The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2024-25518 | RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the template_id parameter at /WorkFlow/wf_get_fields_approve.aspx. | -- | May 8, 2024 | n/a |
| CVE-2024-25517 | RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the tbTable argument at /WebUtility/MF.aspx. | -- | May 8, 2024 | n/a |
| CVE-2024-25515 | RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the sys_file_storage_id parameter at /WorkFlow/wf_work_finish_file_down.aspx. | -- | May 8, 2024 | n/a |
| CVE-2024-25514 | RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the template_id parameter at /SysManage/wf_template_child_field_list.aspx. | -- | May 7, 2024 | n/a |
| CVE-2024-25513 | RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the file_id parameter at /CorporateCulture/kaizen_download.aspx. | -- | May 7, 2024 | n/a |
| CVE-2024-25512 | RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the attach_id parameter at /Bulletin/AttachDownLoad.aspx. | -- | May 7, 2024 | n/a |
| CVE-2024-25511 | RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the id parameter at /AddressBook/address_public_new.aspx. | -- | May 7, 2024 | n/a |
| CVE-2024-25510 | RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the id parameter at /AddressBook/address_public_show.aspx. | -- | May 7, 2024 | n/a |
| CVE-2024-25509 | RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the sys_file_storage_id parameter at /WorkFlow/wf_file_download.aspx. | -- | May 7, 2024 | n/a |
| CVE-2024-25508 | RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the id parameter at /bulletin/bulletin_template_show.aspx. | -- | May 7, 2024 | n/a |
| CVE-2024-25507 | RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the email_attach_id parameter at /LHMail/AttachDown.aspx. | -- | May 7, 2024 | n/a |
| CVE-2024-24908 | Dell PowerProtect DM5500 version 5.15.0.0 and prior contain an Arbitrary File Delete via Path Traversal vulnerability. A remote attacker with high privileges could potentially exploit this vulnerability to deletion of arbitrary files stored on the server filesystem. | -- | May 8, 2024 | n/a |
| CVE-2024-24833 | Missing Authorization vulnerability in Leevio Happy Addons for Elementor.This issue affects Happy Addons for Elementor: from n/a through 3.10.1. | -- | May 8, 2024 | n/a |
| CVE-2024-24788 | A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. | -- | May 8, 2024 | n/a |
| CVE-2024-23808 | in OpenHarmony v4.0.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free or cause DOS through NULL pointer dereference. | -- | May 7, 2024 | n/a |
| CVE-2024-23713 | In migrateNotificationFilter of NotificationManagerService.java, there is a possible failure to persist notifications settings due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | -- | May 8, 2024 | n/a |
| CVE-2024-23712 | In multiple functions of AppOpsService.java, there is a possible way to saturate the content of /data/system/appops_accesses.xml due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | -- | May 8, 2024 | n/a |
| CVE-2024-23710 | In assertPackageWithSharedUserIdIsPrivileged of InstallPackageHelper.java, there is a possible execution of arbitrary app code as a privileged app due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | -- | May 8, 2024 | n/a |
| CVE-2024-23709 | In multiple locations, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | -- | May 8, 2024 | n/a |
| CVE-2024-23708 | In multiple functions of NotificationManagerService.java, there is a possible way to not show a toast message when a clipboard message has been accessed. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | -- | May 8, 2024 | n/a |
| CVE-2024-23707 | In multiple locations, there is a possible permissions bypass due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | -- | May 8, 2024 | n/a |
| CVE-2024-23706 | In multiple locations, there is a possible bypass of health data permissions due to an improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | -- | May 8, 2024 | n/a |
| CVE-2024-23705 | In multiple locations, there is a possible failure to persist or enforce user restrictions due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | -- | May 8, 2024 | n/a |
| CVE-2024-23704 | In onCreate of WifiDialogActivity.java, there is a possible way to bypass the DISALLOW_ADD_WIFI_CONFIG restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | -- | May 8, 2024 | n/a |
| CVE-2024-23551 | Database scanning using username and password stores the credentials in plaintext or encoded format within files at the endpoint. This has been identified as a significant security risk. This will lead to exposure of sensitive information for unauthorized access, potentially leading to severe consequences such as data breaches, unauthorized data manipulation, and compromised system integrity. | -- | May 8, 2024 | n/a |
| CVE-2024-23354 | Memory corruption when the IOCTL call is interrupted by a signal. | -- | May 6, 2024 | n/a |
| CVE-2024-23351 | Memory corruption as GPU registers beyond the last protected range can be accessed through LPAC submissions. | -- | May 6, 2024 | n/a |
| CVE-2024-23193 | E-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Users of the same service node could access other users E-Mails in case they were exported as PDF for a brief moment until caches were cleared. Successful exploitation requires good timing and modification of multiple request parameters. Please deploy the provided updates and patch releases. The cache for PDF exports now takes user session information into consideration when performing authorization decisions. No publicly available exploits are known. | -- | May 7, 2024 | n/a |
| CVE-2024-23188 | Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the users browser session. Common user interaction is required for the vulnerability to trigger. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. We now use safer methods of handling external content when embedding attachment information to the web interface. No publicly available exploits are known. | -- | May 7, 2024 | n/a |
| CVE-2024-23187 | Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the show more option. Attackers could perform malicious API requests or extract information from the users account. Exploiting the vulnerability requires user interaction. Please deploy the provided updates and patch releases. CID replacement has been hardened to omit invalid identifiers. No publicly available exploits are known. | -- | May 7, 2024 | n/a |
| CVE-2024-23186 | E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. We now use safer methods of handling external content when embedding displayname information to the web interface. No publicly available exploits are known. | -- | May 7, 2024 | n/a |
| CVE-2024-22472 | A buffer Overflow vulnerability in Silicon Labs 500 Series Z-Wave devices may allow Denial of Service, and potential Remote Code execution This issue affects all versions of Silicon Labs 500 Series SDK prior to v6.85.2 running on Silicon Labs 500 series Z-wave devices. | -- | May 7, 2024 | n/a |
| CVE-2024-22460 | Dell PowerProtect DM5500 version 5.15.0.0 and prior contains an insecure deserialization Vulnerability. A remote attacker with high privileges could potentially exploit this vulnerability, leading to arbitrary code execution on the vulnerable application. | -- | May 8, 2024 | n/a |
| CVE-2024-22266 | VMware Avi Load Balancer contains an information disclosure vulnerability. A malicious actor with access to the system logs can view cloud connection credentials in plaintext. | -- | May 8, 2024 | n/a |
| CVE-2024-22264 | VMware Avi Load Balancer contains a privilege escalation vulnerability. A malicious actor with admin privileges on VMware Avi Load Balancer can create, modify, execute and delete files as a root user on the host system. | -- | May 8, 2024 | n/a |
| CVE-2024-21793 | An OData injection vulnerability exists in the BIG-IP Next Central Manager API (URI). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | -- | May 8, 2024 | n/a |
| CVE-2024-21480 | Memory corruption while playing audio file having large-sized input buffer. | -- | May 6, 2024 | n/a |
| CVE-2024-21477 | Transient DOS while parsing a protected 802.11az Fine Time Measurement (FTM) frame. | -- | May 6, 2024 | n/a |
| CVE-2024-21476 | Memory corruption when the channel ID passed by user is not validated and further used. | -- | May 6, 2024 | n/a |
| CVE-2024-21475 | Memory corruption when the payload received from firmware is not as per the expected protocol size. | -- | May 6, 2024 | n/a |
| CVE-2024-21474 | Memory corruption when size of buffer from previous call is used without validation or re-initialization. | -- | May 6, 2024 | n/a |
| CVE-2024-21471 | Memory corruption when IOMMU unmap of a GPU buffer fails in Linux. | -- | May 6, 2024 | n/a |
| CVE-2024-20872 | Improper handling of insufficient privileges vulnerability in TalkbackSE prior to version Android 14 allows local attackers to modify setting value of TalkbackSE. | -- | May 7, 2024 | n/a |
| CVE-2024-20871 | Improper authorization vulnerability in Samsung Keyboard prior to version One UI 5.1.1 allows physical attackers to partially bypass the factory reset protection. | -- | May 7, 2024 | n/a |
| CVE-2024-20870 | Improper verification of intent by broadcast receiver vulnerability in Galaxy Store prior to version 4.5.71.8 allows local attackers to write arbitrary files with the privilege of Galaxy Store. | -- | May 7, 2024 | n/a |
| CVE-2024-20869 | Improper privilege management vulnerability in Samsung Internet prior to version 25.0.0.41 allows local attackers to bypass protection for cookies. | -- | May 7, 2024 | n/a |
| CVE-2024-20868 | Improper input validation in Samsung Notes prior to version 4.4.15 allows local attackers to delete files with Samsung Notes privilege under certain conditions. | -- | May 7, 2024 | n/a |
| CVE-2024-20867 | Improper privilege management vulnerability in Samsung Email prior to version 6.1.91.14 allows local attackers to access sensitive information. | -- | May 7, 2024 | n/a |
| CVE-2024-20866 | Authentication bypass vulnerability in Setupwizard prior to SMR May-2024 Release 1 allows physical attackers to skip activation step. | -- | May 7, 2024 | n/a |
| CVE-2024-20865 | Authentication bypass in bootloader prior to SMR May-2024 Release 1 allows physical attackers to flash arbitrary images. | -- | May 7, 2024 | n/a |
