Security Vulnerabilities - Known exploited
CVE-2024-38856
Incorrect Authorization vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: through 18.12.14.
Users are recommended to upgrade to version 18.12.15, which fixes the issue.
Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
Known exploited
CVSS Score
9.8
EPSS Score
0.944
Published
2024-08-05
CVE-2023-45249
Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132.
Known exploited
CVSS Score
9.8
EPSS Score
0.597
Published
2024-07-24
CVE-2024-5910
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.
Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.
Known exploited
CVSS Score
9.8
EPSS Score
0.912
Published
2024-07-10
CVE-2024-4879
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Known exploited
CVSS Score
9.8
EPSS Score
0.943
Published
2024-07-10
CVE-2024-5217
ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Known exploited
CVSS Score
9.8
EPSS Score
0.942
Published
2024-07-10
CVE-2024-38112
Windows MSHTML Platform Spoofing Vulnerability
Known exploited
CVSS Score
7.5
EPSS Score
0.91
Published
2024-07-09
CVE-2024-38094
Microsoft SharePoint Remote Code Execution Vulnerability
Known exploited
CVSS Score
7.2
EPSS Score
0.844
Published
2024-07-09
CVE-2024-38080
Windows Hyper-V Elevation of Privilege Vulnerability
Known exploited
CVSS Score
7.8
EPSS Score
0.148
Published
2024-07-09
CVE-2024-39891
In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)
Known exploited
CVSS Score
5.3
EPSS Score
0.181
Published
2024-07-02
CVE-2024-38475
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.
Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
Known exploited
CVSS Score
9.1
EPSS Score
0.935
Published
2024-07-01