In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between April 06-07, 2024.
During this period, The National Vulnerability Database published 40, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 1
High: 9
Medium: 17
Low: 6
Severity Not Assigned: 7
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-1385
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: The WP-Stateless – Google Cloud Storage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the dismiss_notices() function in all versions up to, and including, 3.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary option values to the current time, which may completely take a site offline.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3035169%40wp-stateless&new=3035169%40wp-stateless&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/9a475017-ef45-4614-bdc6-ddd619b8caf3?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-3359
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, has been found in SourceCodester Online Library System 1.0. This issue affects some unknown processing of the file admin/login.php. The manipulation of the argument user_email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259463.
References: https://github.com/thisissuperann/Vul/blob/main/Online-Library-System-01
https://vuldb.com/?ctiid.259463
https://vuldb.com/?id.259463
https://vuldb.com/?submit.310423
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-3360
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, was found in SourceCodester Online Library System 1.0. Affected is an unknown function of the file admin/books/index.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259464.
References: https://github.com/thisissuperann/Vul/blob/main/Online-Library-System-02
https://vuldb.com/?ctiid.259464
https://vuldb.com/?id.259464
https://vuldb.com/?submit.310424
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-3361
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability has been found in SourceCodester Online Library System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file admin/books/deweydecimal.php. The manipulation of the argument category leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259465 was assigned to this vulnerability.
References: https://github.com/thisissuperann/Vul/blob/main/Online-Library-System-03
https://vuldb.com/?ctiid.259465
https://vuldb.com/?id.259465
https://vuldb.com/?submit.310425
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-3362
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability was found in SourceCodester Online Library System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file admin/books/controller.php. The manipulation of the argument IBSN leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-259466 is the identifier assigned to this vulnerability.
References: https://github.com/thisissuperann/Vul/blob/main/Online-Library-System-04
https://vuldb.com/?ctiid.259466
https://vuldb.com/?id.259466
https://vuldb.com/?submit.310426
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-3363
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability was found in SourceCodester Online Library System 1.0. It has been classified as critical. This affects an unknown part of the file admin/borrowed/index.php. The manipulation of the argument BookPublisher/BookTitle leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259467.
References: https://github.com/thisissuperann/Vul/blob/main/Online-Library-System-05
https://vuldb.com/?ctiid.259467
https://vuldb.com/?id.259467
https://vuldb.com/?submit.310429
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-22328
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: IBM Maximo Application Suite 8.10 and 8.11 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 279950.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/279950
https://www.ibm.com/support/pages/node/7147543
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-25029
Base Score: 9.0
Base Severity: CRITICAL
Exploitability Score: 2.2
Impact Score: 6.0
Description: IBM Personal Communications 14.0.6 through 15.0.1 includes a Windows service that is vulnerable to remote code execution (RCE) and local privilege escalation (LPE). The vulnerability allows any unprivileged user with network access to a target computer to run commands with full privileges in the context of NT AUTHORITY\SYSTEM. This allows for a low privileged attacker to move laterally to affected systems and to escalate their privileges. IBM X-Force ID: 281619.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/281619
https://www.ibm.com/support/pages/node/7147672
CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found
9. CVE-2024-3376
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability classified as critical has been found in SourceCodester Computer Laboratory Management System 1.0. This affects an unknown part of the file config.php. The manipulation of the argument url leads to execution after redirect. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259497 was assigned to this vulnerability.
References: https://github.com/Sospiro014/zday1/blob/main/Execution_After_Redirect.md
https://vuldb.com/?ctiid.259497
https://vuldb.com/?id.259497
https://vuldb.com/?submit.311154
CWE-ID: CWE-698
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-3413
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability has been found in SourceCodester Human Resource Information System 1.0 and classified as critical. This vulnerability affects unknown code of the file initialize/login_process.php. The manipulation of the argument hr_email/hr_password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-259582 is the identifier assigned to this vulnerability.
References: https://github.com/thisissuperann/Vul/blob/Human-Resource-Information-System/Human-Resource-Information-System-01.md
https://vuldb.com/?ctiid.259582
https://vuldb.com/?id.259582
https://vuldb.com/?submit.311431
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between April 06-07, 2024.
During this period, The National Vulnerability Database published 40, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 1
High: 9
Medium: 17
Low: 6
Severity Not Assigned: 7
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-1385
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: The WP-Stateless – Google Cloud Storage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the dismiss_notices() function in all versions up to, and including, 3.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary option values to the current time, which may completely take a site offline.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3035169%40wp-stateless&new=3035169%40wp-stateless&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/9a475017-ef45-4614-bdc6-ddd619b8caf3?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-3359
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, has been found in SourceCodester Online Library System 1.0. This issue affects some unknown processing of the file admin/login.php. The manipulation of the argument user_email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259463.
References: https://github.com/thisissuperann/Vul/blob/main/Online-Library-System-01
https://vuldb.com/?ctiid.259463
https://vuldb.com/?id.259463
https://vuldb.com/?submit.310423
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-3360
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, was found in SourceCodester Online Library System 1.0. Affected is an unknown function of the file admin/books/index.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259464.
References: https://github.com/thisissuperann/Vul/blob/main/Online-Library-System-02
https://vuldb.com/?ctiid.259464
https://vuldb.com/?id.259464
https://vuldb.com/?submit.310424
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-3361
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability has been found in SourceCodester Online Library System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file admin/books/deweydecimal.php. The manipulation of the argument category leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259465 was assigned to this vulnerability.
References: https://github.com/thisissuperann/Vul/blob/main/Online-Library-System-03
https://vuldb.com/?ctiid.259465
https://vuldb.com/?id.259465
https://vuldb.com/?submit.310425
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-3362
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability was found in SourceCodester Online Library System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file admin/books/controller.php. The manipulation of the argument IBSN leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-259466 is the identifier assigned to this vulnerability.
References: https://github.com/thisissuperann/Vul/blob/main/Online-Library-System-04
https://vuldb.com/?ctiid.259466
https://vuldb.com/?id.259466
https://vuldb.com/?submit.310426
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-3363
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability was found in SourceCodester Online Library System 1.0. It has been classified as critical. This affects an unknown part of the file admin/borrowed/index.php. The manipulation of the argument BookPublisher/BookTitle leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259467.
References: https://github.com/thisissuperann/Vul/blob/main/Online-Library-System-05
https://vuldb.com/?ctiid.259467
https://vuldb.com/?id.259467
https://vuldb.com/?submit.310429
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-22328
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: IBM Maximo Application Suite 8.10 and 8.11 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 279950.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/279950
https://www.ibm.com/support/pages/node/7147543
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-25029
Base Score: 9.0
Base Severity: CRITICAL
Exploitability Score: 2.2
Impact Score: 6.0
Description: IBM Personal Communications 14.0.6 through 15.0.1 includes a Windows service that is vulnerable to remote code execution (RCE) and local privilege escalation (LPE). The vulnerability allows any unprivileged user with network access to a target computer to run commands with full privileges in the context of NT AUTHORITY\SYSTEM. This allows for a low privileged attacker to move laterally to affected systems and to escalate their privileges. IBM X-Force ID: 281619.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/281619
https://www.ibm.com/support/pages/node/7147672
CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found
9. CVE-2024-3376
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability classified as critical has been found in SourceCodester Computer Laboratory Management System 1.0. This affects an unknown part of the file config.php. The manipulation of the argument url leads to execution after redirect. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259497 was assigned to this vulnerability.
References: https://github.com/Sospiro014/zday1/blob/main/Execution_After_Redirect.md
https://vuldb.com/?ctiid.259497
https://vuldb.com/?id.259497
https://vuldb.com/?submit.311154
CWE-ID: CWE-698
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-3413
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability has been found in SourceCodester Human Resource Information System 1.0 and classified as critical. This vulnerability affects unknown code of the file initialize/login_process.php. The manipulation of the argument hr_email/hr_password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-259582 is the identifier assigned to this vulnerability.
References: https://github.com/thisissuperann/Vul/blob/Human-Resource-Information-System/Human-Resource-Information-System-01.md
https://vuldb.com/?ctiid.259582
https://vuldb.com/?id.259582
https://vuldb.com/?submit.311431
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found