High Vulnerabilities
Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
2code — wpqa_builder |
The WPQA Builder WordPress plugin before 6.1.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks | 2024-07-03 | 8.8 | CVE-2024-2376 contact@wpscan.com |
ABB–ASPECT Enterprise (ASP-ENT-x) |
Default credential in install package in ABB ASPECT; NEXUS Series; MATRIX Series version 3.07 allows attacker to login to product instances wrongly configured. | 2024-07-01 | 8.8 | CVE-2024-4007 cybersecurity@ch.abb.com |
Adobe–Acrobat for Edge |
Acrobat for Edge versions 126.0.2592.68 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-07-02 | 7.8 | CVE-2024-34122 psirt@adobe.com |
aimeos–ai-admin-graphql |
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue. | 2024-07-02 | 7.1 | CVE-2024-39323 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com |
Apache Software Foundation–Apache HTTP Server |
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL’s to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue. | 2024-07-01 | 7.5 | CVE-2024-39573 security@apache.org |
Arm Ltd–Valhall GPU Firmware |
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Arm Ltd Valhall GPU Firmware, Arm Ltd Arm 5th Gen GPU Architecture Firmware allows a local non-privileged user to make improper GPU processing operations to access a limited amount outside of buffer bounds. If the operations are carefully prepared, then this in turn could give them access to all system memory. This issue affects Valhall GPU Firmware: from r29p0 through r46p0; Arm 5th Gen GPU Architecture Firmware: from r41p0 through r46p0. | 2024-07-01 | 7.8 | CVE-2024-0153 arm-security@arm.com |
certifi–python-certifi |
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla’s trust store. `GLOBALTRUST`’s root certificates are being removed pursuant to an investigation which identified “long-running and unresolved compliance issues.” | 2024-07-05 | 7.5 | CVE-2024-39689 security-advisories@github.com security-advisories@github.com security-advisories@github.com |
CHANGING–Mobile One Time Password |
CHANGING Mobile One Time Password’s uploading function in a hidden page does not filter file type properly. Remote attackers with administrator privilege can exploit this vulnerability to upload and run malicious file to execute system commands. | 2024-07-01 | 7.2 | CVE-2024-3123 twcert@cert.org.tw twcert@cert.org.tw |
CocoaPods–CocoaPods |
trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used a rfc-822 library which executes a shell command to validate the email domain MX records validity. It works via an DNS MX. This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure. This issue was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. This RCE triggered a full user-session reset, as an attacker could have used this method to write to any Podspec in trunk. | 2024-07-01 | 10 | CVE-2024-38366 security-advisories@github.com security-advisories@github.com security-advisories@github.com |
CocoaPods–CocoaPods |
trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. A vulnerability affected older pods which migrated from the pre-2014 pull request workflow to trunk. If the pods had never been claimed then it was still possible to do so. It was also possible to have all owners removed from a pod, and that made the pod available for the same claiming system. This was patched server-side in commit 71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4 in September 2023. | 2024-07-01 | 9.3 | CVE-2024-38368 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com |
CocoaPods–CocoaPods |
trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, the trunk sessions verification step could be manipulated for owner session hijacking Compromising a victim’s session will result in a full takeover of the CocoaPods trunk account. The threat actor could manipulate their pod specifications, disrupt the distribution of legitimate libraries, or cause widespread disruption within the CocoaPods ecosystem. This was patched server-side with commit d4fa66f49cedab449af9a56a21ab40697b9f7b97 in October 2023. | 2024-07-01 | 8.2 | CVE-2024-38367 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com |
dahlia–fedify |
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the `@id` or other resources present within the activity it has received from the web. This activity could reference an `@id` that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server’s network. This applies to not just resolution of documents containing activities or objects, but also to media URLs as well. Specifically this is a Server Side Request Forgery attack. Users should upgrade to Fedify version 0.9.2, 0.10.1, or 0.11.1 to receive a patch for this issue. | 2024-07-05 | 7.2 | CVE-2024-39687 security-advisories@github.com security-advisories@github.com security-advisories@github.com |
Delinea–Centrify PAS |
Vulnerability in Delinea Centrify PAS v. 21.3 and possibly others. The application is prone to the path traversal vulnerability allowing arbitrary files reading outside the web publish directory. Versions 23.1-HF7 and on have the patch. | 2024-07-02 | 7.7 | CVE-2024-5865 vulnerability@kaspersky.com |
dell — powerscale_onefs |
Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.0 contain use of a broken or risky cryptographic algorithm vulnerability. An unprivileged network malicious attacker could potentially exploit this vulnerability, leading to data leaks. | 2024-07-02 | 7.5 | CVE-2024-32852 security_alert@emc.com |
dell — powerscale_onefs |
Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.2 contain an execution with unnecessary privileges vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. | 2024-07-02 | 7.8 | CVE-2024-32853 security_alert@emc.com |
discourse–discourse |
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, Oneboxing against a carefully crafted malicious URL can reduce the availability of a Discourse instance. The problem has been patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch. There are no known workarounds available for this vulnerability. | 2024-07-03 | 7.5 | CVE-2024-35227 security-advisories@github.com security-advisories@github.com security-advisories@github.com |
Edito–Edito CMS |
Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthenticated user. The issue in versions 3.5 – 3.25 was removed in releases which dates from 10th of January 2014. Higher versions were never affected. | 2024-07-02 | 7.5 | CVE-2024-4836 cvd@cert.pl cvd@cert.pl cvd@cert.pl |
evmos–evmos |
Evmos is a decentralized Ethereum Virtual Machine chain on the Cosmos Network. Prior to version 19.0.0, a user can create a vesting account with a 3rd party account (EOA or contract) as funder. Then, this user can create an authorization for the contract.CallerAddress, this is the authorization checked in the code. But the funds are taken from the funder address provided in the message. Consequently, the user can fund a vesting account with a 3rd party account without its permission. The funder address can be any address, so this vulnerability can be used to drain all the accounts in the chain. The issue has been patched in version 19.0.0. | 2024-07-05 | 8.8 | CVE-2024-39696 security-advisories@github.com security-advisories@github.com |
expresstech — quiz_and_survey_master |
The Quiz and Survey Master (QSM) WordPress plugin before 9.0.2 is vulnerable does not validate and escape the question_id parameter in the qsm_bulk_delete_question_from_database AJAX action, leading to a SQL injection exploitable by Contributors and above role | 2024-07-02 | 8.8 | CVE-2024-5606 contact@wpscan.com |
flowiseai — flowise |
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitization of the `fileName` body parameter. No known patches for this issue are available. | 2024-07-01 | 7.5 | CVE-2024-36420 security-advisories@github.com security-advisories@github.com |
flowiseai — flowise |
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated), arbitrary origins may be able to make requests to Flowise, stealing information from the user. This CORS misconfiguration may be chained with the path injection to allow an attacker attackers without access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. | 2024-07-01 | 7.5 | CVE-2024-36421 security-advisories@github.com security-advisories@github.com |
geoserver — geoserver |
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed. | 2024-07-01 | 9.8 | CVE-2024-36401 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com |
geoserver–geoserver |
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.5 and 2.24.3, if GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation in the GeoWebCache ByteStreamController class and read arbitrary classpath resources with specific file name extensions. If GeoServer is also deployed as a web archive using the data directory embedded in the `geoserver.war` file (rather than an external data directory), it will likely be possible to read specific resources to gain administrator privileges. However, it is very unlikely that production environments will be using the embedded data directory since, depending on how GeoServer is deployed, it will be erased and re-installed (which would also reset to the default password) either every time the server restarts or every time a new GeoServer WAR is installed and is therefore difficult to maintain. An external data directory will always be used if GeoServer is running in standalone mode (via an installer or a binary). Versions 2.23.5 and 2.24.3 contain a patch for the issue. Some workarounds are available. One may change from a Windows environment to a Linux environment; or change from Apache Tomcat to Jetty application server. One may also disable anonymous access to the embeded GeoWebCache administration and status pages. | 2024-07-01 | 7.5 | CVE-2024-24749 security-advisories@github.com security-advisories@github.com security-advisories@github.com |
geotools–geotools |
GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one’s application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications. | 2024-07-02 | 9.8 | CVE-2024-36404 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com |
gofiber–fiber |
Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber’s session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: Either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies. | 2024-07-01 | 10 | CVE-2024-38513 security-advisories@github.com security-advisories@github.com |
gorilla–schema |
gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{…}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue. | 2024-07-01 | 7.5 | CVE-2024-37298 security-advisories@github.com security-advisories@github.com security-advisories@github.com |
Grandstream–GXP2135 |
An os command injection vulnerability exists in the CWMP SelfDefinedTimeZone functionality of Grandstream GXP2135 1.0.9.129, 1.0.11.74 and 1.0.11.79. A specially crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability. | 2024-07-03 | 8.1 | CVE-2024-32937 talos-cna@cisco.com |
Hitachi–JP1/Extensible SNMP Agent for Windows |
Incorrect Default Permissions vulnerability in Hitachi JP1/Extensible SNMP Agent for Windows, Hitachi JP1/Extensible SNMP Agent on Windows, Hitachi Job Management Partner1/Extensible SNMP Agent on Windows allows File Manipulation.This issue affects JP1/Extensible SNMP Agent for Windows: from 12-00 before 12-00-01, from 11-00 through 11-00-*; JP1/Extensible SNMP Agent: from 10-10 through 10-10-01, from 10-00 through 10-00-02, from 09-00 through 09-00-04; Job Management Partner1/Extensible SNMP Agent: from 10-10 through 10-10-01, from 10-00 through 10-00-02, from 09-00 through 09-00-04. | 2024-07-02 | 7.8 | CVE-2024-4679 hirt@hitachi.co.jp |
home_owners_collection_management_system_project — home_owners_collection_management_system |
A vulnerability was found in SourceCodester Home Owners Collection Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /classes/Users.php?f=save. The manipulation of the argument img leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270167. | 2024-07-02 | 9.8 | CVE-2024-6439 cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
home_owners_collection_management_system_project — home_owners_collection_management_system |
A vulnerability was found in SourceCodester Home Owners Collection Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /classes/Master.php?f=delete_category. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-270168. | 2024-07-02 | 9.8 | CVE-2024-6440 cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
icegram — email_subscribers_&_newsletters |
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2024-07-02 | 9.8 | CVE-2024-6172 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
ICONICS–GENESIS64 |
Uncontrolled Search Path Element vulnerability in ICONICS GENESIS64 all versions, Mitsubishi Electric GENESIS64 all versions and Mitsubishi Electric MC Works64 all versions allows a local attacker to execute a malicious code by storing a specially crafted DLL in a specific folder when GENESIS64 and MC Works64 are installed with the Pager agent in the alarm multi-agent notification feature. | 2024-07-04 | 7 | CVE-2024-1182 Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp |
Johnson Controls–American Dynamics Illustra Essentials Gen 4 |
Under certain circumstances the web interface will accept characters unrelated to the expected input. | 2024-07-02 | 9.1 | CVE-2024-32755 productsecurity@jci.com productsecurity@jci.com |
jungo — windriver |
Improper privilege management in Jungo WinDriver before 12.1.0 allows local attackers to escalate privileges and execute arbitrary code. | 2024-07-02 | 7.8 | CVE-2023-51776 cve@mitre.org cve@mitre.org cve@mitre.org |
jungo — windriver |
Improper privilege management in Jungo WinDriver before 12.5.1 allows local attackers to escalate privileges, execute arbitrary code, or cause a Denial of Service (DoS). | 2024-07-02 | 7.8 | CVE-2024-22106 cve@mitre.org cve@mitre.org cve@mitre.org |
jungo — windriver |
Improper privilege management in Jungo WinDriver before 12.2.0 allows local attackers to escalate privileges and execute arbitrary code. | 2024-07-02 | 7.8 | CVE-2024-25086 cve@mitre.org cve@mitre.org cve@mitre.org |
jungo — windriver |
Improper privilege management in Jungo WinDriver before 12.5.1 allows local attackers to escalate privileges and execute arbitrary code. | 2024-07-02 | 7.8 | CVE-2024-25088 cve@mitre.org cve@mitre.org cve@mitre.org |
jungo — windriver |
Improper privilege management in Jungo WinDriver 6.0.0 through 16.1.0 allows local attackers to escalate privileges and execute arbitrary code. | 2024-07-02 | 7.8 | CVE-2024-26314 cve@mitre.org cve@mitre.org cve@mitre.org |
Juniper Networks–Junos OS |
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device receives specific valid traffic destined to the device, it will cause the PFE to crash and restart. Continued receipt and processing of this traffic will create a sustained DoS condition. This issue affects Junos OS on SRX Series: * 21.4 versions before 21.4R3-S7.9, * 22.1 versions before 22.1R3-S5.3, * 22.2 versions before 22.2R3-S4.11, * 22.3 versions before 22.3R3, * 22.4 versions before 22.4R3. Junos OS versions prior to 21.4R1 are not affected by this issue. | 2024-07-01 | 7.5 | CVE-2024-21586 sirt@juniper.net |
Kiloview–P1/P2 |
Inadequate input validation exposes the system to potential remote code execution (RCE) risks. Attackers can exploit this vulnerability by appending shell commands to the Speed-Measurement feature, enabling unauthorized code execution. | 2024-07-02 | 10 | CVE-2023-41917 cert@ncsc.nl |
Kiloview–P1/P2 |
A vulnerability allows unauthorized access to functionality inadequately constrained by ACLs. Attackers may exploit this to unauthenticated execute commands potentially leading to unauthorized data manipulation, access to privileged functions, or even the execution of arbitrary code. | 2024-07-02 | 10 | CVE-2023-41918 cert@ncsc.nl |
Kiloview–P1/P2 |
Hardcoded credentials are discovered within the application’s source code, creating a potential security risk for unauthorized access. | 2024-07-02 | 9.8 | CVE-2023-41919 cert@ncsc.nl |
Kiloview–P1/P2 |
The vulnerability allows attackers access to the root account without having to authenticate. Specifically, if the device is configured with the IP address of 10.10.10.10, the root user is automatically logged in. | 2024-07-02 | 9.8 | CVE-2023-41920 cert@ncsc.nl |
Kiloview–P1/P2 |
A vulnerability allows attackers to download source code or an executable from a remote location and execute the code without sufficiently verifying the origin and integrity of the code. This vulnerability can allow attackers to modify the firmware before uploading it to the system, thus achieving the modification of the target’s integrity to achieve an insecure state. | 2024-07-02 | 9.8 | CVE-2023-41921 cert@ncsc.nl |
Kiloview–P1/P2 |
The webserver utilizes basic authentication for its user login to the configuration interface. As encryption is disabled on port 80, it enables potential eavesdropping on user traffic, making it possible to intercept their credentials. | 2024-07-02 | 8.8 | CVE-2023-41926 cert@ncsc.nl |
Kiloview–P1/P2 |
The user management section of the web application permits the creation of user accounts with excessively weak passwords, including single-character passwords. | 2024-07-02 | 7.2 | CVE-2023-41923 cert@ncsc.nl |
kylephillips — nested_pages |
The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the ‘settingsPage’ function and missing santization of the ‘tab’ parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2024-07-04 | 8.8 | CVE-2024-5943 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
LA-Studio–LA-Studio Element Kit for Elementor |
Local File Inclusion vulnerability in LA-Studio LA-Studio Element Kit for Elementor via “LaStudioKit Progress Bar” widget in New Post, specifically in the “progress_type” attribute.This issue affects LA-Studio Element Kit for Elementor: from n/a through 1.3.8.1. | 2024-07-02 | 8.5 | CVE-2024-37479 audit@patchstack.com |
la-studioweb — element_kit_for_elementor |
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.8.1 via the ‘map_style’ parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | 2024-07-02 | 8.8 | CVE-2024-5349 security@wordfence.com security@wordfence.com |
livemeshelementor — addons_for_elementor |
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.3.7 via several of the plugin’s widgets through the ‘style’ attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | 2024-07-04 | 8.8 | CVE-2024-2385 security@wordfence.com security@wordfence.com security@wordfence.com |
mastodon–mastodon |
Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue. | 2024-07-05 | 8.2 | CVE-2024-37903 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com |
MediaTek, Inc.–MT2731, MT6739, MT6761, MT6762, MT6763, MT6765, MT6767, MT6768, MT6769, MT6771, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788 |
In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01297806; Issue ID: MSV-1481. | 2024-07-01 | 7.5 | CVE-2024-20076 security@mediatek.com |
MediaTek, Inc.–MT2731, MT6739, MT6761, MT6762, MT6763, MT6765, MT6767, MT6768, MT6769, MT6771, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788 |
In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01297807; Issue ID: MSV-1482. | 2024-07-01 | 7.5 | CVE-2024-20077 security@mediatek.com |
MediaTek, Inc.–MT6768, MT6779, MT8321, MT8385, MT8755, MT8765, MT8766, MT8768, MT8771, MT8775, MT8781, MT8786, MT8788, MT8789, MT8791T, MT8792, MT8795T, MT8796, MT8797, MT8798 |
In venc, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08737250; Issue ID: MSV-1452. | 2024-07-01 | 9.8 | CVE-2024-20078 security@mediatek.com |
mesbook — mesbook |
Information exposure vulnerability in MESbook 20221021.03 version, the exploitation of which could allow a local attacker, with user privileges, to access different resources by changing the API value of the application. | 2024-07-03 | 7.1 | CVE-2024-6426 cve-coordination@incibe.es |
mesbook — mesbook |
Uncontrolled Resource Consumption vulnerability in MESbook 20221021.03 version. An unauthenticated remote attacker can use the “message” parameter to inject a payload with dangerous JavaScript code, causing the application to loop requests on itself, which could lead to resource consumption and disable the application. | 2024-07-03 | 7.5 | CVE-2024-6427 cve-coordination@incibe.es |
MESbook–MESbook |
External server-side request vulnerability in MESbook 20221021.03 version, which could allow a remote, unauthenticated attacker to exploit the endpoint “/api/Proxy/Post?userName=&password=&uri=<FILE|INTERNAL URL|IP/HOST” or “/api/Proxy/Get?userName=&password=&uri=<ARCHIVO|URL INTERNA|IP/HOST” to read the source code of web files, read internal files or access network resources. | 2024-07-01 | 9.3 | CVE-2024-6424 cve-coordination@incibe.es |
MESbook–MESbook |
Incorrect Provision of Specified Functionality vulnerability in MESbook 20221021.03 version. An unauthenticated remote attacker can register user accounts without being authenticated from the route “/account/Register/” and in the parameters “UserName=<RANDOMUSER>&Password=<PASSWORD>&ConfirmPassword=<PASSWORD-REPEAT>”. | 2024-07-01 | 9.1 | CVE-2024-6425 cve-coordination@incibe.es |
Mitsubishi Electric Corporation–MELIPC Series MI5122-VW |
Incorrect Default Permissions vulnerability in Smart Device Communication Gateway preinstalled on MELIPC Series MI5122-VW firmware versions “05” to “07” allows a local attacker to execute arbitrary code by saving a malicious file to a specific folder. As a result, the attacker may disclose, tamper with, destroy or delete information in the product, or cause a denial-of-service (DoS) condition on the product. | 2024-07-04 | 8.8 | CVE-2024-3904 Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp |
mongodb — compass |
MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass’ connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2. | 2024-07-01 | 9.8 | CVE-2024-6376 cna@mongodb.com |
MRW–MRW plugin |
Information exposure vulnerability in the MRW plugin, in its 5.4.3 version, affecting the “mrw_log” functionality. This vulnerability could allow a remote attacker to obtain other customers’ order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels. | 2024-07-04 | 8.2 | CVE-2024-6506 cve-coordination@incibe.es |
mySCADA–myPRO |
mySCADA myPRO uses a hard-coded password which could allow an attacker to remotely execute code on the affected device. | 2024-07-02 | 9.8 | CVE-2024-4708 ics-cert@hq.dhs.gov |
N-able–N-central |
The N-central server is vulnerable to an authentication bypass of the user interface. This vulnerability is present in all deployments of N-central prior to 2024.2. This vulnerability was discovered through internal N-central source code review and N-able has not observed any exploitation in the wild. | 2024-07-01 | 9.1 | CVE-2024-28200 a5532a13-c4dd-4202-bef1-e0b8f2f8d12b |
N-able–N-central |
The N-central server is vulnerable to session rebinding of already authenticated users when using Entra SSO, which can lead to authentication bypass. This vulnerability is present in all Entra-supported deployments of N-central prior to 2024.3. | 2024-07-01 | 9.1 | CVE-2024-5322 a5532a13-c4dd-4202-bef1-e0b8f2f8d12b |
N/A–N/A |
Command injection when ingesting a remote Kaggle dataset due to a lack of input sanitization in the ingest_kaggle() API. | 2024-07-04 | 8.1 | CVE-2024-6507 reefs@jfrog.com |
n/a–n/a |
rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function empty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | 9.8 | CVE-2024-38993 cve@mitre.org |
n/a–n/a |
ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | 9.8 | CVE-2024-38996 cve@mitre.org |
n/a–n/a |
cafebazaar hod v0.4.14 was discovered to contain a prototype pollution via the function request. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | 9.8 | CVE-2024-39015 cve@mitre.org |
n/a–n/a |
agreejs shared v0.0.1 was discovered to contain a prototype pollution via the function mergeInternalComponents. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | 9.8 | CVE-2024-39017 cve@mitre.org |
n/a–n/a |
Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. | 2024-07-01 | 9.8 | CVE-2024-39236 cve@mitre.org |
n/a–n/a |
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected. | 2024-07-04 | 9.9 | CVE-2024-39930 cve@mitre.org |
n/a–n/a |
Gogs through 0.13.0 allows deletion of internal files. | 2024-07-04 | 9.9 | CVE-2024-39931 cve@mitre.org |
n/a–n/a |
Gogs through 0.13.0 allows argument injection during the previewing of changes. | 2024-07-04 | 9.9 | CVE-2024-39932 cve@mitre.org |
n/a–n/a |
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js). | 2024-07-04 | 9.9 | CVE-2024-39943 cve@mitre.org |
n/a–n/a |
akbr patch-into v1.0.1 was discovered to contain a prototype pollution via the function patchInto. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | 8.8 | CVE-2024-38991 cve@mitre.org |
n/a–n/a |
airvertco frappejs v0.0.11 was discovered to contain a prototype pollution via the function registerView. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | 8.8 | CVE-2024-38992 cve@mitre.org |
n/a–n/a |
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function config. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | 8.4 | CVE-2024-38998 cve@mitre.org |
n/a–n/a |
che3vinci c3/utils-1 1.0.131 was discovered to contain a prototype pollution via the function assign. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | 8.1 | CVE-2024-39016 cve@mitre.org |
n/a–n/a |
An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed. | 2024-07-04 | 8.6 | CVE-2024-39936 cve@mitre.org |
n/a–n/a |
supOS 5.0 allows api/image/download?fileName=../ directory traversal for reading files. | 2024-07-04 | 8.6 | CVE-2024-39937 cve@mitre.org |
n/a–n/a |
amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | 7.3 | CVE-2024-38994 cve@mitre.org |
n/a–n/a |
amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function setValue. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | 7.3 | CVE-2024-39003 cve@mitre.org |
n/a–n/a |
Gogs through 0.13.0 allows argument injection during the tagging of a new release. | 2024-07-04 | 7.7 | CVE-2024-39933 cve@mitre.org |
n/a–n/a |
Robotmk before 2.0.1 allows a local user to escalate privileges (e.g., to SYSTEM) if automated Python environment setup is enabled, because the “shared holotree usage” feature allows any user to edit any Python environment. | 2024-07-04 | 7.8 | CVE-2024-39934 cve@mitre.org |
openbsd — openssh |
A security regression (CVE-2006-5051) was discovered in OpenSSH’s server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. | 2024-07-01 | 8.1 | CVE-2024-6387 secalert@redhat.com |
openharmony — openharmony |
In OpenHarmony v4.0.0 and prior versions, a remote attacker can achieve arbitrary code execution in pre-installed apps through out-of-bounds read and write. | 2024-07-02 | 9.8 | CVE-2024-36243 scy@openharmony.io |
openharmony — openharmony |
In OpenHarmony v4.0.0 and prior versions, a remote attacker can achieve arbitrary code execution in pre-installed apps through out-of-bounds write. | 2024-07-02 | 9.8 | CVE-2024-36260 scy@openharmony.io |
openharmony — openharmony |
In OpenHarmony v4.0.0 and prior versions, a remote attacker can achieve arbitrary code execution in pre-installed apps through use after free. | 2024-07-02 | 9.8 | CVE-2024-37030 scy@openharmony.io |
openharmony — openharmony |
In OpenHarmony v4.0.0 and prior versions, a remote attacker can achieve arbitrary code execution in pre-installed apps through out-of-bounds write. | 2024-07-02 | 9.8 | CVE-2024-37077 scy@openharmony.io |
openharmony — openharmony |
In OpenHarmony v4.0.0 and prior versions, a remote attacker can achieve arbitrary code execution in pre-installed apps through out-of-bounds write. | 2024-07-02 | 9.8 | CVE-2024-37185 scy@openharmony.io |
parse-community–parse-server |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available. | 2024-07-01 | 9.8 | CVE-2024-39309 security-advisories@github.com |
pi-hole–pi-hole |
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. Version 5.18.3 contains a patch for this issue. | 2024-07-05 | 8.5 | CVE-2024-34361 security-advisories@github.com |
playsms — playsms |
A vulnerability was found in playSMS 1.4.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php?app=main&inc=feature_firewall&op=firewall_list of the component Template Handler. The manipulation of the argument IP address with the input {{`id`} leads to injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-270277 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2024-07-03 | 8.8 | CVE-2024-6469 cna@vuldb.com |
qualcomm — 315_5g_iot_modem_firmware |
Memory corruption while performing finish HMAC operation when context is freed by keymaster. | 2024-07-01 | 7.8 | CVE-2024-21461 product-security@qualcomm.com |
qualcomm — 315_5g_iot_modem_firmware |
Memory corruption when an IOMMU unmap operation fails and the DMA and anon buffers are released. | 2024-07-01 | 7.8 | CVE-2024-23373 product-security@qualcomm.com |
qualcomm — 9205_lte_modem_firmware |
Memory corruption while processing key blob passed by the user. | 2024-07-01 | 7.8 | CVE-2024-21465 product-security@qualcomm.com |
qualcomm — 9205_lte_modem_firmware |
Memory corruption when an invoke call and a TEE call are bound for the same trusted application. | 2024-07-01 | 7.8 | CVE-2024-21469 product-security@qualcomm.com |
qualcomm — apq8064au_firmware |
Memory corruption when allocating and accessing an entry in an SMEM partition. | 2024-07-01 | 7.8 | CVE-2024-23368 product-security@qualcomm.com |
qualcomm — ar8035_firmware |
Information disclosure while handling Multi-link IE in beacon frame. | 2024-07-01 | 7.5 | CVE-2024-21457 product-security@qualcomm.com |
qualcomm — ar8035_firmware |
Information disclosure while handling SA query action frame. | 2024-07-01 | 7.5 | CVE-2024-21458 product-security@qualcomm.com |
qualcomm — csr8811_firmware |
Memory corruption during the secure boot process: when the `bootm` command is used, it bypasses the authentication of the kernel/rootfs image. | 2024-07-01 | 7.8 | CVE-2024-21482 product-security@qualcomm.com |
qualcomm — fastconnect_6200_firmware |
Memory corruption while invoking an IOCTL call for GPU memory allocation when the size parameter is greater than the expected size. | 2024-07-01 | 7.8 | CVE-2024-23372 product-security@qualcomm.com |
qualcomm — fastconnect_6200_firmware |
Memory corruption while handling user packets during VBO bind operation. | 2024-07-01 | 7.8 | CVE-2024-23380 product-security@qualcomm.com |
qualcomm — fastconnect_7800_firmware |
Information disclosure while parsing sub-IE length during new IE generation. | 2024-07-01 | 7.5 | CVE-2024-21466 product-security@qualcomm.com |
Qualcomm, Inc.–Snapdragon |
Memory corruption while processing IOCTL handler in FastRPC. | 2024-07-01 | 8.4 | CVE-2023-43554 product-security@qualcomm.com |
Red Hat–Red Hat Enterprise Linux 9 |
A flaw was found in the QEMU disk image utility (qemu-img) ‘info’ command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file. | 2024-07-02 | 7.8 | CVE-2024-4467 secalert@redhat.com |
Red Lion Europe–mbNET.mini |
A high privileged remote attacker can execute arbitrary system commands via GET requests due to improper neutralization of special elements used in an OS command. | 2024-07-03 | 7.2 | CVE-2024-5672 info@cert.vde.com |
Routing Release–Routing Release |
Security check loophole in HAProxy release (in combination with routing release) in Cloud Foundry prior to v40.17.0 potentially allows bypass of mTLS authentication to applications hosted on Cloud Foundry. | 2024-07-03 | 9 | CVE-2024-37082 security@vmware.com |
samsung — android |
Improper input validation in BLE prior to SMR Jul-2024 Release 1 allows adjacent attackers to trigger abnormal behavior. | 2024-07-02 | 8.8 | CVE-2024-20890 mobile.security@samsung.com |
samsung — android |
Improper input validation in parsing and distributing RTCP packet in librtp.so prior to SMR Jul-2024 Release 1 allows remote attackers to execute arbitrary code with system privilege. User interaction is required for triggering this vulnerability. | 2024-07-02 | 8.8 | CVE-2024-34593 mobile.security@samsung.com |
samsung — android |
Improper access control in OneUIHome prior to SMR Jul-2024 Release 1 allows local attackers to launch privileged activities. User interaction is required for triggering this vulnerability. | 2024-07-02 | 7.8 | CVE-2024-20888 mobile.security@samsung.com |
samsung — android |
Improper access control in launchFullscreenIntent of SystemUI prior to SMR Jul-2024 Release 1 allows local attackers to launch privileged activities. | 2024-07-02 | 7.8 | CVE-2024-20891 mobile.security@samsung.com |
samsung — android |
Improper verification of signature in FilterProvider prior to SMR Jul-2024 Release 1 allows local attackers to execute privileged behaviors. User interaction is required for triggering this vulnerability. | 2024-07-02 | 7.8 | CVE-2024-20892 mobile.security@samsung.com |
samsung — android |
Improper input validation in libmediaextractorservice.so prior to SMR Jul-2024 Release 1 allows local attackers to trigger memory corruption. | 2024-07-02 | 7.8 | CVE-2024-20893 mobile.security@samsung.com |
samsung — android |
Improper input validation in copying data to buffer cache in libsaped prior to SMR Jul-2024 Release 1 allows local attackers to write out-of-bounds memory. | 2024-07-02 | 7.8 | CVE-2024-20901 mobile.security@samsung.com |
samsung — android |
Improper access control in launchApp of SystemUI prior to SMR Jul-2024 Release 1 allows local attackers to launch privileged activities. | 2024-07-02 | 7.8 | CVE-2024-34585 mobile.security@samsung.com |
samsung — android |
Improper access control in clickAdapterItem of SystemUI prior to SMR Jul-2024 Release 1 allows local attackers to launch privileged activities. | 2024-07-02 | 7.8 | CVE-2024-34595 mobile.security@samsung.com |
samsung — smartthings |
Improper authentication in SmartThings prior to version 1.8.17 allows remote attackers to bypass the expiration date for members set by the owner. | 2024-07-02 | 7.5 | CVE-2024-34596 mobile.security@samsung.com |
sitetweet_project — sitetweet |
The sitetweet WordPress plugin through 0.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 2024-07-02 | 8.8 | CVE-2024-5767 contact@wpscan.com |
Splunk–Splunk Enterprise |
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an authenticated user could create an external lookup that calls a legacy internal function. The authenticated user could use this internal function to insert code into the Splunk platform installation directory. From there, the user could execute arbitrary code on the Splunk platform instance. | 2024-07-01 | 8 | CVE-2024-36983 prodsec@splunk.com |
Splunk–Splunk Enterprise |
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, an authenticated user could execute a specially crafted query that they could then use to serialize untrusted data. The attacker could use the query to execute arbitrary code. | 2024-07-01 | 8.8 | CVE-2024-36984 prodsec@splunk.com |
Splunk–Splunk Enterprise |
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or power Splunk roles could cause a Remote Code Execution through an external lookup that references the “splunk_archiver” application. | 2024-07-01 | 8.8 | CVE-2024-36985 prodsec@splunk.com |
Splunk–Splunk Enterprise |
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312, an admin user could store and execute arbitrary JavaScript code in the browser context of another Splunk user through the conf-web/settings REST endpoint. This could potentially cause a persistent cross-site scripting (XSS) exploit. | 2024-07-01 | 8.1 | CVE-2024-36997 prodsec@splunk.com |
Splunk–Splunk Enterprise |
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an attacker could trigger a null pointer reference on the cluster/config REST endpoint, which could result in a crash of the Splunk daemon. | 2024-07-01 | 7.5 | CVE-2024-36982 prodsec@splunk.com |
Splunk–Splunk Enterprise |
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, a low-privileged user that does not hold the admin or power Splunk roles could create notifications in Splunk Web Bulletin Messages that all users on the instance receive. | 2024-07-01 | 7.1 | CVE-2024-36989 prodsec@splunk.com |
Splunk–Splunk Enterprise |
In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows. | 2024-07-01 | 7.5 | CVE-2024-36991 prodsec@splunk.com |
Theme-Ruby–Foxiz |
Server-Side Request Forgery (SSRF) vulnerability in Theme-Ruby Foxiz. This issue affects Foxiz: from n/a through 2.3.5. | 2024-07-06 | 7.2 | CVE-2024-37260 audit@patchstack.com |
traefik–traefik |
Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available. | 2024-07-05 | 7.5 | CVE-2024-39321 security-advisories@github.com |
wbolt — imgspider |
The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘upload_img_file’ function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2024-07-04 | 8.8 | CVE-2024-6318 security@wordfence.com |
wbolt — imgspider |
The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘upload’ function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2024-07-04 | 8.8 | CVE-2024-6319 security@wordfence.com |
WofficeIO–Woffice |
Cross Site Scripting (XSS) vulnerability in WofficeIO Woffice allows Reflected XSS. This issue affects Woffice: from n/a through 5.4.8. | 2024-07-04 | 7.1 | CVE-2024-37472 audit@patchstack.com |
WofficeIO–Woffice Core |
Cross Site Scripting (XSS) vulnerability in WofficeIO Woffice Core allows Reflected XSS. This issue affects Woffice Core: from n/a through 5.4.8. | 2024-07-04 | 7.1 | CVE-2024-37471 audit@patchstack.com |
yt-dlp–yt-dlp |
`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions, `yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on Windows executables will be executed from the `yt-dlp` or `youtube-dl` directory), this could lead to arbitrary code being executed. `yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. `youtube-dl` fixes this issue in commit `d42a222` on the `master` branch and in nightly builds tagged 2024-07-03 or later. This might mean some very uncommon extensions might not get downloaded, however it will also limit the possible exploitation surface. In addition to upgrading, have `.%(ext)s` at the end of the output template and make sure the user trusts the websites that they are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like one’s user directory, `system32`, or other binaries locations. For users who are not able to upgrade, keep the default output template (`-o "%(title)s [%(id)s].%(ext)s"`); make sure the extension of the media to download is a common video/audio/sub/… one; try to avoid the generic extractor; and/or use `--ignore-config --config-location …` to not load config from common locations. | 2024-07-02 | 7.8 | CVE-2024-38519 security-advisories@github.com |
Medium Vulnerabilities
Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
2code — himer |
The Himer WordPress theme before 2.1.1 does not sanitise and escape some of its Post settings, which could allow high privilege users such as Contributor to perform Stored Cross-Site Scripting attacks. | 2024-07-03 | 5.4 | CVE-2024-2234 contact@wpscan.com |
2code — himer |
The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make users join private groups via a CSRF attack. | 2024-07-03 | 4.3 | CVE-2024-2040 contact@wpscan.com |
2code — himer |
The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. These include declining and accepting group invitations or leaving a group. | 2024-07-03 | 4.3 | CVE-2024-2233 contact@wpscan.com |
2code — himer |
The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make users vote on any polls, including those they don’t have access to, via a CSRF attack. | 2024-07-03 | 4.3 | CVE-2024-2235 contact@wpscan.com |
2code — wpqa_builder |
The WPQA Builder WordPress plugin before 6.1.1 does not sanitise and escape some of its Slider settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks. | 2024-07-03 | 5.4 | CVE-2024-2375 contact@wpscan.com |
aimeos–ai-admin-jsonadm |
aimeos/ai-admin-jsonadm is the Aimeos e-commerce JSON API for administrative tasks. In versions prior to 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2, improper access control allows editors to remove admin group and locale configuration in the Aimeos backend. Versions 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2 contain a fix for the issue. | 2024-07-02 | 5.5 | CVE-2024-39322 security-advisories@github.com |
aimeos–ai-controller-frontend |
aimeos/ai-controller-frontend is the Aimeos frontend controller. Prior to versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, aimeos/ai-controller-frontend doesn’t reset the payment status of a user’s basket after the user completes a purchase. Versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15 fix this issue. | 2024-07-02 | 5.3 | CVE-2024-39325 security-advisories@github.com |
apollo13themes — rife_elementor_extensions_&_templates |
The Rife Elementor Extensions & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tag’ attribute within the plugin’s Writing Effect Headline widget in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-02 | 5.4 | CVE-2024-5504 security@wordfence.com |
Automattic–Newspack Ads |
Cross Site Scripting (XSS) vulnerability in Automattic Newspack Ads allows Stored XSS. This issue affects Newspack Ads: from n/a through 1.47.1. | 2024-07-04 | 6.5 | CVE-2024-37474 audit@patchstack.com |
Automattic–Newspack Campaigns |
Cross Site Scripting (XSS) vulnerability in Automattic Newspack Campaigns allows Stored XSS. This issue affects Newspack Campaigns: from n/a through 2.31.1. | 2024-07-04 | 6.5 | CVE-2024-37476 audit@patchstack.com |
Axelerant–Testimonials Widget |
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Axelerant Testimonials Widget allows Stored XSS. This issue affects Testimonials Widget: from n/a through 4.0.4. | 2024-07-06 | 6.5 | CVE-2024-37553 audit@patchstack.com |
biplob018–Image Hover Effects – Caption Hover with Carousel |
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in biplob018 Image Hover Effects – Caption Hover with Carousel allows Stored XSS. This issue affects Image Hover Effects – Caption Hover with Carousel: from n/a through 3.0.2. | 2024-07-06 | 6.5 | CVE-2024-37546 audit@patchstack.com |
boot_store_project — boot_store |
The Boot Store theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme’s Button shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-02 | 5.4 | CVE-2024-5938 security@wordfence.com |
cedcommerce — one_click_order_re-order |
The One Click Order Re-Order plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘ced_ocor_save_general_setting’ function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the plugin settings, including adding stored cross-site scripting. | 2024-07-04 | 5.4 | CVE-2024-5641 security@wordfence.com |
CHANGING–Mobile One Time Password |
CHANGING Mobile One Time Password does not properly filter parameters for the file download functionality, allowing remote attackers with administrator privilege to read arbitrary file on the system. | 2024-07-01 | 4.9 | CVE-2024-3122 twcert@cert.org.tw |
Checkmk GmbH–Checkmk |
Stored XSS in Checkmk before versions 2.3.0p8, 2.2.0p29, 2.1.0p45, and 2.0.0 (EOL) allows users to execute arbitrary scripts by injecting HTML elements. | 2024-07-03 | 6.5 | CVE-2024-6052 security@checkmk.com |
Checkmk GmbH–Checkmk |
Improper neutralization of input in Checkmk before versions 2.3.0p8, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows attackers to craft malicious links that can facilitate phishing attacks. | 2024-07-02 | 4.3 | CVE-2024-38857 security@checkmk.com |
cisco — nx-os |
A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root. Note: To successfully exploit this vulnerability on a Cisco NX-OS device, an attacker must have Administrator credentials. | 2024-07-01 | 6.7 | CVE-2024-20399 ykramarz@cisco.com |
CodeAstrology Team–UltraAddons Elementor Lite (Header & Footer Builder, Menu Builder, Cart Icon, Shortcode) |
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in CodeAstrology Team UltraAddons Elementor Lite (Header & Footer Builder, Menu Builder, Cart Icon, Shortcode). This issue affects UltraAddons Elementor Lite (Header & Footer Builder, Menu Builder, Cart Icon, Shortcode): from n/a through 1.1.6. | 2024-07-06 | 6.5 | CVE-2024-37554 audit@patchstack.com |
coderberg — residencecms |
A stored cross-site scripting (XSS) vulnerability exists in ResidenceCMS 2.10.1 that allows a low-privilege user to create malicious property content with HTML inside which acts as a stored XSS payload. | 2024-07-02 | 5.4 | CVE-2024-39143 cve@mitre.org |
davidlingren — media_library_assistant |
The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the order parameter in all versions up to, and including, 3.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-07-02 | 6.1 | CVE-2024-5544 security@wordfence.com |
Delinea–Centrify PAS |
Vulnerability in Delinea Centrify PAS v. 21.3 and possibly others. The application is prone to a path traversal vulnerability allowing listing of arbitrary directories outside the root directory of the web application. Versions 23.1-HF7 and on have the patch. | 2024-07-02 | 5 | CVE-2024-5866 vulnerability@kaspersky.com |
dell — powerscale_onefs |
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contain an improper privilege management vulnerability. A local high privilege attacker could potentially exploit this vulnerability, leading to privilege escalation. | 2024-07-02 | 6.7 | CVE-2024-32854 security_alert@emc.com |
dell — powerscale_onefs |
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contain an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to unauthorized gain of root-level access. | 2024-07-02 | 6.7 | CVE-2024-37126 security_alert@emc.com |
dell — powerscale_onefs |
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contain an incorrect privilege assignment vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Denial of service and Elevation of privileges. | 2024-07-02 | 6.7 | CVE-2024-37132 security_alert@emc.com |
dell — powerscale_onefs |
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contain an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to unauthorized gain of root-level access. | 2024-07-02 | 6.7 | CVE-2024-37133 security_alert@emc.com |
dell — powerscale_onefs |
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contain an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability to gain root-level access. | 2024-07-02 | 6.7 | CVE-2024-37134 security_alert@emc.com |
Dell–CPG BIOS |
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with admin privileges may potentially exploit this vulnerability to modify a UEFI variable, leading to denial of service and escalation of privileges. | 2024-07-02 | 5.1 | CVE-2024-0158 security_alert@emc.com |
Delower–WP To Do |
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Delower WP To Do allows Stored XSS. This issue affects WP To Do: from n/a through 1.3.0. | 2024-07-06 | 6.5 | CVE-2024-37539 audit@patchstack.com |
discourse–discourse |
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, a malicious actor could get the FastImage library to redirect requests to an internal Discourse IP. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. No known workarounds are available. | 2024-07-03 | 6.4 | CVE-2024-37157 security-advisories@github.com |
discourse–discourse |
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, an attacker can execute arbitrary JavaScript on users’ browsers by posting a specific URL containing maliciously crafted meta tags. This issue only affects sites with Content Security Policy (CSP) disabled. The problem has been patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch. As a workaround, ensure CSP is enabled on the forum. | 2024-07-03 | 4.2 | CVE-2024-35234 security-advisories@github.com |
discourse–discourse |
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch, a rogue staff user could suspend other staff users preventing them from logging in to the site. The issue is patched in version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch. No known workarounds are available. | 2024-07-03 | 4.9 | CVE-2024-36113 security-advisories@github.com |
dotcamp — ultimate_blocks |
The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the title tag parameter in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-02 | 5.4 | CVE-2024-3513 security@wordfence.com |
dotcamp — ultimate_blocks |
The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s blocks in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-02 | 5.4 | CVE-2024-4268 security@wordfence.com |
envoyproxy–envoy |
Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7, Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be immediately apparent if it was configured. Memory allocated for holding attribute values is freed after the configuration was parsed. During request processing Envoy will attempt to copy the content of de-allocated memory into the request cookie header. This can lead to arbitrary content of Envoy’s memory being sent to the upstream service or to abnormal process termination. This vulnerability is fixed in Envoy versions v1.30.4, v1.29.7, v1.28.5, and v1.27.7. As a workaround, do not use cookie attributes in route action hash policy. | 2024-07-01 | 6.5 | CVE-2024-39305 security-advisories@github.com |
ethyca–fides |
Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available. | 2024-07-03 | 5.3 | CVE-2024-31223 security-advisories@github.com |
flowiseai — flowise |
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `api/v1/chatflows/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. | 2024-07-01 | 6.1 | CVE-2024-36422 security-advisories@github.com |
FlowiseAI–Flowise |
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/public-chatflows/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. | 2024-07-01 | 6.1 | CVE-2024-36423 security-advisories@github.com |
FlowiseAI–Flowise |
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/chatflows-streaming/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. | 2024-07-01 | 6.1 | CVE-2024-37145 security-advisories@github.com |
FlowiseAI–Flowise |
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/credentials/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. | 2024-07-01 | 6.1 | CVE-2024-37146 security-advisories@github.com |
geoserver — geoserver |
GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer’s Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules’ status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens. Additionally, many community-developed GeoServer container images `export` other credentials from their start-up scripts as environment variables to the GeoServer (`java`) process. The precise scope of the issue depends on which container image is used and how it is configured. The `about status` API endpoint which powers the Server Status page is only available to administrators. Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts). By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator’s credentials to gain access to credentials. The researchers who found the vulnerability were unable to determine any other conditions under which the GeoServer REST API may be available more broadly. Users should update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix. As a workaround, leave environment variables and Java system properties hidden by default. Those who provide the option to re-enable it should communicate the impact and risks so that users can make an informed choice. | 2024-07-01 | 4.9 | CVE-2024-34696 security-advisories@github.com |
HCL Software–Nomad server on Domino |
HCL Nomad server on Domino fails to properly handle users configured with limited Domino access resulting in a possible denial of service vulnerability. | 2024-07-05 | 5.3 | CVE-2024-23588 psirt@hcl.com |
Hitachi–Hitachi Ops Center Common Services |
Incorrect Default Permissions, Improper Preservation of Permissions vulnerability in Hitachi Ops Center Common Services allows File Manipulation. This issue affects Hitachi Ops Center Common Services: before 11.0.2-00. | 2024-07-02 | 5.1 | CVE-2024-2819 hirt@hitachi.co.jp |
hitout — carsale |
A vulnerability has been found in Hitout Carsale 1.0 and classified as critical. This vulnerability affects unknown code of the file OrderController.java. The manipulation of the argument orderBy leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-270166 is the identifier assigned to this vulnerability. | 2024-07-02 | 6.5 | CVE-2024-6438 cna@vuldb.com |
ICONICS–GENESIS64 |
Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) vulnerability in the licensing feature of ICONICS GENESIS64 versions 10.97 to 10.97.2, Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.2 and Mitsubishi Electric MC Works64 all versions allows a local attacker to execute a malicious code with administrative privileges by tampering with a specific file that is not protected by the system. | 2024-07-04 | 6.7 | CVE-2024-1574 Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp |
ICONICS–GENESIS64 |
Improper Authentication vulnerability in the mobile monitoring feature of ICONICS GENESIS64 versions 10.97 to 10.97.2, Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.2 and Mitsubishi Electric MC Works64 all versions allows a remote unauthenticated attacker to bypass proper authentication and log in to the system when all of the following conditions are met: * Active Directory is used in the security setting. * “Automatic log in” option is enabled in the security setting. * The IcoAnyGlass IIS Application Pool is running under an Active Directory Domain Account. * The IcoAnyGlass IIS Application Pool account is included in GENESIS64TM and MC Works64 Security and has permission to log in. | 2024-07-04 | 5.9 | CVE-2024-1573 Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp |
itsourcecode–Farm Management System |
A vulnerability was found in itsourcecode Farm Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /quarantine.php?id=3. The manipulation of the argument pigno/breed/reason leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-270241 was assigned to this vulnerability. NOTE: Original submission mentioned parameter pigno only but the VulDB data analysis team determined two additional parameters to be affected as well. | 2024-07-02 | 6.3 | CVE-2024-6453 cna@vuldb.com |
JetBrains–TeamCity |
In JetBrains TeamCity before 2024.03.3, an application token could be exposed in EC2 Cloud Profile settings. | 2024-07-01 | 5 | CVE-2024-39879 cve@jetbrains.com |
JetBrains–TeamCity |
In JetBrains TeamCity before 2024.03.3, a private key could be exposed via testing a GitHub App Connection. | 2024-07-01 | 4.1 | CVE-2024-39878 cve@jetbrains.com |
Johnson Controls–American Dynamics Illustra Essentials Gen 4 |
Under certain circumstances the Linux users credentials may be recovered by an authenticated user. | 2024-07-02 | 6.8 | CVE-2024-32756 productsecurity@jci.com |
Johnson Controls–American Dynamics Illustra Essentials Gen 4 |
Under certain circumstances unnecessary user details are provided within system logs. | 2024-07-02 | 6.8 | CVE-2024-32757 productsecurity@jci.com |
Johnson Controls–American Dynamics Illustra Essentials Gen 4 |
Under certain circumstances the web interface users credentials may be recovered by an authenticated user. | 2024-07-02 | 6.8 | CVE-2024-32932 productsecurity@jci.com |
jungo — windriver |
Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.1.0 allows local attackers to cause a Windows blue screen error. | 2024-07-02 | 5.5 | CVE-2023-51777 cve@mitre.org |
jungo — windriver |
Out-of-Bounds Write vulnerability in Jungo WinDriver before 12.1.0 allows local attackers to cause a Windows blue screen error and Denial of Service (DoS). | 2024-07-02 | 5.5 | CVE-2023-51778 cve@mitre.org |
jungo — windriver |
Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.6.0 allows local attackers to cause a Windows blue screen error. | 2024-07-02 | 5.5 | CVE-2024-22102 cve@mitre.org |
jungo — windriver |
Out-of-Bounds Write vulnerability in Jungo WinDriver before 12.6.0 allows local attackers to cause a Windows blue screen error and Denial of Service (DoS). | 2024-07-02 | 5.5 | CVE-2024-22103 cve@mitre.org |
jungo — windriver |
Out-of-Bounds Write vulnerability in Jungo WinDriver before 12.5.1 allows local attackers to cause a Windows blue screen error and Denial of Service (DoS). | 2024-07-02 | 5.5 | CVE-2024-22104 cve@mitre.org |
jungo — windriver |
Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.5.1 allows local attackers to cause a Windows blue screen error. | 2024-07-02 | 5.5 | CVE-2024-22105 cve@mitre.org |
jungo — windriver |
Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.7.0 allows local attackers to cause a Windows blue screen error. | 2024-07-02 | 5.5 | CVE-2024-25087 cve@mitre.org |
kiloview — p1_firmware |
A ‘Cross-site Scripting’ (XSS) vulnerability, characterized by improper input neutralization during web page generation, has been discovered. This vulnerability allows for Stored XSS attacks to occur. Multiple areas within the administration interface of the webserver lack adequate input validation, resulting in multiple instances of Stored XSS vulnerabilities. | 2024-07-02 | 5.4 | CVE-2023-41922 cert@ncsc.nl |
Kiloview–P1/P2 |
The server supports at least one cipher suite which is on the NCSC-NL list of cipher suites to be phased out, increasing the risk of cryptographic weaknesses. | 2024-07-02 | 5.3 | CVE-2023-41927 cert@ncsc.nl |
Kiloview–P1/P2 |
The device is observed to accept deprecated TLS protocols, increasing the risk of cryptographic weaknesses. | 2024-07-02 | 5.3 | CVE-2023-41928 cert@ncsc.nl |
KisaragiEffective–toy-blog |
toy-blog is a headless content management system implementation. Starting in version 0.5.4 and prior to version 0.6.1, articles with private visibility can be read if the reader does not set credentials for the request. Users should upgrade to 0.6.1 or later to receive a patch. No known workarounds are available. | 2024-07-01 | 6.5 | CVE-2024-39313 security-advisories@github.com security-advisories@github.com |
KisaragiEffective–toy-blog |
toy-blog is a headless content management system implementation. Starting in version 0.4.3 and prior to version 0.5.0, the administrative password was leaked through the command line parameter. The problem was patched in version 0.5.0. As a workaround, pass `--read-bearer-token-from-stdin` to the launch arguments and feed the token from the standard input in version 0.4.14 or later. Earlier versions do not have this workaround. | 2024-07-01 | 4.7 | CVE-2024-39314 security-advisories@github.com |
leap13 — premium_addons_for_elementor |
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Countdown widget in all versions up to, and including, 4.10.35 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-03 | 5.4 | CVE-2024-6340 security@wordfence.com |
leap13 — premium_addons_for_elementor |
The Premium Addons for Elementor plugin for WordPress is vulnerable to Regular Expression Denial of Service (ReDoS) in all versions up to, and including, 4.10.35. This is due to processing user-supplied input as a regular expression. This makes it possible for authenticated attackers, with Author-level access and above, to create and query a malicious post title, resulting in slowing server resources. | 2024-07-04 | 4.3 | CVE-2024-6434 security@wordfence.com |
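The ReDoS entry above turns on one decision: a post title is handed to the regex engine as a pattern rather than searched for as text. The following is an added example, not the plugin's own code (the plugin is PHP; the mistake and its fix look the same there with `preg_match` and `preg_quote`), showing the vulnerable call, the escaping that makes user input a literal, and the plain substring search that needs no regex at all. Function names, the length cap and the sample title are constructed for illustration.

```javascript
// Added example, not Premium Addons code: user input used as a regex pattern,
// and two ways to search for it as text instead.
// Function names and the length limit are assumptions for illustration.

// Constructed attacker input: nested quantifiers. Against a non-matching
// string of n 'a's followed by 'b' this backtracks roughly 2^n ways.
const EVIL_TITLE = '(a+)+$';

// Vulnerable: the title becomes the pattern, so its metacharacters are live.
function titleMatchesVulnerable(userTitle, haystack) {
  return new RegExp(userTitle).test(haystack);
}

// Neutralise every regex metacharacter so the string matches only itself.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Fixed: build the pattern from the escaped literal. The length cap is
// defence in depth against very long inputs, not a substitute for escaping.
const MAX_TITLE_LENGTH = 200;
function titleMatchesSafe(userTitle, haystack) {
  if (userTitle.length > MAX_TITLE_LENGTH) {
    throw new RangeError(`title longer than ${MAX_TITLE_LENGTH} characters`);
  }
  return new RegExp(escapeRegExp(userTitle)).test(haystack);
}

// Where no regex feature is needed, a substring search is the simplest fix
// and has no pathological inputs.
function titleMatchesPlain(userTitle, haystack) {
  return haystack.includes(userTitle);
}
```

Do not run `titleMatchesVulnerable(EVIL_TITLE, 'a'.repeat(30) + 'b')` on a machine you need back soon; that is the slowdown the entry describes. The escaped and plain versions handle the same input in constant time per character.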
linlinjava–litemall |
A vulnerability classified as critical was found in linlinjava litemall up to 1.8.0. Affected by this vulnerability is an unknown functionality of the file AdminGoodscontroller.java. The manipulation of the argument goodsId/goodsSn/name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270235. | 2024-07-02 | 6.3 | CVE-2024-6452 cna@vuldb.com |
Livemesh–Livemesh Addons for Elementor |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Livemesh Livemesh Addons for Elementor. This issue affects Livemesh Addons for Elementor: from n/a through 8.3.7. | 2024-07-06 | 6.5 | CVE-2024-37547 audit@patchstack.com |
livemeshelementor — addons_for_elementor |
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s widgets in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-04 | 5.4 | CVE-2024-2926 security@wordfence.com |
livemeshelementor — addons_for_elementor |
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Marquee Text Widget, Testimonials Widget, and Testimonial Slider widgets in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-04 | 5.4 | CVE-2024-3638 security@wordfence.com |
livemeshelementor — addons_for_elementor |
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Posts Grid widget in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-04 | 5.4 | CVE-2024-3639 security@wordfence.com |
matrix-org–matrix-appservice-irc |
matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The fix for GHSA-wm4w-7h2q-3pf7 / CVE-2024-32000 included in matrix-appservice-irc 2.0.0 relied on the Matrix homeserver-provided timestamp to determine whether a user has access to the event they’re replying to when determining whether or not to include a truncated version of the original event in the IRC message. Since this value is controlled by external entities, a malicious Matrix homeserver joined to a room in which a matrix-appservice-irc bridge instance (before version 2.0.1) is present can fabricate the timestamp with the intent of tricking the bridge into leaking room messages the homeserver should not have access to. matrix-appservice-irc 2.0.1 drops the reliance on `origin_server_ts` when determining whether or not an event should be visible to a user, instead tracking the event timestamps internally. As a workaround, it’s possible to limit the amount of information leaked by setting a reply template that doesn’t contain the original message. | 2024-07-05 | 4.3 | CVE-2024-39691 security-advisories@github.com |
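The matrix-appservice-irc entry is a general lesson: an access decision must not rest on a value the remote party sets. The following is an added example, not the bridge's own code, of a visibility check written once against `origin_server_ts` and once against timestamps the bridge recorded itself. The tracker class, its method names, the "joined before the event arrived" rule and the scenario are assumptions for illustration; the real bridge's membership model is more involved.

```javascript
// Added example, not matrix-appservice-irc code: "may this user see the event
// being replied to", trusting origin_server_ts vs. using the bridge's own clock.
// The tracker, its method names and the visibility rule are assumptions.
class VisibilityTracker {
  // `now` is injectable so the demonstration is deterministic.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.joinedAt = new Map();   // userId  -> local time the bridge saw them join
    this.receivedAt = new Map(); // eventId -> local time the bridge received it
  }

  recordJoin(userId) { this.joinedAt.set(userId, this.now()); }
  recordEvent(event) { this.receivedAt.set(event.event_id, this.now()); }

  // Vulnerable: origin_server_ts is set by the originating homeserver. A rogue
  // server can stamp an old event with a later time so it looks post-join.
  canSeeVulnerable(userId, event) {
    const joined = this.joinedAt.get(userId);
    return joined !== undefined && event.origin_server_ts >= joined;
  }

  // Fixed: only the bridge's own clock is consulted; unknown events fail closed.
  canSeeFixed(userId, event) {
    const joined = this.joinedAt.get(userId);
    const received = this.receivedAt.get(event.event_id);
    if (joined === undefined || received === undefined) return false;
    return received >= joined;
  }
}

// Reply formatting: quote the original only when the check allows it.
function formatReply(tracker, userId, original, replyText, useFixed) {
  const allowed = useFixed
    ? tracker.canSeeFixed(userId, original)
    : tracker.canSeeVulnerable(userId, original);
  const quote = allowed ? `"${original.body.slice(0, 40)}" ` : '';
  return `<${userId}> ${quote}${replyText}`;
}

// Constructed scenario: a secret event arrives at t=100, alice joins at t=200,
// a legitimate event arrives at t=250, then a rogue homeserver re-presents the
// secret event with origin_server_ts=300.
function runScenario() {
  let clock = 0;
  const tracker = new VisibilityTracker(() => clock);
  const alice = '@alice:example.org';
  const secret = { event_id: '$secret', origin_server_ts: 100, body: 'pre-join secret' };
  const legit = { event_id: '$legit', origin_server_ts: 250, body: 'hello alice' };
  clock = 100; tracker.recordEvent(secret);
  clock = 200; tracker.recordJoin(alice);
  clock = 250; tracker.recordEvent(legit);
  const forged = { ...secret, origin_server_ts: 300 };
  return {
    vulnerableLeaks: tracker.canSeeVulnerable(alice, forged),
    fixedLeaks: tracker.canSeeFixed(alice, forged),
    legitVisible: tracker.canSeeFixed(alice, legit),
    vulnerableReply: formatReply(tracker, alice, forged, 'ok', false),
    fixedReply: formatReply(tracker, alice, forged, 'ok', true),
  };
}
```

The fixed check still lets the legitimate post-join event through, so the change costs nothing functionally; it only stops the one input the remote server controls from deciding the outcome. The advisory's workaround (a reply template without the quoted original) is what you get by making `formatReply` never include `quote` at all.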
mattermost — mattermost |
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken functionality in User Management such as administrative actions against the user not working. | 2024-07-03 | 6.5 | CVE-2024-6428 responsibledisclosure@mattermost.com |
mattermost — mattermost |
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one. This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A. | 2024-07-03 | 5.3 | CVE-2024-36257 responsibledisclosure@mattermost.com |
mattermost — mattermost |
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken functionality in the channel or thread with user-defined posts. | 2024-07-03 | 5.4 | CVE-2024-39361 responsibledisclosure@mattermost.com |
mattermost — mattermost |
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels. | 2024-07-03 | 5.3 | CVE-2024-39807 responsibledisclosure@mattermost.com |
mattermost — mattermost |
Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison. | 2024-07-03 | 5.9 | CVE-2024-39830 responsibledisclosure@mattermost.com |
mongodb — mongodb |
A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3. | 2024-07-01 | 6.5 | CVE-2024-6375 cna@mongodb.com |
MongoDB Inc–libbson |
The bson_string_append function in MongoDB C Driver may be vulnerable to a buffer overflow where the function might attempt to allocate too small a buffer, leading to memory corruption of neighbouring heap memory. This issue affects libbson versions prior to 1.27.1. | 2024-07-03 | 5.3 | CVE-2024-6383 cna@mongodb.com |
MongoDB Inc–libbson |
The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a negative offset. This may result in memory corruption. This issue affected libbson versions prior to 1.26.2. | 2024-07-02 | 4 | CVE-2024-6381 cna@mongodb.com |
MongoDB Inc–MongoDB Rust Driver |
Incorrect handling of certain string inputs may result in MongoDB Rust driver constructing unintended server commands. This may cause unexpected application behavior including data modification. This issue affects MongoDB Rust Driver 2.0 versions prior to 2.8.2 | 2024-07-02 | 6.4 | CVE-2024-6382 cna@mongodb.com |
n/a–n/a | FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a SEGV at libavcodec/hevcdec.c:2947:22 in hevc_frame_end. | 2024-07-01 | 6.6 | CVE-2024-32228 cve@mitre.org |
n/a–n/a | Tada5hi sp-common v0.5.4 was discovered to contain a prototype pollution via the function mergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | 6.3 | CVE-2024-38990 cve@mitre.org |
n/a–n/a | adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function extendDefaults. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | 6.5 | CVE-2024-38997 cve@mitre.org |
n/a–n/a | adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | 6.5 | CVE-2024-39000 cve@mitre.org |
n/a–n/a | adolph_dudu ratio-swiper 0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | 6.5 | CVE-2024-39853 cve@mitre.org |
n/a–n/a | MachForm up to version 19 is affected by an authenticated stored cross-site scripting. | 2024-07-01 | 5.4 | CVE-2024-37764 cve@mitre.org |
n/a–n/a | In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.) | 2024-07-02 | 5.3 | CVE-2024-39891 cve@mitre.org |
n/a–ORIPA | A vulnerability was found in ORIPA up to 1.72. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file src/main/java/oripa/persistence/doc/loader/LoaderXML.java. The manipulation leads to deserialization. The attack can be launched remotely. Upgrading to version 1.80 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-270169 was assigned to this vulnerability. | 2024-07-02 | 6.3 | CVE-2024-6441 cna@vuldb.com |
n/a–ShopXO | A vulnerability was found in ShopXO up to 6.1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file extend/base/Uploader.php. The manipulation of the argument source leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270367. NOTE: The original disclosure confuses CSRF with SSRF. | 2024-07-05 | 5.5 | CVE-2024-6524 cna@vuldb.com |
N/A–VMware Cloud Director Availability | VMware Cloud Director Availability contains an HTML injection vulnerability. A malicious actor with network access to VMware Cloud Director Availability can craft malicious HTML tags to execute within replication tasks. | 2024-07-04 | 6.4 | CVE-2024-22277 security@vmware.com |
NationalSecurityAgency–skills-service | SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. The endpoint is CSRF-able: it accepts a POST request with a content type that can be submitted cross-site (multipart file upload), makes a state change, and has no CSRF mitigations in place (SameSite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue. | 2024-07-02 | 4.4 | CVE-2024-39326 security-advisories@github.com |
pomerium–pomerium | Pomerium is an identity and context-aware access proxy. Prior to version 0.26.1, the Pomerium user info page (at `/.pomerium`) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user’s session. These tokens are not intended to be exposed to end users. This issue may be more severe in the presence of a cross-site scripting vulnerability in an upstream application proxied through Pomerium. If an attacker could insert a malicious script onto a web page proxied through Pomerium, that script could access these tokens by making a request to the `/.pomerium` endpoint. Upstream applications that authenticate only the ID token may be vulnerable to user impersonation using a token obtained in this manner. Note that an OAuth2 access token or ID token by itself is not sufficient to hijack a user’s Pomerium session. Upstream applications should not be vulnerable to user impersonation via these tokens provided the application verifies the Pomerium JWT for each request, the connection between Pomerium and the application is secured by mTLS, or the connection between Pomerium and the application is otherwise secured at the network layer. The issue is patched in Pomerium v0.26.1. No known workarounds are available. | 2024-07-02 | 5.7 | CVE-2024-39315 security-advisories@github.com |
posimyth — the_plus_addons_for_elementor | The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Countdown’ widget in all versions up to, and including, 5.6.1 due to insufficient input sanitization and output escaping on the user supplied ‘text_days’ attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-03 | 5.4 | CVE-2024-4482 security@wordfence.com |
qualcomm — 315_5g_iot_modem_firmware | Transient DOS while loading the TA ELF file. | 2024-07-01 | 5.5 | CVE-2024-21462 product-security@qualcomm.com |
qualcomm — fastconnect_6900_firmware | Information disclosure when ASLR relocates the IMEM and Secure DDR portions as one chunk in virtual address space. | 2024-07-01 | 6.5 | CVE-2024-21460 product-security@qualcomm.com |
Qualcomm, Inc.–Snapdragon | Information Disclosure while parsing beacon frame in STA. | 2024-07-01 | 6.5 | CVE-2024-21456 product-security@qualcomm.com |
rack–rack | Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.5, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the `Rack::Request::Helpers` module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted `Accept-Encoding` or `Accept-Language` headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS). The fix for CVE-2024-26146 was not applied to the main branch, and thus while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5. Users of versions on the 3.1 branch should upgrade to version 3.1.5 to receive the fix. | 2024-07-02 | 6.5 | CVE-2024-39316 security-advisories@github.com |
radiustheme — the_post_grid | The The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the section title tag attribute in all versions up to, and including, 7.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-02 | 5.4 | CVE-2024-1427 security@wordfence.com |
rankmath — seo | The Rank Math SEO WordPress plugin before 1.0.219 does not sanitise and escape some of its settings, which could allow users with access to the General Settings (by default admin, however such access can be given to lower roles via the Role Manager feature of the Rank Math SEO WordPress plugin before 1.0.219) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2024-07-02 | 5.4 | CVE-2024-4627 contact@wpscan.com |
Red Hat–Red Hat Enterprise Linux 6 | A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host. | 2024-07-05 | 6 | CVE-2024-6505 secalert@redhat.com |
Robert Macchi–WP Scraper | Server-Side Request Forgery (SSRF) vulnerability in Robert Macchi WP Scraper. This issue affects WP Scraper: from n/a through 5.7. | 2024-07-06 | 4.9 | CVE-2024-37208 audit@patchstack.com |
samsung — android | Improper input validation in parsing application information from RTCP packet in librtp.so prior to SMR Jul-2024 Release 1 allows remote attackers to execute arbitrary code with system privilege. User interaction is required for triggering this vulnerability. | 2024-07-02 | 6.8 | CVE-2024-34587 mobile.security@samsung.com |
samsung — android | Improper input validation in parsing RTCP SR packet in librtp.so prior to SMR Jul-2024 Release 1 allows remote attackers to trigger temporary denial of service. User interaction is required for triggering this vulnerability. | 2024-07-02 | 6.5 | CVE-2024-34588 mobile.security@samsung.com |
samsung — android | Improper input validation in parsing RTCP RR packet in librtp.so prior to SMR Jul-2024 Release 1 allows remote attackers to trigger temporary denial of service. User interaction is required for triggering this vulnerability. | 2024-07-02 | 6.5 | CVE-2024-34589 mobile.security@samsung.com |
samsung — android | Improper access control in Dar service prior to SMR Jul-2024 Release 1 allows local attackers to bypass restriction for calling SDP features. | 2024-07-02 | 5.5 | CVE-2024-20895 mobile.security@samsung.com |
samsung — android | Use of implicit intent for sensitive communication in Configuration message prior to SMR Jul-2024 Release 1 allows local attackers to get sensitive information. | 2024-07-02 | 5.5 | CVE-2024-20896 mobile.security@samsung.com |
samsung — android | Use of implicit intent for sensitive communication in FCM function in IMS service prior to SMR Jul-2024 Release 1 allows local attackers to get sensitive information. | 2024-07-02 | 5.5 | CVE-2024-20897 mobile.security@samsung.com |
samsung — android | Use of implicit intent for sensitive communication in SoftphoneClient in IMS service prior to SMR Jul-2024 Release 1 allows local attackers to get sensitive information. | 2024-07-02 | 5.5 | CVE-2024-20898 mobile.security@samsung.com |
samsung — android | Use of implicit intent for sensitive communication in RCS function in IMS service prior to SMR Jul-2024 Release 1 allows local attackers to get sensitive information. | 2024-07-02 | 5.5 | CVE-2024-20899 mobile.security@samsung.com |
samsung — android | Exposure of sensitive information in proc file system prior to SMR Jul-2024 Release 1 allows local attackers to read kernel memory address. | 2024-07-02 | 5.5 | CVE-2024-34594 mobile.security@samsung.com |
samsung — android | Improper authentication in BLE prior to SMR Jul-2024 Release 1 allows adjacent attackers to pair with devices. | 2024-07-02 | 4.3 | CVE-2024-20889 mobile.security@samsung.com |
samsung — android | Improper handling of exceptional conditions in Secure Folder prior to SMR Jul-2024 Release 1 allows physical attackers to bypass authentication under certain condition. User interaction is required for triggering this vulnerability. | 2024-07-02 | 4.3 | CVE-2024-20894 mobile.security@samsung.com |
samsung — android | Improper input validation in parsing an item type from RTCP SDES packet in librtp.so prior to SMR Jul-2024 Release 1 allows remote attackers to trigger temporary denial of service. User interaction is required for triggering this vulnerability. | 2024-07-02 | 4.3 | CVE-2024-34590 mobile.security@samsung.com |
samsung — android | Improper input validation in parsing an item data from RTCP SDES packet in librtp.so prior to SMR Jul-2024 Release 1 allows remote attackers to trigger temporary denial of service. User interaction is required for triggering this vulnerability. | 2024-07-02 | 4.3 | CVE-2024-34591 mobile.security@samsung.com |
samsung — android | Improper input validation in parsing RTCP SDES packet in librtp.so prior to SMR Jul-2024 Release 1 allows remote attackers to trigger temporary denial of service. User interaction is required for triggering this vulnerability. | 2024-07-02 | 4.3 | CVE-2024-34592 mobile.security@samsung.com |
samsung — galaxystore | Improper verification of intent by broadcast receiver vulnerability in GalaxyStore prior to version 4.5.81.0 allows local attackers to launch unexported activities of GalaxyStore. | 2024-07-02 | 5.3 | CVE-2024-34601 mobile.security@samsung.com |
shaonsina–Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) | The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘read_more_text’ parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-02 | 6.4 | CVE-2024-5260 security@wordfence.com |
SourceCodester–Medicine Tracker System | A vulnerability classified as critical was found in SourceCodester Medicine Tracker System 1.0. This vulnerability affects unknown code of the file /classes/Master.php?f=save_medicine. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-270010 is the identifier assigned to this vulnerability. | 2024-07-01 | 6.3 | CVE-2024-6419 cna@vuldb.com |
SourceCodester–Online Tours & Travels Management | A vulnerability classified as critical has been found in SourceCodester Online Tours & Travels Management 1.0. This affects an unknown part of the file sms_setting.php. The manipulation of the argument uname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270279. | 2024-07-03 | 6.3 | CVE-2024-6471 cna@vuldb.com |
spider-themes — eazydocs | The EazyDocs WordPress plugin before 2.5.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2024-07-02 | 4.8 | CVE-2024-3999 contact@wpscan.com |
Splunk–Splunk Enterprise | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, an authenticated user could run risky commands using the permissions of a higher-privileged user to bypass SPL safeguards for risky commands in the Analytics Workspace. The vulnerability requires the authenticated user to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. | 2024-07-01 | 6.3 | CVE-2024-36986 prodsec@splunk.com |
Splunk–Splunk Enterprise | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an authenticated, low-privileged user that does not hold the admin or power Splunk roles could send a specially crafted HTTP POST request to the datamodel/web REST endpoint in Splunk Enterprise, potentially causing a denial of service. | 2024-07-01 | 6.5 | CVE-2024-36990 prodsec@splunk.com |
Splunk–Splunk Enterprise | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View that could result in execution of unauthorized JavaScript code in the browser of a user. The “url” parameter of the Dashboard element does not have proper input validation to reject invalid URLs, which could lead to a Persistent Cross-site Scripting (XSS) exploit. | 2024-07-01 | 5.4 | CVE-2024-36992 prodsec@splunk.com |
Splunk–Splunk Enterprise | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user. | 2024-07-01 | 5.4 | CVE-2024-36993 prodsec@splunk.com |
Splunk–Splunk Enterprise | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View and Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user. | 2024-07-01 | 5.4 | CVE-2024-36994 prodsec@splunk.com |
Splunk–Splunk Enterprise | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could create experimental items. | 2024-07-01 | 5.4 | CVE-2024-36995 prodsec@splunk.com |
Splunk–Splunk Enterprise | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks. This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme. | 2024-07-01 | 5.3 | CVE-2024-36996 prodsec@splunk.com |
Splunk–Splunk Enterprise | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the admin or power Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST endpoint. | 2024-07-01 | 4.3 | CVE-2024-36987 prodsec@splunk.com |
StaxWP–Elementor Addons, Widgets and Enhancements Stax | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in StaxWP Elementor Addons, Widgets and Enhancements – Stax allows Stored XSS. This issue affects Elementor Addons, Widgets and Enhancements – Stax: from n/a through 1.4.4.1. | 2024-07-06 | 6.5 | CVE-2024-37541 audit@patchstack.com |
stylemixthemes — cost_calculator_builder | The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textarea.description’ parameter in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-02 | 4.8 | CVE-2024-6011 security@wordfence.com |
stylemixthemes — cost_calculator_builder | The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ’embed-create-page’ and ’embed-insert-pages’ functions in all versions up to, and including, 3.2.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary posts and append arbitrary content to existing posts. | 2024-07-02 | 4.3 | CVE-2024-6012 security@wordfence.com |
stylemixthemes — motors_-_car_dealer,_classifieds_&_listing | The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the stm_edit_delete_user_car function in all versions up to, and including, 1.4.8. This makes it possible for unauthenticated attackers to unpublish arbitrary posts and pages. | 2024-07-02 | 5.3 | CVE-2024-5545 security@wordfence.com |
supsystic — easy_google_maps | The Easy Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s file upload feature in all versions up to, and including, 1.11.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-02 | 5.4 | CVE-2024-5219 security@wordfence.com |
syedbalkhi — wp_lightbox_2 | The WP Lightbox 2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 3.0.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-03 | 5.4 | CVE-2024-6263 security@wordfence.com |
thimpress — learnpress | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the ‘register’ function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to bypass disabled user registration to create a new account with the default role. | 2024-07-02 | 5.3 | CVE-2024-6088 security@wordfence.com |
thimpress — learnpress | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass of user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the ‘check_validate_fields’ function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled. | 2024-07-02 | 5.3 | CVE-2024-6099 security@wordfence.com |
Unisoc (Shanghai) Technologies Co., Ltd.–SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618 | In faceid service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with no additional execution privileges needed. | 2024-07-01 | 5.1 | CVE-2024-39429 security@unisoc.com |
Unisoc (Shanghai) Technologies Co., Ltd.–SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618 | In faceid service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with no additional execution privileges needed. | 2024-07-01 | 5.1 | CVE-2024-39430 security@unisoc.com |
Unisoc (Shanghai) Technologies Co., Ltd.–SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000 | In trusty service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. | 2024-07-01 | 6.8 | CVE-2024-39428 security@unisoc.com |
Unisoc (Shanghai) Technologies Co., Ltd.–SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000 | In trusty service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. | 2024-07-01 | 5.1 | CVE-2024-39427 security@unisoc.com |
voidcoders — void_contact_form_7_widget_for_elementor_page_builder | The Void Contact Form 7 Widget For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cf7_redirect_page’ attribute within the plugin’s Void Contact Form 7 widget in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-02 | 5.4 | CVE-2024-5419 security@wordfence.com |
WeblateOrg–weblate | Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn’t correctly validate filenames when restoring a project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects. | 2024-07-01 | 4.4 | CVE-2024-39303 security-advisories@github.com |
WpDevArt–Responsive Image Gallery, Gallery Album | Missing Authorization vulnerability in WpDevArt Responsive Image Gallery, Gallery Album. This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3. | 2024-07-06 | 5.4 | CVE-2024-37542 audit@patchstack.com |
wpexpertplugins — post_meta_data_manager | The Post Meta Data Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘$meta_key’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-07-02 | 5.4 | CVE-2024-6264 security@wordfence.com |
XjSv–Basil | The Basil recipe theme for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `post_title` parameter in versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. Because of the default WordPress validation, it is not possible to insert the payload directly, but if the Cooked plugin is installed, it is possible to create a recipe post type (cp_recipe) and inject the payload in the title field. Version 2.0.5 contains a patch for the issue. | 2024-07-01 | 5.4 | CVE-2024-39310 security-advisories@github.com |
yeken — snippet_shortcodes | The Snippet Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.1.4. This is due to missing or incorrect nonce validation when adding or editing shortcodes. This makes it possible for unauthenticated attackers to modify shortcodes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2024-07-03 | 4.3 | CVE-2024-4543 security@wordfence.com |
zephyrproject-rtos–Zephyr | A malicious BLE device can send a specific order of packet sequence to cause a DoS attack on the victim BLE device. | 2024-07-03 | 6.5 | CVE-2024-3332 vulnerabilities@zephyrproject.org |
zitadel–zitadel | ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that information (e.g. when created through the session service) were incorrectly listed, potentially exposing other users’ sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available. | 2024-07-03 | 5.7 | CVE-2024-39683 security-advisories@github.com |
Low Vulnerabilities
Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
aimeos–ai-admin-graphql |
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn’t allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue. | 2024-07-02 | 3.8 | CVE-2024-39324 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com |
CodeIgniter–Ecommerce-CodeIgniter-Bootstrap |
A vulnerability classified as problematic has been found in CodeIgniter Ecommerce-CodeIgniter-Bootstrap up to 1998845073cf433bc6c250b0354461fbd84d0e03. This affects an unknown part. The manipulation of the argument search_title/catName/sub/name/categorie leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 1b3da45308bb6c3f55247d0e99620b600bd85277. It is recommended to apply a patch to fix this issue. The identifier VDB-270369 was assigned to this vulnerability. | 2024-07-05 | 3.5 | CVE-2024-6526 cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
discourse–discourse |
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, moderators using the review queue to review users may see a users email address even when the Allow moderators to view email addresses setting is disabled. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. As possible workarounds, either prevent moderators from accessing the review queue or disable the approve suspect users site setting and the must approve users site setting to prevent users from being added to the review queue. | 2024-07-03 | 2.4 | CVE-2024-36122 security-advisories@github.com security-advisories@github.com security-advisories@github.com |
Johnson Controls–Kantech KT1 Door Controller, Rev01 |
Under certain circumstances, when the controller is in factory reset mode waiting for initial setup, it will broadcast its MAC address, serial number, and firmware version. Once configured, the controller will no longer broadcast this information. | 2024-07-04 | 3.1 | CVE-2024-32754 productsecurity@jci.com |
Kodezen Limited–Academy LMS |
URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in Kodezen Limited Academy LMS. This issue affects Academy LMS: from n/a through 2.0.4. | 2024-07-06 | 3.5 | CVE-2024-37234 audit@patchstack.com |
mattermost — mattermost |
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to sanitize the RemoteClusterFrame payloads before audit logging them which allows a high privileged attacker with access to the audit logs to read message contents. | 2024-07-03 | 2.7 | CVE-2024-39353 responsibledisclosure@mattermost.com |
n/a–n/a |
The OpenAI ChatGPT app before 2024-07-05 for macOS opts out of the sandbox, and stores conversations in cleartext in a location accessible to other apps. | 2024-07-06 | 2.3 | CVE-2024-40594 cve@mitre.org |
n/a–playSMS |
A vulnerability was found in playSMS 1.4.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /index.php?app=main&inc=feature_inboxgroup&op=list of the component Template Handler. The manipulation of the argument Receiver Number with the input {{`id`}} leads to injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-270278 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2024-07-03 | 2.7 | CVE-2024-6470 cna@vuldb.com |
openharmony — openharmony |
OpenHarmony v4.0.0 and prior versions allow a local attacker to cause apps to crash through type confusion. | 2024-07-02 | 3.3 | CVE-2024-31071 scy@openharmony.io |
openharmony — openharmony |
OpenHarmony v4.0.0 and prior versions allow a local attacker to cause apps to crash through type confusion. | 2024-07-02 | 3.3 | CVE-2024-36278 scy@openharmony.io |
Red Hat–Red Hat Enterprise Linux 7 |
A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env’s user_readenv option, which leads to a denial of service (DoS) attack. | 2024-07-03 | 3.2 | CVE-2024-6126 secalert@redhat.com |
samsung — android |
Improper authentication in MTP application prior to SMR Jul-2024 Release 1 allows local attackers to enter MTP mode without proper authentication. | 2024-07-02 | 3.3 | CVE-2024-20900 mobile.security@samsung.com |
samsung — android |
Improper access control in system property prior to SMR Jul-2024 Release 1 allows local attackers to get device identifier. | 2024-07-02 | 3.3 | CVE-2024-34583 mobile.security@samsung.com |
samsung — android |
Improper access control in KnoxCustomManagerService prior to SMR Jul-2024 Release 1 allows local attackers to configure Knox privacy policy. | 2024-07-02 | 3.3 | CVE-2024-34586 mobile.security@samsung.com |
samsung — flow |
Improper verification of intent by broadcast receiver vulnerability in Samsung Flow prior to version 4.9.13.0 allows local attackers to copy image files to external storage. | 2024-07-02 | 3.3 | CVE-2024-34600 mobile.security@samsung.com |
samsung — health |
Improper input validation in Samsung Health prior to version 6.27.0.113 allows local attackers to write arbitrary document files to the sandbox of Samsung Health. User interaction is required for triggering this vulnerability. | 2024-07-02 | 3.3 | CVE-2024-34597 mobile.security@samsung.com |
samsung — tips |
Improper input validation in Tips prior to version 6.2.9.4 in Android 14 allows a local attacker to send a broadcast with Tips' privilege. | 2024-07-02 | 3.3 | CVE-2024-34599 mobile.security@samsung.com |
y_project–RuoYi |
A vulnerability classified as problematic was found in y_project RuoYi up to 4.7.9. Affected by this vulnerability is the function isJsonRequest of the component Content-Type Handler. The manipulation of the argument HttpHeaders.CONTENT_TYPE leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270343. | 2024-07-04 | 3.5 | CVE-2024-6511 cna@vuldb.com |
ZKTeco–BioTime |
A vulnerability was found in ZKTeco BioTime up to 9.5.2. It has been classified as problematic. Affected is an unknown function of the component system-group-add Handler. The manipulation of the argument user with the input <script>alert('XSS')</script> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-270366 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2024-07-05 | 3.5 | CVE-2024-6523 cna@vuldb.com |
Severity Not Yet Assigned
Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
ABB–ASPECT-Enterprise |
Unauthorized file access in the WEB Server in ABB ASPECT-Enterprise v<=3.08.01; NEXUS Series v<=3.08.01; MATRIX Series v<=3.08.01 allows an attacker to access files without authorization. | 2024-07-05 | not yet calculated | CVE-2024-6209 cybersecurity@ch.abb.com |
ABB–ASPECT-Enterprise |
Improper Input Validation vulnerability in ABB ASPECT-Enterprise on Linux, ABB NEXUS Series on Linux, ABB MATRIX Series on Linux allows Remote Code Inclusion. This issue affects ASPECT-Enterprise: through 3.08.01; NEXUS Series: through 3.08.01; MATRIX Series: through 3.08.01. | 2024-07-05 | not yet calculated | CVE-2024-6298 cybersecurity@ch.abb.com |
Akana–Akana |
In versions of Akana prior to and including 2022.1.3, validation is broken when using the SAML Single Sign-On (SSO) functionality. | 2024-07-02 | not yet calculated | CVE-2024-3826 security@puppet.com |
Apache Software Foundation–Apache CloudStack |
The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts. Some of these commands were found to have command injection vulnerabilities that can result in arbitrary code execution via agents on the hosts that may run as a privileged user. An attacker that can reach the cluster service on the unauthenticated port (default 9090), can exploit this to perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access to the cluster service port (default 9090) on a CloudStack management server host to only its peer CloudStack management server hosts. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue. | 2024-07-05 | not yet calculated | CVE-2024-38346 security@apache.org |
Apache Software Foundation–Apache CloudStack |
The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue. | 2024-07-05 | not yet calculated | CVE-2024-39864 security@apache.org |
Apache Software Foundation–Apache HTTP Server |
Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. | 2024-07-01 | not yet calculated | CVE-2024-36387 security@apache.org |
Apache Software Foundation–Apache HTTP Server |
SSRF in Apache HTTP Server on Windows could potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Note: Existing configurations that access UNC paths will have to configure the new directive “UNCList” to allow access during request processing. | 2024-07-01 | not yet calculated | CVE-2024-38472 security@apache.org |
Apache Software Foundation–Apache HTTP Server |
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue. | 2024-07-01 | not yet calculated | CVE-2024-38473 security@apache.org |
Apache Software Foundation–Apache HTTP Server |
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or source disclosure of scripts meant only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless the rewrite flag “UnsafeAllow3F” is specified. | 2024-07-01 | not yet calculated | CVE-2024-38474 security@apache.org |
Apache Software Foundation–Apache HTTP Server |
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change and the rewrite flag “UnsafePrefixStat” can be used to opt back in once ensuring the substitution is appropriately constrained. | 2024-07-01 | not yet calculated | CVE-2024-38475 security@apache.org |
Apache Software Foundation–Apache HTTP Server |
The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue. | 2024-07-01 | not yet calculated | CVE-2024-38476 security@apache.org |
Apache Software Foundation–Apache HTTP Server |
A null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue. | 2024-07-01 | not yet calculated | CVE-2024-38477 security@apache.org |
Apache Software Foundation–Apache HTTP Server |
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. “AddType” and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue. | 2024-07-04 | not yet calculated | CVE-2024-39884 security@apache.org |
Apache Software Foundation–Apache Tomcat |
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue. | 2024-07-03 | not yet calculated | CVE-2024-34750 security@apache.org |
ethyca–fides |
Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of the time of publication. The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard. | 2024-07-02 | not yet calculated | CVE-2024-38537 security-advisories@github.com |
Go standard library–net/http |
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an “Expect: 100-continue” header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending “Expect: 100-continue” requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. | 2024-07-02 | not yet calculated | CVE-2024-24791 security@golang.org |
Go toolchain–cmd/go |
Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn’t sanitize values, so executing its output as a shell script can cause various bad behaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making “go env” print them out. | 2024-07-02 | not yet calculated | CVE-2023-24531 security@golang.org |
golang.org/x/crypto–golang.org/x/crypto/acme/autocert |
httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/….asd becomes ….asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix. | 2024-07-02 | not yet calculated | CVE-2022-30636 security@golang.org |
Google–https://github.com/google/nftables |
In https://github.com/google/nftables, IP addresses were encoded in the wrong byte order, resulting in an nftables configuration which does not work as intended (might block or not block the desired addresses). This issue affects: https://pkg.go.dev/github.com/google/nftables@v0.1.0. The bug was fixed in the next released version: https://pkg.go.dev/github.com/google/nftables@v0.2.0 | 2024-07-03 | not yet calculated | CVE-2024-6284 cve-coordination@google.com |
Kakao piccoma Corp.–“Piccoma” App for Android |
“Piccoma” App for Android and iOS versions prior to 6.20.0 uses a hard-coded API key for an external service, which may allow a local attacker to obtain the API key. Note that the users of the app are not directly affected by this vulnerability. | 2024-07-01 | not yet calculated | CVE-2024-38480 vultures@jpcert.or.jp |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: xfs: fix log recovery buffer allocation for the legacy h_size fixup Commit a70f9fe52daa (“xfs: detect and handle invalid iclog size set by mkfs”) added a fixup for incorrect h_size values used for the initial umount record in old xfsprogs versions. Later commit 0c771b99d6c9 (“xfs: clean up calculation of LR header blocks”) cleaned up the log recovery buffer calculation, but stopped using the fixed up h_size value to size the log recovery buffer, which can lead to an out of bounds access when the incorrect h_size does not come from the old mkfs tool, but a fuzzer. Fix this by open coding xlog_logrec_hblks and taking the fixed h_size into account for this calculation. | 2024-07-05 | not yet calculated | CVE-2024-39472 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension If a process module does not have base config extension then the same format applies to all of its inputs and the process->base_config_ext is NULL, causing NULL dereference when specifically crafted topology and sequences are used. | 2024-07-05 | not yet calculated | CVE-2024-39473 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL commit a421ef303008 (“mm: allow !GFP_KERNEL allocations for kvmalloc”) includes support for __GFP_NOFAIL, but it presents a conflict with commit dd544141b9eb (“vmalloc: back off when the current task is OOM-killed”). A possible scenario is as follows: process-a calls __vmalloc_node_range(GFP_KERNEL | __GFP_NOFAIL) -> __vmalloc_area_node() -> vm_area_alloc_pages(); the oom-killer sends SIGKILL to process-a; if (fatal_signal_pending(current)) break; -> return NULL. To fix this, do not check fatal_signal_pending() in vm_area_alloc_pages() if __GFP_NOFAIL is set. This issue occurred during OPLUS KASAN TEST. In the log, the oom-killer sends a signal to the process and the call trace ends in z_erofs_decompress_queue at be->decompressed_pages = kvcalloc(be->nr_pages, sizeof(struct page *), GFP_KERNEL | __GFP_NOFAIL); kernel panic by NULL pointer dereference. erofs assumes kvmalloc with __GFP_NOFAIL never returns NULL. | 2024-07-05 | not yet calculated | CVE-2024-39474 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: fbdev: savage: Handle err return when savagefb_check_var failed The commit 04e5eac8f3ab (“fbdev: savage: Error out if pixclock equals zero”) checks the value of pixclock to avoid divide-by-zero error. However the function savagefb_probe doesn’t handle the error return of savagefb_check_var. When pixclock is 0, it will cause divide-by-zero error. | 2024-07-05 | not yet calculated | CVE-2024-39475 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING Xiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with small possibility, the root cause is exactly the same as commit bed9e27baf52 (“Revert “md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d””) However, Dan reported another hang after that, and junxiao investigated the problem and found out that this is caused by plugged bio can’t issue from raid5d(). Current implementation in raid5d() has a weird dependence: 1) md_check_recovery() from raid5d() must hold ‘reconfig_mutex’ to clear MD_SB_CHANGE_PENDING; 2) raid5d() handles IO in a deadloop, until all IO are issued; 3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared; This behaviour was introduced before v2.6, and as a consequence, if another context holds ‘reconfig_mutex’, and md_check_recovery() can’t update super_block, then raid5d() will waste one cpu 100% by the deadloop, until ‘reconfig_mutex’ is released. Refer to the implementation from raid1 and raid10, fix this problem by skipping issue IO if MD_SB_CHANGE_PENDING is still set after md_check_recovery(), daemon thread will be woken up when ‘reconfig_mutex’ is released. Meanwhile, the hang problem will be fixed as well. | 2024-07-05 | not yet calculated | CVE-2024-39476 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: do not call vma_add_reservation upon ENOMEM syzbot reported a splat [1] on __unmap_hugepage_range(). This is because vma_needs_reservation() can return -ENOMEM if allocate_file_region_entries() fails to allocate the file_region struct for the reservation. Check for that and do not call vma_add_reservation() if that is the case, otherwise region_abort() and region_del() will see that we do not have any file_regions. If we detect that vma_needs_reservation() returned -ENOMEM, we clear the hugetlb_restore_reserve flag as if this reservation was still consumed, so free_huge_folio() will not increment the resv count. [1] https://lore.kernel.org/linux-mm/0000000000004096100617c58d54@google.com/T/#ma5983bc1ab18a54910da83416b3f89f3c7ee43aa | 2024-07-05 | not yet calculated | CVE-2024-39477 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: crypto: starfive – Do not free stack buffer RSA text data uses variable length buffer allocated in software stack. Calling kfree on it causes undefined behaviour in subsequent operations. | 2024-07-05 | not yet calculated | CVE-2024-39478 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: drm/i915/hwmon: Get rid of devm When both hwmon and hwmon drvdata (on which hwmon depends) are device managed resources, the expectation, on device unbind, is that hwmon will be released before drvdata. However, in i915 there are two separate code paths, which both release either drvdata or hwmon and either can be released before the other. These code paths (for device unbind) are as follows (see also the bug referenced below): Call Trace: release_nodes+0x11/0x70 devres_release_group+0xb2/0x110 component_unbind_all+0x8d/0xa0 component_del+0xa5/0x140 intel_pxp_tee_component_fini+0x29/0x40 [i915] intel_pxp_fini+0x33/0x80 [i915] i915_driver_remove+0x4c/0x120 [i915] i915_pci_remove+0x19/0x30 [i915] pci_device_remove+0x32/0xa0 device_release_driver_internal+0x19c/0x200 unbind_store+0x9c/0xb0 and Call Trace: release_nodes+0x11/0x70 devres_release_all+0x8a/0xc0 device_unbind_cleanup+0x9/0x70 device_release_driver_internal+0x1c1/0x200 unbind_store+0x9c/0xb0 This means that in i915, if we use devm, we cannot guarantee that hwmon will always be released before drvdata. Which means that we have a uaf if hwmon sysfs is accessed when drvdata has been released but hwmon hasn’t. The only way out of this seems to be to get rid of devm_ and release/free everything explicitly during device unbind. v2: Change commit message and other minor code changes v3: Cleanup from i915_hwmon_register on error (Armin Wolf) v4: Eliminate potential static analyzer warning (Rodrigo) Eliminate fetch_and_zero (Jani) v5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi) | 2024-07-05 | not yet calculated | CVE-2024-39479 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: kdb: Fix buffer overflow during tab-complete Currently, when the user attempts symbol completion with the Tab key, kdb will use strncpy() to insert the completed symbol into the command buffer. Unfortunately it passes the size of the source buffer rather than the destination to strncpy() with predictably horrible results. Most obviously if the command buffer is already full but cp, the cursor position, is in the middle of the buffer, then we will write past the end of the supplied buffer. Fix this by replacing the dubious strncpy() calls with memmove()/memcpy() calls plus explicit boundary checks to make sure we have enough space before we start moving characters around. | 2024-07-05 | not yet calculated | CVE-2024-39480 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: media: mc: Fix graph walk in media_pipeline_start The graph walk tries to follow all links, even if they are not between pads. This causes a crash with, e.g., a MEDIA_LNK_FL_ANCILLARY_LINK link. Fix this by allowing the walk to proceed only for MEDIA_LNK_FL_DATA_LINK links. | 2024-07-05 | not yet calculated | CVE-2024-39481 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: bcache: fix variable length array abuse in btree_iter btree_iter is used in two ways: either allocated on the stack with a fixed size MAX_BSETS, or from a mempool with a dynamic size based on the specific cache set. Previously, the struct had a fixed-length array of size MAX_BSETS which was indexed out-of-bounds for the dynamically-sized iterators, which causes UBSAN to complain. This patch uses the same approach as in bcachefs’s sort_iter and splits the iterator into a btree_iter with a flexible array member and a btree_iter_stack which embeds a btree_iter as well as a fixed-length data array. | 2024-07-05 | not yet calculated | CVE-2024-39482 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked When requesting an NMI window, WARN on vNMI support being enabled if and only if NMIs are actually masked, i.e. if the vCPU is already handling an NMI. KVM’s ABI for NMIs that arrive simultaneously (from KVM’s point of view) is to inject one NMI and pend the other. When using vNMI, KVM pends the second NMI simply by setting V_NMI_PENDING, and lets the CPU do the rest (hardware automatically sets V_NMI_BLOCKING when an NMI is injected). However, if KVM can’t immediately inject an NMI, e.g. because the vCPU is in an STI shadow or is running with GIF=0, then KVM will request an NMI window and trigger the WARN (but still function correctly). Whether or not the GIF=0 case makes sense is debatable, as the intent of KVM’s behavior is to provide functionality that is as close to real hardware as possible. E.g. if two NMIs are sent in quick succession, the probability of both NMIs arriving in an STI shadow is infinitesimally low on real hardware, but significantly larger in a virtual environment, e.g. if the vCPU is preempted in the STI shadow. For GIF=0, the argument isn’t as clear cut, because the window where two NMIs can collide is much larger in bare metal (though still small). That said, KVM should not have divergent behavior for the GIF=0 case based on whether or not vNMI support is enabled. And KVM has allowed simultaneous NMIs with GIF=0 for over a decade, since commit 7460fb4a3400 (“KVM: Fix simultaneous NMIs”). I.e. KVM’s GIF=0 handling shouldn’t be modified without a *really* good reason to do so, and if KVM’s behavior were to be modified, it should be done irrespective of vNMI support. | 2024-07-05 | not yet calculated | CVE-2024-39483 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don’t strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text) | 2024-07-05 | not yet calculated | CVE-2024-39484 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: media: v4l: async: Properly re-initialise notifier entry in unregister The notifier_entry of a notifier is not re-initialised after unregistering the notifier. This leads to dangling pointers being left there so use list_del_init() to return the notifier_entry an empty list. | 2024-07-05 | not yet calculated | CVE-2024-39485 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Linux–Linux |
In the Linux kernel, the following vulnerability has been resolved: drm/drm_file: Fix pid refcounting race filp->pid is supposed to be a refcounted pointer; however, before this patch, drm_file_update_pid() only increments the refcount of a struct pid after storing a pointer to it in filp->pid and dropping the dev->filelist_mutex, making the following race possible: process A process B ========= ========= begin drm_file_update_pid mutex_lock(&dev->filelist_mutex) rcu_replace_pointer(filp->pid, <pid B>, 1) mutex_unlock(&dev->filelist_mutex) begin drm_file_update_pid mutex_lock(&dev->filelist_mutex) rcu_replace_pointer(filp->pid, <pid A>, 1) mutex_unlock(&dev->filelist_mutex) get_pid(<pid A>) synchronize_rcu() put_pid(<pid B>) *** pid B reaches refcount 0 and is freed here *** get_pid(<pid B>) *** UAF *** synchronize_rcu() put_pid(<pid A>) As far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y because it requires RCU to detect a quiescent state in code that is not explicitly calling into the scheduler. This race leads to use-after-free of a “struct pid”. It is probably somewhat hard to hit because process A has to pass through a synchronize_rcu() operation while process B is between mutex_unlock() and get_pid(). Fix it by ensuring that by the time a pointer to the current task’s pid is stored in the file, an extra reference to the pid has been taken. This fix also removes the condition for synchronize_rcu(); I think that optimization is unnecessary complexity, since in that case we would usually have bailed out on the lockless check above. | 2024-07-06 | not yet calculated | CVE-2024-39486 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
MediaTek, Inc.–MT2735, MT2737, MT6761, MT6765, MT6768, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6980, MT6983, MT6985, MT6989, MT6990, MT8666, MT8667, MT8673, MT8676, MT8678 |
In gnss service, there is a possible escalation of privilege due to improper certificate validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08720039; Issue ID: MSV-1424. | 2024-07-01 | not yet calculated | CVE-2024-20080 security@mediatek.com |
MediaTek, Inc.–MT2735, MT2737, MT6761, MT6765, MT6768, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6980, MT6983, MT6985, MT6989, MT6990, MT8666, MT8667, MT8673, MT8676, MT8678 |
In gnss service, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08719602; Issue ID: MSV-1412. | 2024-07-01 | not yet calculated | CVE-2024-20081 security@mediatek.com |
MediaTek, Inc.–MT6761, MT6765, MT6768, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT6989, MT8666, MT8667, MT8673, MT8676, MT8678 |
In gnss service, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08044040; Issue ID: MSV-1491. | 2024-07-01 | not yet calculated | CVE-2024-20079 security@mediatek.com |
mudler–mudler/localai |
A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as ‘gpt-4-vision-preview’, without the victim’s consent. The vulnerability is due to insufficient CSRF protection mechanisms on the model deletion functionality. | 2024-07-06 | not yet calculated | CVE-2024-5616 security@huntr.dev security@huntr.dev |
mudler–mudler/localai |
A vulnerability in the /models/apply endpoint of mudler/localai version 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint accepts both http(s):// and file:// URLs; the latter can lead to LFI, although the amount of file content returned is limited by the length of the error message that echoes it. The vulnerability can be exploited by an attacker with network access to the LocalAI instance, potentially allowing unauthorized access to internal HTTP(s) servers and partial reading of local files. The issue is fixed in version 2.17. | 2024-07-06 | not yet calculated | CVE-2024-6095 security@huntr.dev security@huntr.dev |
n/a–n/a |
Vulnerability in Realtek RtsPer driver for PCIe Card Reader (RtsPer.sys) before 10.0.22000.21355 and Realtek RtsUer driver for USB Card Reader (RtsUer.sys) before 10.0.22000.31274 leaks driver logs that contain addresses of kernel mode objects, weakening KASLR. | 2024-07-02 | not yet calculated | CVE-2022-25477 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
Vulnerability in Realtek RtsPer driver for PCIe Card Reader (RtsPer.sys) before 10.0.22000.21355 and Realtek RtsUer driver for USB Card Reader (RtsUer.sys) before 10.0.22000.31274 provides read and write access to the PCI configuration space of the device. | 2024-07-02 | not yet calculated | CVE-2022-25478 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
Vulnerability in Realtek RtsPer driver for PCIe Card Reader (RtsPer.sys) before 10.0.22000.21355 and Realtek RtsUer driver for USB Card Reader (RtsUer.sys) before 10.0.22000.31274 allows for the leakage of kernel memory from both the stack and the heap. | 2024-07-02 | not yet calculated | CVE-2022-25479 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
Vulnerability in Realtek RtsPer driver for PCIe Card Reader (RtsPer.sys) before 10.0.22000.21355 and Realtek RtsUer driver for USB Card Reader (RtsUer.sys) before 10.0.22000.31274 allows writing to kernel memory beyond the SystemBuffer of the IRP. | 2024-07-02 | not yet calculated | CVE-2022-25480 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc. | 2024-07-03 | not yet calculated | CVE-2023-52168 cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process. | 2024-07-03 | not yet calculated | CVE-2023-52169 cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/route.c max_size threshold that can be consumed easily, e.g., leading to a denial of service (network is unreachable errors) when IPv6 packets are sent in a loop via a raw socket. | 2024-07-05 | not yet calculated | CVE-2023-52340 cve@mitre.org cve@mitre.org |
n/a–n/a |
Cross Site Request Forgery (CSRF) vulnerability in savignano S/Notify before 4.0.2 for Confluence allows attackers to manipulate a user’s S/MIME certificate or PGP key via a malicious link or email. | 2024-07-01 | not yet calculated | CVE-2024-23736 cve@mitre.org |
n/a–n/a |
Cross Site Request Forgery (CSRF) vulnerability in savignano S/Notify before 4.0.2 for Jira allows attackers to manipulate a user’s S/MIME certificate or PGP key via a malicious link or email. | 2024-07-01 | not yet calculated | CVE-2024-23737 cve@mitre.org |
n/a–n/a |
Lukas Bach yana 1.0.16 and earlier is vulnerable to Cross Site Scripting (XSS) via src/electron-main.ts. | 2024-07-05 | not yet calculated | CVE-2024-23997 cve@mitre.org |
n/a–n/a |
goanother Another Redis Desktop Manager 1.6.1 and earlier is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.vue. | 2024-07-05 | not yet calculated | CVE-2024-23998 cve@mitre.org |
n/a–n/a |
SQL Injection vulnerability in Eskooly Web Product v.3.0 allows a remote attacker to execute arbitrary code via the searchby parameter of the allstudents.php component and the id parameter of the requestmanager.php component. | 2024-07-05 | not yet calculated | CVE-2024-27709 cve@mitre.org |
n/a–n/a |
An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the authentication mechanism. | 2024-07-05 | not yet calculated | CVE-2024-27710 cve@mitre.org |
n/a–n/a |
An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the Sign-up process function in the account settings. | 2024-07-05 | not yet calculated | CVE-2024-27711 cve@mitre.org |
n/a–n/a |
An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the User Account Management component in the authentication mechanism. | 2024-07-05 | not yet calculated | CVE-2024-27712 cve@mitre.org |
n/a–n/a |
An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the HTTP Response Header Settings component. | 2024-07-05 | not yet calculated | CVE-2024-27713 cve@mitre.org |
n/a–n/a |
An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via a crafted request to the Password Change mechanism. | 2024-07-05 | not yet calculated | CVE-2024-27715 cve@mitre.org |
n/a–n/a |
Cross Site Scripting vulnerability in Eskooly Web Product v.3.0 and before allows a remote attacker to execute arbitrary web script in a victim’s browser via the message sending and user input fields. | 2024-07-05 | not yet calculated | CVE-2024-27716 cve@mitre.org |
n/a–n/a |
Cross Site Request Forgery vulnerability in Eskooly Free Online School Management Software v.3.0 and before allows a remote attacker to escalate privileges via the Token Handling component. | 2024-07-05 | not yet calculated | CVE-2024-27717 cve@mitre.org |
n/a–n/a |
Volmarg Personal Management System 1.4.64 is vulnerable to stored cross site scripting (XSS) via upload of a SVG file with embedded javascript code. | 2024-07-05 | not yet calculated | CVE-2024-29318 cve@mitre.org |
n/a–n/a |
Volmarg Personal Management System 1.4.64 is vulnerable to SSRF (Server Side Request Forgery) via uploading a SVG file. The server can make unintended HTTP and DNS requests to a server that the attacker controls. | 2024-07-05 | not yet calculated | CVE-2024-29319 cve@mitre.org |
n/a–n/a |
Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi_apply_filter() function via a long PDF filter name. | 2024-07-03 | not yet calculated | CVE-2024-29506 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters. | 2024-07-03 | not yet calculated | CVE-2024-29507 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure (observable in a constructed BaseFont name) in the function pdf_base_font_alloc. | 2024-07-03 | not yet calculated | CVE-2024-29508 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a 00 byte in the middle. | 2024-07-03 | not yet calculated | CVE-2024-29509 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device. | 2024-07-03 | not yet calculated | CVE-2024-29510 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue that allows arbitrary file reading (and writing of error messages to arbitrary files) via OCRLanguage. For example, exploitation can use debug_file /tmp/out and user_patterns_file /etc/passwd. | 2024-07-03 | not yet calculated | CVE-2024-29511 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
FFmpeg 7.0 contains a heap-buffer-overflow at libavfilter/vf_tiltandshift.c:189:5 in copy_column. | 2024-07-01 | not yet calculated | CVE-2024-32229 cve@mitre.org |
n/a–n/a |
FFmpeg 7.0 is vulnerable to a buffer overflow: there is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture. | 2024-07-01 | not yet calculated | CVE-2024-32230 cve@mitre.org |
n/a–n/a |
An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file’s contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected. | 2024-07-05 | not yet calculated | CVE-2024-32498 cve@mitre.org cve@mitre.org |
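The QCOW2 row above is about images that reference a file outside themselves (a backing file or, in this case, an external data file), which the conversion step then reads on the attacker’s behalf. The check below is an added example, not OpenStack, Cinder, Glance, Nova or QEMU code: it parses just enough of a QCOW2 header to refuse any image that is not self-contained before the image reaches a converter. Offsets and constants follow the public QCOW2 format description; the sample images, the policy function name and the assumption that rejection happens before conversion are all part of the illustration.

```javascript
// Added example (not OpenStack or QEMU code): parse enough of a QCOW2 header
// to refuse images that point at files outside the image itself.
// Offsets follow the public QCOW2 format description; the sample images
// built by buildSample() are constructed in-process and hold no guest data.
const QCOW2_MAGIC = 0x514649fb;                   // "QFI\xfb"
const INCOMPAT_EXTERNAL_DATA_FILE = 1n << 2n;     // incompatible_features bit 2
const EXT_EXTERNAL_DATA_FILE_NAME = 0x44415441;   // header extension type "DATA"

function inspectQcow2(buf) {
  if (buf.length < 72 || buf.readUInt32BE(0) !== QCOW2_MAGIC) {
    throw new Error('not a QCOW2 image');
  }
  const version = buf.readUInt32BE(4);
  const backingOffset = Number(buf.readBigUInt64BE(8));
  const backingSize = buf.readUInt32BE(16);
  const info = { version, backingFile: null, dataFile: null, externalDataFlag: false };

  // Backing file name lives at an arbitrary offset inside the header area.
  if (backingSize > 0 && backingOffset + backingSize <= buf.length) {
    info.backingFile = buf.toString('utf8', backingOffset, backingOffset + backingSize);
  }

  // Version 3 adds feature bitmaps and a variable header length; header
  // extensions follow the fixed header in both versions.
  let pos = 72;
  if (version >= 3) {
    if (buf.length < 104) throw new Error('truncated v3 header');
    const incompat = buf.readBigUInt64BE(72);
    info.externalDataFlag = (incompat & INCOMPAT_EXTERNAL_DATA_FILE) !== 0n;
    pos = buf.readUInt32BE(100);               // header_length
  }

  // Header extensions: u32 type, u32 length, data padded to 8 bytes, until type 0.
  while (pos + 8 <= buf.length) {
    const type = buf.readUInt32BE(pos);
    const len = buf.readUInt32BE(pos + 4);
    if (type === 0) break;
    if (type === EXT_EXTERNAL_DATA_FILE_NAME) {
      info.dataFile = buf.toString('utf8', pos + 8, Math.min(pos + 8 + len, buf.length));
    }
    pos += 8 + ((len + 7) & ~7);
  }
  return info;
}

// Policy (assumed): an image may only be converted server-side when it is
// fully self-contained. Any external reference is rejected before qemu-img sees it.
function isSafeToConvert(buf) {
  const info = inspectQcow2(buf);
  return info.backingFile === null && info.dataFile === null && !info.externalDataFlag;
}

// Constructed sample: a bare v3 header, optionally claiming an external data
// file (flag + "DATA" extension) or a backing file.
function buildSample({ dataFile = null, backingFile = null } = {}) {
  const data = dataFile ? Buffer.from(dataFile, 'utf8') : null;
  const backing = backingFile ? Buffer.from(backingFile, 'utf8') : null;
  const extLen = data ? 8 + ((data.length + 7) & ~7) : 0;
  const buf = Buffer.alloc(104 + extLen + 8 + (backing ? backing.length : 0));
  buf.writeUInt32BE(QCOW2_MAGIC, 0);
  buf.writeUInt32BE(3, 4);                       // version 3
  buf.writeUInt32BE(16, 20);                     // cluster_bits: 64 KiB clusters
  buf.writeUInt32BE(4, 96);                      // refcount_order
  buf.writeUInt32BE(104, 100);                   // header_length
  let pos = 104;
  if (data) {
    buf.writeBigUInt64BE(INCOMPAT_EXTERNAL_DATA_FILE, 72);
    buf.writeUInt32BE(EXT_EXTERNAL_DATA_FILE_NAME, pos);
    buf.writeUInt32BE(data.length, pos + 4);
    data.copy(buf, pos + 8);
    pos += extLen;
  }
  pos += 8;                                      // zeroed end-of-extensions marker
  if (backing) {
    buf.writeBigUInt64BE(BigInt(pos), 8);
    buf.writeUInt32BE(backing.length, 16);
    backing.copy(buf, pos);
  }
  return buf;
}
```

The parser deliberately reads only the header: the decision is made before any cluster data is touched, and an image that merely claims an external data file (flag set, extension present) is rejected even if the named path does not exist on the host. In a deployment this check belongs in front of whatever calls the converter, so that a crafted image never gets as far as having its data file opened.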
n/a–n/a |
A buffer-management vulnerability in OPC Foundation OPCFoundation.NetStandard.Opc.Ua.Core before 1.05.374.54 could allow remote attackers to exhaust memory resources. It is triggered when the system receives an excessive number of messages from a remote source. This could potentially lead to a denial of service (DoS) condition, disrupting the normal operation of the system. | 2024-07-05 | not yet calculated | CVE-2024-33862 cve@mitre.org |
n/a–n/a |
An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename. | 2024-07-03 | not yet calculated | CVE-2024-33869 cve@mitre.org cve@mitre.org |
n/a–n/a |
An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted. | 2024-07-03 | not yet calculated | CVE-2024-33870 cve@mitre.org cve@mitre.org |
n/a–n/a |
An issue was discovered in Artifex Ghostscript before 10.03.1. contrib/opvp/gdevopvp.c allows arbitrary code execution via a custom Driver library, exploitable via a crafted PostScript document. This occurs because the Driver parameter for opvp (and oprp) devices can have an arbitrary name for a dynamic library; this library is then loaded. | 2024-07-03 | not yet calculated | CVE-2024-33871 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
drupal-wiki.com Drupal Wiki before 8.31.1 allows XSS via comments, captions, and image titles of a Wiki page. | 2024-07-05 | not yet calculated | CVE-2024-34481 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory. | 2024-07-05 | not yet calculated | CVE-2024-36041 cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
Insecure Permissions vulnerability in Micro-Star International Co., Ltd MSI Center v.2.0.36.0 allows a local attacker to escalate privileges via the Export System Info function in MSI.CentralServer.exe | 2024-07-03 | not yet calculated | CVE-2024-37726 cve@mitre.org |
n/a–n/a |
MachForm up to version 21 is affected by an authenticated unrestricted file upload which leads to a remote code execution. | 2024-07-01 | not yet calculated | CVE-2024-37762 cve@mitre.org |
n/a–n/a |
MachForm up to version 19 is affected by an unauthenticated stored cross-site scripting vulnerability that affects users with valid sessions who can view compiled form results. | 2024-07-01 | not yet calculated | CVE-2024-37763 cve@mitre.org |
n/a–n/a |
MachForm up to version 19 is affected by an authenticated blind SQL injection in the user account settings page. | 2024-07-01 | not yet calculated | CVE-2024-37765 cve@mitre.org |
n/a–n/a |
Insecure permissions in the component /api/admin/user of 14Finger v1.1 allows attackers to access all user information via a crafted GET request. | 2024-07-05 | not yet calculated | CVE-2024-37767 cve@mitre.org |
n/a–n/a |
14Finger v1.1 was discovered to contain an arbitrary user deletion vulnerability via the component /api/admin/user?id. | 2024-07-05 | not yet calculated | CVE-2024-37768 cve@mitre.org |
n/a–n/a |
Insecure permissions in 14Finger v1.1 allow attackers to escalate privileges from normal user to Administrator via a crafted POST request. | 2024-07-05 | not yet calculated | CVE-2024-37769 cve@mitre.org |
n/a–n/a |
The Avalara for Salesforce CPQ app before 7.0 for Salesforce allows attackers to read an API key. NOTE: the current version is 11 as of mid-2024. | 2024-07-03 | not yet calculated | CVE-2024-38453 cve@mitre.org cve@mitre.org |
n/a–n/a |
phpok 6.4.003 contains a Cross Site Scripting (XSS) vulnerability in the ok_f() method under the framework/api/upload_control.php file. | 2024-07-01 | not yet calculated | CVE-2024-38953 cve@mitre.org |
n/a–n/a |
aofl cli-lib v3.14.0 was discovered to contain a prototype pollution via the component defaultsDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | not yet calculated | CVE-2024-38987 cve@mitre.org cve@mitre.org |
n/a–n/a |
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | not yet calculated | CVE-2024-38999 cve@mitre.org |
n/a–n/a |
ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component _ModuleSupport.jsonApply. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | not yet calculated | CVE-2024-39001 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function util.clone. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | not yet calculated | CVE-2024-39002 cve@mitre.org |
n/a–n/a |
robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | not yet calculated | CVE-2024-39008 cve@mitre.org |
n/a–n/a |
2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | not yet calculated | CVE-2024-39013 cve@mitre.org |
n/a–n/a |
ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | not yet calculated | CVE-2024-39014 cve@mitre.org |
n/a–n/a |
harvey-woo cat5th/key-serializer v0.2.5 was discovered to contain a prototype pollution via the function “query”. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | 2024-07-01 | not yet calculated | CVE-2024-39018 cve@mitre.org |
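The seven prototype pollution rows above (aofl cli-lib, requirejs, ag-grid-enterprise, jsonic-next, fast-loops, 2o3t-utility, cahil/utils and key-serializer) all come down to the same pattern: a recursive merge, clone or set helper that walks attacker-supplied keys without refusing `__proto__`, `constructor` and `prototype`. The block below is an added example and is not code from any of those libraries: it shows the vulnerable recursion next to a hardened one, with a constructed payload of the kind that arrives through `JSON.parse` on a request body. Function and property names are illustrative.

```javascript
// Added example (not code from any library listed above): the recursive
// merge pattern behind these prototype pollution reports, and a hardened
// version. PAYLOAD is a constructed attacker input.

// Vulnerable: for..in walks every enumerable key, and target["__proto__"]
// resolves to Object.prototype, so the recursion writes shared properties.
function mergeDeepUnsafe(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val && typeof val === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeDeepUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened: own keys only, the three prototype-reaching names are skipped,
// and recursion only descends into plain objects that the target itself owns.
function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      mergeDeepSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed payload: JSON.parse creates an own property literally named
// "__proto__", which is exactly what the unsafe merge follows.
const PAYLOAD = '{"__proto__": {"isAdmin": true}, "constructor": {"prototype": {"isAdmin": true}}}';

// Runs both merges and reports whether Object.prototype was polluted.
// Each pollution is undone afterwards so the process is left clean.
function demo() {
  const result = {};
  mergeDeepUnsafe({}, JSON.parse(PAYLOAD));
  result.unsafePolluted = ({}).isAdmin === true;   // every object is now "admin"
  delete Object.prototype.isAdmin;

  const merged = mergeDeepSafe({ role: 'user' }, JSON.parse(PAYLOAD));
  result.safePolluted = ({}).isAdmin === true;
  result.safeKeys = Object.keys(merged);
  delete Object.prototype.isAdmin;
  return result;
}
```

The `constructor.prototype` path in the payload is the usual second route when `__proto__` alone is filtered, which is why the deny list has three entries and not one; `Object.create(null)` for merge targets and freezing `Object.prototype` at startup are complementary defences when the library cannot be replaced.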
n/a–n/a |
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/idcProData_deal.php?mudi=del | 2024-07-05 | not yet calculated | CVE-2024-39019 cve@mitre.org |
n/a–n/a |
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/vpsApiData_deal.php?mudi=rev&nohrefStr=close | 2024-07-05 | not yet calculated | CVE-2024-39020 cve@mitre.org |
n/a–n/a |
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component http://127.0.0.1:80/admin/vpsApiData_deal.php?mudi=del | 2024-07-05 | not yet calculated | CVE-2024-39021 cve@mitre.org |
n/a–n/a |
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/infoSys_deal.php?mudi=deal | 2024-07-05 | not yet calculated | CVE-2024-39022 cve@mitre.org |
n/a–n/a |
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via admin/info_deal.php?mudi=add&nohrefStr=close | 2024-07-05 | not yet calculated | CVE-2024-39023 cve@mitre.org |
n/a–n/a |
SeaCMS v12.9 has an unauthenticated SQL injection vulnerability via the cid parameter at /js/player/dmplayer/dmku/index.php?ac=edit, which can cause sensitive database information to be leaked. | 2024-07-05 | not yet calculated | CVE-2024-39027 cve@mitre.org |
n/a–n/a |
An issue was discovered in SeaCMS <=12.9 which allows remote attackers to execute arbitrary code via admin_ping.php. | 2024-07-05 | not yet calculated | CVE-2024-39028 cve@mitre.org |
n/a–n/a |
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via admin/info_deal.php?mudi=rev&nohrefStr=close. | 2024-07-02 | not yet calculated | CVE-2024-39119 cve@mitre.org |
n/a–n/a |
vditor v.3.9.8 and before is vulnerable to Arbitrary file read via a crafted data packet. | 2024-07-05 | not yet calculated | CVE-2024-39150 cve@mitre.org |
n/a–n/a |
QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with a .php file name in the filename parameter. This occurs because an unnecessary QR/demoapp folder is shipped with the product. | 2024-07-04 | not yet calculated | CVE-2024-39165 cve@mitre.org |
n/a–n/a |
A cross-site scripting (XSS) vulnerability in the Publish Article function of yzmcms v7.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a published article. | 2024-07-05 | not yet calculated | CVE-2024-39174 cve@mitre.org |
n/a–n/a |
MyPower vc8100 V100R001C00B030 was discovered to contain an arbitrary file read vulnerability via the component /tcpdump/tcpdump.php?menu_uuid. | 2024-07-05 | not yet calculated | CVE-2024-39178 cve@mitre.org |
n/a–n/a |
An information disclosure vulnerability in ISPmanager v6.98.0 allows attackers to access sensitive details of the root user’s session via an arbitrary command (ISP6-1779). | 2024-07-05 | not yet calculated | CVE-2024-39182 cve@mitre.org |
n/a–n/a |
An issue discovered in MSP360 Backup Agent v7.8.5.15 and v7.9.4.84 allows attackers to obtain network share credentials used in a backup due to enginesettings.list being encrypted with a hard coded key. | 2024-07-02 | not yet calculated | CVE-2024-39206 cve@mitre.org |
n/a–n/a |
Best House Rental Management System v1.0 was discovered to contain an arbitrary file read vulnerability via the Page parameter at index.php. This vulnerability allows attackers to read arbitrary PHP files and access other sensitive information within the application. | 2024-07-05 | not yet calculated | CVE-2024-39210 cve@mitre.org |
n/a–n/a |
Kaiten 57.128.8 allows remote attackers to enumerate user accounts via a crafted POST request, because a login response contains a user_email field only if the user account exists. | 2024-07-04 | not yet calculated | CVE-2024-39211 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
BAS-IP AV-01D, AV-01MD, AV-01MFD, AV-01ED, AV-01KD, AV-01BD, AV-01KBD, AV-02D, AV-02IDE, AV-02IDR, AV-02IPD, AV-02FDE, AV-02FDR, AV-03D, AV-03BD, AV-04AFD, AV-04ASD, AV-04FD, AV-04SD, AV-05FD, AV-05SD, AA-07BD, AA-07BDI, BA-04BD, BA-04MD, BA-08BD, BA-08MD, BA-12BD, BA-12MD, CR-02BD before firmware v3.9.2 allows authenticated attackers to read SIP account passwords via a crafted GET request. | 2024-07-03 | not yet calculated | CVE-2024-39220 cve@mitre.org cve@mitre.org |
n/a–n/a |
gost v2.11.5 configures its SSH client with HostKeyCallback set to ssh.InsecureIgnoreHostKey, which disables server host key verification. An attacker positioned on the network can therefore impersonate the SSH server and intercept communications (authentication bypass). | 2024-07-03 | not yet calculated | CVE-2024-39223 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
A cross-site scripting (XSS) vulnerability in SimpCMS v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field at /admin.php. | 2024-07-03 | not yet calculated | CVE-2024-39248 cve@mitre.org cve@mitre.org |
n/a–n/a |
Async <= 2.6.4 and 3.x <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) when the autoInject function parses a function’s source text to extract its parameter names. | 2024-07-01 | not yet calculated | CVE-2024-39249 cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
An issue in the component ControlCenter.sys/ControlCenter64.sys of ThundeRobot Control Center v2.0.0.10 allows attackers to access sensitive information, execute arbitrary code, or escalate privileges via sending crafted IOCTL requests. | 2024-07-01 | not yet calculated | CVE-2024-39251 cve@mitre.org |
n/a–n/a |
In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK. | 2024-07-03 | not yet calculated | CVE-2024-39844 cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur. | 2024-07-02 | not yet calculated | CVE-2024-39894 cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
The TCP protocol in RFC 9293 has a timing side channel that makes it easier for remote attackers to infer the content of one TCP connection from a client system (to any server), when that client system is concurrently obtaining TCP data at a slow rate from an attacker-controlled server, aka the “SnailLoad” issue. For example, the attack can begin by measuring RTTs via the TCP segments whose role is to provide an ACK control bit and an Acknowledgment Number. | 2024-07-03 | not yet calculated | CVE-2024-39920 cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org |
n/a–n/a |
Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users. | 2024-07-04 | not yet calculated | CVE-2024-39929 cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org |
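The Exim row above is a parsing mismatch: the filename in a Content-Disposition header may arrive as numbered RFC 2231 continuation segments (`filename*0=`, `filename*1=`, optionally percent-encoded with a leading charset) spread over folded lines, and a filter that only recognises a plain `filename=` never sees the final extension. The block below is an added example, not Exim code: it unfolds the header, reassembles the segments in numeric order, and applies an extension block list to the result. The sample headers are constructed and the block list is an assumption.

```javascript
// Added example (not Exim code): reassemble an RFC 2231 continuation
// parameter from a folded header so that an extension check sees the real
// filename. SAMPLE is constructed; BLOCKED_EXTENSIONS is an assumed policy.
const BLOCKED_EXTENSIONS = new Set(['exe', 'scr', 'js', 'vbs', 'bat']);

// RFC 5322 unfolding: CRLF followed by whitespace continues the same header.
function unfoldHeader(raw) {
  return raw.replace(/\r?\n[ \t]+/g, ' ');
}

// Split on ';' outside of quoted strings.
function splitParams(value) {
  const parts = [];
  let cur = '';
  let quoted = false;
  for (const ch of value) {
    if (ch === '"') { quoted = !quoted; cur += ch; }
    else if (ch === ';' && !quoted) { parts.push(cur); cur = ''; }
    else cur += ch;
  }
  parts.push(cur);
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

function percentDecode(text, charset) {
  const raw = text.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  return Buffer.from(raw, 'latin1').toString(charset === 'utf-8' ? 'utf8' : 'latin1');
}

// Parse a Content-Disposition value, joining name*0, name*1, ... segments
// (and decoding name*N* segments) into a single parameter value.
function parseDisposition(headerValue) {
  const [type, ...rest] = splitParams(unfoldHeader(headerValue));
  const params = {};
  const segments = {};          // base name -> { index -> { val, encoded } }
  for (const p of rest) {
    const eq = p.indexOf('=');
    if (eq < 0) continue;
    const name = p.slice(0, eq).trim().toLowerCase();
    let val = p.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    const m = /^([^*]+)(?:\*(\d+))?(\*)?$/.exec(name);
    if (!m) continue;
    const base = m[1];
    if (m[2] === undefined && !m[3]) { params[base] = val; continue; }   // plain param
    if (!segments[base]) segments[base] = {};
    segments[base][m[2] === undefined ? 0 : Number(m[2])] = { val, encoded: Boolean(m[3]) };
  }
  for (const base of Object.keys(segments)) {
    const order = Object.keys(segments[base]).map(Number).sort((a, b) => a - b);
    let charset = 'utf-8';
    let out = '';
    order.forEach((i, n) => {
      let { val, encoded } = segments[base][i];
      if (encoded) {
        if (n === 0) {                         // first segment carries charset'lang'
          const q = val.split("'");
          if (q.length >= 3) { charset = (q[0] || charset).toLowerCase(); val = q.slice(2).join("'"); }
        }
        val = percentDecode(val, charset);
      }
      out += val;
    });
    params[base] = out;                        // RFC 2231 form takes precedence
  }
  return { type: (type || '').toLowerCase(), params };
}

// What a naive filter sees: only a plain filename= parameter.
function naiveFilename(headerValue) {
  const m = /(?:^|;\s*)filename="?([^";]*)"?/i.exec(unfoldHeader(headerValue));
  return m ? m[1] : null;
}

function extensionOf(name) {
  const dot = name.lastIndexOf('.');
  return dot < 0 ? '' : name.slice(dot + 1).toLowerCase();
}

function isBlockedAttachment(headerValue) {
  const { params } = parseDisposition(headerValue);
  return params.filename !== undefined && BLOCKED_EXTENSIONS.has(extensionOf(params.filename));
}

// Constructed sample: a folded value whose filename is split in two segments.
const SAMPLE = 'attachment;\r\n filename*0="invoice.";\r\n filename*1="exe"';
```

The general rule the example illustrates is that a content filter must run on the fully decoded value the receiving mail client will use, never on the wire form: unfolding, segment ordering and percent-decoding all happen before the extension is examined, and a bare `filename=` that disagrees with the RFC 2231 form is overridden by the latter, which is what most clients do.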
n/a–n/a |
jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certificate.js OS command injection by an authenticated user (with certificate management privileges) via untrusted input to the DNS provider configuration. NOTE: this is not part of any NGINX software shipped by F5. | 2024-07-04 | not yet calculated | CVE-2024-39935 cve@mitre.org cve@mitre.org cve@mitre.org |
parisneo–parisneo/lollms-webui |
parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application’s ‘binding_zoo’ feature, which allows attackers to upload and interact with a malicious model file hosted on hugging-face, leading to remote code execution. The issue is linked to a known vulnerability in llama-cpp-python, CVE-2024-34359, which has not been patched in lollms-webui as of commit b454f40a. The vulnerability is exploitable through the application’s handling of model files in the ‘bindings_zoo’ feature, specifically when processing gguf format model files. | 2024-07-02 | not yet calculated | CVE-2024-4897 security@huntr.dev |
Samsung Open Source–Walrus |
Improper Validation of Array Index vulnerability in Samsung Open Source Walrus Webassembly runtime engine allows a segmentation fault issue. This issue affects Walrus: before 72c7230f32a0b791355bbdfc78669701024b0956. | 2024-07-03 | not yet calculated | CVE-2024-32673 PSIRT@samsung.com |
SOKRATES-software–SOWA OPAC |
Improper Neutralization of Input During Web Page Generation vulnerability in SOKRATES-software SOWA OPAC allows a Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in the user’s browser. This issue affects SOWA OPAC software in versions from 4.0 before 4.9.10, from 5.0 before 6.2.12. | 2024-07-01 | not yet calculated | CVE-2024-6050 cvd@cert.pl cvd@cert.pl |
Sola Plugins–Sola Testimonials |
A cross-site request forgery vulnerability exists in Sola Testimonials versions prior to 3.0.0. If a user who is logged in to a WordPress site where the affected plugin is enabled is led to visit a malicious page, the user may be made to perform unintended operations on that WordPress site. | 2024-07-04 | not yet calculated | CVE-2024-38345 vultures@jpcert.or.jp vultures@jpcert.or.jp |
Sola Plugins–WP Tweet Walls |
A cross-site request forgery vulnerability exists in WP Tweet Walls versions prior to 1.0.4. If a user who is logged in to a WordPress site where the affected plugin is enabled is led to visit a malicious page, the user may be made to perform unintended operations on that WordPress site. | 2024-07-04 | not yet calculated | CVE-2024-38344 vultures@jpcert.or.jp vultures@jpcert.or.jp |
stitionai–stitionai/devika |
Improper Access Control in stitionai/devika | 2024-07-03 | not yet calculated | CVE-2024-5821 security@huntr.dev |
stitionai–stitionai/devika |
Cross-Site Request Forgery (CSRF) in stitionai/devika | 2024-07-03 | not yet calculated | CVE-2024-5887 security@huntr.dev |
TP-LINK–Archer AX3000 |
Multiple TP-LINK products allow a network-adjacent attacker with administrative privileges to execute arbitrary OS commands by restoring a crafted backup file. In its initial configuration, the affected device allows login only from the LAN port or Wi-Fi. | 2024-07-04 | not yet calculated | CVE-2024-38471 vultures@jpcert.or.jp |
Unknown–Form Maker by 10Web |
The Form Maker by 10Web WordPress plugin before 1.15.26 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup). | 2024-07-01 | not yet calculated | CVE-2024-6130 contact@wpscan.com |
Unknown–Himer |
Himer allows any authenticated user to join a private group due to a missing authorization check on a function. | 2024-07-03 | not yet calculated | CVE-2024-2231 contact@wpscan.com |
Unknown–Quiz and Survey Master (QSM) |
The Quiz and Survey Master (QSM) WordPress plugin before 9.0.2 does not validate and escape some of its Quiz fields before outputting them back in a page/post where the Quiz is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2024-07-01 | not yet calculated | CVE-2024-4934 contact@wpscan.com |
vanna-ai–vanna-ai/vanna |
vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as `pg_read_file()`. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like `/etc/passwd`, by exploiting the exposed SQL queries via a Python Flask API. | 2024-07-05 | not yet calculated | CVE-2024-5753 security@huntr.dev |
