
1378 matches found

CVE
added 2024/07/09 8:9 p.m. | 159 views

CVE-2024-31316

CVE-2024-31316 affects the Android Framework, specifically the onResult path in AccountManagerService.java. The issue is a parcel mismatch that could allow an arbitrary background activity launch, resulting in local elevation of privilege without requiring additional execution privileges. No user...

CVSS 7.8 | AI score 6.9 | EPSS 0.00111
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2024/07/09 8:9 p.m. | 110 views

CVE-2024-31311

CVE-2024-31311 affects Google Android; the flaw is an out-of-bounds write in the function increment_annotation_count within stats_event.c, caused by a missing bounds check. This can enable local elevation of privilege with no additional execution privileges and without user interaction. Affected ...

CVSS 7.8 | AI score 6.9 | EPSS 0.00095
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2024/07/09 8:9 p.m. | 118 views

CVE-2024-31314

CVE-2024-31314 is a DoS via resource exhaustion in multiple functions of ShortcutService.java. The issue is described across Android/Red Hat/NVD/CVE lists as a local DoS without required user interaction. Affected component is ShortcutService.java, with a persistent denial of service risk due to ...

CVSS 6.2 | AI score 6.4 | EPSS 0.00104
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2024/07/09 8:9 p.m. | 429 views

CVE-2024-31317

CVE-2024-31317 is a Zygote command-injection vulnerability affecting Android 9–13, enabling a non-privileged app with WRITE_SECURE_SETTINGS to trigger code execution in the Zygote process via unsafe deserialization and manipulated Zygote arguments (e.g., runtime-flags, hidden_api_blacklist_exempt...

CVSS 7.8 | AI score 7.3 | EPSS 0.00779
Exploits: 12 | References: 2 | Affected Software: 1
CVE
added 2024/07/09 8:9 p.m. | 724 views

CVE-2024-31310

CVE-2024-31310 affects Android: in AutofillManagerServiceImpl.newServiceInfoLocked, improper input validation can allow hiding an enabled Autofill service in the Autofill service settings. Impact is local privilege escalation with high confidentiality/integrity/availability implications, requirin...

CVSS 7.8 | AI score 6.8 | EPSS 0.00113
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2024/07/09 8:9 p.m. | 254 views

CVE-2023-21114

CVE-2023-21114 affects Android devices with a local elevation of privilege due to a confused deputy in components referenced in the Android WiFi stack and related platform code. Exploitation requires local access and does not need user interaction. Multiple vendors’ advisories (e.g., Android secu...

CVSS 7.8 | AI score 6.8 | EPSS 0.00123
Exploits: 0 | References: 4 | Affected Software: 1
CVE
added 2024/07/09 8:9 p.m. | 113 views

CVE-2024-23696

The CVE-2024-23696 issue is tied to the RGXCreateZSBufferKM function in rgxta3d.c, where a use-after-free leads to possible arbitrary code execution and local elevation of privilege in the kernel. Exploitation reportedly requires local access with no extra privileges and no user interaction. Conn...

CVSS 8.4 | AI score 7.4 | EPSS 0.00104
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2024/07/09 8:9 p.m. | 122 views

CVE-2024-23695

CVE-2024-23695 involves the Android/Linux kernel’s CacheOpPMRExec in cache_km.c, with a reported out-of-bounds write caused by an integer overflow. This can lead to local elevation of privilege with no extra execution privileges or user interaction required. The available connected documents do n...

CVSS 8.4 | AI score 6.8 | EPSS 0.00104
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2024/07/09 1:30 p.m. | 117 views

CVE-2024-2177

CVE-2024-2177 affects GitLab CE/EE: vulnerable versions are 16.3 up to but not including 16.11.5, 17.0 up to but not including 17.0.3, and 17.1 up to but not including 17.1.1. The issue is a Cross Window Forgery in the OAuth authentication flow, exploitable via a crafted payload. The connected do...

CVSS 6.8 | AI score 6.5 | EPSS 0.00651
Exploits: 1 | References: 2 | Affected Software: 1
CVE
added 2024/07/09 10:30 a.m. | 60 views

CVE-2023-3288

CVE-2023-3288 affects Easy!Appointments, where a BOLA flaw on POST /providers allows a low-privileged user to create a privileged provider, enabling privilege escalation. Multiple connected sources (including CVELIST entry Easy!Appointments

CVSS 8.8 | AI score 8.4 | EPSS 0.00349
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2024/07/09 10:24 a.m. | 75 views

CVE-2023-3289

CVE-2023-3289 affects Easy!Appointments (versions prior to 1.5.0). A BOLA in POST /services allows a low-privileged user to create a service for any user (including admin), leading to unauthorized data manipulation. The connected documents provide explicit description of the affected endpoint and...

CVSS 7.7 | AI score 6.5 | EPSS 0.00327
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2024/07/09 10:20 a.m. | 57 views

CVE-2023-3286

CVE-2023-3286 affects Easy!Appointments prior to version 1.5.0. The vulnerability is described as a BOLA issue on POST /secretaries that allows a low-privileged user to create another low-privileged secretary account, enabling unauthorized data manipulation. The connected sources consistently fra...

CVSS 7.7 | AI score 6.4 | EPSS 0.00327
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2024/07/09 10:17 a.m. | 54 views

CVE-2023-3287

Vulnerability details (CVE-2023-3287): Easy!Appointments

CVSS 9.9 | AI score 8.8 | EPSS 0.00435
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2024/07/09 9:37 a.m. | 60 views

CVE-2023-3285

CVE-2023-3285 refers to an Insecure Authorization (BOLA) in the EasyAppointments web app. The vulnerability resides in the POST /appointments endpoint, where a low-privileged user can create an appointment for any user (including administrators), leading to unauthorized data manipulation. Technic...

CVSS 7.7 | AI score 7.2 | EPSS 0.00338
Exploits: 0 | References: 1
CVE
added 2024/07/09 12:0 a.m. | 82 views

CVE-2023-50806

CVE-2023-50806 affects Samsung Mobile Processor, Wearable Processor, and Modems (Exynos 9820/9825/980/990/850/1080/2100/2200/1280/1380/1330/9110/W920/W930, Exynos Modem 5123, 5300). Description: an out-of-bounds heap-buffer access in the SIM Proactive Command. Impact and likelihood: CVSSv3.1 base...

CVSS 8.4 | AI score 7 | EPSS 0.00177
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2024/07/09 12:0 a.m. | 98 views

CVE-2023-50807

CVE-2023-50807 concerns Samsung Wearable Processor and Modems (Exynos 9110; Exynos Modem 5123; Exynos Modem 5300). The issue is an out-of-bounds write on the heap in 2G, exploitable with no authentication. Multiple connected sources (NVD, Red Hat, CVE list, CNNVD, OSV) corroborate the same descri...

CVSS 8.1 | AI score 8.2 | EPSS 0.00415
Exploits: 0 | References: 2 | Affected Software: 1
AlpineLinux
added 2024/07/07 5:22 p.m. | 38 views

CVE-2024-3651

A vulnerability was identified in the kjd/idna library, specifically within the idna.encode function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This...

CVSS 7.5 | AI score 7.1 | EPSS 0.0107
Exploits: 1
CVE
added 2024/07/05 12:0 a.m. | 99 views

CVE-2024-36041

The CVE-2024-36041 issue affects KDE Plasma Workspace (plasma-workspace) prior to 5.27.11.1 and 6.x prior to 6.0.5.1, where KSmserver incorrectly accepts ICE connections from localhost, allowing a local attacker to gain access to the session manager and potentially execute code on the victim at t...

CVSS 7.8 | AI score 7.7 | EPSS 0.00293
Exploits: 0 | References: 7 | Affected Software: 1
CVE
added 2024/07/03 12:0 a.m. | 345 views

CVE-2024-33871

CVE-2024-33871 affects Artifex Ghostscript prior to 10.03.1. The issue is in contrib/opvp/gdevopvp.c where the Driver parameter for opvp (and oprp) devices can specify an arbitrary dynamic library name, which is then loaded when processing a crafted PostScript document. This allows arbitrary code...

CVSS 8.8 | AI score 7.6 | EPSS 0.01425
Exploits: 0 | References: 3 | Affected Software: 1
CVE
added 2024/07/03 12:0 a.m. | 299 views

CVE-2024-33870

CVE-2024-33870 affects Artifex Ghostscript up to version 10.03.1. The issue is a path traversal vulnerability in PostScript handling that can reach arbitrary files when the current directory is within permitted paths, e.g., transforming ../../foo to ./../../foo and gaining access if ./ is allowed...

CVSS 6.3 | AI score 6.7 | EPSS 0.00515
Exploits: 0 | References: 2 | Affected Software: 1