
CVE Watch
Every published CVE, mapped to engagement reality.
Crawled from cve.org every day. Each entry annotated with the QSearch coverage signal — how many of our agents, skills, and playbooks address the technique. Subscribe via RSS for SIEM pipe, or get the weekly digest by email.
Microsoft SharePoint Server Information Disclosure Vulnerability
Microsoft SharePoint Server Information Disclosure Vulnerability
microsoftWindows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
microsoftMicrosoft Excel Information Disclosure Vulnerability
Microsoft Excel Information Disclosure Vulnerability
microsoftWindows Bind Filter Driver Information Disclosure Vulnerability
Windows Bind Filter Driver Information Disclosure Vulnerability
microsoftWindows Remote Procedure Call Runtime Security Feature Bypass Vulnerability
Windows Remote Procedure Call Runtime Security Feature Bypass Vulnerability
microsoftWindows AD FS Security Feature Bypass Vulnerability
Windows AD FS Security Feature Bypass Vulnerability
microsoftCWE-863Windows Installer Spoofing Vulnerability
Windows Installer Spoofing Vulnerability
microsoftRich Text Edit Control Information Disclosure Vulnerability
Rich Text Edit Control Information Disclosure Vulnerability
microsoftCWE-312Windows exFAT File System Information Disclosure Vulnerability
Windows exFAT File System Information Disclosure Vulnerability
microsoftWindows Fast FAT File System Driver Information Disclosure Vulnerability
Windows Fast FAT File System Driver Information Disclosure Vulnerability
microsoftUnexpected Pointer Aliasing in IEEE 802154 Fragment Reassembly in Zephyr
Unexpected Pointer Aliasing in IEEE 802154 Fragment Reassembly in Zephyr. Zephyr versions >= >=2.4.0 contain NULL Pointer Dereference (CWE-476). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p86r-gc4r-4mq3
zephyrprojectCWE-476Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name
Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name.
froxlorCWE-89Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter
Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter.
debianredmineElectron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling `contextIsolation` in one's app. One may also disable the functionality of the `createThumbnailFromPath` API if one does not need it.
electronjsCWE-668CWE-862IBM Data Risk Manager 2.0.6 stores user credentials in plain clear text which can be read by an authenticated user
IBM Data Risk Manager 2.0.6 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 209947.
ibmCWE-312An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4) SECN_C...
An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4) SECN_CONT_PSWD parameters in HoldAddressFields.php.
os4edCWE-89A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter
A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter.
dzzofficeCWE-79A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request)
A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request). An authenticated user could use this flaw to crash the samba server.
debiannetappsambaCWE-476Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 P...
Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.
sapCWE-94A vulnerability has been identified in SAP SuccessFactors Mobile Application for Android - versions older than 2108, which allows an atta...
A vulnerability has been identified in SAP SuccessFactors Mobile Application for Android - versions older than 2108, which allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, which can lead to denial of service. The vulnerability is related to Android implementation methods that are widely used across Android mobile applications, and such methods are embedded into the SAP SuccessFactors mobile application. These Android methods begin executing once the user accesses their profile on the mobile application. While executing, it can also pick up the activities from other Android applications that are running in the background of the users device and are using the same types of methods in the application. Such vulnerability can also lead to phishing attacks that can be used for staging other types of attacks.
sap
Weekly digest
Get the curated CVE digest every Monday
One email a week, sent Monday morning CET. The CVEs published or modified in the last seven days, severity-ordered, with the QSearch coverage signal. Unsubscribe with one click — included in every send.
Pipe the CVE feed into your stack.
CVE Watch publishes RSS, Atom, and JSON feeds — wire them into your SIEM, Slack, Discord, or your RSS reader of choice. Or get the curated weekly digest by email.