacks issuer claim validation |
| CVE-2024-47805 | unknown | — | — | | | | 2y ago | Jenkins Credentials plugin reveals encrypted values of credentials to users with Extended Read permission |
| CVE-2024-47534 | unknown | — | — | | | | 2y ago | go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", th… |
| CVE-2024-45772 | unknown | — | — | | | | 2y ago | Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. |
| CVE-2024-9329 | unknown | — | — | | | | 2y ago | Eclipse Glassfish improperly handles http parameters |
| CVE-2024-47197 | unknown | — | — | | | | 2y ago | Maven Archetype Plugin: Maven Archetype integration-test may package local settings into the published artifact, possibly containing credentials |
| CVE-2024-23454 | unknown | — | — | | | | 2y ago | Apache Hadoop: Temporary File Local Information Disclosure |
| CVE-2024-39928 | unknown | — | — | | | | 2y ago | Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability |
| CVE-2024-38809 | unknown | — | — | | | | 2y ago | Spring Framework DoS via conditional HTTP request |
| CVE-2024-46985 | unknown | — | — | | | | 2y ago | DataEase has an XML External Entity Reference vulnerability |
| CVE-2024-46997 | unknown | — | — | | | | 2y ago | DataEase's H2 datasource has a remote command execution risk |
| CVE-2024-46984 | unknown | — | — | | | | 2y ago | Gematik Referenzvalidator has an XXE vulnerability that can lead to a Server Side Request Forgery attack |
| CVE-2024-46983 | unknown | — | — | | | | 2y ago | SOFA Hessian Remote Command Execution (RCE) Vulnerability |
| CVE-2024-7254 | unknown | — | — | | | | 2y ago | protobuf-java has potential Denial of Service issue |
| CVE-2024-46979 | unknown | — | — | | | | 2y ago | org.xwiki.platform:xwiki-platform-notifications-ui leaks data of notification filters of users |
| CVE-2024-46978 | unknown | — | — | | | | 2y ago | org.xwiki.platform:xwiki-platform-notifications-ui is missing checks for notification filter preferences editions |
| CVE-2024-4629 | unknown | — | — | | | | 2y ago | Keycloak Services has a potential bypass of brute force protection |
| CVE-2024-45537 | unknown | — | — | | | | 2y ago | Apache Druid: Users can provide MySQL JDBC properties not on allow list |
| CVE-2024-45384 | unknown | — | — | | | | 2y ago | druid-pac4j, Apache Druid extension, has Padding Oracle vulnerability |
| CVE-2024-45801 | unknown | — | — | | | | 2y ago | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking ad… |
| CVE-2024-22399 | unknown | — | — | | | | 2y ago | Apache Seata Deserialization of Untrusted Data vulnerability |
| CVE-2024-46942 | unknown | — | — | | | | 2y ago | OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) allows follower controller to set up flow entries |
| CVE-2024-46943 | unknown | — | — | | | | 2y ago | OpenDaylight Authentication, Authorization and Accounting (AAA) peer impersonation vulnerability |
| CVE-2024-38816 | unknown | — | — | | | | 2y ago | Path traversal vulnerability in functional web frameworks |
| CVE-2024-8646 | unknown | — | — | | | | 2y ago | Eclipse Glassfish URL redirection vulnerability |
| CVE-2024-45591 | unknown | — | — | | | | 2y ago | XWiki Platform document history including authors of any page exposed to unauthorized actors |
| CVE-2024-7260 | unknown | — | — | | | | 2y ago | Keycloak Open Redirect vulnerability |
| CVE-2024-45411 | unknown | — | — | | | | 2y ago | Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability i… |
| CVE-2024-45294 | unknown | — | — | | | | 2y ago | XXE vulnerability in XSLT transforms in `org.hl7.fhir.core` |
| CVE-2024-45758 | unknown | — | — | | | | 2y ago | H2O.ai H2O vulnerable to deserialization attacks via a JDBC Connection URL |
| CVE-2024-8391 | unknown | — | — | | | | 2y ago | Vertx gRPC server does not limit the maximum message size |
| CVE-2024-8285 | unknown | — | — | | | | 2y ago | Missing hostname validation in Kroxylicious |
| CVE-2024-43805 | unknown | — | — | | | | 2y ago | jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. This vulnerability depends on user interaction by opening a malicious n… |
| CVE-2024-43788 | unknown | — | — | | | | 2y ago | Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. Th… |
| CVE-2024-38807 | unknown | — | — | | | | 2y ago | Signature forgery in Spring Boot's Loader |
| CVE-2024-7885 | unknown | — | — | | | | 2y ago | Undertow vulnerable to Race Condition |
| CVE-2024-22281 | unknown | — | — | | | | 2y ago | Apache Helix Front (UI) component contained a hard-coded secret |
| CVE-2024-43397 | unknown | — | — | | | | 2y ago | apollo-portal has potential unauthorized access issue |
| CVE-2024-43202 | unknown | — | — | | | | 2y ago | Apache Dolphinscheduler Code Injection vulnerability |
| CVE-2024-38808 | unknown | — | — | | | | 2y ago | Spring Framework vulnerable to Denial of Service |
| CVE-2024-38810 | unknown | — | — | | | | 2y ago | Spring Security Missing Authorization vulnerability |
| CVE-2024-43401 | unknown | — | — | | | | 2y ago | In XWiki Platform, payloads stored in content are executed when a user with script/programming right edits them |
| CVE-2024-43400 | unknown | — | — | | | | 2y ago | XWiki Platform allows XSS through XClass name in string properties |
| CVE-2024-44076 | unknown | — | — | | | | 2y ago | Microcks's POST /api/import and POST /api/export endpoints allow non-administrator access |
| CVE-2024-42850 | unknown | — | — | | | | 2y ago | Silverpeas vulnerable to password complexity rule bypass |
| CVE-2024-42681 | unknown | — | — | | | | 2y ago | Improper Preservation of Permissions in xxl-job |
| CVE-2024-29831 | unknown | — | — | | | | 2y ago | Apache DolphinScheduler: RCE by arbitrary js execution |
| CVE-2024-30188 | unknown | — | — | | | | 2y ago | Apache DolphinScheduler: Resource File Read And Write Vulnerability |
| CVE-2024-42468 | unknown | — | — | | | | 2y ago | CometVisu Backend for openHAB has a path traversal vulnerability |
| CVE-2024-42469 | unknown | — | — | | | | 2y ago | CometVisu Backend for openHAB affected by RCE through path traversal |
| CVE-2024-42470 | unknown | — | — | | | | 2y ago | CometVisu Backend for openHAB has a sensitive information disclosure vulnerability |