In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between March 21-22, 2024.
During this period, the National Vulnerability Database published 163 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:
Critical: 14
High: 43
Medium: 54
Low: 2
Severity Not Assigned: 50
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-28916
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.0
Impact Score: 6.0
Description: Xbox Gaming Services Elevation of Privilege Vulnerability
References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28916
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-35899
Base Score: 7.0
Base Severity: HIGH
Exploitability Score: 1.0
Impact Score: 5.9
Description: IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/259354
https://www.ibm.com/support/pages/node/7030357
CWE-ID: CWE-1236
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-1202
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass. This issue affects Octopod: before v1.
NOTE: The vendor was contacted and it was learned that the product is not supported.
References: https://www.usom.gov.tr/bildirim/tr-24-0174
CWE-ID: CWE-305
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-24813
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available.
References: https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-27105
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available.
References: https://github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw
CWE-ID: CWE-863
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-27292
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.
References: https://github.com/jhpyle/docassemble/commit/97f77dc486a26a22ba804765bfd7058aabd600c9
https://github.com/jhpyle/docassemble/security/advisories/GHSA-jq57-3w7p-vwvv
CWE-ID: CWE-706
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-27916
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: Minder is a software supply chain security platform. Prior to version 0.0.33, a Minder user can use the endpoints `GetRepositoryByName`, `DeleteRepositoryByName`, and `GetArtifactByName` to access any repository in the database, irrespective of who owns the repo and any permissions present. The database query checks by repo owner, repo name and provider name (which is always `github`). These query values are not distinct for the particular user - as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo. Version 0.0.33 contains a patch for this issue.
References: https://github.com/stacklok/minder/blob/a115c8524fbd582b2b277eaadce024bebbded508/internal/controlplane/handlers_repositories.go#L277-L278
https://github.com/stacklok/minder/blob/main/internal/controlplane/handlers_repositories.go#L257-L299
https://github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb
https://github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37
CWE-ID: CWE-285
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-27918
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.6.1, 2.7.3, and 2.8.4, a vulnerability in Coder's OIDC authentication could allow an attacker to bypass the `CODER_OIDC_EMAIL_DOMAIN` verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider. During OIDC registration, the user's email was improperly validated against the allowed `CODER_OIDC_EMAIL_DOMAIN`s. This could allow a user with a domain that only partially matched an allowed domain to successfully log in or register. An attacker could register a domain name that exploited this vulnerability and register on a Coder instance with a public OIDC provider.
Coder instances with OIDC enabled and protected by the `CODER_OIDC_EMAIL_DOMAIN` configuration are affected. Coder instances using a private OIDC provider are not affected, as arbitrary users cannot register through a private OIDC provider without first having an account on the provider. Public OIDC providers are impacted. GitHub authentication and external authentication are not impacted. This vulnerability is remedied in versions 2.8.4, 2.7.3, and 2.6.1. All versions prior to these patches are affected by the vulnerability. It is recommended that customers upgrade their deployments as soon as possible if they are utilizing OIDC authentication with the `CODER_OIDC_EMAIL_DOMAIN` setting.
References: https://github.com/coder/coder/commit/1171ce7add017481d28441575024209ac160ecb0
https://github.com/coder/coder/commit/2ba84911f8b02605e5958d5e4a2fe3979ec50b31
https://github.com/coder/coder/commit/2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb
https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c
https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
9. CVE-2024-27922
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: TOMP Bare Server implements the TompHTTP bare server. A vulnerability in versions prior to 2.0.2 relates to insecure handling of HTTP requests by the @tomphttp/bare-server-node package. This flaw potentially exposes the users of the package to manipulation of their web traffic. The impact may vary depending on the specific usage of the package, but it can potentially affect any system where this package is in use. The problem has been patched in version 2.0.2. As of the time of publication, no specific workaround strategies have been disclosed.
References: https://github.com/tomphttp/bare-server-node/security/advisories/GHSA-86fc-f9gr-v533
CWE-ID: CWE-444
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-27923
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the `frontmatter` feature due to insufficient permission validation and inadequate file name validation. This may lead to remote code execution. Version 1.7.43 fixes this issue.
References: https://github.com/getgrav/grav/commit/e3b0aa0c502aad251c1b79d1ee973dcd93711f07
https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v
CWE-ID: CWE-287 CWE-434
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-27933
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 6.0
Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together.
Use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allows standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions.
This bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs.
Version 1.39.1 fixes the bug.
References: https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99
https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b
https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392
https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq
CWE-ID: CWE-863
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-27934
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, resulting in arbitrary code execution. Use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, which is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable for both `*const c_void` and `ExternalPointer` implementations. Version 1.40.3 fixes this issue.
References: https://github.com/denoland/deno/security/advisories/GHSA-3j27-563v-28wf
CWE-ID: CWE-416
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-27935
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.
References: https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6
https://github.com/denoland/deno/issues/20188
https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp
CWE-ID: CWE-488
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-27936
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41 of the deno_runtime library, a maliciously crafted permission request can show a spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno strips any ANSI escape sequences from the permission prompt, but the permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41 of the deno_runtime library contains a patch for the issue.
References: https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d
https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5
https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw
CWE-ID: CWE-150
Common Platform Enumerations (CPE): Not Found
15. CVE-2024-28101
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router evaluate the `limits.http_max_request_bytes` configuration option after the entirety of the compressed payload is decompressed. If affected versions of the Router receive highly compressed payloads, this could result in significant memory consumption while the compressed payload is expanded. Router version 1.40.2 has a fix for the vulnerability. Those who are unable to upgrade may be able to implement mitigations at proxies or load balancers positioned in front of their Router fleet (e.g. Nginx, HAProxy, or cloud-native WAF services) by creating limits on HTTP body upload size.
References: https://github.com/apollographql/router/commit/9e9527c73c8f34fc8438b09066163cd42520f413
https://github.com/apollographql/router/security/advisories/GHSA-cgqf-3cq5-wvcj
CWE-ID: CWE-409
Common Platform Enumerations (CPE): Not Found
16. CVE-2024-28123
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: Wasmi is an efficient and lightweight WebAssembly interpreter with a focus on constrained and embedded systems. In the WASMI Interpreter, an Out-of-bounds Buffer Write will arise if the host calls or resumes a Wasm function with more parameters than the default limit (128), as it will surpass the stack value. This doesn’t affect calls from Wasm to Wasm, only from host to Wasm. This vulnerability was patched in version 0.31.1.
References: https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f
https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1
https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq
CWE-ID: CWE-787
Common Platform Enumerations (CPE): Not Found
17. CVE-2024-2014
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability classified as critical was found in Panabit Panalog 202103080942. This vulnerability affects unknown code of the file /Maintain/sprog_upstatus.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255268. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/mashroompc0527/CVE/blob/main/vul.md
https://vuldb.com/?ctiid.255268
https://vuldb.com/?id.255268
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
18. CVE-2024-1538
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the 'lang' parameter. This makes it possible for unauthenticated attackers to include local JavaScript files that can be leveraged to achieve RCE via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This issue was partially patched in version 7.2.4, and fully patched in 7.2.5.
References: https://plugins.trac.wordpress.org/changeset/3051451/wp-file-manager
https://www.wordfence.com/threat-intel/vulnerabilities/id/57cc15a6-2cf5-481f-bb81-ada48aa74009?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
19. CVE-2024-2161
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Use of Hard-coded Credentials in Kiloview NDI allows unauthenticated users to bypass authentication. This issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227.
References: https://www.kiloview.com/en/support/download/1779/
https://www.kiloview.com/en/support/download/n20-firmware-download/
https://www.kiloview.com/en/support/download/n3-for-ndi/
https://www.kiloview.com/en/support/download/n3-s-firmware-download/
https://www.kiloview.com/en/support/download/n30-for-ndi/
https://www.kiloview.com/en/support/download/n40/
CWE-ID: CWE-798
Common Platform Enumerations (CPE): Not Found
20. CVE-2024-2162
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: An OS Command Injection vulnerability in Kiloview NDI allows a low-privileged user to execute arbitrary code remotely on the device with high privileges.
This issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227.
References: https://www.kiloview.com/en/support/download/1779/
https://www.kiloview.com/en/support/download/n20-firmware-download/
https://www.kiloview.com/en/support/download/n3-for-ndi/
https://www.kiloview.com/en/support/download/n3-s-firmware-download/
https://www.kiloview.com/en/support/download/n30-for-ndi/
https://www.kiloview.com/en/support/download/n40/
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
21. CVE-2024-1147
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and download of files.
References: https://portal.microfocus.com/s/article/KM000026669
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
22. CVE-2024-1148
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and uploading of files.
References: https://portal.microfocus.com/s/article/KM000026669
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
23. CVE-2024-29732
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: A SQL Injection has been found in the SCAN_VISIO eDocument Suite Web Viewer of Abast. This vulnerability allows an unauthenticated user to retrieve, update and delete all the information in the database. This vulnerability was found on the login page via the "user" parameter.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-vulnerability-scanvisio-edocument-suite-web-viewer-abast
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
24. CVE-2024-1394
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
References: https://access.redhat.com/errata/RHSA-2024:1462
https://access.redhat.com/errata/RHSA-2024:1468
https://access.redhat.com/errata/RHSA-2024:1472
https://access.redhat.com/security/cve/CVE-2024-1394
https://bugzilla.redhat.com/show_bug.cgi?id=2262921
https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6
CWE-ID: CWE-401
Common Platform Enumerations (CPE): Not Found
25. CVE-2024-29870
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
26. CVE-2024-29871
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber, 'id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
27. CVE-2024-29872
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/empscreening/add, 'agencyids' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
28. CVE-2024-29873
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/businessunits/format/html, 'bunitname' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
29. CVE-2024-29874
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/activeuserrptpdf, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
30. CVE-2024-29875
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/exportactiveuserrpt, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
31. CVE-2024-29876
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/activitylogreport, 'sortby' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
32. CVE-2024-29877
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/expenses/expensecategories/edit, 'expense_category_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
33. CVE-2024-29878
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/sitepreference/add, 'description' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
34. CVE-2024-29879
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
35. CVE-2024-27993
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Typps Calendarista Basic Edition. This issue affects Calendarista Basic Edition: from n/a through 3.0.2.
References: https://patchstack.com/database/vulnerability/calendarista-basic-edition/wordpress-calendarista-basic-edition-plugin-3-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
36. CVE-2024-27994
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Reflected XSS. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.5.0.
References: https://patchstack.com/database/vulnerability/yith-woocommerce-product-add-ons/wordpress-yith-woocommerce-product-add-ons-plugin-4-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
37. CVE-2024-27956
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.3
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection. This issue affects Automatic: from n/a through 3.92.0.
References: https://patchstack.com/database/vulnerability/wp-automatic/wordpress-automatic-plugin-3-92-0-unauthenticated-arbitrary-sql-execution-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
38. CVE-2024-27962
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Florian 'fkrauthan' Krauthan allows Reflected XSS. This issue affects wp-mpdf: from n/a through 3.7.1.
References: https://patchstack.com/database/vulnerability/wp-mpdf/wordpress-wp-mpdf-plugin-3-7-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
39. CVE-2024-27964
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy. This issue affects Zippy: from n/a through 1.6.9.
References: https://patchstack.com/database/vulnerability/zippy/wordpress-zippy-plugin-1-6-9-arbitrary-file-upload-vulnerability?_s_id=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
40. CVE-2024-27968
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Request Forgery (CSRF) vulnerability in Optimole Super Page Cache for Cloudflare allows Stored XSS. This issue affects Super Page Cache for Cloudflare: from n/a through 4.7.5.
References: https://patchstack.com/database/vulnerability/wp-cloudflare-page-cache/wordpress-super-page-cache-for-cloudflare-plugin-4-7-5-cross-site-request-forgery-csrf-to-xss-vulnerability?_s_id=cve
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
41. CVE-2024-29180
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: Prior to versions 7.1.0, 6.1.2, and 5.3.4, the webpack-dev-middleware development middleware for devpack does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine. The middleware can either work with the physical filesystem when reading the files or it can use a virtualized in-memory `memfs` filesystem. If the `writeToDisk` configuration option is set to `true`, the physical filesystem is used. The `getFilenameFromUrl` method is used to parse the URL and build the local file path. The public path prefix is stripped from the URL, and the unescaped path suffix is appended to the `outputPath`. As the URL is not unescaped and normalized automatically before calling the middleware, it is possible to use `%2e` and `%2f` sequences to perform a path traversal attack.
Developers using `webpack-dev-server` or `webpack-dev-middleware` are affected by the issue. When the project is started, an attacker might access any file on the developer's machine and exfiltrate the content. If the development server is listening on a public IP address (or `0.0.0.0`), an attacker on the local network can access the local files without any interaction from the victim (direct connection to the port). If the server allows access from third-party domains, an attacker can send a malicious link to the victim. When visited, the client side script can connect to the local server and exfiltrate the local files. Starting with fixed versions 7.1.0, 6.1.2, and 5.3.4, the URL is unescaped and normalized before any further processing.
References: https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/getFilenameFromUrl.js#L82
https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/setupOutputFileSystem.js#L21
https://github.com/webpack/webpack-dev-middleware/commit/189c4ac7d2344ec132a4689e74dc837ec5be0132
https://github.com/webpack/webpack-dev-middleware/commit/9670b3495da518fe667ff3428c5e4cb9f2f3d353
https://github.com/webpack/webpack-dev-middleware/commit/e10008c762e4d5821ed6990348dabf0d4d93a10e
https://github.com/webpack/webpack-dev-middleware/releases/tag/v5.3.4
https://github.com/webpack/webpack-dev-middleware/releases/tag/v6.1.2
https://github.com/webpack/webpack-dev-middleware/releases/tag/v7.1.0
https://github.com/webpack/webpack-dev-middleware/security/advisories/GHSA-wr3j-pwj9-hqq6
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
42. CVE-2024-2763
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability, which was classified as critical, has been found in Tenda AC10U 15.03.06.48. Affected by this issue is the function formSetCfm of the file goform/setcfm. The manipulation of the argument funcpara1 leads to a stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257600. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/AC10U/v1.V15.03.06.48/more/formSetCfm.md
https://vuldb.com/?ctiid.257600
https://vuldb.com/?id.257600
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
43. CVE-2024-2764
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability, which was classified as critical, was found in Tenda AC10U 15.03.06.48. This affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation of the argument endIP leads to a stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257601 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/AC10U/v1.V15.03.06.48/more/formSetPPTPServer.md
https://vuldb.com/?ctiid.257601
https://vuldb.com/?id.257601
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
44. CVE-2024-25937
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: SQL injection vulnerability exists in the script DIAE_tagHandler.ashx.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
45. CVE-2024-27921
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical security flaw poses severe risks: it can allow attackers to inject arbitrary code on the server, undermine the integrity of backup files by overwriting existing files or creating new ones, and exfiltrate sensitive data using CSS exfiltration techniques. Upgrading to patched version 1.7.45 can mitigate the issue.
References: https://github.com/getgrav/grav/commit/5928411b86bab05afca2b33db4e7386a44858e99
https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
46. CVE-2024-28029
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-285
Common Platform Enumerations (CPE): Not Found
47. CVE-2024-28116
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.
References: https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e
https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh
CWE-ID: CWE-1336 CWE-94
Common Platform Enumerations (CPE): Not Found
48. CVE-2024-28117
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Grav is an open-source, flat-file content management system. Prior to version 1.7.45, Grav validates accessible functions through the Utils::isDangerousFunction function, but does not impose restrictions on twig functions like twig_array_map, allowing attackers to bypass the validation and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Upgrading to patched version 1.7.45 can mitigate this issue.
References: https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe
https://github.com/getgrav/grav/security/advisories/GHSA-qfv4-q44r-g7rv
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
49. CVE-2024-28118
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to the twig extension class from the Grav context, an attacker can redefine the config variable. As a result, the attacker can bypass a previous SSTI mitigation. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a fix for this issue.
References: https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe
https://github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
50. CVE-2024-28119
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to the twig extension class from the Grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a patch for this issue.
References: https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe
https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58
https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
51. CVE-2024-28891
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: SQL injection vulnerability exists in the script Handler_CFG.ashx.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
52. CVE-2024-23494
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: SQL injection vulnerability exists in GetDIAE_unListParameters.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
53. CVE-2024-23975
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: SQL injection vulnerability exists in GetDIAE_slogListParameters.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
54. CVE-2024-25567
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: A path traversal attack is possible that can write outside of the intended directory and may access sensitive information. If a file name is specified that already exists on the file system, then the original file will be overwritten.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
55. CVE-2024-28040
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: SQL injection vulnerability exists in GetDIAE_astListParameters.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
56. CVE-2024-28171
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: It is possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
57. CVE-2024-29031
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.17 allows a remote attacker to obtain sensitive information via the `order` parameter of `GetMeshSyncResources`. Version 0.7.17 contains a patch for this issue.
References: https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13
https://github.com/meshery/meshery/pull/10207
https://securitylab.github.com/advisories/GHSL-2023-249_Meshery/
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between March 21-22, 2024.
During this period, The National Vulnerability Database published 163, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 14
High: 43
Medium: 54
Low: 2
Severity Not Assigned: 50
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-28916
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.0
Impact Score: 6.0
Description: Xbox Gaming Services Elevation of Privilege Vulnerability
References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28916
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-35899
Base Score: 7.0
Base Severity: HIGH
Exploitability Score: 1.0
Impact Score: 5.9
Description: IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/259354
https://www.ibm.com/support/pages/node/7030357
CWE-ID: CWE-1236
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-1202
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass.This issue affects Octopod: before v1.
NOTE: The vendor was contacted and it was learned that the product is not supported.
References: https://www.usom.gov.tr/bildirim/tr-24-0174
CWE-ID: CWE-305
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-24813
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available.
References: https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-27105
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available.
References: https://github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw
CWE-ID: CWE-863
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-27292
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.
References: https://github.com/jhpyle/docassemble/commit/97f77dc486a26a22ba804765bfd7058aabd600c9
https://github.com/jhpyle/docassemble/security/advisories/GHSA-jq57-3w7p-vwvv
CWE-ID: CWE-706
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-27916
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: Minder is a software supply chain security platform. Prior to version 0.0.33, a Minder user can use the endpoints `GetRepositoryByName`, `DeleteRepositoryByName`, and `GetArtifactByName` to access any repository in the database, irrespective of who owns the repo and any permissions present. The database query checks by repo owner, repo name and provider name (which is always `github`). These query values are not distinct for the particular user - as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo. Version 0.0.33 contains a patch for this issue.
References: https://github.com/stacklok/minder/blob/a115c8524fbd582b2b277eaadce024bebbded508/internal/controlplane/handlers_repositories.go#L277-L278
https://github.com/stacklok/minder/blob/main/internal/controlplane/handlers_repositories.go#L257-L299
https://github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb
https://github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37
CWE-ID: CWE-285
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-27918
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: Coder allows oragnizations to provision remote development environments via Terraform. Prior to versions 2.6.1, 2.7.3, and 2.8.4, a vulnerability in Coder's OIDC authentication could allow an attacker to bypass the `CODER_OIDC_EMAIL_DOMAIN` verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider. During OIDC registration, the user's email was improperly validated against the allowed `CODER_OIDC_EMAIL_DOMAIN`s. This could allow a user with a domain that only partially matched an allowed domain to successfully login or register. An attacker could register a domain name that exploited this vulnerability and register on a Coder instance with a public OIDC provider.
Coder instances with OIDC enabled and protected by the `CODER_OIDC_EMAIL_DOMAIN` configuration are affected. Coder instances using a private OIDC provider are not affected, as arbitrary users cannot register through a private OIDC provider without first having an account on the provider. Public OIDC providers are impacted. GitHub authentication and external authentication are not impacted. This vulnerability is remedied in versions 2.8.4, 2.7.3, and 2.6.1 All versions prior to these patches are affected by the vulnerability.*It is recommended that customers upgrade their deployments as soon as possible if they are utilizing OIDC authentication with the `CODER_OIDC_EMAIL_DOMAIN` setting.
References: https://github.com/coder/coder/commit/1171ce7add017481d28441575024209ac160ecb0
https://github.com/coder/coder/commit/2ba84911f8b02605e5958d5e4a2fe3979ec50b31
https://github.com/coder/coder/commit/2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb
https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c
https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
9. CVE-2024-27922
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: TOMP Bare Server implements the TompHTTP bare server. A vulnerability in versions prior to 2.0.2 relates to insecure handling of HTTP requests by the @tomphttp/bare-server-node package. This flaw potentially exposes the users of the package to manipulation of their web traffic. The impact may vary depending on the specific usage of the package but it can potentially affect any system where this package is in use. The problem has been patched in version 2.0.2. As of time of publication, no specific workaround strategies have been disclosed.
References: https://github.com/tomphttp/bare-server-node/security/advisories/GHSA-86fc-f9gr-v533
CWE-ID: CWE-444
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-27923
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the `frontmatter` feature due to insufficient permission validation and inadequate file name validation. This may lead to remote code execution. Version 1.7.43 fixes this issue.
References: https://github.com/getgrav/grav/commit/e3b0aa0c502aad251c1b79d1ee973dcd93711f07
https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v
CWE-ID: CWE-287 CWE-434
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-27933
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 6.0
Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together.
Use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions.
This bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs.
Version 1.39.1 fixes the bug.
References: https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99
https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b
https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392
https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq
CWE-ID: CWE-863
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-27934
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, resulting in arbitrary code execution. Use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, which is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable for both `*const c_void` and `ExternalPointer` implementations. Version 1.40.3 fixes this issue.
References: https://github.com/denoland/deno/security/advisories/GHSA-3j27-563v-28wf
CWE-ID: CWE-416
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-27935
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.
References: https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6
https://github.com/denoland/deno/issues/20188
https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp
CWE-ID: CWE-488
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-27936
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41 of the deno_runtime library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41 of the deno_runtime library contains a patch for the issue.
References: https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d
https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5
https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw
CWE-ID: CWE-150
Common Platform Enumerations (CPE): Not Found
15. CVE-2024-28101
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router evaluate the `limits.http_max_request_bytes` configuration option after the entirety of the compressed payload is decompressed. If affected versions of the Router receive highly compressed payloads, this could result in significant memory consumption while the compressed payload is expanded. Router version 1.40.2 has a fix for the vulnerability. Those who are unable to upgrade may be able to implement mitigations at proxies or load balancers positioned in front of their Router fleet (e.g. Nginx, HAProxy, or cloud-native WAF services) by creating limits on HTTP body upload size.
References: https://github.com/apollographql/router/commit/9e9527c73c8f34fc8438b09066163cd42520f413
https://github.com/apollographql/router/security/advisories/GHSA-cgqf-3cq5-wvcj
CWE-ID: CWE-409
Common Platform Enumerations (CPE): Not Found
16. CVE-2024-28123
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: Wasmi is an efficient and lightweight WebAssembly interpreter with a focus on constrained and embedded systems. In the WASMI Interpreter, an Out-of-bounds Buffer Write will arise if the host calls or resumes a Wasm function with more parameters than the default limit (128), as it will surpass the stack value. This doesn’t affect calls from Wasm to Wasm, only from host to Wasm. This vulnerability was patched in version 0.31.1.
References: https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f
https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1
https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq
CWE-ID: CWE-787
Common Platform Enumerations (CPE): Not Found
17. CVE-2024-2014
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability classified as critical was found in Panabit Panalog 202103080942. This vulnerability affects unknown code of the file /Maintain/sprog_upstatus.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255268. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/mashroompc0527/CVE/blob/main/vul.md
https://vuldb.com/?ctiid.255268
https://vuldb.com/?id.255268
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
18. CVE-2024-1538
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the 'lang' parameter. This makes it possible for unauthenticated attackers to include local JavaScript files that can be leveraged to achieve RCE via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This issue was partially patched in version 7.2.4, and fully patched in 7.2.5.
References: https://plugins.trac.wordpress.org/changeset/3051451/wp-file-manager
https://www.wordfence.com/threat-intel/vulnerabilities/id/57cc15a6-2cf5-481f-bb81-ada48aa74009?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
19. CVE-2024-2161
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Use of Hard-coded Credentials in Kiloview NDI allows un-authenticated users to bypass authenticationThis issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227 .
References: https://www.kiloview.com/en/support/download/1779/
https://www.kiloview.com/en/support/download/n20-firmware-download/
https://www.kiloview.com/en/support/download/n3-for-ndi/
https://www.kiloview.com/en/support/download/n3-s-firmware-download/
https://www.kiloview.com/en/support/download/n30-for-ndi/
https://www.kiloview.com/en/support/download/n40/
CWE-ID: CWE-798
Common Platform Enumerations (CPE): Not Found
20. CVE-2024-2162
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: An OS Command Injection vulnerability in Kiloview NDI allows a low-privileged user to execute arbitrary code remotely on the device with high privileges.
This issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227 .
References: https://www.kiloview.com/en/support/download/1779/
https://www.kiloview.com/en/support/download/n20-firmware-download/
https://www.kiloview.com/en/support/download/n3-for-ndi/
https://www.kiloview.com/en/support/download/n3-s-firmware-download/
https://www.kiloview.com/en/support/download/n30-for-ndi/
https://www.kiloview.com/en/support/download/n40/
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
21. CVE-2024-1147
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and download of files.
References: https://portal.microfocus.com/s/article/KM000026669
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
22. CVE-2024-1148
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and uploading of files.
References: https://portal.microfocus.com/s/article/KM000026669
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
23. CVE-2024-29732
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: A SQL Injection has been found on SCAN_VISIO eDocument Suite Web Viewer of Abast. This vulnerability allows an unauthenticated user to retrieve, update and delete all the information of database. This vulnerability was found on login page via "user" parameter.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-vulnerability-scanvisio-edocument-suite-web-viewer-abast
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
24. CVE-2024-1394
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
References: https://access.redhat.com/errata/RHSA-2024:1462
https://access.redhat.com/errata/RHSA-2024:1468
https://access.redhat.com/errata/RHSA-2024:1472
https://access.redhat.com/security/cve/CVE-2024-1394
https://bugzilla.redhat.com/show_bug.cgi?id=2262921
https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6
CWE-ID: CWE-401
Common Platform Enumerations (CPE): Not Found
25. CVE-2024-29870
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
26. CVE-2024-29871
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber, 'id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
27. CVE-2024-29872
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/empscreening/add, 'agencyids' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
28. CVE-2024-29873
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/businessunits/format/html, 'bunitname' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
29. CVE-2024-29874
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/activeuserrptpdf, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
30. CVE-2024-29875
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/exportactiveuserrpt, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
31. CVE-2024-29876
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/activitylogreport, 'sortby' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
32. CVE-2024-29877
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/expenses/expensecategories/edit, 'expense_category_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
33. CVE-2024-29878
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/sitepreference/add, 'description' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
34. CVE-2024-29879
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
35. CVE-2024-27993
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Typps Calendarista Basic Edition. This issue affects Calendarista Basic Edition: from n/a through 3.0.2.
References: https://patchstack.com/database/vulnerability/calendarista-basic-edition/wordpress-calendarista-basic-edition-plugin-3-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
36. CVE-2024-27994
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Reflected XSS. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.5.0.
References: https://patchstack.com/database/vulnerability/yith-woocommerce-product-add-ons/wordpress-yith-woocommerce-product-add-ons-plugin-4-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
37. CVE-2024-27956
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.3
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection. This issue affects Automatic: from n/a through 3.92.0.
References: https://patchstack.com/database/vulnerability/wp-automatic/wordpress-automatic-plugin-3-92-0-unauthenticated-arbitrary-sql-execution-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
38. CVE-2024-27962
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Florian 'fkrauthan' Krauthan allows Reflected XSS. This issue affects wp-mpdf: from n/a through 3.7.1.
References: https://patchstack.com/database/vulnerability/wp-mpdf/wordpress-wp-mpdf-plugin-3-7-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
39. CVE-2024-27964
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy. This issue affects Zippy: from n/a through 1.6.9.
References: https://patchstack.com/database/vulnerability/zippy/wordpress-zippy-plugin-1-6-9-arbitrary-file-upload-vulnerability?_s_id=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
40. CVE-2024-27968
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Request Forgery (CSRF) vulnerability in Optimole Super Page Cache for Cloudflare allows Stored XSS. This issue affects Super Page Cache for Cloudflare: from n/a through 4.7.5.
References: https://patchstack.com/database/vulnerability/wp-cloudflare-page-cache/wordpress-super-page-cache-for-cloudflare-plugin-4-7-5-cross-site-request-forgery-csrf-to-xss-vulnerability?_s_id=cve
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
41. CVE-2024-29180
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: Prior to versions 7.1.0, 6.1.2, and 5.3.4, the webpack-dev-middleware development middleware for webpack does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine. The middleware can either work with the physical filesystem when reading the files or it can use a virtualized in-memory `memfs` filesystem. If the `writeToDisk` configuration option is set to `true`, the physical filesystem is used. The `getFilenameFromUrl` method is used to parse the URL and build the local file path. The public path prefix is stripped from the URL, and the unescaped path suffix is appended to the `outputPath`. As the URL is not unescaped and normalized automatically before calling the middleware, it is possible to use `%2e` and `%2f` sequences to perform a path traversal attack.
Developers using `webpack-dev-server` or `webpack-dev-middleware` are affected by the issue. When the project is started, an attacker might access any file on the developer's machine and exfiltrate the content. If the development server is listening on a public IP address (or `0.0.0.0`), an attacker on the local network can access the local files without any interaction from the victim (direct connection to the port). If the server allows access from third-party domains, an attacker can send a malicious link to the victim. When visited, the client side script can connect to the local server and exfiltrate the local files. Starting with fixed versions 7.1.0, 6.1.2, and 5.3.4, the URL is unescaped and normalized before any further processing.
References: https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/getFilenameFromUrl.js#L82
https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/setupOutputFileSystem.js#L21
https://github.com/webpack/webpack-dev-middleware/commit/189c4ac7d2344ec132a4689e74dc837ec5be0132
https://github.com/webpack/webpack-dev-middleware/commit/9670b3495da518fe667ff3428c5e4cb9f2f3d353
https://github.com/webpack/webpack-dev-middleware/commit/e10008c762e4d5821ed6990348dabf0d4d93a10e
https://github.com/webpack/webpack-dev-middleware/releases/tag/v5.3.4
https://github.com/webpack/webpack-dev-middleware/releases/tag/v6.1.2
https://github.com/webpack/webpack-dev-middleware/releases/tag/v7.1.0
https://github.com/webpack/webpack-dev-middleware/security/advisories/GHSA-wr3j-pwj9-hqq6
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
42. CVE-2024-2763
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability, which was classified as critical, has been found in Tenda AC10U 15.03.06.48. Affected by this issue is the function formSetCfm of the file goform/setcfm. The manipulation of the argument funcpara1 leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257600. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/AC10U/v1.V15.03.06.48/more/formSetCfm.md
https://vuldb.com/?ctiid.257600
https://vuldb.com/?id.257600
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
43. CVE-2024-2764
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability, which was classified as critical, was found in Tenda AC10U 15.03.06.48. This affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation of the argument endIP leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257601 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/AC10U/v1.V15.03.06.48/more/formSetPPTPServer.md
https://vuldb.com/?ctiid.257601
https://vuldb.com/?id.257601
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
44. CVE-2024-25937
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: SQL injection vulnerability exists in the script DIAE_tagHandler.ashx.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
45. CVE-2024-27921
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical security flaw poses severe risks, that can allow attackers to inject arbitrary code on the server, undermine integrity of backup files by overwriting existing files or creating new ones, and exfiltrate sensitive data using CSS exfiltration techniques. Upgrading to patched version 1.7.45 can mitigate the issue.
References: https://github.com/getgrav/grav/commit/5928411b86bab05afca2b33db4e7386a44858e99
https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
46. CVE-2024-28029
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-285
Common Platform Enumerations (CPE): Not Found
47. CVE-2024-28116
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.
References: https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e
https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh
CWE-ID: CWE-1336, CWE-94
Common Platform Enumerations (CPE): Not Found
48. CVE-2024-28117
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Grav is an open-source, flat-file content management system. Prior to version 1.7.45, Grav validates accessible functions through the Utils::isDangerousFunction function, but does not impose restrictions on twig functions like twig_array_map, allowing attackers to bypass the validation and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Upgrading to patched version 1.7.45 can mitigate this issue.
References: https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe
https://github.com/getgrav/grav/security/advisories/GHSA-qfv4-q44r-g7rv
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
49. CVE-2024-28118
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to the twig extension class from the Grav context, an attacker can redefine a config variable. As a result, the attacker can bypass a previous SSTI mitigation. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a fix for this issue.
References: https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe
https://github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
50. CVE-2024-28119
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to the twig extension class from the Grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a patch for this issue.
References: https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe
https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58
https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
51. CVE-2024-28891
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: SQL injection vulnerability exists in the script Handler_CFG.ashx.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
52. CVE-2024-23494
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: SQL injection vulnerability exists in GetDIAE_unListParameters.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
53. CVE-2024-23975
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: SQL injection vulnerability exists in GetDIAE_slogListParameters.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
54. CVE-2024-25567
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: A path traversal attack is possible that writes outside of the intended directory and may access sensitive information. If a file name is specified that already exists on the file system, then the original file will be overwritten.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
55. CVE-2024-28040
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: SQL injection vulnerability exists in GetDIAE_astListParameters.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
56. CVE-2024-28171
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: It is possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
57. CVE-2024-29031
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.17 allows a remote attacker to obtain sensitive information via the `order` parameter of `GetMeshSyncResources`. Version 0.7.17 contains a patch for this issue.
References: https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13
https://github.com/meshery/meshery/pull/10207
https://securitylab.github.com/advisories/GHSL-2023-249_Meshery/
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found