Search
CVE Explorer
Search the full tracked CVE corpus across every vendor — by keyword, vendor, severity, CVSS band and publication date. Server-rendered; each filtered view has its own URL.
01
Filters
Submit to refine — state is held in the URL.
02
Results
34,799 matching · page 376/696Each CVE id links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2024-38475(opens NVD record) | Critical | 9.1 | Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained. | Jul 1, 2024 |
| CVE-2024-38474(opens NVD record) | Critical | 9.8 | Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified. | Jul 1, 2024 |
| CVE-2024-38473(opens NVD record) | High | 8.1 | Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue. | Jul 1, 2024 |
| CVE-2024-38472(opens NVD record) | High | 7.5 | SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing. | Jul 1, 2024 |
| CVE-2024-36387(opens NVD record) | Medium | 5.4 | Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. | Jul 1, 2024 |
| CVE-2024-36991(opens NVD record) | High | 7.5 | In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows. | Jul 1, 2024 |
| CVE-2024-21586(opens NVD record) | High | 7.5 | An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series and NFX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an affected device receives specific valid traffic destined to the device, it will cause the PFE to crash and restart. Continued receipt and processing of this traffic will create a sustained DoS condition. This issue affects Junos OS on SRX Series: * 21.4 versions before 21.4R3-S7.9, * 22.1 versions before 22.1R3-S5.3, * 22.2 versions before 22.2R3-S4.11, * 22.3 versions before 22.3R3, * 22.4 versions before 22.4R3. This issue affects Junos OS on NFX Series: * 21.4 versions before 21.4R3-S8, * 22.1 versions after 22.1R1, * 22.2 versions before 22.2R3-S5, * 22.3 versions before 22.3R3, * 22.4 versions before 22.4R3. Junos OS versions prior to 21.4R1 are not affected by this issue. | Jul 1, 2024 |
| CVE-2024-20399(opens NVD record) | Medium | 6.0 | A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated user in possession of Administrator credentials to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root. Note: To successfully exploit this vulnerability on a Cisco NX-OS device, an attacker must have Administrator credentials. The following Cisco devices already allow administrative users to access the underlying operating system through the bash-shell feature, so, for these devices, this vulnerability does not grant any additional privileges: Nexus 3000 Series Switches Nexus 7000 Series Switches that are running Cisco NX-OS Software releases 8.1(1) and later Nexus 9000 Series Switches in standalone NX-OS mode | Jul 1, 2024 |
| CVE-2024-24749(opens NVD record) | High | 7.5 | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.5 and 2.24.3, if GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation in the GeoWebCache ByteStreamController class and read arbitrary classpath resources with specific file name extensions. If GeoServer is also deployed as a web archive using the data directory embedded in the `geoserver.war` file (rather than an external data directory), it will likely be possible to read specific resources to gain administrator privileges. However, it is very unlikely that production environments will be using the embedded data directory since, depending on how GeoServer is deployed, it will be erased and re-installed (which would also reset to the default password) either every time the server restarts or every time a new GeoServer WAR is installed and is therefore difficult to maintain. An external data directory will always be used if GeoServer is running in standalone mode (via an installer or a binary). Versions 2.23.5 and 2.24.3 contain a patch for the issue. Some workarounds are available. One may change from a Windows environment to a Linux environment; or change from Apache Tomcat to Jetty application server. One may also disable anonymous access to the embeded GeoWebCache administration and status pages. | Jul 1, 2024 |
| CVE-2024-6387(opens NVD record) | High | 8.1 | A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. | Jul 1, 2024 |
| CVE-2024-28794(opens NVD record) | Medium | 5.4 | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 286831. | Jun 30, 2024 |
| CVE-2023-50964(opens NVD record) | Medium | 5.4 | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 276102. | Jun 30, 2024 |
| CVE-2024-31898(opens NVD record) | Medium | 5.4 | IBM InfoSphere Information Server 11.7 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references. IBM X-Force ID: 288182. | Jun 30, 2024 |
| CVE-2024-28797(opens NVD record) | Medium | 6.4 | IBM InfoSphere Information Server 11.7 is vulnerable stored to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 287136. | Jun 30, 2024 |
| CVE-2023-50953(opens NVD record) | Medium | 5.4 | IBM InfoSphere Information Server 11.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system. IBM X-Force ID: 275775. | Jun 30, 2024 |
| CVE-2023-50952(opens NVD record) | Medium | 5.4 | IBM InfoSphere Information Server 11.7 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 275774. | Jun 30, 2024 |
| CVE-2024-35119(opens NVD record) | Medium | 5.3 | IBM InfoSphere Information Server 11.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in a stack trace. This information could be used in further attacks against the system. IBM X-Force ID: 290342. | Jun 30, 2024 |
| CVE-2024-31902(opens NVD record) | Medium | 4.3 | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 289234. | Jun 30, 2024 |
| CVE-2024-28798(opens NVD record) | High | 7.2 | IBM InfoSphere Information Server 11.7 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 287172. | Jun 30, 2024 |
| CVE-2023-50954(opens NVD record) | Medium | 4.3 | IBM InfoSphere Information Server 11.7 returns sensitive information in URL information that could be used in further attacks against the system. IBM X-Force ID: 275776. | Jun 30, 2024 |
| CVE-2024-28795(opens NVD record) | Medium | 5.4 | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 286832. | Jun 30, 2024 |
| CVE-2023-35022(opens NVD record) | Low | 3.3 | IBM InfoSphere Information Server 11.7 could allow a local user to update projects that they do not have the authorization to access. IBM X-Force ID: 258254. | Jun 30, 2024 |
| CVE-2024-25943(opens NVD record) | High | 7.6 | iDRAC9, versions prior to 7.00.00.172 for 14th Generation and 7.10.50.00 for 15th and 16th Generations, contains a session hijacking vulnerability in IPMI. A remote attacker could potentially exploit this vulnerability, leading to arbitrary code execution on the vulnerable application. | Jun 29, 2024 |
| CVE-2024-38322(opens NVD record) | Medium | 5.3 | IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.4 agent username and password error response discrepancy exposes product to brute force enumeration. IBM X-Force ID: 294869. | Jun 28, 2024 |
| CVE-2024-35156(opens NVD record) | Medium | 6.5 | IBM MQ 9.3 LTS and 9.3 CD could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 292766. | Jun 28, 2024 |
| CVE-2024-35116(opens NVD record) | Medium | 5.9 | IBM MQ 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.3 LTS, and 9.3 CD is vulnerable to a denial of service attack caused by an error applying configuration changes. IBM X-Force ID: 290335. | Jun 28, 2024 |
| CVE-2024-25053(opens NVD record) | Medium | 5.9 | IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, and 12.0.2 is vulnerable to improper certificate validation when using the IBM Planning Analytics Data Source Connection. This could allow an attacker to spoof a trusted entity by interfering in the communication path between IBM Planning Analytics server and IBM Cognos Analytics server. IBM X-Force ID: 283364. | Jun 28, 2024 |
| CVE-2024-25041(opens NVD record) | Medium | 5.4 | IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, and 12.0.2 is potentially vulnerable to cross site scripting (XSS). A remote attacker could execute malicious commands due to improper validation of column headings in Cognos Assistant. IBM X-Force ID: 282780. | Jun 28, 2024 |
| CVE-2024-25031(opens NVD record) | Medium | 6.5 | IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.4 uses an inadequate account lockout setting that could allow an attacker on the network to brute force account credentials. IBM X-Force ID: 281678. | Jun 28, 2024 |
| CVE-2022-38383(opens NVD record) | Medium | 4.0 | IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Software Suite 1.10.12.0 through 1.10.21.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 233673. | Jun 28, 2024 |
| CVE-2022-27540(opens NVD record) | High | 7.8 | A potential Time-of-Check to Time-of Use (TOCTOU) vulnerability has been identified in the HP BIOS for certain HP PC products, which might allow arbitrary code execution, denial of service, and information disclosure. HP is releasing BIOS updates to mitigate the potential vulnerability. | Jun 28, 2024 |
| CVE-2024-35155(opens NVD record) | Medium | 6.5 | IBM MQ Console 9.3 LTS and 9.3 CD could disclose could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 292765. | Jun 28, 2024 |
| CVE-2024-31919(opens NVD record) | Medium | 5.9 | IBM MQ 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.3 LTS and 9.3 CD, in certain configurations, is vulnerable to a denial of service attack caused by an error processing messages when an API Exit using MQBUFMH is used. IBM X-Force ID: 290259. | Jun 28, 2024 |
| CVE-2024-31912(opens NVD record) | High | 7.5 | IBM MQ 9.3 LTS and 9.3 CD could allow an authenticated user to escalate their privileges under certain configurations due to incorrect privilege assignment. IBM X-Force ID: 289894. | Jun 28, 2024 |
| CVE-2024-35139(opens NVD record) | Medium | 6.2 | IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to obtain sensitive information from the container due to incorrect default permissions. IBM X-Force ID: 292415. | Jun 28, 2024 |
| CVE-2024-35137(opens NVD record) | Medium | 6.2 | IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to possibly elevate their privileges due to sensitive configuration information being exposed. IBM X-Force ID: 292413. | Jun 28, 2024 |
| CVE-2024-37137(opens NVD record) | Low | 3.8 | Dell Key Trust Platform, v3.0.6 and prior, contains Use of a Cryptographic Primitive with a Risky Implementation vulnerability. A local privileged attacker could potentially exploit this vulnerability, leading to privileged information disclosure. | Jun 28, 2024 |
| CVE-2024-6127(opens NVD record) | Critical | 9.8 | BC Security Empire before 5.9.3 is vulnerable to a path traversal issue that can lead to remote code execution. A remote, unauthenticated attacker can exploit this vulnerability over HTTP by acting as a normal agent, completing all cryptographic handshakes, and then triggering an upload of payload data containing a malicious path. | Jun 27, 2024 |
| CVE-2023-38370(opens NVD record) | High | 7.5 | IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1, under certain configurations, could allow a user on the network to install malicious packages. IBM X-Force ID: 261197. | Jun 27, 2024 |
| CVE-2023-38368(opens NVD record) | Medium | 5.5 | IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could disclose sensitive information to a local user to do improper permission controls. IBM X-Force ID: 261195. | Jun 27, 2024 |
| CVE-2023-30998(opens NVD record) | High | 7.8 | IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to obtain root access due to improper access controls. IBM X-Force ID: 254649. | Jun 27, 2024 |
| CVE-2023-30997(opens NVD record) | High | 7.8 | IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to obtain root access due to improper access controls. IBM X-Force ID: 254638. | Jun 27, 2024 |
| CVE-2024-35260(opens NVD record) | High | 8.0 | An authenticated attacker can exploit an untrusted search path vulnerability in Microsoft Dataverse to execute code over a network. | Jun 27, 2024 |
| CVE-2024-35153(opens NVD record) | Medium | 4.8 | IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 292640. | Jun 27, 2024 |
| CVE-2024-31916(opens NVD record) | High | 7.5 | IBM OpenBMC FW1050.00 through FW1050.10 BMCWeb HTTPS server component could disclose sensitive URI content to an unauthorized actor that bypasses authentication channels. IBM X-ForceID: 290026. | Jun 27, 2024 |
| CVE-2023-42014(opens NVD record) | Medium | 5.4 | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.2.0.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 265511. | Jun 27, 2024 |
| CVE-2023-42011(opens NVD record) | Medium | 4.3 | IBM Sterling B2B Integrator Standard Edition 6.1 and 6.2 does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. IBM X-Force ID: 265508. | Jun 27, 2024 |
| CVE-2023-38371(opens NVD record) | Medium | 5.9 | IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 261198. | Jun 27, 2024 |
| CVE-2024-31883(opens NVD record) | Medium | 5.3 | IBM Security Verify Access 10.0.0.0 through 10.0.7.1, under certain configurations, could allow an unauthenticated attacker to cause a denial of service due to asymmetric resource consumption. IBM X-Force ID: 287615. | Jun 27, 2024 |
| CVE-2023-30430(opens NVD record) | Medium | 5.5 | IBM Security Verify Access 10.0.0 through 10.0.7.1 could allow a local user to obtain sensitive information from trace logs. IBM X-Force ID: 252183. | Jun 27, 2024 |