Latest Vulnerabilities Updates: AppSecWorld's CVE Daily Digest for April 12-13, 2024

In the dynamic realm of cybersecurity, staying current on the latest vulnerabilities is imperative.
This edition of AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database (NVD) between April 12 and 13, 2024.
During this period, the NVD published 129 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:

Critical: 4
High: 25
Medium: 75
Low: 4
Severity Not Assigned: 21

Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.

1. CVE-2024-2279
Base Score: 8.7
Base Severity: HIGH
Exploitability Score: 2.3
Impact Score: 5.8
Description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.8.6, all versions starting from 16.9 before 16.9.4, and all versions starting from 16.10 before 16.10.2. A crafted payload in the issue-reference autocomplete feature may lead to stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.
References: https://gitlab.com/gitlab-org/gitlab/-/issues/448469
https://hackerone.com/reports/2404710

CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found

2. CVE-2024-3092
Base Score: 8.7
Base Severity: HIGH
Exploitability Score: 2.3
Impact Score: 5.8
Description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.4 and all versions starting from 16.10 before 16.10.2. A crafted payload rendered in the diff viewer may lead to stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.
References: https://gitlab.com/gitlab-org/gitlab/-/issues/452510
https://hackerone.com/reports/2441257

CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found

3. CVE-2024-3400
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software, for specific PAN-OS versions and distinct feature configurations, may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Palo Alto Networks' advisory (referenced below) stated that it was aware of attacks exploiting this vulnerability at the time of disclosure, so exposed GlobalProtect endpoints should be treated as under active attack rather than as a routine patch item.

At the time of this digest, fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 were in development and expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability, and all other versions of PAN-OS are also not impacted.
References: https://security.paloaltonetworks.com/CVE-2024-3400

CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found

4. CVE-2024-3054
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: The WPvivid Backup & Migration plugin for WordPress is vulnerable to PHAR deserialization in all versions up to, and including, 0.9.99 via deserialization of untrusted input in the wpvividstg_get_custom_exclude_path_free action. This is due to the plugin not providing sufficient path validation on the tree_node[node][id] parameter, which makes it possible for authenticated attackers with admin-level access and above to reference files through a phar:// wrapper; PHP deserializes the archive's metadata on access and instantiates arbitrary PHP objects. No POP chain is present in the vulnerable plugin; if a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3067224%40wpvivid-backuprestore&new=3067224%40wpvivid-backuprestore&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/bf26fc68-9fd4-4e4e-b34f-c947d95891f9?source=cve

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

5. CVE-2024-3211
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to SQL Injection via the 'productid' attribute of the ec_addtocart shortcode in all versions up to, and including, 5.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/changeset/3068711/wp-easycart/trunk/wpeasycart.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/576ca901-45e2-4e6d-9bc4-370bf1f68077?source=cve

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

6. CVE-2023-51409
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98.

References: https://patchstack.com/database/vulnerability/ai-engine/wordpress-ai-engine-plugin-1-9-98-unauthenticated-arbitrary-file-upload-vulnerability?_s_id=cve

CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found

7. CVE-2024-3704
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: An SQL injection vulnerability has been found in OpenGnsys, affecting version 1.1.1d (Espeto). It allows an attacker to inject SQL into the login page to bypass authentication or to retrieve all the information stored in the database.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-opengnsys

CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found

8. CVE-2024-3705
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: An unrestricted file upload vulnerability in OpenGnsys affects version 1.1.1d (Espeto). Because the endpoint '/opengnsys/images/M_Icons.php' does not verify the file extension, an attacker can send a POST request with a modified extension and upload a webshell.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-opengnsys

CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found

9. CVE-2023-51515
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Missing Authorization vulnerability in Undsgn Uncode Core allows Privilege Escalation. This issue affects Uncode Core: from n/a through 2.8.8.

References: https://patchstack.com/database/vulnerability/uncode-core/wordpress-uncode-core-plugin-2-8-8-privilege-escalation-vulnerability?_s_id=cve

CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found

10. CVE-2024-21598
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: An Improper Validation of Syntactic Correctness of Input vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based, unauthenticated attacker to cause a Denial of Service (DoS).

If a BGP update is received over an established BGP session which contains a tunnel encapsulation attribute with a specifically malformed TLV, rpd will crash and restart.

This issue affects Juniper Networks Junos OS:
* 20.4 versions 20.4R1 and later versions earlier than 20.4R3-S9;
* 21.2 versions earlier than 21.2R3-S7;
* 21.3 versions earlier than 21.3R3-S5;
* 21.4 versions earlier than 21.4R3-S5;
* 22.1 versions earlier than 22.1R3-S4;
* 22.2 versions earlier than 22.2R3-S3;
* 22.3 versions earlier than 22.3R3-S1;
* 22.4 versions earlier than 22.4R3;
* 23.2 versions earlier than 23.2R1-S2, 23.2R2.

Junos OS Evolved:
* 20.4-EVO versions 20.4R1-EVO and later versions earlier than 20.4R3-S9-EVO;
* 21.2-EVO versions earlier than 21.2R3-S7-EVO;
* 21.3-EVO versions earlier than 21.3R3-S5-EVO;
* 21.4-EVO versions earlier than 21.4R3-S5-EVO;
* 22.1-EVO versions earlier than 22.1R3-S4-EVO;
* 22.2-EVO versions earlier than 22.2R3-S3-EVO;
* 22.3-EVO versions earlier than 22.3R3-S1-EVO;
* 22.4-EVO versions earlier than 22.4R3-EVO;
* 23.2-EVO versions earlier than 23.2R1-S2-EVO, 23.2R2-EVO.

This issue does not affect:
* Junos OS versions earlier than 20.4R1;
* Junos OS Evolved versions earlier than 20.4R1-EVO.

This is a related but separate issue from the one described in JSA79095.

References: https://supportportal.juniper.net/JSA75739
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

CWE-ID: CWE-1286
Common Platform Enumerations (CPE): Not Found

11. CVE-2024-30381
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 1.7
Impact Score: 6.0
Description: An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Juniper Networks Paragon Active Assurance Control Center allows a network-adjacent attacker with root access to a Test Agent Appliance to access sensitive information about downstream devices.

The "netrounds-probe-login" daemon (also called probe_serviced) exposes functions through which the Test Agent (TA) Appliance pushes interface state/config, unregisters itself, and so on. The remote service accidentally exposes an internal database object that can be used for direct database access on the Paragon Active Assurance Control Center.

This issue affects Paragon Active Assurance: 4.1.0, 4.2.0.

References: https://supportportal.juniper.net/JSA79173
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

CWE-ID: CWE-200
Common Platform Enumerations (CPE): Not Found

12. CVE-2024-30394
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: A Stack-based Buffer Overflow vulnerability in the Routing Protocol Daemon (RPD) component of Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause an rpd crash, leading to Denial of Service (DoS).

On all Junos OS and Junos OS Evolved platforms, when EVPN is configured, and a specific EVPN type-5 route is received via BGP, rpd crashes and restarts. Continuous receipt of this specific route will lead to a sustained Denial of Service (DoS) condition.

This issue affects Junos OS:
* all versions before 21.2R3-S7,
* from 21.4 before 21.4R3-S5,
* from 22.1 before 22.1R3-S4,
* from 22.2 before 22.2R3-S2,
* from 22.3 before 22.3R3-S1,
* from 22.4 before 22.4R3,
* from 23.2 before 23.2R2.

Junos OS Evolved:
* all versions before 21.4R3-S5-EVO,
* from 22.1-EVO before 22.1R3-S4-EVO,
* from 22.2-EVO before 22.2R3-S2-EVO,
* from 22.3-EVO before 22.3R3-S1-EVO,
* from 22.4-EVO before 22.4R3-EVO,
* from 23.2-EVO before 23.2R2-EVO.

References: https://supportportal.juniper.net/JSA79094
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found

13. CVE-2024-30395
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: An Improper Validation of Specified Type of Input vulnerability in Routing Protocol Daemon (RPD) of Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause Denial of Service (DoS).

If a BGP update is received over an established BGP session which contains a tunnel encapsulation attribute with a specifically malformed TLV, rpd will crash and restart.

This issue affects Junos OS:
* all versions before 21.2R3-S7,
* from 21.3 before 21.3R3-S5,
* from 21.4 before 21.4R3-S5,
* from 22.1 before 22.1R3-S5,
* from 22.2 before 22.2R3-S3,
* from 22.3 before 22.3R3-S2,
* from 22.4 before 22.4R3,
* from 23.2 before 23.2R1-S2, 23.2R2.

Junos OS Evolved:
* all versions before 21.2R3-S7-EVO,
* from 21.3-EVO before 21.3R3-S5-EVO,
* from 21.4-EVO before 21.4R3-S5-EVO,
* from 22.2-EVO before 22.2R3-S3-EVO,
* from 22.3-EVO before 22.3R3-S2-EVO,
* from 22.4-EVO before 22.4R3-EVO,
* from 23.2-EVO before 23.2R1-S2-EVO, 23.2R2-EVO.

This is a related but separate issue from the one described in JSA75739.

References: https://supportportal.juniper.net/JSA79095
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-ID: CWE-1287
Common Platform Enumerations (CPE): Not Found

14. CVE-2024-30405
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: An Incorrect Calculation of Buffer Size vulnerability in Juniper Networks Junos OS on SRX 5000 Series devices with SPC2 line cards and ALGs enabled allows an attacker sending specially crafted packets to cause a transit-traffic Denial of Service (DoS).

Continued receipt and processing of these specific packets will sustain the Denial of Service condition.

This issue affects Juniper Networks Junos OS on SRX 5000 Series with SPC2 and ALGs enabled:
* All versions earlier than 21.2R3-S7;
* 21.4 versions earlier than 21.4R3-S6;
* 22.1 versions earlier than 22.1R3-S5;
* 22.2 versions earlier than 22.2R3-S3;
* 22.3 versions earlier than 22.3R3-S2;
* 22.4 versions earlier than 22.4R3;
* 23.2 versions earlier than 23.2R2.

References: https://supportportal.juniper.net/JSA79105
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Green

CWE-ID: CWE-131
Common Platform Enumerations (CPE): Not Found

15. CVE-2024-30407
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: A Use of a Hard-coded Cryptographic Key vulnerability in Juniper Networks Juniper Cloud Native Router (JCNR) and containerized routing Protocol Daemon (cRPD) products allows an attacker to perform Person-in-the-Middle (PitM) attacks, resulting in complete compromise of the container.

Because hard-coded SSH host keys are present in the container, a PitM attacker can intercept SSH traffic without being detected. Every container built from an affected release shares the same host key, so a fingerprint learned from one instance is valid for all of them; after upgrading, regenerate host keys and confirm that fingerprints differ between instances.

This issue affects Juniper Networks JCNR:
* All versions before 23.4.

This issue affects Juniper Networks cRPD:
* All versions before 23.4R1.

References: https://supportportal.juniper.net/JSA79106
https://supportportal.juniper.net/JSA79107
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-ID: CWE-321
Common Platform Enumerations (CPE): Not Found

16. CVE-2024-28878
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 2.8
Impact Score: 6.0
Description: IO-1020 Micro ELD downloads source code or an executable from an adjacent location and executes the code without sufficiently verifying the origin or integrity of the code.

References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-093-01

CWE-ID: CWE-494
Common Platform Enumerations (CPE): Not Found

17. CVE-2024-30210
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: IO-1020 Micro ELD uses a default Wi-Fi password that could allow an adjacent attacker to connect to the device.

References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-093-01

CWE-ID: CWE-1392
Common Platform Enumerations (CPE): Not Found

18. CVE-2024-30382
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: An Improper Handling of Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based, unauthenticated attacker to send a specific routing update, causing an rpd core due to memory corruption, leading to a Denial of Service (DoS).

This issue can only be triggered when the system is configured for CoS-based forwarding (CBF) with a policy map containing a cos-next-hop-map action (the triggering configuration is shown in the referenced advisory).

This issue affects Junos OS:
* all versions before 20.4R3-S10,
* from 21.2 before 21.2R3-S8,
* from 21.3 before 21.3R3,
* from 21.4 before 21.4R3,
* from 22.1 before 22.1R2.

Junos OS Evolved:
* all versions before 21.2R3-S8-EVO,
* from 21.3 before 21.3R3-EVO,
* from 21.4 before 21.4R3-EVO,
* from 22.1 before 22.1R2-EVO.

References: https://supportportal.juniper.net/JSA79174
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

CWE-ID: CWE-755
Common Platform Enumerations (CPE): Not Found

19. CVE-2024-30392
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: A Stack-based Buffer Overflow vulnerability in Flow Processing Daemon (flowd) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause Denial of Service (DoS).

On all Junos OS MX Series platforms with SPC3 and MS-MPC/-MIC, when URL filtering is enabled and a specific URL request is received and processed, flowd will crash and restart. Continuous reception of the specific URL request will lead to a sustained Denial of Service (DoS) condition.

This issue affects Junos OS:
* all versions before 21.2R3-S6,
* from 21.3 before 21.3R3-S5,
* from 21.4 before 21.4R3-S5,
* from 22.1 before 22.1R3-S3,
* from 22.2 before 22.2R3-S1,
* from 22.3 before 22.3R2-S2, 22.3R3,
* from 22.4 before 22.4R2-S1, 22.4R3.

References: https://supportportal.juniper.net/JSA79092
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found

20. CVE-2024-30397
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: An Improper Check for Unusual or Exceptional Conditions vulnerability in the Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).

pkid is responsible for certificate verification. After a failed verification, pkid consumes all CPU resources and becomes unresponsive to further verification attempts, so all subsequent VPN negotiations that depend on certificate verification will fail.

This CPU utilization of pkid can be checked using this command:
root@srx> show system processes extensive | match pkid
xxxxx  root  103  0  846M  136M  CPU1  1 569:00 100.00% pkid

This issue affects Juniper Networks Junos OS:
* All versions prior to 20.4R3-S10;
* 21.2 versions prior to 21.2R3-S7;
* 21.4 versions prior to 21.4R3-S5;
* 22.1 versions prior to 22.1R3-S4;
* 22.2 versions prior to 22.2R3-S3;
* 22.3 versions prior to 22.3R3-S1;
* 22.4 versions prior to 22.4R3;
* 23.2 versions prior to 23.2R1-S2, 23.2R2.

References: https://supportportal.juniper.net/JSA79179
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-ID: CWE-754
Common Platform Enumerations (CPE): Not Found

21. CVE-2024-30398
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: An Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).

When a high amount of specific traffic is received on an SRX4600 device, an error in internal packet handling causes a steady rise in CPU memory utilization. This results in packet drops and eventually a PFE crash. A manual reboot of the PFE is required to restore the device to its original state.

This issue affects Junos OS:
* 21.2 before 21.2R3-S7,
* 21.4 before 21.4R3-S6,
* 22.1 before 22.1R3-S5,
* 22.2 before 22.2R3-S3,
* 22.3 before 22.3R3-S2,
* 22.4 before 22.4R3,
* 23.2 before 23.2R1-S2, 23.2R2.

References: https://supportportal.juniper.net/JSA79176
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found

22. CVE-2024-31069
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: IO-1020 Micro ELD web server uses a default password for authentication.

References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-093-01

CWE-ID: CWE-1392
Common Platform Enumerations (CPE): Not Found

23. CVE-2024-3691
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability classified as critical has been found in PHPGurukul Small CRM 3.0. It affects an unknown part of the Registration Page component. The manipulation leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-260480.
References: https://github.com/nikhil-aniill/Small-CRM-CVE
https://vuldb.com/?ctiid.260480
https://vuldb.com/?id.260480
https://vuldb.com/?submit.312975

CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
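The three SQL injection entries above (the WP EasyCart productid shortcode attribute, the OpenGnsys login page, and the Small CRM registration page) share one root cause: user input spliced into SQL text. The following is an added example for this digest, not code from any of those products. It uses an in-memory SQLite database with constructed rows to show both outcomes the OpenGnsys entry names, an authentication bypass and a bulk data extraction, each beside the parameterised query that prevents it.

```python
"""SQL injection via string-built queries, beside the parameterised form.
Added example for this digest; it is not code from WP EasyCart, OpenGnsys
or PHPGurukul Small CRM. The schema and rows below are constructed."""
import hashlib
import sqlite3

# Constructed sample data standing in for a web application's database.
# SHA-256 is used only to keep the example short; a real login backend
# would use a salted, slow password hash (bcrypt, scrypt or argon2).
SAMPLE_USERS = [("admin", "S3cret!", "administrator"), ("alice", "hunter2", "contributor")]
SAMPLE_PRODUCTS = [(1, "Widget", "9.99"), (2, "Gadget", "19.99")]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Builds an in-memory database with a users table and a products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(u, sha256_hex(p), r) for u, p, r in SAMPLE_USERS])
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


# --- login page: authentication bypass -------------------------------------

def login_vulnerable(conn, username: str, password: str):
    """Concatenates the username into the SQL text (CWE-89). A username such as
    "admin' --" closes the string literal and comments out the password check."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password_hash = '" + sha256_hex(password) + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str):
    """Same query with bound parameters: the input is data, never SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, sha256_hex(password))).fetchone()


# --- product lookup: data extraction through a numeric parameter -----------

def product_lookup_vulnerable(conn, product_id: str):
    """Numeric context without quotes, so no quote is needed at all: a value
    like "1 UNION SELECT username, password_hash FROM users" appends a second
    query and the caller's result grid leaks the users table."""
    sql = "SELECT name, price FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def product_lookup_safe(conn, product_id: str):
    """Validates the type first, then binds the value as a parameter."""
    try:
        pid = int(product_id)
    except ValueError:
        return []
    return conn.execute("SELECT name, price FROM products WHERE id = ?", (pid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("bypass (vulnerable):", login_vulnerable(db, "admin' --", "wrong"))
    print("bypass (safe):      ", login_safe(db, "admin' --", "wrong"))
    payload = "1 UNION SELECT username, password_hash FROM users"
    print("extract (vulnerable):", product_lookup_vulnerable(db, payload))
    print("extract (safe):      ", product_lookup_safe(db, payload))
```

The type check in product_lookup_safe is belt and braces: binding alone already stops the UNION, because the whole string is compared against the integer column as one value and matches nothing. Escaping, which the WP EasyCart entry says was insufficient, is the wrong tool for a numeric context anyway: there is no quote to escape.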

24. CVE-2024-29022
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. In affected versions some request headers are not correctly sanitised when stored in the session and display tables. These headers can be used to inject a malicious script into the session page to exfiltrate session IDs and User Agents. These session IDs / User Agents can subsequently be used to hijack active sessions. A malicious script can be injected into the display grid to exfiltrate information related to displays. Users should upgrade to version 3.3.10 or 4.0.9 which fix this issue. Customers who host their CMS with the Xibo Signage service have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of security support: 2.3 patch ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff. 1.8 patch a81044e6ccdd92cc967e34c125bd8162432e51bc.diff. There are no known workarounds for this issue.
References: https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff
https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff
https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xchw-pf2w-rpgq
https://xibosignage.com/blog/security-advisory-2024-04

CWE-ID: CWE-117 CWE-79
Common Platform Enumerations (CPE): Not Found

25. CVE-2024-29023
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. Session tokens are exposed in the return of session search API call on the sessions page. Subsequently they can be exfiltrated and used to hijack a session. Users must be granted access to the session page, or be a super admin. Users should upgrade to version 3.3.10 or 4.0.9 which fix this issue. Customers who host their CMS with the Xibo Signage service have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running. Patches are available for earlier versions of Xibo CMS that are out of security support: 2.3 patch ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff. 1.8 patch a81044e6ccdd92cc967e34c125bd8162432e51bc.diff. There are no known workarounds for this vulnerability.
References: https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff
https://github.com/xibosignage/xibo-cms/commit/3b93636aa7aea07d1f7dfa36b63b773ac16d7cde
https://github.com/xibosignage/xibo-cms/commit/49f018fd9fe64fcd417d7c2ef96078bd7b2b88b7
https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff
https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xmc6-cfq5-hg39
https://xibosignage.com/blog/security-advisory-2024-04

CWE-ID: CWE-200
Common Platform Enumerations (CPE): Not Found

26. CVE-2024-32003
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: wn-dusk-plugin (Dusk plugin) is a plugin which integrates Laravel Dusk browser testing into Winter CMS. The Dusk plugin provides some special routes as part of its testing framework to allow a browser environment (such as headless Chrome) to act as a user in the Backend or User plugin without having to go through authentication. This route is `[[URL]]/_dusk/login/[[USER ID]]/[[MANAGER]]` - where `[[URL]]` is the base URL of the site, `[[USER ID]]` is the ID of the user account and `[[MANAGER]]` is the authentication manager (either `backend` for Backend, or `user` for the User plugin). If a configuration of a site using the Dusk plugin is set up in such a way that the Dusk plugin is available publicly and the test cases in Dusk are run with live data, this route may potentially be used to gain access to any user account in either the Backend or User plugin without authentication. As indicated in the `README`, this plugin should only be used in development and should *NOT* be used in a production instance. It is specifically recommended that the plugin be installed as a development dependency only in Composer. In order to remediate this issue, the special routes used above will now no longer be registered unless the `APP_ENV` environment variable is specifically set to `dusk`. Since Winter by default does not use this environment variable and it is not populated by default, it will only exist if Dusk's automatic configuration is used (which won't exhibit this vulnerability) or if a developer manually specifies it in their configuration. The automatic configuration performed by the Dusk plugin has also been hardened by default to use sane defaults and not allow external environment variables to leak into this configuration. This will only affect users in which the Winter CMS installation meets ALL the following criteria: 1. The Dusk plugin is installed in the Winter CMS instance. 2. The application is in production mode (i.e. the `debug` config value is set to `true` in `config/app.php`). 3. The Dusk plugin's automatic configuration has been overridden, either by providing a custom `.env.dusk` file or by providing custom configuration in the `config/dusk` folder, or by providing configuration environment variables externally. 4. The environment has been configured to use production data in the database for testing, and not the temporary SQLite database that Dusk uses by default. 5. The application is connectable via the web. This issue has been fixed in version 2.1.0. Users are advised to upgrade.
References: https://github.com/wintercms/wn-dusk-plugin/blob/main/README.md
https://github.com/wintercms/wn-dusk-plugin/security/advisories/GHSA-chcp-g9j5-3xxx

CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found

27. CVE-2024-32005
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceGUI leaflet component when requesting resource files under the `/_nicegui/{__version__}/resources/{key}/{path:path}` route. As a result, any file on the backend filesystem that the web server can read can be retrieved by an attacker with access to the NiceGUI leaflet website. This vulnerability has been addressed in version 1.4.21. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/zauberzeug/nicegui/commit/ed12eb14f2a6c48b388a05c04b3c5a107ea9d330
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mwc7-64wg-pgvj
https://huntr.com/bounties/29ec621a-bd69-4225-ab0f-5bb8a1d10c67

CWE-ID: CWE-22 CWE-23
Common Platform Enumerations (CPE): Not Found
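The NiceGUI entry is a path traversal (CWE-22) instance: a route that accepts a `{path:path}` parameter and joins it onto a resource directory without checking where the result lands. As an added example that is not NiceGUI's code, the following resolver shows the unchecked join beside one that canonicalises the path and rejects anything outside the base directory, including a symlink planted inside it. The directory layout is constructed for the demo.

```python
"""Resolving a user-supplied resource path safely under a base directory.
Added example for this digest (the CWE-22 pattern behind the NiceGUI entry),
not NiceGUI's own code. The directory layout built by make_fixture() is
constructed."""
import tempfile
from pathlib import Path
from typing import Callable, Optional


def resolve_vulnerable(base: Path, user_path: str) -> Optional[Path]:
    """Joins the request path onto the base directory and stops there.
    '..' segments escape the directory, and an absolute path replaces
    `base` entirely (that is how pathlib's '/' operator behaves)."""
    return base / user_path


def resolve_safe(base: Path, user_path: str) -> Optional[Path]:
    """Canonicalises both sides (collapsing '..' and following symlinks) and
    rejects anything that does not end up strictly inside `base`."""
    root = base.resolve()
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None            # escaped the resource directory
    if candidate == root:
        return None            # the directory itself is not a resource
    return candidate


def read_resource(base: Path, user_path: str,
                  resolver: Callable[[Path, str], Optional[Path]]) -> Optional[bytes]:
    """What a `/resources/{key}/{path:path}` style handler does with the
    parameter the framework has already percent-decoded for it."""
    target = resolver(base, user_path)
    if target is None or not target.is_file():
        return None
    return target.read_bytes()


def make_fixture() -> Path:
    """Constructed layout: <tmp>/resources/leaflet/leaflet.js is the only file
    that should ever be served; <tmp>/secret.txt sits one level above it."""
    tmp = Path(tempfile.mkdtemp())
    base = tmp / "resources"
    (base / "leaflet").mkdir(parents=True)
    (base / "leaflet" / "leaflet.js").write_bytes(b"console.log('leaflet');")
    (tmp / "secret.txt").write_bytes(b"TOP-SECRET")
    try:                       # a symlink inside the tree that points outside it
        (base / "link.txt").symlink_to(tmp / "secret.txt")
    except OSError:
        pass                   # platforms without symlink support
    return base


if __name__ == "__main__":
    base = make_fixture()
    for path in ("leaflet/leaflet.js", "../secret.txt", "link.txt"):
        print(f"{path!r:22} unchecked={read_resource(base, path, resolve_vulnerable)!r:28} "
              f"checked={read_resource(base, path, resolve_safe)!r}")
```

Two details matter in resolve_safe. Resolving before the containment check is what defeats both `..` and the planted symlink, since the comparison is made on the real target rather than the requested name. And comparing with relative_to rather than a string prefix avoids the classic `/srv/resources` versus `/srv/resources-old` false match.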

28. CVE-2024-32019
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.0
Impact Score: 6.0
Description: Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/netdata/netdata/pull/17377
https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93

CWE-ID: CWE-426
Common Platform Enumerations (CPE): Not Found
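The Netdata entry is a textbook untrusted search path (CWE-426): a SUID helper that restricts which command names it will run but lets the caller's PATH decide which file those names resolve to. The following added example (Python standing in for the C helper; not Netdata's code) contrasts a PATH-based lookup with one that searches only fixed directories and insists that the hit be a root-owned, non-writable regular file. The command allowlist and the trusted directories are assumptions for illustration, and the fake binary the demo plants is constructed.

```python
"""Untrusted versus fixed search path in a privileged command helper.
Added example for this digest; it is not Netdata's ndsudo code. The command
allowlist and trusted directories are assumptions for illustration, and the
fake binary planted by plant_fake_binary() is constructed."""
import os
import shutil
import stat
import tempfile
from typing import Mapping, Optional, Sequence

ALLOWED_COMMANDS = frozenset({"nvme", "megacli", "arcconf"})          # assumption
TRUSTED_DIRS: Sequence[str] = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")  # assumption


def find_command_vulnerable(name: str, env: Mapping[str, str]) -> Optional[str]:
    """Restricts *which* names may run but resolves them through the caller's
    PATH (CWE-426). A SUID helper inherits that PATH from the unprivileged
    user, who can prepend a directory they control."""
    if name not in ALLOWED_COMMANDS:
        return None
    return shutil.which(name, path=env.get("PATH", ""))


def find_command_safe(name: str, trusted_dirs: Sequence[str] = TRUSTED_DIRS) -> Optional[str]:
    """Ignores the environment entirely: only the fixed directories are
    searched, and a hit must be a regular file owned by root that neither
    group nor others can write."""
    if name not in ALLOWED_COMMANDS:
        return None
    for directory in trusted_dirs:
        candidate = os.path.join(directory, name)
        try:
            st = os.stat(candidate)          # follows symlinks: checks the real target
        except OSError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            continue
        if not os.access(candidate, os.X_OK):
            continue
        return candidate
    return None


def plant_fake_binary(name: str) -> str:
    """Constructed attacker step: an executable with an allowed name in a
    directory the unprivileged user owns. Returns that directory."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho \"running as uid $(id -u)\"\n")
    os.chmod(path, 0o755)
    return directory


if __name__ == "__main__":
    evil_dir = plant_fake_binary("nvme")
    attacker_env = {"PATH": evil_dir + os.pathsep + os.pathsep.join(TRUSTED_DIRS)}
    print("PATH-based lookup resolves to: ", find_command_vulnerable("nvme", attacker_env))
    print("fixed-path lookup resolves to: ", find_command_safe("nvme"))
```

On a host where no real nvme binary is installed the fixed-path lookup returns None, which is the correct answer: a helper that runs as root should refuse rather than fall back to whatever the environment offers. In the C original the equivalent fix is to drop PATH from the lookup (or clear the environment at startup) and open candidates by absolute path.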

29. CVE-2024-28869
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Traefik is an HTTP reverse proxy and load balancer. In affected versions, sending a GET request to any Traefik endpoint with a "Content-Length" request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service. It has been addressed in versions 2.11.2 and 3.0.0-rc5. Users are advised to upgrade. For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.

References: https://doc.traefik.io/traefik/routing/entrypoints/#respondingtimeouts
https://github.com/traefik/traefik/commit/240b83b77351dfd8cadb91c305b84e9d22e0f9c6
https://github.com/traefik/traefik/releases/tag/v2.11.2
https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5
https://github.com/traefik/traefik/security/advisories/GHSA-4vwx-54mw-vqfw

CWE-ID: CWE-755
Common Platform Enumerations (CPE): Not Found
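The mitigation the Traefik entry names, readTimeout, points at the mechanism: a GET that declares a Content-Length but sends no body leaves the server waiting for bytes that never arrive, and with no read timeout that wait is unbounded, so each such request pins a connection for as long as the client keeps it open. The following added example (not Traefik's code) reproduces that server-side wait over a socketpair with a minimal HTTP header reader, using a constructed probe request, and shows what a finite read timeout changes. In Traefik the option sits under the entry point's transport settings as `respondingTimeouts.readTimeout` (see the documentation link above).

```python
"""Why a bodyless GET that declares a Content-Length pins a request handler,
and what a read timeout changes. Added example for this digest; a minimal
stand-in for the server side, not Traefik's code. The probe request built by
bodyless_get() is constructed."""
import socket
from typing import Optional, Tuple


def bodyless_get(host: str = "proxy.example") -> bytes:
    """Constructed probe: declares a 5-byte body and never sends it."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nContent-Length: 5\r\n\r\n".encode()


def _read_head(conn: socket.socket, limit: int = 8192) -> Tuple[bytes, bytes]:
    """Reads up to the blank line ending the header block; returns
    (head, any body bytes that arrived in the same chunks)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        if len(buf) > limit:
            raise ConnectionError("header block too large")
        chunk = conn.recv(1024)
        if not chunk:
            raise ConnectionError("peer closed before headers completed")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest


def content_length(head: bytes) -> int:
    """Declared body length, 0 when the header is absent."""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                return int(value.strip())
            except ValueError:
                raise ConnectionError("malformed Content-Length")
    return 0


def handle_request(conn: socket.socket, read_timeout: Optional[float]) -> str:
    """Server side. After the headers it waits for exactly Content-Length body
    bytes. read_timeout=None is an unbounded wait (one pinned connection per
    probe for as long as the client stays silent); a finite value is what a
    read timeout buys: the wait ends and the connection is dropped."""
    conn.settimeout(read_timeout)
    try:
        head, body = _read_head(conn)
        expected = content_length(head)
        while len(body) < expected:
            chunk = conn.recv(expected - len(body))
            if not chunk:
                return "closed"
            body += chunk
        return "served"
    except socket.timeout:
        return "timed-out"
    except ConnectionError:
        return "rejected"


def simulate(request: bytes, read_timeout: Optional[float]) -> str:
    """Drives handle_request over a socketpair, standing in for a client that
    sends `request` and then goes silent without closing."""
    server_side, client_side = socket.socketpair()
    try:
        client_side.sendall(request)
        return handle_request(server_side, read_timeout)
    finally:
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    print("bodyless GET, 0.2 s read timeout:", simulate(bodyless_get(), 0.2))
    print("GET with its body, 0.2 s timeout:", simulate(bodyless_get() + b"hello", 0.2))
    print("plain GET, 0.2 s timeout:        ", simulate(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n", 0.2))
```

Never call simulate with read_timeout=None on the bodyless probe: that is the hang the advisory describes, reproduced faithfully. A read timeout converts it into a bounded cost per connection, which is a mitigation, not a fix; the upgrade to 2.11.2 or 3.0.0-rc5 is still required.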
