CVSS: 7.8EPSS: 0%CPEs: 24EXPL: 0CVE-2024-43556 – Windows Graphics Component Elevation of Privilege Vulnerability
https://notcve.org/view.php?id=CVE-2024-43556
Windows Graphics Component Elevation of Privilege Vulnerability This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the win32kfull driver. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43556 • CWE-416: Use After Free •
CVSS: 8.4EPSS: 0%CPEs: 5EXPL: 1CVE-2024-6769 – Medium to High Integrity Privilege Escalation in Microsoft Windows
https://notcve.org/view.php?id=CVE-2024-6769
A DLL Hijacking caused by drive remapping combined with a poisoning of the activation cache in Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022 allows a malicious authenticated attacker to elevate from a medium integrity process to a high integrity process without the intervention of a UAC prompt. • https://github.com/fortra/CVE-2024-6769 https://www.fortra.com/security/advisories/research/fr-2024-002 • CWE-426: Untrusted Search Path •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47083 – Power Platform Terraform Provider has Improper Masking of Secrets in Logs
https://notcve.org/view.php?id=CVE-2024-47083
Power Platform Terraform Provider allows managing environments and other resources within Power Platform. Versions prior to 3.0.0 have an issue in the Power Platform Terraform Provider where sensitive information, specifically the `client_secret` used in the service principal authentication, may be exposed in logs. This exposure occurs due to an error in the logging code that causes the `client_secret` to not be properly masked when logs are persisted or viewed. Users should upgrade to version 3.0.0 to receive a patched version of the provider that removes all logging of sensitive content. Users who have used this provider with the affected versions should take the following additional steps to mitigate the risk: Immediately rotate the `client_secret` for any service principal that has been configured using this Terraform provider. • https://github.com/microsoft/terraform-provider-power-platform/releases/tag/v3.0.0 https://github.com/microsoft/terraform-provider-power-platform/security/advisories/GHSA-7w3w-pjm5-m36c https://registry.terraform.io/providers/microsoft/power-platform/latest/docs#authenticating-to-power-platform-using-a-service-principal-with-oidc • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43489 – Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-43489
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43489 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43496 – Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-43496
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43496 • CWE-787: Out-of-bounds Write •