CVEs from 2024

- Total: 6,686
- Critical: 124
- High: 1,048
- Medium: 2,024
- Low: 48
- % Critical: 1.9% (124 of 6,686)
- % with KEV (CISA Known Exploited Vulnerabilities) entry: 2.4%
- % with exploit: 3.3%

The four rated buckets account for 3,244 entries; the remaining 3,442 have no severity assigned and appear as "unknown" in the package table below, so the severity column alone is not a usable review order for most rows.
Top products (CVE count)
- surveillance_station: 12
- checkmk: 10
- profilegrid: 8
- office: 8
- office_long_term_servicing_channel: 6
- glibc: 5
- virtual_traffic_manager: 5
- element_pack: 5
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-28161 | unknown | — | — |  |  |  | 2y ago | Jenkins Delphix Plugin has SSL/TLS certificate validation disabled by default |
| CVE-2024-28162 | unknown | — | — |  |  |  | 2y ago | Jenkins Delphix Plugin has improper SSL/TLS certificate validation |
| CVE-2024-28159 | unknown | — | — |  |  |  | 2y ago | Jenkins Subversion Partial Release Manager Plugin missing permission check |
| CVE-2024-28158 | unknown | — | — |  |  |  | 2y ago | Jenkins Subversion Partial Release Manager Plugin vulnerable to Cross-Site Request Forgery |
| CVE-2024-28152 | unknown | — | — |  |  |  | 2y ago | Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for pull requests |
| CVE-2024-28150 | unknown | — | — |  |  |  | 2y ago | Jenkins HTML Publisher Plugin Stored XSS vulnerability |
| CVE-2024-28149 | unknown | — | — |  |  |  | 2y ago | Jenkins HTML Publisher Plugin does not properly sanitize input |
| CVE-2024-28151 | unknown | — | — |  |  |  | 2y ago | Jenkins HTML Publisher Plugin Path traversal vulnerability |
| CVE-2024-28154 | unknown | — | — |  |  |  | 2y ago | Jenkins MQ Notifier Plugin exposes sensitive information in build logs |
| CVE-2024-28157 | unknown | — | — |  |  |  | 2y ago | Jenkins GitBucket Plugin vulnerable to stored Cross-site Scripting |
| CVE-2024-28156 | unknown | — | — |  |  |  | 2y ago | Jenkins Build Monitor View Plugin vulnerable to stored Cross-site Scripting |
| CVE-2024-28155 | unknown | — | — |  |  |  | 2y ago | Jenkins AppSpider Plugin missing permission checks |
| CVE-2024-28153 | unknown | — | — |  |  |  | 2y ago | Jenkins OWASP Dependency-Check Plugin has stored XSS vulnerability |
| CVE-2024-26580 | unknown | — | — |  |  |  | 2y ago | Apache InLong: Logged-in user could exploit an arbitrary file read vulnerability |
| CVE-2024-2097 | medium | — | — |  |  |  | 2y ago | RHSA-2024:1141: mysql security update (Moderate) |
| CVE-2024-27308 | unknown | — | — |  |  |  | 2y ago | Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from… |
| CVE-2024-27139 | unknown | — | — |  |  |  | 2y ago | Apache Archiva Incorrect Authorization vulnerability |
| CVE-2024-27140 | unknown | — | — |  |  |  | 2y ago | Apache Archiva Reflected Cross-site Scripting vulnerability |
| CVE-2024-27138 | unknown | — | — |  |  |  | 2y ago | Apache Archiva Incorrect Authorization vulnerability |
| CVE-2024-22871 | unknown | — | — |  |  |  | 2y ago | Reading specially crafted serializable objects from an untrusted source may cause an infinite loop and denial of service |
| CVE-2024-21742 | unknown | — | — |  |  |  | 2y ago | Apache James MIME4J improper input validation vulnerability |
| CVE-2024-22201 | unknown | — | — |  |  |  | 2y ago | Connection leaking on idle timeout when TCP congested |
| CVE-2024-1735 | unknown | — | — |  |  |  | 2y ago | Armeria SAML authentication bypass due to missing validation on unsigned SAML messages |
| CVE-2024-22371 | unknown | — | — |  |  |  | 2y ago | Apache Camel data exposure vulnerability |
| CVE-2024-23320 | unknown | — | — |  |  |  | 2y ago | Apache DolphinScheduler vulnerable to arbitrary JavaScript execution as root for authenticated users |
| CVE-2024-22243 | unknown | — | — |  |  |  | 2y ago | Spring Web vulnerable to Open Redirect or Server Side Request Forgery |
| CVE-2024-26138 | unknown | — | — |  |  |  | 2y ago | XWiki extension license information is public, exposing instance id and license holder details |
| CVE-2024-25151 | unknown | — | — |  |  |  | 2y ago | Liferay Portal Calendar module and Liferay DXP vulnerable to Cross-site Scripting, content spoofing |
| CVE-2024-25603 | unknown | — | — |  |  |  | 2y ago | Liferay Portal's Dynamic Data Mapping module's DDMForm and Liferay DXP vulnerable to stored Cross-site Scripting |
| CVE-2024-26266 | unknown | — | — |  |  |  | 2y ago | Liferay Portal and Liferay DXP vulnerable to stored Cross-site Scripting |
| CVE-2024-26269 | unknown | — | — |  |  |  | 2y ago | Liferay Portal Frontend JS module's portlet.js and Liferay DXP vulnerable to Cross-site Scripting |
| CVE-2024-25147 | unknown | — | — |  |  |  | 2y ago | Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting |
| CVE-2024-25601 | unknown | — | — |  |  |  | 2y ago | Liferay Portal Expando module and Liferay DXP vulnerable to stored Cross-site Scripting |
| CVE-2024-25152 | unknown | — | — |  |  |  | 2y ago | Liferay Portal Message Board widget and Liferay DXP vulnerable to stored Cross-site Scripting |
| CVE-2024-25602 | unknown | — | — |  |  |  | 2y ago | Liferay Portal and Liferay DXP's Users Admin module vulnerable to stored Cross-site Scripting |
| CVE-2024-26140 | unknown | — | — |  |  |  | 2y ago | Cross-site Scripting Vulnerability in Statement Browser |
| CVE-2024-22369 | unknown | — | — |  |  |  | 2y ago | Deserialization of Untrusted Data in Apache Camel SQL |
| CVE-2024-23114 | unknown | — | — |  |  |  | 2y ago | Deserialization of Untrusted Data in Apache Camel CassandraQL |
| CVE-2024-26270 | unknown | — | — |  |  |  | 2y ago | Liferay Portal and Liferay DXP vulnerable to theft of hashed password |
| CVE-2024-26268 | unknown | — | — |  |  |  | 2y ago | Liferay Portal and Liferay DXP User Enumeration Vulnerability |
| CVE-2024-25610 | unknown | — | — |  |  |  | 2y ago | Liferay Portal has a Stored XSS with Blog entries (Insecure defaults) |
| CVE-2024-26265 | unknown | — | — |  |  |  | 2y ago | Liferay Portal vulnerable to Denial of Service |
| CVE-2024-26267 | unknown | — | — |  |  |  | 2y ago | Liferay Portal and Liferay DXP HTTP Header Can Expose Versions |
| CVE-2024-25607 | unknown | — | — |  |  |  | 2y ago | Liferay Portal defaults to a low work factor for the default password hashing algorithm |
| CVE-2024-25609 | unknown | — | — |  |  |  | 2y ago | Liferay Portal and Liferay DXP's HtmlUtil.escapeRedirect Can Be Circumvented via Two Forward Slashes |
| CVE-2024-25608 | unknown | — | — |  |  |  | 2y ago | Liferay Portal and Liferay DXP's HtmlUtil.escapeRedirect Can Be Circumvented via Replacement Character |
| CVE-2024-25604 | unknown | — | — |  |  |  | 2y ago | Liferay Portal and Liferay DXP Allows Authenticated Users with View Permissions to Edit Permissions |
| CVE-2024-25606 | unknown | — | — |  |  |  | 2y ago | Liferay Portal has an XXE vulnerability in Java2WsddTask._format |
| CVE-2024-25605 | unknown | — | — |  |  |  | 2y ago | Liferay Portal and Liferay DXP Allows Templates to be Viewed via the UI or API |
| CVE-2024-25149 | unknown | — | — |  |  |  | 2y ago | Liferay Portal and Liferay DXP Does Not Properly Restrict Membership to Child Site Based on Parent Site Options |
| CVE-2024-25150 | unknown | — | — |  |  |  | 2y ago | Liferay Portal and Liferay DXP Information Disclosure Vulnerability in the Control Panel |
| CVE-2024-22234 | unknown | — | — |  |  |  | 2y ago | Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated |
| CVE-2024-1635 | unknown | — | — |  |  |  | 2y ago | Undertow Uncontrolled Resource Consumption Vulnerability |
| CVE-2024-26308 | unknown | — | — |  |  |  | 2y ago | Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file |
| CVE-2024-25710 | unknown | — | — |  |  |  | 2y ago | Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file |
| CVE-2024-20925 | unknown | — | — |  |  |  | 2y ago | Vulnerability affecting the org.openjfx:javafx-media maven component of the OpenJFX project |
| CVE-2024-24758 | unknown | — | — |  |  |  | 2y ago | Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue ha… |
| CVE-2024-24750 | unknown | — | — |  |  |  | 2y ago | Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory lea… |
| CVE-2024-25125 | unknown | — | — |  |  |  | 2y ago | Absolute path traversal vulnerability in digdag server |
| CVE-2024-1459 | unknown | — | — |  |  |  | 2y ago | Undertow Path Traversal vulnerability |
| CVE-2024-23833 | unknown | — | — |  |  |  | 2y ago | OpenRefine JDBC Attack Vulnerability |
| CVE-2024-21490 | unknown | — | — |  |  |  | 2y ago | angular vulnerable to super-linear runtime due to backtracking |
| CVE-2024-23639 | unknown | — | — |  |  |  | 2y ago | Micronaut management endpoints vulnerable to drive-by localhost attack |
| CVE-2024-25817 | unknown | — | — |  |  |  | 2y ago | Buffer Overflow vulnerability in eza before version 0.18.2, allows local attackers to execute arbitrary code via the .git/HEAD, .git/refs, and .git/objects components. |
| CVE-2024-24113 | unknown | — | — |  |  |  | 2y ago | XXL-JOB vulnerable to Server-Side Request Forgery |
| CVE-2024-24821 | unknown | — | — |  |  |  | 2y ago | Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the e… |
| CVE-2024-25144 | unknown | — | — |  |  |  | 2y ago | Liferay Portal denial-of-service vulnerability |
| CVE-2024-25148 | unknown | — | — |  |  |  | 2y ago | Liferay Portal vulnerable to user impersonation |
| CVE-2024-25146 | unknown | — | — |  |  |  | 2y ago | Liferay Portal allows attackers to discover the existence of sites |
| CVE-2024-24823 | unknown | — | — |  |  |  | 2y ago | Graylog session fixation vulnerability through cookie injection |
| CVE-2024-24824 | unknown | — | — |  |  |  | 2y ago | Graylog vulnerable to instantiation of arbitrary classes triggered by API request |
| CVE-2024-25145 | unknown | — | — |  |  |  | 2y ago | Liferay Portal stored cross-site scripting (XSS) vulnerability |
| CVE-2024-25143 | unknown | — | — |  |  |  | 2y ago | Liferay Portal denial of service (memory consumption) |
| CVE-2024-23673 | unknown | — | — |  |  |  | 2y ago | Apache Sling Servlets Resolver executes malicious code via path traversal |
| CVE-2024-22567 | unknown | — | — |  |  |  | 2y ago | mingSoft MCMS File Upload vulnerability |
| CVE-2024-23635 | unknown | — | — |  |  |  | 2y ago | Malicious input can provoke XSS when preserving comments |
| CVE-2024-1143 | unknown | — | — |  |  |  | 2y ago | Central Dogma Authentication Bypass Vulnerability via Session Leakage |
| CVE-2024-22533 | unknown | — | — |  |  |  | 2y ago | Beetl Server-Side Template Injection vulnerability |
| CVE-2024-24557 | unknown | — | — |  |  |  | 2y ago | Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to… |
| CVE-2024-22236 | unknown | — | — |  |  |  | 2y ago | Spring Cloud Contract vulnerable to local information disclosure |
| CVE-2024-24565 | unknown | — | — |  |  |  | 2y ago | CrateDB database has an arbitrary file read vulnerability |
| CVE-2024-23829 | unknown | — | — |  |  |  | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must tr… |
| CVE-2024-23905 | unknown | — | — |  |  |  | 2y ago | Content-Security-Policy disabled by Red Hat Dependency Analytics Jenkins Plugin |
| CVE-2024-23902 | unknown | — | — |  |  |  | 2y ago | CSRF vulnerability in Jenkins GitLab Branch Source Plugin |
| CVE-2024-23898 | unknown | — | — |  |  |  | 2y ago | Cross-site WebSocket hijacking vulnerability in the Jenkins CLI |
| CVE-2024-23900 | unknown | — | — |  |  |  | 2y ago | Path traversal vulnerability in Jenkins Matrix Project Plugin |
| CVE-2024-23901 | unknown | — | — |  |  |  | 2y ago | Shared projects are unconditionally discovered by Jenkins GitLab Branch Source Plugin |
| CVE-2024-23904 | unknown | — | — |  |  |  | 2y ago | Arbitrary file read vulnerability in Jenkins Log Command Plugin |
| CVE-2024-23903 | unknown | — | — |  |  |  | 2y ago | Non-constant time webhook token comparison in Jenkins GitLab Branch Source Plugin |
| CVE-2024-23899 | unknown | — | — |  |  |  | 2y ago | Arbitrary file read vulnerability in Git server Plugin can lead to RCE |
| CVE-2024-22497 | unknown | — | — |  |  |  | 2y ago | Cross-site Scripting in JFinal |
| CVE-2024-23636 | unknown | — | — |  |  |  | 2y ago | Remote Command Execution in SOFARPC |
| CVE-2024-22496 | unknown | — | — |  |  |  | 2y ago | Cross-site Scripting in JFinal |
| CVE-2024-22490 | unknown | — | — |  |  |  | 2y ago | Cross-site Scripting in beetl-bbs |
| CVE-2024-22233 | unknown | — | — |  |  |  | 2y ago | Spring Framework server Web DoS Vulnerability |
| CVE-2024-23686 | unknown | — | — |  |  |  | 2y ago | Insertion of Sensitive Information into Log File in OWASP DependencyCheck |
| CVE-2024-23685 | unknown | — | — |  |  |  | 2y ago | Hard-coded System User Credentials in Folio Data Export Spring module |
| CVE-2024-23679 | unknown | — | — |  |  |  | 2y ago | com.enonic.xp:lib-auth vulnerable to Session Fixation |
| CVE-2024-23683 | unknown | — | — |  |  |  | 2y ago | Trust Boundary Violation due to Incomplete Blacklist in Test Failure Processing in Ares |
| CVE-2024-23689 | unknown | — | — |  |  |  | 2y ago | ClickHouse vulnerable to client certificate password exposure in client exception |
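Most rows in this table carry no rated severity, so sorting on the Severity column alone gives no review order. The script below is an added example, not part of this feed or of any project listed in it: it parses rows in the table's nine-column layout (CVE id first, "2y ago" in the Published column, description last), ranks unrated rows with an impact-keyword heuristic, and recomputes the headline figures from the summary block. The sample rows are copied from the listing above into that layout, and the keyword tiers, the `Row` type and all helper names are constructed for the example.

```python
"""Triage helper for a CVE feed table (added example; heuristics are hand-picked, not a CVSS/CWE mapping)."""
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample: five rows from the listing, in the table's nine-column layout.
# CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description
SAMPLE_TABLE = """\
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-28161 | unknown | — | — |  |  |  | 2y ago | Jenkins Delphix Plugin has SSL/TLS certificate validation disabled by default |
| CVE-2024-2097 | medium | — | — |  |  |  | 2y ago | RHSA-2024:1141: mysql security update (Moderate) |
| CVE-2024-23899 | unknown | — | — |  |  |  | 2y ago | Arbitrary file read vulnerability in Git server Plugin can lead to RCE |
| CVE-2024-22243 | unknown | — | — |  |  |  | 2y ago | Spring Web vulnerable to Open Redirect or Server Side Request Forgery |
| CVE-2024-25607 | unknown | — | — |  |  |  | 2y ago | Liferay Portal defaults to a low work factor for the default password hashing algorithm |
"""

# Headline figures copied from the summary block on this page.
TOTAL_CVES = 6686
RATED = {"critical": 124, "high": 1048, "medium": 2024, "low": 48}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Impact tiers for rows whose severity is unknown. Word boundaries matter:
# without them "rce" would match inside "Source" or "Resource".
IMPACT_TIERS = (
    (3, re.compile(r"\b(rce|remote (command|code) execution|code execution|deserialization|"
                   r"authentication bypass|template injection|arbitrary classes)\b", re.I)),
    (2, re.compile(r"\b(arbitrary file read|path traversal|ssrf|server.side request forgery|"
                   r"broken access control|missing permission|session fixation)", re.I)),
    (1, re.compile(r"\b(cross.site scripting|xss|csrf|cross.site request forgery|"
                   r"denial of service|information disclosure)", re.I)),
)


class Row(NamedTuple):
    cve: str
    severity: str
    published: str
    description: str


def parse_table(text: str) -> list[Row]:
    """Parse markdown table rows; header, separator and malformed rows are skipped.
    A description containing a literal '|' would split wrongly; this feed has none."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 9 or not CVE_ID.match(cells[0]):
            continue
        rows.append(Row(cells[0], cells[1].lower(), cells[7], cells[8]))
    return rows


def impact_tier(description: str) -> int:
    """Highest matching tier, 0 when no impact keyword is present."""
    for tier, pattern in IMPACT_TIERS:
        if pattern.search(description):
            return tier
    return 0


def triage(rows: list[Row]) -> list[Row]:
    """Review order: impact tier, then rated severity, then CVE id as a stable tiebreak."""
    return sorted(rows, key=lambda r: (-impact_tier(r.description),
                                       -SEVERITY_RANK.get(r.severity, 0), r.cve))


def severity_counts(rows: list[Row]) -> Counter:
    return Counter(r.severity for r in rows)


def pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal, the way the summary block displays it."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def unrated_count(total: int, rated: dict) -> int:
    """Entries the four severity buckets do not account for."""
    return total - sum(rated.values())


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    print(f"critical share: {pct(RATED['critical'], TOTAL_CVES)}%  "
          f"unrated entries: {unrated_count(TOTAL_CVES, RATED)}")
    for r in triage(rows):
        print(f"tier {impact_tier(r.description)}  {r.cve:<15} {r.severity:<8} {r.description}")
```

Feed it your own export of the table in place of `SAMPLE_TABLE`; when the Flags column is populated (KEV or exploit markers), add those as a higher-priority key in `triage` than the keyword tier, since a known-exploited entry outranks any guess from its description.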