Topics

Sort by:
Attacker Value
Moderate

CVE-2024-27199

Disclosure Date: March 04, 2024 (last updated March 05, 2024)
In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible
2
Attacker Value
Very High

CVE-2024-27198

Disclosure Date: March 04, 2024 (last updated March 06, 2024)
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
Attacker Value
High

CVE-2024-23334

Disclosure Date: January 29, 2024 (last updated February 06, 2024)
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
Attacker Value
Unknown

CVE-2024-21423

Disclosure Date: February 23, 2024 (last updated February 24, 2024)
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
Attacker Value
Very High

CVE-2023-47218

Disclosure Date: February 13, 2024 (last updated February 13, 2024)
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later
2
Attacker Value
Low

CVE-2024-1548

Disclosure Date: February 20, 2024 (last updated February 21, 2024)
A website could have obscured the fullscreen notification by using a dropdown select input element. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.
1
Attacker Value
Very High

CVE-2020-3259

Disclosure Date: May 06, 2020 (last updated February 16, 2024)
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. An attacker could exploit this vulnerability by sending a crafted GET request to the web services interface. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information. Note: This vulnerability affects only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.
Attacker Value
Very High

CVE-2024-1709

Disclosure Date: February 21, 2024 (last updated February 23, 2024)
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
Attacker Value
Very Low

CVE-2024-20931

Disclosure Date: February 17, 2024 (last updated February 17, 2024)
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Attacker Value
Low

CVE-2024-20328

Disclosure Date: March 01, 2024 (last updated March 02, 2024)
A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application service account.The vulnerability is due to unsafe handling of file names. A local attacker could exploit this vulnerability by supplying a file name containing command-line sequences. When processed on a system using configuration options for the VirusEvent feature, the attacker could cause the application to execute arbitrary commands. ClamAV has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
1