Vulnerability Summary for the Week of July 1, 2024

High Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
2code — wpqa_builder
 
The WPQA Builder WordPress plugin before 6.1.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks 2024-07-03 8.8 CVE-2024-2376
contact@wpscan.com
ABB–ASPECT Enterprise (ASP-ENT-x)
 
Default credential in install package in ABB ASPECT; NEXUS Series; MATRIX Series version 3.07 allows attacker to login to product instances wrongly configured. 2024-07-01 8.8 CVE-2024-4007
cybersecurity@ch.abb.com
Adobe–Acrobat for Edge
 
Acrobat for Edge versions 126.0.2592.68 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-07-02 7.8 CVE-2024-34122
psirt@adobe.com
aimeos–ai-admin-graphql
 
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue. 2024-07-02 7.1 CVE-2024-39323
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Apache Software Foundation–Apache HTTP Server
 
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL’s to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue. 2024-07-01 7.5 CVE-2024-39573
security@apache.org
Arm Ltd–Valhall GPU Firmware
 
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Arm Ltd Valhall GPU Firmware, Arm Ltd Arm 5th Gen GPU Architecture Firmware allows a local non-privileged user to make improper GPU processing operations to access a limited amount outside of buffer bounds. If the operations are carefully prepared, then this in turn could give them access to all system memory. This issue affects Valhall GPU Firmware: from r29p0 through r46p0; Arm 5th Gen GPU Architecture Firmware: from r41p0 through r46p0. 2024-07-01 7.8 CVE-2024-0153
arm-security@arm.com
certifi–python-certifi
 
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla’s trust store. `GLOBALTRUST`’s root certificates are being removed pursuant to an investigation which identified “long-running and unresolved compliance issues.” 2024-07-05 7.5 CVE-2024-39689
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
CHANGING–Mobile One Time Password
 
CHANGING Mobile One Time Password’s uploading function in a hidden page does not filter file type properly. Remote attackers with administrator privilege can exploit this vulnerability to upload and run malicious file to execute system commands. 2024-07-01 7.2 CVE-2024-3123
twcert@cert.org.tw
twcert@cert.org.tw
CocoaPods–CocoaPods
 
trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used a rfc-822 library which executes a shell command to validate the email domain MX records validity. It works via an DNS MX. This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure. This issue was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. This RCE triggered a full user-session reset, as an attacker could have used this method to write to any Podspec in trunk. 2024-07-01 10 CVE-2024-38366
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
CocoaPods–CocoaPods
 
trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. A vulnerability affected older pods which migrated from the pre-2014 pull request workflow to trunk. If the pods had never been claimed then it was still possible to do so. It was also possible to have all owners removed from a pod, and that made the pod available for the same claiming system. This was patched server-side in commit 71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4 in September 2023. 2024-07-01 9.3 CVE-2024-38368
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
CocoaPods–CocoaPods
 
trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, the trunk sessions verification step could be manipulated for owner session hijacking Compromising a victim’s session will result in a full takeover of the CocoaPods trunk account. The threat actor could manipulate their pod specifications, disrupt the distribution of legitimate libraries, or cause widespread disruption within the CocoaPods ecosystem. This was patched server-side with commit d4fa66f49cedab449af9a56a21ab40697b9f7b97 in October 2023. 2024-07-01 8.2 CVE-2024-38367
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
dahlia–fedify
 
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the `@id` or other resources present within the activity it has received from the web. This activity could reference an `@id` that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server’s network. This applies to not just resolution of documents containing activities or objects, but also to media URLs as well. Specifically this is a Server Side Request Forgery attack. Users should upgrade to Fedify version 0.9.2, 0.10.1, or 0.11.1 to receive a patch for this issue. 2024-07-05 7.2 CVE-2024-39687
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Delinea–Centrify PAS
 
Vulnerability in Delinea Centrify PAS v. 21.3 and possibly others. The application is prone to the path traversal vulnerability allowing arbitrary files reading outside the web publish directory. Versions 23.1-HF7 and on have the patch. 2024-07-02 7.7 CVE-2024-5865
vulnerability@kaspersky.com
dell — powerscale_onefs
 
Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.0 contain use of a broken or risky cryptographic algorithm vulnerability. An unprivileged network malicious attacker could potentially exploit this vulnerability, leading to data leaks. 2024-07-02 7.5 CVE-2024-32852
security_alert@emc.com
dell — powerscale_onefs
 
Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.2 contain an execution with unnecessary privileges vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. 2024-07-02 7.8 CVE-2024-32853
security_alert@emc.com
discourse–discourse
 
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, Oneboxing against a carefully crafted malicious URL can reduce the availability of a Discourse instance. The problem has been patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch. There are no known workarounds available for this vulnerability. 2024-07-03 7.5 CVE-2024-35227
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Edito–Edito CMS
 
Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthenticated user. The issue in versions 3.5 – 3.25 was removed in releases which dates from 10th of January 2014. Higher versions were never affected. 2024-07-02 7.5 CVE-2024-4836
cvd@cert.pl
cvd@cert.pl
cvd@cert.pl
evmos–evmos
 
Evmos is a decentralized Ethereum Virtual Machine chain on the Cosmos Network. Prior to version 19.0.0, a user can create a vesting account with a 3rd party account (EOA or contract) as funder. Then, this user can create an authorization for the contract.CallerAddress, this is the authorization checked in the code. But the funds are taken from the funder address provided in the message. Consequently, the user can fund a vesting account with a 3rd party account without its permission. The funder address can be any address, so this vulnerability can be used to drain all the accounts in the chain. The issue has been patched in version 19.0.0. 2024-07-05 8.8 CVE-2024-39696
security-advisories@github.com
security-advisories@github.com
expresstech — quiz_and_survey_master
 
The Quiz and Survey Master (QSM) WordPress plugin before 9.0.2 is vulnerable does not validate and escape the question_id parameter in the qsm_bulk_delete_question_from_database AJAX action, leading to a SQL injection exploitable by Contributors and above role 2024-07-02 8.8 CVE-2024-5606
contact@wpscan.com
flowiseai — flowise
 
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitization of the `fileName` body parameter. No known patches for this issue are available. 2024-07-01 7.5 CVE-2024-36420
security-advisories@github.com
security-advisories@github.com
flowiseai — flowise
 
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated), arbitrary origins may be able to make requests to Flowise, stealing information from the user. This CORS misconfiguration may be chained with the path injection to allow an attacker attackers without access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. 2024-07-01 7.5 CVE-2024-36421
security-advisories@github.com
security-advisories@github.com
geoserver — geoserver
 
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed. 2024-07-01 9.8 CVE-2024-36401
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
geoserver–geoserver
 
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.5 and 2.24.3, if GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation in the GeoWebCache ByteStreamController class and read arbitrary classpath resources with specific file name extensions. If GeoServer is also deployed as a web archive using the data directory embedded in the `geoserver.war` file (rather than an external data directory), it will likely be possible to read specific resources to gain administrator privileges. However, it is very unlikely that production environments will be using the embedded data directory since, depending on how GeoServer is deployed, it will be erased and re-installed (which would also reset to the default password) either every time the server restarts or every time a new GeoServer WAR is installed and is therefore difficult to maintain. An external data directory will always be used if GeoServer is running in standalone mode (via an installer or a binary). Versions 2.23.5 and 2.24.3 contain a patch for the issue. Some workarounds are available. One may change from a Windows environment to a Linux environment; or change from Apache Tomcat to Jetty application server. One may also disable anonymous access to the embeded GeoWebCache administration and status pages. 2024-07-01 7.5 CVE-2024-24749
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
geotools–geotools
 
GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one’s application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications. 2024-07-02 9.8 CVE-2024-36404
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
gofiber–fiber
 
Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber’s session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: Either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies. 2024-07-01 10 CVE-2024-38513
security-advisories@github.com
security-advisories@github.com
gorilla–schema
 
gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{…}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue. 2024-07-01 7.5 CVE-2024-37298
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Grandstream–GXP2135
 
An os command injection vulnerability exists in the CWMP SelfDefinedTimeZone functionality of Grandstream GXP2135 1.0.9.129, 1.0.11.74 and 1.0.11.79. A specially crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability. 2024-07-03 8.1 CVE-2024-32937
talos-cna@cisco.com
Hitachi–JP1/Extensible SNMP Agent for Windows
 
Incorrect Default Permissions vulnerability in Hitachi JP1/Extensible SNMP Agent for Windows, Hitachi JP1/Extensible SNMP Agent on Windows, Hitachi Job Management Partner1/Extensible SNMP Agent on Windows allows File Manipulation.This issue affects JP1/Extensible SNMP Agent for Windows: from 12-00 before 12-00-01, from 11-00 through 11-00-*; JP1/Extensible SNMP Agent: from 10-10 through 10-10-01, from 10-00 through 10-00-02, from 09-00 through 09-00-04; Job Management Partner1/Extensible SNMP Agent: from 10-10 through 10-10-01, from 10-00 through 10-00-02, from 09-00 through 09-00-04. 2024-07-02 7.8 CVE-2024-4679
hirt@hitachi.co.jp
home_owners_collection_management_system_project — home_owners_collection_management_system
 
A vulnerability was found in SourceCodester Home Owners Collection Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /classes/Users.php?f=save. The manipulation of the argument img leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270167. 2024-07-02 9.8 CVE-2024-6439
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
home_owners_collection_management_system_project — home_owners_collection_management_system
 
A vulnerability was found in SourceCodester Home Owners Collection Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /classes/Master.php?f=delete_category. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-270168. 2024-07-02 9.8 CVE-2024-6440
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
icegram — email_subscribers_&_newsletters
 
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2024-07-02 9.8 CVE-2024-6172
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
ICONICS–GENESIS64
 
Uncontrolled Search Path Element vulnerability in ICONICS GENESIS64 all versions, Mitsubishi Electric GENESIS64 all versions and Mitsubishi Electric MC Works64 all versions allows a local attacker to execute a malicious code by storing a specially crafted DLL in a specific folder when GENESIS64 and MC Works64 are installed with the Pager agent in the alarm multi-agent notification feature. 2024-07-04 7 CVE-2024-1182
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Johnson Controls–American Dynamics Illustra Essentials Gen 4
 
Under certain circumstances the web interface will accept characters unrelated to the expected input. 2024-07-02 9.1 CVE-2024-32755
productsecurity@jci.com
productsecurity@jci.com
jungo — windriver
 
Improper privilege management in Jungo WinDriver before 12.1.0 allows local attackers to escalate privileges and execute arbitrary code. 2024-07-02 7.8 CVE-2023-51776
cve@mitre.org
cve@mitre.org
cve@mitre.org
jungo — windriver
 
Improper privilege management in Jungo WinDriver before 12.5.1 allows local attackers to escalate privileges, execute arbitrary code, or cause a Denial of Service (DoS). 2024-07-02 7.8 CVE-2024-22106
cve@mitre.org
cve@mitre.org
cve@mitre.org
jungo — windriver
 
Improper privilege management in Jungo WinDriver before 12.2.0 allows local attackers to escalate privileges and execute arbitrary code. 2024-07-02 7.8 CVE-2024-25086
cve@mitre.org
cve@mitre.org
cve@mitre.org
jungo — windriver
 
Improper privilege management in Jungo WinDriver before 12.5.1 allows local attackers to escalate privileges and execute arbitrary code. 2024-07-02 7.8 CVE-2024-25088
cve@mitre.org
cve@mitre.org
cve@mitre.org
jungo — windriver
 
Improper privilege management in Jungo WinDriver 6.0.0 through 16.1.0 allows local attackers to escalate privileges and execute arbitrary code. 2024-07-02 7.8 CVE-2024-26314
cve@mitre.org
cve@mitre.org
cve@mitre.org
Juniper Networks–Junos OS
 
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device receives specific valid traffic destined to the device, it will cause the PFE to crash and restart. Continued receipt and processing of this traffic will create a sustained DoS condition. This issue affects Junos OS on SRX Series: * 21.4 versions before 21.4R3-S7.9, * 22.1 versions before 22.1R3-S5.3, * 22.2 versions before 22.2R3-S4.11, * 22.3 versions before 22.3R3, * 22.4 versions before 22.4R3. Junos OS versions prior to 21.4R1 are not affected by this issue. 2024-07-01 7.5 CVE-2024-21586
sirt@juniper.net
Kiloview–P1/P2
 
Inadequate input validation exposes the system to potential remote code execution (RCE) risks. Attackers can exploit this vulnerability by appending shell commands to the Speed-Measurement feature, enabling unauthorized code execution. 2024-07-02 10 CVE-2023-41917
cert@ncsc.nl
Kiloview–P1/P2
 
A vulnerability allows unauthorized access to functionality inadequately constrained by ACLs. Attackers may exploit this to unauthenticated execute commands potentially leading to unauthorized data manipulation, access to privileged functions, or even the execution of arbitrary code. 2024-07-02 10 CVE-2023-41918
cert@ncsc.nl
Kiloview–P1/P2
 
Hardcoded credentials are discovered within the application’s source code, creating a potential security risk for unauthorized access. 2024-07-02 9.8 CVE-2023-41919
cert@ncsc.nl
Kiloview–P1/P2
 
The vulnerability allows attackers access to the root account without having to authenticate. Specifically, if the device is configured with the IP address of 10.10.10.10, the root user is automatically logged in. 2024-07-02 9.8 CVE-2023-41920
cert@ncsc.nl
Kiloview–P1/P2
 
A vulnerability allows attackers to download source code or an executable from a remote location and execute the code without sufficiently verifying the origin and integrity of the code. This vulnerability can allow attackers to modify the firmware before uploading it to the system, thus achieving the modification of the target’s integrity to achieve an insecure state. 2024-07-02 9.8 CVE-2023-41921
cert@ncsc.nl
Kiloview–P1/P2
 
The webserver utilizes basic authentication for its user login to the configuration interface. As encryption is disabled on port 80, it enables potential eavesdropping on user traffic, making it possible to intercept their credentials. 2024-07-02 8.8 CVE-2023-41926
cert@ncsc.nl
Kiloview–P1/P2
 
The user management section of the web application permits the creation of user accounts with excessively weak passwords, including single-character passwords. 2024-07-02 7.2 CVE-2023-41923
cert@ncsc.nl
kylephillips — nested_pages
 
The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the ‘settingsPage’ function and missing santization of the ‘tab’ parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-07-04 8.8 CVE-2024-5943
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
LA-Studio–LA-Studio Element Kit for Elementor
 
Local File Inclusion vulnerability in LA-Studio LA-Studio Element Kit for Elementor via “LaStudioKit Progress Bar” widget in New Post, specifically in the “progress_type” attribute.This issue affects LA-Studio Element Kit for Elementor: from n/a through 1.3.8.1. 2024-07-02 8.5 CVE-2024-37479
audit@patchstack.com
la-studioweb — element_kit_for_elementor
 
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.8.1 via the ‘map_style’ parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. 2024-07-02 8.8 CVE-2024-5349
security@wordfence.com
security@wordfence.com
livemeshelementor — addons_for_elementor
 
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.3.7 via several of the plugin’s widgets through the ‘style’ attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. 2024-07-04 8.8 CVE-2024-2385
security@wordfence.com
security@wordfence.com
security@wordfence.com
mastodon–mastodon
 
Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue. 2024-07-05 8.2 CVE-2024-37903
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
MediaTek, Inc.–MT2731, MT6739, MT6761, MT6762, MT6763, MT6765, MT6767, MT6768, MT6769, MT6771, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788
 
In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01297806; Issue ID: MSV-1481. 2024-07-01 7.5 CVE-2024-20076
security@mediatek.com
MediaTek, Inc.–MT2731, MT6739, MT6761, MT6762, MT6763, MT6765, MT6767, MT6768, MT6769, MT6771, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788
 
In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01297807; Issue ID: MSV-1482. 2024-07-01 7.5 CVE-2024-20077
security@mediatek.com
MediaTek, Inc.–MT6768, MT6779, MT8321, MT8385, MT8755, MT8765, MT8766, MT8768, MT8771, MT8775, MT8781, MT8786, MT8788, MT8789, MT8791T, MT8792, MT8795T, MT8796, MT8797, MT8798
 
In venc, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08737250; Issue ID: MSV-1452. 2024-07-01 9.8 CVE-2024-20078
security@mediatek.com
mesbook — mesbook
 
Information exposure vulnerability in MESbook 20221021.03 version, the exploitation of which could allow a local attacker, with user privileges, to access different resources by changing the API value of the application. 2024-07-03 7.1 CVE-2024-6426
cve-coordination@incibe.es
mesbook — mesbook
 
Uncontrolled Resource Consumption vulnerability in MESbook 20221021.03 version. An unauthenticated remote attacker can use the “message” parameter to inject a payload with dangerous JavaScript code, causing the application to loop requests on itself, which could lead to resource consumption and disable the application. 2024-07-03 7.5 CVE-2024-6427
cve-coordination@incibe.es
MESbook–MESbook
 
External server-side request vulnerability in MESbook 20221021.03 version, which could allow a remote, unauthenticated attacker to exploit the endpoint “/api/Proxy/Post?userName=&password=&uri=<FILE|INTERNAL URL|IP/HOST” or “/api/Proxy/Get?userName=&password=&uri=<ARCHIVO|URL INTERNA|IP/HOST” to read the source code of web files, read internal files or access network resources. 2024-07-01 9.3 CVE-2024-6424
cve-coordination@incibe.es
MESbook–MESbook
 
Incorrect Provision of Specified Functionality vulnerability in MESbook 20221021.03 version. An unauthenticated remote attacker can register user accounts without being authenticated from the route “/account/Register/” and in the parameters “UserName=<RANDOMUSER>&Password=<PASSWORD>&ConfirmPassword=<PASSWORD-REPEAT>”. 2024-07-01 9.1 CVE-2024-6425
cve-coordination@incibe.es
Mitsubishi Electric Corporation–MELIPC Series MI5122-VW
 
Incorrect Default Permissions vulnerability in Smart Device Communication Gateway preinstalled on MELIPC Series MI5122-VW firmware versions “05” to “07” allows a local attacker to execute arbitrary code by saving a malicious file to a specific folder. As a result, the attacker may disclose, tamper with, destroy or delete information in the product, or cause a denial-of-service (DoS) condition on the product. 2024-07-04 8.8 CVE-2024-3904
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
mongodb — compass
 
MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass’ connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2 2024-07-01 9.8 CVE-2024-6376
cna@mongodb.com
MRW–MRW plugin
 
Information exposure vulnerability in the MRW plugin, in its 5.4.3 version, affecting the “mrw_log” functionality. This vulnerability could allow a remote attacker to obtain other customers’ order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels. 2024-07-04 8.2 CVE-2024-6506
cve-coordination@incibe.es
mySCADA–myPRO
 
mySCADA myPRO uses a hard-coded password which could allow an attacker to remotely execute code on the affected device. 2024-07-02 9.8 CVE-2024-4708
ics-cert@hq.dhs.gov
ics-cert@hq.dhs.gov
N-able–N-central
 
The N-central server is vulnerable to an authentication bypass of the user interface. This vulnerability is present in all deployments of N-central prior to 2024.2. This vulnerability was discovered through internal N-central source code review and N-able has not observed any exploitation in the wild. 2024-07-01 9.1 CVE-2024-28200
a5532a13-c4dd-4202-bef1-e0b8f2f8d12b
a5532a13-c4dd-4202-bef1-e0b8f2f8d12b
N-able–N-central
 
The N-central server is vulnerable to session rebinding of already authenticated users when using Entra SSO, which can lead to authentication bypass. This vulnerability is present in all Entra-supported deployments of N-central prior to 2024.3. 2024-07-01 9.1 CVE-2024-5322
a5532a13-c4dd-4202-bef1-e0b8f2f8d12b
a5532a13-c4dd-4202-bef1-e0b8f2f8d12b
N/A–N/A
 
Command injection when ingesting a remote Kaggle dataset due to a lack of input sanitization in the ingest_kaggle() API 2024-07-04 8.1 CVE-2024-6507
reefs@jfrog.com
reefs@jfrog.com
n/a–n/a
 
rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function empty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 9.8 CVE-2024-38993
cve@mitre.org
n/a–n/a
 
ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 9.8 CVE-2024-38996
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
cafebazaar hod v0.4.14 was discovered to contain a prototype pollution via the function request. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 9.8 CVE-2024-39015
cve@mitre.org
n/a–n/a
 
agreejs shared v0.0.1 was discovered to contain a prototype pollution via the function mergeInternalComponents. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 9.8 CVE-2024-39017
cve@mitre.org
n/a–n/a
 
Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. 2024-07-01 9.8 CVE-2024-39236
cve@mitre.org
n/a–n/a
 
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious –split-string env request if the built-in SSH server is activated. Windows installations are unaffected. 2024-07-04 9.9 CVE-2024-39930
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Gogs through 0.13.0 allows deletion of internal files. 2024-07-04 9.9 CVE-2024-39931
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Gogs through 0.13.0 allows argument injection during the previewing of changes. 2024-07-04 9.9 CVE-2024-39932
cve@mitre.org
cve@mitre.org
n/a–n/a
 
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js). 2024-07-04 9.9 CVE-2024-39943
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
akbr patch-into v1.0.1 was discovered to contain a prototype pollution via the function patchInto. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 8.8 CVE-2024-38991
cve@mitre.org
n/a–n/a
 
airvertco frappejs v0.0.11 was discovered to contain a prototype pollution via the function registerView. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 8.8 CVE-2024-38992
cve@mitre.org
n/a–n/a
 
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function config. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 8.4 CVE-2024-38998
cve@mitre.org
n/a–n/a
 
che3vinci c3/utils-1 1.0.131 was discovered to contain a prototype pollution via the function assign. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 8.1 CVE-2024-39016
cve@mitre.org
n/a–n/a
 
An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.. 2024-07-04 8.6 CVE-2024-39936
cve@mitre.org
n/a–n/a
 
supOS 5.0 allows api/image/download?fileName=../ directory traversal for reading files. 2024-07-04 8.6 CVE-2024-39937
cve@mitre.org
cve@mitre.org
n/a–n/a
 
amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 7.3 CVE-2024-38994
cve@mitre.org
n/a–n/a
 
amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function setValue. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 7.3 CVE-2024-39003
cve@mitre.org
n/a–n/a
 
Gogs through 0.13.0 allows argument injection during the tagging of a new release. 2024-07-04 7.7 CVE-2024-39933
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Robotmk before 2.0.1 allows a local user to escalate privileges (e.g., to SYSTEM) if automated Python environment setup is enabled, because the “shared holotree usage” feature allows any user to edit any Python environment. 2024-07-04 7.8 CVE-2024-39934
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
openbsd — openssh
 
A security regression (CVE-2006-5051) was discovered in OpenSSH’s server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. 2024-07-01 8.1 CVE-2024-6387
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
openharmony — openharmony
 
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through out-of-bounds read and write. 2024-07-02 9.8 CVE-2024-36243
scy@openharmony.io
openharmony — openharmony
 
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through out-of-bounds write. 2024-07-02 9.8 CVE-2024-36260
scy@openharmony.io
openharmony — openharmony
 
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through use after free. 2024-07-02 9.8 CVE-2024-37030
scy@openharmony.io
openharmony — openharmony
 
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through out-of-bounds write. 2024-07-02 9.8 CVE-2024-37077
scy@openharmony.io
openharmony — openharmony
 
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through out-of-bounds write. 2024-07-02 9.8 CVE-2024-37185
scy@openharmony.io
parse-community–parse-server
 
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available. 2024-07-01 9.8 CVE-2024-39309
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
pi-hole–pi-hole
 
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. Version 5.18.3 contains a patch for this issue. 2024-07-05 8.5 CVE-2024-34361
security-advisories@github.com
security-advisories@github.com
playsms — playsms
 
A vulnerability was found in playSMS 1.4.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php?app=main&inc=feature_firewall&op=firewall_list of the component Template Handler. The manipulation of the argument IP address with the input {{`id`} leads to injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-270277 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-07-03 8.8 CVE-2024-6469
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
qualcomm — 315_5g_iot_modem_firmware
 
Memory corruption while performing finish HMAC operation when context is freed by keymaster. 2024-07-01 7.8 CVE-2024-21461
product-security@qualcomm.com
qualcomm — 315_5g_iot_modem_firmware
 
Memory corruption when IOMMU unmap operation fails, the DMA and anon buffers are getting released. 2024-07-01 7.8 CVE-2024-23373
product-security@qualcomm.com
qualcomm — 9205_lte_modem_firmware
 
Memory corruption while processing key blob passed by the user. 2024-07-01 7.8 CVE-2024-21465
product-security@qualcomm.com
qualcomm — 9205_lte_modem_firmware
 
Memory corruption when an invoke call and a TEE call are bound for the same trusted application. 2024-07-01 7.8 CVE-2024-21469
product-security@qualcomm.com
qualcomm — apq8064au_firmware
 
Memory corruption when allocating and accessing an entry in an SMEM partition. 2024-07-01 7.8 CVE-2024-23368
product-security@qualcomm.com
qualcomm — ar8035_firmware
 
INformation disclosure while handling Multi-link IE in beacon frame. 2024-07-01 7.5 CVE-2024-21457
product-security@qualcomm.com
qualcomm — ar8035_firmware
 
Information disclosure while handling SA query action frame. 2024-07-01 7.5 CVE-2024-21458
product-security@qualcomm.com
qualcomm — csr8811_firmware
 
Memory corruption during the secure boot process, when the `bootm` command is used, it bypasses the authentication of the kernel/rootfs image. 2024-07-01 7.8 CVE-2024-21482
product-security@qualcomm.com
qualcomm — fastconnect_6200_firmware
 
Memory corruption while invoking IOCTL call for GPU memory allocation and size param is greater than expected size. 2024-07-01 7.8 CVE-2024-23372
product-security@qualcomm.com
qualcomm — fastconnect_6200_firmware
 
Memory corruption while handling user packets during VBO bind operation. 2024-07-01 7.8 CVE-2024-23380
product-security@qualcomm.com
qualcomm — fastconnect_7800_firmware
 
Information disclosure while parsing sub-IE length during new IE generation. 2024-07-01 7.5 CVE-2024-21466
product-security@qualcomm.com
Qualcomm, Inc.–Snapdragon
 
Memory corruption while processing IOCTL handler in FastRPC. 2024-07-01 8.4 CVE-2023-43554
product-security@qualcomm.com
Red Hat–Red Hat Enterprise Linux 9
 
A flaw was found in the QEMU disk image utility (qemu-img) ‘info’ command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file. 2024-07-02 7.8 CVE-2024-4467
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
Red Lion Europe–mbNET.mini
 
A high privileged remote attacker can execute arbitrary system commands via GET requests due to improper neutralization of special elements used in an OS command. 2024-07-03 7.2 CVE-2024-5672
info@cert.vde.com
info@cert.vde.com
info@cert.vde.com
Routing Release–Routing Release
 
Security check loophole in HAProxy release (in combination with routing release) in Cloud Foundry prior to v40.17.0 potentially allows bypass of mTLS authentication to applications hosted on Cloud Foundry. 2024-07-03 9 CVE-2024-37082
security@vmware.com
samsung — android
 
Improper input validation in BLE prior to SMR Jul-2024 Release 1 allows adjacent attackers to trigger abnormal behavior. 2024-07-02 8.8 CVE-2024-20890
mobile.security@samsung.com
samsung — android
 
Improper input validation in parsing and distributing RTCP packet in librtp.so prior to SMR Jul-2024 Release 1 allows remote attackers to execute arbitrary code with system privilege. User interaction is required for triggering this vulnerability. 2024-07-02 8.8 CVE-2024-34593
mobile.security@samsung.com
samsung — android
 
Improper access control in OneUIHome prior to SMR Jul-2024 Release 1 allows local attackers to launch privileged activities. User interaction is required for triggering this vulnerability. 2024-07-02 7.8 CVE-2024-20888
mobile.security@samsung.com
samsung — android
 
Improper access control in launchFullscreenIntent of SystemUI prior to SMR Jul-2024 Release 1 allows local attackers to launch privileged activities. 2024-07-02 7.8 CVE-2024-20891
mobile.security@samsung.com
samsung — android
 
Improper verification of signature in FilterProvider prior to SMR Jul-2024 Release 1 allows local attackers to execute privileged behaviors. User interaction is required for triggering this vulnerability. 2024-07-02 7.8 CVE-2024-20892
mobile.security@samsung.com
samsung — android
 
Improper input validation in libmediaextractorservice.so prior to SMR Jul-2024 Release 1 allows local attackers to trigger memory corruption. 2024-07-02 7.8 CVE-2024-20893
mobile.security@samsung.com
samsung — android
 
Improper input validation in copying data to buffer cache in libsaped prior to SMR Jul-2024 Release 1 allows local attackers to write out-of-bounds memory. 2024-07-02 7.8 CVE-2024-20901
mobile.security@samsung.com
samsung — android
 
Improper access control in launchApp of SystemUI prior to SMR Jul-2024 Release 1 allows local attackers to launch privileged activities. 2024-07-02 7.8 CVE-2024-34585
mobile.security@samsung.com
samsung — android
 
Improper access control in clickAdapterItem of SystemUI prior to SMR Jul-2024 Release 1 allows local attackers to launch privileged activities. 2024-07-02 7.8 CVE-2024-34595
mobile.security@samsung.com
samsung — smartthings
 
Improper authentication in SmartThings prior to version 1.8.17 allows remote attackers to bypass the expiration date for members set by the owner. 2024-07-02 7.5 CVE-2024-34596
mobile.security@samsung.com
sitetweet_project — sitetweet
 
The sitetweet WordPress plugin through 0.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack 2024-07-02 8.8 CVE-2024-5767
contact@wpscan.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an authenticated user could create an external lookup that calls a legacy internal function. The authenticated user could use this internal function to insert code into the Splunk platform installation directory. From there, the user could execute arbitrary code on the Splunk platform Instance. 2024-07-01 8 CVE-2024-36983
prodsec@splunk.com
prodsec@splunk.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, an authenticated user could execute a specially crafted query that they could then use to serialize untrusted data. The attacker could use the query to execute arbitrary code. 2024-07-01 8.8 CVE-2024-36984
prodsec@splunk.com
prodsec@splunk.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or power Splunk roles could cause a Remote Code Execution through an external lookup that references the “splunk_archiver” application. 2024-07-01 8.8 CVE-2024-36985
prodsec@splunk.com
prodsec@splunk.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312, an admin user could store and execute arbitrary JavaScript code in the browser context of another Splunk user through the conf-web/settings REST endpoint. This could potentially cause a persistent cross-site scripting (XSS) exploit. 2024-07-01 8.1 CVE-2024-36997
prodsec@splunk.com
prodsec@splunk.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an attacker could trigger a null pointer reference on the cluster/config REST endpoint, which could result in a crash of the Splunk daemon. 2024-07-01 7.5 CVE-2024-36982
prodsec@splunk.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, a low-privileged user that does not hold the admin or power Splunk roles could create notifications in Splunk Web Bulletin Messages that all users on the instance receive. 2024-07-01 7.1 CVE-2024-36989
prodsec@splunk.com
prodsec@splunk.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows. 2024-07-01 7.5 CVE-2024-36991
prodsec@splunk.com
prodsec@splunk.com
Theme-Ruby–Foxiz
 
Server-Side Request Forgery (SSRF) vulnerability in Theme-Ruby Foxiz.This issue affects Foxiz: from n/a through 2.3.5. 2024-07-06 7.2 CVE-2024-37260
audit@patchstack.com
traefik–traefik
 
Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available. 2024-07-05 7.5 CVE-2024-39321
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
wbolt — imgspider
 
The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘upload_img_file’ function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site’s server which may make remote code execution possible. 2024-07-04 8.8 CVE-2024-6318
security@wordfence.com
security@wordfence.com
security@wordfence.com
wbolt — imgspider
 
The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘upload’ function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site’s server which may make remote code execution possible. 2024-07-04 8.8 CVE-2024-6319
security@wordfence.com
security@wordfence.com
security@wordfence.com
WofficeIO–Woffice
 
Cross Site Scripting (XSS) vulnerability in WofficeIO Woffice allows Reflected XSS.This issue affects Woffice: from n/a through 5.4.8. 2024-07-04 7.1 CVE-2024-37472
audit@patchstack.com
WofficeIO–Woffice Core
 
Cross Site Scripting (XSS) vulnerability in WofficeIO Woffice Core allows Reflected XSS.This issue affects Woffice Core: from n/a through 5.4.8. 2024-07-04 7.1 CVE-2024-37471
audit@patchstack.com
yt-dlp–yt-dlp
 
`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions, `yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on Windows executables will be executed from the `yt-dlp` or `youtube-dl` directory), this could lead to arbitrary code being executed. `yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. `youtube-dl` fixes this issue in commit `d42a222` on the `master` branch and in nightly builds tagged 2024-07-03 or later. This might mean some very uncommon extensions might not get downloaded, however it will also limit the possible exploitation surface. In addition to upgrading, have `.%(ext)s` at the end of the output template and make sure the user trusts the websites that they are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like one’s user directory, `system32`, or other binaries locations. For users who are not able to upgrade, keep the default output template (`-o “%(title)s [%(id)s].%(ext)s`); make sure the extension of the media to download is a common video/audio/sub/… one; try to avoid the generic extractor; and/or use `–ignore-config –config-location …` to not load config from common locations. 2024-07-02 7.8 CVE-2024-38519
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com

Back to top

Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
2code — himer
 
The Himer WordPress theme before 2.1.1 does not sanitise and escape some of its Post settings, which could allow high privilege users such as Contributor to perform Stored Cross-Site Scripting attacks 2024-07-03 5.4 CVE-2024-2234
contact@wpscan.com
2code — himer
 
The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make users join private groups via a CSRF attack 2024-07-03 4.3 CVE-2024-2040
contact@wpscan.com
2code — himer
 
The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. These include declining and accepting group invitations or leaving a group 2024-07-03 4.3 CVE-2024-2233
contact@wpscan.com
2code — himer
 
The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make users vote on any polls, including those they don’t have access to via a CSRF attack 2024-07-03 4.3 CVE-2024-2235
contact@wpscan.com
2code — wpqa_builder
 
The WPQA Builder WordPress plugin before 6.1.1 does not sanitise and escape some of its Slider settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks 2024-07-03 5.4 CVE-2024-2375
contact@wpscan.com
aimeos–ai-admin-jsonadm
 
aimeos/ai-admin-jsonadm is the Aimeos e-commerce JSON API for administrative tasks. In versions prior to 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2, improper access control allows editors to remove admin group and locale configuration in the Aimeos backend. Versions 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2 contain a fix for the issue. 2024-07-02 5.5 CVE-2024-39322
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
aimeos–ai-controller-frontend
 
aimeos/ai-controller-frontend is the Aimeos frontend controller. Prior to versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, aimeos/ai-controller-frontend doesn’t reset the payment status of a user’s basket after the user completes a purchase. Versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15 fix this issue. 2024-07-02 5.3 CVE-2024-39325
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
apollo13themes — rife_elementor_extensions_&_templates
 
The Rife Elementor Extensions & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tag’ attribute within the plugin’s Writing Effect Headline widget in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-02 5.4 CVE-2024-5504
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
Automattic–Newspack Ads
 
Cross Site Scripting (XSS) vulnerability in Automattic Newspack Ads allows Stored XSS.This issue affects Newspack Ads: from n/a through 1.47.1. 2024-07-04 6.5 CVE-2024-37474
audit@patchstack.com
Automattic–Newspack Campaigns
 
Cross Site Scripting (XSS) vulnerability in Automattic Newspack Campaigns allows Stored XSS.This issue affects Newspack Campaigns: from n/a through 2.31.1. 2024-07-04 6.5 CVE-2024-37476
audit@patchstack.com
Axelerant–Testimonials Widget
 
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Axelerant Testimonials Widget allows Stored XSS.This issue affects Testimonials Widget: from n/a through 4.0.4. 2024-07-06 6.5 CVE-2024-37553
audit@patchstack.com
biplob018–Image Hover Effects – Caption Hover with Carousel
 
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in biplob018 Image Hover Effects – Caption Hover with Carousel allows Stored XSS.This issue affects Image Hover Effects – Caption Hover with Carousel: from n/a through 3.0.2. 2024-07-06 6.5 CVE-2024-37546
audit@patchstack.com
boot_store_project — boot_store
 
The Boot Store theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme’s Button shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-02 5.4 CVE-2024-5938
security@wordfence.com
security@wordfence.com
cedcommerce — one_click_order_re-order
 
The One Click Order Re-Order plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘ced_ocor_save_general_setting’ function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the plugin settings, including adding stored cross-site scripting. 2024-07-04 5.4 CVE-2024-5641
security@wordfence.com
security@wordfence.com
security@wordfence.com
CHANGING–Mobile One Time Password
 
CHANGING Mobile One Time Password does not properly filter parameters for the file download functionality, allowing remote attackers with administrator privilege to read arbitrary file on the system. 2024-07-01 4.9 CVE-2024-3122
twcert@cert.org.tw
twcert@cert.org.tw
Checkmk GmbH–Checkmk
 
Stored XSS in Checkmk before versions 2.3.0p8, 2.2.0p29, 2.1.0p45, and 2.0.0 (EOL) allows users to execute arbitrary scripts by injecting HTML elements 2024-07-03 6.5 CVE-2024-6052
security@checkmk.com
Checkmk GmbH–Checkmk
 
Improper neutralization of input in Checkmk before versions 2.3.0p8, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows attackers to craft malicious links that can facilitate phishing attacks. 2024-07-02 4.3 CVE-2024-38857
security@checkmk.com
cisco — nx-os
 
A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root. Note: To successfully exploit this vulnerability on a Cisco NX-OS device, an attacker must have Administrator credentials. 2024-07-01 6.7 CVE-2024-20399
ykramarz@cisco.com
CodeAstrology Team–UltraAddons Elementor Lite (Header & Footer Builder, Menu Builder, Cart Icon, Shortcode)
 
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in CodeAstrology Team UltraAddons Elementor Lite (Header & Footer Builder, Menu Builder, Cart Icon, Shortcode).This issue affects UltraAddons Elementor Lite (Header & Footer Builder, Menu Builder, Cart Icon, Shortcode): from n/a through 1.1.6. 2024-07-06 6.5 CVE-2024-37554
audit@patchstack.com
coderberg — residencecms
 
A stored cross-site scripting (XSS) vulnerability exists in ResidenceCMS 2.10.1 that allows a low-privilege user to create malicious property content with HTML inside which acts as a stored XSS payload. 2024-07-02 5.4 CVE-2024-39143
cve@mitre.org
davidlingren — media_library_assistant
 
The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the order parameter in all versions up to, and including, 3.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2024-07-02 6.1 CVE-2024-5544
security@wordfence.com
security@wordfence.com
Delinea–Centrify PAS
 
Vulnerability in Delinea Centrify PAS v. 21.3 and possibly others. The application is prone to the path traversal vulnerability allowing listing of arbitrary directory outside the root directory of the web application. Versions 23.1-HF7 and on have the patch. 2024-07-02 5 CVE-2024-5866
vulnerability@kaspersky.com
dell — powerscale_onefs
 
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contain an improper privilege management vulnerability. A local high privilege attacker could potentially exploit this vulnerability, leading to privilege escalation. 2024-07-02 6.7 CVE-2024-32854
security_alert@emc.com
dell — powerscale_onefs
 
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contain an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to unauthorized gain of root-level access. 2024-07-02 6.7 CVE-2024-37126
security_alert@emc.com
dell — powerscale_onefs
 
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contain an incorrect privilege assignment vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Denial of service and Elevation of privileges. 2024-07-02 6.7 CVE-2024-37132
security_alert@emc.com
dell — powerscale_onefs
 
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contain an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to unauthorized gain of root-level access. 2024-07-02 6.7 CVE-2024-37133
security_alert@emc.com
dell — powerscale_onefs
 
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contain an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability to gain root-level access. 2024-07-02 6.7 CVE-2024-37134
security_alert@emc.com
Dell–CPG BIOS
 
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with admin privileges may potentially exploit this vulnerability to modify a UEFI variable, leading to denial of service and escalation of privileges 2024-07-02 5.1 CVE-2024-0158
security_alert@emc.com
Delower–WP To Do
 
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Delower WP To Do allows Stored XSS.This issue affects WP To Do: from n/a through 1.3.0. 2024-07-06 6.5 CVE-2024-37539
audit@patchstack.com
discourse–discourse
 
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, a malicious actor could get the FastImage library to redirect requests to an internal Discourse IP. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. No known workarounds are available. 2024-07-03 6.4 CVE-2024-37157
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
discourse–discourse
 
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, an attacker can execute arbitrary JavaScript on users’ browsers by posting a specific URL containing maliciously crafted meta tags. This issue only affects sites with Content Security Polic (CSP) disabled. The problem has been patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch. As a workaround, ensure CSP is enabled on the forum. 2024-07-03 4.2 CVE-2024-35234
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
discourse–discourse
 
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch, a rogue staff user could suspend other staff users preventing them from logging in to the site. The issue is patched in version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch. No known workarounds are available. 2024-07-03 4.9 CVE-2024-36113
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
dotcamp — ultimate_blocks
 
The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the title tag parameter in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-02 5.4 CVE-2024-3513
security@wordfence.com
security@wordfence.com
dotcamp — ultimate_blocks
 
The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s blocks in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-02 5.4 CVE-2024-4268
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
envoyproxy–envoy
 
Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7. Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be immediately apparent if it was configured. Memory allocated for holding attribute values is freed after configuration was parsed. During request processing Envoy will attempt to copy content of de-allocated memory into request cookie header. This can lead to arbitrary content of Envoy’s memory to be sent to the upstream service or abnormal process termination. This vulnerability is fixed in Envoy versions v1.30.4, v1.29.7, v1.28.5, and v1.27.7. As a workaround, do not use cookie attributes in route action hash policy. 2024-07-01 6.5 CVE-2024-39305
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
ethyca–fides
 
Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available. 2024-07-03 5.3 CVE-2024-31223
security-advisories@github.com
security-advisories@github.com
flowiseai — flowise
 
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `api/v1/chatflows/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. 2024-07-01 6.1 CVE-2024-36422
security-advisories@github.com
security-advisories@github.com
FlowiseAI–Flowise
 
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/public-chatflows/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. 2024-07-01 6.1 CVE-2024-36423
security-advisories@github.com
security-advisories@github.com
FlowiseAI–Flowise
 
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/chatflows-streaming/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. 2024-07-01 6.1 CVE-2024-37145
security-advisories@github.com
security-advisories@github.com
FlowiseAI–Flowise
 
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/credentials/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. 2024-07-01 6.1 CVE-2024-37146
security-advisories@github.com
security-advisories@github.com
geoserver — geoserver
 
GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer’s Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules’ status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens. Additionally, many community-developed GeoServer container images `export` other credentials from their start-up scripts as environment variables to the GeoServer (`java`) process. The precise scope of the issue depends on which container image is used and how it is configured. The `about status` API endpoint which powers the Server Status page is only available to administrators.Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts).By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator’s credentials to gain access to credentials. The researchers who found the vulnerability were unable to determine any other conditions under which the GeoServer REST API may be available more broadly. Users should update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix. As a workaround, leave environment variables and Java system properties hidden by default. Those who provide the option to re-enable it should communicate the impact and risks so that users can make an informed choice. 2024-07-01 4.9 CVE-2024-34696
security-advisories@github.com
HCL Software–Nomad server on Domino
 
HCL Nomad server on Domino fails to properly handle users configured with limited Domino access resulting in a possible denial of service vulnerability. 2024-07-05 5.3 CVE-2024-23588
psirt@hcl.com
Hitachi–Hitachi Ops Center Common Services
 
Incorrect Default Permissions, Improper Preservation of Permissions vulnerability in Hitachi Ops Center Common Services allows File Manipulation.This issue affects Hitachi Ops Center Common Services: before 11.0.2-00. 2024-07-02 5.1 CVE-2024-2819
hirt@hitachi.co.jp
hitout — carsale
 
A vulnerability has been found in Hitout Carsale 1.0 and classified as critical. This vulnerability affects unknown code of the file OrderController.java. The manipulation of the argument orderBy leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-270166 is the identifier assigned to this vulnerability. 2024-07-02 6.5 CVE-2024-6438
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
ICONICS–GENESIS64
 
Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) vulnerability in the licensing feature of ICONICS GENESIS64 versions 10.97 to 10.97.2, Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.2 and Mitsubishi Electric MC Works64 all versions allows a local attacker to execute a malicious code with administrative privileges by tampering with a specific file that is not protected by the system. 2024-07-04 6.7 CVE-2024-1574
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
ICONICS–GENESIS64
 
Improper Authentication vulnerability in the mobile monitoring feature of ICONICS GENESIS64 versions 10.97 to 10.97.2, Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.2 and Mitsubishi Electric MC Works64 all versions allows a remote unauthenticated attacker to bypass proper authentication and log in to the system when all of the following conditions are met: * Active Directory is used in the security setting. * “Automatic log in” option is enabled in the security setting. * The IcoAnyGlass IIS Application Pool is running under an Active Directory Domain Account. * The IcoAnyGlass IIS Application Pool account is included in GENESIS64TM and MC Works64 Security and has permission to log in. 2024-07-04 5.9 CVE-2024-1573
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
itsourcecode–Farm Management System
 
A vulnerability was found in itsourcecode Farm Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /quarantine.php?id=3. The manipulation of the argument pigno/breed/reason leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-270241 was assigned to this vulnerability. NOTE: Original submission mentioned parameter pigno only but the VulDB data analysis team determined two additional parameters to be affected as well. 2024-07-02 6.3 CVE-2024-6453
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
JetBrains–TeamCity
 
In JetBrains TeamCity before 2024.03.3 application token could be exposed in EC2 Cloud Profile settings 2024-07-01 5 CVE-2024-39879
cve@jetbrains.com
JetBrains–TeamCity
 
In JetBrains TeamCity before 2024.03.3 private key could be exposed via testing GitHub App Connection 2024-07-01 4.1 CVE-2024-39878
cve@jetbrains.com
Johnson Controls–American Dynamics Illustra Essentials Gen 4
 
Under certain circumstances the Linux users credentials may be recovered by an authenticated user. 2024-07-02 6.8 CVE-2024-32756
productsecurity@jci.com
productsecurity@jci.com
Johnson Controls–American Dynamics Illustra Essentials Gen 4
 
Under certain circumstances unnecessary user details are provided within system logs 2024-07-02 6.8 CVE-2024-32757
productsecurity@jci.com
productsecurity@jci.com
Johnson Controls–American Dynamics Illustra Essentials Gen 4
 
Under certain circumstances the web interface users credentials may be recovered by an authenticated user. 2024-07-02 6.8 CVE-2024-32932
productsecurity@jci.com
productsecurity@jci.com
jungo — windriver
 
Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.1.0 allows local attackers to cause a Windows blue screen error. 2024-07-02 5.5 CVE-2023-51777
cve@mitre.org
cve@mitre.org
cve@mitre.org
jungo — windriver
 
Out-of-Bounds Write vulnerability in Jungo WinDriver before 12.1.0 allows local attackers to cause a Windows blue screen error and Denial of Service (DoS). 2024-07-02 5.5 CVE-2023-51778
cve@mitre.org
cve@mitre.org
cve@mitre.org
jungo — windriver
 
Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.6.0 allows local attackers to cause a Windows blue screen error. 2024-07-02 5.5 CVE-2024-22102
cve@mitre.org
cve@mitre.org
cve@mitre.org
jungo — windriver
 
Out-of-Bounds Write vulnerability in Jungo WinDriver before 12.6.0 allows local attackers to cause a Windows blue screen error and Denial of Service (DoS). 2024-07-02 5.5 CVE-2024-22103
cve@mitre.org
cve@mitre.org
cve@mitre.org
jungo — windriver
 
Out-of-Bounds Write vulnerability in Jungo WinDriver before 12.5.1 allows local attackers to cause a Windows blue screen error and Denial of Service (DoS). 2024-07-02 5.5 CVE-2024-22104
cve@mitre.org
cve@mitre.org
cve@mitre.org
jungo — windriver
 
Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.5.1 allows local attackers to cause a Windows blue screen error. 2024-07-02 5.5 CVE-2024-22105
cve@mitre.org
cve@mitre.org
cve@mitre.org
jungo — windriver
 
Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.7.0 allows local attackers to cause a Windows blue screen error. 2024-07-02 5.5 CVE-2024-25087
cve@mitre.org
cve@mitre.org
cve@mitre.org
kiloview — p1_firmware
 
A ‘Cross-site Scripting’ (XSS) vulnerability, characterized by improper input neutralization during web page generation, has been discovered. This vulnerability allows for Stored XSS attacks to occur. Multiple areas within the administration interface of the webserver lack adequate input validation, resulting in multiple instances of Stored XSS vulnerabilities. 2024-07-02 5.4 CVE-2023-41922
cert@ncsc.nl
Kiloview–P1/P2
 
The server supports at least one cipher suite which is on the NCSC-NL list of cipher suites to be phased out, increasing the risk of cryptographic weaknesses. 2024-07-02 5.3 CVE-2023-41927
cert@ncsc.nl
Kiloview–P1/P2
 
The device is observed to accept deprecated TLS protocols, increasing the risk of cryptographic weaknesses. 2024-07-02 5.3 CVE-2023-41928
cert@ncsc.nl
KisaragiEffective–toy-blog
 
toy-blog is a headless content management system implementation. Starting in version 0.5.4 and prior to version 0.6.1, articles with private visibility can be read if the reader does not set credentials for the request. Users should upgrade to 0.6.1 or later to receive a patch. No known workarounds are available. 2024-07-01 6.5 CVE-2024-39313
security-advisories@github.com
security-advisories@github.com
KisaragiEffective–toy-blog
 
toy-blog is a headless content management system implementation. Starting in version 0.4.3 and prior to version 0.5.0, the administrative password was leaked through the command line parameter. The problem was patched in version 0.5.0. As a workaround, pass `–read-bearer-token-from-stdin` to the launch arguments and feed the token from the standard input in version 0.4.14 or later. Earlier versions do not have this workaround. 2024-07-01 4.7 CVE-2024-39314
security-advisories@github.com
security-advisories@github.com
leap13 — premium_addons_for_elementor
 
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Countdown widget in all versions up to, and including, 4.10.35 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-03 5.4 CVE-2024-6340
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
leap13 — premium_addons_for_elementor
 
The Premium Addons for Elementor plugin for WordPress is vulnerable to Regular Expression Denial of Service (ReDoS) in all versions up to, and including, 4.10.35. This is due to processing user-supplied input as a regular expression. This makes it possible for authenticated attackers, with Author-level access and above, to create and query a malicious post title, resulting in slowing server resources. 2024-07-04 4.3 CVE-2024-6434
security@wordfence.com
security@wordfence.com
security@wordfence.com
linlinjava–litemall
 
A vulnerability classified as critical was found in linlinjava litemall up to 1.8.0. Affected by this vulnerability is an unknown functionality of the file AdminGoodscontroller.java. The manipulation of the argument goodsId/goodsSn/name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270235. 2024-07-02 6.3 CVE-2024-6452
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Livemesh–Livemesh Addons for Elementor
 
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Livemesh Livemesh Addons for Elementor.This issue affects Livemesh Addons for Elementor: from n/a through 8.3.7. 2024-07-06 6.5 CVE-2024-37547
audit@patchstack.com
livemeshelementor — addons_for_elementor
 
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s widgets in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-04 5.4 CVE-2024-2926
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
livemeshelementor — addons_for_elementor
 
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Marquee Text Widget, Testimonials Widget, and Testimonial Slider widgets in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-04 5.4 CVE-2024-3638
security@wordfence.com
security@wordfence.com
security@wordfence.com
livemeshelementor — addons_for_elementor
 
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Posts Grid widget in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-04 5.4 CVE-2024-3639
security@wordfence.com
security@wordfence.com
matrix-org–matrix-appservice-irc
 
matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The fix for GHSA-wm4w-7h2q-3pf7 / CVE-2024-32000 included in matrix-appservice-irc 2.0.0 relied on the Matrix homeserver-provided timestamp to determine whether a user has access to the event they’re replying to when determining whether or not to include a truncated version of the original event in the IRC message. Since this value is controlled by external entities, a malicious Matrix homeserver joined to a room in which a matrix-appservice-irc bridge instance (before version 2.0.1) is present can fabricate the timestamp with the intent of tricking the bridge into leaking room messages the homeserver should not have access to. matrix-appservice-irc 2.0.1 drops the reliance on `origin_server_ts` when determining whether or not an event should be visible to a user, instead tracking the event timestamps internally. As a workaround, it’s possible to limit the amount of information leaked by setting a reply template that doesn’t contain the original message. 2024-07-05 4.3 CVE-2024-39691
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
mattermost — mattermost
 
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken functionality in User Management such administrative actions against the user not working. 2024-07-03 6.5 CVE-2024-6428
responsibledisclosure@mattermost.com
mattermost — mattermost
 
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A. 2024-07-03 5.3 CVE-2024-36257
responsibledisclosure@mattermost.com
mattermost — mattermost
 
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken functionality in the channel or thread with user-defined posts 2024-07-03 5.4 CVE-2024-39361
responsibledisclosure@mattermost.com
mattermost — mattermost
 
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels. 2024-07-03 5.3 CVE-2024-39807
responsibledisclosure@mattermost.com
mattermost — mattermost
 
Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison. 2024-07-03 5.9 CVE-2024-39830
responsibledisclosure@mattermost.com
mongodb — mongodb
 
A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3. 2024-07-01 6.5 CVE-2024-6375
cna@mongodb.com
MongoDB Inc–libbson
 
The bson_string_append function in MongoDB C Driver may be vulnerable to a buffer overflow where the function might attempt to allocate too small of buffer and may lead to memory corruption of neighbouring heap memory. This issue affects libbson versions prior to 1.27.1 2024-07-03 5.3 CVE-2024-6383
cna@mongodb.com
MongoDB Inc–libbson
 
The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a negative offset. This may result in memory corruption. This issue affected libbson versions prior to 1.26.2 2024-07-02 4 CVE-2024-6381
cna@mongodb.com
MongoDB Inc–MongoDB Rust Driver
 
Incorrect handling of certain string inputs may result in MongoDB Rust driver constructing unintended server commands. This may cause unexpected application behavior including data modification. This issue affects MongoDB Rust Driver 2.0 versions prior to 2.8.2 2024-07-02 6.4 CVE-2024-6382
cna@mongodb.com
n/a–n/a
 
FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a SEGV at libavcodec/hevcdec.c:2947:22 in hevc_frame_end. 2024-07-01 6.6 CVE-2024-32228
cve@mitre.org
n/a–n/a
 
Tada5hi sp-common v0.5.4 was discovered to contain a prototype pollution via the function mergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 6.3 CVE-2024-38990
cve@mitre.org
n/a–n/a
 
adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function extendDefaults. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 6.5 CVE-2024-38997
cve@mitre.org
n/a–n/a
 
adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 6.5 CVE-2024-39000
cve@mitre.org
n/a–n/a
 
adolph_dudu ratio-swiper 0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 6.5 CVE-2024-39853
cve@mitre.org
n/a–n/a
 
MachForm up to version 19 is affected by an authenticated stored cross-site scripting. 2024-07-01 5.4 CVE-2024-37764
cve@mitre.org
n/a–n/a
 
In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.) 2024-07-02 5.3 CVE-2024-39891
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–ORIPA
 
A vulnerability was found in ORIPA up to 1.72. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file src/main/java/oripa/persistence/doc/loader/LoaderXML.java. The manipulation leads to deserialization. The attack can be launched remotely. Upgrading to version 1.80 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-270169 was assigned to this vulnerability. 2024-07-02 6.3 CVE-2024-6441
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
n/a–ShopXO
 
A vulnerability was found in ShopXO up to 6.1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file extend/base/Uploader.php. The manipulation of the argument source leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270367. NOTE: The original disclosure confuses CSRF with SSRF. 2024-07-05 5.5 CVE-2024-6524
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
N/A–VMware Cloud Director Availability
 
VMware Cloud Director Availability contains an HTML injection vulnerability. A malicious actor with network access to VMware Cloud Director Availability can craft malicious HTML tags to execute within replication tasks. 2024-07-04 6.4 CVE-2024-22277
security@vmware.com
NationalSecurityAgency–skills-service
 
SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue. 2024-07-02 4.4 CVE-2024-39326
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
pomerium–pomerium
 
Pomerium is an identity and context-aware access proxy. Prior to version 0.26.1, the Pomerium user info page (at `/.pomerium`) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user’s session. These tokens are not intended to be exposed to end users. This issue may be more severe in the presence of a cross-site scripting vulnerability in an upstream application proxied through Pomerium. If an attacker could insert a malicious script onto a web page proxied through Pomerium, that script could access these tokens by making a request to the `/.pomerium` endpoint. Upstream applications that authenticate only the ID token may be vulnerable to user impersonation using a token obtained in this manner. Note that an OAuth2 access token or ID token by itself is not sufficient to hijack a user’s Pomerium session. Upstream applications should not be vulnerable to user impersonation via these tokens provided the application verifies the Pomerium JWT for each request, the connection between Pomerium and the application is secured by mTLS, or the connection between Pomerium and the application is otherwise secured at the network layer. The issue is patched in Pomerium v0.26.1. No known workarounds are available. 2024-07-02 5.7 CVE-2024-39315
security-advisories@github.com
security-advisories@github.com
posimyth — the_plus_addons_for_elementor
 
The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Countdown’ widget in all versions up to, and including, 5.6.1 due to insufficient input sanitization and output escaping on user supplied ‘text_days’ attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-03 5.4 CVE-2024-4482
security@wordfence.com
security@wordfence.com
security@wordfence.com
qualcomm — 315_5g_iot_modem_firmware
 
Transient DOS while loading the TA ELF file. 2024-07-01 5.5 CVE-2024-21462
product-security@qualcomm.com
qualcomm — fastconnect_6900_firmware
 
Information disclosure when ASLR relocates the IMEM and Secure DDR portions as one chunk in virtual address space. 2024-07-01 6.5 CVE-2024-21460
product-security@qualcomm.com
Qualcomm, Inc.–Snapdragon
 
Information Disclosure while parsing beacon frame in STA. 2024-07-01 6.5 CVE-2024-21456
product-security@qualcomm.com
rack–rack
 
Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.5, Regular Expression Denial of Service (ReDoS) vulnerability exists in the `Rack::Request::Helpers` module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted `Accept-Encoding` or `Accept-Language` headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS). The fix for CVE-2024-26146 was not applied to the main branch and thus while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5. Users of versions on the 3.1 branch should upgrade to version 3.1.5 to receive the fix. 2024-07-02 6.5 CVE-2024-39316
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
radiustheme — the_post_grid
 
The The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the section title tag attribute in all versions up to, and including, 7.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-02 5.4 CVE-2024-1427
security@wordfence.com
security@wordfence.com
security@wordfence.com
rankmath — seo
 
The Rank Math SEO WordPress plugin before 1.0.219 does not sanitise and escape some of its settings, which could allow users with access to the General Settings (by default admin, however such access can be given to lower roles via the Role Manager feature of the Rank Math SEO WordPress plugin before 1.0.219) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). 2024-07-02 5.4 CVE-2024-4627
contact@wpscan.com
Red Hat–Red Hat Enterprise Linux 6
 
A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host. 2024-07-05 6 CVE-2024-6505
secalert@redhat.com
secalert@redhat.com
Robert Macchi–WP Scraper
 
Server-Side Request Forgery (SSRF) vulnerability in Robert Macchi WP Scraper.This issue affects WP Scraper: from n/a through 5.7. 2024-07-06 4.9 CVE-2024-37208
audit@patchstack.com
samsung — android
 
Improper input validation in parsing application information from RTCP packet in librtp.so prior to SMR Jul-2024 Release 1 allows remote attackers to execute arbitrary code with system privilege. User interaction is required for triggering this vulnerability. 2024-07-02 6.8 CVE-2024-34587
mobile.security@samsung.com
samsung — android
 
Improper input validation?in parsing RTCP SR packet in librtp.so prior to SMR Jul-2024 Release 1 allows remote attackers to trigger temporary denial of service. User interaction is required for triggering this vulnerability. 2024-07-02 6.5 CVE-2024-34588
mobile.security@samsung.com
samsung — android
 
Improper input validation in parsing RTCP RR packet in librtp.so prior to SMR Jul-2024 Release 1 allows remote attackers to trigger temporary denial of service. User interaction is required for triggering this vulnerability. 2024-07-02 6.5 CVE-2024-34589
mobile.security@samsung.com
samsung — android
 
Improper access control in Dar service prior to SMR Jul-2024 Release 1 allows local attackers to bypass restriction for calling SDP features. 2024-07-02 5.5 CVE-2024-20895
mobile.security@samsung.com
samsung — android
 
Use of implicit intent for sensitive communication in Configuration message prior to SMR Jul-2024 Release 1 allows local attackers to get sensitive information. 2024-07-02 5.5 CVE-2024-20896
mobile.security@samsung.com
samsung — android
 
Use of implicit intent for sensitive communication in FCM function in IMS service prior to SMR Jul-2024 Release 1 allows local attackers to get sensitive information. 2024-07-02 5.5 CVE-2024-20897
mobile.security@samsung.com
samsung — android
 
Use of implicit intent for sensitive communication in SoftphoneClient in IMS service prior to SMR Jul-2024 Release 1 allows local attackers to get sensitive information. 2024-07-02 5.5 CVE-2024-20898
mobile.security@samsung.com
samsung — android
 
Use of implicit intent for sensitive communication in RCS function in IMS service prior to SMR Jul-2024 Release 1 allows local attackers to get sensitive information. 2024-07-02 5.5 CVE-2024-20899
mobile.security@samsung.com
samsung — android
 
Exposure of sensitive information in proc file system prior to SMR Jul-2024 Release 1 allows local attackers to read kernel memory address. 2024-07-02 5.5 CVE-2024-34594
mobile.security@samsung.com
samsung — android
 
Improper authentication in BLE prior to SMR Jul-2024 Release 1 allows adjacent attackers to pair with devices. 2024-07-02 4.3 CVE-2024-20889
mobile.security@samsung.com
samsung — android
 
Improper handling of exceptional conditions in Secure Folder prior to SMR Jul-2024 Release 1 allows physical attackers to bypass authentication under certain condition. User interaction is required for triggering this vulnerability. 2024-07-02 4.3 CVE-2024-20894
mobile.security@samsung.com
samsung — android
 
Improper input validation혻in parsing an item type from RTCP SDES packet in librtp.so prior to SMR Jul-2024 Release 1 allows remote attackers to trigger temporary denial of service. User interaction is required for triggering this vulnerability. 2024-07-02 4.3 CVE-2024-34590
mobile.security@samsung.com
samsung — android
 
Improper input validation in parsing an item data from RTCP SDES packet in librtp.so prior to SMR Jul-2024 Release 1 allows remote attackers to trigger temporary denial of service. User interaction is required for triggering this vulnerability. 2024-07-02 4.3 CVE-2024-34591
mobile.security@samsung.com
samsung — android
 
Improper input validation in parsing RTCP SDES packet in librtp.so prior to SMR Jul-2024 Release 1 allows remote attackers to trigger temporary denial of service. User interaction is required for triggering this vulnerability. 2024-07-02 4.3 CVE-2024-34592
mobile.security@samsung.com
samsung — galaxystore
 
Improper verification of intent by broadcast receiver vulnerability in GalaxyStore prior to version 4.5.81.0 allows local attackers to launch unexported activities of GalaxyStore. 2024-07-02 5.3 CVE-2024-34601
mobile.security@samsung.com
shaonsina–Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
 
The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘read_more_text’ parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-02 6.4 CVE-2024-5260
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
SourceCodester–Medicine Tracker System
 
A vulnerability classified as critical was found in SourceCodester Medicine Tracker System 1.0. This vulnerability affects unknown code of the file /classes/Master.php?f=save_medicine. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-270010 is the identifier assigned to this vulnerability. 2024-07-01 6.3 CVE-2024-6419
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester–Online Tours & Travels Management
 
A vulnerability classified as critical has been found in SourceCodester Online Tours & Travels Management 1.0. This affects an unknown part of the file sms_setting.php. The manipulation of the argument uname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270279. 2024-07-03 6.3 CVE-2024-6471
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
spider-themes — eazydocs
 
The EazyDocs WordPress plugin before 2.5.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) 2024-07-02 4.8 CVE-2024-3999
contact@wpscan.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, an authenticated user could run risky commands using the permissions of a higher-privileged user to bypass SPL safeguards for risky commands in the Analytics Workspace. The vulnerability requires the authenticated user to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. 2024-07-01 6.3 CVE-2024-36986
prodsec@splunk.com
prodsec@splunk.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an authenticated, low-privileged user that does not hold the admin or power Splunk roles could send a specially crafted HTTP POST request to the datamodel/web REST endpoint in Splunk Enterprise, potentially causing a denial of service. 2024-07-01 6.5 CVE-2024-36990
prodsec@splunk.com
prodsec@splunk.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View that could result in execution of unauthorized JavaScript code in the browser of a user. The “url” parameter of the Dashboard element does not have proper input validation to reject invalid URLs, which could lead to a Persistent Cross-site Scripting (XSS) exploit. 2024-07-01 5.4 CVE-2024-36992
prodsec@splunk.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user. 2024-07-01 5.4 CVE-2024-36993
prodsec@splunk.com
prodsec@splunk.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View and Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user. 2024-07-01 5.4 CVE-2024-36994
prodsec@splunk.com
prodsec@splunk.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could create experimental items. 2024-07-01 5.4 CVE-2024-36995
prodsec@splunk.com
prodsec@splunk.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks. This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme. 2024-07-01 5.3 CVE-2024-36996
prodsec@splunk.com
Splunk–Splunk Enterprise
 
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the admin or power Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST endpoint. 2024-07-01 4.3 CVE-2024-36987
prodsec@splunk.com
StaxWP–Elementor Addons, Widgets and Enhancements Stax
 
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in StaxWP Elementor Addons, Widgets and Enhancements – Stax allows Stored XSS.This issue affects Elementor Addons, Widgets and Enhancements – Stax: from n/a through 1.4.4.1. 2024-07-06 6.5 CVE-2024-37541
audit@patchstack.com
stylemixthemes — cost_calculator_builder
 
The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textarea.description’ parameter in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-02 4.8 CVE-2024-6011
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
stylemixthemes — cost_calculator_builder
 
The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ’embed-create-page’ and ’embed-insert-pages’ functions in all versions up to, and including, 3.2.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary posts and append arbitrary content to existing posts. 2024-07-02 4.3 CVE-2024-6012
security@wordfence.com
security@wordfence.com
security@wordfence.com
stylemixthemes — motors_-_car_dealer,_classifieds_&_listing
 
The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the stm_edit_delete_user_car function in all versions up to, and including, 1.4.8. This makes it possible for unauthenticated attackers to unpublish arbitrary posts and pages. 2024-07-02 5.3 CVE-2024-5545
security@wordfence.com
security@wordfence.com
supsystic — easy_google_maps
 
The Easy Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s file upload feature in all versions up to, and including, 1.11.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-02 5.4 CVE-2024-5219
security@wordfence.com
security@wordfence.com
security@wordfence.com
syedbalkhi — wp_lightbox_2
 
The WP Lightbox 2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 3.0.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-03 5.4 CVE-2024-6263
security@wordfence.com
security@wordfence.com
security@wordfence.com
thimpress — learnpress
 
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the ‘register’ function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to bypass disabled user registration to create a new account with the default role. 2024-07-02 5.3 CVE-2024-6088
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
thimpress — learnpress
 
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the ‘check_validate_fields’ function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled. 2024-07-02 5.3 CVE-2024-6099
security@wordfence.com
security@wordfence.com
security@wordfence.com
Unisoc (Shanghai) Technologies Co., Ltd.–SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618
 
In faceid servive, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with no additional execution privileges needed 2024-07-01 5.1 CVE-2024-39429
security@unisoc.com
Unisoc (Shanghai) Technologies Co., Ltd.–SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618
 
In faceid servive, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with no additional execution privileges needed 2024-07-01 5.1 CVE-2024-39430
security@unisoc.com
Unisoc (Shanghai) Technologies Co., Ltd.–SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000
 
In trusty service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with System execution privileges needed 2024-07-01 6.8 CVE-2024-39428
security@unisoc.com
Unisoc (Shanghai) Technologies Co., Ltd.–SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000
 
In trusty service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with System execution privileges needed 2024-07-01 5.1 CVE-2024-39427
security@unisoc.com
voidcoders — void_contact_form_7_widget_for_elementor_page_builder
 
The Void Contact Form 7 Widget For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cf7_redirect_page’ attribute within the plugin’s Void Contact From 7 widget in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-02 5.4 CVE-2024-5419
security@wordfence.com
security@wordfence.com
security@wordfence.com
WeblateOrg–weblate
 
Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn’t correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects. 2024-07-01 4.4 CVE-2024-39303
security-advisories@github.com
security-advisories@github.com
WpDevArt–Responsive Image Gallery, Gallery Album
 
Missing Authorization vulnerability in WpDevArt Responsive Image Gallery, Gallery Album.This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3. 2024-07-06 5.4 CVE-2024-37542
audit@patchstack.com
wpexpertplugins — post_meta_data_manager
 
The Post Meta Data Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘$meta_key’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-07-02 5.4 CVE-2024-6264
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
XjSv–Basil
 
The Basil recipe theme for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `post_title` parameter in versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. Because the of the default WordPress validation, it is not possible to insert the payload directly but if the Cooked plugin is installed, it is possible to create a recipe post type (cp_recipe) and inject the payload in the title field. Version 2.0.5 contains a patch for the issue. 2024-07-01 5.4 CVE-2024-39310
security-advisories@github.com
security-advisories@github.com
yeken — snippet_shortcodes
 
The Snippet Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.1.4. This is due to missing or incorrect nonce validation when adding or editing shortcodes. This makes it possible for unauthenticated attackers to modify shortcodes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-07-03 4.3 CVE-2024-4543
security@wordfence.com
security@wordfence.com
zephyrproject-rtos–Zephyr
 
A malicious BLE device can send a specific order of packet sequence to cause a DoS attack on the victim BLE device 2024-07-03 6.5 CVE-2024-3332
vulnerabilities@zephyrproject.org
zitadel–zitadel
 
ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that information (e.g. when created though the session service) were incorrectly listed exposing potentially other user’s sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available. 2024-07-03 5.7 CVE-2024-39683
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com

Back to top

Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
aimeos–ai-admin-graphql
 
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn’t allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue. 2024-07-02 3.8 CVE-2024-39324
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
CodeIgniter–Ecommerce-CodeIgniter-Bootstrap
 
A vulnerability classified as problematic has been found in CodeIgniter Ecommerce-CodeIgniter-Bootstrap up to 1998845073cf433bc6c250b0354461fbd84d0e03. This affects an unknown part. The manipulation of the argument search_title/catName/sub/name/categorie leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 1b3da45308bb6c3f55247d0e99620b600bd85277. It is recommended to apply a patch to fix this issue. The identifier VDB-270369 was assigned to this vulnerability. 2024-07-05 3.5 CVE-2024-6526
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
discourse–discourse
 
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, moderators using the review queue to review users may see a users email address even when the Allow moderators to view email addresses setting is disabled. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. As possible workarounds, either prevent moderators from accessing the review queue or disable the approve suspect users site setting and the must approve users site setting to prevent users from being added to the review queue. 2024-07-03 2.4 CVE-2024-36122
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Johnson Controls–Kantech KT1 Door Controller, Rev01
 
Under certain circumstances, when the controller is in factory reset mode waiting for initial setup, it will broadcast its MAC address, serial number, and firmware version. Once configured, the controller will no longer broadcast this information. 2024-07-04 3.1 CVE-2024-32754
productsecurity@jci.com
productsecurity@jci.com
Kodezen Limited–Academy LMS
 
URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in Kodezen Limited Academy LMS.This issue affects Academy LMS: from n/a through 2.0.4. 2024-07-06 3.5 CVE-2024-37234
audit@patchstack.com
mattermost — mattermost
 
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to sanitize the RemoteClusterFrame payloads before audit logging them which allows a high privileged attacker with access to the audit logs to read message contents. 2024-07-03 2.7 CVE-2024-39353
responsibledisclosure@mattermost.com
n/a–n/a
 
The OpenAI ChatGPT app before 2024-07-05 for macOS opts out of the sandbox, and stores conversations in cleartext in a location accessible to other apps. 2024-07-06 2.3 CVE-2024-40594
cve@mitre.org
cve@mitre.org
n/a–playSMS
 
A vulnerability was found in playSMS 1.4.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /index.php?app=main&inc=feature_inboxgroup&op=list of the component Template Handler. The manipulation of the argument Receiver Number with the input {{`id`}} leads to injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-270278 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-07-03 2.7 CVE-2024-6470
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
openharmony — openharmony
 
in OpenHarmony v4.0.0 and prior versions allow a local attacker cause apps crash through type confusion. 2024-07-02 3.3 CVE-2024-31071
scy@openharmony.io
openharmony — openharmony
 
in OpenHarmony v4.0.0 and prior versions allow a local attacker cause apps crash through type confusion. 2024-07-02 3.3 CVE-2024-36278
scy@openharmony.io
Red Hat–Red Hat Enterprise Linux 7
 
A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env’s user_readenv option, which leads to a denial of service (DoS) attack. 2024-07-03 3.2 CVE-2024-6126
secalert@redhat.com
secalert@redhat.com
samsung — android
 
Improper authentication in MTP application prior to SMR Jul-2024 Release 1 allows local attackers to enter MTP mode without proper authentication. 2024-07-02 3.3 CVE-2024-20900
mobile.security@samsung.com
samsung — android
 
Improper access control in system property prior to SMR Jul-2024 Release 1 allows local attackers to get device identifier. 2024-07-02 3.3 CVE-2024-34583
mobile.security@samsung.com
samsung — android
 
Improper access control in KnoxCustomManagerService prior to SMR Jul-2024 Release 1 allows local attackers to configure Knox privacy policy. 2024-07-02 3.3 CVE-2024-34586
mobile.security@samsung.com
samsung — flow
 
Improper verification of intent by broadcast receiver vulnerability in Samsung Flow prior to version 4.9.13.0 allows local attackers to copy image files to external storage. 2024-07-02 3.3 CVE-2024-34600
mobile.security@samsung.com
samsung — health
 
Improper input validation in Samsung Health prior to version 6.27.0.113 allows local attackers to write arbitrary document files to the sandbox of Samsung Health. User interaction is required for triggering this vulnerability. 2024-07-02 3.3 CVE-2024-34597
mobile.security@samsung.com
samsung — tips
 
Improper input validation in Tips prior to version 6.2.9.4 in Android 14 allows local attacker to send broadcast with Tips&#39; privilege. 2024-07-02 3.3 CVE-2024-34599
mobile.security@samsung.com
y_project–RuoYi
 
A vulnerability classified as problematic was found in y_project RuoYi up to 4.7.9. Affected by this vulnerability is the function isJsonRequest of the component Content-Type Handler. The manipulation of the argument HttpHeaders.CONTENT_TYPE leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270343. 2024-07-04 3.5 CVE-2024-6511
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
ZKTeco–BioTime
 
A vulnerability was found in ZKTeco BioTime up to 9.5.2. It has been classified as problematic. Affected is an unknown function of the component system-group-add Handler. The manipulation of the argument user with the input <script>alert(‘XSS’)</script> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-270366 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-07-05 3.5 CVE-2024-6523
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com

Back to top

Severity Not Yet Assigned

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
ABB–ASPECT-Enterprise
 
Unauthorized file access in WEB Server in ABB ASPECT – Enterprise v <=3.08.01; NEXUS Series v <=3.08.01 ; MATRIX Series v<=3.08.01 allows Attacker to access files unauthorized 2024-07-05 not yet calculated CVE-2024-6209
cybersecurity@ch.abb.com
ABB–ASPECT-Enterprise
 
Improper Input Validation vulnerability in ABB ASPECT-Enterprise on Linux, ABB NEXUS Series on Linux, ABB MATRIX Series on Linux allows Remote Code Inclusion.This issue affects ASPECT-Enterprise: through 3.08.01; NEXUS Series: through 3.08.01; MATRIX Series: through 3.08.01. 2024-07-05 not yet calculated CVE-2024-6298
cybersecurity@ch.abb.com
Akana–Akana
 
In versions of Akana in versions prior to and including 2022.1.3 validation is broken when using the SAML Single Sign-On (SSO) functionality. 2024-07-02 not yet calculated CVE-2024-3826
security@puppet.com
Apache Software Foundation–Apache CloudStack
 
The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts. Some of these commands were found to have command injection vulnerabilities that can result in arbitrary code execution via agents on the hosts that may run as a privileged user. An attacker that can reach the cluster service on the unauthenticated port (default 9090), can exploit this to perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access to the cluster service port (default 9090) on a CloudStack management server host to only its peer CloudStack management server hosts. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue. 2024-07-05 not yet calculated CVE-2024-38346
security@apache.org
security@apache.org
security@apache.org
security@apache.org
Apache Software Foundation–Apache CloudStack
 
The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue. 2024-07-05 not yet calculated CVE-2024-39864
security@apache.org
security@apache.org
security@apache.org
security@apache.org
Apache Software Foundation–Apache HTTP Server
 
Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. 2024-07-01 not yet calculated CVE-2024-36387
security@apache.org
Apache Software Foundation–Apache HTTP Server
 
SSRF in Apache HTTP Server on Windows allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue.  Note: Existing configurations that access UNC paths will have to configure new directive “UNCList” to allow access during request processing. 2024-07-01 not yet calculated CVE-2024-38472
security@apache.org
Apache Software Foundation–Apache HTTP Server
 
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue. 2024-07-01 not yet calculated CVE-2024-38473
security@apache.org
Apache Software Foundation–Apache HTTP Server
 
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag “UnsafeAllow3F” is specified. 2024-07-01 not yet calculated CVE-2024-38474
security@apache.org
Apache Software Foundation–Apache HTTP Server
 
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag “UnsafePrefixStat” can be used to opt back in once ensuring the substitution is appropriately constrained. 2024-07-01 not yet calculated CVE-2024-38475
security@apache.org
Apache Software Foundation–Apache HTTP Server
 
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue. 2024-07-01 not yet calculated CVE-2024-38476
security@apache.org
Apache Software Foundation–Apache HTTP Server
 
null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue. 2024-07-01 not yet calculated CVE-2024-38477
security@apache.org
Apache Software Foundation–Apache HTTP Server
 
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.   “AddType” and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue. 2024-07-04 not yet calculated CVE-2024-39884
security@apache.org
Apache Software Foundation–Apache Tomcat
 
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue. 2024-07-03 not yet calculated CVE-2024-34750
security@apache.org
ethyca–fides
 
Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication. The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard. 2024-07-02 not yet calculated CVE-2024-38537
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Go standard library–net/http
 
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an “Expect: 100-continue” header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending “Expect: 100-continue” requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. 2024-07-02 not yet calculated CVE-2024-24791
security@golang.org
security@golang.org
security@golang.org
security@golang.org
Go toolchain–cmd/go
 
Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn’t sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making “go env” print them out. 2024-07-02 not yet calculated CVE-2023-24531
security@golang.org
security@golang.org
security@golang.org
security@golang.org
security@golang.org
golang.org/x/crypto–golang.org/x/crypto/acme/autocert
 
httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator ( vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/….asd becomes ….asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix. 2024-07-02 not yet calculated CVE-2022-30636
security@golang.org
security@golang.org
security@golang.org
Google–https://github.com/google/nftables
 
In https://github.com/google/nftables  IP addresses were encoded in the wrong byte order, resulting in an nftables configuration which does not work as intended (might block or not block the desired addresses). This issue affects:  https://pkg.go.dev/github.com/google/nftables@v0.1.0 The bug was fixed in the next released version:  https://pkg.go.dev/github.com/google/nftables@v0.2.0 2024-07-03 not yet calculated CVE-2024-6284
cve-coordination@google.com
cve-coordination@google.com
cve-coordination@google.com
Kakao piccoma Corp.–“Piccoma” App for Android
 
“Piccoma” App for Android and iOS versions prior to 6.20.0 uses a hard-coded API key for an external service, which may allow a local attacker to obtain the API key. Note that the users of the app are not directly affected by this vulnerability. 2024-07-01 not yet calculated CVE-2024-38480
vultures@jpcert.or.jp
vultures@jpcert.or.jp
vultures@jpcert.or.jp
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: xfs: fix log recovery buffer allocation for the legacy h_size fixup Commit a70f9fe52daa (“xfs: detect and handle invalid iclog size set by mkfs”) added a fixup for incorrect h_size values used for the initial umount record in old xfsprogs versions. Later commit 0c771b99d6c9 (“xfs: clean up calculation of LR header blocks”) cleaned up the log reover buffer calculation, but stoped using the fixed up h_size value to size the log recovery buffer, which can lead to an out of bounds access when the incorrect h_size does not come from the old mkfs tool, but a fuzzer. Fix this by open coding xlog_logrec_hblks and taking the fixed h_size into account for this calculation. 2024-07-05 not yet calculated CVE-2024-39472
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension If a process module does not have base config extension then the same format applies to all of it’s inputs and the process->base_config_ext is NULL, causing NULL dereference when specifically crafted topology and sequences used. 2024-07-05 not yet calculated CVE-2024-39473
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL commit a421ef303008 (“mm: allow !GFP_KERNEL allocations for kvmalloc”) includes support for __GFP_NOFAIL, but it presents a conflict with commit dd544141b9eb (“vmalloc: back off when the current task is OOM-killed”). A possible scenario is as follows: process-a __vmalloc_node_range(GFP_KERNEL | __GFP_NOFAIL) __vmalloc_area_node() vm_area_alloc_pages() –> oom-killer send SIGKILL to process-a if (fatal_signal_pending(current)) break; –> return NULL; To fix this, do not check fatal_signal_pending() in vm_area_alloc_pages() if __GFP_NOFAIL set. This issue occurred during OPLUS KASAN TEST. Below is part of the log -> oom-killer sends signal to process [65731.222840] [ T1308] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/apps/uid_10198,task=gs.intelligence,pid=32454,uid=10198 [65731.259685] [T32454] Call trace: [65731.259698] [T32454] dump_backtrace+0xf4/0x118 [65731.259734] [T32454] show_stack+0x18/0x24 [65731.259756] [T32454] dump_stack_lvl+0x60/0x7c [65731.259781] [T32454] dump_stack+0x18/0x38 [65731.259800] [T32454] mrdump_common_die+0x250/0x39c [mrdump] [65731.259936] [T32454] ipanic_die+0x20/0x34 [mrdump] [65731.260019] [T32454] atomic_notifier_call_chain+0xb4/0xfc [65731.260047] [T32454] notify_die+0x114/0x198 [65731.260073] [T32454] die+0xf4/0x5b4 [65731.260098] [T32454] die_kernel_fault+0x80/0x98 [65731.260124] [T32454] __do_kernel_fault+0x160/0x2a8 [65731.260146] [T32454] do_bad_area+0x68/0x148 [65731.260174] [T32454] do_mem_abort+0x151c/0x1b34 [65731.260204] [T32454] el1_abort+0x3c/0x5c [65731.260227] [T32454] el1h_64_sync_handler+0x54/0x90 [65731.260248] [T32454] el1h_64_sync+0x68/0x6c [65731.260269] [T32454] z_erofs_decompress_queue+0x7f0/0x2258 –> be->decompressed_pages = kvcalloc(be->nr_pages, sizeof(struct page *), GFP_KERNEL | __GFP_NOFAIL); kernel panic by NULL pointer dereference. erofs assume kvmalloc with __GFP_NOFAIL never return NULL. [65731.260293] [T32454] z_erofs_runqueue+0xf30/0x104c [65731.260314] [T32454] z_erofs_readahead+0x4f0/0x968 [65731.260339] [T32454] read_pages+0x170/0xadc [65731.260364] [T32454] page_cache_ra_unbounded+0x874/0xf30 [65731.260388] [T32454] page_cache_ra_order+0x24c/0x714 [65731.260411] [T32454] filemap_fault+0xbf0/0x1a74 [65731.260437] [T32454] __do_fault+0xd0/0x33c [65731.260462] [T32454] handle_mm_fault+0xf74/0x3fe0 [65731.260486] [T32454] do_mem_abort+0x54c/0x1b34 [65731.260509] [T32454] el0_da+0x44/0x94 [65731.260531] [T32454] el0t_64_sync_handler+0x98/0xb4 [65731.260553] [T32454] el0t_64_sync+0x198/0x19c 2024-07-05 not yet calculated CVE-2024-39474
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: fbdev: savage: Handle err return when savagefb_check_var failed The commit 04e5eac8f3ab(“fbdev: savage: Error out if pixclock equals zero”) checks the value of pixclock to avoid divide-by-zero error. However the function savagefb_probe doesn’t handle the error return of savagefb_check_var. When pixclock is 0, it will cause divide-by-zero error. 2024-07-05 not yet calculated CVE-2024-39475
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING Xiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with small possibility, the root cause is exactly the same as commit bed9e27baf52 (“Revert “md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d””) However, Dan reported another hang after that, and junxiao investigated the problem and found out that this is caused by plugged bio can’t issue from raid5d(). Current implementation in raid5d() has a weird dependence: 1) md_check_recovery() from raid5d() must hold ‘reconfig_mutex’ to clear MD_SB_CHANGE_PENDING; 2) raid5d() handles IO in a deadloop, until all IO are issued; 3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared; This behaviour is introduce before v2.6, and for consequence, if other context hold ‘reconfig_mutex’, and md_check_recovery() can’t update super_block, then raid5d() will waste one cpu 100% by the deadloop, until ‘reconfig_mutex’ is released. Refer to the implementation from raid1 and raid10, fix this problem by skipping issue IO if MD_SB_CHANGE_PENDING is still set after md_check_recovery(), daemon thread will be woken up when ‘reconfig_mutex’ is released. Meanwhile, the hang problem will be fixed as well. 2024-07-05 not yet calculated CVE-2024-39476
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: do not call vma_add_reservation upon ENOMEM sysbot reported a splat [1] on __unmap_hugepage_range(). This is because vma_needs_reservation() can return -ENOMEM if allocate_file_region_entries() fails to allocate the file_region struct for the reservation. Check for that and do not call vma_add_reservation() if that is the case, otherwise region_abort() and region_del() will see that we do not have any file_regions. If we detect that vma_needs_reservation() returned -ENOMEM, we clear the hugetlb_restore_reserve flag as if this reservation was still consumed, so free_huge_folio() will not increment the resv count. [1] https://lore.kernel.org/linux-mm/0000000000004096100617c58d54@google.com/T/#ma5983bc1ab18a54910da83416b3f89f3c7ee43aa 2024-07-05 not yet calculated CVE-2024-39477
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: crypto: starfive – Do not free stack buffer RSA text data uses variable length buffer allocated in software stack. Calling kfree on it causes undefined behaviour in subsequent operations. 2024-07-05 not yet calculated CVE-2024-39478
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: drm/i915/hwmon: Get rid of devm When both hwmon and hwmon drvdata (on which hwmon depends) are device managed resources, the expectation, on device unbind, is that hwmon will be released before drvdata. However, in i915 there are two separate code paths, which both release either drvdata or hwmon and either can be released before the other. These code paths (for device unbind) are as follows (see also the bug referenced below): Call Trace: release_nodes+0x11/0x70 devres_release_group+0xb2/0x110 component_unbind_all+0x8d/0xa0 component_del+0xa5/0x140 intel_pxp_tee_component_fini+0x29/0x40 [i915] intel_pxp_fini+0x33/0x80 [i915] i915_driver_remove+0x4c/0x120 [i915] i915_pci_remove+0x19/0x30 [i915] pci_device_remove+0x32/0xa0 device_release_driver_internal+0x19c/0x200 unbind_store+0x9c/0xb0 and Call Trace: release_nodes+0x11/0x70 devres_release_all+0x8a/0xc0 device_unbind_cleanup+0x9/0x70 device_release_driver_internal+0x1c1/0x200 unbind_store+0x9c/0xb0 This means that in i915, if use devm, we cannot gurantee that hwmon will always be released before drvdata. Which means that we have a uaf if hwmon sysfs is accessed when drvdata has been released but hwmon hasn’t. The only way out of this seems to be do get rid of devm_ and release/free everything explicitly during device unbind. v2: Change commit message and other minor code changes v3: Cleanup from i915_hwmon_register on error (Armin Wolf) v4: Eliminate potential static analyzer warning (Rodrigo) Eliminate fetch_and_zero (Jani) v5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi) 2024-07-05 not yet calculated CVE-2024-39479
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: kdb: Fix buffer overflow during tab-complete Currently, when the user attempts symbol completion with the Tab key, kdb will use strncpy() to insert the completed symbol into the command buffer. Unfortunately it passes the size of the source buffer rather than the destination to strncpy() with predictably horrible results. Most obviously if the command buffer is already full but cp, the cursor position, is in the middle of the buffer, then we will write past the end of the supplied buffer. Fix this by replacing the dubious strncpy() calls with memmove()/memcpy() calls plus explicit boundary checks to make sure we have enough space before we start moving characters around. 2024-07-05 not yet calculated CVE-2024-39480
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: media: mc: Fix graph walk in media_pipeline_start The graph walk tries to follow all links, even if they are not between pads. This causes a crash with, e.g. a MEDIA_LNK_FL_ANCILLARY_LINK link. Fix this by allowing the walk to proceed only for MEDIA_LNK_FL_DATA_LINK links. 2024-07-05 not yet calculated CVE-2024-39481
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: bcache: fix variable length array abuse in btree_iter btree_iter is used in two ways: either allocated on the stack with a fixed size MAX_BSETS, or from a mempool with a dynamic size based on the specific cache set. Previously, the struct had a fixed-length array of size MAX_BSETS which was indexed out-of-bounds for the dynamically-sized iterators, which causes UBSAN to complain. This patch uses the same approach as in bcachefs’s sort_iter and splits the iterator into a btree_iter with a flexible array member and a btree_iter_stack which embeds a btree_iter as well as a fixed-length data array. 2024-07-05 not yet calculated CVE-2024-39482
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked When requesting an NMI window, WARN on vNMI support being enabled if and only if NMIs are actually masked, i.e. if the vCPU is already handling an NMI. KVM’s ABI for NMIs that arrive simultanesouly (from KVM’s point of view) is to inject one NMI and pend the other. When using vNMI, KVM pends the second NMI simply by setting V_NMI_PENDING, and lets the CPU do the rest (hardware automatically sets V_NMI_BLOCKING when an NMI is injected). However, if KVM can’t immediately inject an NMI, e.g. because the vCPU is in an STI shadow or is running with GIF=0, then KVM will request an NMI window and trigger the WARN (but still function correctly). Whether or not the GIF=0 case makes sense is debatable, as the intent of KVM’s behavior is to provide functionality that is as close to real hardware as possible. E.g. if two NMIs are sent in quick succession, the probability of both NMIs arriving in an STI shadow is infinitesimally low on real hardware, but significantly larger in a virtual environment, e.g. if the vCPU is preempted in the STI shadow. For GIF=0, the argument isn’t as clear cut, because the window where two NMIs can collide is much larger in bare metal (though still small). That said, KVM should not have divergent behavior for the GIF=0 case based on whether or not vNMI support is enabled. And KVM has allowed simultaneous NMIs with GIF=0 for over a decade, since commit 7460fb4a3400 (“KVM: Fix simultaneous NMIs”). I.e. KVM’s GIF=0 handling shouldn’t be modified without a *really* good reason to do so, and if KVM’s behavior were to be modified, it should be done irrespective of vNMI support. 2024-07-05 not yet calculated CVE-2024-39483
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don’t strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text) 2024-07-05 not yet calculated CVE-2024-39484
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: media: v4l: async: Properly re-initialise notifier entry in unregister The notifier_entry of a notifier is not re-initialised after unregistering the notifier. This leads to dangling pointers being left there so use list_del_init() to return the notifier_entry an empty list. 2024-07-05 not yet calculated CVE-2024-39485
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux–Linux
 
In the Linux kernel, the following vulnerability has been resolved: drm/drm_file: Fix pid refcounting race filp->pid is supposed to be a refcounted pointer; however, before this patch, drm_file_update_pid() only increments the refcount of a struct pid after storing a pointer to it in filp->pid and dropping the dev->filelist_mutex, making the following race possible: process A process B ========= ========= begin drm_file_update_pid mutex_lock(&dev->filelist_mutex) rcu_replace_pointer(filp->pid, <pid B>, 1) mutex_unlock(&dev->filelist_mutex) begin drm_file_update_pid mutex_lock(&dev->filelist_mutex) rcu_replace_pointer(filp->pid, <pid A>, 1) mutex_unlock(&dev->filelist_mutex) get_pid(<pid A>) synchronize_rcu() put_pid(<pid B>) *** pid B reaches refcount 0 and is freed here *** get_pid(<pid B>) *** UAF *** synchronize_rcu() put_pid(<pid A>) As far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y because it requires RCU to detect a quiescent state in code that is not explicitly calling into the scheduler. This race leads to use-after-free of a “struct pid”. It is probably somewhat hard to hit because process A has to pass through a synchronize_rcu() operation while process B is between mutex_unlock() and get_pid(). Fix it by ensuring that by the time a pointer to the current task’s pid is stored in the file, an extra reference to the pid has been taken. This fix also removes the condition for synchronize_rcu(); I think that optimization is unnecessary complexity, since in that case we would usually have bailed out on the lockless check above. 2024-07-06 not yet calculated CVE-2024-39486
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
MediaTek, Inc.–MT2735, MT2737, MT6761, MT6765, MT6768, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6980, MT6983, MT6985, MT6989, MT6990, MT8666, MT8667, MT8673, MT8676, MT8678
 
In gnss service, there is a possible escalation of privilege due to improper certificate validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08720039; Issue ID: MSV-1424. 2024-07-01 not yet calculated CVE-2024-20080
security@mediatek.com
MediaTek, Inc.–MT2735, MT2737, MT6761, MT6765, MT6768, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6980, MT6983, MT6985, MT6989, MT6990, MT8666, MT8667, MT8673, MT8676, MT8678
 
In gnss service, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08719602; Issue ID: MSV-1412. 2024-07-01 not yet calculated CVE-2024-20081
security@mediatek.com
MediaTek, Inc.–MT6761, MT6765, MT6768, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT6989, MT8666, MT8667, MT8673, MT8676, MT8678
 
In gnss service, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08044040; Issue ID: MSV-1491. 2024-07-01 not yet calculated CVE-2024-20079
security@mediatek.com
mudler–mudler/localai
 
A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as ‘gpt-4-vision-preview’, without the victim’s consent. The vulnerability is due to insufficient CSRF protection mechanisms on the model deletion functionality. 2024-07-06 not yet calculated CVE-2024-5616
security@huntr.dev
security@huntr.dev
mudler–mudler/localai
 
A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s):// and file:// schemes, where the latter can lead to LFI. However, the output is limited due to the length of the error message. This vulnerability can be exploited by an attacker with network access to the LocalAI instance, potentially allowing unauthorized access to internal HTTP(s) servers and partial reading of local files. The issue is fixed in version 2.17. 2024-07-06 not yet calculated CVE-2024-6095
security@huntr.dev
security@huntr.dev
n/a–n/a
 
Vulnerability in Realtek RtsPer driver for PCIe Card Reader (RtsPer.sys) before 10.0.22000.21355 and Realtek RtsUer driver for USB Card Reader (RtsUer.sys) before 10.0.22000.31274 leaks driver logs that contain addresses of kernel mode objects, weakening KASLR. 2024-07-02 not yet calculated CVE-2022-25477
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Vulnerability in Realtek RtsPer driver for PCIe Card Reader (RtsPer.sys) before 10.0.22000.21355 and Realtek RtsUer driver for USB Card Reader (RtsUer.sys) before 10.0.22000.31274 provides read and write access to the PCI configuration space of the device. 2024-07-02 not yet calculated CVE-2022-25478
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Vulnerability in Realtek RtsPer driver for PCIe Card Reader (RtsPer.sys) before 10.0.22000.21355 and Realtek RtsUer driver for USB Card Reader (RtsUer.sys) before 10.0.22000.31274 allows for the leakage of kernel memory from both the stack and the heap. 2024-07-02 not yet calculated CVE-2022-25479
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Vulnerability in Realtek RtsPer driver for PCIe Card Reader (RtsPer.sys) before 10.0.22000.21355 and Realtek RtsUer driver for USB Card Reader (RtsUer.sys) before 10.0.22000.31274 allows writing to kernel memory beyond the SystemBuffer of the IRP. 2024-07-02 not yet calculated CVE-2022-25480
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc. 2024-07-03 not yet calculated CVE-2023-52168
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process. 2024-07-03 not yet calculated CVE-2023-52169
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/route.c max_size threshold that can be consumed easily, e.g., leading to a denial of service (network is unreachable errors) when IPv6 packets are sent in a loop via a raw socket. 2024-07-05 not yet calculated CVE-2023-52340
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Cross Site Request Forgery (CSRF) vulnerability in savignano S/Notify before 4.0.2 for Confluence allows attackers to manipulate a user’s S/MIME certificate of PGP key via malicious link or email. 2024-07-01 not yet calculated CVE-2024-23736
cve@mitre.org
n/a–n/a
 
Cross Site Request Forgery (CSRF) vulnerability in savignano S/Notify before 4.0.2 for Jira allows attackers to allows attackers to manipulate a user’s S/MIME certificate of PGP key via malicious link or email. 2024-07-01 not yet calculated CVE-2024-23737
cve@mitre.org
n/a–n/a
 
Lukas Bach yana =<1.0.16 is vulnerable to Cross Site Scripting (XSS) via src/electron-main.ts. 2024-07-05 not yet calculated CVE-2024-23997
cve@mitre.org
n/a–n/a
 
goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.vue. 2024-07-05 not yet calculated CVE-2024-23998
cve@mitre.org
n/a–n/a
 
SQL Injection vulnerability in Eskooly Web Product v.3.0 allows a remote attacker to execute arbitrary code via the searchby parameter of the allstudents.php component and the id parameter of the requestmanager.php component. 2024-07-05 not yet calculated CVE-2024-27709
cve@mitre.org
n/a–n/a
 
An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the authentication mechanism. 2024-07-05 not yet calculated CVE-2024-27710
cve@mitre.org
n/a–n/a
 
An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the Sin-up process function in the account settings. 2024-07-05 not yet calculated CVE-2024-27711
cve@mitre.org
n/a–n/a
 
An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the User Account Mangemnt component in the authentication mechanism. 2024-07-05 not yet calculated CVE-2024-27712
cve@mitre.org
n/a–n/a
 
An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the HTTP Response Header Settings component. 2024-07-05 not yet calculated CVE-2024-27713
cve@mitre.org
n/a–n/a
 
An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via a crafted request to the Password Change mechanism. 2024-07-05 not yet calculated CVE-2024-27715
cve@mitre.org
n/a–n/a
 
Cross Site Scripting vulnerability in Eskooly Web Product v.3.0 and before allows a remote attacker to execute arbitrary code via the message sending and user input fields. 2024-07-05 not yet calculated CVE-2024-27716
cve@mitre.org
n/a–n/a
 
Cross Site Request Forgery vulnerability in Eskooly Free Online School Management Software v.3.0 and before allows a remote attacker to escalate privileges via the Token Handling component. 2024-07-05 not yet calculated CVE-2024-27717
cve@mitre.org
n/a–n/a
 
Volmarg Personal Management System 1.4.64 is vulnerable to stored cross site scripting (XSS) via upload of a SVG file with embedded javascript code. 2024-07-05 not yet calculated CVE-2024-29318
cve@mitre.org
n/a–n/a
 
Volmarg Personal Management System 1.4.64 is vulnerable to SSRF (Server Side Request Forgery) via uploading a SVG file. The server can make unintended HTTP and DNS requests to a server that the attacker controls. 2024-07-05 not yet calculated CVE-2024-29319
cve@mitre.org
n/a–n/a
 
Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi_apply_filter() function via a long PDF filter name. 2024-07-03 not yet calculated CVE-2024-29506
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters. 2024-07-03 not yet calculated CVE-2024-29507
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure (observable in a constructed BaseFont name) in the function pdf_base_font_alloc. 2024-07-03 not yet calculated CVE-2024-29508
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a 00 byte in the middle. 2024-07-03 not yet calculated CVE-2024-29509
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device. 2024-07-03 not yet calculated CVE-2024-29510
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue that allows arbitrary file reading (and writing of error messages to arbitrary files) via OCRLanguage. For example, exploitation can use debug_file /tmp/out and user_patterns_file /etc/passwd. 2024-07-03 not yet calculated CVE-2024-29511
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
FFmpeg 7.0 contains a heap-buffer-overflow at libavfilter/vf_tiltandshift.c:189:5 in copy_column. 2024-07-01 not yet calculated CVE-2024-32229
cve@mitre.org
n/a–n/a
 
FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0 2024-07-01 not yet calculated CVE-2024-32230
cve@mitre.org
n/a–n/a
 
An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file’s contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected. 2024-07-05 not yet calculated CVE-2024-32498
cve@mitre.org
cve@mitre.org
n/a–n/a
 
A buffer-management vulnerability in OPC Foundation OPCFoundation.NetStandard.Opc.Ua.Core before 1.05.374.54 could allow remote attackers to exhaust memory resources. It is triggered when the system receives an excessive number of messages from a remote source. This could potentially lead to a denial of service (DoS) condition, disrupting the normal operation of the system. 2024-07-05 not yet calculated CVE-2024-33862
cve@mitre.org
n/a–n/a
 
An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename. 2024-07-03 not yet calculated CVE-2024-33869
cve@mitre.org
cve@mitre.org
n/a–n/a
 
An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted. 2024-07-03 not yet calculated CVE-2024-33870
cve@mitre.org
cve@mitre.org
n/a–n/a
 
An issue was discovered in Artifex Ghostscript before 10.03.1. contrib/opvp/gdevopvp.c allows arbitrary code execution via a custom Driver library, exploitable via a crafted PostScript document. This occurs because the Driver parameter for opvp (and oprp) devices can have an arbitrary name for a dynamic library; this library is then loaded. 2024-07-03 not yet calculated CVE-2024-33871
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
drupal-wiki.com Drupal Wiki before 8.31.1 allows XSS via comments, captions, and image titles of a Wiki page. 2024-07-05 not yet calculated CVE-2024-34481
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory. 2024-07-05 not yet calculated CVE-2024-36041
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Insecure Permissions vulnerability in Micro-Star International Co., Ltd MSI Center v.2.0.36.0 allows a local attacker to escalate privileges via the Export System Info function in MSI.CentralServer.exe 2024-07-03 not yet calculated CVE-2024-37726
cve@mitre.org
n/a–n/a
 
MachForm up to version 21 is affected by an authenticated unrestricted file upload which leads to a remote code execution. 2024-07-01 not yet calculated CVE-2024-37762
cve@mitre.org
n/a–n/a
 
MachForm up to version 19 is affected by an unauthenticated stored cross-site scripting which affects users with valid sessions whom can view compiled forms results. 2024-07-01 not yet calculated CVE-2024-37763
cve@mitre.org
n/a–n/a
 
Machform up to version 19 is affected by an authenticated Blind SQL injection in the user account settings page. 2024-07-01 not yet calculated CVE-2024-37765
cve@mitre.org
n/a–n/a
 
Insecure permissions in the component /api/admin/user of 14Finger v1.1 allows attackers to access all user information via a crafted GET request. 2024-07-05 not yet calculated CVE-2024-37767
cve@mitre.org
n/a–n/a
 
14Finger v1.1 was discovered to contain an arbitrary user deletion vulnerability via the component /api/admin/user?id. 2024-07-05 not yet calculated CVE-2024-37768
cve@mitre.org
n/a–n/a
 
Insecure permissions in 14Finger v1.1 allow attackers to escalate privileges from normal user to Administrator via a crafted POST request. 2024-07-05 not yet calculated CVE-2024-37769
cve@mitre.org
n/a–n/a
 
The Avalara for Salesforce CPQ app before 7.0 for Salesforce allows attackers to read an API key. NOTE: the current version is 11 as of mid-2024. 2024-07-03 not yet calculated CVE-2024-38453
cve@mitre.org
cve@mitre.org
n/a–n/a
 
phpok 6.4.003 contains a Cross Site Scripting (XSS) vulnerability in the ok_f() method under the framework/api/upload_control.php file. 2024-07-01 not yet calculated CVE-2024-38953
cve@mitre.org
n/a–n/a
 
aofl cli-lib v3.14.0 was discovered to contain a prototype pollution via the component defaultsDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 not yet calculated CVE-2024-38987
cve@mitre.org
cve@mitre.org
n/a–n/a
 
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 not yet calculated CVE-2024-38999
cve@mitre.org
n/a–n/a
 
ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component _ModuleSupport.jsonApply. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 not yet calculated CVE-2024-39001
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function util.clone. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 not yet calculated CVE-2024-39002
cve@mitre.org
n/a–n/a
 
robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 not yet calculated CVE-2024-39008
cve@mitre.org
n/a–n/a
 
2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 not yet calculated CVE-2024-39013
cve@mitre.org
n/a–n/a
 
ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 not yet calculated CVE-2024-39014
cve@mitre.org
n/a–n/a
 
harvey-woo cat5th/key-serializer v0.2.5 was discovered to contain a prototype pollution via the function “query”. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. 2024-07-01 not yet calculated CVE-2024-39018
cve@mitre.org
n/a–n/a
 
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/idcProData_deal.php?mudi=del 2024-07-05 not yet calculated CVE-2024-39019
cve@mitre.org
n/a–n/a
 
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/vpsApiData_deal.php?mudi=rev&nohrefStr=close 2024-07-05 not yet calculated CVE-2024-39020
cve@mitre.org
n/a–n/a
 
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component http://127.0.0.1:80/admin/vpsApiData_deal.php?mudi=del 2024-07-05 not yet calculated CVE-2024-39021
cve@mitre.org
n/a–n/a
 
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/infoSys_deal.php?mudi=deal 2024-07-05 not yet calculated CVE-2024-39022
cve@mitre.org
n/a–n/a
 
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via admin/info_deal.php?mudi=add&nohrefStr=close 2024-07-05 not yet calculated CVE-2024-39023
cve@mitre.org
n/a–n/a
 
SeaCMS v12.9 has an unauthorized SQL injection vulnerability. The vulnerability is caused by the SQL injection through the cid parameter at /js/player/dmplayer/dmku/index.php?ac=edit, which can cause sensitive database information to be leaked. 2024-07-05 not yet calculated CVE-2024-39027
cve@mitre.org
n/a–n/a
 
An issue was discovered in SeaCMS <=12.9 which allows remote attackers to execute arbitrary code via admin_ping.php. 2024-07-05 not yet calculated CVE-2024-39028
cve@mitre.org
n/a–n/a
 
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via admin/info_deal.php?mudi=rev&nohrefStr=close. 2024-07-02 not yet calculated CVE-2024-39119
cve@mitre.org
n/a–n/a
 
vditor v.3.9.8 and before is vulnerable to Arbitrary file read via a crafted data packet. 2024-07-05 not yet calculated CVE-2024-39150
cve@mitre.org
n/a–n/a
 
QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with a .php file name in the filename parameter. This occurs because an unnecessary QR/demoapp folder.is shipped with the product. 2024-07-04 not yet calculated CVE-2024-39165
cve@mitre.org
n/a–n/a
 
A cross-site scripting (XSS) vulnerability in the Publish Article function of yzmcms v7.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a published article. 2024-07-05 not yet calculated CVE-2024-39174
cve@mitre.org
n/a–n/a
 
MyPower vc8100 V100R001C00B030 was discovered to contain an arbitrary file read vulnerability via the component /tcpdump/tcpdump.php?menu_uuid. 2024-07-05 not yet calculated CVE-2024-39178
cve@mitre.org
n/a–n/a
 
An information disclosure vulnerability in ISPmanager v6.98.0 allows attackers to access sensitive details of the root user’s session via an arbitrary command (ISP6-1779). 2024-07-05 not yet calculated CVE-2024-39182
cve@mitre.org
n/a–n/a
 
An issue discovered in MSP360 Backup Agent v7.8.5.15 and v7.9.4.84 allows attackers to obtain network share credentials used in a backup due to enginesettings.list being encrypted with a hard coded key. 2024-07-02 not yet calculated CVE-2024-39206
cve@mitre.org
n/a–n/a
 
Best House Rental Management System v1.0 was discovered to contain an arbitrary file read vulnerability via the Page parameter at index.php. This vulnerability allows attackers to read arbitrary PHP files and access other sensitive information within the application. 2024-07-05 not yet calculated CVE-2024-39210
cve@mitre.org
n/a–n/a
 
Kaiten 57.128.8 allows remote attackers to enumerate user accounts via a crafted POST request, because a login response contains a user_email field only if the user account exists. 2024-07-04 not yet calculated CVE-2024-39211
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
BAS-IP AV-01D, AV-01MD, AV-01MFD, AV-01ED, AV-01KD, AV-01BD, AV-01KBD, AV-02D, AV-02IDE, AV-02IDR, AV-02IPD, AV-02FDE, AV-02FDR, AV-03D, AV-03BD, AV-04AFD, AV-04ASD, AV-04FD, AV-04SD, AV-05FD, AV-05SD, AA-07BD, AA-07BDI, BA-04BD, BA-04MD, BA-08BD, BA-08MD, BA-12BD, BA-12MD, CR-02BD before firmware v3.9.2 allows authenticated attackers to read SIP account passwords via a crafted GET request. 2024-07-03 not yet calculated CVE-2024-39220
cve@mitre.org
cve@mitre.org
n/a–n/a
 
An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey 2024-07-03 not yet calculated CVE-2024-39223
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
A cross-site scripting (XSS) vulnerability in SimpCMS v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field at /admin.php. 2024-07-03 not yet calculated CVE-2024-39248
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. 2024-07-01 not yet calculated CVE-2024-39249
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
An issue in the component ControlCenter.sys/ControlCenter64.sys of ThundeRobot Control Center v2.0.0.10 allows attackers to access sensitive information, execute arbitrary code, or escalate privileges via sending crafted IOCTL requests. 2024-07-01 not yet calculated CVE-2024-39251
cve@mitre.org
n/a–n/a
 
In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK. 2024-07-03 not yet calculated CVE-2024-39844
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur. 2024-07-02 not yet calculated CVE-2024-39894
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
The TCP protocol in RFC 9293 has a timing side channel that makes it easier for remote attackers to infer the content of one TCP connection from a client system (to any server), when that client system is concurrently obtaining TCP data at a slow rate from an attacker-controlled server, aka the “SnailLoad” issue. For example, the attack can begin by measuring RTTs via the TCP segments whose role is to provide an ACK control bit and an Acknowledgment Number. 2024-07-03 not yet calculated CVE-2024-39920
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users. 2024-07-04 not yet calculated CVE-2024-39929
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a–n/a
 
jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certificate.js OS command injection by an authenticated user (with certificate management privileges) via untrusted input to the DNS provider configuration. NOTE: this is not part of any NGINX software shipped by F5. 2024-07-04 not yet calculated CVE-2024-39935
cve@mitre.org
cve@mitre.org
cve@mitre.org
parisneo–parisneo/lollms-webui
 
parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application’s ‘binding_zoo’ feature, which allows attackers to upload and interact with a malicious model file hosted on hugging-face, leading to remote code execution. The issue is linked to a known vulnerability in llama-cpp-python, CVE-2024-34359, which has not been patched in lollms-webui as of commit b454f40a. The vulnerability is exploitable through the application’s handling of model files in the ‘bindings_zoo’ feature, specifically when processing gguf format model files. 2024-07-02 not yet calculated CVE-2024-4897
security@huntr.dev
Samsung Open Source–Walrus
 
Improper Validation of Array Index vulnerability in Samsung Open Source Walrus Webassembly runtime engine allows a segmentation fault issue. This issue affects Walrus: before 72c7230f32a0b791355bbdfc78669701024b0956. 2024-07-03 not yet calculated CVE-2024-32673
PSIRT@samsung.com
SOKRATES-software–SOWA OPAC
 
Improper Neutralization of Input During Web Page Generation vulnerability in SOKRATES-software SOWA OPAC allows a Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user’s browser. This issue affects SOWA OPAC software in versions from 4.0 before 4.9.10, from 5.0 before 6.2.12. 2024-07-01 not yet calculated CVE-2024-6050
cvd@cert.pl
cvd@cert.pl
Sola Plugins–Sola Testimonials
 
A cross-site request forgery vulnerability exists in Sola Testimonials versions prior to 3.0.0. If this vulnerability is exploited, an attacker allows a user who logs in to the WordPress site where the affected plugin is enabled to access a malicious page. As a result, the user may perform unintended operations on the WordPress site. 2024-07-04 not yet calculated CVE-2024-38345
vultures@jpcert.or.jp
vultures@jpcert.or.jp
Sola Plugins–WP Tweet Walls
 
A cross-site request forgery vulnerability exists in WP Tweet Walls versions prior to 1.0.4. If this vulnerability is exploited, an attacker allows a user who logs in to the WordPress site where the affected plugin is enabled to access a malicious page. As a result, the user may perform unintended operations on the WordPress site. 2024-07-04 not yet calculated CVE-2024-38344
vultures@jpcert.or.jp
vultures@jpcert.or.jp
stitionai–stitionai/devika
 
Improper Access Control in stitionai/devika 2024-07-03 not yet calculated CVE-2024-5821
security@huntr.dev
stitionai–stitionai/devika
 
Cross-Site Request Forgery (CSRF) in stitionai/devika 2024-07-03 not yet calculated CVE-2024-5887
security@huntr.dev
TP-LINK–Archer AX3000
 
Multiple TP-LINK products allow a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by restoring a crafted backup file. The affected device, with the initial configuration, allows login only from the LAN port or Wi-Fi. 2024-07-04 not yet calculated CVE-2024-38471
vultures@jpcert.or.jp
vultures@jpcert.or.jp
vultures@jpcert.or.jp
vultures@jpcert.or.jp
vultures@jpcert.or.jp
vultures@jpcert.or.jp
vultures@jpcert.or.jp
Unknown–Form Maker by 10Web 
 
The Form Maker by 10Web WordPress plugin before 1.15.26 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) 2024-07-01 not yet calculated CVE-2024-6130
contact@wpscan.com
Unknown–Himer
 
The allows any authenticated user to join a private group due to a missing authorization check on a function 2024-07-03 not yet calculated CVE-2024-2231
contact@wpscan.com
Unknown–Quiz and Survey Master (QSM) 
 
The Quiz and Survey Master (QSM) WordPress plugin before 9.0.2 does not validate and escape some of its Quiz fields before outputting them back in a page/post where the Quiz is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks 2024-07-01 not yet calculated CVE-2024-4934
contact@wpscan.com
vanna-ai–vanna-ai/vanna
 
vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as `pg_read_file()`. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like `/etc/passwd`, by exploiting the exposed SQL queries via a Python Flask API. 2024-07-05 not yet calculated CVE-2024-5753
security@huntr.dev

Back to top