In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between May 05-06, 2024.
During this period, The National Vulnerability Database published 35, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 0
High: 8
Medium: 8
Low: 0
Severity Not Assigned: 19
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-4491
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability classified as critical was found in Tenda i21 1.0.0.14(4656). This vulnerability affects the function formGetDiagnoseInfo. The manipulation of the argument cmdinput leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263080. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/i/i21/formGetDiagnoseInfo.md
https://vuldb.com/?ctiid.263080
https://vuldb.com/?id.263080
https://vuldb.com/?submit.323600
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-4492
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability, which was classified as critical, has been found in Tenda i21 1.0.0.14(4656). This issue affects the function formOfflineSet of the file /goform/setStaOffline. The manipulation of the argument GO/ssidIndex leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263081 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/i/i21/formOfflineSet.md
https://vuldb.com/?ctiid.263081
https://vuldb.com/?id.263081
https://vuldb.com/?submit.323601
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-4493
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability, which was classified as critical, was found in Tenda i21 1.0.0.14(4656). Affected is the function formSetAutoPing. The manipulation of the argument ping1/ping2 leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-263082 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/i/i21/formSetAutoPing.md
https://vuldb.com/?ctiid.263082
https://vuldb.com/?id.263082
https://vuldb.com/?submit.323602
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-4494
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability has been found in Tenda i21 1.0.0.14(4656) and classified as critical. Affected by this vulnerability is the function formSetUplinkInfo of the file /goform/setUplinkInfo. The manipulation of the argument pingHostIp2 leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263083. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/i/i21/formSetUplinkInfo.md
https://vuldb.com/?ctiid.263083
https://vuldb.com/?id.263083
https://vuldb.com/?submit.323604
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-4495
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability was found in Tenda i21 1.0.0.14(4656) and classified as critical. Affected by this issue is the function formWifiMacFilterGet. The manipulation of the argument index leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263084. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/i/i21/formWifiMacFilterGet.md
https://vuldb.com/?ctiid.263084
https://vuldb.com/?id.263084
https://vuldb.com/?submit.323605
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-4496
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability was found in Tenda i21 1.0.0.14(4656). It has been classified as critical. This affects the function formWifiMacFilterSet. The manipulation of the argument ssidIndex leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263085 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/i/i21/formWifiMacFilterSet.md
https://vuldb.com/?ctiid.263085
https://vuldb.com/?id.263085
https://vuldb.com/?submit.323606
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-4497
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability was found in Tenda i21 1.0.0.14(4656). It has been declared as critical. This vulnerability affects the function formexeCommand. The manipulation of the argument cmdinput leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-263086 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/i/i21/formexeCommand.md
https://vuldb.com/?ctiid.263086
https://vuldb.com/?id.263086
https://vuldb.com/?submit.323607
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-34510
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Gradio before 4.20 allows credential leakage on Windows.
References: https://github.com/gradio-app/gradio/
https://www.gradio.app/changelog#4-20-0
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between May 05-06, 2024.
During this period, The National Vulnerability Database published 35, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 0
High: 8
Medium: 8
Low: 0
Severity Not Assigned: 19
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-4491
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability classified as critical was found in Tenda i21 1.0.0.14(4656). This vulnerability affects the function formGetDiagnoseInfo. The manipulation of the argument cmdinput leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263080. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/i/i21/formGetDiagnoseInfo.md
https://vuldb.com/?ctiid.263080
https://vuldb.com/?id.263080
https://vuldb.com/?submit.323600
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-4492
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability, which was classified as critical, has been found in Tenda i21 1.0.0.14(4656). This issue affects the function formOfflineSet of the file /goform/setStaOffline. The manipulation of the argument GO/ssidIndex leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263081 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/i/i21/formOfflineSet.md
https://vuldb.com/?ctiid.263081
https://vuldb.com/?id.263081
https://vuldb.com/?submit.323601
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-4493
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability, which was classified as critical, was found in Tenda i21 1.0.0.14(4656). Affected is the function formSetAutoPing. The manipulation of the argument ping1/ping2 leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-263082 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/i/i21/formSetAutoPing.md
https://vuldb.com/?ctiid.263082
https://vuldb.com/?id.263082
https://vuldb.com/?submit.323602
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-4494
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability has been found in Tenda i21 1.0.0.14(4656) and classified as critical. Affected by this vulnerability is the function formSetUplinkInfo of the file /goform/setUplinkInfo. The manipulation of the argument pingHostIp2 leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263083. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/i/i21/formSetUplinkInfo.md
https://vuldb.com/?ctiid.263083
https://vuldb.com/?id.263083
https://vuldb.com/?submit.323604
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-4495
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability was found in Tenda i21 1.0.0.14(4656) and classified as critical. Affected by this issue is the function formWifiMacFilterGet. The manipulation of the argument index leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263084. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/i/i21/formWifiMacFilterGet.md
https://vuldb.com/?ctiid.263084
https://vuldb.com/?id.263084
https://vuldb.com/?submit.323605
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-4496
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability was found in Tenda i21 1.0.0.14(4656). It has been classified as critical. This affects the function formWifiMacFilterSet. The manipulation of the argument ssidIndex leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263085 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/i/i21/formWifiMacFilterSet.md
https://vuldb.com/?ctiid.263085
https://vuldb.com/?id.263085
https://vuldb.com/?submit.323606
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-4497
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability was found in Tenda i21 1.0.0.14(4656). It has been declared as critical. This vulnerability affects the function formexeCommand. The manipulation of the argument cmdinput leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-263086 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/i/i21/formexeCommand.md
https://vuldb.com/?ctiid.263086
https://vuldb.com/?id.263086
https://vuldb.com/?submit.323607
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-34510
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Gradio before 4.20 allows credential leakage on Windows.
References: https://github.com/gradio-app/gradio/
https://www.gradio.app/changelog#4-20-0
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found