| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Missing authentication for critical function in Windows StateRepository API allows an authorized attacker to elevate privileges locally. |
| Improper restriction of communication channel to intended endpoints in Windows Hyper-V allows an authorized attacker to execute code locally. |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Storage allows an unauthorized attacker to execute code over a network. |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Hyper-V allows an authorized attacker to elevate privileges locally. |
| Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network. |
| Exposure of sensitive information to an unauthorized actor in Microsoft Failover Cluster Virtual Driver allows an authorized attacker to disclose information locally. |
| Improper enforcement of behavioral workflow in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. |
| UnForm Server versions < 10.1.15 contain an unauthenticated arbitrary file read and SMB coercion vulnerability in the Doc Flow feature’s 'arc' endpoint. The Doc Flow module uses the 'arc' handler to retrieve and render pages or resources specified by the user-supplied 'pp' parameter, but it does so without enforcing authentication or restricting path inputs. As a result, an unauthenticated remote attacker can supply local filesystem paths to read arbitrary files accessible to the service account. On Windows deployments, providing a UNC path can also coerce the server into initiating outbound SMB authentication, potentially exposing NTLM credentials for offline cracking or relay. This issue may lead to sensitive information disclosure and, in some environments, enable further lateral movement. |
| Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network. |
| Uncontrolled resource consumption in Windows Remote Desktop Services allows an unauthorized attacker to deny service over a network. |
| Use after free in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally. |
| Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network. |
| Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network. |
| Exposure of sensitive information to an unauthorized actor in Storage Port Driver allows an authorized attacker to disclose information locally. |
| Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network. |
| Use after free in Desktop Windows Manager allows an authorized attacker to execute code locally. |
| Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network. |
| Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network. |
| Allocation of resources without limits or throttling in Windows DirectX allows an authorized attacker to deny service over a network. |
| Missing authorization in Remote Desktop Server allows an unauthorized attacker to perform spoofing over a network. |
