US-CERT Vulnerability Summary for the Week of September 9, 2024
Bulletins provide weekly summaries of new vulnerabilities. Patch information is provided when available.
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
---|---|---|---|---|---|
Siemens–Industrial Edge Management Pro | A vulnerability has been identified in Industrial Edge Management Pro (All versions < V1.9.5), Industrial Edge Management Virtual (All versions < V2.3.1-1). Affected components do not properly validate the device tokens. This could allow an unauthenticated remote attacker to impersonate other devices onboarded to the system. | 2024-09-10 | 10 | CVE-2024-45032 | [email protected] |
SAML-Toolkits–ruby-saml | The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3. | 2024-09-10 | 10 | CVE-2024-45409 | [email protected] [email protected] [email protected] [email protected] |
Baxter–Connex Health Portal | In Connex health portal released before8/30/2024, SQL injection vulnerabilities were found that could have allowed an unauthenticated attacker to gain unauthorized access to Connex portal’s database. An attacker could have submitted a crafted payload to Connex portal that could have resulted in modification and disclosure of database content and/or perform administrative operations including shutting down the database. | 2024-09-09 | 10 | CVE-2024-6795 | [email protected] |
nik00726–video carousel slider with lightbox | The video carousel slider with lightbox plugin for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2024-09-11 | 9.1 | CVE-2019-25212 | [email protected] [email protected] [email protected] |
n/a–n/a | Loftware Spectrum before 4.6 HF14 has Missing Authentication for a Critical Function. | 2024-09-10 | 9.8 | CVE-2023-37226 | [email protected] [email protected] [email protected] |
n/a–n/a | Loftware Spectrum before 4.6 HF13 Deserializes Untrusted Data. | 2024-09-10 | 9.8 | CVE-2023-37227 | [email protected] [email protected] [email protected] |
n/a–n/a | Loftware Spectrum before 4.6 HF14 uses a Hard-coded Password. | 2024-09-10 | 9.8 | CVE-2023-37231 | [email protected] [email protected] [email protected] |
Simple Online Planning–SO Planning | A unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. If the public view setting is enabled, a attacker can upload a PHP-file that will be available for execution for a few milliseconds before it is removed, leading to execution of code on the underlying system. The vulnerability has been remediated in version 1.52.02. | 2024-09-11 | 9.8 | CVE-2024-27114 | [email protected] |
gitlab — gitlab | An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables. | 2024-09-12 | 9.1 | CVE-2024-2743 | [email protected] [email protected] |
SolarWinds–Access Rights Manager | SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution. | 2024-09-12 | 9 | CVE-2024-28991 | [email protected] [email protected] |
ivanti — endpoint_manager | Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. | 2024-09-12 | 9.8 | CVE-2024-29847 | [email protected] |
Siemens–SIMATIC Information Server 2022 | A vulnerability has been identified in SIMATIC Information Server 2022 (All versions), SIMATIC Information Server 2024 (All versions), SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions < V4.1 Update 2), SIMATIC PCS neo V5.0 (All versions), SINEC NMS (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 8), Totally Integrated Automation Portal (TIA Portal) V18 (All versions), Totally Integrated Automation Portal (TIA Portal) V19 (All versions). Affected products contain a heap-based buffer overflow vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to execute arbitrary code. | 2024-09-10 | 9.8 | CVE-2024-33698 | [email protected] |
n/a–n/a | ORDAT FOSS-Online before v2.24.01 was discovered to contain a SQL injection vulnerability via the forgot password function. | 2024-09-12 | 9.3 | CVE-2024-34334 | [email protected] [email protected] [email protected] |
Siemens–SIMATIC BATCH V9.1 | A vulnerability has been identified in SIMATIC BATCH V9.1 (All versions), SIMATIC Information Server 2020 (All versions), SIMATIC Information Server 2022 (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC Process Historian 2020 (All versions), SIMATIC Process Historian 2022 (All versions), SIMATIC WinCC Runtime Professional V18 (All versions), SIMATIC WinCC Runtime Professional V19 (All versions), SIMATIC WinCC V7.4 (All versions), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 18), SIMATIC WinCC V8.0 (All versions < V8.0 Update 5). The affected products run their DB server with elevated privileges which could allow an authenticated attacker to execute arbitrary OS commands with administrative privileges. | 2024-09-10 | 9.1 | CVE-2024-35783 | [email protected] |
Elastic–Kibana | A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools https://www.elastic.co/guide/en/security/current/ai-for-security.html and have configured an Amazon Bedrock connector https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html . | 2024-09-09 | 9.9 | CVE-2024-37288 | [email protected] |
Microsoft–Azure Stack Hub | Azure Stack Hub Elevation of Privilege Vulnerability | 2024-09-10 | 9 | CVE-2024-38220 | [email protected] |
n/a–n/a | No-IP Dynamic Update Client (DUC) v3.x uses cleartext credentials that may occur on a command line or in a file. NOTE: the vendor’s position is that cleartext in /etc/default/noip-duc is recommended and is the intentional behavior. | 2024-09-12 | 9.1 | CVE-2024-40457 | [email protected] [email protected] |
laurent22–joplin | Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that “<” followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an “illegal” tag within a tag. | 2024-09-09 | 9.6 | CVE-2024-40643 | [email protected] [email protected] |
Samsung Open Source–Escargot | Heap-based Buffer Overflow vulnerability in Samsung Open Source Escargot JavaScript engine allows Overflow Buffers.This issue affects Escargot: 4.0.0. | 2024-09-10 | 9.8 | CVE-2024-40754 | [email protected] |
adobe — coldfusion | ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability by providing crafted input to the application, which when deserialized, leads to execution of malicious code. Exploitation of this issue does not require user interaction. | 2024-09-13 | 9.8 | CVE-2024-41874 | [email protected] |
Hewlett Packard Enterprise (HPE)–HPE HP-UX ONCplus | HPE has identified a denial of service vulnerability in HPE HP-UX System’s Network File System (NFSv4) services. | 2024-09-09 | 9.3 | CVE-2024-42500 | [email protected] |
n/a–n/a | Renwoxing Enterprise Intelligent Management System before v3.0 was discovered to contain a SQL injection vulnerability via the parid parameter at /fx/baseinfo/SearchInfo. | 2024-09-10 | 9.1 | CVE-2024-43040 | [email protected] |
microsoft — windows_server_2008 | Windows Remote Desktop Licensing Service Spoofing Vulnerability | 2024-09-10 | 9.8 | CVE-2024-43455 | [email protected] |
microsoft — windows_10_1507 | Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024-KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability. This servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order. Note: Windows 10, version 1507 reached the end of support (EOS) on May 9, 2017 for devices running the Pro, Home, Enterprise, Education, and Enterprise IoT editions. Only Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions are still under support. | 2024-09-10 | 9.8 | CVE-2024-43491 | [email protected] |
dlink — di-8300_firmware | D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the upgrade_filter_asp function. | 2024-09-09 | 9.8 | CVE-2024-44410 | [email protected] [email protected] [email protected] |
n/a–n/a | D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the msp_info_htm function. | 2024-09-09 | 9.8 | CVE-2024-44411 | [email protected] [email protected] [email protected] |
comfast — cf-xr11_firmware | COMFAST CF-XR11 V2.7.2 has a command injection vulnerability in function sub_424CB4. Attackers can send POST request messages to /usr/bin/webmgnt and inject commands into parameter iface. | 2024-09-11 | 9.8 | CVE-2024-44466 | [email protected] |
n/a–n/a | evilnapsis Inventio Lite Versions v4 and before is vulnerable to SQL Injection via the “username” parameter in “/?action=processlogin.” | 2024-09-11 | 9.8 | CVE-2024-44541 | [email protected] [email protected] |
n/a–n/a | eladmin v2.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the DatabaseController.java component. | 2024-09-10 | 9.8 | CVE-2024-44677 | [email protected] [email protected] |
n/a–n/a | SeaCMS v13.1 was discovered to a Server-Side Request Forgery (SSRF) via the url parameter at /admin_reslib.php. | 2024-09-09 | 9.8 | CVE-2024-44721 | [email protected] |
n/a–n/a | Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php. | 2024-09-09 | 9.8 | CVE-2024-44849 | [email protected] [email protected] |
n/a–n/a | An issue in the component /jeecg-boot/jmreport/dict/list of JimuReport v1.7.8 allows attacker to escalate privileges via a crafted GET request. | 2024-09-10 | 9.8 | CVE-2024-44893 | [email protected] |
n/a–n/a | A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. | 2024-09-09 | 9.8 | CVE-2024-44902 | [email protected] [email protected] |
NixOS–nix | Nix is a package manager for Linux and other Unix systems. A bug in Nix 2.24 prior to 2.24.6 allows a substituter or malicious user to craft a NAR that, when unpacked by Nix, causes Nix to write to arbitrary file system locations to which the Nix process has access. This will be with root permissions when using the Nix daemon. This issue is fixed in Nix 2.24.6. | 2024-09-10 | 9 | CVE-2024-45593 | [email protected] [email protected] |
Rockwell Automation–FactoryTalk View Site Edition | CVE-2024-45824 IMPACT A remote code vulnerability exists in the affected products. The vulnerability occurs when chained with Path Traversal, Command Injection, and XSS Vulnerabilities and allows for full unauthenticated remote code execution. The link in the mitigations section below contains patches to fix this issue. | 2024-09-12 | 9.8 | CVE-2024-45824 | [email protected] |
mindsdb–mindsdb | A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI. | 2024-09-12 | 9 | CVE-2024-45856 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
Endress+Hauser–Echo Curve Viewer | An unauthenticated remote attacker can run malicious c# code included in curve files and execute commands in the users context. | 2024-09-10 | 9.8 | CVE-2024-6596 | [email protected] |
GitLab–GitLab | An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances. | 2024-09-12 | 9.9 | CVE-2024-6678 | [email protected] [email protected] |
ivanti — endpoint_manager | SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. | 2024-09-10 | 9.8 | CVE-2024-8191 | 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 |
villatheme–WooCommerce Photo Reviews Premium | The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user’s identity. This makes it possible for unauthenticated attackers to log in as user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully. | 2024-09-11 | 9.8 | CVE-2024-8277 | [email protected] [email protected] |
VICIdial–VICIdial | An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database. | 2024-09-10 | 9.8 | CVE-2024-8503 | bbf0bd87-ece2-41be-b873-96928ee8fab9 bbf0bd87-ece2-41be-b873-96928ee8fab9 |
learningdigital — orca_hcm | Orca HCM from LEARNING DIGITAL does not properly restrict access to a specific functionality, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in. ( The vendor is currently addressing the vulnerability. Once the fix is completed, we will provide information on the affected versions.) | 2024-09-09 | 9.8 | CVE-2024-8584 | [email protected] [email protected] |
softaculous–Backuply Backup, Restore, Migrate and Clone | The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to SQL Injection via the ‘options’ parameter passed to the backuply_wp_clone_sql() function in all versions up to, and including, 1.3.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2024-09-14 | 9.1 | CVE-2024-8669 | [email protected] [email protected] [email protected] |
docker — desktop | A remote code execution (RCE) vulnerability via crafted extension description/changelog could be abused by a malicious extension in Docker Desktop before 4.34.2. | 2024-09-12 | 9.8 | CVE-2024-8695 | [email protected] |
docker — desktop | A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop before 4.34.2. | 2024-09-12 | 9.8 | CVE-2024-8696 | [email protected] |
code-projects — crud_operation_system | A vulnerability was found in code-projects Crud Operation System 1.0. It has been classified as critical. This affects an unknown part of the file /updatedata.php. The manipulation of the argument sid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-09-13 | 9.8 | CVE-2024-8762 | [email protected] [email protected] [email protected] [email protected] [email protected] |
n/a–n/a | Command Injection vulnerability in goform/SetIPTVCfg interface of Tenda AC15 V15.03.05.20 allows remote attackers to run arbitrary commands via crafted POST request. | 2024-09-10 | 8 | CVE-2023-36103 | [email protected] |
n/a–n/a | Loftware Spectrum before 5.1 allows SSRF. | 2024-09-10 | 8.8 | CVE-2023-37229 | [email protected] [email protected] |
n/a–n/a | Loftware Spectrum (testDeviceConnection) before 5.1 allows SSRF. | 2024-09-10 | 8.8 | CVE-2023-37230 | [email protected] [email protected] |
n/a–n/a | Loftware Spectrum before 4.6 HF14 allows authenticated XXE attacks. | 2024-09-10 | 8.8 | CVE-2023-37233 | [email protected] [email protected] [email protected] |
Cisco–Cisco IOS XR Software | A vulnerability in the multicast traceroute version 2 (Mtrace2) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust the UDP packet memory of an affected device. This vulnerability exists because the Mtrace2 code does not properly handle packet memory. An attacker could exploit this vulnerability by sending crafted packets to an affected device. A successful exploit could allow the attacker to exhaust the incoming UDP packet memory. The affected device would not be able to process higher-level UDP-based protocols packets, possibly causing a denial of service (DoS) condition. Note: This vulnerability can be exploited using IPv4 or IPv6. | 2024-09-11 | 8.6 | CVE-2024-20304 | [email protected] |
Cisco–Cisco IOS XR Software | A vulnerability in the JSON-RPC API feature in ConfD that is used by the web-based management interfaces of Cisco Crosswork Network Services Orchestrator (NSO), Cisco Optical Site Manager, and Cisco RV340 Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to modify the configuration of an affected application or device. This vulnerability is due to improper authorization checks on the API. An attacker with privileges sufficient to access the affected application or device could exploit this vulnerability by sending malicious requests to the JSON-RPC API. A successful exploit could allow the attacker to make unauthorized modifications to the configuration of the affected application or device, including creating new user accounts or elevating their own privileges on an affected system. | 2024-09-11 | 8.8 | CVE-2024-20381 | [email protected] |
Cisco–Cisco IOS XR Software | A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to obtain read/write file system access on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root. | 2024-09-11 | 8.8 | CVE-2024-20398 | [email protected] |
Cisco–Cisco IOS XR Software | A vulnerability in the storage method of the PON Controller configuration file could allow an authenticated, local attacker with low privileges to obtain the MongoDB credentials. This vulnerability is due to improper storage of the unencrypted database credentials on the device that is running Cisco IOS XR Software. An attacker could exploit this vulnerability by accessing the configuration files on an affected system. A successful exploit could allow the attacker to view MongoDB credentials. | 2024-09-11 | 8.4 | CVE-2024-20489 | [email protected] |
Microsoft–Windows 10 Version 1809 | Windows TCP/IP Remote Code Execution Vulnerability | 2024-09-10 | 8.1 | CVE-2024-21416 | [email protected] |
n/a–dset | Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program. | 2024-09-11 | 8.2 | CVE-2024-21529 | [email protected] [email protected] |
Microsoft–Microsoft SQL Server 2017 (GDR) | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | 2024-09-10 | 8.8 | CVE-2024-26186 | [email protected] |
Microsoft–Microsoft SQL Server 2017 (GDR) | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | 2024-09-10 | 8.8 | CVE-2024-26191 | [email protected] |
Hitachi Vantara–Pentaho Data Integration & Analytics | Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.1.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when searching metadata injectable fields. | 2024-09-12 | 8.5 | CVE-2024-28981 | [email protected] |
Google–Android | In PVRSRVBridgeRGXKickTA3D2 of server_rgxta3d_bridge.c, there is a possible arbitrary code execution due to improper input validation. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-09-11 | 8.4 | CVE-2024-31336 | [email protected] |
Microsoft–Microsoft SQL Server 2017 (GDR) | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | 2024-09-10 | 8.8 | CVE-2024-37335 | [email protected] |
Microsoft–Microsoft SQL Server 2017 (GDR) | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | 2024-09-10 | 8.8 | CVE-2024-37338 | [email protected] |
Microsoft–Microsoft SQL Server 2017 (GDR) | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | 2024-09-10 | 8.8 | CVE-2024-37339 | [email protected] |
Microsoft–Microsoft SQL Server 2017 (GDR) | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | 2024-09-10 | 8.8 | CVE-2024-37340 | [email protected] |
Microsoft–Microsoft SQL Server 2017 (GDR) | Microsoft SQL Server Elevation of Privilege Vulnerability | 2024-09-10 | 8.8 | CVE-2024-37341 | [email protected] |
Ivanti–EPM | An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets. | 2024-09-12 | 8.2 | CVE-2024-37397 | [email protected] |
Microsoft–Microsoft SQL Server 2017 (GDR) | Microsoft SQL Server Elevation of Privilege Vulnerability | 2024-09-10 | 8.8 | CVE-2024-37965 | [email protected] |
Microsoft–Microsoft SQL Server 2017 (GDR) | Microsoft SQL Server Elevation of Privilege Vulnerability | 2024-09-10 | 8.8 | CVE-2024-37980 | [email protected] |
Microsoft–Microsoft SharePoint Enterprise Server 2016 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 2024-09-10 | 8.8 | CVE-2024-38018 | [email protected] |
Microsoft–Windows 10 Version 1809 | Windows TCP/IP Remote Code Execution Vulnerability | 2024-09-10 | 8.1 | CVE-2024-38045 | [email protected] |
Microsoft–Azure Web Apps | An authenticated attacker can exploit an improper authorization vulnerability in Azure Web Apps to elevate privileges over a network. | 2024-09-10 | 8.4 | CVE-2024-38194 | [email protected] |
Microsoft–Azure Stack Hub | Azure Stack Hub Elevation of Privilege Vulnerability | 2024-09-10 | 8.2 | CVE-2024-38216 | [email protected] |
Microsoft–Microsoft Dynamics 365 Business Central 2023 Release Wave 1 | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | 2024-09-10 | 8.8 | CVE-2024-38225 | [email protected] |
Microsoft–Windows 10 Version 1809 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | 2024-09-10 | 8.1 | CVE-2024-38240 | [email protected] |
microsoft — windows_11_21h2 | Microsoft Management Console Remote Code Execution Vulnerability | 2024-09-10 | 8.8 | CVE-2024-38259 | [email protected] |
microsoft — windows_server_2008 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | 2024-09-10 | 8.8 | CVE-2024-38260 | [email protected] |
Dell–PowerScale InsightIQ | Dell PowerScale InsightIQ, versions 5.0 through 5.1, contains a Use of a Broken or Risky Cryptographic Algorithm vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2024-09-10 | 8.1 | CVE-2024-39583 | [email protected] |
Siemens–SINUMERIK 828D V4 | A vulnerability has been identified in SINUMERIK 828D V4 (All versions), SINUMERIK 828D V5 (All versions < V5.24), SINUMERIK 840D sl V4 (All versions), SINUMERIK ONE (All versions < V6.24). Affected devices do not properly enforce access restrictions to scripts that are regularly executed by the system with elevated privileges. This could allow an authenticated local attacker to escalate their privileges in the underlying system. | 2024-09-10 | 8.8 | CVE-2024-41171 | [email protected] |
AutomationDirect–DirectLogic H2-DM1E | The session hijacking attack targets the application layer’s control mechanism, which manages authenticated sessions between a host PC and a PLC. During such sessions, a session key is utilized to maintain security. However, if an attacker captures this session key, they can inject traffic into an ongoing authenticated session. To successfully achieve this, the attacker also needs to spoof both the IP address and MAC address of the originating host which is typical of a session-based attack. | 2024-09-13 | 8.8 | CVE-2024-43099 | [email protected] |
PHOENIX CONTACT–FL MGUARD 2102 | A low privileged remote attacker can trigger the execution of arbitrary OS commands as root due to improper neutralization of special elements in the variable PROXY_HTTP_PORT in mGuard devices. | 2024-09-10 | 8.8 | CVE-2024-43385 | [email protected] |
PHOENIX CONTACT–FL MGUARD 2102 | A low privileged remote attacker can trigger the execution of arbitrary OS commands as root due to improper neutralization of special elements in the variable EMAIL_NOTIFICATION.TO in mGuard devices. | 2024-09-10 | 8.8 | CVE-2024-43386 | [email protected] |
PHOENIX CONTACT–FL MGUARD 2102 | A low privileged remote attacker can read and write files as root due to improper neutralization of special elements in the variable EMAIL_RELAY_PASSWORD in mGuard devices. | 2024-09-10 | 8.8 | CVE-2024-43387 | [email protected] |
PHOENIX CONTACT–FL MGUARD 2102 | A low privileged remote attacker with write permissions can reconfigure the SNMP service due to improper input validation. | 2024-09-10 | 8.8 | CVE-2024-43388 | [email protected] |
Microsoft–Windows 11 Version 24H2 | Windows MSHTML Platform Spoofing Vulnerability | 2024-09-10 | 8.8 | CVE-2024-43461 | [email protected] |
Microsoft–Azure CycleCloud 8.2.0 | Azure CycleCloud Remote Code Execution Vulnerability | 2024-09-10 | 8.8 | CVE-2024-43469 | [email protected] |
microsoft — power_automate | Microsoft Power Automate Desktop Remote Code Execution Vulnerability | 2024-09-10 | 8.5 | CVE-2024-43479 | [email protected] |
Gallagher–Command Centre Server | Inclusion of Functionality from Untrusted Control Sphere(CWE-829) in the Command Centre Server and Workstations may allow an attacker to perform Remote Code Execution (RCE). This issue affects: Command Centre Server and Command Centre Workstations 9.10 prior to vEL9.10.1530 (MR2), 9.00 prior to vEL9.00.2168 (MR4), 8.90 prior to vEL8.90.2155 (MR5), 8.80 prior to vEL8.80.1938 (MR6), all versions of 8.70 and prior. | 2024-09-11 | 8 | CVE-2024-43690 | [email protected] |
Siemens–Automation License Manager V5 | A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6.0 (All versions), Automation License Manager V6.2 (All versions < V6.2 Upd3). Affected applications do not properly validate certain fields in incoming network packets on port 4410/tcp. This could allow an unauthenticated remote attacker to cause an integer overflow and crash of the application. This denial of service condition could prevent legitimate users from using subsequent products that rely on the affected application for license verification. | 2024-09-10 | 8.6 | CVE-2024-44087 | [email protected] |
Ivanti–Workspace Control | DLL hijacking in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges. | 2024-09-10 | 8.8 | CVE-2024-44103 | 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 |
Ivanti–Workspace Control | An incorrectly implemented authentication scheme that is subjected to a spoofing attack in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges. | 2024-09-10 | 8.8 | CVE-2024-44104 | 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 |
Ivanti–Workspace Control | Cleartext transmission of sensitive information in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to obtain OS credentials. | 2024-09-10 | 8.2 | CVE-2024-44105 | 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 |
Ivanti–Workspace Control | Insufficient server-side controls in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges. | 2024-09-10 | 8.8 | CVE-2024-44106 | 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 |
Ivanti–Workspace Control | DLL hijacking in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges and achieve arbitrary code execution. | 2024-09-10 | 8.8 | CVE-2024-44107 | 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 |
n/a–n/a | D-Link DI-7003GV2 v24.04.18D1, DI-7100G+V2 v24.04.18D1, DI-7100GV2 v24.04.18D1, DI-7200GV2 v24.04.18E1, DI-7300G+V2 v24.04.18D1, and DI-7400G+V2 v24.04.18D1 are vulnerable to Remote Command Execution. An attacker can achieve arbitrary command execution by sending a carefully crafted malicious string to the CGI function responsible for handling usb_paswd.asp. | 2024-09-09 | 8.8 | CVE-2024-44333 | [email protected] [email protected] |
n/a–n/a | D-Link DI-7003GV2 v24.04.18D1, DI-7100G+V2 v24.04.18D1, DI-7100GV2 v24.04.18D1, DI-7200GV2 v24.04.18E1, DI-7300G+V2 v24.04.18D1, and DI-7400G+V2 v24.04.18D1 are vulnerable to Remote Command Execution due to insufficient parameter filtering in the CGI handling function of upgrade_filter.asp. | 2024-09-09 | 8.8 | CVE-2024-44334 | [email protected] [email protected] |
n/a–n/a | D-Link DI-7003G v19.12.24A1, DI-7003GV2 v24.04.18D1, DI-7100G+V2 v24.04.18D1, DI-7100GV2 v24.04.18D1, DI-7200GV2 v24.04.18E1, DI-7300G+V2 v24.04.18D1, and DI-7400G+V2 v24.04.18D1 are vulnerable to Remote Command Execution (RCE) via version_upgrade.asp. | 2024-09-09 | 8.8 | CVE-2024-44335 | [email protected] [email protected] |
n/a–n/a | RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a code injection vulnerability via the getParams function in phpinf.php. | 2024-09-11 | 8.8 | CVE-2024-44570 | [email protected] [email protected] |
n/a–n/a | RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain incorrect access control in the mService function at phpinf.php. | 2024-09-11 | 8.8 | CVE-2024-44571 | [email protected] [email protected] |
n/a–n/a | RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the sys_mgmt function. | 2024-09-11 | 8.8 | CVE-2024-44572 | [email protected] [email protected] |
n/a–n/a | RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the sys_conf function. | 2024-09-11 | 8.8 | CVE-2024-44574 | [email protected] [email protected] |
n/a–n/a | RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the time_date function. | 2024-09-11 | 8.8 | CVE-2024-44577 | [email protected] [email protected] |
n/a–n/a | Shenzhen Haichangxing Technology Co., Ltd HCX H822 4G LTE Router M7628NNxISPxUIv2_v1.0.1557.15.35_P0 is vulnerable to Incorrect Access Control. Unauthenticated factory mode reset and command injection leads to information exposure and root shell access. | 2024-09-10 | 8 | CVE-2024-44667 | [email protected] [email protected] |
n/a–n/a | Vulnerability in Hathway Skyworth Router CM5100 v.4.1.1.24 allows a physically proximate attacker to obtain user credentials via SPI flash Firmware W25Q64JV. | 2024-09-10 | 8 | CVE-2024-44815 | [email protected] |
external-secrets–external-secrets | External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has “get/list” verbs of secrets resources. It also has path/update verb of validatingwebhookconfigurations resources. This can be used to abuse the SA token of the deployment to retrieve or get ALL secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2. | 2024-09-09 | 8.3 | CVE-2024-45041 | [email protected] [email protected] |
bareos–bareos | Bareos is open source software for backup, archiving, and recovery of data for operating systems. When a command ACL is in place and a user executes a command in bconsole using an abbreviation (i.e. “w” for “whoami”) the ACL check did not apply to the full form (i.e. “whoami”) but to the abbreviated form (i.e. “w”). If the command ACL is configured with negative ACL that should forbid using the “whoami” command, you could still use “w” or “who” as a command successfully. Fixes for the problem are shipped in Bareos versions 23.0.4, 22.1.6 and 21.1.11. If only positive command ACLs are used without any negation, the problem does not occur. | 2024-09-10 | 8.8 | CVE-2024-45044 | [email protected] [email protected] [email protected] |
n/a–n/a | An issue was discovered in WibuKey64.sys in WIBU-SYSTEMS WibuKey before v6.70 and fixed in v.6.70. An improper bounds check allows crafted packets to cause an arbitrary address write, resulting in kernel memory corruption. | 2024-09-12 | 8.8 | CVE-2024-45181 | [email protected] [email protected] |
AutomationDirect–DirectLogic H2-DM1E | The H2-DM1E PLC’s authentication protocol appears to utilize either a custom encoding scheme or a challenge-response protocol. However, there’s an observed anomaly in the H2-DM1E PLC’s protocol execution, namely its acceptance of multiple distinct packets as valid authentication responses. This behavior deviates from standard security practices where a single, specific response or encoding pattern is expected for successful authentication. | 2024-09-13 | 8.8 | CVE-2024-45368 | [email protected] |
twigphp–Twig | Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0. | 2024-09-09 | 8.5 | CVE-2024-45411 | [email protected] [email protected] [email protected] [email protected] |
DamienHarper–auditor-bundle | auditor-bundle, formerly known as DoctrineAuditBundle, integrates auditor library into any Symfony 3.4+ application. Prior to 6.0.0, there is an unescaped entity property enabling Javascript injection. This is possible because %source_label% in twig macro is not escaped. Therefore script tags can be inserted and are executed. The vulnerability is fixed in 6.0.0. | 2024-09-10 | 8.2 | CVE-2024-45592 | [email protected] [email protected] |
Rockwell Automation–FactoryTalk Batch View | CVE-2024-45823 IMPACT An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication. | 2024-09-12 | 8.1 | CVE-2024-45823 | [email protected] |
mindsdb–mindsdb | An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server. | 2024-09-12 | 8.8 | CVE-2024-45846 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
mindsdb–mindsdb | An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted ‘UPDATE’ query containing Python code is run against a database created with the specified integration engine, the code will be passed to an eval function and executed on the server. | 2024-09-12 | 8.8 | CVE-2024-45847 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
mindsdb–mindsdb | An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the ChromaDB integration is installed on the server. If a specially crafted ‘INSERT’ query containing Python code is run against a database created with the ChromaDB engine, the code will be passed to an eval function and executed on the server. | 2024-09-12 | 8.8 | CVE-2024-45848 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
mindsdb–mindsdb | An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server. | 2024-09-12 | 8.8 | CVE-2024-45849 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
mindsdb–mindsdb | An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for site column creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server. | 2024-09-12 | 8.8 | CVE-2024-45850 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
mindsdb–mindsdb | An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list item creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server. | 2024-09-12 | 8.8 | CVE-2024-45851 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
mindsdb–mindsdb | Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with. | 2024-09-12 | 8.8 | CVE-2024-45852 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
n/a–n/a | Tenda FH451 v1.0.0.9 has a command injection vulnerability in the formexeCommand function i | 2024-09-13 | 8.8 | CVE-2024-46048 | [email protected] |
zephyrproject-rtos–Zephyr | BT: Encryption procedure host vulnerability | 2024-09-13 | 8.2 | CVE-2024-5754 | [email protected] |
glboy–Login with phone number | The Login with phone number plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.49. This is due to a lack of validation and missing capability check on user-supplied data in the ‘lwp_update_password_action’ function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to any other role, including Administrator. The vulnerability was partially patched in version 1.7.40. The login with phone number pro plugin was required to exploit the vulnerability in versions 1.7.40 – 1.7.49. | 2024-09-14 | 8.8 | CVE-2024-6482 | [email protected] [email protected] [email protected] |
Progress–LoadMaster | Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection.This issue affects: ?Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.0 (inclusive) ? From 7.2.49.0 to 7.2.54.11 (inclusive) ? 7.2.48.12 and all prior versions Multi-Tenant Hypervisor 7.1.35.11 and all prior versions ECS All prior versions to 7.2.60.0 (inclusive) | 2024-09-12 | 8.4 | CVE-2024-6658 | [email protected] |
Baxter–Connex Health Portal | In Baxter Connex health portal released before 8/30/2024, an improper access control vulnerability has been found that could allow an unauthenticated attacker to gain unauthorized access to Connex portal’s database and/or modify content. | 2024-09-09 | 8.2 | CVE-2024-6796 | [email protected] |
Unknown–Appointment Booking Calendar Simply Schedule Appointments Booking Plugin | The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins | 2024-09-13 | 8.8 | CVE-2024-7129 | [email protected] |
xwp–Stream | The Stream plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.1. This is due to missing or incorrect nonce validation on the network_options_action() function. This makes it possible for unauthenticated attackers to update arbitrary options that can lead to DoS or privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2024-09-13 | 8.8 | CVE-2024-7423 | [email protected] [email protected] [email protected] |
wpdelicious–WP Delicious Recipe Plugin for Food Bloggers (formerly Delicious Recipes) | The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file movement and reading due to insufficient file path validation in the save_edit_profile_details() function in all versions up to, and including, 1.6.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). This can also lead to the reading of arbitrary files that may contain sensitive information like wp-config.php. | 2024-09-11 | 8.1 | CVE-2024-7626 | [email protected] [email protected] [email protected] [email protected] |
PHOENIX CONTACT–FL MGUARD 2102 | An low privileged remote attacker can execute OS commands with root privileges due to improper neutralization of special elements in user data. | 2024-09-10 | 8.8 | CVE-2024-7699 | [email protected] |
bitpressadmin–Bit File Manager 100% Free & Open Source File Manager and Code Editor for WordPress | The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘upload’ function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2024-09-10 | 8.8 | CVE-2024-7770 | [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] |
Unknown–Favicon Generator (CLOSED) | The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary files such as PHP on the server | 2024-09-13 | 8.1 | CVE-2024-7863 | [email protected] |
svenl77–Post Form Registration Form Profile Form for User Profiles Frontend Content Forms for User Submissions (UGC) | The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.8.11. This is due to plugin not properly restricting what users have access to set the default role on registration forms. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with a custom role that allows them to register as administrators. | 2024-09-14 | 8.8 | CVE-2024-8246 | [email protected] [email protected] |
pickplugins–Post Grid and Gutenberg Blocks | The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in all versions 2.2.87 to 2.2.90. This is due to the plugin not properly restricting what user meta values can be updated and ensuring a form is active. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta to become an administrator. | 2024-09-11 | 8.8 | CVE-2024-8253 | [email protected] [email protected] [email protected] [email protected] |
vinoth06–Frontend Dashboard | The Frontend Dashboard plugin for WordPress is vulnerable to unauthorized code execution due to insufficient filtering on callable methods/functions via the ajax_request() function in all versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to call arbitrary functions that can be leverage for privilege escalation by changing user’s passwords. | 2024-09-10 | 8.8 | CVE-2024-8268 | [email protected] [email protected] [email protected] |
ivanti — endpoint_manager | Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network. | 2024-09-10 | 8.6 | CVE-2024-8321 | 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 |
ivanti — endpoint_manager | Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality. | 2024-09-10 | 8.8 | CVE-2024-8322 | 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 |
VICIdial–VICIdial | An attacker with authenticated access to VICIdial as an “agent” can execute arbitrary shell commands as the “root” user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective. | 2024-09-10 | 8.8 | CVE-2024-8504 | bbf0bd87-ece2-41be-b873-96928ee8fab9 bbf0bd87-ece2-41be-b873-96928ee8fab9 |
google — chrome | Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2024-09-11 | 8.8 | CVE-2024-8636 | [email protected] [email protected] |
google — chrome | Use after free in Media Router in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2024-09-11 | 8.8 | CVE-2024-8637 | [email protected] [email protected] |
google — chrome | Type Confusion in V8 in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) | 2024-09-11 | 8.8 | CVE-2024-8638 | [email protected] [email protected] |
google — chrome | Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2024-09-11 | 8.8 | CVE-2024-8639 | [email protected] [email protected] |
gitlab — gitlab | An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server. | 2024-09-12 | 8.8 | CVE-2024-8640 | [email protected] [email protected] |
mayurik — best_house_rental_management_system | A vulnerability classified as critical has been found in SourceCodester Best House Rental Management System 1.0. Affected is the function delete_user/save_user of the file /admin_class.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-09-12 | 8.8 | CVE-2024-8709 | [email protected] [email protected] [email protected] [email protected] [email protected] |
code-projects — inventory_management | A vulnerability classified as critical was found in code-projects Inventory Management 1.0. Affected by this vulnerability is an unknown functionality of the file /model/viewProduct.php of the component Products Table Page. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-09-12 | 8.8 | CVE-2024-8710 | [email protected] [email protected] [email protected] [email protected] [email protected] |
Synetics–Idoit pro | SQL injection vulnerability in idoit pro version 28. This vulnerability could allow an attacker to send a specially crafted query to the ID parameter in /var/www/html/src/classes/modules/api/model/cmdb/isys_api_model_cmdb_objects_by_relation.class.php and retrieve all the information stored in the database. | 2024-09-12 | 8.8 | CVE-2024-8749 | [email protected] |
gitlab — gitlab | An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT authentication is configured. | 2024-09-12 | 8.1 | CVE-2024-8754 | [email protected] |
OpenText–eDirectory | Possible NLDAP Denial of Service attack Vulnerability in eDirectory has been discovered in OpenText™ eDirectory before 9.2.4.0000. | 2024-09-12 | 7.6 | CVE-2021-22532 | [email protected] |
OpenText–eDirectory | Possible External Service Interaction attack in eDirectory has been discovered in OpenText™ eDirectory. This impact all version before 9.2.6.0000. | 2024-09-12 | 7.4 | CVE-2021-38133 | [email protected] |
benjaminprojas–WP Editor | The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the ‘current_theme_root’ parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. | 2024-09-13 | 7.2 | CVE-2022-2446 | [email protected] [email protected] |
n/a–n/a | Loftware Spectrum through 4.6 exposes Sensitive Information (Logs) to an Unauthorized Actor. | 2024-09-10 | 7.5 | CVE-2023-37232 | [email protected] [email protected] |
n/a–n/a | Loftware Spectrum through 4.6 has unprotected JMX Registry. | 2024-09-10 | 7.5 | CVE-2023-37234 | [email protected] [email protected] |
Cisco–Cisco IOS XR Software | A vulnerability in the handling of specific Ethernet frames by Cisco IOS XR Software for various Cisco Network Convergence System (NCS) platforms could allow an unauthenticated, adjacent attacker to cause critical priority packets to be dropped, resulting in a denial of service (DoS) condition. This vulnerability is due to incorrect classification of certain types of Ethernet frames that are received on an interface. An attacker could exploit this vulnerability by sending specific types of Ethernet frames to or through the affected device. A successful exploit could allow the attacker to cause control plane protocol relationships to fail, resulting in a DoS condition. For more information, see the section of this advisory. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | 2024-09-11 | 7.4 | CVE-2024-20317 | [email protected] |
Cisco–Cisco IOS XR Software | A vulnerability in the segment routing feature for the Intermediate System-to-Intermediate System (IS-IS) protocol of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation of ingress IS-IS packets. An attacker could exploit this vulnerability by sending specific IS-IS packets to an affected device after forming an adjacency. A successful exploit could allow the attacker to cause the IS-IS process on all affected devices that are participating in the Flexible Algorithm to crash and restart, resulting in a DoS condition. Note: The IS-IS protocol is a routing protocol. To exploit this vulnerability, an attacker must be Layer 2-adjacent to the affected device and must have formed an adjacency. This vulnerability affects segment routing for IS-IS over IPv4 and IPv6 control planes as well as devices that are configured as level 1, level 2, or multi-level routing IS-IS type. | 2024-09-11 | 7.4 | CVE-2024-20406 | [email protected] |
Cisco–Cisco Meraki Systems Manager Agent | A vulnerability in Cisco Meraki Systems Manager (SM) Agent for Windows could allow an authenticated, local attacker to execute arbitrary code with elevated privileges. This vulnerability is due to incorrect handling of directory search paths at runtime. A low-privileged attacker could exploit this vulnerability by placing both malicious configuration files and malicious DLL files on an affected system, which would read and execute the files when Cisco Meraki SM launches on startup. A successful exploit could allow the attacker to execute arbitrary code on the affected system with SYSTEM privileges. | 2024-09-12 | 7.3 | CVE-2024-20430 | [email protected] |
Cisco–Cisco IOS XR Software | Multiple vulnerabilities in Cisco Routed PON Controller Software, which runs as a docker container on hardware that is supported by Cisco IOS XR Software, could allow an authenticated, remote attacker with Administrator-level privileges on the PON Manager or direct access to the PON Manager MongoDB instance to perform command injection attacks on the PON Controller container and execute arbitrary commands as root. These vulnerabilities are due to insufficient validation of arguments that are passed to specific configuration commands. An attacker could exploit these vulnerabilities by including crafted input as the argument of an affected configuration command. A successful exploit could allow the attacker to execute arbitrary commands as root on the PON controller. | 2024-09-11 | 7.2 | CVE-2024-20483 | [email protected] |
Open-Xchange GmbH–OX Dovecot Pro | Very large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up “full_value” buffer out of the smaller chunks. The full_value buffer has no size limit, so large headers can cause large memory usage. It doesn’t matter whether it’s a single long header line, or a single header split into multiple lines. This bug exists in all Dovecot versions. Incoming mails typically have some size limits set by MTA, so even largest possible header size may still fit into Dovecot’s vsz_limit. So attackers probably can’t DoS a victim user this way. A user could APPEND larger mails though, allowing them to DoS themselves (although maybe cause some memory issues for the backend in general). One can implement restrictions on headers on MTA component preceding Dovecot. No publicly available exploits are known. | 2024-09-10 | 7.5 | CVE-2024-23185 | [email protected] |
Google–Android | In DevmemIntPFNotify of devicemem_server.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-09-11 | 7.4 | CVE-2024-23716 | [email protected] |
Refuel–autolabel | An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it. | 2024-09-12 | 7.8 | CVE-2024-27320 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
Refuel–autolabel | An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it. | 2024-09-12 | 7.8 | CVE-2024-27321 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
samsung — exynos_980_firmware | An issue was discovered in Samsung Mobile Processor Exynos 980, Exynos 850, Exynos 1280, Exynos 1380, and Exynos 1330. In the function slsi_get_scan_extra_ies(), there is no input validation check on default_ies coming from userspace, which can lead to a heap overwrite. | 2024-09-09 | 7.8 | CVE-2024-27383 | [email protected] |
samsung — exynos_1080_firmware | An issue was discovered in Samsung Mobile Processor Exynos 980, Exynos 850, Exynos 1280, Exynos 1380, and Exynos 1330. In the function slsi_rx_range_done_ind(), there is no input validation check on rtt_id coming from userspace, which can lead to a heap overwrite. | 2024-09-09 | 7.8 | CVE-2024-27387 | [email protected] [email protected] |
Microsoft–Windows 11 Version 24H2 | Windows Security Zone Mapping Security Feature Bypass Vulnerability | 2024-09-10 | 7.8 | CVE-2024-30073 | [email protected] |
n/a–n/a | An issue was discovered in Samsung Mobile Processor Exynos 1480, Exynos 2400. The xclipse amdgpu driver has a reference count bug. This can lead to a use after free. | 2024-09-10 | 7.8 | CVE-2024-31960 | [email protected] [email protected] |
ivanti — endpoint_manager | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 2024-09-12 | 7.2 | CVE-2024-32840 | [email protected] |
ivanti — endpoint_manager | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 2024-09-12 | 7.2 | CVE-2024-32842 | [email protected] |
ivanti — endpoint_manager | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 2024-09-12 | 7.2 | CVE-2024-32843 | [email protected] |
ivanti — endpoint_manager | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 2024-09-12 | 7.2 | CVE-2024-32845 | [email protected] |
ivanti — endpoint_manager | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 2024-09-12 | 7.2 | CVE-2024-32846 | [email protected] |
ivanti — endpoint_manager | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 2024-09-12 | 7.2 | CVE-2024-32848 | [email protected] |
Fortinet–FortiClientEMS | An improper neutralization of special elements used in a command (‘Command Injection’) vulnerability [CWE-77] in Fortinet FortiClientEMS 7.2.0 through 7.2.4, 7.0.0 through 7.0.12 may allow an unauthenticated attacker to execute limited and temporary operations on the underlying database via crafted requests. | 2024-09-10 | 7.3 | CVE-2024-33508 | [email protected] |
adobe — illustrator | Illustrator versions 28.6, 27.9.5 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-34121 | [email protected] |
ivanti — endpoint_manager | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 2024-09-12 | 7.2 | CVE-2024-34779 | [email protected] |
ivanti — endpoint_manager | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 2024-09-12 | 7.2 | CVE-2024-34783 | [email protected] |
ivanti — endpoint_manager | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 2024-09-12 | 7.2 | CVE-2024-34785 | [email protected] |
Microsoft–Microsoft SQL Server 2017 (GDR) | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | 2024-09-10 | 7.1 | CVE-2024-37337 | [email protected] |
Microsoft–Microsoft SQL Server 2019 (CU 28) | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | 2024-09-10 | 7.1 | CVE-2024-37342 | [email protected] |
n/a–n/a | Arbitrary File Read vulnerability in Xi’an Daxi Information Technology Co., Ltd OfficeWeb365 v.7.18.23.0 and v8.6.1.0 allows a remote attacker to obtain sensitive information via the “Pic/Indexes” interface | 2024-09-10 | 7.5 | CVE-2024-37728 | [email protected] [email protected] |
Microsoft–Microsoft SQL Server 2017 (GDR) | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | 2024-09-10 | 7.1 | CVE-2024-37966 | [email protected] |
microsoft — windows_10_1507 | Windows Installer Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38014 | [email protected] |
Microsoft–Windows 10 Version 1809 | PowerShell Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38046 | [email protected] |
Microsoft–Windows 10 Version 1809 | Windows Network Address Translation (NAT) Remote Code Execution Vulnerability | 2024-09-10 | 7.5 | CVE-2024-38119 | [email protected] |
Microsoft–Azure Network Watcher VM Extension | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | 2024-09-10 | 7.1 | CVE-2024-38188 | [email protected] |
microsoft — office | Microsoft Publisher Security Feature Bypass Vulnerability | 2024-09-10 | 7.3 | CVE-2024-38226 | [email protected] |
Microsoft–Microsoft SharePoint Enterprise Server 2016 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 2024-09-10 | 7.2 | CVE-2024-38227 | [email protected] |
Microsoft–Microsoft SharePoint Enterprise Server 2016 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 2024-09-10 | 7.2 | CVE-2024-38228 | [email protected] |
Microsoft–Windows 10 Version 1607 | Windows Networking Denial of Service Vulnerability | 2024-09-10 | 7.5 | CVE-2024-38232 | [email protected] |
Microsoft–Windows 10 Version 1607 | Windows Networking Denial of Service Vulnerability | 2024-09-10 | 7.5 | CVE-2024-38233 | [email protected] |
Microsoft–Windows Server 2019 | DHCP Server Service Denial of Service Vulnerability | 2024-09-10 | 7.5 | CVE-2024-38236 | [email protected] |
Microsoft–Windows 10 Version 1809 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38237 | [email protected] |
Microsoft–Windows 10 Version 1809 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38238 | [email protected] |
Microsoft–Windows 10 Version 1809 | Windows Kerberos Elevation of Privilege Vulnerability | 2024-09-10 | 7.2 | CVE-2024-38239 | [email protected] |
Microsoft–Windows 10 Version 1809 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38241 | [email protected] |
Microsoft–Windows 10 Version 1809 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38242 | [email protected] |
Microsoft–Windows 10 Version 1809 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38243 | [email protected] |
Microsoft–Windows 10 Version 1809 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38244 | [email protected] |
Microsoft–Windows 10 Version 1809 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38245 | [email protected] |
Microsoft–Windows Server 2022 | Win32k Elevation of Privilege Vulnerability | 2024-09-10 | 7 | CVE-2024-38246 | [email protected] |
Microsoft–Windows 10 Version 1809 | Windows Graphics Component Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38247 | [email protected] |
Microsoft–Windows Server 2022 | Windows Storage Elevation of Privilege Vulnerability | 2024-09-10 | 7 | CVE-2024-38248 | [email protected] |
Microsoft–Windows 10 Version 1809 | Windows Graphics Component Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38249 | [email protected] |
Microsoft–Windows 10 Version 1809 | Windows Graphics Component Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38250 | [email protected] |
microsoft — windows_10_1607 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38252 | [email protected] |
microsoft — windows_11_21h2 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38253 | [email protected] |
microsoft — windows_10_1607 | Microsoft AllJoyn API Information Disclosure Vulnerability | 2024-09-10 | 7.5 | CVE-2024-38257 | [email protected] |
microsoft — windows_server_2008 | Windows Remote Desktop Licensing Service Information Disclosure Vulnerability | 2024-09-10 | 7.5 | CVE-2024-38258 | [email protected] |
microsoft — windows_server_2008 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | 2024-09-10 | 7.5 | CVE-2024-38263 | [email protected] |
Spring–Spring | Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: * the web application uses RouterFunctions to serve static resources * resource handling is explicitly configured with a FileSystemResource location However, malicious requests are blocked and rejected when any of the following is true: * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html is in use * the application runs on Tomcat or Jetty | 2024-09-13 | 7.5 | CVE-2024-38816 | [email protected] |
adobe — media_encoder | Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-39377 | [email protected] |
Adobe–Audition | Audition versions 24.4.1, 23.6.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-11 | 7.8 | CVE-2024-39378 | [email protected] |
adobe — after_effects | After Effects versions 23.6.6, 24.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-39380 | [email protected] |
adobe — after_effects | After Effects versions 23.6.6, 24.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-39381 | [email protected] |
Adobe–Premiere Pro | Premiere Pro versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-39384 | [email protected] |
Dell–PowerScale InsightIQ | Dell PowerScale InsightIQ, versions 5.0 through 5.1, contains a File or Directories Accessible to External Parties vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability to read, modify, and delete arbitrary files. | 2024-09-10 | 7.3 | CVE-2024-39581 | [email protected] |
n/a–n/a | An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A vulnerability has been identified in the authentication and authorization process of the endpoint responsible for altering the metadata of an emergency access. It permits an attacker with granted emergency access to escalate their privileges by changing the access level and modifying the wait time. Consequently, the attacker can gain full control over the vault (when only intended to have read access) while bypassing the necessary wait period. | 2024-09-13 | 7.5 | CVE-2024-39924 | [email protected] [email protected] |
n/a–n/a | An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. It lacks an offboarding process for members who leave an organization. As a result, the shared organization key is not rotated when a member departs. Consequently, the departing member, whose access should be revoked, retains a copy of the organization key. Additionally, the application fails to adequately protect some encrypted data stored on the server. Consequently, an authenticated user could gain unauthorized access to encrypted data of any organization, even if the user is not a member of the targeted organization. However, the user would need to know the corresponding organizationId. Hence, if a user (whose access to an organization has been revoked) already possesses the organization key, that user could use the key to decrypt the leaked data. | 2024-09-13 | 7.5 | CVE-2024-39925 | [email protected] [email protected] |
n/a–n/a | An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A stored cross-site scripting (XSS) or, due to the default CSP, HTML injection vulnerability has been discovered in the admin dashboard. This potentially allows an authenticated attacker to inject malicious code into the dashboard, which is then executed or rendered in the context of an administrator’s browser when viewing the injected content. However, it is important to note that the default Content Security Policy (CSP) of the application blocks most exploitation paths, significantly mitigating the potential impact. | 2024-09-13 | 7.5 | CVE-2024-39926 | [email protected] [email protected] |
Google–Android | In wifi_item_edit_content of styles.xml , there is a possible FRP bypass due to Missing check for FRP state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-09-11 | 7.8 | CVE-2024-40650 | [email protected] [email protected] |
Google–Android | In onCreate of SettingsHomepageActivity.java, there is a possible way to access the Settings app while the device is provisioning due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | 2024-09-11 | 7.3 | CVE-2024-40652 | [email protected] [email protected] |
Google–Android | In bindAndGetCallIdentification of CallScreeningServiceHelper.java, there is a possible way to maintain a while-in-use permission in the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | 2024-09-11 | 7.8 | CVE-2024-40655 | [email protected] [email protected] |
Google–Android | In addPreferencesForType of AccountTypePreferenceLoader.java, there is a possible way to disable apps for other users due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-09-11 | 7.8 | CVE-2024-40657 | [email protected] [email protected] |
Google–Android | In getConfig of SoftVideoDecoderOMXComponent.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-09-11 | 7.8 | CVE-2024-40658 | [email protected] [email protected] |
Google–Android | In scheme of Uri.java, there is a possible way to craft a malformed Uri object due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-09-11 | 7.8 | CVE-2024-40662 | [email protected] [email protected] |
Siemens–Tecnomatix Plant Simulation V2302 | A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0015), Tecnomatix Plant Simulation V2404 (All versions < V2404.0004). The affected applications contain a stack based overflow vulnerability while parsing specially crafted SPP files. This could allow an attacker to execute code in the context of the current process. | 2024-09-10 | 7.8 | CVE-2024-41170 | [email protected] |
Adobe–Illustrator | Illustrator versions 28.6, 27.9.5 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-41857 | [email protected] |
adobe — after_effects | After Effects versions 23.6.6, 24.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-41859 | [email protected] |
Adobe–Acrobat Reader | Acrobat Reader versions 24.002.21005, 24.001.30159, 20.005.30655, 24.003.20054 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-41869 | [email protected] |
adobe — media_encoder | Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-41871 | [email protected] |
Dell–Wyse Proprietary OS (Modern ThinOS) | Dell ThinOS versions 2402 and 2405, contains an Improper Neutralization of Special Elements used in a Command (‘Command Injection’) vulnerability. An unauthenticated attacker with physical access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2024-09-10 | 7.6 | CVE-2024-42427 | [email protected] |
n/a–n/a | SQL Injection vulnerability in Ellevo v.6.2.0.38160 allows a remote attacker to obtain sensitive information via the /api/mob/instrucao/conta/destinatarios component. | 2024-09-11 | 7.5 | CVE-2024-42760 | [email protected] [email protected] |
microsoft — windows_server_2008 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | 2024-09-10 | 7.1 | CVE-2024-43454 | [email protected] |
Microsoft–Windows 11 Version 24H2 | Windows Setup and Deployment Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-43457 | [email protected] |
Microsoft–Windows 10 Version 1607 | Windows Networking Information Disclosure Vulnerability | 2024-09-10 | 7.7 | CVE-2024-43458 | [email protected] |
Microsoft–Microsoft Office 2019 | Microsoft Office Visio Remote Code Execution Vulnerability | 2024-09-10 | 7.8 | CVE-2024-43463 | [email protected] |
microsoft — sharepoint_server | Microsoft SharePoint Server Remote Code Execution Vulnerability | 2024-09-10 | 7.2 | CVE-2024-43464 | [email protected] |
microsoft — 365_apps | Microsoft Excel Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-43465 | [email protected] |
microsoft — sharepoint_server | Microsoft SharePoint Server Denial of Service Vulnerability | 2024-09-10 | 7.5 | CVE-2024-43466 | [email protected] |
Microsoft–Windows Server 2019 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | 2024-09-10 | 7.5 | CVE-2024-43467 | [email protected] |
Microsoft–Azure Network Watcher VM Extension | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | 2024-09-10 | 7.3 | CVE-2024-43470 | [email protected] |
Microsoft–Microsoft SQL Server 2017 (GDR) | Microsoft SQL Server Information Disclosure Vulnerability | 2024-09-10 | 7.6 | CVE-2024-43474 | [email protected] |
microsoft — windows_server_2008 | Microsoft Windows Admin Center Information Disclosure Vulnerability | 2024-09-10 | 7.3 | CVE-2024-43475 | [email protected] |
Microsoft–Microsoft AutoUpdate for Mac | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-43492 | [email protected] |
Microsoft–Windows 11 version 22H2 | Windows libarchive Remote Code Execution Vulnerability | 2024-09-10 | 7.3 | CVE-2024-43495 | [email protected] |
Siemens–SIMATIC S7-200 SMART CPU CR40 | A vulnerability has been identified in SIMATIC S7-200 SMART CPU CR40 (6ES7288-1CR40-0AA0) (All versions), SIMATIC S7-200 SMART CPU CR60 (6ES7288-1CR60-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR20 (6ES7288-1SR20-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR20 (6ES7288-1SR20-0AA1) (All versions), SIMATIC S7-200 SMART CPU SR30 (6ES7288-1SR30-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR30 (6ES7288-1SR30-0AA1) (All versions), SIMATIC S7-200 SMART CPU SR40 (6ES7288-1SR40-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR40 (6ES7288-1SR40-0AA1) (All versions), SIMATIC S7-200 SMART CPU SR60 (6ES7288-1SR60-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR60 (6ES7288-1SR60-0AA1) (All versions), SIMATIC S7-200 SMART CPU ST20 (6ES7288-1ST20-0AA0) (All versions), SIMATIC S7-200 SMART CPU ST20 (6ES7288-1ST20-0AA1) (All versions), SIMATIC S7-200 SMART CPU ST30 (6ES7288-1ST30-0AA0) (All versions), SIMATIC S7-200 SMART CPU ST30 (6ES7288-1ST30-0AA1) (All versions), SIMATIC S7-200 SMART CPU ST40 (6ES7288-1ST40-0AA0) (All versions), SIMATIC S7-200 SMART CPU ST40 (6ES7288-1ST40-0AA1) (All versions), SIMATIC S7-200 SMART CPU ST60 (6ES7288-1ST60-0AA0) (All versions), SIMATIC S7-200 SMART CPU ST60 (6ES7288-1ST60-0AA1) (All versions). Affected devices do not properly handle TCP packets with an incorrect structure. This could allow an unauthenticated remote attacker to cause a denial of service condition. To restore normal operations, the network cable of the device needs to be unplugged and re-plugged. | 2024-09-10 | 7.5 | CVE-2024-43647 | [email protected] |
adobe — photoshop | Photoshop Desktop versions 24.7.4, 25.11 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-43756 | [email protected] |
adobe — illustrator | Illustrator versions 28.6, 27.9.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-43758 | [email protected] |
adobe — photoshop | Photoshop Desktop versions 24.7.4, 25.11 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-43760 | [email protected] |
Mohammad Arif–Opor Ayam | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Mohammad Arif Opor Ayam allows Reflected XSS.This issue affects Opor Ayam: from n/a through 1.8. | 2024-09-15 | 7.1 | CVE-2024-44053 | [email protected] |
Jennifer Hall–Filmix | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Jennifer Hall Filmix allows Reflected XSS.This issue affects Filmix: from n/a through 1.1. | 2024-09-15 | 7.1 | CVE-2024-44060 | [email protected] |
n/a–n/a | SeaCMS v13.1 was discovered to an arbitrary file read vulnerability via the component admin_safe.php. | 2024-09-09 | 7.5 | CVE-2024-44720 | [email protected] |
n/a–n/a | AutoCMS v5.4 was discovered to contain a PHP code injection vulnerability via the txtsite_url parameter at /admin/site_add.php. This vulnerability allows attackers to execute arbitrary PHP code via injecting a crafted value. | 2024-09-09 | 7.2 | CVE-2024-44724 | [email protected] |
n/a–n/a | AutoCMS v5.4 was discovered to contain a SQL injection vulnerability via the sidebar parameter at /admin/robot.php. | 2024-09-09 | 7.2 | CVE-2024-44725 | [email protected] |
n/a–n/a | phpok v3.0 was discovered to contain an arbitrary file read vulnerability via the component /autoload/file.php. | 2024-09-10 | 7.5 | CVE-2024-44867 | [email protected] [email protected] |
mozilo — mozilocms | An arbitrary file upload vulnerability in the component /admin/index.php of moziloCMS v3.0 allows attackers to execute arbitrary code via uploading a crafted file. | 2024-09-10 | 7.2 | CVE-2024-44871 | [email protected] [email protected] |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix data corruption for degraded array with slow disk read_balance() will avoid reading from slow disks as much as possible, however, if valid data only lands in slow disks, and a new normal disk is still in recovery, unrecovered data can be read: raid1_read_request read_balance raid1_should_read_first -> return false choose_best_rdev -> normal disk is not recovered, return -1 choose_bb_rdev -> missing the checking of recovery, return the normal disk -> read unrecovered data Root cause is that the checking of recovery is missing in choose_bb_rdev(). Hence add such checking to fix the problem. Also fix similar problem in choose_slow_rdev(). | 2024-09-11 | 7.1 | CVE-2024-45023 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: s390/dasd: fix error recovery leading to data corruption on ESE devices Extent Space Efficient (ESE) or thin provisioned volumes need to be formatted on demand during usual IO processing. The dasd_ese_needs_format function checks for error codes that signal the non existence of a proper track format. The check for incorrect length is to imprecise since other error cases leading to transport of insufficient data also have this flag set. This might lead to data corruption in certain error cases for example during a storage server warmstart. Fix by removing the check for incorrect length and replacing by explicitly checking for invalid track format in transport mode. Also remove the check for file protected since this is not a valid ESE handling case. | 2024-09-11 | 7.8 | CVE-2024-45026 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
adobe — photoshop | Photoshop Desktop versions 24.7.4, 25.11 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-45108 | [email protected] |
adobe — photoshop | Photoshop Desktop versions 24.7.4, 25.11 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-45109 | [email protected] |
Adobe–Acrobat Reader | Acrobat Reader versions 24.002.21005, 24.001.30159, 20.005.30655, 24.003.20054 and earlier are affected by a Type Confusion vulnerability that could result in arbitrary code execution in the context of the current user. This issue occurs when a resource is accessed using a type that is not compatible with the actual object type, leading to a logic error that an attacker could exploit. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-45112 | [email protected] |
adobe — coldfusion | ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access and affect the integrity of the application. Exploitation of this issue does not require user interaction. | 2024-09-13 | 7.5 | CVE-2024-45113 | [email protected] |
pillarjs–path-to-regexp | path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0. | 2024-09-09 | 7.5 | CVE-2024-45296 | [email protected] [email protected] [email protected] |
Fortinet–FortiSOAR | An improper authorization vulnerability [CWE-285] in FortiSOAR version 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2, 7.0.0 through 7.0.3 change password endpoint may allow an authenticated attacker to perform a brute force attack on users and administrators password via crafted HTTP requests. | 2024-09-11 | 7.5 | CVE-2024-45327 | [email protected] |
Spiffy Plugins–Spiffy Calendar | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Spiffy Plugins Spiffy Calendar allows Reflected XSS.This issue affects Spiffy Calendar: from n/a through 4.9.13. | 2024-09-15 | 7.1 | CVE-2024-45458 | [email protected] |
PickPlugins–Product Slider for WooCommerce | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in PickPlugins Product Slider for WooCommerce allows Reflected XSS.This issue affects Product Slider for WooCommerce: from n/a through 1.13.50. | 2024-09-15 | 7.1 | CVE-2024-45459 | [email protected] |
expressjs–body-parser | body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3. | 2024-09-10 | 7.5 | CVE-2024-45590 | [email protected] [email protected] |
directus–directus | Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that endpoint for both OpenId and Oauth2 Directus is using the respond middleware, which by default will try to cache GET requests that met some conditions. Although, those conditions do not include this scenario, when an unauthenticated request returns user credentials. This vulnerability is fixed in 10.13.3 and 11.1.0. | 2024-09-10 | 7.4 | CVE-2024-45596 | [email protected] [email protected] [email protected] |
PgPool Global Development Group–Pgpool-II | Exposure of sensitive information due to incompatible policies issue exists in Pgpool-II. If a database user accesses a query cache, table data unauthorized for the user may be retrieved. | 2024-09-12 | 7.5 | CVE-2024-45624 | [email protected] [email protected] |
Rockwell Automation–5015-U8IHFT | CVE-2024-45825 IMPACT A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service. | 2024-09-12 | 7.5 | CVE-2024-45825 | [email protected] |
mindsdb–mindsdb | Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction. | 2024-09-12 | 7.1 | CVE-2024-45853 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
mindsdb–mindsdb | Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it. | 2024-09-12 | 7.1 | CVE-2024-45854 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
mindsdb–mindsdb | Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it. | 2024-09-12 | 7.1 | CVE-2024-45855 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
Cleanlab–cleanlab | Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to run arbitrary code on an end user’s system when the data directory is loaded. | 2024-09-12 | 7.8 | CVE-2024-45857 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
gitlab — gitlab | An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates. | 2024-09-12 | 7.5 | CVE-2024-4660 | [email protected] [email protected] |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: scsi: aacraid: Fix double-free on probe failure aac_probe_one() calls hardware-specific init functions through the aac_driver_ident::init pointer, all of which eventually call down to aac_init_adapter(). If aac_init_adapter() fails after allocating memory for aac_dev::queues, it frees the memory but does not clear that member. After the hardware-specific init function returns an error, aac_probe_one() goes down an error path that frees the memory pointed to by aac_dev::queues, resulting.in a double-free. | 2024-09-13 | 7.8 | CVE-2024-46673 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: st: fix probed platform device ref count on probe error path The probe function never performs any paltform device allocation, thus error path “undo_platform_dev_alloc” is entirely bogus. It drops the reference count from the platform device being probed. If error path is triggered, this will lead to unbalanced device reference counts and premature release of device resources, thus possible use-after-free when releasing remaining devm-managed resources. | 2024-09-13 | 7.8 | CVE-2024-46674 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: drm/xe: prevent UAF around preempt fence The fence lock is part of the queue, therefore in the current design anything locking the fence should then also hold a ref to the queue to prevent the queue from being freed. However, currently it looks like we signal the fence and then drop the queue ref, but if something is waiting on the fence, the waiter is kicked to wake up at some later point, where upon waking up it first grabs the lock before checking the fence state. But if we have already dropped the queue ref, then the lock might already be freed as part of the queue, leading to uaf. To prevent this, move the fence lock into the fence itself so we don’t run into lifetime issues. Alternative might be to have device level lock, or only release the queue in the fence release callback, however that might require pushing to another worker to avoid locking issues. References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2454 References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2342 References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2020 (cherry picked from commit 7116c35aacedc38be6d15bd21b2fc936eed0008b) | 2024-09-13 | 7.8 | CVE-2024-46683 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk() [BUG] There is an internal report that KASAN is reporting use-after-free, with the following backtrace: BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs] Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45 CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] Call Trace: dump_stack_lvl+0x61/0x80 print_address_description.constprop.0+0x5e/0x2f0 print_report+0x118/0x216 kasan_report+0x11d/0x1f0 btrfs_check_read_bio+0xa68/0xb70 [btrfs] process_one_work+0xce0/0x12a0 worker_thread+0x717/0x1250 kthread+0x2e3/0x3c0 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x11/0x20 Allocated by task 20917: kasan_save_stack+0x37/0x60 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x7d/0x80 kmem_cache_alloc_noprof+0x16e/0x3e0 mempool_alloc_noprof+0x12e/0x310 bio_alloc_bioset+0x3f0/0x7a0 btrfs_bio_alloc+0x2e/0x50 [btrfs] submit_extent_page+0x4d1/0xdb0 [btrfs] btrfs_do_readpage+0x8b4/0x12a0 [btrfs] btrfs_readahead+0x29a/0x430 [btrfs] read_pages+0x1a7/0xc60 page_cache_ra_unbounded+0x2ad/0x560 filemap_get_pages+0x629/0xa20 filemap_read+0x335/0xbf0 vfs_read+0x790/0xcb0 ksys_read+0xfd/0x1d0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 20917: kasan_save_stack+0x37/0x60 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x50 __kasan_slab_free+0x4b/0x60 kmem_cache_free+0x214/0x5d0 bio_free+0xed/0x180 end_bbio_data_read+0x1cc/0x580 [btrfs] btrfs_submit_chunk+0x98d/0x1880 [btrfs] btrfs_submit_bio+0x33/0x70 [btrfs] submit_one_bio+0xd4/0x130 [btrfs] submit_extent_page+0x3ea/0xdb0 [btrfs] btrfs_do_readpage+0x8b4/0x12a0 [btrfs] btrfs_readahead+0x29a/0x430 [btrfs] read_pages+0x1a7/0xc60 page_cache_ra_unbounded+0x2ad/0x560 filemap_get_pages+0x629/0xa20 filemap_read+0x335/0xbf0 vfs_read+0x790/0xcb0 ksys_read+0xfd/0x1d0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [CAUSE] Although I cannot reproduce the error, the report itself is good enough to pin down the cause. The call trace is the regular endio workqueue context, but the free-by-task trace is showing that during btrfs_submit_chunk() we already hit a critical error, and is calling btrfs_bio_end_io() to error out. And the original endio function called bio_put() to free the whole bio. This means a double freeing thus causing use-after-free, e.g.: 1. Enter btrfs_submit_bio() with a read bio The read bio length is 128K, crossing two 64K stripes. 2. The first run of btrfs_submit_chunk() 2.1 Call btrfs_map_block(), which returns 64K 2.2 Call btrfs_split_bio() Now there are two bios, one referring to the first 64K, the other referring to the second 64K. 2.3 The first half is submitted. 3. The second run of btrfs_submit_chunk() 3.1 Call btrfs_map_block(), which by somehow failed Now we call btrfs_bio_end_io() to handle the error 3.2 btrfs_bio_end_io() calls the original endio function Which is end_bbio_data_read(), and it calls bio_put() for the original bio. Now the original bio is freed. 4. The submitted first 64K bio finished Now we call into btrfs_check_read_bio() and tries to advance the bio iter. But since the original bio (thus its iter) is already freed, we trigger the above use-after free. And even if the memory is not poisoned/corrupted, we will later call the original endio function, causing a double freeing. [FIX] Instead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(), which has the extra check on split bios and do the pr —truncated— | 2024-09-13 | 7.8 | CVE-2024-46687 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: nfsd: fix potential UAF in nfsd4_cb_getattr_release Once we drop the delegation reference, the fields embedded in it are no longer safe to access. Do that last. | 2024-09-13 | 7.8 | CVE-2024-46696 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Disable preemption while updating GPU stats We forgot to disable preemption around the write_seqcount_begin/end() pair while updating GPU stats: [ ] WARNING: CPU: 2 PID: 12 at include/linux/seqlock.h:221 __seqprop_assert.isra.0+0x128/0x150 [v3d] [ ] Workqueue: v3d_bin drm_sched_run_job_work [gpu_sched] <…snip…> [ ] Call trace: [ ] __seqprop_assert.isra.0+0x128/0x150 [v3d] [ ] v3d_job_start_stats.isra.0+0x90/0x218 [v3d] [ ] v3d_bin_job_run+0x23c/0x388 [v3d] [ ] drm_sched_run_job_work+0x520/0x6d0 [gpu_sched] [ ] process_one_work+0x62c/0xb48 [ ] worker_thread+0x468/0x5b0 [ ] kthread+0x1c4/0x1e0 [ ] ret_from_fork+0x10/0x20 Fix it. | 2024-09-13 | 7.8 | CVE-2024-46699 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/mes: fix mes ring buffer overflow wait memory room until enough before writing mes packets to avoid ring buffer overflow. v2: squash in sched_hw_submission fix (cherry picked from commit 34e087e8920e635c62e2ed6a758b0cd27f836d13) | 2024-09-13 | 7.8 | CVE-2024-46700 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
samsung — universal_print_driver | The Samsung Universal Print Driver for Windows is potentially vulnerable to escalation of privilege allowing the creation of a reverse shell in the tool. This is only applicable for products in the application released or manufactured before 2018. | 2024-09-11 | 7.8 | CVE-2024-5760 | [email protected] |
zephyrproject-rtos–Zephyr | BT:Classic: Multiple missing buf length checks | 2024-09-13 | 7.6 | CVE-2024-6135 | [email protected] |
zephyrproject-rtos–Zephyr | BT: Classic: SDP OOB access in get_att_search_list | 2024-09-13 | 7.6 | CVE-2024-6137 | [email protected] |
zephyrproject-rtos–Zephyr | BT: HCI: adv_ext_report Improper discarding in adv_ext_report | 2024-09-13 | 7.6 | CVE-2024-6259 | [email protected] |
AVG–Internet Security | Local Privilege Escalation in AVG Internet Security v24 on Windows allows a local unprivileged user to escalate privileges to SYSTEM via COM-Hijacking. | 2024-09-12 | 7.8 | CVE-2024-6510 | a341c0d1-ebf7-493f-a84e-38cf86618674 |
Checkmk GmbH–Checkmk | Improper host key checking in active check ‘Check SFTP Service’ and special agent ‘VNX quotas and filesystem’ in Checkmk before Checkmk 2.3.0p15, 2.2.0p33, 2.1.0p48 and 2.0.0 (EOL) allows man-in-the-middle attackers to intercept traffic | 2024-09-09 | 7.4 | CVE-2024-6572 | [email protected] |
Red Hat–Red Hat Build of Keycloak | A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. | 2024-09-09 | 7.1 | CVE-2024-7341 | [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] |
Unknown–Adicon Server | The Adicon Server WordPress plugin through 1.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks | 2024-09-12 | 7.2 | CVE-2024-7766 | [email protected] |
Ivanti–Workspace Control | An authentication bypass weakness in the message broker service of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges. | 2024-09-10 | 7.8 | CVE-2024-8012 | 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 |
gitlab — gitlab | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a large `glm_source` parameter. | 2024-09-12 | 7.5 | CVE-2024-8124 | [email protected] [email protected] |
Ivanti–CSA (Cloud Services Appliance) | An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability. | 2024-09-10 | 7.2 | CVE-2024-8190 | 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 |
iniNet Solutions GmbH–SpiderControl SCADA Web Server | SpiderControl SCADA Web Server has a vulnerability that could allow an attacker to upload specially crafted malicious files without authentication. | 2024-09-10 | 7.5 | CVE-2024-8232 | [email protected] |
inspireui–MStore API Create Native Android & iOS Apps On The Cloud | The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 4.15.3. This is due to the plugin not checking that user registration is enabled prior to creating a user account through the register() function. This makes it possible for unauthenticated attackers to create user accounts on sites, even when user registration is disabled and plugin functionality is not activated. | 2024-09-13 | 7.3 | CVE-2024-8269 | [email protected] [email protected] [email protected] [email protected] |
realmag777–FOX Currency Switcher Professional for WooCommerce | The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode in the ‘woocs_get_custom_price_html’ function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 2024-09-14 | 7.3 | CVE-2024-8271 | [email protected] [email protected] [email protected] |
Lenovo–HX5530 Appliance (ThinkAgile) XCC | A privilege escalation vulnerability was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection via specially crafted IPMI commands. | 2024-09-13 | 7.2 | CVE-2024-8278 | [email protected] |
Lenovo–HX5530 Appliance (ThinkAgile) XCC | A privilege escalation vulnerability was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads. | 2024-09-13 | 7.2 | CVE-2024-8279 | [email protected] |
Lenovo–HX5530 Appliance (ThinkAgile) XCC | An input validation weakness was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection or cause a recoverable denial of service using a specially crafted file. | 2024-09-13 | 7.2 | CVE-2024-8280 | [email protected] |
Lenovo–HX5530 Appliance (ThinkAgile) XCC | An input validation weakness was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection through specially crafted command line input in the XCC SSH captive shell. | 2024-09-13 | 7.2 | CVE-2024-8281 | [email protected] |
Schneider Electric–Vijeo Designer | CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity and availability of the workstation when non-admin authenticated user tries to perform privilege escalation by tampering with the binaries. | 2024-09-11 | 7.8 | CVE-2024-8306 | [email protected] |
worschtebrot–Affiliate Super Assistent | The The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the ‘Parse comments’ option is enabled. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 2024-09-10 | 7.3 | CVE-2024-8478 | [email protected] [email protected] [email protected] |
webliberty–Simple Spoiler | The The Simple Spoiler plugin for WordPress is vulnerable to arbitrary shortcode execution in versions 1.2 to 1.3. This is due to the plugin adding the filter add_filter(‘comment_text’, ‘do_shortcode’); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 2024-09-14 | 7.3 | CVE-2024-8479 | [email protected] [email protected] [email protected] |
thimpress — learnpress | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘c_only_fields’ parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2024-09-12 | 7.5 | CVE-2024-8522 | [email protected] [email protected] [email protected] |
thimpress — learnpress | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘c_fields’ parameter of the /wp-json/lp/v1/courses/archive-course REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2024-09-12 | 7.5 | CVE-2024-8529 | [email protected] [email protected] |
gitlab — gitlab | A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles. | 2024-09-12 | 7.2 | CVE-2024-8631 | [email protected] [email protected] |
oretnom23 — food_ordering_management_system | A vulnerability, which was classified as problematic, has been found in SourceCodester Food Ordering Management System 1.0. Affected by this issue is some unknown functionality of the file /includes/. The manipulation leads to exposure of information through directory listing. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-09-12 | 7.5 | CVE-2024-8711 | [email protected] [email protected] [email protected] [email protected] [email protected] |
SICK AG–SICK MSC800 | A vulnerability in the MSC800 allows an unauthenticated attacker to modify the product’s IP address over Sopas ET. This can lead to Denial of Service. Users are recommended to upgrade both MSC800 and MSC800 LFT to version V4.26 and S2.93.20 respectively which fixes this issue. | 2024-09-12 | 7.5 | CVE-2024-8751 | [email protected] [email protected] [email protected] [email protected] [email protected] |
h2oai–h2o-3 | A vulnerability, which was classified as critical, has been found in h2oai h2o-3 3.46.0.4. This issue affects the function getConnectionSafe of the file /dtale/chart-data/1 of the component JDBC Connection Handler. The manipulation of the argument query leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-09-14 | 7.3 | CVE-2024-8862 | [email protected] [email protected] [email protected] [email protected] |
code-projects–Crud Operation System | A vulnerability was found in code-projects Crud Operation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file savedata.php. The manipulation of the argument sname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-09-15 | 7.3 | CVE-2024-8868 | [email protected] [email protected] [email protected] [email protected] [email protected] |
Medium Vulnerabilities
Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
---|---|---|---|---|---|
OpenText–eDirectory | Possible Insertion of Sensitive Information into Log File Vulnerability in eDirectory has been discovered in OpenText™ eDirectory 9.2.4.0000. | 2024-09-12 | 6.5 | CVE-2021-22533 | [email protected] |
n/a–n/a | ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediately-invoked function expression (IIFE), and therefore a sandbox escape is possible by directly calling the constructor of the Function object. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446. | 2024-09-09 | 6.1 | CVE-2023-50883 | [email protected] [email protected] [email protected] |
Red Hat–Red Hat build of Quarkus | A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values. | 2024-09-10 | 6.5 | CVE-2023-6841 | [email protected] [email protected] |
Gallagher–Controller 6000 and Controller 7000 | Improper Neutralization of Input During Web Page Generation (CWE-79) in the Controller 6000 and Controller 7000 diagnostic webpage allows an attacker to modify Controller configuration during an authenticated Operator’s session. This issue affects: Controller 6000 and Controller 7000 9.10 prior to vCR9.10.240816a (distributed in 9.10.1530 (MR2)), 9.00 prior to vCR9.00.240816a (distributed in 9.00.2168 (MR4)), 8.90 prior to vCR8.90.240816a (distributed in 8.90.2155 (MR5)), 8.80 prior to vCR8.80.240816b (distributed in 8.80.1938 (MR6)), all versions of 8.70 and prior. | 2024-09-11 | 6.1 | CVE-2024-23906 | [email protected] |
Gallagher–Controller 6000 and Controller 7000 | Buffer Copy without Checking Size of Input (CWE-120) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authorised and authenticated operator to reboot the Controller, causing a Denial of Service. Gallagher recommend the diagnostic web page is not enabled (default is off) unless advised by Gallagher Technical support. This interface is intended only for diagnostic purposes. This issue affects: Controller 6000 and Controller 7000 9.10 prior to vCR9.10.240816a (distributed in 9.10.1530 (MR2)), 9.00 prior to vCR9.00.240816a (distributed in 9.00.2168 (MR4)), 8.90 prior to vCR8.90.240816a (distributed in 8.90.2155 (MR5)), 8.80 prior to vCR8.80.240816b (distributed in 8.80.1938 (MR6)), all versions of 8.70 and prior. | 2024-09-11 | 6.5 | CVE-2024-24972 | [email protected] |
SolarWinds–Access Rights Manager | SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. | 2024-09-12 | 6.3 | CVE-2024-28990 | [email protected] [email protected] |
Lenovo–100w Gen 3 Laptop (Lenovo) BIOS | A potential buffer overflow vulnerability was reported in some Lenovo Notebook products that could allow a local attacker with elevated privileges to execute arbitrary code. | 2024-09-13 | 6.7 | CVE-2024-3100 | [email protected] |
Eaton–Foreseer | The Eaton Foreseer software provides users the capability to customize the dashboard in WebView pages. However, the input fields for this feature in the Eaton Foreseer software lacked proper input sanitization on the server-side, which could lead to injection and execution of malicious scripts when abused by bad actors. | 2024-09-13 | 6.7 | CVE-2024-31414 | [email protected] |
Eaton–Foreseer | The Eaton Foreseer software provides the feasibility for the user to configure external servers for multiple purposes such as network management, user management, etc. The software uses encryption to store these configurations securely on the host machine. However, the keys used for this encryption were insecurely stored, which could be abused to possibly change or remove the server configuration. | 2024-09-13 | 6.3 | CVE-2024-31415 | [email protected] |
Fortinet–FortiClientMac | AAn improper certificate validation vulnerability [CWE-295] in FortiClientWindows 7.2.0 through 7.2.2, 7.0.0 through 7.0.11, FortiClientLinux 7.2.0, 7.0.0 through 7.0.11 and FortiClientMac 7.0.0 through 7.0.11, 7.2.0 through 7.2.4 may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiGate and the FortiClient during the ZTNA tunnel creation | 2024-09-10 | 6.8 | CVE-2024-31489 | [email protected] |
n/a–n/a | ORDAT FOSS-Online before version 2.24.01 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the login page. | 2024-09-12 | 6.1 | CVE-2024-34335 | [email protected] [email protected] [email protected] |
n/a–n/a | cross-site scripting (XSS) vulnerability in Gibbon Core v26.0.00 allows an attacker to execute arbitrary code via the imageLink parameter in the library_manage_catalog_editProcess.php component. | 2024-09-10 | 6.1 | CVE-2024-34831 | [email protected] |
Siemens–SIMATIC Reader RF610R CMIIT | A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0) (All versions < V4.2), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0) (All versions < V4.2), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0) (All versions < V4.2), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0) (All versions < V4.2), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0) (All versions < V4.2), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0) (All versions < V4.2), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0) (All versions < V4.2), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0) (All versions < V4.2), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0) (All versions < V4.2), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0) (All versions < V4.2), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0) (All versions < V4.2), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0) (All versions < V4.2), SIMATIC RF1140R (6GT2831-6CB00) (All versions < V1.1), SIMATIC RF1170R (6GT2831-6BB00) (All versions < V1.1), SIMATIC RF166C (6GT2002-0EE20) (All versions < V2.2), SIMATIC RF185C (6GT2002-0JE10) (All versions < V2.2), SIMATIC RF186C (6GT2002-0JE20) (All versions < V2.2), SIMATIC RF186CI (6GT2002-0JE50) (All versions < V2.2), SIMATIC RF188C (6GT2002-0JE40) (All versions < V2.2), SIMATIC RF188CI (6GT2002-0JE60) (All versions < V2.2), SIMATIC RF360R (6GT2801-5BA30) (All versions < V2.2). The affected applications contain configuration files which can be modified. An attacker with privilege access can modify these files and enable features that are not released for this device. | 2024-09-10 | 6.5 | CVE-2024-37990 | [email protected] |
Microsoft–Microsoft Edge (Chromium-based) | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | 2024-09-12 | 6.5 | CVE-2024-38222 | [email protected] |
Microsoft–Windows Server 2019 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | 2024-09-10 | 6.5 | CVE-2024-38230 | [email protected] |
Microsoft–Windows Server 2019 | Windows Remote Desktop Licensing Service Denial of Service Vulnerability | 2024-09-10 | 6.5 | CVE-2024-38231 | [email protected] |
Microsoft–Windows 10 Version 1809 | Windows Networking Denial of Service Vulnerability | 2024-09-10 | 6.5 | CVE-2024-38234 | [email protected] |
Microsoft–Windows 10 Version 1809 | Windows Hyper-V Denial of Service Vulnerability | 2024-09-10 | 6.5 | CVE-2024-38235 | [email protected] |
microsoft — windows_10_1507 | Windows Authentication Information Disclosure Vulnerability | 2024-09-10 | 6.2 | CVE-2024-38254 | [email protected] |
Dell–PowerScale InsightIQ | Dell PowerScale InsightIQ, version 5.1, contain an Improper Privilege Management vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Denial of service. | 2024-09-10 | 6.7 | CVE-2024-39574 | [email protected] |
Dell–PowerScale InsightIQ | Dell PowerScale InsightIQ, versions 5.0 through 5.1, contains an Improper Access Control vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2024-09-10 | 6.7 | CVE-2024-39580 | [email protected] |
SAP_SE–SAP S/4HANA eProcurement | Due to weak encoding of user-controlled inputs, eProcurement on SAP S/4HANA allows malicious scripts to be executed in the application, potentially leading to a Reflected Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it can have some minor impact on its confidentiality and integrity. | 2024-09-10 | 6.1 | CVE-2024-42378 | [email protected] [email protected] |
Dell–Wyse Proprietary OS (Modern ThinOS) | Citrix Workspace App version 23.9.0.24.4 on Dell ThinOS 2311 contains an Incorrect Authorization vulnerability when Citrix CEB is enabled for WebLogin. A local unauthenticated user with low privileges may potentially exploit this vulnerability to bypass existing controls and perform unauthorized actions leading to information disclosure and tampering. | 2024-09-10 | 6.1 | CVE-2024-42423 | [email protected] |
espressif–esp-now | ESP-NOW Component provides a connectionless Wi-Fi communication protocol. An replay attacks vulnerability was discovered in the implementation of the ESP-NOW because the caches is not differentiated by message types, it is a single, shared resource for all kinds of messages, whether they are broadcast or unicast, and regardless of whether they are ciphertext or plaintext. This can result an attacker to clear the cache of its legitimate entries, there by creating an opportunity to re-inject previously captured packets. This vulnerability is fixed in 2.5.2. | 2024-09-12 | 6.5 | CVE-2024-42483 | [email protected] [email protected] |
espressif–esp-now | ESP-NOW Component provides a connectionless Wi-Fi communication protocol. An Out-of-Bound (OOB) vulnerability was discovered in the implementation of the ESP-NOW group type message because there is no check for the addrs_num field of the group type message. This can result in memory corruption related attacks. Normally there are two fields in the group information that need to be checked, i.e., the addrs_num field and the addrs_list fileld. Since we only checked the addrs_list field, an attacker can send a group type message with an invalid addrs_num field, which will cause the message handled by the firmware to be much larger than the current buffer, thus causing a memory corruption issue that goes beyond the payload length. | 2024-09-12 | 6.5 | CVE-2024-42484 | [email protected] [email protected] |
n/a–n/a | An issue in Ellevo v.6.2.0.38160 allows a remote attacker to escalate privileges via the /api/usuario/cadastrodesuplente endpoint. | 2024-09-09 | 6.3 | CVE-2024-42759 | [email protected] [email protected] |
PHOENIX CONTACT–FL MGUARD 2102 | A low privileged remote attacker can perform configuration changes of the ospf service through OSPF_INTERFACE.SIMPLE_KEY, OSPF_INTERFACE.DIGEST_KEY environment variables which can lead to a DoS. | 2024-09-10 | 6.5 | CVE-2024-43389 | [email protected] |
PHOENIX CONTACT–FL MGUARD 2102 | A low privileged remote attacker can perform configuration changes of the firewall services, including packet forwarding or NAT through the FW_NAT.IN_IP environment variable which can lead to a DoS. | 2024-09-10 | 6.5 | CVE-2024-43390 | [email protected] |
PHOENIX CONTACT–FL MGUARD 2102 | A low privileged remote attacker can perform configuration changes of the firewall services, including packet filter, packet forwarding, network access control or NAT through the FW_PORTFORWARDING.SRC_IP environment variable which can lead to a DoS. | 2024-09-10 | 6.5 | CVE-2024-43391 | [email protected] |
PHOENIX CONTACT–FL MGUARD 2102 | A low privileged remote attacker can perform configuration changes of the firewall services, including packet filter, packet forwarding, network access control or NAT through the FW_INCOMING.FROM_IP FW_INCOMING.IN_IP FW_OUTGOING.FROM_IP FW_OUTGOING.IN_IP environment variable which can lead to a DoS. | 2024-09-10 | 6.5 | CVE-2024-43392 | [email protected] |
PHOENIX CONTACT–FL MGUARD 2102 | A low privileged remote attacker can perform configuration changes of the firewall services, including packet filter, packet forwarding, network access control or NAT through the FW_INCOMING.FROM_IP FW_INCOMING.IN_IP FW_OUTGOING.FROM_IP FW_OUTGOING.IN_IP FW_RULESETS.FROM_IP FW_RULESETS.IN_IP environment variable which can lead to a DoS. | 2024-09-10 | 6.5 | CVE-2024-43393 | [email protected] |
Microsoft–Outlook for iOS | Microsoft Outlook for iOS Information Disclosure Vulnerability | 2024-09-10 | 6.5 | CVE-2024-43482 | [email protected] |
Microsoft–Windows 10 Version 1809 | Windows Mark of the Web Security Feature Bypass Vulnerability | 2024-09-10 | 6.5 | CVE-2024-43487 | [email protected] |
halo-dev–halo | Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.19.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user’s browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. This vulnerability is fixed in 2.19.0. | 2024-09-11 | 6.3 | CVE-2024-43793 | [email protected] |
CryoutCreations–Fluida | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in CryoutCreations Fluida allows Stored XSS.This issue affects Fluida: from n/a through 1.8.8. | 2024-09-15 | 6.5 | CVE-2024-44054 | [email protected] |
CryoutCreations–Mantra | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in CryoutCreations Mantra allows Stored XSS.This issue affects Mantra: from n/a through 3.3.2. | 2024-09-15 | 6.5 | CVE-2024-44056 | [email protected] |
CryoutCreations–Nirvana | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in CryoutCreations Nirvana allows Stored XSS.This issue affects Nirvana: from n/a through 1.6.3. | 2024-09-15 | 6.5 | CVE-2024-44057 | [email protected] |
CryoutCreations–Parabola | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in CryoutCreations Parabola allows Stored XSS.This issue affects Parabola: from n/a through 2.4.1. | 2024-09-15 | 6.5 | CVE-2024-44058 | [email protected] |
MediaRon LLC–Custom Query Blocks | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in MediaRon LLC Custom Query Blocks allows Stored XSS.This issue affects Custom Query Blocks: from n/a through 5.3.1. | 2024-09-15 | 6.5 | CVE-2024-44059 | [email protected] |
Hiroaki Miyashita–Custom Field Template | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Hiroaki Miyashita Custom Field Template allows Stored XSS.This issue affects Custom Field Template: from n/a through 2.6.5. | 2024-09-15 | 6.5 | CVE-2024-44062 | [email protected] |
Happyforms–Happyforms | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Happyforms allows Stored XSS.This issue affects Happyforms: from n/a through 1.26.0. | 2024-09-15 | 6.5 | CVE-2024-44063 | [email protected] |
n/a–n/a | ONLYOFFICE Docs before 8.1.0 allows XSS via a GeneratorFunction Object attack against a macro. This is related to use of an immediately-invoked function expression (IIFE) for a macro. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446 and CVE-2023-50883. | 2024-09-09 | 6.1 | CVE-2024-44085 | [email protected] [email protected] [email protected] |
Nozomi Networks–Guardian | An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges. If a logged-in user with reporting privileges learns how to create a specific application request, they might be able to make limited changes to the reporting configuration. This could result in a partial loss of data integrity. In Guardian/CMC instances with a reporting configuration, there could be limited Denial of Service (DoS) impacts, as the reports may not reach their intended destination, and there could also be limited information disclosure impacts. Furthermore, modifying the destination SMTP server for the reports could lead to the compromise of external credentials, as they might be sent to an unauthorized server. | 2024-09-11 | 6 | CVE-2024-4465 | [email protected] |
n/a–n/a | eladmin v2.7 and before is vulnerable to Cross Site Scripting (XSS) which allows an attacker to execute arbitrary code via LocalStoreController. java. | 2024-09-10 | 6.1 | CVE-2024-44676 | [email protected] [email protected] |
n/a–n/a | phpgurukul Bus Pass Management System 1.0 is vulnerable to Cross-site scripting (XSS) in /admin/pass-bwdates-reports-details.php via fromdate and todate parameters. | 2024-09-13 | 6.3 | CVE-2024-44798 | [email protected] |
mozilo — mozilocms | A reflected cross-site scripting (XSS) vulnerability in moziloCMS v3.0 allows attackers to execute arbitrary code in the context of a user’s browser via injecting a crafted payload. | 2024-09-10 | 6.1 | CVE-2024-44872 | [email protected] [email protected] |
Lenovo–XClarity Administrator | A privilege escalation vulnerability was discovered when Single Sign On (SSO) is enabled that could allow an attacker to intercept a valid, authenticated LXCA user’s XCC session if they can convince the user to click on a specially crafted URL. | 2024-09-13 | 6.8 | CVE-2024-45101 | [email protected] |
Lenovo–XClarity Administrator | A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call. | 2024-09-13 | 6.3 | CVE-2024-45104 | [email protected] |
Lenovo–HX5530 Appliance (ThinkAgile) BIOS | An internal product security audit discovered a UEFI SMM (System Management Mode) callout vulnerability in some ThinkSystem servers that could allow a local attacker with elevated privileges to execute arbitrary code. | 2024-09-13 | 6.7 | CVE-2024-45105 | [email protected] |
SAP_SE–SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel) | Due to insufficient input validation, CRM Blueprint Application Builder Panel of SAP NetWeaver Application Server for ABAP allows an unauthenticated attacker to craft a URL link which could embed a malicious JavaScript. When a victim clicks on this link, the script will be executed in the victim’s browser giving the attacker the ability to access and/or modify information with no effect on availability of the application. | 2024-09-10 | 6.1 | CVE-2024-45279 | [email protected] [email protected] |
SAP_SE–SAP NetWeaver AS for Java (Destination Service) | SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or delete the data. | 2024-09-10 | 6 | CVE-2024-45283 | [email protected] [email protected] |
SAP_SE–SAP Production and Revenue Accounting (Tobin interface) | Due to lack of proper authorization checks when calling user, a function module in obsolete Tobin interface in SAP Production and Revenue Accounting allows unauthorized access that could lead to disclosure of highly sensitive data. There is no impact on integrity or availability. | 2024-09-10 | 6.5 | CVE-2024-45286 | [email protected] [email protected] |
discourse–discourse-calendar | Discourse Calendar plugin adds the ability to create a dynamic calendar in the first post of a topic to Discourse. Rendering event names can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy. The issue is patched in version 0.5 of the Discourse Calendar plugin. | 2024-09-12 | 6.1 | CVE-2024-45303 | [email protected] [email protected] |
cvat-ai–cvat | Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account can access webhook delivery information for any webhook registered on the CVAT instance, including that of other users. For each delivery, this contains information about the event that caused the delivery, typically including full details about the object on which an action was performed (such as the task for an “update:task” event), and the user who performed the action. In addition, the attacker can redeliver any past delivery of any webhook, and trigger a ping event for any webhook. Upgrade to CVAT 2.18.0 or any later version. | 2024-09-10 | 6.4 | CVE-2024-45393 | [email protected] [email protected] |
LizardByte–Sunshine | Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertantly allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but the certificate from the forged pairing attempt is incorrectly persisted prior to the completion of the pairing request. This allows access to the certificate belonging to the attacker. | 2024-09-10 | 6.5 | CVE-2024-45407 | [email protected] [email protected] [email protected] |
JoomUnited–WP Meta SEO | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in JoomUnited WP Meta SEO allows Stored XSS.This issue affects WP Meta SEO: from n/a through 4.5.13. | 2024-09-15 | 6.5 | CVE-2024-45456 | [email protected] |
Spiffy Plugins–Spiffy Calendar | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Spiffy Plugins Spiffy Calendar allows Stored XSS.This issue affects Spiffy Calendar: from n/a through 4.9.13. | 2024-09-15 | 6.5 | CVE-2024-45457 | [email protected] |
Lenovo–P360 Workstation (ThinkStation) BIOS | A potential buffer overflow vulnerability was reported in some Lenovo ThinkSystem and ThinkStation products that could allow a local attacker with elevated privileges to execute arbitrary code. | 2024-09-13 | 6.7 | CVE-2024-4550 | [email protected] |
man-group–dtale | D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the “Custom Filter” input is turned off by default. | 2024-09-10 | 6.1 | CVE-2024-45595 | [email protected] [email protected] [email protected] |
incsub — forminator | Cross-site scripting vulnerability exists in Forminator versions prior to 1.34.1. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who follows a crafted URL and accesses the webpage with the web form created by Forminator. | 2024-09-09 | 6.1 | CVE-2024-45625 | [email protected] [email protected] [email protected] [email protected] |
Rockwell Automation–ThinManager | CVE-2024-45826 IMPACT Due to improper input validation, a path traversal and remote code execution vulnerability exists when the ThinManager® processes a crafted POST request. If exploited, a user can install an executable file. | 2024-09-12 | 6.8 | CVE-2024-45826 | [email protected] |
n/a–n/a | Tenda FH451 v1.0.0.9 has a stack overflow vulnerability located in the RouteStatic function. | 2024-09-13 | 6.5 | CVE-2024-46046 | [email protected] |
n/a–n/a | Tenda FH451 v1.0.0.9 has a stack overflow vulnerability in the fromDhcpListClient function. | 2024-09-13 | 6.5 | CVE-2024-46047 | [email protected] |
gitlab — gitlab | An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow. | 2024-09-12 | 6.1 | CVE-2024-4612 | [email protected] [email protected] |
gitlab — gitlab | An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration. | 2024-09-12 | 6.5 | CVE-2024-5435 | [email protected] [email protected] |
MuffinGroup–Betheme | The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 27.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2024-09-13 | 6.4 | CVE-2024-5567 | [email protected] [email protected] [email protected] |
themefusion–Fusion Builder | The Avada | Website Builder For WordPress & eCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s fusion_button shortcode in all versions up to, and including, 3.11.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in 3.11.9. Additional hardening for alternate attack vectors was added to version 3.11.10. | 2024-09-13 | 6.4 | CVE-2024-5628 | [email protected] [email protected] [email protected] |
Towfiq I.–Triton Lite | The Triton Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the theme’s Button shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-09-13 | 6.4 | CVE-2024-5789 | [email protected] [email protected] |
nattywp–Delicate | The Delicate theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme’s Button shortcode in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-09-13 | 6.4 | CVE-2024-5867 | [email protected] [email protected] |
arnoldgoodway–Neighborly | The Neighborly theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme’s Button shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-09-13 | 6.4 | CVE-2024-5869 | [email protected] [email protected] |
arnoldgoodway–Tweaker5 | The Tweaker5 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme’s Button shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-09-13 | 6.4 | CVE-2024-5870 | [email protected] [email protected] |
allprices–Beauty | The Beauty theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tpl_featured_cat_id’ parameter in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-09-13 | 6.4 | CVE-2024-5884 | [email protected] [email protected] |
zephyrproject-rtos–Zephyr | BT: Unchecked user input in bap_broadcast_assistant | 2024-09-13 | 6.3 | CVE-2024-5931 | [email protected] |
scriptonite — music_request_manager | The Music Request Manager WordPress plugin through 1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | 2024-09-12 | 6.1 | CVE-2024-6017 | [email protected] |
scriptonite — music_request_manager | The Music Request Manager WordPress plugin through 1.3 does not escape the $_SERVER[‘REQUEST_URI’] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | 2024-09-12 | 6.1 | CVE-2024-6018 | [email protected] |
scriptonite — music_request_manager | The Music Request Manager WordPress plugin through 1.3 does not sanitise and escape incoming music requests, which could allow unauthenticated users to perform Cross-Site Scripting attacks against administrators | 2024-09-12 | 6.1 | CVE-2024-6019 | [email protected] |
Axis Communications AB–AXIS OS | 51l3nc3, member of the AXIS OS Bug Bounty Program, has found that a Guard Tour VAPIX API parameter allowed the use of arbitrary values allowing for an attacker to block access to the guard tour configuration page in the web interface of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | 2024-09-10 | 6.5 | CVE-2024-6173 | [email protected] |
zephyrproject-rtos–Zephyr | BT: Missing length checks of net_buf in rfcomm_handle_data | 2024-09-13 | 6.8 | CVE-2024-6258 | [email protected] |
Axis Communications AB–AXIS OS | Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | 2024-09-10 | 6.5 | CVE-2024-6509 | [email protected] |
Red Hat–Red Hat Ansible Automation Platform 2.4 for RHEL 8 | An improper authorization flaw exists in the Ansible Automation Controller. This flaw allows an attacker using the k8S API server to send an HTTP request with a service account token mounted via `automountServiceAccountToken: true`, resulting in privilege escalation to a service account. | 2024-09-12 | 6.6 | CVE-2024-6840 | [email protected] [email protected] [email protected] |
Axis Communications AB–AXIS OS | Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a broken access control which would lead to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as it requires complex steps to execute, including knowing of account passwords and social engineering attacks in tricking the administrator to perform specific configurations on operator- and/or viewer-privileged accounts. Axis has released patched AXIS OS a version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | 2024-09-10 | 6.8 | CVE-2024-6979 | [email protected] |
payara — payara | URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50. | 2024-09-11 | 6.1 | CVE-2024-7312 | 769c9ae7-73c3-4e47-ae19-903170fc3eb8 769c9ae7-73c3-4e47-ae19-903170fc3eb8 |
Unknown–AZIndex | The AZIndex WordPress plugin through 0.8.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 2024-09-09 | 6.1 | CVE-2024-7687 | [email protected] |
Unknown–AZIndex | The AZIndex WordPress plugin through 0.8.1 does not have CSRF checks in some places, which could allow attackers to make logged in admin delete arbitrary indexes via a CSRF attack | 2024-09-09 | 6.5 | CVE-2024-7688 | [email protected] |
Lenovo–10w (Type 82ST, 82SU) Laptop (Lenovo) BIOS | A potential vulnerability was reported in the ThinkPad L390 Yoga and 10w Notebook that could allow a local attacker to escalate privileges by accessing an embedded UEFI shell. | 2024-09-13 | 6.8 | CVE-2024-7756 | [email protected] |
Axis Communications AB–AXIS OS | During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device tampering (commonly known as Secure Boot) in AXIS OS making it vulnerable to a sophisticated attack to bypass this protection. To Axis’ knowledge, there are no known exploits of the vulnerability at this time. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | 2024-09-10 | 6.1 | CVE-2024-7784 | [email protected] |
Unknown–Gixaw Chat | The Gixaw Chat WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 2024-09-12 | 6.1 | CVE-2024-7816 | [email protected] |
Unknown–Misiek Photo Album | The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF checks in some places, which could allow attackers to make logged in users delete arbitrary albums via a CSRF attack | 2024-09-12 | 6.5 | CVE-2024-7817 | [email protected] |
Unknown–Misiek Photo Album | The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 2024-09-12 | 6.1 | CVE-2024-7818 | [email protected] |
Unknown–Quick Code | The Quick Code WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 2024-09-12 | 6.1 | CVE-2024-7822 | [email protected] |
Unknown–Visual Sound | The Visual Sound WordPress plugin through 1.03 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | 2024-09-12 | 6.5 | CVE-2024-7859 | [email protected] |
Unknown–Simple Headline Rotator | The Simple Headline Rotator WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 2024-09-12 | 6.1 | CVE-2024-7860 | [email protected] |
Unknown–Misiek Paypal | The Misiek Paypal WordPress plugin through 1.1.20090324 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 2024-09-12 | 6.1 | CVE-2024-7861 | [email protected] |
Unknown–Favicon Generator (CLOSED) | The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not have CSRF and path validation in the output_sub_admin_page_0() function, allowing attackers to make logged in admins delete arbitrary files on the server | 2024-09-13 | 6.5 | CVE-2024-7864 | [email protected] |
techlabpro1–Classified Listing Classified ads & Business Directory Plugin | The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings. | 2024-09-13 | 6.3 | CVE-2024-7888 | [email protected] [email protected] [email protected] |
nko–Advanced WordPress Backgrounds | The Advanced WordPress Backgrounds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘imageTag’ parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-09-11 | 6.4 | CVE-2024-8045 | [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] |
Unknown–MM-Breaking News | The MM-Breaking News WordPress plugin through 0.7.9 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 2024-09-12 | 6.1 | CVE-2024-8054 | [email protected] |
Unknown–MM-Breaking News | The MM-Breaking News WordPress plugin through 0.7.9 does not escape the $_SERVER[‘REQUEST_URI’] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | 2024-09-12 | 6.1 | CVE-2024-8056 | [email protected] |
curl–curl | When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than ‘revoked’ (like for example ‘unauthorized’) it is not treated as a bad certficate. | 2024-09-11 | 6.5 | CVE-2024-8096 | 2499f714-1537-4658-8207-48ae4bb9eae9 2499f714-1537-4658-8207-48ae4bb9eae9 2499f714-1537-4658-8207-48ae4bb9eae9 |
pixelgrade–Nova Blocks by Pixelgrade | The Nova Blocks by Pixelgrade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ attribute of the ‘wp:separator’ Gutenberg block in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-09-10 | 6.4 | CVE-2024-8241 | [email protected] [email protected] [email protected] [email protected] |
GitLab–GitLab | An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template. | 2024-09-12 | 6.5 | CVE-2024-8311 | [email protected] |
wpdevteam–Essential Addons for Elementor Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders | The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Fancy Text widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-09-11 | 6.4 | CVE-2024-8440 | [email protected] [email protected] [email protected] [email protected] |
ivanti — endpoint_manager | An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update allows a local authenticated attacker with admin privileges to escalate their privileges to SYSTEM. | 2024-09-10 | 6.7 | CVE-2024-8441 | 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 |
hardwaremaster–Slider comparison image before and after | The Slider comparison image before and after plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s [sciba] shortcode in all versions up to, and including, 0.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-09-10 | 6.4 | CVE-2024-8543 | [email protected] [email protected] |
learningdigital — orca_hcm | Orca HCM from LEARNING DIGITA does not properly restrict a specific parameter of the file download functionality, allowing a remote attacker with regular privileges to download arbitrary system files. | 2024-09-09 | 6.5 | CVE-2024-8585 | [email protected] [email protected] |
Uniong–WebITR | WebITR from Uniong has an Open Redirect vulnerability, which allows unauthorized remote attackers to exploit this vulnerability to forge URLs. Users, believing they are accessing a trusted domain, can be redirected to another page, potentially leading to phishing attacks. | 2024-09-09 | 6.1 | CVE-2024-8586 | [email protected] [email protected] |
online_food_ordering_system_project — online_food_ordering_system | A vulnerability classified as problematic has been found in SourceCodester Online Food Ordering System 2.0. This affects an unknown part of the file index.php of the component Create an Account Page. The manipulation of the argument First Name/Last Name leads to cross site scripting. It is possible to initiate the attack remotely. | 2024-09-09 | 6.1 | CVE-2024-8604 | [email protected] [email protected] [email protected] [email protected] |
itsourcecode–Tailoring Management System | A vulnerability classified as critical was found in itsourcecode Tailoring Management System 1.0. Affected by this vulnerability is an unknown functionality of the file ssms.php. The manipulation of the argument customer leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-09-09 | 6.3 | CVE-2024-8611 | [email protected] [email protected] [email protected] [email protected] [email protected] |
martynasma–amCharts: Charts and Maps | The amCharts: Charts and Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘amcharts_javascript’ parameter in all versions up to, and including, 1.4.4 due to the ability to supply arbitrary JavaScript a lack of nonce validation on the preview functionality. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-09-12 | 6.1 | CVE-2024-8622 | [email protected] [email protected] [email protected] |
gitlab — gitlab | A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL | 2024-09-12 | 6.5 | CVE-2024-8635 | [email protected] |
GitLab–GitLab | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim’s CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim. | 2024-09-12 | 6.7 | CVE-2024-8641 | [email protected] [email protected] |
Eclipse Foundation–Eclipse Glassfish | In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish. This vulnerability only affects applications that are explicitly deployed to the root context (‘/’). | 2024-09-11 | 6.1 | CVE-2024-8646 | [email protected] [email protected] [email protected] [email protected] |
algoritmika–WPFactory Helper | The WPFactory Helper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-09-13 | 6.1 | CVE-2024-8656 | [email protected] [email protected] [email protected] |
murgroland–WP Simple Booking Calendar | The WP Simple Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-09-13 | 6.1 | CVE-2024-8663 | [email protected] [email protected] [email protected] [email protected] |
boopathi0001–WP Test Email | The WP Test Email plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-09-13 | 6.1 | CVE-2024-8664 | [email protected] [email protected] [email protected] |
yithemes–YITH Custom Login | The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-09-13 | 6.1 | CVE-2024-8665 | [email protected] [email protected] [email protected] [email protected] |
Shandong Star Measurement and Control Equipment–Heating Network Wireless Monitoring System | A vulnerability was found in Shandong Star Measurement and Control Equipment Heating Network Wireless Monitoring System 5.6.2 and classified as critical. Affected by this issue is the function GetDataKindByType of the file /DataSrvs/UCCGSrv.asmx. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-09-11 | 6.3 | CVE-2024-8705 | [email protected] [email protected] [email protected] [email protected] |
iovamihai–WordPress Affiliates Plugin SliceWP Affiliates | The WordPress Affiliates Plugin – SliceWP Affiliates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.20. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-09-13 | 6.1 | CVE-2024-8714 | [email protected] [email protected] [email protected] [email protected] [email protected] |
xootix–Waitlist Woocommerce ( Back in stock notifier ) | The Waitlist Woocommerce ( Back in stock notifier ) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-09-14 | 6.1 | CVE-2024-8724 | [email protected] [email protected] [email protected] |
cvscvstechcom–Exit Notifier | The Exit Notifier plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-09-13 | 6.1 | CVE-2024-8730 | [email protected] [email protected] |
arielhr1987–Cron Jobs | The Cron Jobs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-09-13 | 6.1 | CVE-2024-8731 | [email protected] [email protected] |
arielhr1987–Roles & Capabilities | The Roles & Capabilities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-09-13 | 6.1 | CVE-2024-8732 | [email protected] [email protected] [email protected] |
lucasstad–Lucas String Replace | The Lucas String Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-09-13 | 6.1 | CVE-2024-8734 | [email protected] [email protected] |
kubiq–PDF Thumbnail Generator | The PDF Thumbnail Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-09-13 | 6.1 | CVE-2024-8737 | [email protected] [email protected] [email protected] |
wpdevteam–Essential Addons for Elementor Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders | The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Filterable Gallery widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-09-13 | 6.4 | CVE-2024-8742 | [email protected] [email protected] [email protected] [email protected] |
khromov–Email Obfuscate Shortcode | The Email Obfuscate Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ’email-obfuscate’ shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-09-13 | 6.4 | CVE-2024-8747 | [email protected] [email protected] |
n/a–JFinalCMS | A vulnerability was found in JFinalCMS up to 1.0. It has been rated as critical. This issue affects the function delete of the file /admin/template/edit. The manipulation of the argument name leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-09-13 | 6.3 | CVE-2024-8782 | [email protected] [email protected] [email protected] [email protected] [email protected] |
QDocs–Smart School Management System | A vulnerability classified as critical was found in QDocs Smart School Management System 7.0.0. Affected by this vulnerability is an unknown functionality of the file /user/chat/mynewuser of the component Chat. The manipulation of the argument users[] with the input 1’+AND+(SELECT+3220+FROM+(SELECT(SLEEP(5)))ZNun)+AND+’WwBM’%3d’WwBM as part of POST Request Parameter leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.1 is able to address this issue. It is recommended to upgrade the affected component. | 2024-09-13 | 6.3 | CVE-2024-8784 | [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] |
murgroland–WP Booking System Booking Calendar | The WP Booking System – Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.19.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-09-14 | 6.1 | CVE-2024-8797 | [email protected] [email protected] [email protected] |
OpenText–eDirectory | Possible Improper Neutralization of Input During Web Page Generation Vulnerability in eDirectory has been discovered in OpenText™ eDirectory 9.2.3.0000. | 2024-09-12 | 5.4 | CVE-2021-22503 | [email protected] |
OpenText–Identity Manager AzureAD Driver | A vulnerability identified in OpenText™ Identity Manager AzureAD Driver that allows logging of sensitive information into log file. This impacts all versions before 5.1.4.0 | 2024-09-12 | 5.8 | CVE-2021-22518 | [email protected] |
OpenText–eDirectory | Possible Cross-Site Scripting (XSS) Vulnerability in eDirectory has been discovered in OpenText™ eDirectory 9.2.5.0000. | 2024-09-12 | 5.4 | CVE-2021-38131 | [email protected] |
OpenText–eDirectory | Possible External Service Interaction attack in eDirectory has been discovered in OpenText™ eDirectory. This impact all version before 9.2.6.0000. | 2024-09-12 | 5.3 | CVE-2021-38132 | [email protected] |
ankitpokhrel–WooCommerce Multiple Free Gift | The WooCommerce Multiple Free Gift plugin for WordPress is vulnerable to gift manipulation in all versions up to, and including, 1.2.3. This is due to plugin not enforcing server-side checks on the products that can be added as a gift. This makes it possible for unauthenticated attackers to add non-gift items to their cart as a gift. | 2024-09-14 | 5.3 | CVE-2022-3459 | [email protected] [email protected] |
Siemens–SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) | A vulnerability has been identified in SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 IEC (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-7 LTE (All versions < V3.5.20), SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0) (All versions < V3.5.20), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC IPC DiagBase (All versions), SIMATIC IPC DiagMonitor (All versions), SIMATIC WinCC Runtime Advanced (All versions), SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) (All versions < V2.4.8), TIM 1531 IRC (6GK7543-1MX00-0XE0) (All versions < V2.4.8). The web server of the affected devices do not properly handle certain requests, causing a timeout in the watchdog, which could lead to the clean up of pointers. This could allow a remote attacker to cause a denial of service condition in the system. | 2024-09-10 | 5.9 | CVE-2023-28827 | [email protected] |
Siemens–SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) | A vulnerability has been identified in SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 IEC (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-7 LTE (All versions < V3.5.20), SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0) (All versions < V3.5.20), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC IPC DiagBase (All versions), SIMATIC IPC DiagMonitor (All versions), SIMATIC WinCC Runtime Advanced (All versions), SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) (All versions < V2.4.8), TIM 1531 IRC (6GK7543-1MX00-0XE0) (All versions < V2.4.8). The web server of the affected devices do not properly handle certain errors when using the Expect HTTP request header, resulting in NULL dereference. This could allow a remote attacker with no privileges to cause a denial of service condition in the system. | 2024-09-10 | 5.9 | CVE-2023-30756 | [email protected] |
Bricks Builder–Bricks | The Bricks theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘customTag’ attribute in versions up to, and including, 1.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the Bricks Builder (admin-only by default), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This becomes more of an issue when Bricks Builder access is granted to lower-privileged users. | 2024-09-14 | 5.4 | CVE-2023-3410 | [email protected] [email protected] [email protected] |
Fortinet–FortiAnalyzer | An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer version 7.4.1 and before 7.2.5 and FortiManager version 7.4.1 and before 7.2.5 may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request. | 2024-09-10 | 5 | CVE-2023-44254 | [email protected] |
Siemens–Mendix Runtime V10 | A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.14.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions < V10.12.2 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions < V10.6.12 only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions < V8.18.31 only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions < V9.24.26 only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames. | 2024-09-10 | 5.3 | CVE-2023-49069 | [email protected] |
Cisco–Cisco IOS XR Software | A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to read any file in the file system of the underlying Linux operating system. The attacker must have valid credentials on the affected device. This vulnerability is due to incorrect validation of the arguments that are passed to a specific CLI command. An attacker could exploit this vulnerability by logging in to an affected device with low-privileged credentials and using the affected command. A successful exploit could allow the attacker access files in read-only mode on the Linux file system. | 2024-09-11 | 5.5 | CVE-2024-20343 | [email protected] |
Cisco–Cisco IOS XR Software | A vulnerability in the Dedicated XML Agent feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) on XML TCP listen port 38751. This vulnerability is due to a lack of proper error validation of ingress XML packets. An attacker could exploit this vulnerability by sending a sustained, crafted stream of XML traffic to a targeted device. A successful exploit could allow the attacker to cause XML TCP port 38751 to become unreachable while the attack traffic persists. | 2024-09-11 | 5.3 | CVE-2024-20390 | [email protected] |
n/a–node-gettext | All versions of the package node-gettext are vulnerable to Prototype Pollution via the addTranslations() function in gettext.js due to improper user input sanitization. | 2024-09-10 | 5.9 | CVE-2024-21528 | [email protected] [email protected] |
Fortinet–FortiClientEMS | A improper limitation of a pathname to a restricted directory (‘path traversal’) in Fortinet FortiClientEMS versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.13, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, 6.0.0 through 6.0.8, 1.2.1 through 1.2.5 allows attacker to perform a denial of service, read or write a limited number of files via specially crafted HTTP requests | 2024-09-10 | 5.5 | CVE-2024-21753 | [email protected] |
Open-Xchange GmbH–OX Dovecot Pro | Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known. | 2024-09-10 | 5 | CVE-2024-23184 | [email protected] |
n/a–n/a | An issue was discovered in Samsung Semiconductor Mobile Processor, Automotive Processor, and Modem Exynos 9820, Exynos 9825, Exynos 980, Exynos 990, Exynos 850, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 9110, Exynos W920, Exynos W930, Exynos Modem 5123, Exynos Modem 5300. The baseband software does not properly check a pointer specified by the CC (Call Control module), which can lead to Denial of Service (Untrusted Pointer Dereference). | 2024-09-10 | 5.9 | CVE-2024-25073 | [email protected] [email protected] |
n/a–n/a | An issue was discovered in Samsung Semiconductor Mobile Processor, Automotive Processor, and Modem Exynos 9820, Exynos 9825, Exynos 980, Exynos 990, Exynos 850, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 9110, Exynos W920, Exynos W930, Exynos Modem 5123, Exynos Modem 5300. The baseband software does not properly check a pointer specified by the SM (Session Management module), which can lead to Denial of Service (Untrusted Pointer Dereference). | 2024-09-10 | 5.9 | CVE-2024-25074 | [email protected] [email protected] |
samsung — exynos_980_firmware | An issue was discovered in Mobile Processor, Wearable Processor Exynos 980, Exynos 850, Exynos 1080, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 1480, Exynos W920, Exynos W930. In the function slsi_rx_roamed_ind(), there is no input validation check on a length coming from userspace, which can lead to a potential heap over-read. | 2024-09-09 | 5.5 | CVE-2024-27364 | [email protected] [email protected] |
samsung — exynos_980_firmware | An issue was discovered in Samsung Mobile Processor, Wearable Processor Exynos Exynos 980, Exynos 850, Exynos 1080, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 1480, Exynos W920, Exynos W930. In the function slsi_rx_scan_done_ind(), there is no input validation check on a length coming from userspace, which can lead to a potential heap over-read. | 2024-09-09 | 5.5 | CVE-2024-27366 | [email protected] [email protected] |
samsung — exynos_980_firmware | An issue was discovered in Samsung Mobile Processor Exynos Wearable Processor Exynos 980, Exynos 850, Exynos 1080, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 1480, Exynos W920, Exynos W930. In the function slsi_rx_scan_ind(), there is no input validation check on a length coming from userspace, which can lead to integer overflow and a potential heap over-read. | 2024-09-09 | 5.5 | CVE-2024-27367 | [email protected] [email protected] |
samsung — exynos_980_firmware | An issue was discovered in Samsung Mobile Processor Exynos Mobile Processor, Wearable Processor Exynos 980, Exynos 850, Exynos 1080, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 1480, Exynos W920, Exynos W930. In the function slsi_rx_received_frame_ind(), there is no input validation check on a length coming from userspace, which can lead to a potential heap over-read. | 2024-09-09 | 5.5 | CVE-2024-27368 | [email protected] |
Eaton–Foreseer | The Eaton Foreseer software provides multiple customizable input fields for the users to configure parameters in the tool like alarms, reports, etc. Some of these input fields were not checking the length and bounds of the entered value. The exploit of this security flaw by a bad actor may result in excessive memory consumption or integer overflow. | 2024-09-13 | 5.6 | CVE-2024-31416 | [email protected] |
n/a–n/a | User enumeration vulnerability in ORDAT FOSS-Online before v2.24.01 allows attackers to determine if an account exists in the application by comparing the server responses of the forgot password functionality. | 2024-09-12 | 5.3 | CVE-2024-34336 | [email protected] [email protected] [email protected] |
Siemens–SIMATIC Reader RF610R CMIIT | A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0) (All versions < V4.2), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0) (All versions < V4.2), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0) (All versions < V4.2), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0) (All versions < V4.2), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0) (All versions < V4.2), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0) (All versions < V4.2), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0) (All versions < V4.2), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0) (All versions < V4.2), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0) (All versions < V4.2), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0) (All versions < V4.2), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0) (All versions < V4.2), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0) (All versions < V4.2), SIMATIC RF1140R (6GT2831-6CB00) (All versions < V1.1), SIMATIC RF1170R (6GT2831-6BB00) (All versions < V1.1), SIMATIC RF166C (6GT2002-0EE20) (All versions < V2.2), SIMATIC RF185C (6GT2002-0JE10) (All versions < V2.2), SIMATIC RF186C (6GT2002-0JE20) (All versions < V2.2), SIMATIC RF186CI (6GT2002-0JE50) (All versions < V2.2), SIMATIC RF188C (6GT2002-0JE40) (All versions < V2.2), SIMATIC RF188CI (6GT2002-0JE60) (All versions < V2.2), SIMATIC RF360R (6GT2801-5BA30) (All versions < V2.2). The service log files of the affected application can be accessed without proper authentication. This could allow an unauthenticated attacker to get access to sensitive information. | 2024-09-10 | 5.3 | CVE-2024-37991 | [email protected] |
Siemens–SIMATIC Reader RF610R CMIIT | A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0) (All versions < V4.2), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0) (All versions < V4.2), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0) (All versions < V4.2), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0) (All versions < V4.2), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0) (All versions < V4.2), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0) (All versions < V4.2), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0) (All versions < V4.2), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0) (All versions < V4.2), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0) (All versions < V4.2), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0) (All versions < V4.2), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0) (All versions < V4.2), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0) (All versions < V4.2), SIMATIC RF1140R (6GT2831-6CB00) (All versions < V1.1), SIMATIC RF1170R (6GT2831-6BB00) (All versions < V1.1), SIMATIC RF166C (6GT2002-0EE20) (All versions < V2.2), SIMATIC RF185C (6GT2002-0JE10) (All versions < V2.2), SIMATIC RF186C (6GT2002-0JE20) (All versions < V2.2), SIMATIC RF186CI (6GT2002-0JE50) (All versions < V2.2), SIMATIC RF188C (6GT2002-0JE40) (All versions < V2.2), SIMATIC RF188CI (6GT2002-0JE60) (All versions < V2.2), SIMATIC RF360R (6GT2801-5BA30) (All versions < V2.2). The affected applications do not authenticated the creation of Ajax2App instances. This could allow an unauthenticated attacker to cause a denial of service condition. | 2024-09-10 | 5.3 | CVE-2024-37993 | [email protected] |
microsoft — windows_10_1507 | Windows Mark of the Web Security Feature Bypass Vulnerability | 2024-09-10 | 5.4 | CVE-2024-38217 | [email protected] |
microsoft — windows_10_1507 | Windows Kernel-Mode Driver Information Disclosure Vulnerability | 2024-09-10 | 5.5 | CVE-2024-38256 | [email protected] |
Zyxel–GS1900-10HP firmware | An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0. This vulnerability could allow a LAN-based attacker a slight chance to gain a valid session token if multiple authenticated sessions are alive. | 2024-09-10 | 5.3 | CVE-2024-38270 | [email protected] |
adobe — after_effects | After Effects versions 23.6.6, 24.5 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 5.5 | CVE-2024-39382 | [email protected] |
Adobe–Premiere Pro | Premiere Pro versions 24.5, 23.6.8 and earlier are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 5.5 | CVE-2024-39385 | [email protected] |
ti — fusion_digital_power_designer | An issue in Texas Instruments Fusion Digital Power Designer v.7.10.1 allows a local attacker to obtain sensitive information via the plaintext storage of credentials | 2024-09-12 | 5.5 | CVE-2024-41629 | [email protected] |
adobe — after_effects | After Effects versions 23.6.6, 24.5 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could lead to arbitrary file system write operations. An attacker could leverage this vulnerability to modify or corrupt files, potentially leading to a compromise of system integrity. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 5.5 | CVE-2024-41867 | [email protected] |
Adobe–Audition | Audition versions 24.4.1, 23.6.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-11 | 5.5 | CVE-2024-41868 | [email protected] |
adobe — media_encoder | Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 5.5 | CVE-2024-41870 | [email protected] |
adobe — media_encoder | Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 5.5 | CVE-2024-41872 | [email protected] |
adobe — media_encoder | Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 5.5 | CVE-2024-41873 | [email protected] |
siemens — sinema_remote_connect_client | A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.2 SP2). The affected application inserts sensitive information into a log file which is readable by all legitimate users of the underlying system. This could allow an authenticated attacker to compromise the confidentiality of other users’ configuration data. | 2024-09-10 | 5.5 | CVE-2024-42344 | [email protected] |
SAP_SE–SAP NetWeaver Application Server for ABAP and ABAP Platform | The RFC enabled function module allows a low privileged user to delete the workplace favourites of any user. This vulnerability could be utilized to identify usernames and access information about targeted user’s workplaces and nodes. There is low impact on integrity and availability of the application. | 2024-09-10 | 5.4 | CVE-2024-42371 | [email protected] [email protected] |
Dell–Dell Precision Rack BIOS | Dell Precision Rack, 14G Intel BIOS versions prior to 2.22.2, contains an Improper Input Validation vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. | 2024-09-10 | 5.3 | CVE-2024-42424 | [email protected] |
microsoft — dynamics_365 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | 2024-09-10 | 5.4 | CVE-2024-43476 | [email protected] |
adobe — illustrator | Illustrator versions 28.6, 27.9.5 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to an application denial-of-service (DoS). An attacker could exploit this vulnerability to crash the application, resulting in a DoS condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 5.5 | CVE-2024-43759 | [email protected] |
Siemens–SINUMERIK 828D V4 | A vulnerability has been identified in SINUMERIK 828D V4 (All versions < V4.95 SP3), SINUMERIK 840D sl V4 (All versions < V4.95 SP3 in connection with using Create MyConfig (CMC) <= V4.8 SP1 HF6), SINUMERIK ONE (All versions < V6.23 in connection with using Create MyConfig (CMC) <= V6.6), SINUMERIK ONE (All versions < V6.15 SP4 in connection with using Create MyConfig (CMC) <= V6.6). Affected systems, that have been provisioned with Create MyConfig (CMC), contain a Insertion of Sensitive Information into Log File vulnerability. This could allow a local authenticated user with low privileges to read sensitive information and thus circumvent access restrictions. | 2024-09-10 | 5.5 | CVE-2024-43781 | [email protected] |
expressjs–express | Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input – even after sanitizing it – to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0. | 2024-09-10 | 5 | CVE-2024-43796 | [email protected] [email protected] |
pillarjs–send | Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0. | 2024-09-10 | 5 | CVE-2024-43799 | [email protected] [email protected] |
expressjs–serve-static | serve-static serves static files. serve-static passes untrusted user input – even after sanitizing it – to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0. | 2024-09-10 | 5 | CVE-2024-43800 | [email protected] [email protected] [email protected] |
BUFFALO INC.–WHR-1166DHP2 | OS command injection vulnerability exists in BUFFALO wireless LAN routers and wireless LAN repeaters. If a user logs in to the management page and sends a specially crafted request to the affected product from the product’s specific management page, an arbitrary OS command may be executed. | 2024-09-10 | 5.7 | CVE-2024-44072 | [email protected] [email protected] |
SAP_SE–SAP NetWeaver Application Server for ABAP and ABAP Platform | The RFC enabled function module allows a low privileged user to perform various actions, such as modifying the URLs of any user’s favourite nodes and workbook ID. There is low impact on integrity and availability of the application. | 2024-09-10 | 5.4 | CVE-2024-44117 | [email protected] [email protected] |
n/a–n/a | Titan SFTP and Titan MFT Server 2.0.25.2426 and earlier have a vulnerability a vulnerability where sensitive information, including passwords, is exposed in clear text within the JSON response when configuring SMTP settings via the Web UI. | 2024-09-13 | 5 | CVE-2024-44685 | [email protected] [email protected] |
perfexcrm — perfex_crm | A stored cross-site scripting (XSS) vulnerability in the Discussion section of Perfex CRM v1.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Content parameter. | 2024-09-11 | 5.4 | CVE-2024-44851 | [email protected] [email protected] |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only decrement add_addr_accepted for MPJ req Adding the following warning … WARN_ON_ONCE(msk->pm.add_addr_accepted == 0) … before decrementing the add_addr_accepted counter helped to find a bug when running the “remove single subflow” subtest from the mptcp_join.sh selftest. Removing a ‘subflow’ endpoint will first trigger a RM_ADDR, then the subflow closure. Before this patch, and upon the reception of the RM_ADDR, the other peer will then try to decrement this add_addr_accepted. That’s not correct because the attached subflows have not been created upon the reception of an ADD_ADDR. A way to solve that is to decrement the counter only if the attached subflow was an MP_JOIN to a remote id that was not 0, and initiated by the host receiving the RM_ADDR. | 2024-09-11 | 5.5 | CVE-2024-45009 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only mark ‘subflow’ endp as available Adding the following warning … WARN_ON_ONCE(msk->pm.local_addr_used == 0) … before decrementing the local_addr_used counter helped to find a bug when running the “remove single address” subtest from the mptcp_join.sh selftests. Removing a ‘signal’ endpoint will trigger the removal of all subflows linked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with rm_type == MPTCP_MIB_RMSUBFLOW. This will decrement the local_addr_used counter, which is wrong in this case because this counter is linked to ‘subflow’ endpoints, and here it is a ‘signal’ endpoint that is being removed. Now, the counter is decremented, only if the ID is being used outside of mptcp_pm_nl_rm_addr_or_subflow(), only for ‘subflow’ endpoints, and if the ID is not 0 — local_addr_used is not taking into account these ones. This marking of the ID as being available, and the decrement is done no matter if a subflow using this ID is currently available, because the subflow could have been closed before. | 2024-09-11 | 5.5 | CVE-2024-45010 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: char: xillybus: Check USB endpoints when probing device Ensure, as the driver probes the device, that all endpoints that the driver may attempt to access exist and are of the correct type. All XillyUSB devices must have a Bulk IN and Bulk OUT endpoint at address 1. This is verified in xillyusb_setup_base_eps(). On top of that, a XillyUSB device may have additional Bulk OUT endpoints. The information about these endpoints’ addresses is deduced from a data structure (the IDT) that the driver fetches from the device while probing it. These endpoints are checked in setup_channels(). A XillyUSB device never has more than one IN endpoint, as all data towards the host is multiplexed in this single Bulk IN endpoint. This is why setup_channels() only checks OUT endpoints. | 2024-09-11 | 5.5 | CVE-2024-45011 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: nouveau/firmware: use dma non-coherent allocator Currently, enabling SG_DEBUG in the kernel will cause nouveau to hit a BUG() on startup, when the iommu is enabled: kernel BUG at include/linux/scatterlist.h:187! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30 Hardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019 RIP: 0010:sg_init_one+0x85/0xa0 Code: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54 24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b 0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00 RSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000 RBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508 R13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018 FS: 00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0 Call Trace: <TASK> ? die+0x36/0x90 ? do_trap+0xdd/0x100 ? sg_init_one+0x85/0xa0 ? do_error_trap+0x65/0x80 ? sg_init_one+0x85/0xa0 ? exc_invalid_op+0x50/0x70 ? sg_init_one+0x85/0xa0 ? asm_exc_invalid_op+0x1a/0x20 ? sg_init_one+0x85/0xa0 nvkm_firmware_ctor+0x14a/0x250 [nouveau] nvkm_falcon_fw_ctor+0x42/0x70 [nouveau] ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau] r535_gsp_oneinit+0xb3/0x15f0 [nouveau] ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? nvkm_udevice_new+0x95/0x140 [nouveau] ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? ktime_get+0x47/0xb0 Fix this by using the non-coherent allocator instead, I think there might be a better answer to this, but it involve ripping up some of APIs using sg lists. | 2024-09-11 | 5.5 | CVE-2024-45012 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: nvme: move stopping keep-alive into nvme_uninit_ctrl() Commit 4733b65d82bd (“nvme: start keep-alive after admin queue setup”) moves starting keep-alive from nvme_start_ctrl() into nvme_init_ctrl_finish(), but don’t move stopping keep-alive into nvme_uninit_ctrl(), so keep-alive work can be started and keep pending after failing to start controller, finally use-after-free is triggered if nvme host driver is unloaded. This patch fixes kernel panic when running nvme/004 in case that connection failure is triggered, by moving stopping keep-alive into nvme_uninit_ctrl(). This way is reasonable because keep-alive is now started in nvme_init_ctrl_finish(). | 2024-09-11 | 5.5 | CVE-2024-45013 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: s390/boot: Avoid possible physmem_info segment corruption When physical memory for the kernel image is allocated it does not consider extra memory required for offsetting the image start to match it with the lower 20 bits of KASLR virtual base address. That might lead to kernel access beyond its memory range. | 2024-09-11 | 5.5 | CVE-2024-45014 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: move dpu_encoder’s connector assignment to atomic_enable() For cases where the crtc’s connectors_changed was set without enable/active getting toggled , there is an atomic_enable() call followed by an atomic_disable() but without an atomic_mode_set(). This results in a NULL ptr access for the dpu_encoder_get_drm_fmt() call in the atomic_enable() as the dpu_encoder’s connector was cleared in the atomic_disable() but not re-assigned as there was no atomic_mode_set() call. Fix the NULL ptr access by moving the assignment for atomic_enable() and also use drm_atomic_get_new_connector_for_encoder() to get the connector from the atomic_state. Patchwork: https://patchwork.freedesktop.org/patch/606729/ | 2024-09-11 | 5.5 | CVE-2024-45015 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (“net: netem: fix skb length BUG_ON in __skb_to_sgvec”) that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc’s q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: – If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. – If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS. | 2024-09-11 | 5.5 | CVE-2024-45016 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix IPsec RoCE MPV trace call Prevent the call trace below from happening, by not allowing IPsec creation over a slave, if master device doesn’t support IPsec. WARNING: CPU: 44 PID: 16136 at kernel/locking/rwsem.c:240 down_read+0x75/0x94 Modules linked in: esp4_offload esp4 act_mirred act_vlan cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa mst_pciconf(OE) nfsv3 nfs_acl nfs lockd grace fscache netfs xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill cuse fuse rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_ipoib iw_cm ib_cm ipmi_ssif intel_rapl_msr intel_rapl_common amd64_edac edac_mce_amd kvm_amd kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel sha1_ssse3 dell_smbios ib_uverbs aesni_intel crypto_simd dcdbas wmi_bmof dell_wmi_descriptor cryptd pcspkr ib_core acpi_ipmi sp5100_tco ccp i2c_piix4 ipmi_si ptdma k10temp ipmi_devintf ipmi_msghandler acpi_power_meter acpi_cpufreq ext4 mbcache jbd2 sd_mod t10_pi sg mgag200 drm_kms_helper syscopyarea sysfillrect mlx5_core sysimgblt fb_sys_fops cec ahci libahci mlxfw drm pci_hyperv_intf libata tg3 sha256_ssse3 tls megaraid_sas i2c_algo_bit psample wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mst_pci] CPU: 44 PID: 16136 Comm: kworker/44:3 Kdump: loaded Tainted: GOE 5.15.0-20240509.el8uek.uek7_u3_update_v6.6_ipsec_bf.x86_64 #2 Hardware name: Dell Inc. PowerEdge R7525/074H08, BIOS 2.0.3 01/15/2021 Workqueue: events xfrm_state_gc_task RIP: 0010:down_read+0x75/0x94 Code: 00 48 8b 45 08 65 48 8b 14 25 80 fc 01 00 83 e0 02 48 09 d0 48 83 c8 01 48 89 45 08 5d 31 c0 89 c2 89 c6 89 c7 e9 cb 88 3b 00 <0f> 0b 48 8b 45 08 a8 01 74 b2 a8 02 75 ae 48 89 c2 48 83 ca 02 f0 RSP: 0018:ffffb26387773da8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffa08b658af900 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ff886bc5e1366f2f RDI: 0000000000000000 RBP: ffffa08b658af940 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffa0a9bfb31540 R13: ffffa0a9bfb37900 R14: 0000000000000000 R15: ffffa0a9bfb37905 FS: 0000000000000000(0000) GS:ffffa0a9bfb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055a45ed814e8 CR3: 000000109038a000 CR4: 0000000000350ee0 Call Trace: <TASK> ? show_trace_log_lvl+0x1d6/0x2f9 ? show_trace_log_lvl+0x1d6/0x2f9 ? mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core] ? down_read+0x75/0x94 ? __warn+0x80/0x113 ? down_read+0x75/0x94 ? report_bug+0xa4/0x11d ? handle_bug+0x35/0x8b ? exc_invalid_op+0x14/0x75 ? asm_exc_invalid_op+0x16/0x1b ? down_read+0x75/0x94 ? down_read+0xe/0x94 mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core] mlx5_ipsec_fs_roce_tx_destroy+0xb1/0x130 [mlx5_core] tx_destroy+0x1b/0xc0 [mlx5_core] tx_ft_put+0x53/0xc0 [mlx5_core] mlx5e_xfrm_free_state+0x45/0x90 [mlx5_core] ___xfrm_state_destroy+0x10f/0x1a2 xfrm_state_gc_task+0x81/0xa9 process_one_work+0x1f1/0x3c6 worker_thread+0x53/0x3e4 ? process_one_work.cold+0x46/0x3c kthread+0x127/0x144 ? set_kthread_struct+0x60/0x52 ret_from_fork+0x22/0x2d </TASK> —[ end trace 5ef7896144d398e1 ]— | 2024-09-11 | 5.5 | CVE-2024-45017 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: initialise extack before use Fix missing initialisation of extack in flow offload. | 2024-09-11 | 5.5 | CVE-2024-45018 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Take state lock during tx timeout reporter mlx5e_safe_reopen_channels() requires the state lock taken. The referenced changed in the Fixes tag removed the lock to fix another issue. This patch adds it back but at a later point (when calling mlx5e_safe_reopen_channels()) to avoid the deadlock referenced in the Fixes tag. | 2024-09-11 | 5.5 | CVE-2024-45019 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a kernel verifier crash in stacksafe() Daniel Hodges reported a kernel verifier crash when playing with sched-ext. Further investigation shows that the crash is due to invalid memory access in stacksafe(). More specifically, it is the following code: if (exact != NOT_EXACT && old->stack[spi].slot_type[i % BPF_REG_SIZE] != cur->stack[spi].slot_type[i % BPF_REG_SIZE]) return false; The ‘i’ iterates old->allocated_stack. If cur->allocated_stack < old->allocated_stack the out-of-bound access will happen. To fix the issue add ‘i >= cur->allocated_stack’ check such that if the condition is true, stacksafe() should fail. Otherwise, cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal. | 2024-09-11 | 5.5 | CVE-2024-45020 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: memcg_write_event_control(): fix a user-triggerable oops we are *not* guaranteed that anything past the terminating NUL is mapped (let alone initialized with anything sane). | 2024-09-11 | 5.5 | CVE-2024-45021 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 The __vmap_pages_range_noflush() assumes its argument pages** contains pages with the same page shift. However, since commit e9c3cda4d86e (“mm, vmalloc: fix high order __GFP_NOFAIL allocations”), if gfp_flags includes __GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation failed for high order, the pages** may contain two different page shifts (high order and order-0). This could lead __vmap_pages_range_noflush() to perform incorrect mappings, potentially resulting in memory corruption. Users might encounter this as follows (vmap_allow_huge = true, 2M is for PMD_SIZE): kvmalloc(2M, __GFP_NOFAIL|GFP_X) __vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP) vm_area_alloc_pages(order=9) —> order-9 allocation failed and fallback to order-0 vmap_pages_range() vmap_pages_range_noflush() __vmap_pages_range_noflush(page_shift = 21) —-> wrong mapping happens We can remove the fallback code because if a high-order allocation fails, __vmalloc_node_range_noprof() will retry with order-0. Therefore, it is unnecessary to fallback to order-0 here. Therefore, fix this by removing the fallback code. | 2024-09-11 | 5.5 | CVE-2024-45022 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix hugetlb vs. core-mm PT locking We recently made GUP’s common page table walking code to also walk hugetlb VMAs without most hugetlb special-casing, preparing for the future of having less hugetlb-specific page table walking code in the codebase. Turns out that we missed one page table locking detail: page table locking for hugetlb folios that are not mapped using a single PMD/PUD. Assume we have hugetlb folio that spans multiple PTEs (e.g., 64 KiB hugetlb folios on arm64 with 4 KiB base page size). GUP, as it walks the page tables, will perform a pte_offset_map_lock() to grab the PTE table lock. However, hugetlb that concurrently modifies these page tables would actually grab the mm->page_table_lock: with USE_SPLIT_PTE_PTLOCKS, the locks would differ. Something similar can happen right now with hugetlb folios that span multiple PMDs when USE_SPLIT_PMD_PTLOCKS. This issue can be reproduced [1], for example triggering: [ 3105.936100] ————[ cut here ]———— [ 3105.939323] WARNING: CPU: 31 PID: 2732 at mm/gup.c:142 try_grab_folio+0x11c/0x188 [ 3105.944634] Modules linked in: […] [ 3105.974841] CPU: 31 PID: 2732 Comm: reproducer Not tainted 6.10.0-64.eln141.aarch64 #1 [ 3105.980406] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-4.fc40 05/24/2024 [ 3105.986185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=–) [ 3105.991108] pc : try_grab_folio+0x11c/0x188 [ 3105.994013] lr : follow_page_pte+0xd8/0x430 [ 3105.996986] sp : ffff80008eafb8f0 [ 3105.999346] x29: ffff80008eafb900 x28: ffffffe8d481f380 x27: 00f80001207cff43 [ 3106.004414] x26: 0000000000000001 x25: 0000000000000000 x24: ffff80008eafba48 [ 3106.009520] x23: 0000ffff9372f000 x22: ffff7a54459e2000 x21: ffff7a546c1aa978 [ 3106.014529] x20: ffffffe8d481f3c0 x19: 0000000000610041 x18: 0000000000000001 [ 3106.019506] x17: 0000000000000001 x16: ffffffffffffffff x15: 0000000000000000 [ 3106.024494] x14: ffffb85477fdfe08 x13: 0000ffff9372ffff x12: 0000000000000000 [ 3106.029469] x11: 1fffef4a88a96be1 x10: ffff7a54454b5f0c x9 : ffffb854771b12f0 [ 3106.034324] x8 : 0008000000000000 x7 : ffff7a546c1aa980 x6 : 0008000000000080 [ 3106.038902] x5 : 00000000001207cf x4 : 0000ffff9372f000 x3 : ffffffe8d481f000 [ 3106.043420] x2 : 0000000000610041 x1 : 0000000000000001 x0 : 0000000000000000 [ 3106.047957] Call trace: [ 3106.049522] try_grab_folio+0x11c/0x188 [ 3106.051996] follow_pmd_mask.constprop.0.isra.0+0x150/0x2e0 [ 3106.055527] follow_page_mask+0x1a0/0x2b8 [ 3106.058118] __get_user_pages+0xf0/0x348 [ 3106.060647] faultin_page_range+0xb0/0x360 [ 3106.063651] do_madvise+0x340/0x598 Let’s make huge_pte_lockptr() effectively use the same PT locks as any core-mm page table walker would. Add ptep_lockptr() to obtain the PTE page table lock using a pte pointer — unfortunately we cannot convert pte_lockptr() because virt_to_page() doesn’t work with kmap’ed page tables we can have with CONFIG_HIGHPTE. Handle CONFIG_PGTABLE_LEVELS correctly by checking in reverse order, such that when e.g., CONFIG_PGTABLE_LEVELS==2 with PGDIR_SIZE==P4D_SIZE==PUD_SIZE==PMD_SIZE will work as expected. Document why that works. There is one ugly case: powerpc 8xx, whereby we have an 8 MiB hugetlb folio being mapped using two PTE page tables. While hugetlb wants to take the PMD table lock, core-mm would grab the PTE table lock of one of both PTE page tables. In such corner cases, we have to make sure that both locks match, which is (fortunately!) currently guaranteed for 8xx as it does not support SMP and consequently doesn’t use split PT locks. [1] https://lore.kernel.org/all/[email protected]/ | 2024-09-11 | 5.5 | CVE-2024-45024 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE copy_fd_bitmaps(new, old, count) is expected to copy the first count/BITS_PER_LONG bits from old->full_fds_bits[] and fill the rest with zeroes. What it does is copying enough words (BITS_TO_LONGS(count/BITS_PER_LONG)), then memsets the rest. That works fine, *if* all bits past the cutoff point are clear. Otherwise we are risking garbage from the last word we’d copied. For most of the callers that is true – expand_fdtable() has count equal to old->max_fds, so there’s no open descriptors past count, let alone fully occupied words in ->open_fds[], which is what bits in ->full_fds_bits[] correspond to. The other caller (dup_fd()) passes sane_fdtable_size(old_fdt, max_fds), which is the smallest multiple of BITS_PER_LONG that covers all opened descriptors below max_fds. In the common case (copying on fork()) max_fds is ~0U, so all opened descriptors will be below it and we are fine, by the same reasons why the call in expand_fdtable() is safe. Unfortunately, there is a case where max_fds is less than that and where we might, indeed, end up with junk in ->full_fds_bits[] – close_range(from, to, CLOSE_RANGE_UNSHARE) with * descriptor table being currently shared * ‘to’ being above the current capacity of descriptor table * ‘from’ being just under some chunk of opened descriptors. In that case we end up with observably wrong behaviour – e.g. spawn a child with CLONE_FILES, get all descriptors in range 0..127 open, then close_range(64, ~0U, CLOSE_RANGE_UNSHARE) and watch dup(0) ending up with descriptor #128, despite #64 being observably not open. The minimally invasive fix would be to deal with that in dup_fd(). If this proves to add measurable overhead, we can go that way, but let’s try to fix copy_fd_bitmaps() first. * new helper: bitmap_copy_and_expand(to, from, bits_to_copy, size). * make copy_fd_bitmaps() take the bitmap size in words, rather than bits; it’s ‘count’ argument is always a multiple of BITS_PER_LONG, so we are not losing any information, and that way we can use the same helper for all three bitmaps – compiler will see that count is a multiple of BITS_PER_LONG for the large ones, so it’ll generate plain memcpy()+memset(). Reproducer added to tools/testing/selftests/core/close_range_test.c | 2024-09-11 | 5.5 | CVE-2024-45025 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup() If xhci_mem_init() fails, it calls into xhci_mem_cleanup() to mop up the damage. If it fails early enough, before xhci->interrupters is allocated but after xhci->max_interrupters has been set, which happens in most (all?) cases, things get uglier, as xhci_mem_cleanup() unconditionally derefences xhci->interrupters. With prejudice. Gate the interrupt freeing loop with a check on xhci->interrupters being non-NULL. Found while debugging a DMA allocation issue that led the XHCI driver on this exact path. | 2024-09-11 | 5.5 | CVE-2024-45027 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: mmc: mmc_test: Fix NULL dereference on allocation failure If the “test->highmem = alloc_pages()” allocation fails then calling __free_pages(test->highmem) will result in a NULL dereference. Also change the error code to -ENOMEM instead of returning success. | 2024-09-11 | 5.5 | CVE-2024-45028 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: i2c: tegra: Do not mark ACPI devices as irq safe On ACPI machines, the tegra i2c module encounters an issue due to a mutex being called inside a spinlock. This leads to the following bug: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585 … Call trace: __might_sleep __mutex_lock_common mutex_lock_nested acpi_subsys_runtime_resume rpm_resume tegra_i2c_xfer The problem arises because during __pm_runtime_resume(), the spinlock &dev->power.lock is acquired before rpm_resume() is called. Later, rpm_resume() invokes acpi_subsys_runtime_resume(), which relies on mutexes, triggering the error. To address this issue, devices on ACPI are now marked as not IRQ-safe, considering the dependency of acpi_subsys_runtime_resume() on mutexes. | 2024-09-11 | 5.5 | CVE-2024-45029 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: igb: cope with large MAX_SKB_FRAGS Sabrina reports that the igb driver does not cope well with large MAX_SKB_FRAG values: setting MAX_SKB_FRAG to 45 causes payload corruption on TX. An easy reproducer is to run ssh to connect to the machine. With MAX_SKB_FRAGS=17 it works, with MAX_SKB_FRAGS=45 it fails. This has been reported originally in https://bugzilla.redhat.com/show_bug.cgi?id=2265320 The root cause of the issue is that the driver does not take into account properly the (possibly large) shared info size when selecting the ring layout, and will try to fit two packets inside the same 4K page even when the 1st fraglist will trump over the 2nd head. Address the issue by checking if 2K buffers are insufficient. | 2024-09-11 | 5.5 | CVE-2024-45030 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
adobe — illustrator | Illustrator versions 28.6, 27.9.5 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 5.5 | CVE-2024-45111 | [email protected] |
SAP_SE–SAP BusinessObjects Business Intelligence Platform | SAP BusinessObjects Business Intelligence Platform allows a high privilege user to run client desktop applications even if some of the DLLs are not digitally signed or if the signature is broken. The attacker needs to have local access to the vulnerable system to perform DLL related tasks. This could result in a high impact on confidentiality and integrity of the application. | 2024-09-10 | 5.8 | CVE-2024-45281 | [email protected] [email protected] |
SAP_SE–SAP NetWeaver Application Server for ABAP and ABAP Platform | The RFC enabled function module allows a low privileged user to perform denial of service on any user and also change or delete favourite nodes. By sending a crafted packet in the function module targeting specific parameters, the specific targeted user will no longer have access to any functionality of SAP GUI. There is low impact on integrity and availability of the application. | 2024-09-10 | 5.4 | CVE-2024-45285 | [email protected] [email protected] |
Microsoft–HDAudBus.sys | A mishandling of IRP requests vulnerability exists in the HDAudBus_DMA interface of Microsoft High Definition Audio Bus Driver 10.0.19041.3636 (WinBuild.160101.0800). A specially crafted application can issue multiple IRP Complete requests which leads to a local denial-of-service. An attacker can execute malicious script/application to trigger this vulnerability. | 2024-09-12 | 5 | CVE-2024-45383 | [email protected] |
yeti-platform–yeti | Yeti bridges the gap between CTI and DFIR practitioners by providing a Forensics Intelligence platform and pipeline. Remote user-controlled data tags can reach a Unicode normalization with a compatibility form NFKD. Under Windows, such normalization is costly in resources and may lead to denial of service with attacks such as One Million Unicode payload. This can get worse with the use of special Unicode characters like U+2100 (?), or U+2105 (?) which could lead the payload size to be tripled. Versions prior to 2.1.11 are affected by this vulnerability. The patch is included in 2.1.11. | 2024-09-10 | 5.3 | CVE-2024-45412 | [email protected] [email protected] [email protected] |
JoomUnited–WP Meta SEO | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in JoomUnited WP Meta SEO allows Stored XSS.This issue affects WP Meta SEO: from n/a through 4.5.13. | 2024-09-15 | 5.9 | CVE-2024-45455 | [email protected] |
Manu225–Flipping Cards | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Manu225 Flipping Cards allows Stored XSS.This issue affects Flipping Cards: from n/a through 1.30. | 2024-09-15 | 5.9 | CVE-2024-45460 | [email protected] |
xwiki–xwiki-platform | XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private. On a private wiki, this can be tested by accessing /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history, if this shows the history of the main page then the installation is vulnerable. This has been patched in XWiki 15.10.9 and XWiki 16.3.0RC1. | 2024-09-10 | 5.3 | CVE-2024-45591 | [email protected] [email protected] [email protected] [email protected] |
PlutoLang–Pluto | Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table. | 2024-09-10 | 5.3 | CVE-2024-45597 | [email protected] [email protected] |
Secreto31126–whatsapp-api-js | whatsapp-api-js is a TypeScript server agnostic Whatsapp’s Official API framework. It’s possible to check the payload validation using the WhatsAppAPI.verifyRequestSignature and expect false when the signature is valid. Incorrect Access Control, anyone using the post or verifyRequestSignature methods to handle messages is impacted. This vulnerability is fixed in 4.0.3. | 2024-09-12 | 5.8 | CVE-2024-45607 | [email protected] [email protected] [email protected] |
n/a–n/a | CH22 V1.0.0.6(468) has a stack overflow vulnerability located in the fromqossetting function. | 2024-09-13 | 5.7 | CVE-2024-46044 | [email protected] |
n/a–n/a | Tenda CH22 V1.0.0.6(468) has a stack overflow vulnerability located in the frmL7PlotForm function. | 2024-09-13 | 5.7 | CVE-2024-46045 | [email protected] |
n/a–n/a | Tenda O6 V3.0 firmware V1.0.0.7(2054) contains a stack overflow vulnerability in the formexeCommand function. | 2024-09-13 | 5.7 | CVE-2024-46049 | [email protected] |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion wpa_supplicant 2.11 sends since 1efdba5fdc2c (“Handle PMKSA flush in the driver for SAE/OWE offload cases”) SSID based PMKSA del commands. brcmfmac is not prepared and tries to dereference the NULL bssid and pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based updates so copy the SSID. | 2024-09-11 | 5.5 | CVE-2024-46672 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: gtp: fix a potential NULL pointer dereference When sockfd_lookup() fails, gtp_encap_enable_socket() returns a NULL pointer, but its callers only check for error pointers thus miss the NULL pointer case. Fix it by returning an error pointer with the error code carried from sockfd_lookup(). (I found this bug during code inspection.) | 2024-09-13 | 5.5 | CVE-2024-46677 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: nfsd: prevent panic for nfsv4.0 closed files in nfs4_show_open Prior to commit 3f29cc82a84c (“nfsd: split sc_status out of sc_type”) states_show() relied on sc_type field to be of valid type before calling into a subfunction to show content of a particular stateid. From that commit, we split the validity of the stateid into sc_status and no longer changed sc_type to 0 while unhashing the stateid. This resulted in kernel oopsing for nfsv4.0 opens that stay around and in nfs4_show_open() would derefence sc_file which was NULL. Instead, for closed open stateids forgo displaying information that relies of having a valid sc_file. To reproduce: mount the server with 4.0, read and close a file and then on the server cat /proc/fs/nfsd/clients/2/states [ 513.590804] Call trace: [ 513.590925] _raw_spin_lock+0xcc/0x160 [ 513.591119] nfs4_show_open+0x78/0x2c0 [nfsd] [ 513.591412] states_show+0x44c/0x488 [nfsd] [ 513.591681] seq_read_iter+0x5d8/0x760 [ 513.591896] seq_read+0x188/0x208 [ 513.592075] vfs_read+0x148/0x470 [ 513.592241] ksys_read+0xcc/0x178 | 2024-09-13 | 5.5 | CVE-2024-46682 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: pinctrl: single: fix potential NULL dereference in pcs_get_function() pinmux_generic_get_function() can return NULL and the pointer ‘function’ was dereferenced without checking against NULL. Add checking of pointer ‘function’ in pcs_get_function(). Found by code review. | 2024-09-13 | 5.5 | CVE-2024-46685 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req() This happens when called from SMB2_read() while using rdma and reaching the rdma_readwrite_threshold. | 2024-09-13 | 5.5 | CVE-2024-46686 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Move unregister out of atomic section Commit ‘9329933699b3 (“soc: qcom: pmic_glink: Make client-lock non-sleeping”)’ moved the pmic_glink client list under a spinlock, as it is accessed by the rpmsg/glink callback, which in turn is invoked from IRQ context. This means that ucsi_unregister() is now called from atomic context, which isn’t feasible as it’s expecting a sleepable context. An effort is under way to get GLINK to invoke its callbacks in a sleepable context, but until then lets schedule the unregistration. A side effect of this is that ucsi_unregister() can now happen after the remote processor, and thereby the communication link with it, is gone. pmic_glink_send() is amended with a check to avoid the resulting NULL pointer dereference. This does however result in the user being informed about this error by the following entry in the kernel log: ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5 | 2024-09-13 | 5.5 | CVE-2024-46691 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: scm: Mark get_wq_ctx() as atomic call Currently get_wq_ctx() is wrongly configured as a standard call. When two SMC calls are in sleep and one SMC wakes up, it calls get_wq_ctx() to resume the corresponding sleeping thread. But if get_wq_ctx() is interrupted, goes to sleep and another SMC call is waiting to be allocated a waitq context, it leads to a deadlock. To avoid this get_wq_ctx() must be an atomic call and can’t be a standard SMC call. Hence mark get_wq_ctx() as a fast call. | 2024-09-13 | 5.5 | CVE-2024-46692 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: video/aperture: optionally match the device in sysfb_disable() In aperture_remove_conflicting_pci_devices(), we currently only call sysfb_disable() on vga class devices. This leads to the following problem when the pimary device is not VGA compatible: 1. A PCI device with a non-VGA class is the boot display 2. That device is probed first and it is not a VGA device so sysfb_disable() is not called, but the device resources are freed by aperture_detach_platform_device() 3. Non-primary GPU has a VGA class and it ends up calling sysfb_disable() 4. NULL pointer dereference via sysfb_disable() since the resources have already been freed by aperture_detach_platform_device() when it was called by the other device. Fix this by passing a device pointer to sysfb_disable() and checking the device to determine if we should execute it or not. v2: Fix build when CONFIG_SCREEN_INFO is not set v3: Move device check into the mutex Drop primary variable in aperture_remove_conflicting_pci_devices() Drop __init on pci sysfb_pci_dev_is_enabled() | 2024-09-13 | 5.5 | CVE-2024-46698 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
elemntor–Elementor Website Builder More than Just a Page Builder | The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter of multiple widgets in all versions up to, and including, 3.23.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in Elementor Editor pages. This was partially patched in version 3.23.2. | 2024-09-11 | 5.4 | CVE-2024-5416 | [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] |
litonice13–Master Addons Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor | The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-jltma-wrapper-link element in all versions up to, and including 2.0.6.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected link. | 2024-09-10 | 5.4 | CVE-2024-6282 | [email protected] [email protected] [email protected] |
coffee2code–Custom Post Limits | The Custom Post Limits plugin for WordPress is vulnerable to full path disclosure in all versions up to, and including, 4.4.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | 2024-09-13 | 5.3 | CVE-2024-6544 | [email protected] [email protected] |
oscat.de–OSCAT Basic Library | Out-of-Bounds read vulnerability in OSCAT Basic Library allows an local, unprivileged attacker to access limited internal data of the PLC which may lead to a crash of the affected service. | 2024-09-10 | 5.1 | CVE-2024-6876 | [email protected] [email protected] |
PHOENIX CONTACT–FL MGUARD 2102 | A low privileged remote attacker can get access to CSRF tokens of higher privileged users which can be abused to mount CSRF attacks. | 2024-09-10 | 5.7 | CVE-2024-7698 | [email protected] |
bplugins–HTML5 Video Player mp4 Video Player Plugin and Block | The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called via the ‘h5vp_ajax_handler’ ajax action in all versions up to, and including, 2.5.32. This makes it possible for unauthenticated attackers to call these functions to manipulate data. | 2024-09-11 | 5.3 | CVE-2024-7727 | [email protected] [email protected] [email protected] [email protected] |
PHOENIX CONTACT–FL MGUARD 2102 | An unauthenticated remote attacker can exploit the behavior of the pathfinder TCP encapsulation service by establishing a high number of TCP connections to the pathfinder TCP encapsulation service. The impact is limited to blocking of valid IPsec VPN peers. | 2024-09-10 | 5.3 | CVE-2024-7734 | [email protected] |
ivanti — endpoint_manager | Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices. | 2024-09-10 | 5.3 | CVE-2024-8320 | 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 |
metagauss–EventPrime Events Calendar, Bookings and Tickets | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access to Private or Password-protected events due to missing authorization checks in all versions up to, and including, 4.0.4.3. This makes it possible for unauthenticated attackers to view private or password-protected events. | 2024-09-10 | 5.3 | CVE-2024-8369 | [email protected] [email protected] |
code-projects — inventory_management | A vulnerability classified as problematic was found in code-projects Inventory Management 1.0. This vulnerability affects unknown code of the file /view/registration.php of the component Registration Form. The manipulation with the input <script>alert(1)</script> leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-09-09 | 5.4 | CVE-2024-8605 | [email protected] [email protected] [email protected] [email protected] [email protected] |
Wireshark Foundation–Wireshark | SPRT dissector crash in Wireshark 4.2.0 to 4.0.5 and 4.0.0 to 4.0.15 allows denial of service via packet injection or crafted capture file | 2024-09-10 | 5.5 | CVE-2024-8645 | [email protected] [email protected] |
MongoDB Inc–MongoDB Server | MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3. | 2024-09-10 | 5 | CVE-2024-8654 | [email protected] |
Mercury–MNVR816 | A vulnerability was found in Mercury MNVR816 up to 2.0.1.0.5. It has been classified as problematic. This affects an unknown part of the file /web-static/. The manipulation leads to files or directories accessible. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-09-10 | 5.3 | CVE-2024-8655 | [email protected] [email protected] [email protected] |
TDuckCloud–TDuckPro | A vulnerability classified as critical was found in TDuckCloud TDuckPro up to 6.3. Affected by this vulnerability is an unknown functionality. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-09-11 | 5.3 | CVE-2024-8692 | [email protected] [email protected] [email protected] [email protected] |
Synetics–Idoit pro | Cross-site Scripting (XSS) vulnerability in idoit pro version 28. This vulnerability allows an attacker to retrieve session details of an authenticated user due to lack of proper sanitization of the following parameters (id,lang,mNavID,name,pID,treeNode,type,view). | 2024-09-12 | 5.4 | CVE-2024-8750 | [email protected] |
Red Hat–Red Hat Discovery | A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions. | 2024-09-14 | 5.5 | CVE-2024-8775 | [email protected] [email protected] |
composiohq–composio | A vulnerability has been found in composiohq composio up to 0.5.6 and classified as critical. Affected by this vulnerability is the function Calculator of the file python/composio/tools/local/mathematical/actions/calculator.py. The manipulation leads to code injection. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-09-15 | 5.5 | CVE-2024-8864 | [email protected] [email protected] [email protected] [email protected] |
TOTOLINK–A720R | A vulnerability classified as critical has been found in TOTOLINK A720R 4.1.5. Affected is the function exportOvpn. The manipulation leads to os command injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-09-15 | 5 | CVE-2024-8869 | [email protected] [email protected] [email protected] [email protected] |
vedees–wcms | A vulnerability classified as critical was found in vedees wcms up to 0.3.2. Affected by this vulnerability is an unknown functionality of the file /wex/finder.php. The manipulation of the argument p leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-09-15 | 5.4 | CVE-2024-8875 | [email protected] [email protected] [email protected] [email protected] |
kasdanet — kw5515_firmware | Cross Site Scripting (XSS) Vulnerability in Firewall menu in Control Panel in KASDA KW5515 version 4.3.1.0, allows attackers to execute arbitrary code and steal cookies via a crafted script | 2024-09-12 | 4.3 | CVE-2020-24061 | [email protected] [email protected] |
OpenText–Identity Manager REST Driver 1.1.2.0200 | Possible Insertion of Sensitive Information into Log File Vulnerability in Identity Manager has been discovered in OpenText™ Identity Manager REST Driver. This impact version before 1.1.2.0200. | 2024-09-12 | 4.9 | CVE-2022-26322 | [email protected] |
Fortinet–FortiClientiOS | An improper certificate validation vulnerability [CWE-295] in FortiClientWindows 6.4 all versions, 7.0.0 through 7.0.7, FortiClientMac 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientLinux 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientAndroid 6.4 all versions, 7.0 all versions, 7.2.0 and FortiClientiOS 5.6 all versions, 6.0.0 through 6.0.1, 7.0.0 through 7.0.6 SAML SSO feature may allow an unauthenticated attacker to man-in-the-middle the communication between the FortiClient and both the service provider and the identity provider. | 2024-09-10 | 4.8 | CVE-2022-45856 | [email protected] |
themeum–Tutor LMS eLearning and online course solution | The Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.4. This is due to missing or incorrect nonce validation on the ‘addon_enable_disable’ function. This makes it possible for unauthenticated attackers to enable or disable addons via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2024-09-10 | 4.3 | CVE-2023-2919 | [email protected] [email protected] [email protected] |
Siemens–SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) | A vulnerability has been identified in SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 IEC (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-7 LTE (All versions < V3.5.20), SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0) (All versions < V3.5.20), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC IPC DiagBase (All versions), SIMATIC IPC DiagMonitor (All versions), SIMATIC WinCC Runtime Advanced (All versions), SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) (All versions < V2.4.8), TIM 1531 IRC (6GK7543-1MX00-0XE0) (All versions < V2.4.8). The web server of the affected devices do not properly handle the shutdown or reboot request, which could lead to the clean up of certain resources. This could allow a remote attacker with elevated privileges to cause a denial of service condition in the system. | 2024-09-10 | 4.4 | CVE-2023-30755 | [email protected] |
Axis Communications AB–AXIS OS | Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API ledlimit.cgi was vulnerable for path traversal attacks allowing to list folder/file names on the local file system of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | 2024-09-10 | 4.3 | CVE-2024-0067 | [email protected] |
mirapolis — lms | An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulnerability by manipulating the ID parameter and increment STEP parameter, leading to the exposure of sensitive user data. | 2024-09-12 | 4.3 | CVE-2024-25270 | [email protected] |
IBM–OpenPages | IBM OpenPages 8.3 and 9.0 potentially exposes information about client-side source code through use of JavaScript source maps to unauthorized users. | 2024-09-10 | 4.3 | CVE-2024-27257 | [email protected] [email protected] |
n/a–n/a | An issue was discovered in Samsung Mobile Processor Exynos Exynos 980, Exynos 850, Exynos 1080, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 1480, Exynos W920, Exynos W930. In the function slsi_rx_blockack_ind(), there is no input validation check on a length coming from userspace, which can lead to a potential heap over-read. | 2024-09-09 | 4.4 | CVE-2024-27365 | [email protected] [email protected] |
Fortinet–FortiSandbox | An exposure of sensitive information to an unauthorized actor in Fortinet FortiSandbox version 4.4.0 through 4.4.4 and 4.2.0 through 4.2.6 and 4.0.0 through 4.0.5 and 3.2.2 through 3.2.4 and 3.1.5 allows attacker to information disclosure via HTTP get requests. | 2024-09-10 | 4.3 | CVE-2024-31490 | [email protected] |
Unknown–Easy Property Listings | The Easy Property Listings WordPress plugin before 3.5.4 does not have CSRF check when deleting contacts in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack | 2024-09-12 | 4.3 | CVE-2024-3163 | [email protected] |
Siemens–SINEMA Remote Connect Client | A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.2 SP2). The affected application does not expire the user session on reboot without logout. This could allow an attacker to bypass Multi-Factor Authentication. | 2024-09-10 | 4.3 | CVE-2024-32006 | [email protected] |
Fortinet–FortiClientiOS | A cleartext storage of sensitive information in memory vulnerability [CWE-316] affecting FortiClient VPN iOS 7.2 all versions, 7.0 all versions, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an unauthenticated attacker that has physical access to a jailbroken device to obtain cleartext passwords via keychain dump. | 2024-09-10 | 4.2 | CVE-2024-35282 | [email protected] |
Siemens–SIMATIC Reader RF610R CMIIT | A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0) (All versions < V4.2), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0) (All versions < V4.2), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0) (All versions < V4.2), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0) (All versions < V4.2), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0) (All versions < V4.2), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0) (All versions < V4.2), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0) (All versions < V4.2), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0) (All versions < V4.2), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0) (All versions < V4.2), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0) (All versions < V4.2), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0) (All versions < V4.2), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0) (All versions < V4.2), SIMATIC RF1140R (6GT2831-6CB00) (All versions < V1.1), SIMATIC RF1170R (6GT2831-6BB00) (All versions < V1.1), SIMATIC RF166C (6GT2002-0EE20) (All versions < V2.2), SIMATIC RF185C (6GT2002-0JE10) (All versions < V2.2), SIMATIC RF186C (6GT2002-0JE20) (All versions < V2.2), SIMATIC RF186CI (6GT2002-0JE50) (All versions < V2.2), SIMATIC RF188C (6GT2002-0JE40) (All versions < V2.2), SIMATIC RF188CI (6GT2002-0JE60) (All versions < V2.2), SIMATIC RF360R (6GT2801-5BA30) (All versions < V2.2). The affected devices does not properly handle the error in case of exceeding characters while setting SNMP leading to the restart of the application. | 2024-09-10 | 4.9 | CVE-2024-37992 | [email protected] |
Siemens–SIMATIC Reader RF610R CMIIT | A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0) (All versions < V4.2), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0) (All versions < V4.2), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0) (All versions < V4.2), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0) (All versions < V4.2), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0) (All versions < V4.2), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0) (All versions < V4.2), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0) (All versions < V4.2), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0) (All versions < V4.2), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0) (All versions < V4.2), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0) (All versions < V4.2), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0) (All versions < V4.2), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0) (All versions < V4.2), SIMATIC RF1140R (6GT2831-6CB00) (All versions < V1.1), SIMATIC RF1170R (6GT2831-6BB00) (All versions < V1.1), SIMATIC RF166C (6GT2002-0EE20) (All versions < V2.2), SIMATIC RF185C (6GT2002-0JE10) (All versions < V2.2), SIMATIC RF186C (6GT2002-0JE20) (All versions < V2.2), SIMATIC RF186CI (6GT2002-0JE50) (All versions < V2.2), SIMATIC RF188C (6GT2002-0JE40) (All versions < V2.2), SIMATIC RF188CI (6GT2002-0JE60) (All versions < V2.2), SIMATIC RF360R (6GT2801-5BA30) (All versions < V2.2). The affected application contains a hidden configuration item to enable debug functionality. This could allow an attacker to gain insight into the internal configuration of the deployment. | 2024-09-10 | 4.3 | CVE-2024-37994 | [email protected] |
Unknown–Gallery Plugin for WordPress | The Gallery Plugin for WordPress WordPress plugin before 1.8.15 does not sanitise and escape some of its image settings, which could allow users with post-writing privilege such as Author to perform Cross-Site Scripting attacks. | 2024-09-11 | 4.8 | CVE-2024-3899 | [email protected] |
Gallagher–Controller 6000 and Controller 7000 | Incorrect Calculation of Buffer Size (CWE-131) in the Controller 6000 and Controller 7000 OSDP message handling, allows an attacker with physical access to Controller wiring to instigate a reboot leading to a denial of service. This issue affects: Controller 6000 and Controller 7000 9.10 prior to vCR9.10.240816a (distributed in 9.10.1530 (MR2)), 9.00 prior to vCR9.00.240816a (distributed in 9.00.2168 (MR4)), 8.90 prior to vCR8.90.240816a (distributed in 8.90.2155 (MR5)), 8.80 prior to vCR8.80.240816b (distributed in 8.80.1938 (MR6)), all versions of 8.70 and prior. | 2024-09-11 | 4.6 | CVE-2024-39808 | [email protected] |
SAP_SE–SAP NetWeaver BW (BEx Analyzer) | Due to missing authorization checks, SAP BEx Analyzer allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the application. | 2024-09-10 | 4.3 | CVE-2024-41729 | [email protected] [email protected] |
siemens — sinema_remote_connect_server | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP2). The affected application does not properly handle user session establishment and invalidation. This could allow a remote attacker to circumvent the additional multi factor authentication for user session establishment. | 2024-09-10 | 4.3 | CVE-2024-42345 | [email protected] |
SAP_SE–SAP NetWeaver Application Server for ABAP and ABAP Platform | The RFC enabled function module allows a low privileged user to read any user’s workplace favourites and user menu along with all the specific data of each node. Usernames can be enumerated by exploiting vulnerability. There is low impact on confidentiality of the application. | 2024-09-10 | 4.3 | CVE-2024-42380 | [email protected] [email protected] |
IBM–Concert | IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. | 2024-09-13 | 4.3 | CVE-2024-43180 | [email protected] [email protected] |
SAP_SE–SAP for Oil & Gas | Due to missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will allow them to delete non-sensitive entries in a user data table. There is no effect on confidentiality or availability. | 2024-09-10 | 4.3 | CVE-2024-44112 | [email protected] [email protected] |
SAP_SE–SAP Business Warehouse (BEx Analyzer) | Due to missing authorization checks, SAP Business Warehouse (BEx Analyzer) allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the application. | 2024-09-10 | 4.3 | CVE-2024-44113 | [email protected] [email protected] |
SAP_SE–SAP NetWeaver Application Server for ABAP and ABAP Platform | The RFC enabled function module allows a low privileged user to add URLs to any user’s workplace favourites. This vulnerability could be utilized to identify usernames and access information about targeted user’s workplaces, and nodes. There is low impact on integrity of the application | 2024-09-10 | 4.3 | CVE-2024-44115 | [email protected] [email protected] |
SAP_SE–SAP NetWeaver Application Server for ABAP and ABAP Platform | The RFC enabled function module allows a low privileged user to add any workbook to any user’s workplace favourites. This vulnerability could be utilized to identify usernames and access information about targeted user’s workplaces. There is low impact on integrity of the application. | 2024-09-10 | 4.3 | CVE-2024-44116 | [email protected] [email protected] |
SAP_SE–SAP NetWeaver Enterprise Portal | SAP NetWeaver Enterprise Portal is vulnerable to reflected cross site scripting due to insufficient encoding of user-controlled input. An unauthenticated attacker could craft a malicious URL and trick a user to click it. If the victim clicks on this crafted URL before it times out, then the attacker could read and manipulate user content in the browser. | 2024-09-10 | 4.7 | CVE-2024-44120 | [email protected] [email protected] |
SAP_SE–SAP S/4 HANA (Statutory Reports) | Under certain conditions Statutory Reports in SAP S/4 HANA allows an attacker with basic privileges to access information which would otherwise be restricted. The vulnerability could expose internal user data that should remain confidential. It does not impact the integrity and availability of the application | 2024-09-10 | 4.3 | CVE-2024-44121 | [email protected] [email protected] |
GitLab–GitLab | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs. | 2024-09-12 | 4 | CVE-2024-4472 | [email protected] [email protected] |
Lenovo–XClarity Administrator | A valid, authenticated LXCA user may be able to unmanage an LXCA managed device in through the LXCA web interface without sufficient privileges. | 2024-09-13 | 4.3 | CVE-2024-45103 | [email protected] |
SAP_SE–SAP NetWeaver AS Java (Logon Application) | Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. This has a limited impact on confidentiality and integrity of the application. There is no impact on availability. | 2024-09-10 | 4.8 | CVE-2024-45280 | [email protected] [email protected] |
Fortinet–FortiEDR Manager | An improper access control vulnerability [CWE-284] in FortiEDR Manager API 6.2.0 through 6.2.2, 6.0 all versions may allow in a shared environment context an authenticated admin with REST API permissions in his profile and restricted to a specific organization to access backend logs that include information related to other organizations. | 2024-09-10 | 4.3 | CVE-2024-45323 | [email protected] |
craftcms — craft_cms | Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input. | 2024-09-09 | 4.8 | CVE-2024-45406 | [email protected] [email protected] |
linux — linux_kernel | In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pmic_glink: Fix race during initialization As pointed out by Stephen Boyd it is possible that during initialization of the pmic_glink child drivers, the protection-domain notifiers fires, and the associated work is scheduled, before the client registration returns and as a result the local “client” pointer has been initialized. The outcome of this is a NULL pointer dereference as the “client” pointer is blindly dereferenced. Timeline provided by Stephen: CPU0 CPU1 —- —- ucsi->client = NULL; devm_pmic_glink_register_client() client->pdr_notify(client->priv, pg->client_state) pmic_glink_ucsi_pdr_notify() schedule_work(&ucsi->register_work) <schedule away> pmic_glink_ucsi_register() ucsi_register() pmic_glink_ucsi_read_version() pmic_glink_ucsi_read() pmic_glink_ucsi_read() pmic_glink_send(ucsi->client) <client is NULL BAD> ucsi->client = client // Too late! This code is identical across the altmode, battery manager and usci child drivers. Resolve this by splitting the allocation of the “client” object and the registration thereof into two operations. This only happens if the protection domain registry is populated at the time of registration, which by the introduction of commit ‘1ebcde047c54 (“soc: qcom: add pd-mapper implementation”)’ became much more likely. | 2024-09-13 | 4.7 | CVE-2024-46693 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Unknown–Popup Maker | The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 2024-09-09 | 4.8 | CVE-2024-5561 | [email protected] |
Unknown–CM Pop-Up Banners for WordPress | The CM Pop-Up Banners for WordPress plugin before 1.7.3 does not sanitise and escape some of its popup fields, which could allow high privilege users such as Contributors to perform Cross-Site Scripting attacks. | 2024-09-12 | 4.8 | CVE-2024-5799 | [email protected] |
gitlab — gitlab | An issue was discovered in GitLab-CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions. | 2024-09-12 | 4.3 | CVE-2024-6389 | [email protected] [email protected] |
Unknown–NinjaTeam Header Footer Custom Code | The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 2024-09-13 | 4.8 | CVE-2024-6493 | [email protected] |
Unknown–NinjaTeam Header Footer Custom Code | The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 2024-09-13 | 4.8 | CVE-2024-6617 | [email protected] |
pega — infinity | Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name. | 2024-09-12 | 4.8 | CVE-2024-6700 | [email protected] |
pega — infinity | Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type. | 2024-09-12 | 4.8 | CVE-2024-6701 | [email protected] |
pega — infinity | Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage. | 2024-09-12 | 4.8 | CVE-2024-6702 | [email protected] |
Unknown–AI Engine | The AI Engine WordPress plugin before 2.4.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when viewing chatbot discussions. | 2024-09-13 | 4.7 | CVE-2024-6723 | [email protected] |
Unknown–Carousel Slider | The Carousel Slider WordPress plugin before 2.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | 2024-09-13 | 4.8 | CVE-2024-6850 | [email protected] |
Unknown–Giveaways and Contests by RafflePress | The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 2024-09-12 | 4.8 | CVE-2024-6887 | [email protected] |
Unknown–EventON | The EventON WordPress plugin before 2.2.17 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | 2024-09-09 | 4.8 | CVE-2024-6910 | [email protected] |
Unknown–Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme | The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.3 does not validate and escape some of its settings before outputting them back in the page, which could allow users with a high role to perform Stored Cross-Site Scripting attacks. | 2024-09-13 | 4.8 | CVE-2024-7133 | [email protected] |
Red Hat–Red Hat build of Keycloak 24 | An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain. | 2024-09-09 | 4.4 | CVE-2024-7260 | [email protected] [email protected] [email protected] [email protected] |
Red Hat–Red Hat build of Keycloak 24 | A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. | 2024-09-09 | 4.8 | CVE-2024-7318 | [email protected] [email protected] [email protected] [email protected] |
peepso–Community by PeepSo Social Network, Membership, Registration, User Profiles, Premium Mobile App | The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 6.4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2024-09-10 | 4.4 | CVE-2024-7618 | [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] |
peepso–Community by PeepSo Social Network, Membership, Registration, User Profiles, Premium Mobile App | The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2024-09-10 | 4.4 | CVE-2024-7655 | [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] |
Unknown–Snapshot Backup | The Snapshot Backup WordPress plugin through 2.1.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 2024-09-09 | 4.7 | CVE-2024-7689 | [email protected] |
Unknown–Logo Slider | The Logo Slider WordPress plugin before 3.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2024-09-11 | 4.8 | CVE-2024-7716 | [email protected] |
bplugins–HTML5 Video Player mp4 Video Player Plugin and Block | The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘save_password’ function in all versions up to, and including, 2.5.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set any options that are not explicitly checked as false to an array, including enabling user registration if it has been disabled. | 2024-09-11 | 4.3 | CVE-2024-7721 | [email protected] [email protected] [email protected] |
Unknown–ILC Thickbox | The ILC Thickbox WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | 2024-09-12 | 4.3 | CVE-2024-7820 | [email protected] |
Unknown–blogintroduction-wordpress-plugin | The blogintroduction-wordpress-plugin WordPress plugin through 0.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | 2024-09-12 | 4.3 | CVE-2024-7862 | [email protected] |
Unknown–Floating Contact Button | The Floating Contact Button WordPress plugin before 2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | 2024-09-10 | 4.8 | CVE-2024-7891 | [email protected] |
Unknown–Pocket Widget | The Pocket Widget WordPress plugin through 0.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2024-09-09 | 4.8 | CVE-2024-7918 | [email protected] |
Unknown–Starbox | The Starbox WordPress plugin before 3.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2024-09-10 | 4.8 | CVE-2024-7955 | [email protected] |
Lenovo–HX5530 Appliance (ThinkAgile) XCC | IPMI credentials may be captured in XCC audit log entries when the account username length is 16 characters. | 2024-09-13 | 4.3 | CVE-2024-8059 | [email protected] |
inspireui–MStore API Create Native Android & iOS Apps On The Cloud | The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files (not including PHP files) on the affected site’s server which may make remote code execution possible. This can be paired with a registration endpoint for unauthenticated users to exploit the issue. | 2024-09-13 | 4.3 | CVE-2024-8242 | [email protected] [email protected] [email protected] [email protected] |
Google–AngularJS | Improper sanitization of the value of the ‘[srcset]’ attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects AngularJS versions 1.3.0-rc.4 and greater. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . | 2024-09-09 | 4.8 | CVE-2024-8372 | 36c7be3b-2937-45df-85ea-ca7133ea542c 36c7be3b-2937-45df-85ea-ca7133ea542c |
Google–AngularJS | Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . | 2024-09-09 | 4.8 | CVE-2024-8373 | 36c7be3b-2937-45df-85ea-ca7133ea542c 36c7be3b-2937-45df-85ea-ca7133ea542c |
n/a–JFinalCMS | A vulnerability was found in JFinalCMS up to 20240903. It has been classified as problematic. This affects the function update of the file /admin/template/update of the component com.cms.util.TemplateUtils. The manipulation of the argument fileName leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-09-12 | 4.3 | CVE-2024-8706 | [email protected] [email protected] [email protected] [email protected] [email protected] |
–Yunke Online School System | A vulnerability was found in 云课网络科技有限公司 Yunke Online School System up to 3.0.6. It has been declared as problematic. This vulnerability affects the function downfile of the file application/admin/controller/Appadmin.php. The manipulation of the argument url leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-09-12 | 4.3 | CVE-2024-8707 | [email protected] [email protected] [email protected] [email protected] |
n/a–AutoCMS | A vulnerability was found in AutoCMS 5.4. It has been classified as problematic. This affects an unknown part of the file /admin/robot.php. The manipulation of the argument sidebar leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-09-15 | 4.3 | CVE-2024-8866 | [email protected] [email protected] [email protected] [email protected] |
xiaohe4966–TpMeCMS | A vulnerability, which was classified as problematic, has been found in xiaohe4966 TpMeCMS up to 1.3.3.1. Affected by this issue is some unknown functionality of the file /index/ajax/lang. The manipulation of the argument lang leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.3.2 is able to address this issue. It is recommended to upgrade the affected component. | 2024-09-15 | 4.3 | CVE-2024-8876 | [email protected] [email protected] [email protected] [email protected] |
Low Vulnerabilities
Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
---|---|---|---|---|---|
Fortinet–FortiADC | An improperly implemented security check for standard vulnerability [CWE-358] in FortiADC Web Application Firewall (WAF) 7.4.0 through 7.4.4, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2 all versions, 6.1 all versions, 6.0 all versions when cookie security policy is enabled may allow an attacker, under specific conditions, to retrieve the initial encrypted and signed cookie protected by the feature | 2024-09-10 | 3.7 | CVE-2024-36511 | [email protected] |
Dell–Dell Precision Rack BIOS | Dell Precision Rack, 14G Intel BIOS versions prior to 2.22.2, contains an Access of Memory Location After End of Buffer vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. | 2024-09-10 | 3.8 | CVE-2024-42425 | [email protected] |
gitlab — gitlab | An issue has been discovered in GitLab affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim to trust an attacker controlled application. | 2024-09-12 | 3.5 | CVE-2024-6446 | [email protected] [email protected] |
Red Hat–Red Hat Enterprise Linux 7 | A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the `pkcs15-init` tool may lead to out-of-bound rights, possibly resulting in arbitrary code execution. | 2024-09-10 | 3.4 | CVE-2024-8443 | [email protected] [email protected] |
SourceCodester–Best House Rental Management System | A vulnerability classified as problematic has been found in SourceCodester Best House Rental Management System 1.0. Affected is an unknown function of the file /index.php?page=tenants of the component New Tenant Page. The manipulation of the argument Last Name/First Name/Middle Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-09-09 | 3.5 | CVE-2024-8610 | [email protected] [email protected] [email protected] [email protected] [email protected] |
n/a–JFinalCMS | A vulnerability, which was classified as problematic, was found in JFinalCMS up to 20240903. This affects the function update of the file /admin/template/update of the component com.cms.controller.admin.TemplateController. The manipulation of the argument fileName leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-09-11 | 3.8 | CVE-2024-8694 | [email protected] [email protected] [email protected] [email protected] [email protected] |
SourceCodester–Best House Rental Management System | A vulnerability was found in SourceCodester Best House Rental Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file categories.php. The manipulation leads to cross site scripting. The attack may be initiated remotely. | 2024-09-12 | 3.5 | CVE-2024-8708 | [email protected] [email protected] [email protected] [email protected] |
OpenTibiaBR–MyAAC | A vulnerability classified as problematic has been found in OpenTibiaBR MyAAC up to 0.8.16. Affected is an unknown function of the file system/pages/forum/new_post.php of the component Post Reply Handler. The manipulation of the argument post_topic leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as bf6ae3df0d32fa22552bb44ca4f8489a6e78cc1c. It is recommended to apply a patch to fix this issue. | 2024-09-13 | 3.5 | CVE-2024-8783 | [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] |
aimhubio–aim | A vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. The manipulation of the argument query leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-09-14 | 3.5 | CVE-2024-8863 | [email protected] [email protected] [email protected] [email protected] |
composiohq–composio | A vulnerability was found in composiohq composio up to 0.5.8 and classified as problematic. Affected by this issue is the function path of the file composio\server\api.py. The manipulation of the argument file leads to path traversal. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-09-15 | 3.5 | CVE-2024-8865 | [email protected] [email protected] [email protected] [email protected] |
Perfex–CRM | A vulnerability was found in Perfex CRM 3.1.6. It has been declared as problematic. This vulnerability affects unknown code of the file application/controllers/Clients.php of the component Parameter Handler. The manipulation of the argument message leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. | 2024-09-15 | 3.5 | CVE-2024-8867 | [email protected] [email protected] [email protected] [email protected] |
Octopus Deploy–Octopus Server | Affected versions of Octopus Server had a weak content security policy. | 2024-09-11 | 2.6 | CVE-2024-1656 | [email protected] |
Siemens–SIMATIC Reader RF610R CMIIT | A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0) (All versions < V4.2), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0) (All versions < V4.2), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0) (All versions < V4.2), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0) (All versions < V4.2), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0) (All versions < V4.2), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0) (All versions < V4.2), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0) (All versions < V4.2), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0) (All versions < V4.2), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0) (All versions < V4.2), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0) (All versions < V4.2), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0) (All versions < V4.2), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0) (All versions < V4.2), SIMATIC RF1140R (6GT2831-6CB00) (All versions < V1.1), SIMATIC RF1170R (6GT2831-6BB00) (All versions < V1.1), SIMATIC RF166C (6GT2002-0EE20) (All versions < V2.2), SIMATIC RF185C (6GT2002-0JE10) (All versions < V2.2), SIMATIC RF186C (6GT2002-0JE20) (All versions < V2.2), SIMATIC RF186CI (6GT2002-0JE50) (All versions < V2.2), SIMATIC RF188C (6GT2002-0JE40) (All versions < V2.2), SIMATIC RF188CI (6GT2002-0JE60) (All versions < V2.2), SIMATIC RF360R (6GT2801-5BA30) (All versions < V2.2). The affected application improperly handles error while a faulty certificate upload leading to crashing of application. This vulnerability could allow an attacker to disclose sensitive information. | 2024-09-10 | 2.7 | CVE-2024-37995 | [email protected] |
Dell–PowerScale InsightIQ | Dell PowerScale InsightIQ, version 5.0, contain a Use of hard coded Credentials vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. | 2024-09-10 | 2.3 | CVE-2024-39582 | [email protected] |
SAP_SE–SAP NetWeaver Application Server for ABAP and ABAP Platform | Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects. | 2024-09-10 | 2.7 | CVE-2024-41728 | [email protected] [email protected] |
SAP_SE–SAP NetWeaver Application Server for ABAP and ABAP Platform | SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application. | 2024-09-10 | 2 | CVE-2024-44114 | [email protected] [email protected] |
SAP_SE–SAP Student Life Cycle Management (SLcM) | An authenticated attacker with high privilege can use functions of SLCM transactions to which access should be restricted. This may result in an escalation of privileges causing low impact on integrity of the application. | 2024-09-10 | 2.4 | CVE-2024-45284 | [email protected] [email protected] |
Rapid7–Insight Platform | Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024. | 2024-09-09 | 2.4 | CVE-2024-8042 | [email protected] |
Kaon–CG3000 | A vulnerability, which was classified as problematic, has been found in Kaon CG3000 1.01.43. Affected by this issue is some unknown functionality of the component dhcpcd Command Handler. The manipulation of the argument -h with the input <script>alert(‘XSS’)</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-09-11 | 2.4 | CVE-2024-8693 | [email protected] [email protected] [email protected] [email protected] |
Severity Not Yet Assigned
Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
---|---|---|---|---|---|
TE Informatics–V5 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in TE Informatics V5 allows Reflected XSS.This issue affects V5: before 6.2. | 2024-09-12 | not yet calculated | CVE-2024-2010 | [email protected] |
n/a–n/a | Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via the import function to the mail component. | 2024-09-09 | not yet calculated | CVE-2024-24510 | [email protected] [email protected] |
Simple Online Planning–SO Planning | A unauthenticated SQL Injection has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database. The vulnerability has been remediated in version 1.52.02. | 2024-09-11 | not yet calculated | CVE-2024-27112 | [email protected] |
Simple Online Planning–SO Planning | An unauthenticated Insecure Direct Object Reference (IDOR) to the database has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database by exporting it as a CSV file. The vulnerability has been remediated in version 1.52.02. | 2024-09-11 | not yet calculated | CVE-2024-27113 | [email protected] |
Simple Online Planning–SO Planning | A unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying any requirements. This leads to the possibility of execution of code on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02. | 2024-09-11 | not yet calculated | CVE-2024-27115 | [email protected] |
Google–Android | there is a possible escalation of privilege due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-09-13 | not yet calculated | CVE-2024-29779 | [email protected] |
Utarit Information–SoliClub | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Utarit Information SoliClub allows Retrieve Embedded Sensitive Data.This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android. | 2024-09-12 | not yet calculated | CVE-2024-3305 | [email protected] |
Utarit Information–SoliClub | Authorization Bypass Through User-Controlled Key vulnerability in Utarit Information SoliClub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android. | 2024-09-12 | not yet calculated | CVE-2024-3306 | [email protected] |
n/a–n/a | The CMP CLI client in KeyFactor EJBCA before 8.3.1 has only 6 octets of salt, and is thus not compliant with the security requirements of RFC 4211, and might make man-in-the-middle attacks easier. CMP includes password-based MAC as one of the options for message integrity and authentication (the other option is certificate-based). RFC 4211 section 4.4 requires that password-based MAC parameters use a salt with a random value of at least 8 octets. This helps to inhibit dictionary attacks. Because the standalone CMP client originally was developed as test code, the salt was instead hardcoded and only 6 octets long. | 2024-09-12 | not yet calculated | CVE-2024-36066 | [email protected] [email protected] |
Google–Android | In multiple locations, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | 2024-09-11 | not yet calculated | CVE-2024-40654 | [email protected] [email protected] |
Google–Android | In handleCreateConferenceComplete of ConnectionServiceWrapper.java, there is a possible way to reveal images across users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | 2024-09-11 | not yet calculated | CVE-2024-40656 | [email protected] [email protected] |
Google–Android | In getRegistration of RemoteProvisioningService.java, there is a possible way to permanently disable the AndroidKeyStore key generation feature by updating the attestation keys of all installed apps due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-09-11 | not yet calculated | CVE-2024-40659 | [email protected] [email protected] |
Ubiquiti Inc–UniFi Network Application | A Command Injection vulnerability found in a Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.3.32 and earlier) allows a malicious actor with unifi user shell access to escalate privileges to root on the host device. | 2024-09-13 | not yet calculated | CVE-2024-42025 | [email protected] |
Google–Android | In TBD of TBD, there is a possible LCS signing enforcement missing due to test/debugging code left in a production build. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-09-13 | not yet calculated | CVE-2024-44092 | [email protected] |
Google–Android | In ppmp_unprotect_buf of drm/code/drm_fw.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-09-13 | not yet calculated | CVE-2024-44093 | [email protected] |
Google–Android | In ppmp_protect_mfcfw_buf of code/drm_fw.c, there is a possible memory corruption due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-09-13 | not yet calculated | CVE-2024-44094 | [email protected] |
Google–Android | In ppmp_protect_mfcfw_buf of code/drm_fw.c, there is a possible corrupt memory due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-09-13 | not yet calculated | CVE-2024-44095 | [email protected] |
Google–Android | there is a possible arbitrary read due to an insecure default value. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | 2024-09-13 | not yet calculated | CVE-2024-44096 | [email protected] |
n/a–n/a | D-Link DI-8100 v16.07.26A1 has a stack overflow vulnerability in the dbsrv_asp function. | 2024-09-09 | not yet calculated | CVE-2024-44375 | [email protected] [email protected] |
n/a–n/a | SQL Injection vulnerability in Best Free Law Office Management Software-v1.0 allows an attacker to execute arbitrary code and obtain sensitive information via a crafted payload to the kortex_lite/control/register_case.php interface | 2024-09-13 | not yet calculated | CVE-2024-44430 | [email protected] [email protected] |
n/a–n/a | A memory allocation issue in vernemq v2.0.1 allows attackers to cause a Denial of Service (DoS) via excessive memory consumption. | 2024-09-12 | not yet calculated | CVE-2024-44459 | [email protected] |
n/a–n/a | An invalid read size in Nanomq v0.21.9 allows attackers to cause a Denial of Service (DoS). | 2024-09-12 | not yet calculated | CVE-2024-44460 | [email protected] |
n/a–n/a | A stored cross-site scripting (XSS) vulnerability in the VLAN configuration of RELY-PCIe v22.2.1 to v23.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 2024-09-11 | not yet calculated | CVE-2024-44573 | [email protected] [email protected] |
n/a–n/a | RELY-PCIe v22.2.1 to v23.1.0 does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session. | 2024-09-11 | not yet calculated | CVE-2024-44575 | [email protected] [email protected] |
n/a–n/a | An issue was discovered in WibuKey64.sys in WIBU-SYSTEMS WibuKey before v6.70 and fixed in v.6.70 An improper bounds check allows specially crafted packets to cause an arbitrary address read, resulting in Denial of Service. | 2024-09-12 | not yet calculated | CVE-2024-45182 | [email protected] [email protected] |
istyle Inc.–“@cosme” App for Android | Improper authorization in handler for custom URL scheme issue in “@cosme” App for Android versions prior 5.69.0 and “@cosme” App for iOS versions prior to 6.74.0 allows an attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack. | 2024-09-09 | not yet calculated | CVE-2024-45203 | [email protected] |
Alps System Integration Co., Ltd.–InterSafe WebFilter | Cross-site request forgery (CSRF) vulnerability in multiple Alps System Integration products and the OEM products allow a remote unauthenticated attacker to hijack the authentication of the user and to perform unintended operations if the user views a malicious page while logged in. | 2024-09-10 | not yet calculated | CVE-2024-45504 | [email protected] [email protected] [email protected] [email protected] |
Reedos Software Solutions–Mutual Fund Distribution Product (aiM-Star) | This vulnerability exists in Reedos aiM-Star version 2.0.1 due to improper access controls on its certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter through API request URL which could lead to gain unauthorized access to sensitive information belonging to other users. | 2024-09-11 | not yet calculated | CVE-2024-45786 | [email protected] |
Reedos Software Solutions–Mutual Fund Distribution Product (aiM-Star) | This vulnerability exists in Reedos aiM-Star version 2.0.1 due to transmission of sensitive information in plain text in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter through API request URL and intercepting response of the API request leading to exposure of sensitive information belonging to other users. | 2024-09-11 | not yet calculated | CVE-2024-45787 | [email protected] |
Reedos Software Solutions–Mutual Fund Distribution Product (aiM-Star) | This vulnerability exists in Reedos aiM-Star version 2.0.1 due to missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints which could lead to the OTP bombing/flooding on the targeted system. | 2024-09-11 | not yet calculated | CVE-2024-45788 | [email protected] |
Reedos Software Solutions–Mutual Fund Distribution Product (aiM-Star) | This vulnerability exists in Reedos aiM-Star version 2.0.1 due to improper validation of the ‘mode’ parameter in the API endpoint used during the registration process. An authenticated remote attacker could exploit this vulnerability by manipulating parameter in the API request body on the vulnerable application. Successful exploitation of this vulnerability could allow the attacker to bypass certain constraints in the registration process leading to creation of multiple accounts. | 2024-09-11 | not yet calculated | CVE-2024-45789 | [email protected] |
Reedos Software Solutions–Mutual Fund Distribution Product (aiM-Star) | This vulnerability exists in Reedos aiM-Star version 2.0.1 due to missing restrictions for excessive failed authentication attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack against legitimate user passwords, which could lead to gain unauthorized access and compromise other user accounts. | 2024-09-11 | not yet calculated | CVE-2024-45790 | [email protected] |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: Prevent USB core invalid event buffer address access This commit addresses an issue where the USB core could access an invalid event buffer address during runtime suspend, potentially causing SMMU faults and other memory issues in Exynos platforms. The problem arises from the following sequence. 1. In dwc3_gadget_suspend, there is a chance of a timeout when moving the USB core to the halt state after clearing the run/stop bit by software. 2. In dwc3_core_exit, the event buffer is cleared regardless of the USB core’s status, which may lead to an SMMU faults and other memory issues. if the USB core tries to access the event buffer address. To prevent this hardware quirk on Exynos platforms, this commit ensures that the event buffer address is not cleared by software when the USB core is active during runtime suspend by checking its status before clearing the buffer address. | 2024-09-13 | not yet calculated | CVE-2024-46675 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Add poll mod list filling check In case of im_protocols value is 1 and tm_protocols value is 0 this combination successfully passes the check ‘if (!im_protocols && !tm_protocols)’ in the nfc_start_poll(). But then after pn533_poll_create_mod_list() call in pn533_start_poll() poll mod list will remain empty and dev->poll_mod_count will remain 0 which lead to division by zero. Normally no im protocol has value 1 in the mask, so this combination is not expected by driver. But these protocol values actually come from userspace via Netlink interface (NFC_CMD_START_POLL operation). So a broken or malicious program may pass a message containing a “bad” combination of protocol parameter values so that dev->poll_mod_count is not incremented inside pn533_poll_create_mod_list(), thus leading to division by zero. Call trace looks like: nfc_genl_start_poll() nfc_start_poll() ->start_poll() pn533_start_poll() Add poll mod list filling check. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2024-09-13 | not yet calculated | CVE-2024-46676 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bonding: change ipsec_lock from spin lock to mutex In the cited commit, bond->ipsec_lock is added to protect ipsec_list, hence xdo_dev_state_add and xdo_dev_state_delete are called inside this lock. As ipsec_lock is a spin lock and such xfrmdev ops may sleep, “scheduling while atomic” will be triggered when changing bond’s active slave. [ 101.055189] BUG: scheduling while atomic: bash/902/0x00000200 [ 101.055726] Modules linked in: [ 101.058211] CPU: 3 PID: 902 Comm: bash Not tainted 6.9.0-rc4+ #1 [ 101.058760] Hardware name: [ 101.059434] Call Trace: [ 101.059436] <TASK> [ 101.060873] dump_stack_lvl+0x51/0x60 [ 101.061275] __schedule_bug+0x4e/0x60 [ 101.061682] __schedule+0x612/0x7c0 [ 101.062078] ? __mod_timer+0x25c/0x370 [ 101.062486] schedule+0x25/0xd0 [ 101.062845] schedule_timeout+0x77/0xf0 [ 101.063265] ? asm_common_interrupt+0x22/0x40 [ 101.063724] ? __bpf_trace_itimer_state+0x10/0x10 [ 101.064215] __wait_for_common+0x87/0x190 [ 101.064648] ? usleep_range_state+0x90/0x90 [ 101.065091] cmd_exec+0x437/0xb20 [mlx5_core] [ 101.065569] mlx5_cmd_do+0x1e/0x40 [mlx5_core] [ 101.066051] mlx5_cmd_exec+0x18/0x30 [mlx5_core] [ 101.066552] mlx5_crypto_create_dek_key+0xea/0x120 [mlx5_core] [ 101.067163] ? bonding_sysfs_store_option+0x4d/0x80 [bonding] [ 101.067738] ? kmalloc_trace+0x4d/0x350 [ 101.068156] mlx5_ipsec_create_sa_ctx+0x33/0x100 [mlx5_core] [ 101.068747] mlx5e_xfrm_add_state+0x47b/0xaa0 [mlx5_core] [ 101.069312] bond_change_active_slave+0x392/0x900 [bonding] [ 101.069868] bond_option_active_slave_set+0x1c2/0x240 [bonding] [ 101.070454] __bond_opt_set+0xa6/0x430 [bonding] [ 101.070935] __bond_opt_set_notify+0x2f/0x90 [bonding] [ 101.071453] bond_opt_tryset_rtnl+0x72/0xb0 [bonding] [ 101.071965] bonding_sysfs_store_option+0x4d/0x80 [bonding] [ 101.072567] kernfs_fop_write_iter+0x10c/0x1a0 [ 101.073033] vfs_write+0x2d8/0x400 [ 101.073416] ? alloc_fd+0x48/0x180 [ 101.073798] ksys_write+0x5f/0xe0 [ 101.074175] do_syscall_64+0x52/0x110 [ 101.074576] entry_SYSCALL_64_after_hwframe+0x4b/0x53 As bond_ipsec_add_sa_all and bond_ipsec_del_sa_all are only called from bond_change_active_slave, which requires holding the RTNL lock. And bond_ipsec_add_sa and bond_ipsec_del_sa are xfrm state xdo_dev_state_add and xdo_dev_state_delete APIs, which are in user context. So ipsec_lock doesn’t have to be spin lock, change it to mutex, and thus the above issue can be resolved. | 2024-09-13 | not yet calculated | CVE-2024-46678 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ethtool: check device is present when getting link settings A sysfs reader can race with a device reset or removal, attempting to read device state when the device is not actually present. eg: [exception RIP: qed_get_current_link+17] #8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede] #9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3 #10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4 #11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300 #12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c #13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b #14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3 #15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1 #16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f #17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb crash> struct net_device.state ffff9a9d21336000 state = 5, state 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100). The device is not present, note lack of __LINK_STATE_PRESENT (0b10). This is the same sort of panic as observed in commit 4224cfd7fb65 (“net-sysfs: add check for netdevice being present to speed_show”). There are many other callers of __ethtool_get_link_ksettings() which don’t have a device presence check. Move this check into ethtool to protect all callers. | 2024-09-13 | not yet calculated | CVE-2024-46679 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix random crash seen while removing driver This fixes the random kernel crash seen while removing the driver, when running the load/unload test over multiple iterations. 1) modprobe btnxpuart 2) hciconfig hci0 reset 3) hciconfig (check hci0 interface up with valid BD address) 4) modprobe -r btnxpuart Repeat steps 1 to 4 The ps_wakeup() call in btnxpuart_close() schedules the psdata->work(), which gets scheduled after module is removed, causing a kernel crash. This hidden issue got highlighted after enabling Power Save by default in 4183a7be7700 (Bluetooth: btnxpuart: Enable Power Save feature on startup) The new ps_cleanup() deasserts UART break immediately while closing serdev device, cancels any scheduled ps_work and destroys the ps_lock mutex. [ 85.884604] Unable to handle kernel paging request at virtual address ffffd4a61638f258 [ 85.884624] Mem abort info: [ 85.884625] ESR = 0x0000000086000007 [ 85.884628] EC = 0x21: IABT (current EL), IL = 32 bits [ 85.884633] SET = 0, FnV = 0 [ 85.884636] EA = 0, S1PTW = 0 [ 85.884638] FSC = 0x07: level 3 translation fault [ 85.884642] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041dd0000 [ 85.884646] [ffffd4a61638f258] pgd=1000000095fff003, p4d=1000000095fff003, pud=100000004823d003, pmd=100000004823e003, pte=0000000000000000 [ 85.884662] Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP [ 85.890932] Modules linked in: algif_hash algif_skcipher af_alg overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_spdif snd_soc_fsl_micfil snd_soc_fsl_sai snd_soc_fsl_utils gpio_ir_recv rc_core fuse [last unloaded: btnxpuart(O)] [ 85.927297] CPU: 1 PID: 67 Comm: kworker/1:3 Tainted: G O 6.1.36+g937b1be4345a #1 [ 85.936176] Hardware name: FSL i.MX8MM EVK board (DT) [ 85.936182] Workqueue: events 0xffffd4a61638f380 [ 85.936198] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=–) [ 85.952817] pc : 0xffffd4a61638f258 [ 85.952823] lr : 0xffffd4a61638f258 [ 85.952827] sp : ffff8000084fbd70 [ 85.952829] x29: ffff8000084fbd70 x28: 0000000000000000 x27: 0000000000000000 [ 85.963112] x26: ffffd4a69133f000 x25: ffff4bf1c8540990 x24: ffff4bf215b87305 [ 85.963119] x23: ffff4bf215b87300 x22: ffff4bf1c85409d0 x21: ffff4bf1c8540970 [ 85.977382] x20: 0000000000000000 x19: ffff4bf1c8540880 x18: 0000000000000000 [ 85.977391] x17: 0000000000000000 x16: 0000000000000133 x15: 0000ffffe2217090 [ 85.977399] x14: 0000000000000001 x13: 0000000000000133 x12: 0000000000000139 [ 85.977407] x11: 0000000000000001 x10: 0000000000000a60 x9 : ffff8000084fbc50 [ 85.977417] x8 : ffff4bf215b7d000 x7 : ffff4bf215b83b40 x6 : 00000000000003e8 [ 85.977424] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000000 [ 85.977432] x2 : 0000000000000000 x1 : ffff4bf1c4265880 x0 : 0000000000000000 [ 85.977443] Call trace: [ 85.977446] 0xffffd4a61638f258 [ 85.977451] 0xffffd4a61638f3e8 [ 85.977455] process_one_work+0x1d4/0x330 [ 85.977464] worker_thread+0x6c/0x430 [ 85.977471] kthread+0x108/0x10c [ 85.977476] ret_from_fork+0x10/0x20 [ 85.977488] Code: bad PC value [ 85.977491] —[ end trace 0000000000000000 ]— Preset since v6.9.11 | 2024-09-13 | not yet calculated | CVE-2024-46680 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: pktgen: use cpus_read_lock() in pg_net_init() I have seen the WARN_ON(smp_processor_id() != cpu) firing in pktgen_thread_worker() during tests. We must use cpus_read_lock()/cpus_read_unlock() around the for_each_online_cpu(cpu) loop. While we are at it use WARN_ON_ONCE() to avoid a possible syslog flood. | 2024-09-13 | not yet calculated | CVE-2024-46681 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: binfmt_elf_fdpic: fix AUXV size calculation when ELF_HWCAP2 is defined create_elf_fdpic_tables() does not correctly account the space for the AUX vector when an architecture has ELF_HWCAP2 defined. Prior to the commit 10e29251be0e (“binfmt_elf_fdpic: fix /proc/<pid>/auxv”) it resulted in the last entry of the AUX vector being set to zero, but with that change it results in a kernel BUG. Fix that by adding one to the number of AUXV entries (nitems) when ELF_HWCAP2 is defined. | 2024-09-13 | not yet calculated | CVE-2024-46684 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix out-of-bound access when z_erofs_gbuf_growsize() partially fails If z_erofs_gbuf_growsize() partially fails on a global buffer due to memory allocation failure or fault injection (as reported by syzbot [1]), new pages need to be freed by comparing to the existing pages to avoid memory leaks. However, the old gbuf->pages[] array may not be large enough, which can lead to null-ptr-deref or out-of-bound access. Fix this by checking against gbuf->nrpages in advance. [1] https://lore.kernel.org/r/[email protected] | 2024-09-13 | not yet calculated | CVE-2024-46688 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: soc: qcom: cmd-db: Map shared memory as WC, not WB Linux does not write into cmd-db region. This region of memory is write protected by XPU. XPU may sometime falsely detect clean cache eviction as “write” into the write protected region leading to secure interrupt which causes an endless loop somewhere in Trust Zone. The only reason it is working right now is because Qualcomm Hypervisor maps the same region as Non-Cacheable memory in Stage 2 translation tables. The issue manifests if we want to use another hypervisor (like Xen or KVM), which does not know anything about those specific mappings. Changing the mapping of cmd-db memory from MEMREMAP_WB to MEMREMAP_WT/WC removes dependency on correct mappings in Stage 2 tables. This patch fixes the issue by updating the mapping to MEMREMAP_WC. I tested this on SA8155P with Xen. | 2024-09-13 | not yet calculated | CVE-2024-46689 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfsd4_deleg_getattr_conflict in presence of third party lease It is not safe to dereference fl->c.flc_owner without first confirming fl->fl_lmops is the expected manager. nfsd4_deleg_getattr_conflict() tests fl_lmops but largely ignores the result and assumes that flc_owner is an nfs4_delegation anyway. This is wrong. With this patch we restore the “!= &nfsd_lease_mng_ops” case to behave as it did before the change mentioned below. This is the same as the current code, but without any reference to a possible delegation. | 2024-09-13 | not yet calculated | CVE-2024-46690 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: avoid using null object of framebuffer Instead of using state->fb->obj[0] directly, get object from framebuffer by calling drm_gem_fb_get_obj() and return error code when object is null to avoid using null object of framebuffer. (cherry picked from commit 73dd0ad9e5dad53766ea3e631303430116f834b3) | 2024-09-13 | not yet calculated | CVE-2024-46694 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: selinux,smack: don’t bypass permissions check in inode_setsecctx hook Marek Gresko reports that the root user on an NFS client is able to change the security labels on files on an NFS filesystem that is exported with root squashing enabled. The end of the kerneldoc comment for __vfs_setxattr_noperm() states: * This function requires the caller to lock the inode’s i_mutex before it * is executed. It also assumes that the caller will make the appropriate * permission checks. nfsd_setattr() does do permissions checking via fh_verify() and nfsd_permission(), but those don’t do all the same permissions checks that are done by security_inode_setxattr() and its related LSM hooks do. Since nfsd_setattr() is the only consumer of security_inode_setsecctx(), simplest solution appears to be to replace the call to __vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This fixes the above issue and has the added benefit of causing nfsd to recall conflicting delegations on a file when a client tries to change its security label. | 2024-09-13 | not yet calculated | CVE-2024-46695 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: ensure that nfsd4_fattr_args.context is zeroed out If nfsd4_encode_fattr4 ends up doing a “goto out” before we get to checking for the security label, then args.context will be set to uninitialized junk on the stack, which we’ll then try to free. Initialize it early. | 2024-09-13 | not yet calculated | CVE-2024-46697 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: libfs: fix infinite directory reads for offset dir After we switch tmpfs dir operations from simple_dir_operations to simple_offset_dir_operations, every rename happened will fill new dentry to dest dir’s maple tree(&SHMEM_I(inode)->dir_offsets->mt) with a free key starting with octx->newx_offset, and then set newx_offset equals to free key + 1. This will lead to infinite readdir combine with rename happened at the same time, which fail generic/736 in xfstests(detail show as below). 1. create 5000 files(1 2 3…) under one dir 2. call readdir(man 3 readdir) once, and get one entry 3. rename(entry, “TEMPFILE”), then rename(“TEMPFILE”, entry) 4. loop 2~3, until readdir return nothing or we loop too many times(tmpfs break test with the second condition) We choose the same logic what commit 9b378f6ad48cf (“btrfs: fix infinite directory reads”) to fix it, record the last_index when we open dir, and do not emit the entry which index >= last_index. The file->private_data now used in offset dir can use directly to do this, and we also update the last_index when we llseek the dir file. [brauner: only update last_index after seek when offset is zero like Jan suggested] | 2024-09-13 | not yet calculated | CVE-2024-46701 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Mark XDomain as unplugged when router is removed I noticed that when we do discrete host router NVM upgrade and it gets hot-removed from the PCIe side as a result of NVM firmware authentication, if there is another host connected with enabled paths we hang in tearing them down. This is due to fact that the Thunderbolt networking driver also tries to cleanup the paths and ends up blocking in tb_disconnect_xdomain_paths() waiting for the domain lock. However, at this point we already cleaned the paths in tb_stop() so there is really no need for tb_disconnect_xdomain_paths() to do that anymore. Furthermore it already checks if the XDomain is unplugged and bails out early so take advantage of that and mark the XDomain as unplugged when we remove the parent router. | 2024-09-13 | not yet calculated | CVE-2024-46702 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Revert “serial: 8250_omap: Set the console genpd always on if no console suspend” This reverts commit 68e6939ea9ec3d6579eadeab16060339cdeaf940. Kevin reported that this causes a crash during suspend on platforms that dont use PM domains. | 2024-09-13 | not yet calculated | CVE-2024-46703 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: workqueue: Fix spruious data race in __flush_work() When flushing a work item for cancellation, __flush_work() knows that it exclusively owns the work item through its PENDING bit. 134874e2eee9 (“workqueue: Allow cancel_work_sync() and disable_work() from atomic contexts on BH work items”) added a read of @work->data to determine whether to use busy wait for BH work items that are being canceled. While the read is safe when @from_cancel, @work->data was read before testing @from_cancel to simplify code structure: data = *work_data_bits(work); if (from_cancel && !WARN_ON_ONCE(data & WORK_STRUCT_PWQ) && (data & WORK_OFFQ_BH)) { While the read data was never used if !@from_cancel, this could trigger KCSAN data race detection spuriously: ================================================================== BUG: KCSAN: data-race in __flush_work / __flush_work write to 0xffff8881223aa3e8 of 8 bytes by task 3998 on cpu 0: instrument_write include/linux/instrumented.h:41 [inline] ___set_bit include/asm-generic/bitops/instrumented-non-atomic.h:28 [inline] insert_wq_barrier kernel/workqueue.c:3790 [inline] start_flush_work kernel/workqueue.c:4142 [inline] __flush_work+0x30b/0x570 kernel/workqueue.c:4178 flush_work kernel/workqueue.c:4229 [inline] … read to 0xffff8881223aa3e8 of 8 bytes by task 50 on cpu 1: __flush_work+0x42a/0x570 kernel/workqueue.c:4188 flush_work kernel/workqueue.c:4229 [inline] flush_delayed_work+0x66/0x70 kernel/workqueue.c:4251 … value changed: 0x0000000000400000 -> 0xffff88810006c00d Reorganize the code so that @from_cancel is tested before @work->data is accessed. The only problem is triggering KCSAN detection spuriously. This shouldn’t need READ_ONCE() or other access qualifiers. No functional changes. | 2024-09-13 | not yet calculated | CVE-2024-46704 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe: reset mmio mappings with devm Set our various mmio mappings to NULL. This should make it easier to catch something rogue trying to mess with mmio after device removal. For example, we might unmap everything and then start hitting some mmio address which has already been unmamped by us and then remapped by something else, causing all kinds of carnage. | 2024-09-13 | not yet calculated | CVE-2024-46705 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tty: serial: fsl_lpuart: mark last busy before uart_add_one_port With “earlycon initcall_debug=1 loglevel=8” in bootargs, kernel sometimes boot hang. It is because normal console still is not ready, but runtime suspend is called, so early console putchar will hang in waiting TRDE set in UARTSTAT. The lpuart driver has auto suspend delay set to 3000ms, but during uart_add_one_port, a child device serial ctrl will added and probed with its pm runtime enabled(see serial_ctrl.c). The runtime suspend call path is: device_add |-> bus_probe_device |->device_initial_probe |->__device_attach |-> pm_runtime_get_sync(dev->parent); |-> pm_request_idle(dev); |-> pm_runtime_put(dev->parent); So in the end, before normal console ready, the lpuart get runtime suspended. And earlycon putchar will hang. To address the issue, mark last busy just after pm_runtime_enable, three seconds is long enough to switch from bootconsole to normal console. | 2024-09-13 | not yet calculated | CVE-2024-46706 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 On a system with a GICv3, if a guest hasn’t been configured with GICv3 and that the host is not capable of GICv2 emulation, a write to any of the ICC_*SGI*_EL1 registers is trapped to EL2. We therefore try to emulate the SGI access, only to hit a NULL pointer as no private interrupt is allocated (no GIC, remember?). The obvious fix is to give the guest what it deserves, in the shape of a UNDEF exception. | 2024-09-13 | not yet calculated | CVE-2024-46707 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: qcom: x1e80100: Fix special pin offsets Remove the erroneus 0x100000 offset to prevent the boards from crashing on pin state setting, as well as for the intended state changes to take effect. | 2024-09-13 | not yet calculated | CVE-2024-46708 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix prime with external buffers Make sure that for external buffers mapping goes through the dma_buf interface instead of trying to access pages directly. External buffers might not provide direct access to readable/writable pages so to make sure the bo’s created from external dma_bufs can be read dma_buf interface has to be used. Fixes crashes in IGT’s kms_prime with vgem. Regular desktop usage won’t trigger this due to the fact that virtual machines will not have multiple GPUs but it enables better test coverage in IGT. | 2024-09-13 | not yet calculated | CVE-2024-46709 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Prevent unmapping active read buffers The kms paths keep a persistent map active to read and compare the cursor buffer. These maps can race with each other in simple scenario where: a) buffer “a” mapped for update b) buffer “a” mapped for compare c) do the compare d) unmap “a” for compare e) update the cursor f) unmap “a” for update At step “e” the buffer has been unmapped and the read contents is bogus. Prevent unmapping of active read buffers by simply keeping a count of how many paths have currently active maps and unmap only when the count reaches 0. | 2024-09-13 | not yet calculated | CVE-2024-46710 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: fix ID 0 endp usage after multiple re-creations ‘local_addr_used’ and ‘add_addr_accepted’ are decremented for addresses not related to the initial subflow (ID0), because the source and destination addresses of the initial subflows are known from the beginning: they don’t count as “additional local address being used” or “ADD_ADDR being accepted”. It is then required not to increment them when the entrypoint used by the initial subflow is removed and re-added during a connection. Without this modification, this entrypoint cannot be removed and re-added more than once. | 2024-09-13 | not yet calculated | CVE-2024-46711 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Disable coherent dumb buffers without 3d Coherent surfaces make only sense if the host renders to them using accelerated apis. Without 3d the entire content of dumb buffers stays in the guest making all of the extra work they’re doing to synchronize between guest and host useless. Configurations without 3d also tend to run with very low graphics memory limits. The pinned console fb, mob cursors and graphical login manager tend to run out of 16MB graphics memory that those guests use. Fix it by making sure the coherent dumb buffers are only used on configs with 3d enabled. | 2024-09-13 | not yet calculated | CVE-2024-46712 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization Ole reported that event->mmap_mutex is strictly insufficient to serialize the AUX buffer, add a per RB mutex to fully serialize it. Note that in the lock order comment the perf_event::mmap_mutex order was already wrong, that is, it nesting under mmap_lock is not new with this patch. | 2024-09-13 | not yet calculated | CVE-2024-46713 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
n/a–n/a | app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org. | 2024-09-15 | not yet calculated | CVE-2024-46918 | [email protected] [email protected] |
n/a–n/a | An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files. | 2024-09-15 | not yet calculated | CVE-2024-46938 | [email protected] |
n/a–n/a | In OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) through 13.0.1, a controller with a follower role can configure flow entries in an OpenDaylight clustering deployment. | 2024-09-15 | not yet calculated | CVE-2024-46942 | [email protected] [email protected] [email protected] |
n/a–n/a | An issue was discovered in OpenDaylight Authentication, Authorization and Accounting (AAA) through 0.19.3. A rogue controller can join a cluster to impersonate an offline peer, even if this rogue controller does not possess the complete cluster configuration information. | 2024-09-15 | not yet calculated | CVE-2024-46943 | [email protected] [email protected] [email protected] |
Rockwell Automation–CompactLogix 5380 | A denial-of-service vulnerability exists in the Rockwell Automation affected products when specially crafted packets are sent to the CIP Security Object. If exploited the device will become unavailable and require a factory reset to recover. | 2024-09-12 | not yet calculated | CVE-2024-6077 | [email protected] |
lunary-ai–lunary-ai/lunary | An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the ‘invite user’ functionality to obtain valid JWT tokens. These tokens can be used to compromise target users upon registration for their own arbitrary organizations. The attacker can invite a target email, obtain a one-time use token, retract the invite, and later use the token to reset the password of the target user, leading to full account takeover. | 2024-09-13 | not yet calculated | CVE-2024-6087 | [email protected] [email protected] |
significant-gravitas–significant-gravitas/autogpt | A vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings. The issue arises when the denylist is configured to block specific commands, such as ‘whoami’ and ‘/bin/whoami’. An attacker can circumvent this restriction by executing commands with a modified path, such as ‘/bin/./whoami’, which is not recognized by the denylist. | 2024-09-11 | not yet calculated | CVE-2024-6091 | [email protected] [email protected] |
lunary-ai–lunary-ai/lunary | A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and potential account takeover if the email of a user in the target organization is known. | 2024-09-13 | not yet calculated | CVE-2024-6582 | [email protected] [email protected] |
berriai–berriai/litellm | A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified by `api_base`. This request includes the OpenAI API key. A malicious user can set the `api_base` to their own domain and intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key. | 2024-09-13 | not yet calculated | CVE-2024-6587 | [email protected] [email protected] |
TNB Mobile Solutions–Cockpit Software | Use of Hard-coded Credentials vulnerability in TNB Mobile Solutions Cockpit Software allows Read Sensitive Strings Within an Executable.This issue affects Cockpit Software: before v2.13. | 2024-09-13 | not yet calculated | CVE-2024-6656 | [email protected] |
lunary-ai–lunary-ai/lunary | A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks. | 2024-09-13 | not yet calculated | CVE-2024-6862 | [email protected] [email protected] |
lunary-ai–lunary-ai/lunary | An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the `run_id` listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the `run_id` of a public or non-public run. | 2024-09-13 | not yet calculated | CVE-2024-6867 | [email protected] [email protected] |
Profelis Informatics and Consulting–PassBox | Improper Authentication, Missing Authentication for Critical Function, Improper Authorization vulnerability in Profelis Informatics and Consulting PassBox allows Authentication Abuse.This issue affects PassBox: before v1.2. | 2024-09-09 | not yet calculated | CVE-2024-7015 | [email protected] |
Vidco Software–VOC TESTER | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Vidco Software VOC TESTER allows Path Traversal.This issue affects VOC TESTER: before 12.34.8. | 2024-09-11 | not yet calculated | CVE-2024-7609 | [email protected] |
Citrix–Citrix Workspace app for Windows | Local privilege escalation allows a low-privileged user to gain SYSTEM privileges in Citrix Workspace app for Windows | 2024-09-11 | not yet calculated | CVE-2024-7889 | [email protected] |
Citrix–Citrix Workspace app for Windows | Local privilege escalation allows a low-privileged user to gain SYSTEM privileges in Citrix Workspace app for Windows | 2024-09-11 | not yet calculated | CVE-2024-7890 | [email protected] |
Rockwell Automation–Pavilion8 | The Rockwell Automation affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not. | 2024-09-12 | not yet calculated | CVE-2024-7960 | [email protected] |
Rockwell Automation–Pavilion8 | A path traversal vulnerability exists in the Rockwell Automation affected product. If exploited, the threat actor could upload arbitrary files to the server that could result in a remote code execution. | 2024-09-12 | not yet calculated | CVE-2024-7961 | [email protected] |
TECNO–com.afmobi.boomplayer | Improper permission configurationDomain configuration vulnerability of the mobile application (com.afmobi.boomplayer) can lead to account takeover risks. | 2024-09-14 | not yet calculated | CVE-2024-8039 | 907edf6c-bf03-423e-ab1a-8da27e1aa1ea 907edf6c-bf03-423e-ab1a-8da27e1aa1ea |
Payara Platform–Payara Server | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows Sensitive credentials posted in plain-text on the server log.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 4.1.2.191.50. | 2024-09-11 | not yet calculated | CVE-2024-8097 | 769c9ae7-73c3-4e47-ae19-903170fc3eb8 769c9ae7-73c3-4e47-ae19-903170fc3eb8 |
Logitech–Logitech Options Plus | Improper Control of Generation of Code (‘Code Injection’) in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration. | 2024-09-10 | not yet calculated | CVE-2024-8258 | [email protected] [email protected] [email protected] [email protected] |
Rockwell Automation–2800C OptixPanel Compact | A privilege escalation vulnerability exists in the Rockwell Automation affected products. The vulnerability occurs due to improper default file permissions allowing users to exfiltrate credentials and escalate privileges. | 2024-09-12 | not yet calculated | CVE-2024-8533 | [email protected] |
TechExcel Software Solutions–Back Office Software | This vulnerability exists in TechExcel Back Office Software versions prior to 1.0.0 due to improper access controls on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter through API request URL which could lead to unauthorized access to sensitive information belonging to other users. | 2024-09-09 | not yet calculated | CVE-2024-8601 | [email protected] |
Eclipse Foundation–Eclipse EDC Connector | In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module “transfer-data-plane”. The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed. | 2024-09-11 | not yet calculated | CVE-2024-8642 | [email protected] [email protected] [email protected] [email protected] |
Palo Alto Networks–PAN-OS | A command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as root on the firewall. | 2024-09-11 | not yet calculated | CVE-2024-8686 | [email protected] |
Palo Alto Networks–PAN-OS | An information exposure vulnerability exists in Palo Alto Networks PAN-OS software that enables a GlobalProtect end user to learn both the configured GlobalProtect uninstall password and the configured disable or disconnect passcode. After the password or passcode is known, end users can uninstall, disable, or disconnect GlobalProtect even if the GlobalProtect app configuration would not normally permit them to do so. | 2024-09-11 | not yet calculated | CVE-2024-8687 | [email protected] |
Palo Alto Networks–PAN-OS | An improper neutralization of matching symbols vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables authenticated administrators (including read-only administrators) with access to the CLI to to read arbitrary files on the firewall. | 2024-09-11 | not yet calculated | CVE-2024-8688 | [email protected] |
Palo Alto Networks–ActiveMQ Content Pack | A problem with the ActiveMQ integration for both Cortex XSOAR and Cortex XSIAM can result in the cleartext exposure of the configured ActiveMQ credentials in log bundles. | 2024-09-11 | not yet calculated | CVE-2024-8689 | [email protected] |
Palo Alto Networks–Cortex XDR Agent | A problem with a detection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices enables a user with Windows administrator privileges to disable the agent. This issue may be leveraged by malware to disable the Cortex XDR agent and then to perform malicious activity. | 2024-09-11 | not yet calculated | CVE-2024-8690 | [email protected] |
Palo Alto Networks–PAN-OS | A vulnerability in the GlobalProtect portal in Palo Alto Networks PAN-OS software enables a malicious authenticated GlobalProtect user to impersonate another GlobalProtect user. Active GlobalProtect users impersonated by an attacker who is exploiting this vulnerability are disconnected from GlobalProtect. Upon exploitation, PAN-OS logs indicate that the impersonated user authenticated to GlobalProtect, which hides the identity of the attacker. | 2024-09-11 | not yet calculated | CVE-2024-8691 | [email protected] |
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.