In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between February 02-03, 2024.
During this period, the National Vulnerability Database published 147 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:
Critical: 7
High: 31
Medium: 58
Low: 20
Severity Not Assigned: 31
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-50939
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: IBM PowerSC 1.3, 2.0, and 2.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 275129.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/275129
https://www.ibm.com/support/pages/node/7113759
CWE-ID: CWE-327
Common Platform Enumerations (CPE): cpe:2.3:a:ibm:powersc:1.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:powersc:2.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:powersc:2.1:*:*:*:*:*:*:*
2. CVE-2024-21764
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the product uses hard-coded credentials, which may allow an attacker to connect to a specific port.
References: https://rapidscada.org/contact/
https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03
CWE-ID: CWE-798
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-22016
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an authorized user can write directly to the Scada directory. This may allow privilege escalation.
References: https://rapidscada.org/contact/
https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03
CWE-ID: CWE-732
Common Platform Enumerations (CPE): Not Found
4. CVE-2023-50326
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: IBM PowerSC 1.3, 2.0, and 2.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 275107.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/275107
https://www.ibm.com/support/pages/node/7113759
CWE-ID: CWE-307
Common Platform Enumerations (CPE): cpe:2.3:a:ibm:powersc:1.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:powersc:2.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:powersc:2.1:*:*:*:*:*:*:*
5. CVE-2023-50936
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: IBM PowerSC 1.3, 2.0, and 2.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 275116.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/275116
https://www.ibm.com/support/pages/node/7113759
CWE-ID: CWE-613
Common Platform Enumerations (CPE): cpe:2.3:a:ibm:powersc:1.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:powersc:2.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:powersc:2.1:*:*:*:*:*:*:*
6. CVE-2023-50937
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: IBM PowerSC 1.3, 2.0, and 2.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 275117.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/275117
https://www.ibm.com/support/pages/node/7113759
CWE-ID: CWE-327
Common Platform Enumerations (CPE): cpe:2.3:a:ibm:powersc:1.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:powersc:2.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:powersc:2.1:*:*:*:*:*:*:*
7. CVE-2023-50940
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: IBM PowerSC 1.3, 2.0, and 2.1 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains. IBM X-Force ID: 275130.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/275130
https://www.ibm.com/support/pages/node/7113759
CWE-ID: CWE-697
Common Platform Enumerations (CPE): cpe:2.3:a:ibm:powersc:1.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:powersc:2.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:powersc:2.1:*:*:*:*:*:*:*
8. CVE-2024-21399
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 6.0
Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21399
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
9. CVE-2024-22779
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Directory Traversal vulnerability in Kihron ServerRPExposer v.1.0.2 and before allows a remote attacker to execute arbitrary code via the loadServerPack in ServerResourcePackProviderMixin.java.
References: https://gist.github.com/apple502j/193358682885fe1a6708309ce934e4ed
https://github.com/Kihron/ServerRPExposer/commit/8f7b829df633f59e828d677f736c53652d6f1b8f
https://modrinth.com/mod/serverrpexposer
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-22319
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 could allow a remote attacker to conduct an LDAP injection. By sending a specially crafted request, an attacker could exploit this vulnerability to inject unsanitized content into the LDAP filter. IBM X-Force ID: 279145.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/279145
https://www.ibm.com/support/pages/node/7112382
CWE-ID: CWE-90
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-22320
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/279146
https://www.ibm.com/support/pages/node/7112382
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
12. CVE-2023-38019
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: IBM SOAR QRadar Plugin App 1.0 through 5.0.3 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 260575.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/260575
https://www.ibm.com/support/pages/node/7111679
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
13. CVE-2020-24681
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 6.0
Description: Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation. This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.
References: https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf
CWE-ID: CWE-732
Common Platform Enumerations (CPE): Not Found
14. CVE-2021-22282
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 6.0
Description: Improper Control of Generation of Code ('Code Injection') vulnerability in B&R Industrial Automation Automation Studio allows Local Execution of Code. This issue affects Automation Studio: from 4.0 through 4.12.
References: https://www.br-automation.com/fileadmin/2021-12_RCE_Vulnerability_in_BnR_Automation_Studio-1b993aeb.pdf
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
15. CVE-2024-21860
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 6.0
Description: A use after free in OpenHarmony v4.0.0 and prior versions allows an adjacent attacker arbitrary code execution in any apps.
References: https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md
CWE-ID: CWE-416
Common Platform Enumerations (CPE): Not Found
16. CVE-2020-24682
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 0.6
Impact Score: 6.0
Description: Unquoted Search Path or Element vulnerability in B&R Industrial Automation Automation Studio, B&R Industrial Automation NET/PVI allows Target Programs with Elevated Privileges. This issue affects Automation Studio: from 4.0 through 4.6, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP; NET/PVI: from 4.0 through 4.6, from 4.7.0 before 4.7.7, from 4.8.0 before 4.8.6, from 4.9.0 before 4.9.4.
References: https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf
CWE-ID: CWE-428
Common Platform Enumerations (CPE): Not Found
17. CVE-2024-0338
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 1.3
Impact Score: 5.9
Description: A buffer overflow vulnerability has been found in XAMPP affecting version 8.2.4 and earlier. An attacker could execute arbitrary code through a long file debug argument that controls the Structured Exception Handler (SEH).
References: https://www.incibe.es/en/incibe-cert/notices/aviso/buffer-overflow-vulnerability-xampp
CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found
18. CVE-2024-23895
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/locationcreate.php, in the locationid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
19. CVE-2024-1201
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Search path or unquoted item vulnerability in HDD Health affecting versions 4.2.0.112 and earlier. This vulnerability could allow a local attacker to store a malicious executable file within the unquoted search path, resulting in privilege escalation.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/panterasoft-hdd-health-search-path-or-unquoted-item-vulnerability
CWE-ID: CWE-428
Common Platform Enumerations (CPE): Not Found
20. CVE-2023-47143
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 270270.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/270270
https://www.ibm.com/support/pages/node/7105139
CWE-ID: CWE-644
Common Platform Enumerations (CPE): Not Found
21. CVE-2023-6675
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Unrestricted Upload of File with Dangerous Type vulnerability in National Keep Cyber Security Services CyberMath allows Upload a Web Shell to a Web Server. This issue affects CyberMath: from v.1.4 before v.1.5.
References: https://www.usom.gov.tr/bildirim/tr-24-0080
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
22. CVE-2023-6676
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Cross-Site Request Forgery (CSRF) vulnerability in National Keep Cyber Security Services CyberMath allows Cross Site Request Forgery. This issue affects CyberMath: from v1.4 before v1.5.
References: https://www.usom.gov.tr/bildirim/tr-24-0080
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
23. CVE-2024-0253
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: ManageEngine ADAudit Plus versions 7270 and below are vulnerable to an authenticated SQL injection in home Graph-Data.
References: https://www.manageengine.com/products/active-directory-audit/sqlfix-7271.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
24. CVE-2024-0269
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: ManageEngine ADAudit Plus versions 7270 and below are vulnerable to an authenticated SQL injection in File-Summary DrillDown. This issue has been fixed and released in version 7271.
References: https://www.manageengine.com/products/active-directory-audit/sqlfix-7271.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
25. CVE-2023-47142
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 could allow an attacker on the organization's local network to escalate their privileges due to unauthorized API access. IBM X-Force ID: 270267.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/270267
https://www.ibm.com/support/pages/node/7105139
CWE-ID: CWE-264
Common Platform Enumerations (CPE): Not Found
26. CVE-2023-38273
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: IBM Cloud Pak System 2.3.1.1, 2.3.2.0, and 2.3.3.7 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 260733.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/260733
https://www.ibm.com/support/pages/node/7105357
CWE-ID: CWE-307
Common Platform Enumerations (CPE): Not Found
27. CVE-2020-29504
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.2
Description: Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain a Missing Required Cryptographic Step Vulnerability.
References: https://www.dell.com/support/kbdoc/en-us/000181115/dsa-2020-286-dell-bsafe-crypto-c-micro-edition-4-1-5-and-dell-bsafe-micro-edition-suite-4-6-multiple-security-vulnerabilities
CWE-ID: CWE-295
Common Platform Enumerations (CPE): Not Found
28. CVE-2022-34381
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: Dell BSAFE SSL-J version 7.0 and all versions prior to 6.5, and Dell BSAFE Crypto-J versions prior to 6.2.6.1 contain an unmaintained third-party component vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to the compromise of the impacted system. This is a Critical vulnerability and Dell recommends customers to upgrade at the earliest opportunity.
References: https://www.dell.com/support/kbdoc/en-us/000203278/dsa-2022-208-dell-bsafe-ssl-j-6-5-and-7-1-and-dell-bsafe-crypto-j-6-2-6-1-and-7-0-security-vulnerability
CWE-ID: CWE-1329
Common Platform Enumerations (CPE): Not Found
29. CVE-2023-39297
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.4.2596 build 20231128 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.4.2596 build 20231128 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
References: https://www.qnap.com/en/security-advisory/qsa-23-30
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
30. CVE-2023-45025
Base Score: 9.0
Base Severity: CRITICAL
Exploitability Score: 2.2
Impact Score: 6.0
Description: An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.4.2596 build 20231128 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.4.2596 build 20231128 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
References: https://www.qnap.com/en/security-advisory/qsa-23-47
CWE-ID: CWE-77, CWE-78
Common Platform Enumerations (CPE): Not Found
31. CVE-2023-47562
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 3.7
Description: An OS command injection vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network.
We have already fixed the vulnerability in the following version:
Photo Station 6.4.2 (2023/12/15) and later
References: https://www.qnap.com/en/security-advisory/qsa-24-08
CWE-ID: CWE-77, CWE-78
Common Platform Enumerations (CPE): Not Found
32. CVE-2023-47564
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network.
We have already fixed the vulnerability in the following versions:
Qsync Central 4.4.0.15 (2024/01/04) and later
Qsync Central 4.3.0.11 (2024/01/11) and later
References: https://www.qnap.com/en/security-advisory/qsa-24-03
CWE-ID: CWE-732
Common Platform Enumerations (CPE): Not Found
33. CVE-2023-47568
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A SQL injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.5.2645 build 20240116 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.5.2647 build 20240118 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
References: https://www.qnap.com/en/security-advisory/qsa-24-05
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
34. CVE-2023-6387
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: A potential buffer overflow exists in the Bluetooth LE HCI CPC sample application in the Gecko SDK which may result in a denial of service or remote code execution.
References: https://community.silabs.com/069Vm000000WNKuIAO
https://github.com/SiliconLabs/gecko_sdk/releases/tag/v4.4.0
CWE-ID: CWE-131
Common Platform Enumerations (CPE): Not Found
35. CVE-2024-23831
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent. This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation. The vulnerability is patched in versions 1.10.30 and 1.11.9.
References: https://github.com/ledgersmb/LedgerSMB/commit/8c2ae5be68a782d62cb9c0e17c0127bf30ef4165
https://github.com/ledgersmb/LedgerSMB/security/advisories/GHSA-98ff-f638-qxjm
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
36. CVE-2024-24757
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: open-irs is an issue response robot that responds to issues in the installed repository. The `.env` file was accidentally uploaded when working with git actions. This problem is fixed in 1.0.1, which discontinues all sensitive keys and turns them into secrets.
References: https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr
CWE-ID: CWE-200
Common Platform Enumerations (CPE): Not Found
37. CVE-2024-24760
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions < 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even when the port is bound to 127.0.0.1. The vulnerability has been addressed by implementing additional iptables/nftables rules. These rules drop packets for Docker containers on ports 3306, 6379, 8983, and 12345, where the input interface is not `br-mailcow` and the output interface is `br-mailcow`.
References: https://github.com/mailcow/mailcow-dockerized/commit/087481ac12bfa5dd715f3630f0b1697be94f7e88
https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-gmpj-5xcm-xxx6
CWE-ID: CWE-610
Common Platform Enumerations (CPE): Not Found
38. CVE-2024-1197
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, has been found in SourceCodester Testimonial Page Manager 1.0. This issue affects some unknown processing of the file delete-testimonial.php of the component HTTP GET Request Handler. The manipulation of the argument testimony leads to sql injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-252695.
References: https://vuldb.com/?ctiid.252695
https://vuldb.com/?id.252695
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
Impact Score: 6.0
Description: IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 270270.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/270270
https://www.ibm.com/support/pages/node/7105139
CWE-ID: CWE-644
Common Platform Enumerations (CPE): Not Found
21. CVE-2023-6675
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Unrestricted Upload of File with Dangerous Type vulnerability in National Keep Cyber Security Services CyberMath allows Upload a Web Shell to a Web Server. This issue affects CyberMath: from v.1.4 before v.1.5.
References: https://www.usom.gov.tr/bildirim/tr-24-0080
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
22. CVE-2023-6676
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Cross-Site Request Forgery (CSRF) vulnerability in National Keep Cyber Security Services CyberMath allows Cross Site Request Forgery. This issue affects CyberMath: from v1.4 before v1.5.
References: https://www.usom.gov.tr/bildirim/tr-24-0080
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
23. CVE-2024-0253
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in home Graph-Data.
References: https://www.manageengine.com/products/active-directory-audit/sqlfix-7271.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
24. CVE-2024-0269
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in File-Summary DrillDown. This issue has been fixed and released in version 7271.
References: https://www.manageengine.com/products/active-directory-audit/sqlfix-7271.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
25. CVE-2023-47142
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 could allow an attacker on the organization's local network to escalate their privileges due to unauthorized API access. IBM X-Force ID: 270267.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/270267
https://www.ibm.com/support/pages/node/7105139
CWE-ID: CWE-264
Common Platform Enumerations (CPE): Not Found
26. CVE-2023-38273
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: IBM Cloud Pak System 2.3.1.1, 2.3.2.0, and 2.3.3.7 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 260733.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/260733
https://www.ibm.com/support/pages/node/7105357
CWE-ID: CWE-307
Common Platform Enumerations (CPE): Not Found
27. CVE-2020-29504
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.2
Description: Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain a Missing Required Cryptographic Step Vulnerability.
References: https://www.dell.com/support/kbdoc/en-us/000181115/dsa-2020-286-dell-bsafe-crypto-c-micro-edition-4-1-5-and-dell-bsafe-micro-edition-suite-4-6-multiple-security-vulnerabilities
CWE-ID: CWE-295
Common Platform Enumerations (CPE): Not Found
28. CVE-2022-34381
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: Dell BSAFE SSL-J version 7.0 and all versions prior to 6.5, and Dell BSAFE Crypto-J versions prior to 6.2.6.1 contain an unmaintained third-party component vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to the compromise of the impacted system. This is a Critical vulnerability and Dell recommends customers to upgrade at the earliest opportunity.
References: https://www.dell.com/support/kbdoc/en-us/000203278/dsa-2022-208-dell-bsafe-ssl-j-6-5-and-7-1-and-dell-bsafe-crypto-j-6-2-6-1-and-7-0-security-vulnerability
CWE-ID: CWE-1329
Common Platform Enumerations (CPE): Not Found
29. CVE-2023-39297
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.4.2596 build 20231128 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.4.2596 build 20231128 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
References: https://www.qnap.com/en/security-advisory/qsa-23-30
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
30. CVE-2023-45025
Base Score: 9.0
Base Severity: CRITICAL
Exploitability Score: 2.2
Impact Score: 6.0
Description: An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.4.2596 build 20231128 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.4.2596 build 20231128 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
References: https://www.qnap.com/en/security-advisory/qsa-23-47
CWE-ID: CWE-77, CWE-78
Common Platform Enumerations (CPE): Not Found
31. CVE-2023-47562
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 3.7
Description: An OS command injection vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network.
We have already fixed the vulnerability in the following version:
Photo Station 6.4.2 (2023/12/15) and later
References: https://www.qnap.com/en/security-advisory/qsa-24-08
CWE-ID: CWE-77, CWE-78
Common Platform Enumerations (CPE): Not Found
32. CVE-2023-47564
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network.
We have already fixed the vulnerability in the following versions:
Qsync Central 4.4.0.15 (2024/01/04) and later
Qsync Central 4.3.0.11 (2024/01/11) and later
References: https://www.qnap.com/en/security-advisory/qsa-24-03
CWE-ID: CWE-732
Common Platform Enumerations (CPE): Not Found
33. CVE-2023-47568
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A SQL injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.5.2645 build 20240116 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.5.2647 build 20240118 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
References: https://www.qnap.com/en/security-advisory/qsa-24-05
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
34. CVE-2023-6387
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: A potential buffer overflow exists in the Bluetooth LE HCI CPC sample application in the Gecko SDK which may result in a denial of service or remote code execution.
References: https://community.silabs.com/069Vm000000WNKuIAO
https://github.com/SiliconLabs/gecko_sdk/releases/tag/v4.4.0
CWE-ID: CWE-131
Common Platform Enumerations (CPE): Not Found
35. CVE-2024-23831
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent. This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation. The vulnerability is patched in versions 1.10.30 and 1.11.9.
References: https://github.com/ledgersmb/LedgerSMB/commit/8c2ae5be68a782d62cb9c0e17c0127bf30ef4165
https://github.com/ledgersmb/LedgerSMB/security/advisories/GHSA-98ff-f638-qxjm
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
36. CVE-2024-24757
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: open-irs is an issue response robot that responds to issues in the installed repository. The `.env` file was accidentally uploaded when working with git actions. This problem is fixed in 1.0.1, which discontinues all sensitive keys and turns them into secrets.
References: https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr
CWE-ID: CWE-200
Common Platform Enumerations (CPE): Not Found
37. CVE-2024-24760
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions < 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even when the port is bound to 127.0.0.1. The vulnerability has been addressed by implementing additional iptables/nftables rules. These rules drop packets for Docker containers on ports 3306, 6379, 8983, and 12345, where the input interface is not `br-mailcow` and the output interface is `br-mailcow`.
References: https://github.com/mailcow/mailcow-dockerized/commit/087481ac12bfa5dd715f3630f0b1697be94f7e88
https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-gmpj-5xcm-xxx6
CWE-ID: CWE-610
Common Platform Enumerations (CPE): Not Found
38. CVE-2024-1197
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, has been found in SourceCodester Testimonial Page Manager 1.0. This issue affects some unknown processing of the file delete-testimonial.php of the component HTTP GET Request Handler. The manipulation of the argument testimony leads to sql injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-252695.
References: https://vuldb.com/?ctiid.252695
https://vuldb.com/?id.252695
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found