Total
126 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-8315 | 2025-03-27 | N/A | N/A | ||
| An Improper Handling of Insufficient Permissions or Privileges vulnerability in scripts used in B&R APROL <4.4-00P5 may allow an authenticated local attacker to read credential information. | |||||
| CVE-2025-0478 | 2025-03-27 | N/A | 7.8 HIGH | ||
| Software installed and run as a non-privileged user may conduct improper GPU system calls to issue reads and writes to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform, altering their behaviour. | |||||
| CVE-2024-0015 | 1 Google | 1 Android | 2025-03-14 | N/A | 7.8 HIGH |
| In convertToComponentName of DreamService.java, there is a possible way to launch arbitrary protected activities due to intent redirection. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-52537 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-13 | N/A | 7.5 HIGH |
| Vulnerability of package name verification being bypassed in the HwIms module. Impact: Successful exploitation of this vulnerability will affect availability. | |||||
| CVE-2024-30418 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-13 | N/A | 7.5 HIGH |
| Vulnerability of insufficient permission verification in the app management module. Impact: Successful exploitation of this vulnerability will affect availability. | |||||
| CVE-2023-27087 | 1 Xuxueli | 1 Xxl-job | 2025-02-26 | N/A | 7.5 HIGH |
| Permissions vulnerabiltiy found in Xuxueli xxl-job v2.2.0, v 2.3.0 and v.2.3.1 allows attacker to obtain sensitive information via the pageList parameter. | |||||
| CVE-2024-6697 | 2025-02-20 | N/A | 6.5 MEDIUM | ||
| The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service. An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact. | |||||
| CVE-2024-24116 | 1 Ruijie | 2 Rg-nbs2009g-p, Rg-nbs2009g-p Firmware | 2025-02-10 | N/A | 9.8 CRITICAL |
| An issue in Ruijie RG-NBS2009G-P RGOS v.10.4(1)P2 Release(9736) allows a remote attacker to gain privileges via the system/config_menu.htm. | |||||
| CVE-2025-22395 | 1 Dell | 1 Update Package Framework | 2025-02-04 | N/A | 8.2 HIGH |
| Dell Update Package Framework, versions prior to 22.01.02, contain(s) a Local Privilege Escalation Vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary remote scripts on the server. Exploitation may lead to a denial of service by an attacker. | |||||
| CVE-2024-0560 | 1 Redhat | 2 3scale, Keycloak | 2025-01-21 | N/A | 6.3 MEDIUM |
| A vulnerability was found in 3Scale, when used with Keycloak 15 (or RHSSO 7.5.0) and superiors. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but the field was removed on RH-SSO 7.5. As a result, the policy doesn't inspect tokens, it determines that all tokens are valid. | |||||
| CVE-2024-43705 | 2024-12-28 | N/A | 7.8 HIGH | ||
| Software installed and run as a non-privileged user can trigger the GPU kernel driver to write to arbitrary read-only system files that have been mapped into application memory. | |||||
| CVE-2024-42194 | 2024-12-17 | N/A | 3.1 LOW | ||
| An improper handling of insufficient permissions or privileges affects HCL BigFix Inventory. An attacker having access via a read-only account can possibly change certain configuration parameters by crafting a specific REST API call. | |||||
| CVE-2024-23704 | 1 Google | 1 Android | 2024-12-17 | N/A | 7.8 HIGH |
| In onCreate of WifiDialogActivity.java, there is a possible way to bypass the DISALLOW_ADD_WIFI_CONFIG restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2024-35301 | 1 Jetbrains | 1 Teamcity | 2024-12-16 | N/A | 5.5 MEDIUM |
| In JetBrains TeamCity before 2024.03.1 commit status publisher didn't check project scope of the GitHub App token | |||||
| CVE-2024-46874 | 1 Ruijienetworks | 1 Reyee Os | 2024-12-10 | N/A | 8.1 HIGH |
| Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow MQTT clients connecting with device credentials to send messages to some topics. Attackers with device credentials could issue commands to other devices on behalf of Ruijie's cloud. | |||||
| CVE-2024-27837 | 1 Apple | 1 Macos | 2024-12-09 | N/A | 3.3 LOW |
| A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Sonoma 14.5. A local attacker may gain access to Keychain items. | |||||
| CVE-2024-43702 | 2024-12-01 | N/A | 8.1 HIGH | ||
| Software installed and run as a non-privileged user may conduct improper GPU system calls to allow unprivileged access to arbitrary physical memory page. | |||||
| CVE-2024-6302 | 1 Conduit | 1 Conduit | 2024-11-21 | N/A | 8.1 HIGH |
| Lack of privilege checking when processing a redaction in Conduit versions v0.6.0 and lower, allowing a local user to redact any message from users on the same server, given that they are able to send redaction events. | |||||
| CVE-2024-5163 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Improper permission settings for mobile applications (com.transsion.carlcare) may lead to user password and account security risks. | |||||
| CVE-2024-39691 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The fix for GHSA-wm4w-7h2q-3pf7 / CVE-2024-32000 included in matrix-appservice-irc 2.0.0 relied on the Matrix homeserver-provided timestamp to determine whether a user has access to the event they're replying to when determining whether or not to include a truncated version of the original event in the IRC message. Since this value is controlled by external entities, a malicious Matrix homeserver joined to a room in which a matrix-appservice-irc bridge instance (before version 2.0.1) is present can fabricate the timestamp with the intent of tricking the bridge into leaking room messages the homeserver should not have access to. matrix-appservice-irc 2.0.1 drops the reliance on `origin_server_ts` when determining whether or not an event should be visible to a user, instead tracking the event timestamps internally. As a workaround, it's possible to limit the amount of information leaked by setting a reply template that doesn't contain the original message. | |||||