Search Results
- Results Type: Overview
- Keyword (text search): microsoft
- Search Type: Search All
Vuln ID | Summary | Published | CVSS Severity |
---|---|---|---|
CVE-2024-26188 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | February 23, 2024; 6:15:09 PM -0500 | V4.0: (not available); V3.1: 4.3 MEDIUM; V2.0: (not available) |
CVE-2024-21423 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | February 23, 2024; 5:15:54 PM -0500 | V4.0: (not available); V3.1: 4.8 MEDIUM; V2.0: (not available) |
CVE-2023-46241 | `discourse-microsoft-auth` is a plugin that enables authentication via Microsoft. On sites with the `discourse-microsoft-auth` plugin enabled, an attacker can potentially take control of a victim's Discourse account. Sites that have configured their application's account type to any option other than `Accounts in this organizational directory only (O365 only - Single tenant)` are vulnerable. This vulnerability has been patched in commit c40665f44509724b64938c85def9fb2e79f62ec8 of `discourse-microsoft-auth`. A `microsoft_auth:revoke` rake task has also been added which will deactivate and log out all users that have connected their accounts to Microsoft. User API keys as well as API keys created by those users will also be revoked. The rake task will also remove the connection records to Microsoft for those users. This will allow affected users to re-verify their account emails as well as reconnect their Discourse account to Microsoft for authentication. As a workaround, disable the `discourse-microsoft-auth` plugin by setting the `microsoft_auth_enabled` site setting to `false`. Run the `microsoft_auth:log_out_users` rake task to log out all users with associated Microsoft accounts. | February 21, 2024; 11:15:49 AM -0500 | V4.0: (not available); V3.x: (not available); V2.0: (not available) |
CVE-2024-25618 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability. | February 14, 2024; 4:15:08 PM -0500 | V4.0: (not available); V3.x: (not available); V2.0: (not available) |
CVE-2024-21420 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | February 13, 2024; 1:16:00 PM -0500 | V4.0: (not available); V3.1: 8.8 HIGH; V2.0: (not available) |
CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability | February 13, 2024; 1:16:00 PM -0500 | V4.0: (not available); V3.1: 9.8 CRITICAL; V2.0: (not available) |
CVE-2024-21410 | Microsoft Exchange Server Elevation of Privilege Vulnerability | February 13, 2024; 1:15:59 PM -0500 | V4.0: (not available); V3.1: 9.8 CRITICAL; V2.0: (not available) |
CVE-2024-21405 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | February 13, 2024; 1:15:59 PM -0500 | V4.0: (not available); V3.1: 7.0 HIGH; V2.0: (not available) |
CVE-2024-21403 | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | February 13, 2024; 1:15:58 PM -0500 | V4.0: (not available); V3.1: 9.0 CRITICAL; V2.0: (not available) |
CVE-2024-21402 | Microsoft Outlook Elevation of Privilege Vulnerability | February 13, 2024; 1:15:58 PM -0500 | V4.0: (not available); V3.1: 7.1 HIGH; V2.0: (not available) |
CVE-2024-21401 | Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability | February 13, 2024; 1:15:58 PM -0500 | V4.0: (not available); V3.1: 9.8 CRITICAL; V2.0: (not available) |
CVE-2024-21397 | Microsoft Azure File Sync Elevation of Privilege Vulnerability | February 13, 2024; 1:15:58 PM -0500 | V4.0: (not available); V3.1: 5.3 MEDIUM; V2.0: (not available) |
CVE-2024-21395 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | February 13, 2024; 1:15:57 PM -0500 | V4.0: (not available); V3.1: 8.2 HIGH; V2.0: (not available) |
CVE-2024-21393 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | February 13, 2024; 1:15:57 PM -0500 | V4.0: (not available); V3.1: 7.6 HIGH; V2.0: (not available) |
CVE-2024-21391 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | February 13, 2024; 1:15:57 PM -0500 | V4.0: (not available); V3.1: 8.8 HIGH; V2.0: (not available) |
CVE-2024-21389 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | February 13, 2024; 1:15:56 PM -0500 | V4.0: (not available); V3.1: 7.6 HIGH; V2.0: (not available) |
CVE-2024-21384 | Microsoft Office OneNote Remote Code Execution Vulnerability | February 13, 2024; 1:15:56 PM -0500 | V4.0: (not available); V3.1: 7.8 HIGH; V2.0: (not available) |
CVE-2024-21381 | Microsoft Azure Active Directory B2C Spoofing Vulnerability | February 13, 2024; 1:15:56 PM -0500 | V4.0: (not available); V3.1: 6.8 MEDIUM; V2.0: (not available) |
CVE-2024-21380 | Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability | February 13, 2024; 1:15:56 PM -0500 | V4.0: (not available); V3.1: 8.0 HIGH; V2.0: (not available) |
CVE-2024-21379 | Microsoft Word Remote Code Execution Vulnerability | February 13, 2024; 1:15:55 PM -0500 | V4.0: (not available); V3.1: 7.8 HIGH; V2.0: (not available) |