In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between April 08-09, 2024.
During this period, the National Vulnerability Database published 133 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:
Critical: 1
High: 5
Medium: 27
Low: 4
Severity Not Assigned: 96
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-3438
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability was found in SourceCodester Prison Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /Admin/login.php. The manipulation leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259691.
References: https://github.com/fubxx/CVE/blob/main/PrisonManagementSystemSQL1.md
https://vuldb.com/?ctiid.259691
https://vuldb.com/?id.259691
https://vuldb.com/?submit.312203
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-3439
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability was found in SourceCodester Prison Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /Account/login.php. The manipulation leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259692.
References: https://github.com/fubxx/CVE/blob/main/PrisonManagementSystemSQL2.md
https://vuldb.com/?ctiid.259692
https://vuldb.com/?id.259692
https://vuldb.com/?submit.312204
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-2834
Base Score: 8.7
Base Severity: HIGH
Exploitability Score: 2.3
Impact Score: 5.8
Description: A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Management Center and ArcSight Platform. The vulnerability could be remotely exploited.
References: https://portal.microfocus.com/s/article/KM000028275
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-31224
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: GPT Academic provides interactive interfaces for large language models. A vulnerability was found in gpt_academic versions 3.64 through 3.73. The server deserializes untrustworthy data from the client, which may risk remote code execution. Any device that exposes the GPT Academic service to the Internet is vulnerable. Version 3.74 contains a patch for the issue. There are no known workarounds aside from upgrading to a patched version.
References: https://github.com/binary-husky/gpt_academic/commit/8af6c0cab6d96f5c4520bec85b24802e6e823f35
https://github.com/binary-husky/gpt_academic/pull/1648
https://github.com/binary-husky/gpt_academic/security/advisories/GHSA-jcjc-89wr-vv7g
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-31442
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Redon Hub is a Roblox Product Delivery Bot, also known as a Hub. In all hubs before version 1.0.2, all commands are capable of being run by all users, including admin commands. This allows users to receive products for free and delete/create/update products/tags/etc. The only non-affected command is `/products admin clear` as this was already programmed for bot owners only. All users should upgrade to version 1.0.2 to receive a patch.
References: https://github.com/Redon-Tech/Redon-Hub/commit/38cb7c08d4d890e8a1badadbd46f459f06e3cdcd
https://github.com/Redon-Tech/Redon-Hub/security/advisories/GHSA-3rx8-6453-7q26
CWE-ID: CWE-276
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-0082
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 6.0
Description: NVIDIA ChatRTX for Windows contains a vulnerability in the UI, where an attacker can cause improper privilege management by sending open file requests to the application. A successful exploit of this vulnerability might lead to local escalation of privileges, information disclosure, and data tampering.
References: https://nvidia.custhelp.com/app/answers/detail/a_id/5532
CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found