CVEs from 2024
Total
9,633
critical
critical 114
high
high 1,043
medium
medium 1,991
low
low 40
% Critical
1.2%
% with KEV
1.7%
% with exploit
1.7%
Top vendors
Top products
- checkmk 10
- office 8
- profilegrid 8
- office_long_term_servicing_channel 6
- glibc 5
- virtual_traffic_manager 5
- element_pack 5
- propertyhive 5
Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2024-57726 | unknown | — | 1.5 | 1mo ago | SimpleHelp contains a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges … | |
| CVE-2024-57728 | unknown | — | 1.5 | 1mo ago | SimpleHelp contains a path traversal vulnerability that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited… | |
| CVE-2024-7399 | unknown | — | 1.5 | 1mo ago | Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority. | |
| CVE-2024-27199 | unknown | — | 1.5 | 1mo ago | JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed. | |
| CVE-2024-7694 | unknown | — | 1.5 | 3mo ago | TeamT5 ThreatSonar Anti-Ransomware contains an unrestricted upload of file with dangerous type vulnerability. ThreatSonar Anti-Ransomware does not properly validate the content of uploaded files. Rem… | |
| CVE-2024-43468 | unknown | — | 1.5 | 4mo ago | Microsoft Configuration Manager contains an SQL injection vulnerability. An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment w… | |
| CVE-2024-37079 | unknown | — | 1.5 | 4mo ago | Broadcom VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. This could allow a malicious actor with network access to vCenter Server to … | |
| CVE-2024-8069 | unknown | — | 1.5 | 9mo ago | Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account access. Attacker must be an au… | |
| CVE-2024-8068 | unknown | — | 1.5 | 9mo ago | Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user … | |
| CVE-2024-54085 | unknown | — | 1.5 | 11mo ago | AMI MegaRAC SPx contains an authentication bypass by spoofing vulnerability in the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integ… | |
| CVE-2024-0769 | unknown | — | 1.5 | 11mo ago | D-Link DIR-859 routers contain a path traversal vulnerability in the file /hedwig.cgi of the component HTTP POST Request Handler. Manipulation of the argument service with the input ../../../../htdoc… | |
| CVE-2024-42009 | unknown | — | 1.5 | 1y ago | A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desani… | |
| CVE-2024-11182 | unknown | — | 1.5 | 1y ago | MDaemon Email Server contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to load arbitrary JavaScript code via an HTML e-mail message. | |
| CVE-2024-27443 | unknown | — | 1.5 | 1y ago | Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an … | |
| CVE-2024-12987 | unknown | — | 1.5 | 1y ago | DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web ma… | |
| CVE-2024-6047 | unknown | — | 1.5 | 1y ago | Multiple GeoVision devices contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to inject and execute arbitrary system commands. The impacted products could be… | |
| CVE-2024-11120 | unknown | — | 1.5 | 1y ago | Multiple GeoVision devices contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to inject and execute arbitrary system commands. The impacted products could be… | |
| CVE-2024-58136 | unknown | — | 1.5 | 1y ago | Yii Framework contains an improper protection of alternate path vulnerability that may allow a remote attacker to execute arbitrary code. This vulnerability could affect other products that implement… | |
| CVE-2024-20439 | unknown | — | 1.5 | 1y ago | Cisco Smart Licensing Utility contains a static credential vulnerability that allows an unauthenticated, remote attacker to log in to an affected system and gain administrative credentials. | |
| CVE-2024-48248 | unknown | — | 1.5 | 1y ago | NAKIVO Backup and Replication contains an absolute path traversal vulnerability that enables an attacker to read arbitrary files. | |
| CVE-2024-13159 | unknown | — | 1.5 | 1y ago | Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information. | |
| CVE-2024-13160 | unknown | — | 1.5 | 1y ago | Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information. | |
| CVE-2024-57968 | unknown | — | 1.5 | 1y ago | Advantive VeraCore contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx. | |
| CVE-2024-13161 | unknown | — | 1.5 | 1y ago | Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information. | |
| CVE-2024-4885 | unknown | — | 1.5 | 1y ago | Progress WhatsUp Gold contains a path traversal vulnerability that allows an unauthenticated attacker to achieve remote code execution. | |
| CVE-2024-49035 | unknown | — | 1.5 | 1y ago | Microsoft Partner Center contains an improper access control vulnerability that allows an attacker to escalate privileges. | |
| CVE-2024-20953 | unknown | — | 1.5 | 1y ago | Oracle Agile Product Lifecycle Management (PLM) contains a deserialization vulnerability that allows a low-privileged attacker with network access via HTTP to compromise the system. | |
| CVE-2024-53704 | unknown | — | 1.5 | 1y ago | SonicWall SonicOS contains an improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication. | |
| CVE-2024-57727 | unknown | — | 1.5 | 1y ago | SimpleHelp remote support software contains multiple path traversal vulnerabilities that allow unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP r… | |
| CVE-2024-41710 | unknown | — | 1.5 | 1y ago | Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, contain an argument injection vulnerability due to insufficient parameter sanitization during the boot… | |
| CVE-2024-40890 | unknown | — | 1.5 | 1y ago | Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP re… | |
| CVE-2024-40891 | unknown | — | 1.5 | 1y ago | Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the management commands that could allow an authenticated attacker to execute OS commands via Telnet. | |
| CVE-2024-21413 | unknown | — | 1.5 | 1y ago | Microsoft Outlook contains an improper input validation vulnerability that allows for remote code execution. Successful exploitation of this vulnerability would allow an attacker to bypass the Office… | |
| CVE-2024-29059 | unknown | — | 1.5 | 1y ago | Microsoft .NET Framework contains an information disclosure vulnerability that exposes the ObjRef URI to an attacker, ultimately enabling remote code execution. | |
| CVE-2024-45195 | unknown | — | 1.5 | 1y ago | Apache OFBiz contains a forced browsing vulnerability that allows a remote attacker to obtain unauthorized access. | |
| CVE-2024-50603 | unknown | — | 1.5 | 1y ago | Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type fo… | |
| CVE-2024-55591 | unknown | — | 1.5 | 1y ago | Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that may allow an unauthenticated, remote attacker to gain super-admin privileges via crafted requests to Node.js websoc… | |
| CVE-2024-12686 | unknown | — | 1.5 | 1y ago | BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain an OS command injection vulnerability that can be exploited by an attacker with existing administrative privileges to upload… | |
| CVE-2024-55550 | unknown | — | 1.5 | 1y ago | Mitel MiCollab contains a path traversal vulnerability that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input saniti… | |
| CVE-2024-41713 | unknown | — | 1.5 | 1y ago | Mitel MiCollab contains a path traversal vulnerability that could allow an attacker to gain unauthorized and unauthenticated access. This vulnerability can be chained with CVE-2024-55550, which allow… | |
| CVE-2024-3393 | unknown | — | 1.5 | 1y ago | Palo Alto Networks PAN-OS contains a vulnerability in parsing and logging malicious DNS packets in the DNS Security feature that, when exploited, allows an unauthenticated attacker to remotely reboot… | |
| CVE-2024-12356 | unknown | — | 1.5 | 2y ago | BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site use… | |
| CVE-2024-56145 | unknown | — | 1.5 | 2y ago | Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled. | |
| CVE-2024-55956 | unknown | — | 1.5 | 2y ago | Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload vulnerability that could allow an unauthenticated user to import and execute arbitra… | |
| CVE-2024-20767 | unknown | — | 1.5 | 2y ago | Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted files via an internet-exposed admin panel. | |
| CVE-2024-35250 | unknown | — | 1.5 | 2y ago | Microsoft Windows Kernel-Mode Driver contains an untrusted pointer dereference vulnerability that allows a local attacker to escalate privileges. | |
| CVE-2024-50623 | unknown | — | 1.5 | 2y ago | Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead to remote code execution with elevated priv… | |
| CVE-2024-49138 | unknown | — | 1.5 | 2y ago | Microsoft Windows Common Log File System (CLFS) driver contains a heap-based buffer overflow vulnerability that allows a local attacker to escalate privileges. | |
| CVE-2024-51378 | unknown | — | 1.5 | 2y ago | CyberPanel contains an incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property. | |
| CVE-2024-11667 | unknown | — | 1.5 | 2y ago | Multiple Zyxel firewalls contain a path traversal vulnerability in the web management interface that could allow an attacker to download or upload files via a crafted URL. | |
| CVE-2024-11680 | unknown | — | 1.5 | 2y ago | ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP re… | |
| CVE-2024-21287 | unknown | — | 1.5 | 2y ago | Oracle Agile Product Lifecycle Management (PLM) contains an incorrect authorization vulnerability in the Process Extension component of the Software Development Kit. Successful exploitation of this v… | |
| CVE-2024-44308 | unknown | — | 1.5 | 2y ago | Apple iOS, macOS, and other Apple products contain an unspecified vulnerability when processing maliciously crafted web content that may lead to arbitrary code execution. | |
| CVE-2024-38812 | unknown | — | 1.5 | 2y ago | VMware vCenter Server contains a heap-based buffer overflow vulnerability in the implementation of the DCERPC protocol. This vulnerability could allow an attacker with network access to the vCenter S… | |
| CVE-2024-38813 | unknown | — | 1.5 | 2y ago | VMware vCenter contains an improper check for dropped privileges vulnerability. This vulnerability could allow an attacker with network access to the vCenter Server to escalate privileges to root by … | |
| CVE-2024-1212 | unknown | — | 1.5 | 2y ago | Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbi… | |
| CVE-2024-0012 | unknown | — | 1.5 | 2y ago | Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in the web-based management interface for several PAN-OS products, including firewalls and VPN concentrators. | |
| CVE-2024-9474 | unknown | — | 1.5 | 2y ago | Palo Alto Networks PAN-OS contains an OS command injection vulnerability that allows for privilege escalation through the web-based management interface for several PAN products, including firewalls … | |
| CVE-2024-9465 | unknown | — | 1.5 | 2y ago | Palo Alto Networks Expedition contains a SQL injection vulnerability that allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configu… | |
| CVE-2024-9463 | unknown | — | 1.5 | 2y ago | Palo Alto Networks Expedition contains an OS command injection vulnerability that allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of use… | |
| CVE-2024-49039 | unknown | — | 1.5 | 2y ago | Microsoft Windows Task Scheduler contains a privilege escalation vulnerability that can allow an attacker-provided, local application to escalate privileges outside of its AppContainer, and access pr… | |
| CVE-2024-43451 | unknown | — | 1.5 | 2y ago | Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a file open operation. The attacker could then leverage this h… | |
| CVE-2024-5910 | unknown | — | 1.5 | 2y ago | Palo Alto Networks Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration … | |
| CVE-2024-51567 | unknown | — | 1.5 | 2y ago | CyberPanel contains an incorrect default permissions vulnerability that allows a remote, unauthenticated attacker to execute commands as root. | |
| CVE-2024-43093 | unknown | — | 1.5 | 2y ago | Android Framework contains an unspecified vulnerability that allows for privilege escalation. | |
| CVE-2024-8957 | unknown | — | 1.5 | 2y ago | PTZOptics PT30X-SDI/NDI cameras contain an OS command injection vulnerability that allows a remote, authenticated attacker to escalate privileges to root via a crafted payload with the ntp_addr param… | |
| CVE-2024-8956 | unknown | — | 1.5 | 2y ago | PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote, attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If comb… | |
| CVE-2024-37383 | unknown | — | 1.5 | 2y ago | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. | |
| CVE-2024-20481 | unknown | — | 1.5 | 2y ago | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a missing release of resource after effective lifetime vulnerability that could allow an unauthenticated, remote att… | |
| CVE-2024-47575 | unknown | — | 1.5 | 2y ago | Fortinet FortiManager contains a missing authentication vulnerability in the fgfmd daemon that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted re… | |
| CVE-2024-38094 | unknown | — | 1.5 | 2y ago | Microsoft SharePoint contains a deserialization vulnerability that allows for remote code execution. | |
| CVE-2024-9537 | unknown | — | 1.5 | 2y ago | ScienceLogic SL1 (formerly EM7) is affected by an unspecified vulnerability involving an unspecified third-party component. | |
| CVE-2024-40711 | unknown | — | 1.5 | 2y ago | Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution. | |
| CVE-2024-28987 | unknown | — | 1.5 | 2y ago | SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data. | |
| CVE-2024-30088 | unknown | — | 1.5 | 2y ago | Microsoft Windows Kernel contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that could allow for privilege escalation. | |
| CVE-2024-23113 | unknown | — | 1.5 | 2y ago | Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb contain a format string vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted r… | |
| CVE-2024-9380 | unknown | — | 1.5 | 2y ago | Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass … | |
| CVE-2024-9379 | unknown | — | 1.5 | 2y ago | Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to r… | |
| CVE-2024-43047 | unknown | — | 1.5 | 2y ago | Multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services while maintaining memory maps of HLOS memory. | |
| CVE-2024-43573 | unknown | — | 1.5 | 2y ago | Microsoft Windows MSHTML Platform contains an unspecified spoofing vulnerability which can lead to a loss of confidentiality. | |
| CVE-2024-43572 | unknown | — | 1.5 | 2y ago | Microsoft Windows Management Console contains unspecified vulnerability that allows for remote code execution. | |
| CVE-2024-45519 | unknown | — | 1.5 | 2y ago | Synacor Zimbra Collaboration Suite (ZCS) contains an unspecified vulnerability in the postjournal service that may allow an unauthenticated user to execute commands. | |
| CVE-2024-29824 | unknown | — | 1.5 | 2y ago | Ivanti Endpoint Manager (EPM) contains a SQL injection vulnerability in Core server that allows an unauthenticated attacker within the same network to execute arbitrary code. | |
| CVE-2024-8963 | unknown | — | 1.5 | 2y ago | Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conju… | |
| CVE-2024-43461 | unknown | — | 1.5 | 2y ago | Microsoft Windows MSHTML Platform contains a user interface (UI) misrepresentation of critical information vulnerability that allows an attacker to spoof a web page. This vulnerability was exploited … | |
| CVE-2024-6670 | unknown | — | 1.5 | 2y ago | Progress WhatsUp Gold contains a SQL injection vulnerability that allows an unauthenticated attacker to retrieve the user's encrypted password if the application is configured with only a single user. | |
| CVE-2024-8190 | unknown | — | 1.5 | 2y ago | Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass … | |
| CVE-2024-38014 | unknown | — | 1.5 | 2y ago | Microsoft Windows Installer contains an improper privilege management vulnerability that could allow an attacker to gain SYSTEM privileges. | |
| CVE-2024-38217 | unknown | — | 1.5 | 2y ago | Microsoft Windows Mark of the Web (MOTW) contains a protection mechanism failure vulnerability that allows an attacker to bypass MOTW-based defenses. This can result in a limited loss of integrity an… | |
| CVE-2024-38226 | unknown | — | 1.5 | 2y ago | Microsoft Publisher contains a protection mechanism failure vulnerability that allows attacker to bypass Office macro policies used to block untrusted or malicious files. | |
| CVE-2024-40766 | unknown | — | 1.5 | 2y ago | SonicWall SonicOS contains an improper access control vulnerability that could lead to unauthorized resource access and, under certain conditions, may cause the firewall to crash. | |
| CVE-2024-7262 | unknown | — | 1.5 | 2y ago | Kingsoft WPS Office contains a path traversal vulnerability in promecefpluginhost.exe on Windows that allows an attacker to load an arbitrary Windows library. | |
| CVE-2024-7965 | unknown | — | 1.5 | 2y ago | Google Chromium V8 contains an inappropriate implementation vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect… | |
| CVE-2024-38856 | unknown | — | 1.5 | 2y ago | Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker. | |
| CVE-2024-7971 | unknown | — | 1.5 | 2y ago | Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that… | |
| CVE-2024-39717 | unknown | — | 1.5 | 2y ago | The Versa Director GUI contains an unrestricted upload of file with dangerous type vulnerability that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privil… | |
| CVE-2024-28986 | unknown | — | 1.5 | 2y ago | SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could allow for remote code execution. | |
| CVE-2024-38106 | unknown | — | 1.5 | 2y ago | Microsoft Windows Kernel contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges. Successful exploitation of this vulnerability… | |
| CVE-2024-38107 | unknown | — | 1.5 | 2y ago | Microsoft Windows Power Dependency Coordinator contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to obtain SYSTEM privileges. | |
| CVE-2024-38178 | unknown | — | 1.5 | 2y ago | Microsoft Windows Scripting Engine contains a memory corruption vulnerability that allows unauthenticated attacker to initiate remote code execution via a specially crafted URL. |