Bulletins: Vulnerability Summary for the Week of September 9, 2024

Source URL: https://www.cisa.gov/news-events/bulletins/sb24-260
Source: Bulletins
Title: Vulnerability Summary for the Week of September 9, 2024

Feedly Summary:
High Vulnerabilities

Columns: Primary Vendor -- Product | Description | Published | CVSS Score | CVE ID | Source Info (the Patch Info column is empty in this copy)

Siemens -- Industrial Edge Management Pro
Description: A vulnerability has been identified in Industrial Edge Management Pro (All versions < V1.9.5), Industrial Edge Management Virtual (All versions < V2.3.1-1). Affected components do not properly validate the device tokens. This could allow an unauthenticated remote attacker to impersonate other devices onboarded to the system.
Published: 2024-09-10 | CVSS Score: 10 | CVE-2024-45032 | Source Info: productcert@siemens.com

SAML-Toolkits -- ruby-saml
Description: The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
Published: 2024-09-10 | CVSS Score: 10 | CVE-2024-45409 | Source Info: security-advisories@github.com

Baxter -- Connex Health Portal
Description: In Connex health portal released before 8/30/2024, SQL injection vulnerabilities were found that could have allowed an unauthenticated attacker to gain unauthorized access to Connex portal's database. An attacker could have submitted a crafted payload to Connex portal that could have resulted in modification and disclosure of database content and/or perform administrative operations including shutting down the database.
Published: 2024-09-09 | CVSS Score: 10 | CVE-2024-6795 | Source Info: productsecurity@baxter.com

nik00726 -- video carousel slider with lightbox
Description: The video carousel slider with lightbox plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2024-09-11 | CVSS Score: 9.1 | CVE-2019-25212 | Source Info: security@wordfence.com

n/a -- n/a
Description: Loftware Spectrum before 4.6 HF14 has Missing Authentication for a Critical Function.
Published: 2024-09-10 | CVSS Score: 9.8 | CVE-2023-37226 | Source Info: cve@mitre.org

n/a -- n/a
Description: Loftware Spectrum before 4.6 HF13 Deserializes Untrusted Data.
Published: 2024-09-10 | CVSS Score: 9.8 | CVE-2023-37227 | Source Info: cve@mitre.org

n/a -- n/a
Description: Loftware Spectrum before 4.6 HF14 uses a Hard-coded Password.
Published: 2024-09-10 | CVSS Score: 9.8 | CVE-2023-37231 | Source Info: cve@mitre.org

Simple Online Planning -- SO Planning
Description: An unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. If the public view setting is enabled, an attacker can upload a PHP-file that will be available for execution for a few milliseconds before it is removed, leading to execution of code on the underlying system. The vulnerability has been remediated in version 1.52.02.
Published: 2024-09-11 | CVSS Score: 9.8 | CVE-2024-27114 | Source Info: csirt@divd.nl

gitlab -- gitlab
Description: An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables.
Published: 2024-09-12 | CVSS Score: 9.1 | CVE-2024-2743 | Source Info: cve@gitlab.com

SolarWinds -- Access Rights Manager
Description: SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.
Published: 2024-09-12 | CVSS Score: 9 | CVE-2024-28991 | Source Info: psirt@solarwinds.com

ivanti -- endpoint_manager
Description: Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.
Published: 2024-09-12 | CVSS Score: 9.8 | CVE-2024-29847 | Source Info: support@hackerone.com

Siemens -- SIMATIC Information Server 2022
Description: A vulnerability has been identified in SIMATIC Information Server 2022 (All versions), SIMATIC Information Server 2024 (All versions), SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions < V4.1 Update 2), SIMATIC PCS neo V5.0 (All versions), SINEC NMS (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 8), Totally Integrated Automation Portal (TIA Portal) V18 (All versions), Totally Integrated Automation Portal (TIA Portal) V19 (All versions). Affected products contain a heap-based buffer overflow vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to execute arbitrary code.
Published: 2024-09-10 | CVSS Score: 9.8 | CVE-2024-33698 | Source Info: productcert@siemens.com

n/a -- n/a
Description: ORDAT FOSS-Online before v2.24.01 was discovered to contain a SQL injection vulnerability via the forgot password function.
Published: 2024-09-12 | CVSS Score: 9.3 | CVE-2024-34334 | Source Info: cve@mitre.org

Siemens -- SIMATIC BATCH V9.1
Description: A vulnerability has been identified in SIMATIC BATCH V9.1 (All versions), SIMATIC Information Server 2020 (All versions), SIMATIC Information Server 2022 (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC Process Historian 2020 (All versions), SIMATIC Process Historian 2022 (All versions), SIMATIC WinCC Runtime Professional V18 (All versions), SIMATIC WinCC Runtime Professional V19 (All versions), SIMATIC WinCC V7.4 (All versions), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 18), SIMATIC WinCC V8.0 (All versions < V8.0 Update 5). The affected products run their DB server with elevated privileges which could allow an authenticated attacker to execute arbitrary OS commands with administrative privileges.
Published: 2024-09-10 | CVSS Score: 9.1 | CVE-2024-35783 | Source Info: productcert@siemens.com

Elastic -- Kibana
Description: A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security's built-in AI tools (https://www.elastic.co/guide/en/security/current/ai-for-security.html) and have configured an Amazon Bedrock connector (https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html).
Published: 2024-09-09 | CVSS Score: 9.9 | CVE-2024-37288 | Source Info: bressers@elastic.co

Microsoft -- Azure Stack Hub
Description: Azure Stack Hub Elevation of Privilege Vulnerability
Published: 2024-09-10 | CVSS Score: 9 | CVE-2024-38220 | Source Info: secure@microsoft.com

n/a -- n/a
Description: No-IP Dynamic Update Client (DUC) v3.x uses cleartext credentials that may occur on a command line or in a file. NOTE: the vendor's position is that cleartext in /etc/default/noip-duc is recommended and is the intentional behavior.
Published: 2024-09-12 | CVSS Score: 9.1 | CVE-2024-40457 | Source Info: cve@mitre.org

laurent22 -- joplin
Description: Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that "<" followed by a non-letter character will not be considered html. As such it is possible to do an XSS by putting an "illegal" tag within a tag.
Published: 2024-09-09 | CVSS Score: 9.6 | CVE-2024-40643 | Source Info: security-advisories@github.com

Samsung Open Source -- Escargot
Description: Heap-based Buffer Overflow vulnerability in Samsung Open Source Escargot JavaScript engine allows Overflow Buffers. This issue affects Escargot: 4.0.0.
Published: 2024-09-10 | CVSS Score: 9.8 | CVE-2024-40754 | Source Info: PSIRT@samsung.com

adobe -- coldfusion
Description: ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability by providing crafted input to the application, which when deserialized, leads to execution of malicious code. Exploitation of this issue does not require user interaction.
Published: 2024-09-13 | CVSS Score: 9.8 | CVE-2024-41874 | Source Info: psirt@adobe.com

Hewlett Packard Enterprise (HPE) -- HPE HP-UX ONCplus
Description: HPE has identified a denial of service vulnerability in HPE HP-UX System's Network File System (NFSv4) services.
Published: 2024-09-09 | CVSS Score: 9.3 | CVE-2024-42500 | Source Info: security-alert@hpe.com

n/a -- n/a
Description: Renwoxing Enterprise Intelligent Management System before v3.0 was discovered to contain a SQL injection vulnerability via the parid parameter at /fx/baseinfo/SearchInfo.
Published: 2024-09-10 | CVSS Score: 9.1 | CVE-2024-43040 | Source Info: cve@mitre.org

microsoft -- windows_server_2008
Description: Windows Remote Desktop Licensing Service Spoofing Vulnerability
Published: 2024-09-10 | CVSS Score: 9.8 | CVE-2024-43455 | Source Info: secure@microsoft.com

microsoft -- windows_10_1507
Description: Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 (KB5035858, OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability. This servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order. Note: Windows 10, version 1507 reached the end of support (EOS) on May 9, 2017 for devices running the Pro, Home, Enterprise, Education, and Enterprise IoT editions. Only Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions are still under support.
Published: 2024-09-10 | CVSS Score: 9.8 | CVE-2024-43491 | Source Info: secure@microsoft.com

dlink -- di-8300_firmware
Description: D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the upgrade_filter_asp function.
Published: 2024-09-09 | CVSS Score: 9.8 | CVE-2024-44410 | Source Info: cve@mitre.org

n/a -- n/a
Description: D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the msp_info_htm function.
Published: 2024-09-09 | CVSS Score: 9.8 | CVE-2024-44411 | Source Info: cve@mitre.org

comfast -- cf-xr11_firmware
Description: COMFAST CF-XR11 V2.7.2 has a command injection vulnerability in function sub_424CB4. Attackers can send POST request messages to /usr/bin/webmgnt and inject commands into parameter iface.
Published: 2024-09-11 | CVSS Score: 9.8 | CVE-2024-44466 | Source Info: cve@mitre.org

n/a -- n/a
Description: evilnapsis Inventio Lite Versions v4 and before is vulnerable to SQL Injection via the "username" parameter in "/?action=processlogin."
Published: 2024-09-11 | CVSS Score: 9.8 | CVE-2024-44541 | Source Info: cve@mitre.org

n/a -- n/a
Description: eladmin v2.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the DatabaseController.java component.
Published: 2024-09-10 | CVSS Score: 9.8 | CVE-2024-44677 | Source Info: cve@mitre.org

n/a -- n/a
Description: SeaCMS v13.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at /admin_reslib.php.
Published: 2024-09-09 | CVSS Score: 9.8 | CVE-2024-44721 | Source Info: cve@mitre.org

n/a -- n/a
Description: Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.
Published: 2024-09-09 | CVSS Score: 9.8 | CVE-2024-44849 | Source Info: cve@mitre.org

n/a -- n/a
Description: An issue in the component /jeecg-boot/jmreport/dict/list of JimuReport v1.7.8 allows an attacker to escalate privileges via a crafted GET request.
Published: 2024-09-10 | CVSS Score: 9.8 | CVE-2024-44893 | Source Info: cve@mitre.org

n/a -- n/a
Description: A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
Published: 2024-09-09 | CVSS Score: 9.8 | CVE-2024-44902 | Source Info: cve@mitre.org

NixOS -- nix
Description: Nix is a package manager for Linux and other Unix systems. A bug in Nix 2.24 prior to 2.24.6 allows a substituter or malicious user to craft a NAR that, when unpacked by Nix, causes Nix to write to arbitrary file system locations to which the Nix process has access. This will be with root permissions when using the Nix daemon. This issue is fixed in Nix 2.24.6.
Published: 2024-09-10 | CVSS Score: 9 | CVE-2024-45593 | Source Info: security-advisories@github.com

Rockwell Automation -- FactoryTalk View Site Edition
Description: CVE-2024-45824 IMPACT: A remote code vulnerability exists in the affected products. The vulnerability occurs when chained with Path Traversal, Command Injection, and XSS Vulnerabilities and allows for full unauthenticated remote code execution. The link in the mitigations section below contains patches to fix this issue.
Published: 2024-09-12 | CVSS Score: 9.8 | CVE-2024-45824 | Source Info: PSIRT@rockwellautomation.com

mindsdb -- mindsdb
Description: A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI.
Published: 2024-09-12 | CVSS Score: 9 | CVE-2024-45856 | Source Info: 6f8de1f0-f67e-45a6-b68f-98777fdb759c

Endress+Hauser -- Echo Curve Viewer
Description: An unauthenticated remote attacker can run malicious c# code included in curve files and execute commands in the user's context.
Published: 2024-09-10 | CVSS Score: 9.8 | CVE-2024-6596 | Source Info: info@cert.vde.com

GitLab -- GitLab
Description: An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
Published: 2024-09-12 | CVSS Score: 9.9 | CVE-2024-6678 | Source Info: cve@gitlab.com

ivanti -- endpoint_manager
Description: SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.
Published: 2024-09-10 | CVSS Score: 9.8 | CVE-2024-8191 | Source Info: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

villatheme -- WooCommerce Photo Reviews Premium
Description: The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as a user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully.
Published: 2024-09-11 | CVSS Score: 9.8 | CVE-2024-8277 | Source Info: security@wordfence.com

VICIdial -- VICIdial
Description: An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
Published: 2024-09-10 | CVSS Score: 9.8 | CVE-2024-8503 | Source Info: bbf0bd87-ece2-41be-b873-96928ee8fab9

learningdigital -- orca_hcm
Description: Orca HCM from LEARNING DIGITAL does not properly restrict access to a specific functionality, allowing an unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in. (The vendor is currently addressing the vulnerability. Once the fix is completed, we will provide information on the affected versions.)
Published: 2024-09-09 | CVSS Score: 9.8 | CVE-2024-8584 | Source Info: twcert@cert.org.tw

softaculous -- Backuply Backup, Restore, Migrate and Clone
Description: The Backuply - Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter passed to the backuply_wp_clone_sql() function in all versions up to, and including, 1.3.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2024-09-14 | CVSS Score: 9.1 | CVE-2024-8669 | Source Info: security@wordfence.com

docker -- desktop
Description: A remote code execution (RCE) vulnerability via crafted extension description/changelog could be abused by a malicious extension in Docker Desktop before 4.34.2.
Published: 2024-09-12 | CVSS Score: 9.8 | CVE-2024-8695 | Source Info: security@docker.com

docker -- desktop
Description: A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop before 4.34.2.
Published: 2024-09-12 | CVSS Score: 9.8 | CVE-2024-8696 | Source Info: security@docker.com

code-projects -- crud_operation_system
Description: A vulnerability was found in code-projects Crud Operation System 1.0. It has been classified as critical. This affects an unknown part of the file /updatedata.php. The manipulation of the argument sid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Published: 2024-09-13 | CVSS Score: 9.8 | CVE-2024-8762 | Source Info: cna@vuldb.com

n/a -- n/a
Description: Command Injection vulnerability in goform/SetIPTVCfg interface of Tenda AC15 V15.03.05.20 allows remote attackers to run arbitrary commands via crafted POST request.
Published: 2024-09-10 | CVSS Score: 8 | CVE-2023-36103 | Source Info: cve@mitre.org

n/a -- n/a
Description: Loftware Spectrum before 5.1 allows SSRF.
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2023-37229 | Source Info: cve@mitre.org

n/a -- n/a
Description: Loftware Spectrum (testDeviceConnection) before 5.1 allows SSRF.
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2023-37230 | Source Info: cve@mitre.org

n/a -- n/a
Description: Loftware Spectrum before 4.6 HF14 allows authenticated XXE attacks.
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2023-37233 | Source Info: cve@mitre.org

Cisco -- Cisco IOS XR Software
Description: A vulnerability in the multicast traceroute version 2 (Mtrace2) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust the UDP packet memory of an affected device. This vulnerability exists because the Mtrace2 code does not properly handle packet memory. An attacker could exploit this vulnerability by sending crafted packets to an affected device. A successful exploit could allow the attacker to exhaust the incoming UDP packet memory. The affected device would not be able to process higher-level UDP-based protocols packets, possibly causing a denial of service (DoS) condition. Note: This vulnerability can be exploited using IPv4 or IPv6.
Published: 2024-09-11 | CVSS Score: 8.6 | CVE-2024-20304 | Source Info: ykramarz@cisco.com

Cisco -- Cisco IOS XR Software
Description: A vulnerability in the JSON-RPC API feature in ConfD that is used by the web-based management interfaces of Cisco Crosswork Network Services Orchestrator (NSO), Cisco Optical Site Manager, and Cisco RV340 Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to modify the configuration of an affected application or device. This vulnerability is due to improper authorization checks on the API. An attacker with privileges sufficient to access the affected application or device could exploit this vulnerability by sending malicious requests to the JSON-RPC API. A successful exploit could allow the attacker to make unauthorized modifications to the configuration of the affected application or device, including creating new user accounts or elevating their own privileges on an affected system.
Published: 2024-09-11 | CVSS Score: 8.8 | CVE-2024-20381 | Source Info: ykramarz@cisco.com

Cisco -- Cisco IOS XR Software
Description: A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to obtain read/write file system access on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root.
Published: 2024-09-11 | CVSS Score: 8.8 | CVE-2024-20398 | Source Info: ykramarz@cisco.com

Cisco -- Cisco IOS XR Software
Description: A vulnerability in the storage method of the PON Controller configuration file could allow an authenticated, local attacker with low privileges to obtain the MongoDB credentials. This vulnerability is due to improper storage of the unencrypted database credentials on the device that is running Cisco IOS XR Software. An attacker could exploit this vulnerability by accessing the configuration files on an affected system. A successful exploit could allow the attacker to view MongoDB credentials.
Published: 2024-09-11 | CVSS Score: 8.4 | CVE-2024-20489 | Source Info: ykramarz@cisco.com

Microsoft -- Windows 10 Version 1809
Description: Windows TCP/IP Remote Code Execution Vulnerability
Published: 2024-09-10 | CVSS Score: 8.1 | CVE-2024-21416 | Source Info: secure@microsoft.com

n/a -- dset
Description: Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.
Published: 2024-09-11 | CVSS Score: 8.2 | CVE-2024-21529 | Source Info: report@snyk.io

Microsoft -- Microsoft SQL Server 2017 (GDR)
Description: Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-26186 | Source Info: secure@microsoft.com

Microsoft -- Microsoft SQL Server 2017 (GDR)
Description: Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-26191 | Source Info: secure@microsoft.com

Hitachi Vantara -- Pentaho Data Integration & Analytics
Description: Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.1.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when searching metadata injectable fields.
Published: 2024-09-12 | CVSS Score: 8.5 | CVE-2024-28981 | Source Info: security.vulnerabilities@hitachivantara.com

Google -- Android
Description: In PVRSRVBridgeRGXKickTA3D2 of server_rgxta3d_bridge.c, there is a possible arbitrary code execution due to improper input validation. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2024-09-11 | CVSS Score: 8.4 | CVE-2024-31336 | Source Info: security@android.com

Microsoft -- Microsoft SQL Server 2017 (GDR)
Description: Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-37335 | Source Info: secure@microsoft.com

Microsoft -- Microsoft SQL Server 2017 (GDR)
Description: Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-37338 | Source Info: secure@microsoft.com

Microsoft -- Microsoft SQL Server 2017 (GDR)
Description: Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-37339 | Source Info: secure@microsoft.com

Microsoft -- Microsoft SQL Server 2017 (GDR)
Description: Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-37340 | Source Info: secure@microsoft.com

Microsoft -- Microsoft SQL Server 2017 (GDR)
Description: Microsoft SQL Server Elevation of Privilege Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-37341 | Source Info: secure@microsoft.com

Ivanti -- EPM
Description: An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.
Published: 2024-09-12 | CVSS Score: 8.2 | CVE-2024-37397 | Source Info: support@hackerone.com

Microsoft -- Microsoft SQL Server 2017 (GDR)
Description: Microsoft SQL Server Elevation of Privilege Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-37965 | Source Info: secure@microsoft.com

Microsoft -- Microsoft SQL Server 2017 (GDR)
Description: Microsoft SQL Server Elevation of Privilege Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-37980 | Source Info: secure@microsoft.com

Microsoft -- Microsoft SharePoint Enterprise Server 2016
Description: Microsoft SharePoint Server Remote Code Execution Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-38018 | Source Info: secure@microsoft.com

Microsoft -- Windows 10 Version 1809
Description: Windows TCP/IP Remote Code Execution Vulnerability
Published: 2024-09-10 | CVSS Score: 8.1 | CVE-2024-38045 | Source Info: secure@microsoft.com

Microsoft -- Azure Web Apps
Description: An authenticated attacker can exploit an improper authorization vulnerability in Azure Web Apps to elevate privileges over a network.
Published: 2024-09-10 | CVSS Score: 8.4 | CVE-2024-38194 | Source Info: secure@microsoft.com

Microsoft -- Azure Stack Hub
Description: Azure Stack Hub Elevation of Privilege Vulnerability
Published: 2024-09-10 | CVSS Score: 8.2 | CVE-2024-38216 | Source Info: secure@microsoft.com

Microsoft -- Microsoft Dynamics 365 Business Central 2023 Release Wave 1
Description: Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-38225 | Source Info: secure@microsoft.com

Microsoft -- Windows 10 Version 1809
Description: Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
Published: 2024-09-10 | CVSS Score: 8.1 | CVE-2024-38240 | Source Info: secure@microsoft.com

microsoft -- windows_11_21h2
Description: Microsoft Management Console Remote Code Execution Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-38259 | Source Info: secure@microsoft.com

microsoft -- windows_server_2008
Description: Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-38260 | Source Info: secure@microsoft.com

Dell -- PowerScale InsightIQ
Description: Dell PowerScale InsightIQ, versions 5.0 through 5.1, contains a Use of a Broken or Risky Cryptographic Algorithm vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges.
Published: 2024-09-10 | CVSS Score: 8.1 | CVE-2024-39583 | Source Info: security_alert@emc.com

Siemens -- SINUMERIK 828D V4
Description: A vulnerability has been identified in SINUMERIK 828D V4 (All versions), SINUMERIK 828D V5 (All versions < V5.24), SINUMERIK 840D sl V4 (All versions), SINUMERIK ONE (All versions < V6.24). Affected devices do not properly enforce access restrictions to scripts that are regularly executed by the system with elevated privileges. This could allow an authenticated local attacker to escalate their privileges in the underlying system.
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-41171 | Source Info: productcert@siemens.com

AutomationDirect -- DirectLogic H2-DM1E
Description: The session hijacking attack targets the application layer's control mechanism, which manages authenticated sessions between a host PC and a PLC. During such sessions, a session key is utilized to maintain security. However, if an attacker captures this session key, they can inject traffic into an ongoing authenticated session. To successfully achieve this, the attacker also needs to spoof both the IP address and MAC address of the originating host which is typical of a session-based attack.
Published: 2024-09-13 | CVSS Score: 8.8 | CVE-2024-43099 | Source Info: ics-cert@hq.dhs.gov

PHOENIX CONTACT -- FL MGUARD 2102
Description: A low privileged remote attacker can trigger the execution of arbitrary OS commands as root due to improper neutralization of special elements in the variable PROXY_HTTP_PORT in mGuard devices.
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-43385 | Source Info: info@cert.vde.com

PHOENIX CONTACT -- FL MGUARD 2102
Description: A low privileged remote attacker can trigger the execution of arbitrary OS commands as root due to improper neutralization of special elements in the variable EMAIL_NOTIFICATION.TO in mGuard devices.
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-43386 | Source Info: info@cert.vde.com

PHOENIX CONTACT -- FL MGUARD 2102
Description: A low privileged remote attacker can read and write files as root due to improper neutralization of special elements in the variable EMAIL_RELAY_PASSWORD in mGuard devices.
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-43387 | Source Info: info@cert.vde.com

PHOENIX CONTACT -- FL MGUARD 2102
Description: A low privileged remote attacker with write permissions can reconfigure the SNMP service due to improper input validation.
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-43388 | Source Info: info@cert.vde.com

Microsoft -- Windows 11 Version 24H2
Description: Windows MSHTML Platform Spoofing Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-43461 | Source Info: secure@microsoft.com

Microsoft -- Azure CycleCloud 8.2.0
Description: Azure CycleCloud Remote Code Execution Vulnerability
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-43469 | Source Info: secure@microsoft.com

microsoft -- power_automate
Description: Microsoft Power Automate Desktop Remote Code Execution Vulnerability
Published: 2024-09-10 | CVSS Score: 8.5 | CVE-2024-43479 | Source Info: secure@microsoft.com

Gallagher -- Command Centre Server
Description: Inclusion of Functionality from Untrusted Control Sphere (CWE-829) in the Command Centre Server and Workstations may allow an attacker to perform Remote Code Execution (RCE). This issue affects: Command Centre Server and Command Centre Workstations 9.10 prior to vEL9.10.1530 (MR2), 9.00 prior to vEL9.00.2168 (MR4), 8.90 prior to vEL8.90.2155 (MR5), 8.80 prior to vEL8.80.1938 (MR6), all versions of 8.70 and prior.
Published: 2024-09-11 | CVSS Score: 8 | CVE-2024-43690 | Source Info: disclosures@gallagher.com

Siemens -- Automation License Manager V5
Description: A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6.0 (All versions), Automation License Manager V6.2 (All versions < V6.2 Upd3). Affected applications do not properly validate certain fields in incoming network packets on port 4410/tcp. This could allow an unauthenticated remote attacker to cause an integer overflow and crash of the application. This denial of service condition could prevent legitimate users from using subsequent products that rely on the affected application for license verification.
Published: 2024-09-10 | CVSS Score: 8.6 | CVE-2024-44087 | Source Info: productcert@siemens.com

Ivanti -- Workspace Control
Description: DLL hijacking in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-44103 | Source Info: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

Ivanti -- Workspace Control
Description: An incorrectly implemented authentication scheme that is subjected to a spoofing attack in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-44104 | Source Info: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

Ivanti -- Workspace Control
Description: Cleartext transmission of sensitive information in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to obtain OS credentials.
Published: 2024-09-10 | CVSS Score: 8.2 | CVE-2024-44105 | Source Info: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

Ivanti -- Workspace Control
Description: Insufficient server-side controls in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-44106 | Source Info: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

Ivanti -- Workspace Control
Description: DLL hijacking in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges and achieve arbitrary code execution.
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-44107 | Source Info: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

n/a -- n/a
Description: D-Link DI-7003GV2 v24.04.18D1, DI-7100G+V2 v24.04.18D1, DI-7100GV2 v24.04.18D1, DI-7200GV2 v24.04.18E1, DI-7300G+V2 v24.04.18D1, and DI-7400G+V2 v24.04.18D1 are vulnerable to Remote Command Execution. An attacker can achieve arbitrary command execution by sending a carefully crafted malicious string to the CGI function responsible for handling usb_paswd.asp.
Published: 2024-09-09 | CVSS Score: 8.8 | CVE-2024-44333 | Source Info: cve@mitre.org

n/a -- n/a
Description: D-Link DI-7003GV2 v24.04.18D1, DI-7100G+V2 v24.04.18D1, DI-7100GV2 v24.04.18D1, DI-7200GV2 v24.04.18E1, DI-7300G+V2 v24.04.18D1, and DI-7400G+V2 v24.04.18D1 are vulnerable to Remote Command Execution due to insufficient parameter filtering in the CGI handling function of upgrade_filter.asp.
Published: 2024-09-09 | CVSS Score: 8.8 | CVE-2024-44334 | Source Info: cve@mitre.org

n/a -- n/a
Description: D-Link DI-7003G v19.12.24A1, DI-7003GV2 v24.04.18D1, DI-7100G+V2 v24.04.18D1, DI-7100GV2 v24.04.18D1, DI-7200GV2 v24.04.18E1, DI-7300G+V2 v24.04.18D1, and DI-7400G+V2 v24.04.18D1 are vulnerable to Remote Command Execution (RCE) via version_upgrade.asp.
Published: 2024-09-09 | CVSS Score: 8.8 | CVE-2024-44335 | Source Info: cve@mitre.org

n/a -- n/a
Description: RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a code injection vulnerability via the getParams function in phpinf.php.
Published: 2024-09-11 | CVSS Score: 8.8 | CVE-2024-44570 | Source Info: cve@mitre.org

n/a -- n/a
Description: RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain incorrect access control in the mService function at phpinf.php.
Published: 2024-09-11 | CVSS Score: 8.8 | CVE-2024-44571 | Source Info: cve@mitre.org

n/a -- n/a
Description: RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the sys_mgmt function.
Published: 2024-09-11 | CVSS Score: 8.8 | CVE-2024-44572 | Source Info: cve@mitre.org

n/a -- n/a
Description: RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the sys_conf function.
Published: 2024-09-11 | CVSS Score: 8.8 | CVE-2024-44574 | Source Info: cve@mitre.org

n/a -- n/a
Description: RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the time_date function.
Published: 2024-09-11 | CVSS Score: 8.8 | CVE-2024-44577 | Source Info: cve@mitre.org

n/a -- n/a
Description: Shenzhen Haichangxing Technology Co., Ltd HCX H822 4G LTE Router M7628NNxISPxUIv2_v1.0.1557.15.35_P0 is vulnerable to Incorrect Access Control. Unauthenticated factory mode reset and command injection leads to information exposure and root shell access.
Published: 2024-09-10 | CVSS Score: 8 | CVE-2024-44667 | Source Info: cve@mitre.org

n/a -- n/a
Description: Vulnerability in Hathway Skyworth Router CM5100 v.4.1.1.24 allows a physically proximate attacker to obtain user credentials via SPI flash Firmware W25Q64JV.
Published: 2024-09-10 | CVSS Score: 8 | CVE-2024-44815 | Source Info: cve@mitre.org

external-secrets -- external-secrets
Description: External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It also has path/update verb of validatingwebhookconfigurations resources. This can be used to abuse the SA token of the deployment to retrieve or get ALL secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2.
Published: 2024-09-09 | CVSS Score: 8.3 | CVE-2024-45041 | Source Info: security-advisories@github.com

bareos -- bareos
Description: Bareos is open source software for backup, archiving, and recovery of data for operating systems. When a command ACL is in place and a user executes a command in bconsole using an abbreviation (i.e. "w" for "whoami") the ACL check did not apply to the full form (i.e. "whoami") but to the abbreviated form (i.e. "w"). If the command ACL is configured with negative ACL that should forbid using the "whoami" command, you could still use "w" or "who" as a command successfully. Fixes for the problem are shipped in Bareos versions 23.0.4, 22.1.6 and 21.1.11. If only positive command ACLs are used without any negation, the problem does not occur.
Published: 2024-09-10 | CVSS Score: 8.8 | CVE-2024-45044 | Source Info: security-advisories@github.com

n/a -- n/a
Description: An issue was discovered in WibuKey64.sys in WIBU-SYSTEMS WibuKey before v6.70 and fixed in v.6.70. An improper bounds check allows crafted packets to cause an arbitrary address write, resulting in kernel memory corruption.
Published: 2024-09-12 | CVSS Score: 8.8 | CVE-2024-45181 | Source Info: cve@mitre.org

AutomationDirect -- DirectLogic H2-DM1E
Description: The H2-DM1E PLC's authentication protocol appears to utilize either a custom encoding scheme or a challenge-response protocol. However, there's an observed anomaly in the H2-DM1E PLC's protocol execution, namely its acceptance of multiple distinct packets as valid authentication responses. This behavior deviates from standard security practices where a single, specific response or encoding pattern is expected for successful authentication.
Published: 2024-09-13 | CVSS Score: 8.8 | CVE-2024-45368 | Source Info: ics-cert@hq.dhs.gov

twigphp -- Twig
Description: Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.
Published: 2024-09-09 | CVSS Score: 8.5 | CVE-2024-45411 | Source Info: security-advisories@github.com

DamienHarper -- auditor-bundle
Description: auditor-bundle, formerly known as DoctrineAuditBundle, integrates auditor library into any Symfony 3.4+ application. Prior to 6.0.0, there is an unescaped entity property enabling Javascript injection. This is possible because %source_label% in twig macro is not escaped. Therefore script tags can be inserted and are executed. The vulnerability is fixed in 6.0.0.
Published: 2024-09-10 | CVSS Score: 8.2 | CVE-2024-45592 | Source Info: security-advisories@github.com

Rockwell Automation -- FactoryTalk Batch View
Description: CVE-2024-45823 IMPACT: An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.
Published: 2024-09-12 | CVSS Score: 8.1 | CVE-2024-45823 | Source Info: PSIRT@rockwellautomation.com

mindsdb -- mindsdb
Description: An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted 'SELECT WHERE' clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server.
Published: 2024-09-12 | CVSS Score: 8.8 | CVE-2024-45846 | Source Info: 6f8de1f0-f67e-45a6-b68f-98777fdb759c

mindsdb -- mindsdb
Description: An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted 'UPDATE' query containing Python code is run against a database created with the specified integration engine, the code will be passed to an eval function and executed on the server.
2024-09-12 8.8 CVE-2024-45847 6f8de1f0-f67e-45a6-b68f-98777fdb759c  mindsdb--mindsdb  An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the ChromaDB integration is installed on the server. If a specially crafted 'INSERT' query containing Python code is run against a database created with the ChromaDB engine, the code will be passed to an eval function and executed on the server. 2024-09-12 8.8 CVE-2024-45848 6f8de1f0-f67e-45a6-b68f-98777fdb759c  mindsdb--mindsdb  An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an 'INSERT' query can be used for list creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server. 2024-09-12 8.8 CVE-2024-45849 6f8de1f0-f67e-45a6-b68f-98777fdb759c  mindsdb--mindsdb  An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an 'INSERT' query can be used for site column creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server. 2024-09-12 8.8 CVE-2024-45850 6f8de1f0-f67e-45a6-b68f-98777fdb759c  mindsdb--mindsdb  An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an 'INSERT' query can be used for list item creation. 
If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server. 2024-09-12 8.8 CVE-2024-45851 6f8de1f0-f67e-45a6-b68f-98777fdb759c  mindsdb--mindsdb  Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with. 2024-09-12 8.8 CVE-2024-45852 6f8de1f0-f67e-45a6-b68f-98777fdb759c  n/a--n/a  Tenda FH451 v1.0.0.9 has a command injection vulnerability in the formexeCommand function i 2024-09-13 8.8 CVE-2024-46048 cve@mitre.org  zephyrproject-rtos--Zephyr  BT: Encryption procedure host vulnerability 2024-09-13 8.2 CVE-2024-5754 vulnerabilities@zephyrproject.org  glboy--Login with phone number  The Login with phone number plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.49. This is due to a lack of validation and missing capability check on user-supplied data in the 'lwp_update_password_action' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to any other role, including Administrator. The vulnerability was partially patched in version 1.7.40. The login with phone number pro plugin was required to exploit the vulnerability in versions 1.7.40 - 1.7.49. 2024-09-14 8.8 CVE-2024-6482 security@wordfence.comsecurity@wordfence.comsecurity@wordfence.com  Progress--LoadMaster  Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection.This issue affects: ?Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.0 (inclusive) ?  From 7.2.49.0 to 7.2.54.11 (inclusive) ?  
7.2.48.12 and all prior versions Multi-Tenant Hypervisor 7.1.35.11 and all prior versions ECS All prior versions to 7.2.60.0 (inclusive) 2024-09-12 8.4 CVE-2024-6658 security@progress.com  Baxter--Connex Health Portal  In Baxter Connex health portal released before 8/30/2024, an improper access control vulnerability has been found that could allow an unauthenticated attacker to gain unauthorized access to Connex portal's database and/or modify content. 2024-09-09 8.2 CVE-2024-6796 productsecurity@baxter.com  Unknown--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin  The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins 2024-09-13 8.8 CVE-2024-7129 contact@wpscan.com  xwp--Stream  The Stream plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.1. This is due to missing or incorrect nonce validation on the network_options_action() function. This makes it possible for unauthenticated attackers to update arbitrary options that can lead to DoS or privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-09-13 8.8 CVE-2024-7423 security@wordfence.comsecurity@wordfence.comsecurity@wordfence.com  wpdelicious--WP Delicious Recipe Plugin for Food Bloggers (formerly Delicious Recipes)  The WP Delicious - Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file movement and reading due to insufficient file path validation in the save_edit_profile_details() function in all versions up to, and including, 1.6.9. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). This can also lead to the reading of arbitrary files that may contain sensitive information like wp-config.php. 2024-09-11 8.1 CVE-2024-7626 security@wordfence.comsecurity@wordfence.comsecurity@wordfence.comsecurity@wordfence.com  PHOENIX CONTACT--FL MGUARD 2102  An low privileged remote attacker can execute OS commands with root privileges due to improper neutralization of special elements in user data. 2024-09-10 8.8 CVE-2024-7699 info@cert.vde.com  bitpressadmin--Bit File Manager 100% Free & Open Source File Manager and Code Editor for WordPress  The Bit File Manager - 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. 
2024-09-10 8.8 CVE-2024-7770 security@wordfence.comsecurity@wordfence.comsecurity@wordfence.comsecurity@wordfence.comsecurity@wordfence.comsecurity@wordfence.com  Unknown--Favicon Generator (CLOSED)  The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary files such as PHP on the server 2024-09-13 8.1 CVE-2024-7863 contact@wpscan.com  svenl77--Post Form Registration Form Profile Form for User Profiles Frontend Content Forms for User Submissions (UGC)  The Post Form - Registration Form - Profile Form for User Profiles - Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.8.11. This is due to plugin not properly restricting what users have access to set the default role on registration forms. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with a custom role that allows them to register as administrators. 2024-09-14 8.8 CVE-2024-8246 security@wordfence.comsecurity@wordfence.com  pickplugins--Post Grid and Gutenberg Blocks  The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in all versions 2.2.87 to 2.2.90. This is due to the plugin not properly restricting what user meta values can be updated and ensuring a form is active. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta to become an administrator. 
2024-09-11 8.8 CVE-2024-8253 security@wordfence.comsecurity@wordfence.comsecurity@wordfence.comsecurity@wordfence.com  vinoth06--Frontend Dashboard  The Frontend Dashboard plugin for WordPress is vulnerable to unauthorized code execution due to insufficient filtering on callable methods/functions via the ajax_request() function in all versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to call arbitrary functions that can be leverage for privilege escalation by changing user's passwords. 2024-09-10 8.8 CVE-2024-8268 security@wordfence.comsecurity@wordfence.comsecurity@wordfence.com  ivanti -- endpoint_manager  Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network. 2024-09-10 8.6 CVE-2024-8321 3c1d8aa1-5a33-4ea4-8992-aadd6440af75  ivanti -- endpoint_manager  Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality. 2024-09-10 8.8 CVE-2024-8322 3c1d8aa1-5a33-4ea4-8992-aadd6440af75  VICIdial--VICIdial  An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective. 2024-09-10 8.8 CVE-2024-8504 bbf0bd87-ece2-41be-b873-96928ee8fab9bbf0bd87-ece2-41be-b873-96928ee8fab9  google -- chrome  Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High) 2024-09-11 8.8 CVE-2024-8636 chrome-cve-admin@google.comchrome-cve-admin@google.com  google -- chrome  Use after free in Media Router in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 2024-09-11 8.8 CVE-2024-8637 chrome-cve-admin@google.comchrome-cve-admin@google.com  google -- chrome  Type Confusion in V8 in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) 2024-09-11 8.8 CVE-2024-8638 chrome-cve-admin@google.comchrome-cve-admin@google.com  google -- chrome  Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 2024-09-11 8.8 CVE-2024-8639 chrome-cve-admin@google.comchrome-cve-admin@google.com  gitlab -- gitlab  An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server. 2024-09-12 8.8 CVE-2024-8640 cve@gitlab.comcve@gitlab.com  mayurik -- best_house_rental_management_system  A vulnerability classified as critical has been found in SourceCodester Best House Rental Management System 1.0. Affected is the function delete_user/save_user of the file /admin_class.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. 2024-09-12 8.8 CVE-2024-8709 cna@vuldb.comcna@vuldb.comcna@vuldb.comcna@vuldb.comcna@vuldb.com  code-projects -- inventory_management  A vulnerability classified as critical was found in code-projects Inventory Management 1.0. 
Affected by this vulnerability is an unknown functionality of the file /model/viewProduct.php of the component Products Table Page. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. 2024-09-12 8.8 CVE-2024-8710 cna@vuldb.comcna@vuldb.comcna@vuldb.comcna@vuldb.comcna@vuldb.com  Synetics--Idoit pro  SQL injection vulnerability in idoit pro version 28. This vulnerability could allow an attacker to send a specially crafted query to the ID parameter in /var/www/html/src/classes/modules/api/model/cmdb/isys_api_model_cmdb_objects_by_relation.class.php and retrieve all the information stored in the database. 2024-09-12 8.8 CVE-2024-8749 cve-coordination@incibe.es  gitlab -- gitlab  An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT authentication is configured. 2024-09-12 8.1 CVE-2024-8754 cve@gitlab.com  OpenText--eDirectory  Possible NLDAP Denial of Service attack Vulnerability in eDirectory has been discovered in OpenText™ eDirectory before 9.2.4.0000. 2024-09-12 7.6 CVE-2021-22532 security@opentext.com  OpenText--eDirectory  Possible External Service Interaction attack in eDirectory has been discovered in OpenText™ eDirectory. This impact all version before 9.2.6.0000. 2024-09-12 7.4 CVE-2021-38133 security@opentext.com  benjaminprojas--WP Editor  The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. 
This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. 2024-09-13 7.2 CVE-2022-2446 security@wordfence.comsecurity@wordfence.com  n/a--n/a  Loftware Spectrum through 4.6 exposes Sensitive Information (Logs) to an Unauthorized Actor. 2024-09-10 7.5 CVE-2023-37232 cve@mitre.orgcve@mitre.org  n/a--n/a  Loftware Spectrum through 4.6 has unprotected JMX Registry. 2024-09-10 7.5 CVE-2023-37234 cve@mitre.orgcve@mitre.org  Cisco--Cisco IOS XR Software  A vulnerability in the handling of specific Ethernet frames by Cisco IOS XR Software for various Cisco Network Convergence System (NCS) platforms could allow an unauthenticated, adjacent attacker to cause critical priority packets to be dropped, resulting in a denial of service (DoS) condition. This vulnerability is due to incorrect classification of certain types of Ethernet frames that are received on an interface. An attacker could exploit this vulnerability by sending specific types of Ethernet frames to or through the affected device. A successful exploit could allow the attacker to cause control plane protocol relationships to fail, resulting in a DoS condition. For more information, see the section of this advisory. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. 2024-09-11 7.4 CVE-2024-20317 ykramarz@cisco.com  Cisco--Cisco IOS XR Software  A vulnerability in the segment routing feature for the Intermediate System-to-Intermediate System (IS-IS) protocol of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. 
This vulnerability is due to insufficient input validation of ingress IS-IS packets. An attacker could exploit this vulnerability by sending specific IS-IS packets to an affected device after forming an adjacency. A successful exploit could allow the attacker to cause the IS-IS process on all affected devices that are participating in the Flexible Algorithm to crash and restart, resulting in a DoS condition. Note: The IS-IS protocol is a routing protocol. To exploit this vulnerability, an attacker must be Layer 2-adjacent to the affected device and must have formed an adjacency. This vulnerability affects segment routing for IS-IS over IPv4 and IPv6 control planes as well as devices that are configured as level 1, level 2, or multi-level routing IS-IS type. 2024-09-11 7.4 CVE-2024-20406 ykramarz@cisco.com  Cisco--Cisco Meraki Systems Manager Agent  A vulnerability in Cisco Meraki Systems Manager (SM) Agent for Windows could allow an authenticated, local attacker to execute arbitrary code with elevated privileges.&nbsp; This vulnerability is due to incorrect handling of directory search paths at runtime. A low-privileged attacker could exploit this vulnerability by placing both malicious configuration files and malicious DLL files on an affected system, which would read and execute the files when Cisco Meraki SM launches on startup. A successful exploit could allow the attacker to execute arbitrary code on the affected system with SYSTEM privileges.&nbsp; 2024-09-12 7.3 CVE-2024-20430 ykramarz@cisco.com  Cisco--Cisco IOS XR Software  Multiple vulnerabilities in Cisco Routed PON Controller Software, which runs as a docker container on hardware that is supported by Cisco IOS XR Software, could allow an authenticated, remote attacker with Administrator-level privileges on the PON Manager or direct access to the PON Manager MongoDB instance to perform command injection attacks on the PON Controller container and execute arbitrary commands as root. 
These vulnerabilities are due to insufficient validation of arguments that are passed to specific configuration commands. An attacker could exploit these vulnerabilities by including crafted input as the argument of an affected configuration command. A successful exploit could allow the attacker to execute arbitrary commands as root on the PON controller. 2024-09-11 7.2 CVE-2024-20483 ykramarz@cisco.com  Open-Xchange GmbH--OX Dovecot Pro  Very large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up "full_value" buffer out of the smaller chunks. The full_value buffer has no size limit, so large headers can cause large memory usage. It doesn't matter whether it's a single long header line, or a single header split into multiple lines. This bug exists in all Dovecot versions. Incoming mails typically have some size limits set by MTA, so even largest possible header size may still fit into Dovecot's vsz_limit. So attackers probably can't DoS a victim user this way. A user could APPEND larger mails though, allowing them to DoS themselves (although maybe cause some memory issues for the backend in general). One can implement restrictions on headers on MTA component preceding Dovecot. No publicly available exploits are known. 2024-09-10 7.5 CVE-2024-23185 security@open-xchange.com  Google--Android  In DevmemIntPFNotify of devicemem_server.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-09-11 7.4 CVE-2024-23716 security@android.com  Refuel--autolabel  An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. 
If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it. 2024-09-12 7.8 CVE-2024-27320 6f8de1f0-f67e-45a6-b68f-98777fdb759c  Refuel--autolabel  An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it. 2024-09-12 7.8 CVE-2024-27321 6f8de1f0-f67e-45a6-b68f-98777fdb759c  samsung -- exynos_980_firmware  An issue was discovered in Samsung Mobile Processor Exynos 980, Exynos 850, Exynos 1280, Exynos 1380, and Exynos 1330. In the function slsi_get_scan_extra_ies(), there is no input validation check on default_ies coming from userspace, which can lead to a heap overwrite. 2024-09-09 7.8 CVE-2024-27383 cve@mitre.org  samsung -- exynos_1080_firmware  An issue was discovered in Samsung Mobile Processor Exynos 980, Exynos 850, Exynos 1280, Exynos 1380, and Exynos 1330. In the function slsi_rx_range_done_ind(), there is no input validation check on rtt_id coming from userspace, which can lead to a heap overwrite. 2024-09-09 7.8 CVE-2024-27387 cve@mitre.orgcve@mitre.org  Microsoft--Windows 11 Version 24H2  Windows Security Zone Mapping Security Feature Bypass Vulnerability 2024-09-10 7.8 CVE-2024-30073 secure@microsoft.com  n/a--n/a  An issue was discovered in Samsung Mobile Processor Exynos 1480, Exynos 2400. The xclipse amdgpu driver has a reference count bug. This can lead to a use after free. 2024-09-10 7.8 CVE-2024-31960 cve@mitre.orgcve@mitre.org  ivanti -- endpoint_manager  An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. 
2024-09-12 7.2 CVE-2024-32840 support@hackerone.com  ivanti -- endpoint_manager  An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. 2024-09-12 7.2 CVE-2024-32842 support@hackerone.com  ivanti -- endpoint_manager  An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. 2024-09-12 7.2 CVE-2024-32843 support@hackerone.com  ivanti -- endpoint_manager  An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. 2024-09-12 7.2 CVE-2024-32845 support@hackerone.com  ivanti -- endpoint_manager  An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. 2024-09-12 7.2 CVE-2024-32846 support@hackerone.com  ivanti -- endpoint_manager  An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. 2024-09-12 7.2 CVE-2024-32848 support@hackerone.com  Fortinet--FortiClientEMS  An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in Fortinet FortiClientEMS 7.2.0 through 7.2.4, 7.0.0 through 7.0.12 may allow an unauthenticated attacker to execute limited and temporary operations on the underlying database via crafted requests. 2024-09-10 7.3 CVE-2024-33508 psirt@fortinet.com  adobe -- illustrator  Illustrator versions 28.6, 27.9.5 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-09-13 7.8 CVE-2024-34121 psirt@adobe.com  ivanti -- endpoint_manager  An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. 2024-09-12 7.2 CVE-2024-34779 support@hackerone.com  ivanti -- endpoint_manager  An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. 2024-09-12 7.2 CVE-2024-34783 support@hackerone.com  ivanti -- endpoint_manager  An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. 2024-09-12 7.2 CVE-2024-34785 support@hackerone.com  Microsoft--Microsoft SQL Server 2017 (GDR)  Microsoft SQL Server Native Scoring Information Disclosure Vulnerability 2024-09-10 7.1 CVE-2024-37337 secure@microsoft.com  Microsoft--Microsoft SQL Server 2019 (CU 28)  Microsoft SQL Server Native Scoring Information Disclosure Vulnerability 2024-09-10 7.1 CVE-2024-37342 secure@microsoft.com  n/a--n/a  Arbitrary File Read vulnerability in Xi'an Daxi Information Technology Co., Ltd OfficeWeb365 v.7.18.23.0 and v8.6.1.0 allows a remote attacker to obtain sensitive information via the "Pic/Indexes" interface 2024-09-10 7.5 CVE-2024-37728 cve@mitre.orgcve@mitre.org  Microsoft--Microsoft SQL Server 2017 (GDR)  Microsoft SQL Server Native Scoring Information Disclosure Vulnerability 2024-09-10 7.1 CVE-2024-37966 secure@microsoft.com  microsoft -- windows_10_1507  Windows Installer Elevation of Privilege Vulnerability 2024-09-10 7.8 CVE-2024-38014 secure@microsoft.com  Microsoft--Windows 10 Version 1809  PowerShell Elevation of Privilege Vulnerability 2024-09-10 7.8 CVE-2024-38046 secure@microsoft.com  
Microsoft--Windows 10 Version 1809 | Windows Network Address Translation (NAT) Remote Code Execution Vulnerability | 2024-09-10 | 7.5 | CVE-2024-38119 | secure@microsoft.com
Microsoft--Azure Network Watcher VM Extension | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | 2024-09-10 | 7.1 | CVE-2024-38188 | secure@microsoft.com
microsoft -- office | Microsoft Publisher Security Feature Bypass Vulnerability | 2024-09-10 | 7.3 | CVE-2024-38226 | secure@microsoft.com
Microsoft--Microsoft SharePoint Enterprise Server 2016 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 2024-09-10 | 7.2 | CVE-2024-38227 | secure@microsoft.com
Microsoft--Microsoft SharePoint Enterprise Server 2016 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 2024-09-10 | 7.2 | CVE-2024-38228 | secure@microsoft.com
Microsoft--Windows 10 Version 1607 | Windows Networking Denial of Service Vulnerability | 2024-09-10 | 7.5 | CVE-2024-38232 | secure@microsoft.com
Microsoft--Windows 10 Version 1607 | Windows Networking Denial of Service Vulnerability | 2024-09-10 | 7.5 | CVE-2024-38233 | secure@microsoft.com
Microsoft--Windows Server 2019 | DHCP Server Service Denial of Service Vulnerability | 2024-09-10 | 7.5 | CVE-2024-38236 | secure@microsoft.com
Microsoft--Windows 10 Version 1809 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38237 | secure@microsoft.com
Microsoft--Windows 10 Version 1809 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38238 | secure@microsoft.com
Microsoft--Windows 10 Version 1809 | Windows Kerberos Elevation of Privilege Vulnerability | 2024-09-10 | 7.2 | CVE-2024-38239 | secure@microsoft.com
Microsoft--Windows 10 Version 1809 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38241 | secure@microsoft.com
Microsoft--Windows 10 Version 1809 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38242 | secure@microsoft.com
Microsoft--Windows 10 Version 1809 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38243 | secure@microsoft.com
Microsoft--Windows 10 Version 1809 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38244 | secure@microsoft.com
Microsoft--Windows 10 Version 1809 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38245 | secure@microsoft.com
Microsoft--Windows Server 2022 | Win32k Elevation of Privilege Vulnerability | 2024-09-10 | 7 | CVE-2024-38246 | secure@microsoft.com
Microsoft--Windows 10 Version 1809 | Windows Graphics Component Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38247 | secure@microsoft.com
Microsoft--Windows Server 2022 | Windows Storage Elevation of Privilege Vulnerability | 2024-09-10 | 7 | CVE-2024-38248 | secure@microsoft.com
Microsoft--Windows 10 Version 1809 | Windows Graphics Component Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38249 | secure@microsoft.com
Microsoft--Windows 10 Version 1809 | Windows Graphics Component Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38250 | secure@microsoft.com
microsoft -- windows_10_1607 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38252 | secure@microsoft.com
microsoft -- windows_11_21h2 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | 2024-09-10 | 7.8 | CVE-2024-38253 | secure@microsoft.com
microsoft -- windows_10_1607 | Microsoft AllJoyn API Information Disclosure Vulnerability | 2024-09-10 | 7.5 | CVE-2024-38257 | secure@microsoft.com
microsoft -- windows_server_2008 | Windows Remote Desktop Licensing Service Information Disclosure Vulnerability | 2024-09-10 | 7.5 | CVE-2024-38258 | secure@microsoft.com
microsoft -- windows_server_2008 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | 2024-09-10 | 7.5 | CVE-2024-38263 | secure@microsoft.com
Spring--Spring | Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: the web application uses RouterFunctions to serve static resources, and resource handling is explicitly configured with a FileSystemResource location. However, malicious requests are blocked and rejected when any of the following is true: the Spring Security HTTP Firewall (https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html) is in use, or the application runs on Tomcat or Jetty. | 2024-09-13 | 7.5 | CVE-2024-38816 | security@vmware.com
adobe -- media_encoder | Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-39377 | psirt@adobe.com
Adobe--Audition | Audition versions 24.4.1, 23.6.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-11 | 7.8 | CVE-2024-39378 | psirt@adobe.com
adobe -- after_effects | After Effects versions 23.6.6, 24.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-39380 | psirt@adobe.com
adobe -- after_effects | After Effects versions 23.6.6, 24.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-39381 | psirt@adobe.com
Adobe--Premiere Pro | Premiere Pro versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-09-13 | 7.8 | CVE-2024-39384 | psirt@adobe.com
Dell--PowerScale InsightIQ | Dell PowerScale InsightIQ, versions 5.0 through 5.1, contains a File or Directories Accessible to External Parties vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability to read, modify, and delete arbitrary files. | 2024-09-10 | 7.3 | CVE-2024-39581 | security_alert@emc.com
n/a--n/a | An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A vulnerability has been identified in the authentication and authorization process of the endpoint responsible for altering the metadata of an emergency access. It permits an attacker with granted emergency access to escalate their privileges by changing the access level and modifying the wait time. Consequently, the attacker can gain full control over the vault (when only intended to have read access) while bypassing the necessary wait period. | 2024-09-13 | 7.5 | CVE-2024-39924 | cve@mitre.org
n/a--n/a | An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. It lacks an offboarding process for members who leave an organization. As a result, the shared organization key is not rotated when a member departs.
Consequently, the departing member, whose access should be revoked, retains a copy of the organization key. Additionally, the application fails to adequately protect some encrypted data stored on the server. Consequently, an authenticated user could gain unauthorized access to encrypted data of any organization, even if the user is not a member of the targeted organization. However, the user would need to know the corresponding organizationId. Hence, if a user (whose access to an organization has been revoked) already possesses the organization key, that user could use the key to decrypt the leaked data. 2024-09-13 7.5 CVE-2024-39925 cve@mitre.orgcve@mitre.org  n/a--n/a  An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A stored cross-site scripting (XSS) or, due to the default CSP, HTML injection vulnerability has been discovered in the admin dashboard. This potentially allows an authenticated attacker to inject malicious code into the dashboard, which is then executed or rendered in the context of an administrator's browser when viewing the injected content. However, it is important to note that the default Content Security Policy (CSP) of the application blocks most exploitation paths, significantly mitigating the potential impact. 2024-09-13 7.5 CVE-2024-39926 cve@mitre.orgcve@mitre.org  Google--Android  In wifi_item_edit_content of styles.xml , there is a possible FRP bypass due to Missing check for FRP state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-09-11 7.8 CVE-2024-40650 security@android.comsecurity@android.com  Google--Android  In onCreate of SettingsHomepageActivity.java, there is a possible way to access the Settings app while the device is provisioning due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is needed for exploitation. 2024-09-11 7.3 CVE-2024-40652 security@android.comsecurity@android.com  Google--Android  In bindAndGetCallIdentification of CallScreeningServiceHelper.java, there is a possible way to maintain a while-in-use permission in the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. 2024-09-11 7.8 CVE-2024-40655 security@android.comsecurity@android.com  Google--Android  In addPreferencesForType of AccountTypePreferenceLoader.java, there is a possible way to disable apps for other users due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-09-11 7.8 CVE-2024-40657 security@android.comsecurity@android.com  Google--Android  In getConfig of SoftVideoDecoderOMXComponent.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-09-11 7.8 CVE-2024-40658 security@android.comsecurity@android.com  Google--Android  In scheme of Uri.java, there is a possible way to craft a malformed Uri object due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-09-11 7.8 CVE-2024-40662 security@android.comsecurity@android.com  Siemens--Tecnomatix Plant Simulation V2302  A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0015), Tecnomatix Plant Simulation V2404 (All versions < V2404.0004). The affected applications contain a stack based overflow vulnerability while parsing specially crafted SPP files. 
This could allow an attacker to execute code in the context of the current process. 2024-09-10 7.8 CVE-2024-41170 productcert@siemens.com  Adobe--Illustrator  Illustrator versions 28.6, 27.9.5 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-09-13 7.8 CVE-2024-41857 psirt@adobe.com  adobe -- after_effects  After Effects versions 23.6.6, 24.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-09-13 7.8 CVE-2024-41859 psirt@adobe.com  Adobe--Acrobat Reader  Acrobat Reader versions 24.002.21005, 24.001.30159, 20.005.30655, 24.003.20054 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-09-13 7.8 CVE-2024-41869 psirt@adobe.com  adobe -- media_encoder  Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-09-13 7.8 CVE-2024-41871 psirt@adobe.com  Dell--Wyse Proprietary OS (Modern ThinOS)  Dell ThinOS versions 2402 and 2405, contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. 
An unauthenticated attacker with physical access could potentially exploit this vulnerability, leading to Elevation of privileges. 2024-09-10 7.6 CVE-2024-42427 security_alert@emc.com  n/a--n/a  SQL Injection vulnerability in Ellevo v.6.2.0.38160 allows a remote attacker to obtain sensitive information via the /api/mob/instrucao/conta/destinatarios component. 2024-09-11 7.5 CVE-2024-42760 cve@mitre.orgcve@mitre.org  microsoft -- windows_server_2008  Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability 2024-09-10 7.1 CVE-2024-43454 secure@microsoft.com  Microsoft--Windows 11 Version 24H2  Windows Setup and Deployment Elevation of Privilege Vulnerability 2024-09-10 7.8 CVE-2024-43457 secure@microsoft.com  Microsoft--Windows 10 Version 1607  Windows Networking Information Disclosure Vulnerability 2024-09-10 7.7 CVE-2024-43458 secure@microsoft.com  Microsoft--Microsoft Office 2019  Microsoft Office Visio Remote Code Execution Vulnerability 2024-09-10 7.8 CVE-2024-43463 secure@microsoft.com  microsoft -- sharepoint_server  Microsoft SharePoint Server Remote Code Execution Vulnerability 2024-09-10 7.2 CVE-2024-43464 secure@microsoft.com  microsoft -- 365_apps  Microsoft Excel Elevation of Privilege Vulnerability 2024-09-10 7.8 CVE-2024-43465 secure@microsoft.com  microsoft -- sharepoint_server  Microsoft SharePoint Server Denial of Service Vulnerability 2024-09-10 7.5 CVE-2024-43466 secure@microsoft.com  Microsoft--Windows Server 2019  Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability 2024-09-10 7.5 CVE-2024-43467 secure@microsoft.com  Microsoft--Azure Network Watcher VM Extension  Azure Network Watcher VM Agent Elevation of Privilege Vulnerability 2024-09-10 7.3 CVE-2024-43470 secure@microsoft.com  Microsoft--Microsoft SQL Server 2017 (GDR)  Microsoft SQL Server Information Disclosure Vulnerability 2024-09-10 7.6 CVE-2024-43474 secure@microsoft.com  microsoft -- windows_server_2008  Microsoft Windows Admin Center 
Information Disclosure Vulnerability 2024-09-10 7.3 CVE-2024-43475 secure@microsoft.com  Microsoft--Microsoft AutoUpdate for Mac  Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability 2024-09-10 7.8 CVE-2024-43492 secure@microsoft.com  Microsoft--Windows 11 version 22H2  Windows libarchive Remote Code Execution Vulnerability 2024-09-10 7.3 CVE-2024-43495 secure@microsoft.com  Siemens--SIMATIC S7-200 SMART CPU CR40  A vulnerability has been identified in SIMATIC S7-200 SMART CPU CR40 (6ES7288-1CR40-0AA0) (All versions), SIMATIC S7-200 SMART CPU CR60 (6ES7288-1CR60-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR20 (6ES7288-1SR20-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR20 (6ES7288-1SR20-0AA1) (All versions), SIMATIC S7-200 SMART CPU SR30 (6ES7288-1SR30-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR30 (6ES7288-1SR30-0AA1) (All versions), SIMATIC S7-200 SMART CPU SR40 (6ES7288-1SR40-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR40 (6ES7288-1SR40-0AA1) (All versions), SIMATIC S7-200 SMART CPU SR60 (6ES7288-1SR60-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR60 (6ES7288-1SR60-0AA1) (All versions), SIMATIC S7-200 SMART CPU ST20 (6ES7288-1ST20-0AA0) (All versions), SIMATIC S7-200 SMART CPU ST20 (6ES7288-1ST20-0AA1) (All versions), SIMATIC S7-200 SMART CPU ST30 (6ES7288-1ST30-0AA0) (All versions), SIMATIC S7-200 SMART CPU ST30 (6ES7288-1ST30-0AA1) (All versions), SIMATIC S7-200 SMART CPU ST40 (6ES7288-1ST40-0AA0) (All versions), SIMATIC S7-200 SMART CPU ST40 (6ES7288-1ST40-0AA1) (All versions), SIMATIC S7-200 SMART CPU ST60 (6ES7288-1ST60-0AA0) (All versions), SIMATIC S7-200 SMART CPU ST60 (6ES7288-1ST60-0AA1) (All versions). Affected devices do not properly handle TCP packets with an incorrect structure. This could allow an unauthenticated remote attacker to cause a denial of service condition. To restore normal operations, the network cable of the device needs to be unplugged and re-plugged. 
2024-09-10 7.5 CVE-2024-43647 productcert@siemens.com  adobe -- photoshop  Photoshop Desktop versions 24.7.4, 25.11 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-09-13 7.8 CVE-2024-43756 psirt@adobe.com  adobe -- illustrator  Illustrator versions 28.6, 27.9.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-09-13 7.8 CVE-2024-43758 psirt@adobe.com  adobe -- photoshop  Photoshop Desktop versions 24.7.4, 25.11 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-09-13 7.8 CVE-2024-43760 psirt@adobe.com  Mohammad Arif--Opor Ayam  Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Mohammad Arif Opor Ayam allows Reflected XSS.This issue affects Opor Ayam: from n/a through 1.8. 2024-09-15 7.1 CVE-2024-44053 audit@patchstack.com  Jennifer Hall--Filmix  Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jennifer Hall Filmix allows Reflected XSS.This issue affects Filmix: from n/a through 1.1. 2024-09-15 7.1 CVE-2024-44060 audit@patchstack.com  n/a--n/a  SeaCMS v13.1 was discovered to an arbitrary file read vulnerability via the component admin_safe.php. 2024-09-09 7.5 CVE-2024-44720 cve@mitre.org  n/a--n/a  AutoCMS v5.4 was discovered to contain a PHP code injection vulnerability via the txtsite_url parameter at /admin/site_add.php. 
This vulnerability allows attackers to execute arbitrary PHP code via injecting a crafted value. 2024-09-09 7.2 CVE-2024-44724 cve@mitre.org  n/a--n/a  AutoCMS v5.4 was discovered to contain a SQL injection vulnerability via the sidebar parameter at /admin/robot.php. 2024-09-09 7.2 CVE-2024-44725 cve@mitre.org  n/a--n/a  phpok v3.0 was discovered to contain an arbitrary file read vulnerability via the component /autoload/file.php. 2024-09-10 7.5 CVE-2024-44867 cve@mitre.orgcve@mitre.org  mozilo -- mozilocms  An arbitrary file upload vulnerability in the component /admin/index.php of moziloCMS v3.0 allows attackers to execute arbitrary code via uploading a crafted file. 2024-09-10 7.2 CVE-2024-44871 cve@mitre.orgcve@mitre.org  linux -- linux_kernel  In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix data corruption for degraded array with slow disk read_balance() will avoid reading from slow disks as much as possible, however, if valid data only lands in slow disks, and a new normal disk is still in recovery, unrecovered data can be read: raid1_read_request read_balance raid1_should_read_first -> return false choose_best_rdev -> normal disk is not recovered, return -1 choose_bb_rdev -> missing the checking of recovery, return the normal disk -> read unrecovered data Root cause is that the checking of recovery is missing in choose_bb_rdev(). Hence add such checking to fix the problem. Also fix similar problem in choose_slow_rdev().
2024-09-11
7.1
CVE-2024-45023
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: s390/dasd: fix error recovery leading to data corruption on ESE devices Extent Space Efficient (ESE) or thin provisioned volumes need to be formatted on demand during usual IO processing. The dasd_ese_needs_format function checks for error codes that signal the non existence of a proper track format. The check for incorrect length is too imprecise since other error cases leading to transport of insufficient data also have this flag set. This might lead to data corruption in certain error cases for example during a storage server warmstart. Fix by removing the check for incorrect length and replacing by explicitly checking for invalid track format in transport mode. Also remove the check for file protected since this is not a valid ESE handling case.
2024-09-11
7.8
CVE-2024-45026
416baaa9-dc9f-4396-8d5f-8c081fb06d67

adobe — photoshop 
Photoshop Desktop versions 24.7.4, 25.11 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
2024-09-13
7.8
CVE-2024-45108
psirt@adobe.com 

adobe — photoshop 
Photoshop Desktop versions 24.7.4, 25.11 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
2024-09-13
7.8
CVE-2024-45109
psirt@adobe.com 

Adobe–Acrobat Reader 
Acrobat Reader versions 24.002.21005, 24.001.30159, 20.005.30655, 24.003.20054 and earlier are affected by a Type Confusion vulnerability that could result in arbitrary code execution in the context of the current user. This issue occurs when a resource is accessed using a type that is not compatible with the actual object type, leading to a logic error that an attacker could exploit. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
2024-09-13
7.8
CVE-2024-45112
psirt@adobe.com 

adobe — coldfusion 
ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access and affect the integrity of the application. Exploitation of this issue does not require user interaction.
2024-09-13
7.5
CVE-2024-45113
psirt@adobe.com 

pillarjs–path-to-regexp 
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
2024-09-09
7.5
CVE-2024-45296
security-advisories@github.com

Fortinet–FortiSOAR 
An improper authorization vulnerability [CWE-285] in FortiSOAR version 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2, 7.0.0 through 7.0.3 change password endpoint may allow an authenticated attacker to perform a brute force attack on users and administrators password via crafted HTTP requests.
2024-09-11
7.5
CVE-2024-45327
psirt@fortinet.com 

Spiffy Plugins–Spiffy Calendar 
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Spiffy Plugins Spiffy Calendar allows Reflected XSS. This issue affects Spiffy Calendar: from n/a through 4.9.13.
2024-09-15
7.1
CVE-2024-45458
audit@patchstack.com 

PickPlugins–Product Slider for WooCommerce 
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PickPlugins Product Slider for WooCommerce allows Reflected XSS. This issue affects Product Slider for WooCommerce: from n/a through 1.13.50.
2024-09-15
7.1
CVE-2024-45459
audit@patchstack.com 

expressjs–body-parser 
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
2024-09-10
7.5
CVE-2024-45590
security-advisories@github.com

directus–directus 
Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of the last authenticated user via OpenID or OAuth2 where the authentication URL did not include a redirect query string. This happens because on that endpoint, for both OpenID and OAuth2, Directus is using the respond middleware, which by default will try to cache GET requests that meet some conditions. However, those conditions do not account for this scenario, in which an unauthenticated request returns user credentials. This vulnerability is fixed in 10.13.3 and 11.1.0.
2024-09-10
7.4
CVE-2024-45596
security-advisories@github.com

PgPool Global Development Group–Pgpool-II 
Exposure of sensitive information due to incompatible policies issue exists in Pgpool-II. If a database user accesses a query cache, table data unauthorized for the user may be retrieved.
2024-09-12
7.5
CVE-2024-45624
vultures@jpcert.or.jp

Rockwell Automation–5015-U8IHFT 
CVE-2024-45825 IMPACT A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.
2024-09-12
7.5
CVE-2024-45825
PSIRT@rockwellautomation.com 

mindsdb–mindsdb 
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction.
2024-09-12
7.1
CVE-2024-45853
6f8de1f0-f67e-45a6-b68f-98777fdb759c 

mindsdb–mindsdb 
Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it.
2024-09-12
7.1
CVE-2024-45854
6f8de1f0-f67e-45a6-b68f-98777fdb759c 

mindsdb–mindsdb 
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it.
2024-09-12
7.1
CVE-2024-45855
6f8de1f0-f67e-45a6-b68f-98777fdb759c 

Cleanlab–cleanlab 
Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to run arbitrary code on an end user’s system when the data directory is loaded.
2024-09-12
7.8
CVE-2024-45857
6f8de1f0-f67e-45a6-b68f-98777fdb759c 

gitlab — gitlab 
An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates.
2024-09-12
7.5
CVE-2024-4660
cve@gitlab.com

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: scsi: aacraid: Fix double-free on probe failure aac_probe_one() calls hardware-specific init functions through the aac_driver_ident::init pointer, all of which eventually call down to aac_init_adapter(). If aac_init_adapter() fails after allocating memory for aac_dev::queues, it frees the memory but does not clear that member. After the hardware-specific init function returns an error, aac_probe_one() goes down an error path that frees the memory pointed to by aac_dev::queues, resulting in a double-free.
2024-09-13
7.8
CVE-2024-46673
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: st: fix probed platform device ref count on probe error path The probe function never performs any platform device allocation, thus error path "undo_platform_dev_alloc" is entirely bogus. It drops the reference count from the platform device being probed. If error path is triggered, this will lead to unbalanced device reference counts and premature release of device resources, thus possible use-after-free when releasing remaining devm-managed resources.
2024-09-13
7.8
CVE-2024-46674
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: drm/xe: prevent UAF around preempt fence The fence lock is part of the queue, therefore in the current design anything locking the fence should then also hold a ref to the queue to prevent the queue from being freed. However, currently it looks like we signal the fence and then drop the queue ref, but if something is waiting on the fence, the waiter is kicked to wake up at some later point, where upon waking up it first grabs the lock before checking the fence state. But if we have already dropped the queue ref, then the lock might already be freed as part of the queue, leading to uaf. To prevent this, move the fence lock into the fence itself so we don’t run into lifetime issues. Alternative might be to have device level lock, or only release the queue in the fence release callback, however that might require pushing to another worker to avoid locking issues. References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2454 References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2342 References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2020 (cherry picked from commit 7116c35aacedc38be6d15bd21b2fc936eed0008b)
2024-09-13
7.8
CVE-2024-46683
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk() [BUG] There is an internal report that KASAN is reporting use-after-free, with the following backtrace: BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs] Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45 CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] Call Trace: dump_stack_lvl+0x61/0x80 print_address_description.constprop.0+0x5e/0x2f0 print_report+0x118/0x216 kasan_report+0x11d/0x1f0 btrfs_check_read_bio+0xa68/0xb70 [btrfs] process_one_work+0xce0/0x12a0 worker_thread+0x717/0x1250 kthread+0x2e3/0x3c0 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x11/0x20 Allocated by task 20917: kasan_save_stack+0x37/0x60 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x7d/0x80 kmem_cache_alloc_noprof+0x16e/0x3e0 mempool_alloc_noprof+0x12e/0x310 bio_alloc_bioset+0x3f0/0x7a0 btrfs_bio_alloc+0x2e/0x50 [btrfs] submit_extent_page+0x4d1/0xdb0 [btrfs] btrfs_do_readpage+0x8b4/0x12a0 [btrfs] btrfs_readahead+0x29a/0x430 [btrfs] read_pages+0x1a7/0xc60 page_cache_ra_unbounded+0x2ad/0x560 filemap_get_pages+0x629/0xa20 filemap_read+0x335/0xbf0 vfs_read+0x790/0xcb0 ksys_read+0xfd/0x1d0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 20917: kasan_save_stack+0x37/0x60 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x50 __kasan_slab_free+0x4b/0x60 kmem_cache_free+0x214/0x5d0 bio_free+0xed/0x180 end_bbio_data_read+0x1cc/0x580 [btrfs] btrfs_submit_chunk+0x98d/0x1880 [btrfs] btrfs_submit_bio+0x33/0x70 [btrfs] submit_one_bio+0xd4/0x130 [btrfs] submit_extent_page+0x3ea/0xdb0 [btrfs] btrfs_do_readpage+0x8b4/0x12a0 [btrfs] btrfs_readahead+0x29a/0x430 [btrfs] read_pages+0x1a7/0xc60 
page_cache_ra_unbounded+0x2ad/0x560 filemap_get_pages+0x629/0xa20 filemap_read+0x335/0xbf0 vfs_read+0x790/0xcb0 ksys_read+0xfd/0x1d0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [CAUSE] Although I cannot reproduce the error, the report itself is good enough to pin down the cause. The call trace is the regular endio workqueue context, but the free-by-task trace is showing that during btrfs_submit_chunk() we already hit a critical error, and is calling btrfs_bio_end_io() to error out. And the original endio function called bio_put() to free the whole bio. This means a double freeing thus causing use-after-free, e.g.: 1. Enter btrfs_submit_bio() with a read bio The read bio length is 128K, crossing two 64K stripes. 2. The first run of btrfs_submit_chunk() 2.1 Call btrfs_map_block(), which returns 64K 2.2 Call btrfs_split_bio() Now there are two bios, one referring to the first 64K, the other referring to the second 64K. 2.3 The first half is submitted. 3. The second run of btrfs_submit_chunk() 3.1 Call btrfs_map_block(), which by somehow failed Now we call btrfs_bio_end_io() to handle the error 3.2 btrfs_bio_end_io() calls the original endio function Which is end_bbio_data_read(), and it calls bio_put() for the original bio. Now the original bio is freed. 4. The submitted first 64K bio finished Now we call into btrfs_check_read_bio() and tries to advance the bio iter. But since the original bio (thus its iter) is already freed, we trigger the above use-after free. And even if the memory is not poisoned/corrupted, we will later call the original endio function, causing a double freeing. [FIX] Instead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(), which has the extra check on split bios and do the pr —truncated—
2024-09-13
7.8
CVE-2024-46687
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix potential UAF in nfsd4_cb_getattr_release Once we drop the delegation reference, the fields embedded in it are no longer safe to access. Do that last.
2024-09-13
7.8
CVE-2024-46696
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Disable preemption while updating GPU stats We forgot to disable preemption around the write_seqcount_begin/end() pair while updating GPU stats: [ ] WARNING: CPU: 2 PID: 12 at include/linux/seqlock.h:221 __seqprop_assert.isra.0+0x128/0x150 [v3d] [ ] Workqueue: v3d_bin drm_sched_run_job_work [gpu_sched] <…snip…> [ ] Call trace: [ ] __seqprop_assert.isra.0+0x128/0x150 [v3d] [ ] v3d_job_start_stats.isra.0+0x90/0x218 [v3d] [ ] v3d_bin_job_run+0x23c/0x388 [v3d] [ ] drm_sched_run_job_work+0x520/0x6d0 [gpu_sched] [ ] process_one_work+0x62c/0xb48 [ ] worker_thread+0x468/0x5b0 [ ] kthread+0x1c4/0x1e0 [ ] ret_from_fork+0x10/0x20 Fix it.
2024-09-13
7.8
CVE-2024-46699
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/mes: fix mes ring buffer overflow wait memory room until enough before writing mes packets to avoid ring buffer overflow. v2: squash in sched_hw_submission fix (cherry picked from commit 34e087e8920e635c62e2ed6a758b0cd27f836d13)
2024-09-13
7.8
CVE-2024-46700
416baaa9-dc9f-4396-8d5f-8c081fb06d67

samsung — universal_print_driver 
The Samsung Universal Print Driver for Windows is potentially vulnerable to escalation of privilege allowing the creation of a reverse shell in the tool. This is only applicable for products in the application released or manufactured before 2018.
2024-09-11
7.8
CVE-2024-5760
hp-security-alert@hp.com 

zephyrproject-rtos–Zephyr 
BT:Classic: Multiple missing buf length checks
2024-09-13
7.6
CVE-2024-6135
vulnerabilities@zephyrproject.org 

zephyrproject-rtos–Zephyr 
BT: Classic: SDP OOB access in get_att_search_list
2024-09-13
7.6
CVE-2024-6137
vulnerabilities@zephyrproject.org 

zephyrproject-rtos–Zephyr 
BT: HCI: adv_ext_report Improper discarding in adv_ext_report
2024-09-13
7.6
CVE-2024-6259
vulnerabilities@zephyrproject.org 

AVG–Internet Security 
Local Privilege Escalation in AVG Internet Security v24 on Windows allows a local unprivileged user to escalate privileges to SYSTEM via COM-Hijacking.
2024-09-12
7.8
CVE-2024-6510
a341c0d1-ebf7-493f-a84e-38cf86618674 

Checkmk GmbH–Checkmk 
Improper host key checking in the active check ‘Check SFTP Service’ and the special agent ‘VNX quotas and filesystem’ in Checkmk before Checkmk 2.3.0p15, 2.2.0p33, 2.1.0p48 and 2.0.0 (EOL) allows man-in-the-middle attackers to intercept traffic.
2024-09-09
7.4
CVE-2024-6572
security@checkmk.com 

Red Hat–Red Hat Build of Keycloak 
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
2024-09-09
7.1
CVE-2024-7341
secalert@redhat.com

Unknown–Adicon Server 
The Adicon Server WordPress plugin through 1.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
2024-09-12
7.2
CVE-2024-7766
contact@wpscan.com 

Ivanti–Workspace Control 
An authentication bypass weakness in the message broker service of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.
2024-09-10
7.8
CVE-2024-8012
3c1d8aa1-5a33-4ea4-8992-aadd6440af75 

gitlab — gitlab 
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a large `glm_source` parameter.
2024-09-12
7.5
CVE-2024-8124
cve@gitlab.com

Ivanti–CSA (Cloud Services Appliance) 
An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.
2024-09-10
7.2
CVE-2024-8190
3c1d8aa1-5a33-4ea4-8992-aadd6440af75 

iniNet Solutions GmbH–SpiderControl SCADA Web Server 
SpiderControl SCADA Web Server has a vulnerability that could allow an attacker to upload specially crafted malicious files without authentication.
2024-09-10
7.5
CVE-2024-8232
ics-cert@hq.dhs.gov 

inspireui–MStore API Create Native Android & iOS Apps On The Cloud 
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 4.15.3. This is due to the plugin not checking that user registration is enabled prior to creating a user account through the register() function. This makes it possible for unauthenticated attackers to create user accounts on sites, even when user registration is disabled and plugin functionality is not activated.
2024-09-13
7.3
CVE-2024-8269
security@wordfence.com

realmag777–FOX Currency Switcher Professional for WooCommerce 
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode in the 'woocs_get_custom_price_html' function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
2024-09-14
7.3
CVE-2024-8271
security@wordfence.com

Lenovo–HX5530 Appliance (ThinkAgile) XCC 
A privilege escalation vulnerability was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection via specially crafted IPMI commands.
2024-09-13
7.2
CVE-2024-8278
psirt@lenovo.com 

Lenovo–HX5530 Appliance (ThinkAgile) XCC 
A privilege escalation vulnerability was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads.
2024-09-13
7.2
CVE-2024-8279
psirt@lenovo.com 

Lenovo–HX5530 Appliance (ThinkAgile) XCC 
An input validation weakness was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection or cause a recoverable denial of service using a specially crafted file.
2024-09-13
7.2
CVE-2024-8280
psirt@lenovo.com 

Lenovo–HX5530 Appliance (ThinkAgile) XCC 
An input validation weakness was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection through specially crafted command line input in the XCC SSH captive shell.
2024-09-13
7.2
CVE-2024-8281
psirt@lenovo.com 

Schneider Electric–Vijeo Designer 
CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity and availability of the workstation when non-admin authenticated user tries to perform privilege escalation by tampering with the binaries.
2024-09-11
7.8
CVE-2024-8306
cybersecurity@se.com 

worschtebrot–Affiliate Super Assistent 
The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the ‘Parse comments’ option is enabled. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
2024-09-10
7.3
CVE-2024-8478
security@wordfence.com

webliberty–Simple Spoiler 
The Simple Spoiler plugin for WordPress is vulnerable to arbitrary shortcode execution in versions 1.2 to 1.3. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
2024-09-14
7.3
CVE-2024-8479
security@wordfence.com

thimpress — learnpress 
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
2024-09-12
7.5
CVE-2024-8522
security@wordfence.com

thimpress — learnpress 
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_fields' parameter of the /wp-json/lp/v1/courses/archive-course REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
2024-09-12
7.5
CVE-2024-8529
security@wordfence.com

gitlab — gitlab 
A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles.
2024-09-12
7.2
CVE-2024-8631
cve@gitlab.com

oretnom23 — food_ordering_management_system 
A vulnerability, which was classified as problematic, has been found in SourceCodester Food Ordering Management System 1.0. Affected by this issue is some unknown functionality of the file /includes/. The manipulation leads to exposure of information through directory listing. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
2024-09-12
7.5
CVE-2024-8711
cna@vuldb.com

SICK AG–SICK MSC800 
A vulnerability in the MSC800 allows an unauthenticated attacker to modify the product’s IP address over Sopas ET. This can lead to Denial of Service. Users are recommended to upgrade both MSC800 and MSC800 LFT to version V4.26 and S2.93.20 respectively which fixes this issue.
2024-09-12
7.5
CVE-2024-8751
psirt@sick.de

h2oai–h2o-3 
A vulnerability, which was classified as critical, has been found in h2oai h2o-3 3.46.0.4. This issue affects the function getConnectionSafe of the file /dtale/chart-data/1 of the component JDBC Connection Handler. The manipulation of the argument query leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
2024-09-14
7.3
CVE-2024-8862
cna@vuldb.com

code-projects–Crud Operation System 
A vulnerability was found in code-projects Crud Operation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file savedata.php. The manipulation of the argument sname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
2024-09-15
7.3
CVE-2024-8868
cna@vuldb.com


Medium Vulnerabilities

PrimaryVendor — Product
Description
Published
CVSS Score
Source Info
Patch Info

OpenText–eDirectory 
A possible Insertion of Sensitive Information into Log File vulnerability has been discovered in OpenText™ eDirectory 9.2.4.0000.
2024-09-12
6.5
CVE-2021-22533
security@opentext.com 

n/a–n/a 
ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediately-invoked function expression (IIFE), and therefore a sandbox escape is possible by directly calling the constructor of the Function object. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446.
2024-09-09
6.1
CVE-2023-50883
cve@mitre.org

Red Hat–Red Hat build of Quarkus 
A denial of service vulnerability was found in Keycloak, where the number of attributes per object is not limited. An attacker sending repeated HTTP requests could cause resource exhaustion when the application sends back rows with long attribute values.
2024-09-10
6.5
CVE-2023-6841
secalert@redhat.com

Gallagher–Controller 6000 and Controller 7000 
Improper Neutralization of Input During Web Page Generation (CWE-79) in the Controller 6000 and Controller 7000 diagnostic webpage allows an attacker to modify Controller configuration during an authenticated Operator’s session. This issue affects: Controller 6000 and Controller 7000 9.10 prior to vCR9.10.240816a (distributed in 9.10.1530 (MR2)), 9.00 prior to vCR9.00.240816a (distributed in 9.00.2168 (MR4)), 8.90 prior to vCR8.90.240816a (distributed in 8.90.2155 (MR5)), 8.80 prior to vCR8.80.240816b (distributed in 8.80.1938 (MR6)), all versions of 8.70 and prior.
2024-09-11
6.1
CVE-2024-23906
disclosures@gallagher.com 

Gallagher–Controller 6000 and Controller 7000 
Buffer Copy without Checking Size of Input (CWE-120) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authorised and authenticated operator to reboot the Controller, causing a Denial of Service. Gallagher recommend the diagnostic web page is not enabled (default is off) unless advised by Gallagher Technical support. This interface is intended only for diagnostic purposes. This issue affects: Controller 6000 and Controller 7000 9.10 prior to vCR9.10.240816a (distributed in 9.10.1530 (MR2)), 9.00 prior to vCR9.00.240816a (distributed in 9.00.2168 (MR4)), 8.90 prior to vCR8.90.240816a (distributed in 8.90.2155 (MR5)), 8.80 prior to vCR8.80.240816b (distributed in 8.80.1938 (MR6)), all versions of 8.70 and prior.
2024-09-11
6.5
CVE-2024-24972
disclosures@gallagher.com 

SolarWinds–Access Rights Manager 
SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
2024-09-12
6.3
CVE-2024-28990
psirt@solarwinds.com

Lenovo–100w Gen 3 Laptop (Lenovo) BIOS 
A potential buffer overflow vulnerability was reported in some Lenovo Notebook products that could allow a local attacker with elevated privileges to execute arbitrary code.
2024-09-13
6.7
CVE-2024-3100
psirt@lenovo.com 

Eaton–Foreseer 
The Eaton Foreseer software provides users the capability to customize the dashboard in WebView pages. However, the input fields for this feature in the Eaton Foreseer software lacked proper input sanitization on the server-side, which could lead to injection and execution of malicious scripts when abused by bad actors.
2024-09-13
6.7
CVE-2024-31414
CybersecurityCOE@eaton.com 

Eaton–Foreseer 
The Eaton Foreseer software provides the feasibility for the user to configure external servers for multiple purposes such as network management, user management, etc. The software uses encryption to store these configurations securely on the host machine. However, the keys used for this encryption were insecurely stored, which could be abused to possibly change or remove the server configuration.
2024-09-13
6.3
CVE-2024-31415
CybersecurityCOE@eaton.com 

Fortinet–FortiClientMac 
An improper certificate validation vulnerability [CWE-295] in FortiClientWindows 7.2.0 through 7.2.2, 7.0.0 through 7.0.11, FortiClientLinux 7.2.0, 7.0.0 through 7.0.11 and FortiClientMac 7.0.0 through 7.0.11, 7.2.0 through 7.2.4 may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiGate and the FortiClient during the ZTNA tunnel creation.
2024-09-10
6.8
CVE-2024-31489
psirt@fortinet.com 

n/a–n/a 
ORDAT FOSS-Online before version 2.24.01 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the login page.
2024-09-12
6.1
CVE-2024-34335
cve@mitre.org

n/a–n/a 
A cross-site scripting (XSS) vulnerability in Gibbon Core v26.0.00 allows an attacker to execute arbitrary code via the imageLink parameter in the library_manage_catalog_editProcess.php component.
2024-09-10
6.1
CVE-2024-34831
cve@mitre.org 

Siemens–SIMATIC Reader RF610R CMIIT 
A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0) (All versions < V4.2), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0) (All versions < V4.2), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0) (All versions < V4.2), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0) (All versions < V4.2), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0) (All versions < V4.2), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0) (All versions < V4.2), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0) (All versions < V4.2), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0) (All versions < V4.2), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0) (All versions < V4.2), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0) (All versions < V4.2), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0) (All versions < V4.2), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0) (All versions < V4.2), SIMATIC RF1140R (6GT2831-6CB00) (All versions < V1.1), SIMATIC RF1170R (6GT2831-6BB00) (All versions < V1.1), SIMATIC RF166C (6GT2002-0EE20) (All versions < V2.2), SIMATIC RF185C (6GT2002-0JE10) (All versions < V2.2), SIMATIC RF186C (6GT2002-0JE20) (All versions < V2.2), SIMATIC RF186CI (6GT2002-0JE50) (All versions < V2.2), SIMATIC RF188C (6GT2002-0JE40) (All versions < V2.2), SIMATIC RF188CI (6GT2002-0JE60) (All versions < V2.2), SIMATIC RF360R (6GT2801-5BA30) (All versions < V2.2). The affected applications contain configuration files which can be modified. An attacker with privilege access can modify these files and enable features that are not released for this device.
2024-09-10
6.5
CVE-2024-37990
productcert@siemens.com 

Microsoft–Microsoft Edge (Chromium-based) 
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
2024-09-12
6.5
CVE-2024-38222
secure@microsoft.com 

Microsoft–Windows Server 2019 
Windows Standards-Based Storage Management Service Denial of Service Vulnerability
2024-09-10
6.5
CVE-2024-38230
secure@microsoft.com 

Microsoft–Windows Server 2019 
Windows Remote Desktop Licensing Service Denial of Service Vulnerability
2024-09-10
6.5
CVE-2024-38231
secure@microsoft.com 

Microsoft–Windows 10 Version 1809 
Windows Networking Denial of Service Vulnerability
2024-09-10
6.5
CVE-2024-38234
secure@microsoft.com 

Microsoft–Windows 10 Version 1809 
Windows Hyper-V Denial of Service Vulnerability
2024-09-10
6.5
CVE-2024-38235
secure@microsoft.com 

microsoft — windows_10_1507 
Windows Authentication Information Disclosure Vulnerability
2024-09-10
6.2
CVE-2024-38254
secure@microsoft.com 

Dell–PowerScale InsightIQ 
Dell PowerScale InsightIQ, version 5.1, contains an Improper Privilege Management vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Denial of service.
2024-09-10
6.7
CVE-2024-39574
security_alert@emc.com 

Dell–PowerScale InsightIQ 
Dell PowerScale InsightIQ, versions 5.0 through 5.1, contains an Improper Access Control vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
2024-09-10
6.7
CVE-2024-39580
security_alert@emc.com 

SAP_SE–SAP S/4HANA eProcurement 
Due to weak encoding of user-controlled inputs, eProcurement on SAP S/4HANA allows malicious scripts to be executed in the application, potentially leading to a Reflected Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it can have some minor impact on its confidentiality and integrity.
2024-09-10
6.1
CVE-2024-42378
cna@sap.com

Dell–Wyse Proprietary OS (Modern ThinOS) 
Citrix Workspace App version 23.9.0.24.4 on Dell ThinOS 2311 contains an Incorrect Authorization vulnerability when Citrix CEB is enabled for WebLogin. A local unauthenticated user with low privileges may potentially exploit this vulnerability to bypass existing controls and perform unauthorized actions leading to information disclosure and tampering.
2024-09-10
6.1
CVE-2024-42423
security_alert@emc.com 

espressif–esp-now 
ESP-NOW Component provides a connectionless Wi-Fi communication protocol. A replay attack vulnerability was discovered in the implementation of ESP-NOW because the cache is not differentiated by message type: it is a single, shared resource for all kinds of messages, whether they are broadcast or unicast, and regardless of whether they are ciphertext or plaintext. This allows an attacker to clear the cache of its legitimate entries, thereby creating an opportunity to re-inject previously captured packets. This vulnerability is fixed in 2.5.2.
2024-09-12
6.5
CVE-2024-42483
security-advisories@github.com

espressif–esp-now 
ESP-NOW Component provides a connectionless Wi-Fi communication protocol. An Out-of-Bounds (OOB) vulnerability was discovered in the implementation of the ESP-NOW group type message because there is no check for the addrs_num field of the group type message. This can result in memory corruption related attacks. Normally there are two fields in the group information that need to be checked, i.e., the addrs_num field and the addrs_list field. Since only the addrs_list field was checked, an attacker can send a group type message with an invalid addrs_num field, which will cause the message handled by the firmware to be much larger than the current buffer, thus causing a memory corruption issue that goes beyond the payload length.
2024-09-12
6.5
CVE-2024-42484
security-advisories@github.com

n/a–n/a 
An issue in Ellevo v.6.2.0.38160 allows a remote attacker to escalate privileges via the /api/usuario/cadastrodesuplente endpoint.
2024-09-09
6.3
CVE-2024-42759
cve@mitre.org

PHOENIX CONTACT–FL MGUARD 2102 
A low privileged remote attacker can perform configuration changes of the ospf service through OSPF_INTERFACE.SIMPLE_KEY, OSPF_INTERFACE.DIGEST_KEY environment variables which can lead to a DoS.
2024-09-10
6.5
CVE-2024-43389
info@cert.vde.com 

PHOENIX CONTACT–FL MGUARD 2102 
A low privileged remote attacker can perform configuration changes of the firewall services, including packet forwarding or NAT through the FW_NAT.IN_IP environment variable which can lead to a DoS.
2024-09-10
6.5
CVE-2024-43390
info@cert.vde.com 

PHOENIX CONTACT–FL MGUARD 2102 
A low privileged remote attacker can perform configuration changes of the firewall services, including packet filter, packet forwarding, network access control or NAT through the FW_PORTFORWARDING.SRC_IP environment variable which can lead to a DoS.
2024-09-10
6.5
CVE-2024-43391
info@cert.vde.com 

PHOENIX CONTACT–FL MGUARD 2102 
A low privileged remote attacker can perform configuration changes of the firewall services, including packet filter, packet forwarding, network access control or NAT through the FW_INCOMING.FROM_IP FW_INCOMING.IN_IP FW_OUTGOING.FROM_IP FW_OUTGOING.IN_IP environment variable which can lead to a DoS.
2024-09-10
6.5
CVE-2024-43392
info@cert.vde.com 

PHOENIX CONTACT–FL MGUARD 2102 
A low privileged remote attacker can perform configuration changes of the firewall services, including packet filter, packet forwarding, network access control or NAT through the FW_INCOMING.FROM_IP FW_INCOMING.IN_IP FW_OUTGOING.FROM_IP FW_OUTGOING.IN_IP FW_RULESETS.FROM_IP FW_RULESETS.IN_IP environment variable which can lead to a DoS.
2024-09-10
6.5
CVE-2024-43393
info@cert.vde.com 

Microsoft–Outlook for iOS 
Microsoft Outlook for iOS Information Disclosure Vulnerability
2024-09-10
6.5
CVE-2024-43482
secure@microsoft.com 

Microsoft–Windows 10 Version 1809 
Windows Mark of the Web Security Feature Bypass Vulnerability
2024-09-10
6.5
CVE-2024-43487
secure@microsoft.com 

halo-dev–halo 
Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.19.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user’s browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. This vulnerability is fixed in 2.19.0.
2024-09-11
6.3
CVE-2024-43793
security-advisories@github.com 

CryoutCreations–Fluida 
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Fluida allows Stored XSS. This issue affects Fluida: from n/a through 1.8.8.
2024-09-15
6.5
CVE-2024-44054
audit@patchstack.com 

CryoutCreations–Mantra 
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Mantra allows Stored XSS. This issue affects Mantra: from n/a through 3.3.2.
2024-09-15
6.5
CVE-2024-44056
audit@patchstack.com 

CryoutCreations–Nirvana 
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Nirvana allows Stored XSS. This issue affects Nirvana: from n/a through 1.6.3.
2024-09-15
6.5
CVE-2024-44057
audit@patchstack.com 

CryoutCreations–Parabola 
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Parabola allows Stored XSS. This issue affects Parabola: from n/a through 2.4.1.
2024-09-15
6.5
CVE-2024-44058
audit@patchstack.com 

MediaRon LLC–Custom Query Blocks 
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in MediaRon LLC Custom Query Blocks allows Stored XSS. This issue affects Custom Query Blocks: from n/a through 5.3.1.
2024-09-15
6.5
CVE-2024-44059
audit@patchstack.com 

Hiroaki Miyashita–Custom Field Template 
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Hiroaki Miyashita Custom Field Template allows Stored XSS. This issue affects Custom Field Template: from n/a through 2.6.5.
2024-09-15
6.5
CVE-2024-44062
audit@patchstack.com 

Happyforms–Happyforms 
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Happyforms allows Stored XSS. This issue affects Happyforms: from n/a through 1.26.0.
2024-09-15
6.5
CVE-2024-44063
audit@patchstack.com 

n/a–n/a 
ONLYOFFICE Docs before 8.1.0 allows XSS via a GeneratorFunction Object attack against a macro. This is related to use of an immediately-invoked function expression (IIFE) for a macro. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446 and CVE-2023-50883.
2024-09-09
6.1
CVE-2024-44085
cve@mitre.org

Nozomi Networks–Guardian 
An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges. If a logged-in user with reporting privileges learns how to create a specific application request, they might be able to make limited changes to the reporting configuration. This could result in a partial loss of data integrity. In Guardian/CMC instances with a reporting configuration, there could be limited Denial of Service (DoS) impacts, as the reports may not reach their intended destination, and there could also be limited information disclosure impacts. Furthermore, modifying the destination SMTP server for the reports could lead to the compromise of external credentials, as they might be sent to an unauthorized server.
2024-09-11
6
CVE-2024-4465
prodsec@nozominetworks.com 

n/a–n/a 
eladmin v2.7 and before is vulnerable to Cross Site Scripting (XSS), which allows an attacker to execute arbitrary code via LocalStoreController.java.
2024-09-10
6.1
CVE-2024-44676
cve@mitre.org

n/a–n/a 
phpgurukul Bus Pass Management System 1.0 is vulnerable to Cross-site scripting (XSS) in /admin/pass-bwdates-reports-details.php via fromdate and todate parameters.
2024-09-13
6.3
CVE-2024-44798
cve@mitre.org 

mozilo — mozilocms 
A reflected cross-site scripting (XSS) vulnerability in moziloCMS v3.0 allows attackers to execute arbitrary code in the context of a user’s browser via injecting a crafted payload.
2024-09-10
6.1
CVE-2024-44872
cve@mitre.org

Lenovo–XClarity Administrator 
A privilege escalation vulnerability was discovered when Single Sign On (SSO) is enabled that could allow an attacker to intercept a valid, authenticated LXCA user’s XCC session if they can convince the user to click on a specially crafted URL.
2024-09-13
6.8
CVE-2024-45101
psirt@lenovo.com 

Lenovo–XClarity Administrator 
A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call.
2024-09-13
6.3
CVE-2024-45104
psirt@lenovo.com 

Lenovo–HX5530 Appliance (ThinkAgile) BIOS 
An internal product security audit discovered a UEFI SMM (System Management Mode) callout vulnerability in some ThinkSystem servers that could allow a local attacker with elevated privileges to execute arbitrary code.
2024-09-13
6.7
CVE-2024-45105
psirt@lenovo.com 

SAP_SE–SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel) 
Due to insufficient input validation, CRM Blueprint Application Builder Panel of SAP NetWeaver Application Server for ABAP allows an unauthenticated attacker to craft a URL link which could embed a malicious JavaScript. When a victim clicks on this link, the script will be executed in the victim’s browser giving the attacker the ability to access and/or modify information with no effect on availability of the application.
2024-09-10
6.1
CVE-2024-45279
cna@sap.com

SAP_SE–SAP NetWeaver AS for Java (Destination Service) 
SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or delete the data.
2024-09-10
6
CVE-2024-45283
cna@sap.com 

SAP_SE–SAP Production and Revenue Accounting (Tobin interface) 
Due to a lack of proper authorization checks when calling a user function module in the obsolete Tobin interface, SAP Production and Revenue Accounting allows unauthorized access that could lead to disclosure of highly sensitive data. There is no impact on integrity or availability.
2024-09-10
6.5
CVE-2024-45286
cna@sap.com 

discourse–discourse-calendar 
Discourse Calendar plugin adds the ability to create a dynamic calendar in the first post of a topic to Discourse. Rendering event names can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy. The issue is patched in version 0.5 of the Discourse Calendar plugin.
2024-09-12
6.1
CVE-2024-45303
security-advisories@github.com 

cvat-ai–cvat 
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account can access webhook delivery information for any webhook registered on the CVAT instance, including that of other users. For each delivery, this contains information about the event that caused the delivery, typically including full details about the object on which an action was performed (such as the task for an "update:task" event), and the user who performed the action. In addition, the attacker can redeliver any past delivery of any webhook, and trigger a ping event for any webhook. Upgrade to CVAT 2.18.0 or any later version.
2024-09-10
6.4
CVE-2024-45393
security-advisories@github.com 

LizardByte–Sunshine 
Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertently allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but the certificate from the forged pairing attempt is incorrectly persisted prior to the completion of the pairing request. This allows access to the certificate belonging to the attacker.
2024-09-10
6.5
CVE-2024-45407
security-advisories@github.com 

JoomUnited–WP Meta SEO 
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in JoomUnited WP Meta SEO allows Stored XSS. This issue affects WP Meta SEO: from n/a through 4.5.13.
2024-09-15
6.5
CVE-2024-45456
audit@patchstack.com 

Spiffy Plugins–Spiffy Calendar 
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Spiffy Plugins Spiffy Calendar allows Stored XSS. This issue affects Spiffy Calendar: from n/a through 4.9.13.
2024-09-15
6.5
CVE-2024-45457
audit@patchstack.com 

Lenovo–P360 Workstation (ThinkStation) BIOS 
A potential buffer overflow vulnerability was reported in some Lenovo ThinkSystem and ThinkStation products that could allow a local attacker with elevated privileges to execute arbitrary code.
2024-09-13
6.7
CVE-2024-4550
psirt@lenovo.com 

man-group–dtale 
D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default.
2024-09-10
6.1
CVE-2024-45595
security-advisories@github.com 

incsub — forminator 
Cross-site scripting vulnerability exists in Forminator versions prior to 1.34.1. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who follows a crafted URL and accesses the webpage with the web form created by Forminator.
2024-09-09
6.1
CVE-2024-45625
vultures@jpcert.or.jp 

Rockwell Automation–ThinManager 
CVE-2024-45826 IMPACT Due to improper input validation, a path traversal and remote code execution vulnerability exists when the ThinManager® processes a crafted POST request. If exploited, a user can install an executable file.
2024-09-12
6.8
CVE-2024-45826
PSIRT@rockwellautomation.com 

n/a–n/a 
Tenda FH451 v1.0.0.9 has a stack overflow vulnerability located in the RouteStatic function.
2024-09-13
6.5
CVE-2024-46046
cve@mitre.org 

n/a–n/a 
Tenda FH451 v1.0.0.9 has a stack overflow vulnerability in the fromDhcpListClient function.
2024-09-13
6.5
CVE-2024-46047
cve@mitre.org 

gitlab — gitlab 
An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.
2024-09-12
6.1
CVE-2024-4612
cve@gitlab.com 

gitlab — gitlab 
An issue has been discovered in GitLab EE/CE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, and all versions starting from 17.3 before 17.3.2 that will disclose a user password from the repository mirror configuration.
2024-09-12
6.5
CVE-2024-5435
cve@gitlab.com 

MuffinGroup–Betheme 
The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 27.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
2024-09-13
6.4
CVE-2024-5567
security@wordfence.com 

themefusion–Fusion Builder 
The Avada | Website Builder For WordPress & eCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s fusion_button shortcode in all versions up to, and including, 3.11.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in 3.11.9. Additional hardening for alternate attack vectors was added to version 3.11.10.
2024-09-13
6.4
CVE-2024-5628
security@wordfence.com 

Towfiq I.–Triton Lite 
The Triton Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the theme’s Button shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-09-13
6.4
CVE-2024-5789
security@wordfence.com 

nattywp–Delicate 
The Delicate theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme’s Button shortcode in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-09-13
6.4
CVE-2024-5867
security@wordfence.com 

arnoldgoodway–Neighborly 
The Neighborly theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme’s Button shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-09-13
6.4
CVE-2024-5869
security@wordfence.com 

arnoldgoodway–Tweaker5 
The Tweaker5 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme’s Button shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-09-13
6.4
CVE-2024-5870
security@wordfence.com 

allprices–Beauty 
The Beauty theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tpl_featured_cat_id’ parameter in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-09-13
6.4
CVE-2024-5884
security@wordfence.com 

zephyrproject-rtos–Zephyr 
BT: Unchecked user input in bap_broadcast_assistant
2024-09-13
6.3
CVE-2024-5931
vulnerabilities@zephyrproject.org 

scriptonite — music_request_manager 
The Music Request Manager WordPress plugin through 1.3 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
2024-09-12
6.1
CVE-2024-6017
contact@wpscan.com 

scriptonite — music_request_manager 
The Music Request Manager WordPress plugin through 1.3 does not escape the $_SERVER[‘REQUEST_URI’] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
2024-09-12
6.1
CVE-2024-6018
contact@wpscan.com 

scriptonite — music_request_manager 
The Music Request Manager WordPress plugin through 1.3 does not sanitise and escape incoming music requests, which could allow unauthenticated users to perform Cross-Site Scripting attacks against administrators.
2024-09-12
6.1
CVE-2024-6019
contact@wpscan.com 

Axis Communications AB–AXIS OS 
51l3nc3, member of the AXIS OS Bug Bounty Program, has found that a Guard Tour VAPIX API parameter allowed the use of arbitrary values allowing for an attacker to block access to the guard tour configuration page in the web interface of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
2024-09-10
6.5
CVE-2024-6173
product-security@axis.com 

zephyrproject-rtos–Zephyr 
BT: Missing length checks of net_buf in rfcomm_handle_data
2024-09-13
6.8
CVE-2024-6258
vulnerabilities@zephyrproject.org 

Axis Communications AB–AXIS OS 
Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
2024-09-10
6.5
CVE-2024-6509
product-security@axis.com 

Red Hat–Red Hat Ansible Automation Platform 2.4 for RHEL 8 
An improper authorization flaw exists in the Ansible Automation Controller. This flaw allows an attacker using the Kubernetes (k8s) API server to send an HTTP request with a service account token mounted via `automountServiceAccountToken: true`, resulting in privilege escalation to a service account.
2024-09-12
6.6
CVE-2024-6840
secalert@redhat.com 

Axis Communications AB–AXIS OS 
Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a broken access control which would lead to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as it requires complex steps to execute, including knowledge of account passwords and social engineering attacks tricking the administrator into performing specific configurations on operator- and/or viewer-privileged accounts. Axis has released a patched AXIS OS version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
2024-09-10
6.8
CVE-2024-6979
product-security@axis.com 

payara — payara 
URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking. This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50.
2024-09-11
6.1
CVE-2024-7312
769c9ae7-73c3-4e47-ae19-903170fc3eb8 

Unknown–AZIndex 
The AZIndex WordPress plugin through 0.8.1 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
2024-09-09
6.1
CVE-2024-7687
contact@wpscan.com 

Unknown–AZIndex 
The AZIndex WordPress plugin through 0.8.1 does not have CSRF checks in some places, which could allow attackers to make a logged-in admin delete arbitrary indexes via a CSRF attack.
2024-09-09
6.5
CVE-2024-7688
contact@wpscan.com 

Lenovo–10w (Type 82ST, 82SU) Laptop (Lenovo) BIOS 
A potential vulnerability was reported in the ThinkPad L390 Yoga and 10w Notebook that could allow a local attacker to escalate privileges by accessing an embedded UEFI shell.
2024-09-13
6.8
CVE-2024-7756
psirt@lenovo.com 

Axis Communications AB–AXIS OS 
During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device tampering (commonly known as Secure Boot) in AXIS OS making it vulnerable to a sophisticated attack to bypass this protection. To Axis’ knowledge, there are no known exploits of the vulnerability at this time. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
2024-09-10
6.1
CVE-2024-7784
product-security@axis.com 

Unknown–Gixaw Chat 
The Gixaw Chat WordPress plugin through 1.0 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
2024-09-12
6.1
CVE-2024-7816
contact@wpscan.com 

Unknown–Misiek Photo Album 
The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF checks in some places, which could allow attackers to make logged-in users delete arbitrary albums via a CSRF attack.
2024-09-12
6.5
CVE-2024-7817
contact@wpscan.com 

Unknown–Misiek Photo Album 
The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
2024-09-12
6.1
CVE-2024-7818
contact@wpscan.com 

Unknown–Quick Code 
The Quick Code WordPress plugin through 1.0 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
2024-09-12
6.1
CVE-2024-7822
contact@wpscan.com 

Unknown–Visual Sound 
The Visual Sound WordPress plugin through 1.03 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
2024-09-12
6.5
CVE-2024-7859
contact@wpscan.com 

Unknown–Simple Headline Rotator 
The Simple Headline Rotator WordPress plugin through 1.0 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
2024-09-12
6.1
CVE-2024-7860
contact@wpscan.com 

Unknown–Misiek Paypal 
The Misiek Paypal WordPress plugin through 1.1.20090324 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
2024-09-12
6.1
CVE-2024-7861
contact@wpscan.com 

Unknown–Favicon Generator (CLOSED) 
The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not have CSRF and path validation in the output_sub_admin_page_0() function, allowing attackers to make logged-in admins delete arbitrary files on the server.
2024-09-13
6.5
CVE-2024-7864
contact@wpscan.com 

techlabpro1–Classified Listing Classified ads & Business Directory Plugin 
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings.
2024-09-13
6.3
CVE-2024-7888
security@wordfence.com 

nko–Advanced WordPress Backgrounds 
The Advanced WordPress Backgrounds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘imageTag’ parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-09-11
6.4
CVE-2024-8045
security@wordfence.com 

Unknown–MM-Breaking News 
The MM-Breaking News WordPress plugin through 0.7.9 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
2024-09-12
6.1
CVE-2024-8054
contact@wpscan.com 

Unknown–MM-Breaking News 
The MM-Breaking News WordPress plugin through 0.7.9 does not escape the $_SERVER[‘REQUEST_URI’] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
2024-09-12
6.1
CVE-2024-8056
contact@wpscan.com 

curl–curl 
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than ‘revoked’ (like for example ‘unauthorized’) it is not treated as a bad certificate.
2024-09-11
6.5
CVE-2024-8096
2499f714-1537-4658-8207-48ae4bb9eae9 

pixelgrade–Nova Blocks by Pixelgrade 
The Nova Blocks by Pixelgrade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ attribute of the ‘wp:separator’ Gutenberg block in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-09-10
6.4
CVE-2024-8241
security@wordfence.com 

GitLab–GitLab 
An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template.
2024-09-12
6.5
CVE-2024-8311
cve@gitlab.com 

wpdevteam–Essential Addons for Elementor Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders 
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Fancy Text widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-09-11
6.4
CVE-2024-8440
security@wordfence.com 

ivanti — endpoint_manager 
An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update allows a local authenticated attacker with admin privileges to escalate their privileges to SYSTEM.
2024-09-10
6.7
CVE-2024-8441
3c1d8aa1-5a33-4ea4-8992-aadd6440af75 

hardwaremaster–Slider comparison image before and after 
The Slider comparison image before and after plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s [sciba] shortcode in all versions up to, and including, 0.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-09-10
6.4
CVE-2024-8543
security@wordfence.com 

learningdigital — orca_hcm 
Orca HCM from LEARNING DIGITAL does not properly restrict a specific parameter of the file download functionality, allowing a remote attacker with regular privileges to download arbitrary system files.
2024-09-09
6.5
CVE-2024-8585
twcert@cert.org.tw 

Uniong–WebITR 
WebITR from Uniong has an Open Redirect vulnerability, which allows unauthorized remote attackers to exploit this vulnerability to forge URLs. Users, believing they are accessing a trusted domain, can be redirected to another page, potentially leading to phishing attacks.
2024-09-09
6.1
CVE-2024-8586
twcert@cert.org.tw 

online_food_ordering_system_project — online_food_ordering_system 
A vulnerability classified as problematic has been found in SourceCodester Online Food Ordering System 2.0. This affects an unknown part of the file index.php of the component Create an Account Page. The manipulation of the argument First Name/Last Name leads to cross-site scripting. It is possible to initiate the attack remotely.
2024-09-09
6.1
CVE-2024-8604
cna@vuldb.com 

itsourcecode–Tailoring Management System 
A vulnerability classified as critical was found in itsourcecode Tailoring Management System 1.0. Affected by this vulnerability is an unknown functionality of the file ssms.php. The manipulation of the argument customer leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
2024-09-09
6.3
CVE-2024-8611
cna@vuldb.com 

martynasma–amCharts: Charts and Maps 
The amCharts: Charts and Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘amcharts_javascript’ parameter in all versions up to, and including, 1.4.4 due to the ability to supply arbitrary JavaScript and a lack of nonce validation on the preview functionality. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-09-12
6.1
CVE-2024-8622
security@wordfence.com 

gitlab — gitlab 
A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL.
2024-09-12
6.5
CVE-2024-8635
cve@gitlab.com 

GitLab–GitLab 
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim’s CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim.
2024-09-12
6.7
CVE-2024-8641
cve@gitlab.com 

Eclipse Foundation–Eclipse Glassfish 
In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish. This vulnerability only affects applications that are explicitly deployed to the root context (‘/’).
2024-09-11
6.1
CVE-2024-8646
emo@eclipse.org 

algoritmika–WPFactory Helper 
The WPFactory Helper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-09-13
6.1
CVE-2024-8656
security@wordfence.com 

murgroland–WP Simple Booking Calendar 
The WP Simple Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-09-13
6.1
CVE-2024-8663
security@wordfence.com 

boopathi0001–WP Test Email 
The WP Test Email plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-09-13
6.1
CVE-2024-8664
security@wordfence.com 

yithemes–YITH Custom Login 
The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-09-13
6.1
CVE-2024-8665
security@wordfence.com 

Shandong Star Measurement and Control Equipment–Heating Network Wireless Monitoring System 
A vulnerability was found in Shandong Star Measurement and Control Equipment Heating Network Wireless Monitoring System 5.6.2 and classified as critical. Affected by this issue is the function GetDataKindByType of the file /DataSrvs/UCCGSrv.asmx. The manipulation leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
2024-09-11
6.3
CVE-2024-8705
cna@vuldb.com 

iovamihai–WordPress Affiliates Plugin SliceWP Affiliates 
The WordPress Affiliates Plugin – SliceWP Affiliates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.20. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-09-13
6.1
CVE-2024-8714
security@wordfence.com 

xootix–Waitlist Woocommerce ( Back in stock notifier ) 
The Waitlist Woocommerce ( Back in stock notifier ) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-09-14
6.1
CVE-2024-8724
security@wordfence.com 

cvscvstechcom–Exit Notifier 
The Exit Notifier plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-09-13
6.1
CVE-2024-8730
security@wordfence.com 

arielhr1987–Cron Jobs 
The Cron Jobs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-09-13
6.1
CVE-2024-8731
security@wordfence.com 

arielhr1987–Roles & Capabilities 
The Roles & Capabilities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-09-13
6.1
CVE-2024-8732
security@wordfence.com 

lucasstad–Lucas String Replace 
The Lucas String Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-09-13
6.1
CVE-2024-8734
security@wordfence.com 

kubiq–PDF Thumbnail Generator 
The PDF Thumbnail Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-09-13
6.1
CVE-2024-8737
security@wordfence.com 

wpdevteam–Essential Addons for Elementor Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders 
The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Filterable Gallery widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-09-13
6.4
CVE-2024-8742
security@wordfence.com

khromov — Email Obfuscate Shortcode
The Email Obfuscate Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘email-obfuscate’ shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-09-13
6.4
CVE-2024-8747
security@wordfence.com

n/a — JFinalCMS
A vulnerability was found in JFinalCMS up to 1.0. It has been rated as critical. This issue affects the function delete of the file /admin/template/edit. The manipulation of the argument name leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
2024-09-13
6.3
CVE-2024-8782
cna@vuldb.com

QDocs — Smart School Management System
A vulnerability classified as critical was found in QDocs Smart School Management System 7.0.0. Affected by this vulnerability is an unknown functionality of the file /user/chat/mynewuser of the component Chat. The manipulation of the argument users[] with the input 1’+AND+(SELECT+3220+FROM+(SELECT(SLEEP(5)))ZNun)+AND+’WwBM’%3d’WwBM as part of POST Request Parameter leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.1 is able to address this issue. It is recommended to upgrade the affected component.
2024-09-13
6.3
CVE-2024-8784
cna@vuldb.com

murgroland — WP Booking System Booking Calendar
The WP Booking System – Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.19.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-09-14
6.1
CVE-2024-8797
security@wordfence.com

OpenText — eDirectory
A possible Improper Neutralization of Input During Web Page Generation vulnerability has been discovered in OpenText™ eDirectory 9.2.3.0000.
2024-09-12
5.4
CVE-2021-22503
security@opentext.com 

OpenText — Identity Manager AzureAD Driver
A vulnerability identified in OpenText™ Identity Manager AzureAD Driver allows sensitive information to be written to a log file. This impacts all versions before 5.1.4.0.
2024-09-12
5.8
CVE-2021-22518
security@opentext.com 

OpenText — eDirectory
A possible Cross-Site Scripting (XSS) vulnerability has been discovered in OpenText™ eDirectory 9.2.5.0000.
2024-09-12
5.4
CVE-2021-38131
security@opentext.com 

OpenText — eDirectory
A possible External Service Interaction vulnerability has been discovered in OpenText™ eDirectory. This impacts all versions before 9.2.6.0000.
2024-09-12
5.3
CVE-2021-38132
security@opentext.com 

ankitpokhrel — WooCommerce Multiple Free Gift
The WooCommerce Multiple Free Gift plugin for WordPress is vulnerable to gift manipulation in all versions up to, and including, 1.2.3. This is due to the plugin not enforcing server-side checks on the products that can be added as a gift. This makes it possible for unauthenticated attackers to add non-gift items to their cart as a gift.
2024-09-14
5.3
CVE-2022-3459
security@wordfence.com

Siemens — SIMATIC CP 1242-7 V2 (incl. SIPLUS variants)
A vulnerability has been identified in SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 IEC (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-7 LTE (All versions < V3.5.20), SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0) (All versions < V3.5.20), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC IPC DiagBase (All versions), SIMATIC IPC DiagMonitor (All versions), SIMATIC WinCC Runtime Advanced (All versions), SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) (All versions < V2.4.8), TIM 1531 IRC (6GK7543-1MX00-0XE0) (All versions < V2.4.8). The web server of the affected devices does not properly handle certain requests, causing a timeout in the watchdog, which could lead to the clean-up of pointers. This could allow a remote attacker to cause a denial of service condition in the system.
2024-09-10
5.9
CVE-2023-28827
productcert@siemens.com 

Siemens — SIMATIC CP 1242-7 V2 (incl. SIPLUS variants)
A vulnerability has been identified in SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 IEC (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-7 LTE (All versions < V3.5.20), SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0) (All versions < V3.5.20), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC IPC DiagBase (All versions), SIMATIC IPC DiagMonitor (All versions), SIMATIC WinCC Runtime Advanced (All versions), SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) (All versions < V2.4.8), TIM 1531 IRC (6GK7543-1MX00-0XE0) (All versions < V2.4.8). The web server of the affected devices does not properly handle certain errors when using the Expect HTTP request header, resulting in a NULL pointer dereference. This could allow a remote attacker with no privileges to cause a denial of service condition in the system.
2024-09-10
5.9
CVE-2023-30756
productcert@siemens.com 

Bricks Builder — Bricks
The Bricks theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘customTag’ attribute in versions up to, and including, 1.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the Bricks Builder (admin-only by default), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This becomes more of an issue when Bricks Builder access is granted to lower-privileged users.
2024-09-14
5.4
CVE-2023-3410
security@wordfence.com

Fortinet — FortiAnalyzer
An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer version 7.4.1 and before 7.2.5 and FortiManager version 7.4.1 and before 7.2.5 may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request.
2024-09-10
5
CVE-2023-44254
psirt@fortinet.com 

Siemens — Mendix Runtime V10
A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.14.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions < V10.12.2 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions < V10.6.12 only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions < V8.18.31 only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions < V9.24.26 only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames.
2024-09-10
5.3
CVE-2023-49069
productcert@siemens.com 

Cisco — Cisco IOS XR Software
A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to read any file in the file system of the underlying Linux operating system. The attacker must have valid credentials on the affected device. This vulnerability is due to incorrect validation of the arguments that are passed to a specific CLI command. An attacker could exploit this vulnerability by logging in to an affected device with low-privileged credentials and using the affected command. A successful exploit could allow the attacker to access files in read-only mode on the Linux file system.
2024-09-11
5.5
CVE-2024-20343
ykramarz@cisco.com 

Cisco — Cisco IOS XR Software
A vulnerability in the Dedicated XML Agent feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) on XML TCP listen port 38751. This vulnerability is due to a lack of proper error validation of ingress XML packets. An attacker could exploit this vulnerability by sending a sustained, crafted stream of XML traffic to a targeted device. A successful exploit could allow the attacker to cause XML TCP port 38751 to become unreachable while the attack traffic persists.
2024-09-11
5.3
CVE-2024-20390
ykramarz@cisco.com 

n/a — node-gettext
All versions of the package node-gettext are vulnerable to Prototype Pollution via the addTranslations() function in gettext.js due to improper user input sanitization.
2024-09-10
5.9
CVE-2024-21528
report@snyk.io

Fortinet — FortiClientEMS
An improper limitation of a pathname to a restricted directory (‘path traversal’) in Fortinet FortiClientEMS versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.13, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, 6.0.0 through 6.0.8, 1.2.1 through 1.2.5 allows an attacker to perform a denial of service, or to read or write a limited number of files, via specially crafted HTTP requests.
2024-09-10
5.5
CVE-2024-21753
psirt@fortinet.com 

Open-Xchange GmbH — OX Dovecot Pro
Parsing a message with a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines, CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause an outage. Restrictions on address headers can be implemented in the MTA component preceding Dovecot. No publicly available exploits are known.
2024-09-10
5
CVE-2024-23184
security@open-xchange.com 

n/a — n/a
An issue was discovered in Samsung Semiconductor Mobile Processor, Automotive Processor, and Modem Exynos 9820, Exynos 9825, Exynos 980, Exynos 990, Exynos 850, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 9110, Exynos W920, Exynos W930, Exynos Modem 5123, Exynos Modem 5300. The baseband software does not properly check a pointer specified by the CC (Call Control module), which can lead to Denial of Service (Untrusted Pointer Dereference).
2024-09-10
5.9
CVE-2024-25073
cve@mitre.org

n/a — n/a
An issue was discovered in Samsung Semiconductor Mobile Processor, Automotive Processor, and Modem Exynos 9820, Exynos 9825, Exynos 980, Exynos 990, Exynos 850, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 9110, Exynos W920, Exynos W930, Exynos Modem 5123, Exynos Modem 5300. The baseband software does not properly check a pointer specified by the SM (Session Management module), which can lead to Denial of Service (Untrusted Pointer Dereference).
2024-09-10
5.9
CVE-2024-25074
cve@mitre.org

samsung — exynos_980_firmware 
An issue was discovered in Mobile Processor, Wearable Processor Exynos 980, Exynos 850, Exynos 1080, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 1480, Exynos W920, Exynos W930. In the function slsi_rx_roamed_ind(), there is no input validation check on a length coming from userspace, which can lead to a potential heap over-read.
2024-09-09
5.5
CVE-2024-27364
cve@mitre.org

samsung — exynos_980_firmware 
An issue was discovered in Samsung Mobile Processor, Wearable Processor Exynos 980, Exynos 850, Exynos 1080, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 1480, Exynos W920, Exynos W930. In the function slsi_rx_scan_done_ind(), there is no input validation check on a length coming from userspace, which can lead to a potential heap over-read.
2024-09-09
5.5
CVE-2024-27366
cve@mitre.org

samsung — exynos_980_firmware 
An issue was discovered in Samsung Mobile Processor, Wearable Processor Exynos 980, Exynos 850, Exynos 1080, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 1480, Exynos W920, Exynos W930. In the function slsi_rx_scan_ind(), there is no input validation check on a length coming from userspace, which can lead to integer overflow and a potential heap over-read.
2024-09-09
5.5
CVE-2024-27367
cve@mitre.org

samsung — exynos_980_firmware 
An issue was discovered in Samsung Mobile Processor, Wearable Processor Exynos 980, Exynos 850, Exynos 1080, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 1480, Exynos W920, Exynos W930. In the function slsi_rx_received_frame_ind(), there is no input validation check on a length coming from userspace, which can lead to a potential heap over-read.
2024-09-09
5.5
CVE-2024-27368
cve@mitre.org 

Eaton — Foreseer
The Eaton Foreseer software provides multiple customizable input fields for users to configure parameters in the tool, such as alarms and reports. Some of these input fields did not check the length and bounds of the entered value. Exploitation of this flaw by a bad actor may result in excessive memory consumption or integer overflow.
2024-09-13
5.6
CVE-2024-31416
CybersecurityCOE@eaton.com 

n/a — n/a
User enumeration vulnerability in ORDAT FOSS-Online before v2.24.01 allows attackers to determine if an account exists in the application by comparing the server responses of the forgot password functionality.
2024-09-12
5.3
CVE-2024-34336
cve@mitre.org

Siemens — SIMATIC Reader RF610R CMIIT
A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0) (All versions < V4.2), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0) (All versions < V4.2), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0) (All versions < V4.2), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0) (All versions < V4.2), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0) (All versions < V4.2), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0) (All versions < V4.2), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0) (All versions < V4.2), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0) (All versions < V4.2), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0) (All versions < V4.2), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0) (All versions < V4.2), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0) (All versions < V4.2), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0) (All versions < V4.2), SIMATIC RF1140R (6GT2831-6CB00) (All versions < V1.1), SIMATIC RF1170R (6GT2831-6BB00) (All versions < V1.1), SIMATIC RF166C (6GT2002-0EE20) (All versions < V2.2), SIMATIC RF185C (6GT2002-0JE10) (All versions < V2.2), SIMATIC RF186C (6GT2002-0JE20) (All versions < V2.2), SIMATIC RF186CI (6GT2002-0JE50) (All versions < V2.2), SIMATIC RF188C (6GT2002-0JE40) (All versions < V2.2), SIMATIC RF188CI (6GT2002-0JE60) (All versions < V2.2), SIMATIC RF360R (6GT2801-5BA30) (All versions < V2.2). The service log files of the affected application can be accessed without proper authentication. This could allow an unauthenticated attacker to get access to sensitive information.
2024-09-10
5.3
CVE-2024-37991
productcert@siemens.com 

Siemens — SIMATIC Reader RF610R CMIIT
A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0) (All versions < V4.2), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0) (All versions < V4.2), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0) (All versions < V4.2), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0) (All versions < V4.2), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0) (All versions < V4.2), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0) (All versions < V4.2), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0) (All versions < V4.2), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0) (All versions < V4.2), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0) (All versions < V4.2), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0) (All versions < V4.2), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0) (All versions < V4.2), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0) (All versions < V4.2), SIMATIC RF1140R (6GT2831-6CB00) (All versions < V1.1), SIMATIC RF1170R (6GT2831-6BB00) (All versions < V1.1), SIMATIC RF166C (6GT2002-0EE20) (All versions < V2.2), SIMATIC RF185C (6GT2002-0JE10) (All versions < V2.2), SIMATIC RF186C (6GT2002-0JE20) (All versions < V2.2), SIMATIC RF186CI (6GT2002-0JE50) (All versions < V2.2), SIMATIC RF188C (6GT2002-0JE40) (All versions < V2.2), SIMATIC RF188CI (6GT2002-0JE60) (All versions < V2.2), SIMATIC RF360R (6GT2801-5BA30) (All versions < V2.2). The affected applications do not authenticate the creation of Ajax2App instances. This could allow an unauthenticated attacker to cause a denial of service condition.
2024-09-10
5.3
CVE-2024-37993
productcert@siemens.com 

microsoft — windows_10_1507 
Windows Mark of the Web Security Feature Bypass Vulnerability
2024-09-10
5.4
CVE-2024-38217
secure@microsoft.com 

microsoft — windows_10_1507 
Windows Kernel-Mode Driver Information Disclosure Vulnerability
2024-09-10
5.5
CVE-2024-38256
secure@microsoft.com 

Zyxel — GS1900-10HP firmware
An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0. This vulnerability could allow a LAN-based attacker a slight chance to gain a valid session token if multiple authenticated sessions are alive.
2024-09-10
5.3
CVE-2024-38270
security@zyxel.com.tw 

adobe — after_effects 
After Effects versions 23.6.6, 24.5 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
2024-09-13
5.5
CVE-2024-39382
psirt@adobe.com 

Adobe — Premiere Pro
Premiere Pro versions 24.5, 23.6.8 and earlier are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
2024-09-13
5.5
CVE-2024-39385
psirt@adobe.com 

ti — fusion_digital_power_designer 
An issue in Texas Instruments Fusion Digital Power Designer v.7.10.1 allows a local attacker to obtain sensitive information via the plaintext storage of credentials
2024-09-12
5.5
CVE-2024-41629
cve@mitre.org 

adobe — after_effects 
After Effects versions 23.6.6, 24.5 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could lead to arbitrary file system write operations. An attacker could leverage this vulnerability to modify or corrupt files, potentially leading to a compromise of system integrity. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
2024-09-13
5.5
CVE-2024-41867
psirt@adobe.com 

Adobe — Audition
Audition versions 24.4.1, 23.6.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
2024-09-11
5.5
CVE-2024-41868
psirt@adobe.com 

adobe — media_encoder 
Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
2024-09-13
5.5
CVE-2024-41870
psirt@adobe.com 

adobe — media_encoder 
Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
2024-09-13
5.5
CVE-2024-41872
psirt@adobe.com 

adobe — media_encoder 
Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
2024-09-13
5.5
CVE-2024-41873
psirt@adobe.com 

siemens — sinema_remote_connect_client 
A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.2 SP2). The affected application inserts sensitive information into a log file which is readable by all legitimate users of the underlying system. This could allow an authenticated attacker to compromise the confidentiality of other users’ configuration data.
2024-09-10
5.5
CVE-2024-42344
productcert@siemens.com 

SAP_SE — SAP NetWeaver Application Server for ABAP and ABAP Platform
The RFC enabled function module allows a low privileged user to delete the workplace favourites of any user. This vulnerability could be utilized to identify usernames and access information about targeted user’s workplaces and nodes. There is low impact on integrity and availability of the application.
2024-09-10
5.4
CVE-2024-42371
cna@sap.com

Dell — Dell Precision Rack BIOS
Dell Precision Rack, 14G Intel BIOS versions prior to 2.22.2, contain an Improper Input Validation vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure.
2024-09-10
5.3
CVE-2024-42424
security_alert@emc.com 

microsoft — dynamics_365 
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
2024-09-10
5.4
CVE-2024-43476
secure@microsoft.com 

adobe — illustrator 
Illustrator versions 28.6, 27.9.5 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to an application denial-of-service (DoS). An attacker could exploit this vulnerability to crash the application, resulting in a DoS condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
2024-09-13
5.5
CVE-2024-43759
psirt@adobe.com 

Siemens — SINUMERIK 828D V4
A vulnerability has been identified in SINUMERIK 828D V4 (All versions < V4.95 SP3), SINUMERIK 840D sl V4 (All versions < V4.95 SP3 in connection with using Create MyConfig (CMC) <= V4.8 SP1 HF6), SINUMERIK ONE (All versions < V6.23 in connection with using Create MyConfig (CMC) <= V6.6), SINUMERIK ONE (All versions < V6.15 SP4 in connection with using Create MyConfig (CMC) <= V6.6). Affected systems that have been provisioned with Create MyConfig (CMC) contain an Insertion of Sensitive Information into Log File vulnerability. This could allow a local authenticated user with low privileges to read sensitive information and thus circumvent access restrictions.
2024-09-10
5.5
CVE-2024-43781
productcert@siemens.com 

expressjs — express
Express.js is a minimalist web framework for Node. In express < 4.20.0, passing untrusted user input (even after sanitizing it) to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
2024-09-10
5
CVE-2024-43796
security-advisories@github.com

pillarjs — send
Send is a library for streaming files from the file system as an HTTP response. Send passes untrusted user input to SendStream.redirect(), which executes untrusted code. This issue is patched in send 0.19.0.
2024-09-10
5
CVE-2024-43799
security-advisories@github.com

expressjs — serve-static
serve-static serves static files. serve-static passes untrusted user input (even after sanitizing it) to redirect(), which may execute untrusted code. This issue is patched in serve-static 1.16.0.
2024-09-10
5
CVE-2024-43800
security-advisories@github.com

BUFFALO INC. — WHR-1166DHP2
OS command injection vulnerability exists in BUFFALO wireless LAN routers and wireless LAN repeaters. If a user logs in to the management page and sends a specially crafted request to the affected product from the product’s specific management page, an arbitrary OS command may be executed.
2024-09-10
5.7
CVE-2024-44072
vultures@jpcert.or.jp

SAP_SE — SAP NetWeaver Application Server for ABAP and ABAP Platform
The RFC enabled function module allows a low privileged user to perform various actions, such as modifying the URLs of any user’s favourite nodes and workbook ID. There is low impact on integrity and availability of the application.
2024-09-10
5.4
CVE-2024-44117
cna@sap.com

n/a — n/a
Titan SFTP and Titan MFT Server 2.0.25.2426 and earlier have a vulnerability where sensitive information, including passwords, is exposed in clear text within the JSON response when configuring SMTP settings via the Web UI.
2024-09-13
5
CVE-2024-44685
cve@mitre.org

perfexcrm — perfex_crm 
A stored cross-site scripting (XSS) vulnerability in the Discussion section of Perfex CRM v1.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Content parameter.
2024-09-11
5.4
CVE-2024-44851
cve@mitre.org

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only decrement add_addr_accepted for MPJ req. Adding the following warning … WARN_ON_ONCE(msk->pm.add_addr_accepted == 0) … before decrementing the add_addr_accepted counter helped to find a bug when running the "remove single subflow" subtest from the mptcp_join.sh selftest. Removing a ‘subflow’ endpoint will first trigger a RM_ADDR, then the subflow closure. Before this patch, and upon the reception of the RM_ADDR, the other peer will then try to decrement this add_addr_accepted. That’s not correct because the attached subflows have not been created upon the reception of an ADD_ADDR. A way to solve that is to decrement the counter only if the attached subflow was an MP_JOIN to a remote id that was not 0, and initiated by the host receiving the RM_ADDR.
2024-09-11
5.5
CVE-2024-45009
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only mark ‘subflow’ endp as available. Adding the following warning … WARN_ON_ONCE(msk->pm.local_addr_used == 0) … before decrementing the local_addr_used counter helped to find a bug when running the "remove single address" subtest from the mptcp_join.sh selftests. Removing a ‘signal’ endpoint will trigger the removal of all subflows linked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with rm_type == MPTCP_MIB_RMSUBFLOW. This will decrement the local_addr_used counter, which is wrong in this case because this counter is linked to ‘subflow’ endpoints, and here it is a ‘signal’ endpoint that is being removed. Now, the counter is decremented only if the ID is being used outside of mptcp_pm_nl_rm_addr_or_subflow(), only for ‘subflow’ endpoints, and if the ID is not 0 — local_addr_used is not taking into account these ones. This marking of the ID as being available, and the decrement, is done no matter if a subflow using this ID is currently available, because the subflow could have been closed before.
2024-09-11
5.5
CVE-2024-45010
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: char: xillybus: Check USB endpoints when probing device. Ensure, as the driver probes the device, that all endpoints that the driver may attempt to access exist and are of the correct type. All XillyUSB devices must have a Bulk IN and Bulk OUT endpoint at address 1. This is verified in xillyusb_setup_base_eps(). On top of that, a XillyUSB device may have additional Bulk OUT endpoints. The information about these endpoints’ addresses is deduced from a data structure (the IDT) that the driver fetches from the device while probing it. These endpoints are checked in setup_channels(). A XillyUSB device never has more than one IN endpoint, as all data towards the host is multiplexed in this single Bulk IN endpoint. This is why setup_channels() only checks OUT endpoints.
2024-09-11
5.5
CVE-2024-45011
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: nouveau/firmware: use dma non-coherent allocator. Currently, enabling SG_DEBUG in the kernel will cause nouveau to hit a BUG() on startup when the iommu is enabled: kernel BUG at include/linux/scatterlist.h:187! [register dump and call trace omitted] Fix this by using the non-coherent allocator instead. I think there might be a better answer to this, but it involves ripping up some of the APIs using sg lists.
2024-09-11
5.5
CVE-2024-45012
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: nvme: move stopping keep-alive into nvme_uninit_ctrl() Commit 4733b65d82bd ("nvme: start keep-alive after admin queue setup") moves starting keep-alive from nvme_start_ctrl() into nvme_init_ctrl_finish(), but does not move stopping keep-alive into nvme_uninit_ctrl(), so keep-alive work can be started and stay pending after the controller fails to start; finally a use-after-free is triggered if the nvme host driver is unloaded. This patch fixes the kernel panic when running nvme/004 in the case where a connection failure is triggered, by moving stopping keep-alive into nvme_uninit_ctrl(). This is reasonable because keep-alive is now started in nvme_init_ctrl_finish().
2024-09-11
5.5
CVE-2024-45013
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: s390/boot: Avoid possible physmem_info segment corruption When physical memory for the kernel image is allocated it does not consider extra memory required for offsetting the image start to match it with the lower 20 bits of KASLR virtual base address. That might lead to kernel access beyond its memory range.
2024-09-11
5.5
CVE-2024-45014
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: move dpu_encoder’s connector assignment to atomic_enable() For cases where the crtc’s connectors_changed was set without enable/active getting toggled, there is an atomic_enable() call followed by an atomic_disable() but without an atomic_mode_set(). This results in a NULL ptr access for the dpu_encoder_get_drm_fmt() call in the atomic_enable(), as the dpu_encoder’s connector was cleared in the atomic_disable() but not re-assigned because there was no atomic_mode_set() call. Fix the NULL ptr access by moving the assignment into atomic_enable() and also use drm_atomic_get_new_connector_for_encoder() to get the connector from the atomic_state. Patchwork: https://patchwork.freedesktop.org/patch/606729/
2024-09-11
5.5
CVE-2024-45015
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc’s q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug to happen: – If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. – If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.
2024-09-11
5.5
CVE-2024-45016
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix IPsec RoCE MPV trace call Prevent the call trace below from happening, by not allowing IPsec creation over a slave if the master device doesn’t support IPsec. WARNING: CPU: 44 PID: 16136 at kernel/locking/rwsem.c:240 down_read+0x75/0x94 Workqueue: events xfrm_state_gc_task Call Trace: mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core] mlx5_ipsec_fs_roce_tx_destroy+0xb1/0x130 [mlx5_core] tx_destroy+0x1b/0xc0 [mlx5_core] tx_ft_put+0x53/0xc0 [mlx5_core] mlx5e_xfrm_free_state+0x45/0x90 [mlx5_core] ___xfrm_state_destroy+0x10f/0x1a2 xfrm_state_gc_task+0x81/0xa9 process_one_work+0x1f1/0x3c6 worker_thread+0x53/0x3e4 kthread+0x127/0x144 ret_from_fork+0x22/0x2d
2024-09-11
5.5
CVE-2024-45017
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: initialise extack before use Fix missing initialisation of extack in flow offload.
2024-09-11
5.5
CVE-2024-45018
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Take state lock during tx timeout reporter mlx5e_safe_reopen_channels() requires the state lock to be taken. The change referenced in the Fixes tag removed the lock to fix another issue. This patch adds it back, but at a later point (when calling mlx5e_safe_reopen_channels()) to avoid the deadlock referenced in the Fixes tag.
2024-09-11
5.5
CVE-2024-45019
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a kernel verifier crash in stacksafe() Daniel Hodges reported a kernel verifier crash when playing with sched-ext. Further investigation shows that the crash is due to invalid memory access in stacksafe(). More specifically, it is the following code: if (exact != NOT_EXACT && old->stack[spi].slot_type[i % BPF_REG_SIZE] != cur->stack[spi].slot_type[i % BPF_REG_SIZE]) return false; The ‘i’ iterates old->allocated_stack. If cur->allocated_stack < old->allocated_stack the out-of-bound access will happen. To fix the issue add ‘i >= cur->allocated_stack’ check such that if the condition is true, stacksafe() should fail. Otherwise, cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.
2024-09-11
5.5
CVE-2024-45020
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: memcg_write_event_control(): fix a user-triggerable oops. We are *not* guaranteed that anything past the terminating NUL is mapped (let alone initialized with anything sane).
2024-09-11
5.5
CVE-2024-45021
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 The __vmap_pages_range_noflush() assumes its argument pages** contains pages with the same page shift. However, since commit e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations"), if gfp_flags includes __GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation failed for high order, the pages** may contain two different page shifts (high order and order-0). This could lead __vmap_pages_range_noflush() to perform incorrect mappings, potentially resulting in memory corruption. Users might encounter this as follows (vmap_allow_huge = true, 2M is for PMD_SIZE): kvmalloc(2M, __GFP_NOFAIL|GFP_X) __vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP) vm_area_alloc_pages(order=9) --> order-9 allocation failed and fallback to order-0 vmap_pages_range() vmap_pages_range_noflush() __vmap_pages_range_noflush(page_shift = 21) ---> wrong mapping happens We can remove the fallback code because if a high-order allocation fails, __vmalloc_node_range_noprof() will retry with order-0. It is therefore unnecessary to fall back to order-0 here, so fix this by removing the fallback code.
2024-09-11
5.5
CVE-2024-45022
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix hugetlb vs. core-mm PT locking We recently made GUP’s common page table walking code also walk hugetlb VMAs without most hugetlb special-casing, preparing for a future with less hugetlb-specific page table walking code in the codebase. Turns out that we missed one page table locking detail: page table locking for hugetlb folios that are not mapped using a single PMD/PUD. Assume we have a hugetlb folio that spans multiple PTEs (e.g., 64 KiB hugetlb folios on arm64 with 4 KiB base page size). GUP, as it walks the page tables, will perform a pte_offset_map_lock() to grab the PTE table lock. However, hugetlb code that concurrently modifies these page tables would actually grab the mm->page_table_lock: with USE_SPLIT_PTE_PTLOCKS, the locks would differ. Something similar can happen right now with hugetlb folios that span multiple PMDs when USE_SPLIT_PMD_PTLOCKS. This issue can be reproduced [1], for example triggering: WARNING: CPU: 31 PID: 2732 at mm/gup.c:142 try_grab_folio+0x11c/0x188 Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-4.fc40 05/24/2024 Call trace: try_grab_folio+0x11c/0x188 follow_pmd_mask.constprop.0.isra.0+0x150/0x2e0 follow_page_mask+0x1a0/0x2b8 __get_user_pages+0xf0/0x348 faultin_page_range+0xb0/0x360 do_madvise+0x340/0x598 Let’s make huge_pte_lockptr() effectively use the same PT locks as any core-mm page table walker would. Add ptep_lockptr() to obtain the PTE page table lock using a pte pointer; unfortunately we cannot convert pte_lockptr() because virt_to_page() doesn’t work with kmap’ed page tables, which we can have with CONFIG_HIGHPTE. Handle CONFIG_PGTABLE_LEVELS correctly by checking in reverse order, such that e.g. CONFIG_PGTABLE_LEVELS==2 with PGDIR_SIZE==P4D_SIZE==PUD_SIZE==PMD_SIZE will work as expected. Document why that works. There is one ugly case: powerpc 8xx, where we have an 8 MiB hugetlb folio being mapped using two PTE page tables. While hugetlb wants to take the PMD table lock, core-mm would grab the PTE table lock of one of the two PTE page tables. In such corner cases, we have to make sure that both locks match, which is (fortunately!) currently guaranteed for 8xx as it does not support SMP and consequently doesn’t use split PT locks. [1] https://lore.kernel.org/all/1bbfcc7f-f222-45a5-ac44-c5a1381c596d@redhat.com/
2024-09-11
5.5
CVE-2024-45024
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE copy_fd_bitmaps(new, old, count) is expected to copy the first count/BITS_PER_LONG bits from old->full_fds_bits[] and fill the rest with zeroes. What it does is copy enough words (BITS_TO_LONGS(count/BITS_PER_LONG)), then memset the rest. That works fine, *if* all bits past the cutoff point are clear. Otherwise we are risking garbage from the last word we’d copied. For most of the callers that is true – expand_fdtable() has count equal to old->max_fds, so there are no open descriptors past count, let alone fully occupied words in ->open_fds[], which is what bits in ->full_fds_bits[] correspond to. The other caller (dup_fd()) passes sane_fdtable_size(old_fdt, max_fds), which is the smallest multiple of BITS_PER_LONG that covers all opened descriptors below max_fds. In the common case (copying on fork()) max_fds is ~0U, so all opened descriptors will be below it and we are fine, for the same reasons the call in expand_fdtable() is safe. Unfortunately, there is a case where max_fds is less than that and where we might, indeed, end up with junk in ->full_fds_bits[] – close_range(from, to, CLOSE_RANGE_UNSHARE) with * the descriptor table currently being shared * ‘to’ being above the current capacity of the descriptor table * ‘from’ being just under some chunk of opened descriptors. In that case we end up with observably wrong behaviour – e.g. spawn a child with CLONE_FILES, get all descriptors in range 0..127 open, then close_range(64, ~0U, CLOSE_RANGE_UNSHARE) and watch dup(0) ending up with descriptor #128, despite #64 being observably not open. The minimally invasive fix would be to deal with that in dup_fd(). If this proves to add measurable overhead, we can go that way, but let’s try to fix copy_fd_bitmaps() first. * new helper: bitmap_copy_and_expand(to, from, bits_to_copy, size). * make copy_fd_bitmaps() take the bitmap size in words, rather than bits; its ‘count’ argument is always a multiple of BITS_PER_LONG, so we are not losing any information, and that way we can use the same helper for all three bitmaps – the compiler will see that count is a multiple of BITS_PER_LONG for the large ones, so it’ll generate plain memcpy()+memset(). Reproducer added to tools/testing/selftests/core/close_range_test.c
2024-09-11
5.5
CVE-2024-45025
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup() If xhci_mem_init() fails, it calls into xhci_mem_cleanup() to mop up the damage. If it fails early enough, before xhci->interrupters is allocated but after xhci->max_interrupters has been set, which happens in most (all?) cases, things get uglier, as xhci_mem_cleanup() unconditionally dereferences xhci->interrupters. With prejudice. Gate the interrupt freeing loop with a check on xhci->interrupters being non-NULL. Found while debugging a DMA allocation issue that led the XHCI driver onto this exact path.
2024-09-11
5.5
CVE-2024-45027
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: mmc: mmc_test: Fix NULL dereference on allocation failure If the "test->highmem = alloc_pages()" allocation fails then calling __free_pages(test->highmem) will result in a NULL dereference. Also change the error code to -ENOMEM instead of returning success.
2024-09-11
5.5
CVE-2024-45028
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: i2c: tegra: Do not mark ACPI devices as irq safe On ACPI machines, the tegra i2c module encounters an issue due to a mutex being called inside a spinlock. This leads to the following bug: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585 … Call trace: __might_sleep __mutex_lock_common mutex_lock_nested acpi_subsys_runtime_resume rpm_resume tegra_i2c_xfer The problem arises because during __pm_runtime_resume(), the spinlock &dev->power.lock is acquired before rpm_resume() is called. Later, rpm_resume() invokes acpi_subsys_runtime_resume(), which relies on mutexes, triggering the error. To address this issue, devices on ACPI are now marked as not IRQ-safe, considering the dependency of acpi_subsys_runtime_resume() on mutexes.
2024-09-11
5.5
CVE-2024-45029
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: igb: cope with large MAX_SKB_FRAGS Sabrina reports that the igb driver does not cope well with large MAX_SKB_FRAG values: setting MAX_SKB_FRAG to 45 causes payload corruption on TX. An easy reproducer is to run ssh to connect to the machine. With MAX_SKB_FRAGS=17 it works, with MAX_SKB_FRAGS=45 it fails. This has been reported originally in https://bugzilla.redhat.com/show_bug.cgi?id=2265320 The root cause of the issue is that the driver does not take into account properly the (possibly large) shared info size when selecting the ring layout, and will try to fit two packets inside the same 4K page even when the 1st fraglist will trump over the 2nd head. Address the issue by checking if 2K buffers are insufficient.
2024-09-11
5.5
CVE-2024-45030
416baaa9-dc9f-4396-8d5f-8c081fb06d67

adobe — illustrator 
Illustrator versions 28.6, 27.9.5 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
2024-09-13
5.5
CVE-2024-45111
psirt@adobe.com 

SAP_SE–SAP BusinessObjects Business Intelligence Platform 
SAP BusinessObjects Business Intelligence Platform allows a high privilege user to run client desktop applications even if some of the DLLs are not digitally signed or if the signature is broken. The attacker needs to have local access to the vulnerable system to perform DLL related tasks. This could result in a high impact on confidentiality and integrity of the application.
2024-09-10
5.8
CVE-2024-45281
cna@sap.com

SAP_SE–SAP NetWeaver Application Server for ABAP and ABAP Platform 
The RFC enabled function module allows a low privileged user to perform denial of service on any user and also change or delete favourite nodes. By sending a crafted packet in the function module targeting specific parameters, the specific targeted user will no longer have access to any functionality of SAP GUI. There is low impact on integrity and availability of the application.
2024-09-10
5.4
CVE-2024-45285
cna@sap.com

Microsoft–HDAudBus.sys 
A mishandling of IRP requests vulnerability exists in the HDAudBus_DMA interface of Microsoft High Definition Audio Bus Driver 10.0.19041.3636 (WinBuild.160101.0800). A specially crafted application can issue multiple IRP Complete requests which leads to a local denial-of-service. An attacker can execute malicious script/application to trigger this vulnerability.
2024-09-12
5
CVE-2024-45383
talos-cna@cisco.com 

yeti-platform–yeti 
Yeti bridges the gap between CTI and DFIR practitioners by providing a Forensics Intelligence platform and pipeline. Remote user-controlled data tags can reach a Unicode normalization with a compatibility form NFKD. Under Windows, such normalization is costly in resources and may lead to denial of service with attacks such as One Million Unicode payload. This can get worse with the use of special Unicode characters like U+2100 (℀), or U+2105 (℅) which could lead the payload size to be tripled. Versions prior to 2.1.11 are affected by this vulnerability. The patch is included in 2.1.11.
2024-09-10
5.3
CVE-2024-45412
security-advisories@github.com

JoomUnited–WP Meta SEO 
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in JoomUnited WP Meta SEO allows Stored XSS. This issue affects WP Meta SEO: from n/a through 4.5.13.
2024-09-15
5.9
CVE-2024-45455
audit@patchstack.com 

Manu225–Flipping Cards 
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Manu225 Flipping Cards allows Stored XSS. This issue affects Flipping Cards: from n/a through 1.30.
2024-09-15
5.9
CVE-2024-45460
audit@patchstack.com 

xwiki–xwiki-platform 
XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private. On a private wiki, this can be tested by accessing /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history, if this shows the history of the main page then the installation is vulnerable. This has been patched in XWiki 15.10.9 and XWiki 16.3.0RC1.
2024-09-10
5.3
CVE-2024-45591
security-advisories@github.com

PlutoLang–Pluto 
Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table.
2024-09-10
5.3
CVE-2024-45597
security-advisories@github.com

Secreto31126–whatsapp-api-js 
whatsapp-api-js is a TypeScript server-agnostic framework for WhatsApp’s Official API. It is possible for the payload validation performed by WhatsAppAPI.verifyRequestSignature to return false even when the signature is valid. Incorrect access control: anyone using the post or verifyRequestSignature methods to handle messages is impacted. This vulnerability is fixed in 4.0.3.
2024-09-12
5.8
CVE-2024-45607
security-advisories@github.com

n/a–n/a 
CH22 V1.0.0.6(468) has a stack overflow vulnerability located in the fromqossetting function.
2024-09-13
5.7
CVE-2024-46044
cve@mitre.org 

n/a–n/a 
Tenda CH22 V1.0.0.6(468) has a stack overflow vulnerability located in the frmL7PlotForm function.
2024-09-13
5.7
CVE-2024-46045
cve@mitre.org 

n/a–n/a 
Tenda O6 V3.0 firmware V1.0.0.7(2054) contains a stack overflow vulnerability in the formexeCommand function.
2024-09-13
5.7
CVE-2024-46049
cve@mitre.org 

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion Since commit 1efdba5fdc2c ("Handle PMKSA flush in the driver for SAE/OWE offload cases"), wpa_supplicant 2.11 sends SSID based PMKSA del commands. brcmfmac is not prepared for this and tries to dereference the NULL bssid and pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based updates, so copy the SSID.
2024-09-11
5.5
CVE-2024-46672
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: gtp: fix a potential NULL pointer dereference When sockfd_lookup() fails, gtp_encap_enable_socket() returns a NULL pointer, but its callers only check for error pointers thus miss the NULL pointer case. Fix it by returning an error pointer with the error code carried from sockfd_lookup(). (I found this bug during code inspection.)
2024-09-13
5.5
CVE-2024-46677
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: nfsd: prevent panic for nfsv4.0 closed files in nfs4_show_open Prior to commit 3f29cc82a84c ("nfsd: split sc_status out of sc_type") states_show() relied on the sc_type field being of a valid type before calling into a subfunction to show the content of a particular stateid. From that commit, we split the validity of the stateid into sc_status and no longer changed sc_type to 0 while unhashing the stateid. This resulted in the kernel oopsing for nfsv4.0 opens that stay around, where nfs4_show_open() would dereference sc_file, which was NULL. Instead, for closed open stateids forgo displaying information that relies on having a valid sc_file. To reproduce: mount the server with 4.0, read and close a file and then on the server cat /proc/fs/nfsd/clients/2/states [ 513.590804] Call trace: [ 513.590925] _raw_spin_lock+0xcc/0x160 [ 513.591119] nfs4_show_open+0x78/0x2c0 [nfsd] [ 513.591412] states_show+0x44c/0x488 [nfsd] [ 513.591681] seq_read_iter+0x5d8/0x760 [ 513.591896] seq_read+0x188/0x208 [ 513.592075] vfs_read+0x148/0x470 [ 513.592241] ksys_read+0xcc/0x178
2024-09-13
5.5
CVE-2024-46682
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: pinctrl: single: fix potential NULL dereference in pcs_get_function() pinmux_generic_get_function() can return NULL and the pointer ‘function’ was dereferenced without checking against NULL. Add checking of pointer ‘function’ in pcs_get_function(). Found by code review.
2024-09-13
5.5
CVE-2024-46685
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req() This happens when called from SMB2_read() while using rdma and reaching the rdma_readwrite_threshold.
2024-09-13
5.5
CVE-2024-46686
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Move unregister out of atomic section Commit ‘9329933699b3 ("soc: qcom: pmic_glink: Make client-lock non-sleeping")’ moved the pmic_glink client list under a spinlock, as it is accessed by the rpmsg/glink callback, which in turn is invoked from IRQ context. This means that ucsi_unregister() is now called from atomic context, which isn’t feasible as it expects a sleepable context. An effort is under way to get GLINK to invoke its callbacks in a sleepable context, but until then let’s schedule the unregistration. A side effect of this is that ucsi_unregister() can now happen after the remote processor, and thereby the communication link with it, is gone. pmic_glink_send() is amended with a check to avoid the resulting NULL pointer dereference. This does however result in the user being informed about this error by the following entry in the kernel log: ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5
2024-09-13
5.5
CVE-2024-46691
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: scm: Mark get_wq_ctx() as atomic call Currently get_wq_ctx() is wrongly configured as a standard call. When two SMC calls are in sleep and one SMC wakes up, it calls get_wq_ctx() to resume the corresponding sleeping thread. But if get_wq_ctx() is interrupted, goes to sleep and another SMC call is waiting to be allocated a waitq context, it leads to a deadlock. To avoid this get_wq_ctx() must be an atomic call and can’t be a standard SMC call. Hence mark get_wq_ctx() as a fast call.
2024-09-13
5.5
CVE-2024-46692
416baaa9-dc9f-4396-8d5f-8c081fb06d67

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: video/aperture: optionally match the device in sysfb_disable() In aperture_remove_conflicting_pci_devices(), we currently only call sysfb_disable() on vga class devices. This leads to the following problem when the primary device is not VGA compatible: 1. A PCI device with a non-VGA class is the boot display 2. That device is probed first and it is not a VGA device so sysfb_disable() is not called, but the device resources are freed by aperture_detach_platform_device() 3. Non-primary GPU has a VGA class and it ends up calling sysfb_disable() 4. NULL pointer dereference via sysfb_disable() since the resources have already been freed by aperture_detach_platform_device() when it was called by the other device. Fix this by passing a device pointer to sysfb_disable() and checking the device to determine if we should execute it or not. v2: Fix build when CONFIG_SCREEN_INFO is not set v3: Move device check into the mutex Drop primary variable in aperture_remove_conflicting_pci_devices() Drop __init on pci sysfb_pci_dev_is_enabled()
2024-09-13
5.5
CVE-2024-46698
416baaa9-dc9f-4396-8d5f-8c081fb06d67

elemntor–Elementor Website Builder More than Just a Page Builder 
The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter of multiple widgets in all versions up to, and including, 3.23.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in Elementor Editor pages. This was partially patched in version 3.23.2.
2024-09-11
5.4
CVE-2024-5416
security@wordfence.com

litonice13–Master Addons Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor 
The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-jltma-wrapper-link element in all versions up to, and including 2.0.6.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected link.
2024-09-10
5.4
CVE-2024-6282
security@wordfence.com

coffee2code–Custom Post Limits 
The Custom Post Limits plugin for WordPress is vulnerable to full path disclosure in all versions up to, and including, 4.4.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
2024-09-13
5.3
CVE-2024-6544
security@wordfence.com

oscat.de–OSCAT Basic Library 
Out-of-Bounds read vulnerability in OSCAT Basic Library allows a local, unprivileged attacker to access limited internal data of the PLC, which may lead to a crash of the affected service.
2024-09-10
5.1
CVE-2024-6876
info@cert.vde.com

PHOENIX CONTACT–FL MGUARD 2102 
A low privileged remote attacker can get access to CSRF tokens of higher privileged users which can be abused to mount CSRF attacks.
2024-09-10
5.7
CVE-2024-7698
info@cert.vde.com 

bplugins–HTML5 Video Player mp4 Video Player Plugin and Block 
The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called via the ‘h5vp_ajax_handler’ ajax action in all versions up to, and including, 2.5.32. This makes it possible for unauthenticated attackers to call these functions to manipulate data.
2024-09-11
5.3
CVE-2024-7727
security@wordfence.com

PHOENIX CONTACT–FL MGUARD 2102 
An unauthenticated remote attacker can exploit the behavior of the pathfinder TCP encapsulation service by establishing a high number of TCP connections to the pathfinder TCP encapsulation service. The impact is limited to blocking of valid IPsec VPN peers.
2024-09-10
5.3
CVE-2024-7734
info@cert.vde.com 

ivanti — endpoint_manager 
Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices.
2024-09-10
5.3
CVE-2024-8320
3c1d8aa1-5a33-4ea4-8992-aadd6440af75 

metagauss–EventPrime Events Calendar, Bookings and Tickets 
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access to Private or Password-protected events due to missing authorization checks in all versions up to, and including, 4.0.4.3. This makes it possible for unauthenticated attackers to view private or password-protected events.
2024-09-10
5.3
CVE-2024-8369
security@wordfence.com

code-projects — inventory_management 
A vulnerability classified as problematic was found in code-projects Inventory Management 1.0. This vulnerability affects unknown code of the file /view/registration.php of the component Registration Form. The manipulation with the input <script>alert(1)</script> leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
2024-09-09
5.4
CVE-2024-8605
cna@vuldb.com

Wireshark Foundation–Wireshark 
SPRT dissector crash in Wireshark 4.2.0 to 4.0.5 and 4.0.0 to 4.0.15 allows denial of service via packet injection or crafted capture file
2024-09-10
5.5
CVE-2024-8645
cve@gitlab.com

MongoDB Inc–MongoDB Server 
MongoDB Server may access a non-initialized region of memory, leading to unexpected behaviour, when an internal aggregation stage is called with zero arguments. This issue affects MongoDB Server v6.0, version 6.0.3.
2024-09-10
5
CVE-2024-8654
cna@mongodb.com 

Mercury–MNVR816 
A vulnerability was found in Mercury MNVR816 up to 2.0.1.0.5. It has been classified as problematic. This affects an unknown part of the file /web-static/. The manipulation leads to files or directories accessible. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
2024-09-10
5.3
CVE-2024-8655
cna@vuldb.com

TDuckCloud–TDuckPro 
A vulnerability classified as critical was found in TDuckCloud TDuckPro up to 6.3. Affected by this vulnerability is an unknown functionality. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
2024-09-11
5.3
CVE-2024-8692
cna@vuldb.com

Synetics–Idoit pro 
Cross-site Scripting (XSS) vulnerability in idoit pro version 28. This vulnerability allows an attacker to retrieve session details of an authenticated user due to lack of proper sanitization of the following parameters (id,lang,mNavID,name,pID,treeNode,type,view).
2024-09-12
5.4
CVE-2024-8750
cve-coordination@incibe.es 

Red Hat–Red Hat Discovery 
A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
2024-09-14
5.5
CVE-2024-8775
secalert@redhat.com

composiohq–composio 
A vulnerability has been found in composiohq composio up to 0.5.6 and classified as critical. Affected by this vulnerability is the function Calculator of the file python/composio/tools/local/mathematical/actions/calculator.py. The manipulation leads to code injection. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
2024-09-15
5.5
CVE-2024-8864
cna@vuldb.com

TOTOLINK–A720R 
A vulnerability classified as critical has been found in TOTOLINK A720R 4.1.5. Affected is the function exportOvpn. The manipulation leads to os command injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
2024-09-15
5
CVE-2024-8869
cna@vuldb.com

vedees–wcms 
A vulnerability classified as critical was found in vedees wcms up to 0.3.2. Affected by this vulnerability is an unknown functionality of the file /wex/finder.php. The manipulation of the argument p leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
2024-09-15
5.4
CVE-2024-8875
cna@vuldb.com

kasdanet — kw5515_firmware 
Cross Site Scripting (XSS) Vulnerability in Firewall menu in Control Panel in KASDA KW5515 version 4.3.1.0, allows attackers to execute arbitrary code and steal cookies via a crafted script
2024-09-12
4.3
CVE-2020-24061
cve@mitre.org

OpenText–Identity Manager REST Driver 1.1.2.0200 
Possible Insertion of Sensitive Information into Log File vulnerability in Identity Manager has been discovered in OpenText™ Identity Manager REST Driver. This impacts versions before 1.1.2.0200.
2024-09-12
4.9
CVE-2022-26322
security@opentext.com 

Fortinet–FortiClientiOS 
An improper certificate validation vulnerability [CWE-295] in FortiClientWindows 6.4 all versions, 7.0.0 through 7.0.7, FortiClientMac 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientLinux 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientAndroid 6.4 all versions, 7.0 all versions, 7.2.0 and FortiClientiOS 5.6 all versions, 6.0.0 through 6.0.1, 7.0.0 through 7.0.6 SAML SSO feature may allow an unauthenticated attacker to man-in-the-middle the communication between the FortiClient and  both the service provider and the identity provider.
2024-09-10
4.8
CVE-2022-45856
psirt@fortinet.com 

themeum–Tutor LMS eLearning and online course solution 
The Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.4. This is due to missing or incorrect nonce validation on the ‘addon_enable_disable’ function. This makes it possible for unauthenticated attackers to enable or disable addons via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
2024-09-10
4.3
CVE-2023-2919
security@wordfence.com

Siemens–SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) 
A vulnerability has been identified in SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 IEC (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-7 LTE (All versions < V3.5.20), SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0) (All versions < V3.5.20), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC IPC DiagBase (All versions), SIMATIC IPC DiagMonitor (All versions), SIMATIC WinCC Runtime Advanced (All versions), SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) (All versions < V2.4.8), TIM 1531 IRC (6GK7543-1MX00-0XE0) (All versions < V2.4.8). The web server of the affected devices does not properly handle the shutdown or reboot request, which could lead to the clean up of certain resources. This could allow a remote attacker with elevated privileges to cause a denial of service condition in the system.
2024-09-10
4.4
CVE-2023-30755
productcert@siemens.com 

Axis Communications AB–AXIS OS 
Marinus Pfund, a member of the AXIS OS Bug Bounty Program, found that the VAPIX API ledlimit.cgi was vulnerable to path traversal attacks, allowing an attacker to list folder and file names on the local file system of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
2024-09-10
4.3
CVE-2024-0067
product-security@axis.com 

mirapolis — lms 
An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulnerability by manipulating the ID parameter and increment STEP parameter, leading to the exposure of sensitive user data.
2024-09-12
4.3
CVE-2024-25270
cve@mitre.org 

IBM–OpenPages 
IBM OpenPages 8.3 and 9.0 potentially exposes information about client-side source code through use of JavaScript source maps to unauthorized users.
2024-09-10
4.3
CVE-2024-27257
psirt@us.ibm.com

n/a–n/a 
An issue was discovered in Samsung Mobile Processor Exynos 980, Exynos 850, Exynos 1080, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 1480, Exynos W920, Exynos W930. In the function slsi_rx_blockack_ind(), there is no input validation check on a length coming from userspace, which can lead to a potential heap over-read.
2024-09-09
4.4
CVE-2024-27365
cve@mitre.org

Fortinet–FortiSandbox 
An exposure of sensitive information to an unauthorized actor in Fortinet FortiSandbox version 4.4.0 through 4.4.4, 4.2.0 through 4.2.6, 4.0.0 through 4.0.5, 3.2.2 through 3.2.4 and 3.1.5 allows an attacker to obtain sensitive information via HTTP GET requests.
2024-09-10
4.3
CVE-2024-31490
psirt@fortinet.com 

Unknown–Easy Property Listings 
The Easy Property Listings WordPress plugin before 3.5.4 does not have CSRF check when deleting contacts in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack
2024-09-12
4.3
CVE-2024-3163
contact@wpscan.com 

Siemens–SINEMA Remote Connect Client 
A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.2 SP2). The affected application does not expire the user session on reboot without logout. This could allow an attacker to bypass Multi-Factor Authentication.
2024-09-10
4.3
CVE-2024-32006
productcert@siemens.com 

Fortinet–FortiClientiOS 
A cleartext storage of sensitive information in memory vulnerability [CWE-316] affecting FortiClient VPN iOS 7.2 all versions, 7.0 all versions, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an unauthenticated attacker that has physical access to a jailbroken device to obtain cleartext passwords via keychain dump.
2024-09-10
4.2
CVE-2024-35282
psirt@fortinet.com 

Siemens–SIMATIC Reader RF610R CMIIT 
A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0) (All versions < V4.2), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0) (All versions < V4.2), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0) (All versions < V4.2), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0) (All versions < V4.2), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0) (All versions < V4.2), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0) (All versions < V4.2), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0) (All versions < V4.2), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0) (All versions < V4.2), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0) (All versions < V4.2), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0) (All versions < V4.2), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0) (All versions < V4.2), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0) (All versions < V4.2), SIMATIC RF1140R (6GT2831-6CB00) (All versions < V1.1), SIMATIC RF1170R (6GT2831-6BB00) (All versions < V1.1), SIMATIC RF166C (6GT2002-0EE20) (All versions < V2.2), SIMATIC RF185C (6GT2002-0JE10) (All versions < V2.2), SIMATIC RF186C (6GT2002-0JE20) (All versions < V2.2), SIMATIC RF186CI (6GT2002-0JE50) (All versions < V2.2), SIMATIC RF188C (6GT2002-0JE40) (All versions < V2.2), SIMATIC RF188CI (6GT2002-0JE60) (All versions < V2.2), SIMATIC RF360R (6GT2801-5BA30) (All versions < V2.2). The affected devices do not properly handle the error in case of exceeding characters while setting SNMP, leading to the restart of the application.
2024-09-10
4.9
CVE-2024-37992
productcert@siemens.com 

Siemens–SIMATIC Reader RF610R CMIIT 
A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0) (All versions < V4.2), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0) (All versions < V4.2), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0) (All versions < V4.2), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0) (All versions < V4.2), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0) (All versions < V4.2), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0) (All versions < V4.2), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0) (All versions < V4.2), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0) (All versions < V4.2), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0) (All versions < V4.2), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0) (All versions < V4.2), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0) (All versions < V4.2), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0) (All versions < V4.2), SIMATIC RF1140R (6GT2831-6CB00) (All versions < V1.1), SIMATIC RF1170R (6GT2831-6BB00) (All versions < V1.1), SIMATIC RF166C (6GT2002-0EE20) (All versions < V2.2), SIMATIC RF185C (6GT2002-0JE10) (All versions < V2.2), SIMATIC RF186C (6GT2002-0JE20) (All versions < V2.2), SIMATIC RF186CI (6GT2002-0JE50) (All versions < V2.2), SIMATIC RF188C (6GT2002-0JE40) (All versions < V2.2), SIMATIC RF188CI (6GT2002-0JE60) (All versions < V2.2), SIMATIC RF360R (6GT2801-5BA30) (All versions < V2.2). The affected application contains a hidden configuration item to enable debug functionality. This could allow an attacker to gain insight into the internal configuration of the deployment.
2024-09-10
4.3
CVE-2024-37994
productcert@siemens.com 

Unknown–Gallery Plugin for WordPress 
The Gallery Plugin for WordPress WordPress plugin before 1.8.15 does not sanitise and escape some of its image settings, which could allow users with post-writing privilege such as Author to perform Cross-Site Scripting attacks.
2024-09-11
4.8
CVE-2024-3899
contact@wpscan.com 

Gallagher–Controller 6000 and Controller 7000 
Incorrect Calculation of Buffer Size (CWE-131) in the Controller 6000 and Controller 7000 OSDP message handling, allows an attacker with physical access to Controller wiring to instigate a reboot leading to a denial of service. This issue affects: Controller 6000 and Controller 7000 9.10 prior to vCR9.10.240816a (distributed in 9.10.1530 (MR2)), 9.00 prior to vCR9.00.240816a (distributed in 9.00.2168 (MR4)), 8.90 prior to vCR8.90.240816a (distributed in 8.90.2155 (MR5)), 8.80 prior to vCR8.80.240816b (distributed in 8.80.1938 (MR6)), all versions of 8.70 and prior.
2024-09-11
4.6
CVE-2024-39808
disclosures@gallagher.com 

SAP_SE–SAP NetWeaver BW (BEx Analyzer) 
Due to missing authorization checks, SAP BEx Analyzer allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the application.
2024-09-10
4.3
CVE-2024-41729
cna@sap.com

siemens — sinema_remote_connect_server 
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP2). The affected application does not properly handle user session establishment and invalidation. This could allow a remote attacker to circumvent the additional multi factor authentication for user session establishment.
2024-09-10
4.3
CVE-2024-42345
productcert@siemens.com 

SAP_SE–SAP NetWeaver Application Server for ABAP and ABAP Platform 
The RFC enabled function module allows a low privileged user to read any user’s workplace favourites and user menu along with all the specific data of each node. Usernames can be enumerated by exploiting vulnerability. There is low impact on confidentiality of the application.
2024-09-10
4.3
CVE-2024-42380
cna@sap.com

IBM–Concert 
IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
2024-09-13
4.3
CVE-2024-43180
psirt@us.ibm.com
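The condition in the IBM Concert entry above (a session or authorization cookie issued without the Secure attribute, which a browser will then attach to a plain http:// request to the same host) is easy to check from a captured login response. The following is an added example, not IBM code: a small Set-Cookie parser, an audit that reports session-looking cookies lacking Secure, HttpOnly or a restrictive SameSite, and the browser rule that decides whether a cookie goes out over http. The header values, cookie names and the list of session-like name fragments are constructed for the example.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly / SameSite.

Added example, not IBM Concert code. The SAMPLE_HEADERS below are constructed.
"""
from dataclasses import dataclass, field

# Constructed Set-Cookie values, as they might appear in a login response
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",                      # no Secure: sent over http://
    "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",   # fully protected
    "theme=dark; Path=/",                                       # not a session cookie, ignored
]

# Constructed list of name fragments that mark a cookie as session/auth material
SESSION_NAME_FRAGMENTS = ("jsessionid", "session", "auth", "token")


@dataclass
class CookieFinding:
    name: str
    missing: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Return (cookie_name, {attribute_lowercase: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        if not p:
            continue
        key, _, value = p.partition("=")       # flag attributes such as Secure have no value
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def sent_over(attrs: dict, scheme: str) -> bool:
    """Browser rule: a cookie carrying Secure is attached only to https requests."""
    return scheme == "https" or "secure" not in attrs


def audit_cookies(headers, session_names=SESSION_NAME_FRAGMENTS):
    """Flag cookies that look like session/auth tokens but lack protective attributes."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not any(fragment in name.lower() for fragment in session_names):
            continue
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if attrs.get("samesite", "").lower() not in {"lax", "strict"}:
            missing.append("SameSite=Lax/Strict")
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(f"{finding.name}: missing {', '.join(finding.missing)}")
```

Feed it the Set-Cookie headers captured from a real login response; any finding on a session or authorization cookie is exactly the exposure the advisory describes, and `sent_over(attrs, "http")` returning True for that cookie confirms a passive observer on an http:// link would see it.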

SAP_SE–SAP for Oil & Gas 
Due to missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will allow them to delete non-sensitive entries in a user data table. There is no effect on confidentiality or availability.
2024-09-10
4.3
CVE-2024-44112
cna@sap.com

SAP_SE–SAP Business Warehouse (BEx Analyzer) 
Due to missing authorization checks, SAP Business Warehouse (BEx Analyzer) allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the application.
2024-09-10
4.3
CVE-2024-44113
cna@sap.com

SAP_SE–SAP NetWeaver Application Server for ABAP and ABAP Platform 
The RFC enabled function module allows a low privileged user to add URLs to any user’s workplace favourites. This vulnerability could be utilized to identify usernames and access information about targeted user’s workplaces, and nodes. There is low impact on integrity of the application.
2024-09-10
4.3
CVE-2024-44115
cna@sap.com

SAP_SE–SAP NetWeaver Application Server for ABAP and ABAP Platform 
The RFC enabled function module allows a low privileged user to add any workbook to any user’s workplace favourites. This vulnerability could be utilized to identify usernames and access information about targeted user’s workplaces. There is low impact on integrity of the application.
2024-09-10
4.3
CVE-2024-44116
cna@sap.com

SAP_SE–SAP NetWeaver Enterprise Portal 
SAP NetWeaver Enterprise Portal is vulnerable to reflected cross site scripting due to insufficient encoding of user-controlled input. An unauthenticated attacker could craft a malicious URL and trick a user to click it. If the victim clicks on this crafted URL before it times out, then the attacker could read and manipulate user content in the browser.
2024-09-10
4.7
CVE-2024-44120
cna@sap.com

SAP_SE–SAP S/4 HANA (Statutory Reports) 
Under certain conditions Statutory Reports in SAP S/4 HANA allows an attacker with basic privileges to access information which would otherwise be restricted. The vulnerability could expose internal user data that should remain confidential. It does not impact the integrity and availability of the application.
2024-09-10
4.3
CVE-2024-44121
cna@sap.com

GitLab–GitLab 
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs.
2024-09-12
4
CVE-2024-4472
cve@gitlab.com

Lenovo–XClarity Administrator 
A valid, authenticated LXCA user may be able to unmanage an LXCA managed device through the LXCA web interface without sufficient privileges.
2024-09-13
4.3
CVE-2024-45103
psirt@lenovo.com 

SAP_SE–SAP NetWeaver AS Java (Logon Application) 
Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. This has a limited impact on confidentiality and integrity of the application. There is no impact on availability.
2024-09-10
4.8
CVE-2024-45280
cna@sap.com

Fortinet–FortiEDR Manager 
An improper access control vulnerability [CWE-284] in FortiEDR Manager API 6.2.0 through 6.2.2, 6.0 all versions may allow in a shared environment context an authenticated admin with REST API permissions in his profile and restricted to a specific organization to access backend logs that include information related to other organizations.
2024-09-10
4.3
CVE-2024-45323
psirt@fortinet.com 

craftcms — craft_cms 
Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input.
2024-09-09
4.8
CVE-2024-45406
security-advisories@github.com

linux — linux_kernel 
In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pmic_glink: Fix race during initialization As pointed out by Stephen Boyd it is possible that during initialization of the pmic_glink child drivers, the protection-domain notifiers fire, and the associated work is scheduled, before the client registration returns and as a result the local "client" pointer has been initialized. The outcome of this is a NULL pointer dereference as the "client" pointer is blindly dereferenced. Timeline provided by Stephen:

CPU0                                         CPU1
----                                         ----
ucsi->client = NULL;
devm_pmic_glink_register_client()
 client->pdr_notify(client->priv, pg->client_state)
  pmic_glink_ucsi_pdr_notify()
   schedule_work(&ucsi->register_work)
                                             <schedule away>
                                             pmic_glink_ucsi_register()
                                              ucsi_register()
                                               pmic_glink_ucsi_read_version()
                                                pmic_glink_ucsi_read()
                                                 pmic_glink_ucsi_read()
                                                  pmic_glink_send(ucsi->client)
                                                  <client is NULL BAD>
ucsi->client = client // Too late!

This code is identical across the altmode, battery manager and ucsi child drivers. Resolve this by splitting the allocation of the "client" object and the registration thereof into two operations. This only happens if the protection domain registry is populated at the time of registration, which by the introduction of commit ‘1ebcde047c54 ("soc: qcom: add pd-mapper implementation")’ became much more likely.
2024-09-13
4.7
CVE-2024-46693
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Unknown–Popup Maker 
The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
2024-09-09
4.8
CVE-2024-5561
contact@wpscan.com 

Unknown–CM Pop-Up Banners for WordPress 
The CM Pop-Up Banners for WordPress plugin before 1.7.3 does not sanitise and escape some of its popup fields, which could allow high privilege users such as Contributors to perform Cross-Site Scripting attacks.
2024-09-12
4.8
CVE-2024-5799
contact@wpscan.com 

gitlab — gitlab 
An issue was discovered in GitLab-CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions.
2024-09-12
4.3
CVE-2024-6389
cve@gitlab.com

Unknown–NinjaTeam Header Footer Custom Code 
The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
2024-09-13
4.8
CVE-2024-6493
contact@wpscan.com 

Unknown–NinjaTeam Header Footer Custom Code 
The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
2024-09-13
4.8
CVE-2024-6617
contact@wpscan.com 

pega — infinity 
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name.
2024-09-12
4.8
CVE-2024-6700
security@pega.com 

pega — infinity 
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.
2024-09-12
4.8
CVE-2024-6701
security@pega.com 

pega — infinity 
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.
2024-09-12
4.8
CVE-2024-6702
security@pega.com 

Unknown–AI Engine 
The AI Engine WordPress plugin before 2.4.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when viewing chatbot discussions.
2024-09-13
4.7
CVE-2024-6723
contact@wpscan.com 

Unknown–Carousel Slider 
The Carousel Slider WordPress plugin before 2.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
2024-09-13
4.8
CVE-2024-6850
contact@wpscan.com 

Unknown–Giveaways and Contests by RafflePress 
The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
2024-09-12
4.8
CVE-2024-6887
contact@wpscan.com 

Unknown–EventON 
The EventON WordPress plugin before 2.2.17 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
2024-09-09
4.8
CVE-2024-6910
contact@wpscan.com 

Unknown–Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme 
The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme WordPress plugin before 2.7.3 does not validate and escape some of its settings before outputting them back in the page, which could allow users with a high role to perform Stored Cross-Site Scripting attacks.
2024-09-13
4.8
CVE-2024-7133
contact@wpscan.com 

Red Hat–Red Hat build of Keycloak 24 
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as an OAuth redirect URI. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.
2024-09-09
4.4
CVE-2024-7260
secalert@redhat.com

Red Hat–Red Hat build of Keycloak 24 
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and being deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds, totaling 1 minute. A one-time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.
2024-09-09
4.8
CVE-2024-7318
secalert@redhat.com

peepso–Community by PeepSo Social Network, Membership, Registration, User Profiles, Premium Mobile App 
The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 6.4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
2024-09-10
4.4
CVE-2024-7618
security@wordfence.com

peepso–Community by PeepSo Social Network, Membership, Registration, User Profiles, Premium Mobile App 
The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
2024-09-10
4.4
CVE-2024-7655
security@wordfence.com

Unknown–Snapshot Backup 
The Snapshot Backup WordPress plugin through 2.1.1 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
2024-09-09
4.7
CVE-2024-7689
contact@wpscan.com 

Unknown–Logo Slider 
The Logo Slider WordPress plugin before 3.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
2024-09-11
4.8
CVE-2024-7716
contact@wpscan.com 

bplugins–HTML5 Video Player mp4 Video Player Plugin and Block 
The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘save_password’ function in all versions up to, and including, 2.5.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set any options that are not explicitly checked as false to an array, including enabling user registration if it has been disabled.
2024-09-11
4.3
CVE-2024-7721
security@wordfence.com

Unknown–ILC Thickbox 
The ILC Thickbox WordPress plugin through 1.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
2024-09-12
4.3
CVE-2024-7820
contact@wpscan.com 

Unknown–blogintroduction-wordpress-plugin 
The blogintroduction-wordpress-plugin WordPress plugin through 0.3.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
2024-09-12
4.3
CVE-2024-7862
contact@wpscan.com 

Unknown–Floating Contact Button 
The Floating Contact Button WordPress plugin before 2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
2024-09-10
4.8
CVE-2024-7891
contact@wpscan.com 

Unknown–Pocket Widget 
The Pocket Widget WordPress plugin through 0.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
2024-09-09
4.8
CVE-2024-7918
contact@wpscan.com 

Unknown–Starbox 
The Starbox WordPress plugin before 3.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
2024-09-10
4.8
CVE-2024-7955
contact@wpscan.com 

Lenovo–HX5530 Appliance (ThinkAgile) XCC 
IPMI credentials may be captured in XCC audit log entries when the account username length is 16 characters.
2024-09-13
4.3
CVE-2024-8059
psirt@lenovo.com 

inspireui–MStore API Create Native Android & iOS Apps On The Cloud 
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files (not including PHP files) on the affected site’s server which may make remote code execution possible. This can be paired with a registration endpoint for unauthenticated users to exploit the issue.
2024-09-13
4.3
CVE-2024-8242
security@wordfence.com

Google–AngularJS 
Improper sanitization of the value of the ‘[srcset]’ attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects AngularJS versions 1.3.0-rc.4 and greater. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
2024-09-09
4.8
CVE-2024-8372
36c7be3b-2937-45df-85ea-ca7133ea542c

Google–AngularJS 
Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
2024-09-09
4.8
CVE-2024-8373
36c7be3b-2937-45df-85ea-ca7133ea542c

n/a–JFinalCMS 
A vulnerability was found in JFinalCMS up to 20240903. It has been classified as problematic. This affects the function update of the file /admin/template/update of the component com.cms.util.TemplateUtils. The manipulation of the argument fileName leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
2024-09-12
4.3
CVE-2024-8706
cna@vuldb.com

–Yunke Online School System 
A vulnerability was found in 云课网络科技有限公司 Yunke Online School System up to 3.0.6. It has been declared as problematic. This vulnerability affects the function downfile of the file application/admin/controller/Appadmin.php. The manipulation of the argument url leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
2024-09-12
4.3
CVE-2024-8707
cna@vuldb.com

n/a–AutoCMS 
A vulnerability was found in AutoCMS 5.4. It has been classified as problematic. This affects an unknown part of the file /admin/robot.php. The manipulation of the argument sidebar leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
2024-09-15
4.3
CVE-2024-8866
cna@vuldb.com

xiaohe4966–TpMeCMS 
A vulnerability, which was classified as problematic, has been found in xiaohe4966 TpMeCMS up to 1.3.3.1. Affected by this issue is some unknown functionality of the file /index/ajax/lang. The manipulation of the argument lang leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.3.2 is able to address this issue. It is recommended to upgrade the affected component.
2024-09-15
4.3
CVE-2024-8876
cna@vuldb.com

Low Vulnerabilities

PrimaryVendor — Product
Description
Published
CVSS Score
Source Info
Patch Info

Fortinet–FortiADC 
An improperly implemented security check for standard vulnerability [CWE-358] in FortiADC Web Application Firewall (WAF) 7.4.0 through 7.4.4, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2 all versions, 6.1 all versions, 6.0 all versions, when cookie security policy is enabled, may allow an attacker, under specific conditions, to retrieve the initial encrypted and signed cookie protected by the feature.
2024-09-10
3.7
CVE-2024-36511
psirt@fortinet.com 

Dell–Dell Precision Rack BIOS 
Dell Precision Rack, 14G Intel BIOS versions prior to 2.22.2, contains an Access of Memory Location After End of Buffer vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.
2024-09-10
3.8
CVE-2024-42425
security_alert@emc.com 

gitlab — gitlab 
An issue has been discovered in GitLab affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim to trust an attacker controlled application.
2024-09-12
3.5
CVE-2024-6446
cve@gitlab.com

Red Hat–Red Hat Enterprise Linux 7 
A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the `pkcs15-init` tool may lead to out-of-bound rights, possibly resulting in arbitrary code execution.
2024-09-10
3.4
CVE-2024-8443
secalert@redhat.com

SourceCodester–Best House Rental Management System 
A vulnerability classified as problematic has been found in SourceCodester Best House Rental Management System 1.0. Affected is an unknown function of the file /index.php?page=tenants of the component New Tenant Page. The manipulation of the argument Last Name/First Name/Middle Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
2024-09-09
3.5
CVE-2024-8610
cna@vuldb.com

n/a–JFinalCMS 
A vulnerability, which was classified as problematic, was found in JFinalCMS up to 20240903. This affects the function update of the file /admin/template/update of the component com.cms.controller.admin.TemplateController. The manipulation of the argument fileName leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
2024-09-11
3.8
CVE-2024-8694
cna@vuldb.com

SourceCodester–Best House Rental Management System 
A vulnerability was found in SourceCodester Best House Rental Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file categories.php. The manipulation leads to cross site scripting. The attack may be initiated remotely.
2024-09-12
3.5
CVE-2024-8708
cna@vuldb.com

OpenTibiaBR–MyAAC 
A vulnerability classified as problematic has been found in OpenTibiaBR MyAAC up to 0.8.16. Affected is an unknown function of the file system/pages/forum/new_post.php of the component Post Reply Handler. The manipulation of the argument post_topic leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as bf6ae3df0d32fa22552bb44ca4f8489a6e78cc1c. It is recommended to apply a patch to fix this issue.
2024-09-13
3.5
CVE-2024-8783
cna@vuldb.com

aimhubio–aim 
A vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. The manipulation of the argument query leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
2024-09-14
3.5
CVE-2024-8863
cna@vuldb.com

composiohq–composio 
A vulnerability was found in composiohq composio up to 0.5.8 and classified as problematic. Affected by this issue is the function path of the file composio\server\api.py. The manipulation of the argument file leads to path traversal. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
2024-09-15
3.5
CVE-2024-8865
cna@vuldb.com

Perfex–CRM 
A vulnerability was found in Perfex CRM 3.1.6. It has been declared as problematic. This vulnerability affects unknown code of the file application/controllers/Clients.php of the component Parameter Handler. The manipulation of the argument message leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.
2024-09-15
3.5
CVE-2024-8867
cna@vuldb.com

Octopus Deploy–Octopus Server 
Affected versions of Octopus Server had a weak content security policy.
2024-09-11
2.6
CVE-2024-1656
security@octopus.com 

Siemens–SIMATIC Reader RF610R CMIIT 
A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0) (All versions < V4.2), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0) (All versions < V4.2), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0) (All versions < V4.2), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0) (All versions < V4.2), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0) (All versions < V4.2), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0) (All versions < V4.2), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0) (All versions < V4.2), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0) (All versions < V4.2), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0) (All versions < V4.2), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0) (All versions < V4.2), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0) (All versions < V4.2), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0) (All versions < V4.2), SIMATIC RF1140R (6GT2831-6CB00) (All versions < V1.1), SIMATIC RF1170R (6GT2831-6BB00) (All versions < V1.1), SIMATIC RF166C (6GT2002-0EE20) (All versions < V2.2), SIMATIC RF185C (6GT2002-0JE10) (All versions < V2.2), SIMATIC RF186C (6GT2002-0JE20) (All versions < V2.2), SIMATIC RF186CI (6GT2002-0JE50) (All versions < V2.2), SIMATIC RF188C (6GT2002-0JE40) (All versions < V2.2), SIMATIC RF188CI (6GT2002-0JE60) (All versions < V2.2), SIMATIC RF360R (6GT2801-5BA30) (All versions < V2.2). The affected application improperly handles errors during a faulty certificate upload, leading to a crash of the application. This vulnerability could allow an attacker to disclose sensitive information.
2024-09-10
2.7
CVE-2024-37995
productcert@siemens.com 

Dell–PowerScale InsightIQ 
Dell PowerScale InsightIQ, version 5.0, contains a Use of Hard-coded Credentials vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.
2024-09-10
2.3
CVE-2024-39582
security_alert@emc.com 

SAP_SE–SAP NetWeaver Application Server for ABAP and ABAP Platform 
Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects.
2024-09-10
2.7
CVE-2024-41728
cna@sap.com

SAP_SE–SAP NetWeaver Application Server for ABAP and ABAP Platform 
SAP NetWeaver Application Server for ABAP and ABAP Platform allows users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application.
2024-09-10
2
CVE-2024-44114
cna@sap.com

SAP_SE–SAP Student Life Cycle Management (SLcM) 
An authenticated attacker with high privilege can use functions of SLCM transactions to which access should be restricted. This may result in an escalation of privileges causing low impact on integrity of the application.
2024-09-10
2.4
CVE-2024-45284
cna@sap.com

Rapid7–Insight Platform 
Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024.
2024-09-09
2.4
CVE-2024-8042
cve@rapid7.com 

Kaon–CG3000 
A vulnerability, which was classified as problematic, has been found in Kaon CG3000 1.01.43. Affected by this issue is some unknown functionality of the component dhcpcd Command Handler. The manipulation of the argument -h with the input <script>alert(‘XSS’)</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
2024-09-11
2.4
CVE-2024-8693
cna@vuldb.com

Severity Not Yet Assigned

PrimaryVendor — Product
Description
Published
CVSS Score
Source Info
Patch Info

TE Informatics–V5 
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in TE Informatics V5 allows Reflected XSS. This issue affects V5: before 6.2.
2024-09-12
not yet calculated
CVE-2024-2010
iletisim@usom.gov.tr 

n/a–n/a 
Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via the import function to the mail component.
2024-09-09
not yet calculated
CVE-2024-24510
cve@mitre.org

Simple Online Planning–SO Planning 
An unauthenticated SQL Injection has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database. The vulnerability has been remediated in version 1.52.02.
2024-09-11
not yet calculated
CVE-2024-27112
csirt@divd.nl 

Simple Online Planning–SO Planning 
An unauthenticated Insecure Direct Object Reference (IDOR) to the database has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database by exporting it as a CSV file. The vulnerability has been remediated in version 1.52.02.
2024-09-11
not yet calculated
CVE-2024-27113
csirt@divd.nl 

Simple Online Planning–SO Planning 
An unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying any requirements. This leads to the possibility of execution of code on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02.
2024-09-11
not yet calculated
CVE-2024-27115
csirt@divd.nl 

Google–Android 
There is a possible escalation of privilege due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
2024-09-13
not yet calculated
CVE-2024-29779
dsap-vuln-management@google.com 

Utarit Information–SoliClub 
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Utarit Information SoliClub allows Retrieve Embedded Sensitive Data. This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android.
2024-09-12
not yet calculated
CVE-2024-3305
iletisim@usom.gov.tr 

Utarit Information–SoliClub 
Authorization Bypass Through User-Controlled Key vulnerability in Utarit Information SoliClub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android.
2024-09-12
not yet calculated
CVE-2024-3306
iletisim@usom.gov.tr 

n/a–n/a 
The CMP CLI client in KeyFactor EJBCA before 8.3.1 has only 6 octets of salt, and is thus not compliant with the security requirements of RFC 4211, and might make man-in-the-middle attacks easier. CMP includes password-based MAC as one of the options for message integrity and authentication (the other option is certificate-based). RFC 4211 section 4.4 requires that password-based MAC parameters use a salt with a random value of at least 8 octets. This helps to inhibit dictionary attacks. Because the standalone CMP client originally was developed as test code, the salt was instead hardcoded and only 6 octets long.
2024-09-12
not yet calculated
CVE-2024-36066
cve@mitre.org

Google–Android 
In multiple locations, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
2024-09-11
not yet calculated
CVE-2024-40654
security@android.com

Google–Android 
In handleCreateConferenceComplete of ConnectionServiceWrapper.java, there is a possible way to reveal images across users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
2024-09-11
not yet calculated
CVE-2024-40656
security@android.com

Google–Android 
In getRegistration of RemoteProvisioningService.java, there is a possible way to permanently disable the AndroidKeyStore key generation feature by updating the attestation keys of all installed apps due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
2024-09-11
not yet calculated
CVE-2024-40659
security@android.com

Ubiquiti Inc–UniFi Network Application 
A Command Injection vulnerability found in Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.3.32 and earlier) allows a malicious actor with unifi user shell access to escalate privileges to root on the host device.
2024-09-13
not yet calculated
CVE-2024-42025
support@hackerone.com 

Google–Android 
In TBD of TBD, there is a possible LCS signing enforcement missing due to test/debugging code left in a production build. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
2024-09-13
not yet calculated
CVE-2024-44092
dsap-vuln-management@google.com 

Google–Android 
In ppmp_unprotect_buf of drm/code/drm_fw.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
2024-09-13
not yet calculated
CVE-2024-44093
dsap-vuln-management@google.com 

Google–Android 
In ppmp_protect_mfcfw_buf of code/drm_fw.c, there is a possible memory corruption due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
2024-09-13
not yet calculated
CVE-2024-44094
dsap-vuln-management@google.com 

Google–Android 
In ppmp_protect_mfcfw_buf of code/drm_fw.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
2024-09-13
not yet calculated
CVE-2024-44095
dsap-vuln-management@google.com 

Google–Android 
There is a possible arbitrary read due to an insecure default value. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.
2024-09-13
not yet calculated
CVE-2024-44096
dsap-vuln-management@google.com 

n/a–n/a 
D-Link DI-8100 v16.07.26A1 has a stack overflow vulnerability in the dbsrv_asp function.
2024-09-09
not yet calculated
CVE-2024-44375
cve@mitre.org

n/a–n/a 
SQL Injection vulnerability in Best Free Law Office Management Software-v1.0 allows an attacker to execute arbitrary code and obtain sensitive information via a crafted payload to the kortex_lite/control/register_case.php interface.
2024-09-13
not yet calculated
CVE-2024-44430
cve@mitre.org

n/a–n/a 
A memory allocation issue in vernemq v2.0.1 allows attackers to cause a Denial of Service (DoS) via excessive memory consumption.
2024-09-12
not yet calculated
CVE-2024-44459
cve@mitre.org 

n/a–n/a 
An invalid read size in Nanomq v0.21.9 allows attackers to cause a Denial of Service (DoS).
2024-09-12
not yet calculated
CVE-2024-44460
cve@mitre.org 

n/a–n/a 
A stored cross-site scripting (XSS) vulnerability in the VLAN configuration of RELY-PCIe v22.2.1 to v23.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
2024-09-11
not yet calculated
CVE-2024-44573
cve@mitre.org

n/a–n/a 
RELY-PCIe v22.2.1 to v23.1.0 does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session.
2024-09-11
not yet calculated
CVE-2024-44575
cve@mitre.org

n/a–n/a 
An issue was discovered in WibuKey64.sys in WIBU-SYSTEMS WibuKey before v6.70 and fixed in v6.70. An improper bounds check allows specially crafted packets to cause an arbitrary address read, resulting in Denial of Service.
2024-09-12
not yet calculated
CVE-2024-45182
cve@mitre.org

istyle Inc.–"@cosme" App for Android 
Improper authorization in the handler for a custom URL scheme in "@cosme" App for Android versions prior to 5.69.0 and "@cosme" App for iOS versions prior to 6.74.0 allows an attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.
2024-09-09
not yet calculated
CVE-2024-45203
vultures@jpcert.or.jp 

Alps System Integration Co., Ltd.–InterSafe WebFilter 
Cross-site request forgery (CSRF) vulnerability in multiple Alps System Integration products and the OEM products allows a remote unauthenticated attacker to hijack the authentication of the user and to perform unintended operations if the user views a malicious page while logged in.
2024-09-10
not yet calculated
CVE-2024-45504
vultures@jpcert.or.jp

Reedos Software Solutions–Mutual Fund Distribution Product (aiM-Star) 
This vulnerability exists in Reedos aiM-Star version 2.0.1 due to improper access controls on certain of its API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter in the API request URL, which could lead to unauthorized access to sensitive information belonging to other users.
2024-09-11
not yet calculated
CVE-2024-45786
vdisclose@cert-in.org.in 

Reedos Software Solutions–Mutual Fund Distribution Product (aiM-Star) 
This vulnerability exists in Reedos aiM-Star version 2.0.1 due to transmission of sensitive information in plain text in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter in the API request URL and intercepting the response of the API request, leading to exposure of sensitive information belonging to other users.
2024-09-11
not yet calculated
CVE-2024-45787
vdisclose@cert-in.org.in 

Reedos Software Solutions–Mutual Fund Distribution Product (aiM-Star) 
This vulnerability exists in Reedos aiM-Star version 2.0.1 due to missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP requests through the vulnerable API endpoints, which could lead to OTP bombing/flooding on the targeted system.
2024-09-11
not yet calculated
CVE-2024-45788
vdisclose@cert-in.org.in 

Reedos Software Solutions–Mutual Fund Distribution Product (aiM-Star) 
This vulnerability exists in Reedos aiM-Star version 2.0.1 due to improper validation of the ‘mode’ parameter in the API endpoint used during the registration process. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter in the API request body on the vulnerable application. Successful exploitation of this vulnerability could allow the attacker to bypass certain constraints in the registration process, leading to the creation of multiple accounts.
2024-09-11
not yet calculated
CVE-2024-45789
vdisclose@cert-in.org.in 

Reedos Software Solutions–Mutual Fund Distribution Product (aiM-Star) 
This vulnerability exists in Reedos aiM-Star version 2.0.1 due to missing restrictions on excessive failed authentication attempts on its API-based login. A remote attacker could exploit this vulnerability by conducting a brute-force attack against legitimate user passwords, which could lead to unauthorized access and the compromise of other user accounts.
2024-09-11
not yet calculated
CVE-2024-45790
vdisclose@cert-in.org.in 

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: Prevent USB core invalid event buffer address access This commit addresses an issue where the USB core could access an invalid event buffer address during runtime suspend, potentially causing SMMU faults and other memory issues on Exynos platforms. The problem arises from the following sequence. 1. In dwc3_gadget_suspend, there is a chance of a timeout when moving the USB core to the halt state after clearing the run/stop bit by software. 2. In dwc3_core_exit, the event buffer is cleared regardless of the USB core’s status, which may lead to SMMU faults and other memory issues if the USB core tries to access the event buffer address. To prevent this hardware quirk on Exynos platforms, this commit ensures that the event buffer address is not cleared by software when the USB core is active during runtime suspend, by checking its status before clearing the buffer address.
2024-09-13
not yet calculated
CVE-2024-46675
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Add poll mod list filling check If im_protocols is 1 and tm_protocols is 0, this combination successfully passes the check ‘if (!im_protocols && !tm_protocols)’ in nfc_start_poll(). But then, after the pn533_poll_create_mod_list() call in pn533_start_poll(), the poll mod list will remain empty and dev->poll_mod_count will remain 0, which leads to a division by zero. Normally no im protocol has value 1 in the mask, so this combination is not expected by the driver. But these protocol values actually come from userspace via the Netlink interface (NFC_CMD_START_POLL operation). So a broken or malicious program may pass a message containing a "bad" combination of protocol parameter values so that dev->poll_mod_count is not incremented inside pn533_poll_create_mod_list(), thus leading to division by zero. The call trace looks like: nfc_genl_start_poll() nfc_start_poll() ->start_poll() pn533_start_poll() Add a poll mod list filling check. Found by Linux Verification Center (linuxtesting.org) with SVACE.
2024-09-13
not yet calculated
CVE-2024-46676
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: bonding: change ipsec_lock from spin lock to mutex In the cited commit, bond->ipsec_lock is added to protect ipsec_list, hence xdo_dev_state_add and xdo_dev_state_delete are called inside this lock. As ipsec_lock is a spin lock and such xfrmdev ops may sleep, "scheduling while atomic" will be triggered when changing the bond’s active slave. As bond_ipsec_add_sa_all and bond_ipsec_del_sa_all are only called from bond_change_active_slave, which requires holding the RTNL lock, and bond_ipsec_add_sa and bond_ipsec_del_sa are the xfrm state xdo_dev_state_add and xdo_dev_state_delete APIs, which run in user context, ipsec_lock doesn’t have to be a spin lock. Change it to a mutex, and thus the above issue is resolved.
2024-09-13
not yet calculated
CVE-2024-46678
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: ethtool: check device is present when getting link settings A sysfs reader can race with a device reset or removal, attempting to read device state when the device is not actually present. e.g.: [exception RIP: qed_get_current_link+17] #8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede] #9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3 #10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4 #11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300 #12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c #13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b #14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3 #15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1 #16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f #17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb crash> struct net_device.state ffff9a9d21336000 state = 5, state 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100). The device is not present; note the lack of __LINK_STATE_PRESENT (0b10). This is the same sort of panic as observed in commit 4224cfd7fb65 ("net-sysfs: add check for netdevice being present to speed_show"). There are many other callers of __ethtool_get_link_ksettings() which don’t have a device presence check. Move this check into ethtool to protect all callers.
2024-09-13
not yet calculated
CVE-2024-46679
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix random crash seen while removing driver This fixes the random kernel crash seen while removing the driver when running the load/unload test over multiple iterations: 1) modprobe btnxpuart 2) hciconfig hci0 reset 3) hciconfig (check that the hci0 interface is up with a valid BD address) 4) modprobe -r btnxpuart, then repeat steps 1 to 4. The ps_wakeup() call in btnxpuart_close() schedules psdata->work(), which gets scheduled after the module is removed, causing a kernel crash. This hidden issue was highlighted after enabling Power Save by default in 4183a7be7700 (Bluetooth: btnxpuart: Enable Power Save feature on startup). The new ps_cleanup() deasserts UART break immediately while closing the serdev device, cancels any scheduled ps_work and destroys the ps_lock mutex. Present since v6.9.11
2024-09-13
not yet calculated
CVE-2024-46680
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: pktgen: use cpus_read_lock() in pg_net_init() I have seen the WARN_ON(smp_processor_id() != cpu) firing in pktgen_thread_worker() during tests. We must use cpus_read_lock()/cpus_read_unlock() around the for_each_online_cpu(cpu) loop. While we are at it use WARN_ON_ONCE() to avoid a possible syslog flood.
2024-09-13
not yet calculated
CVE-2024-46681
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: binfmt_elf_fdpic: fix AUXV size calculation when ELF_HWCAP2 is defined create_elf_fdpic_tables() does not correctly account the space for the AUX vector when an architecture has ELF_HWCAP2 defined. Prior to the commit 10e29251be0e ("binfmt_elf_fdpic: fix /proc/<pid>/auxv") it resulted in the last entry of the AUX vector being set to zero, but with that change it results in a kernel BUG. Fix that by adding one to the number of AUXV entries (nitems) when ELF_HWCAP2 is defined.
2024-09-13
not yet calculated
CVE-2024-46684
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: erofs: fix out-of-bound access when z_erofs_gbuf_growsize() partially fails If z_erofs_gbuf_growsize() partially fails on a global buffer due to memory allocation failure or fault injection (as reported by syzbot [1]), new pages need to be freed by comparing to the existing pages to avoid memory leaks. However, the old gbuf->pages[] array may not be large enough, which can lead to null-ptr-deref or out-of-bound access. Fix this by checking against gbuf->nrpages in advance. [1] https://lore.kernel.org/r/000000000000f7b96e062018c6e3@google.com
2024-09-13
not yet calculated
CVE-2024-46688
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: soc: qcom: cmd-db: Map shared memory as WC, not WB Linux does not write into the cmd-db region. This region of memory is write protected by XPU. XPU may sometimes falsely detect a clean cache eviction as a "write" into the write protected region, leading to a secure interrupt which causes an endless loop somewhere in Trust Zone. The only reason it is working right now is because the Qualcomm Hypervisor maps the same region as Non-Cacheable memory in Stage 2 translation tables. The issue manifests if we want to use another hypervisor (like Xen or KVM), which does not know anything about those specific mappings. Changing the mapping of cmd-db memory from MEMREMAP_WB to MEMREMAP_WT/WC removes the dependency on correct mappings in Stage 2 tables. This patch fixes the issue by updating the mapping to MEMREMAP_WC. I tested this on SA8155P with Xen.
2024-09-13
not yet calculated
CVE-2024-46689
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfsd4_deleg_getattr_conflict in presence of third party lease It is not safe to dereference fl->c.flc_owner without first confirming fl->fl_lmops is the expected manager. nfsd4_deleg_getattr_conflict() tests fl_lmops but largely ignores the result and assumes that flc_owner is an nfs4_delegation anyway. This is wrong. With this patch we restore the "!= &nfsd_lease_mng_ops" case to behave as it did before the change mentioned below. This is the same as the current code, but without any reference to a possible delegation.
2024-09-13
not yet calculated
CVE-2024-46690
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: avoid using null object of framebuffer Instead of using state->fb->obj[0] directly, get object from framebuffer by calling drm_gem_fb_get_obj() and return error code when object is null to avoid using null object of framebuffer. (cherry picked from commit 73dd0ad9e5dad53766ea3e631303430116f834b3)
2024-09-13
not yet calculated
CVE-2024-46694
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: selinux,smack: don’t bypass permissions check in inode_setsecctx hook Marek Gresko reports that the root user on an NFS client is able to change the security labels on files on an NFS filesystem that is exported with root squashing enabled. The end of the kerneldoc comment for __vfs_setxattr_noperm() states: * This function requires the caller to lock the inode’s i_mutex before it * is executed. It also assumes that the caller will make the appropriate * permission checks. nfsd_setattr() does do permissions checking via fh_verify() and nfsd_permission(), but those don’t do all the same permissions checks that are done by security_inode_setxattr() and its related LSM hooks. Since nfsd_setattr() is the only consumer of security_inode_setsecctx(), the simplest solution appears to be to replace the call to __vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This fixes the above issue and has the added benefit of causing nfsd to recall conflicting delegations on a file when a client tries to change its security label.
2024-09-13
not yet calculated
CVE-2024-46695
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: nfsd: ensure that nfsd4_fattr_args.context is zeroed out If nfsd4_encode_fattr4 ends up doing a "goto out" before we get to checking for the security label, then args.context will be set to uninitialized junk on the stack, which we’ll then try to free. Initialize it early.
2024-09-13
not yet calculated
CVE-2024-46697
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: libfs: fix infinite directory reads for offset dir After we switched tmpfs dir operations from simple_dir_operations to simple_offset_dir_operations, every rename fills a new dentry into the dest dir’s maple tree (&SHMEM_I(inode)->dir_offsets->mt) with a free key starting at octx->newx_offset, and then sets newx_offset to free key + 1. This leads to an infinite readdir when combined with renames happening at the same time, which fails generic/736 in xfstests (details below). 1. create 5000 files (1 2 3…) under one dir 2. call readdir (man 3 readdir) once, and get one entry 3. rename(entry, "TEMPFILE"), then rename("TEMPFILE", entry) 4. loop 2~3 until readdir returns nothing or we loop too many times (tmpfs breaks the test with the second condition) We use the same logic as commit 9b378f6ad48cf ("btrfs: fix infinite directory reads") to fix it: record the last_index when we open the dir, and do not emit entries whose index >= last_index. The file->private_data now used in offset dir can be used directly to do this, and we also update the last_index when we llseek the dir file. [brauner: only update last_index after seek when offset is zero like Jan suggested]
2024-09-13
not yet calculated
CVE-2024-46701
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Mark XDomain as unplugged when router is removed I noticed that when we do a discrete host router NVM upgrade and it gets hot-removed from the PCIe side as a result of NVM firmware authentication, if there is another host connected with enabled paths we hang in tearing them down. This is due to the fact that the Thunderbolt networking driver also tries to clean up the paths and ends up blocking in tb_disconnect_xdomain_paths() waiting for the domain lock. However, at this point we have already cleaned the paths in tb_stop(), so there is really no need for tb_disconnect_xdomain_paths() to do that anymore. Furthermore, it already checks if the XDomain is unplugged and bails out early, so take advantage of that and mark the XDomain as unplugged when we remove the parent router.
2024-09-13
not yet calculated
CVE-2024-46702
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: Revert "serial: 8250_omap: Set the console genpd always on if no console suspend" This reverts commit 68e6939ea9ec3d6579eadeab16060339cdeaf940. Kevin reported that this causes a crash during suspend on platforms that don’t use PM domains.
2024-09-13
not yet calculated
CVE-2024-46703
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: workqueue: Fix spurious data race in __flush_work() When flushing a work item for cancellation, __flush_work() knows that it exclusively owns the work item through its PENDING bit. 134874e2eee9 ("workqueue: Allow cancel_work_sync() and disable_work() from atomic contexts on BH work items") added a read of @work->data to determine whether to use busy wait for BH work items that are being canceled. While the read is safe when @from_cancel, @work->data was read before testing @from_cancel to simplify code structure: data = *work_data_bits(work); if (from_cancel && !WARN_ON_ONCE(data & WORK_STRUCT_PWQ) && (data & WORK_OFFQ_BH)) { While the read data was never used if !@from_cancel, this could trigger KCSAN data race detection spuriously ("BUG: KCSAN: data-race in __flush_work / __flush_work"). Reorganize the code so that @from_cancel is tested before @work->data is accessed. The only problem is triggering KCSAN detection spuriously. This shouldn’t need READ_ONCE() or other access qualifiers. No functional changes.
2024-09-13
not yet calculated
CVE-2024-46704
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: drm/xe: reset mmio mappings with devm Set our various mmio mappings to NULL. This should make it easier to catch something rogue trying to mess with mmio after device removal. For example, we might unmap everything and then start hitting some mmio address which has already been unmapped by us and then remapped by something else, causing all kinds of carnage.
2024-09-13
not yet calculated
CVE-2024-46705
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: tty: serial: fsl_lpuart: mark last busy before uart_add_one_port With "earlycon initcall_debug=1 loglevel=8" in bootargs, the kernel sometimes hangs at boot. This is because the normal console is still not ready, but runtime suspend is called, so the early console putchar will hang waiting for TRDE to be set in UARTSTAT. The lpuart driver has the auto suspend delay set to 3000ms, but during uart_add_one_port, a child device serial ctrl will be added and probed with its pm runtime enabled (see serial_ctrl.c). The runtime suspend call path is: device_add |-> bus_probe_device |-> device_initial_probe |-> __device_attach |-> pm_runtime_get_sync(dev->parent); |-> pm_request_idle(dev); |-> pm_runtime_put(dev->parent); So in the end, before the normal console is ready, the lpuart gets runtime suspended, and the earlycon putchar will hang. To address the issue, mark last busy just after pm_runtime_enable; three seconds is long enough to switch from the boot console to the normal console.
2024-09-13
not yet calculated
CVE-2024-46706
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 On a system with a GICv3, if a guest hasn’t been configured with GICv3 and that the host is not capable of GICv2 emulation, a write to any of the ICC_*SGI*_EL1 registers is trapped to EL2. We therefore try to emulate the SGI access, only to hit a NULL pointer as no private interrupt is allocated (no GIC, remember?). The obvious fix is to give the guest what it deserves, in the shape of a UNDEF exception.
2024-09-13
not yet calculated
CVE-2024-46707
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: pinctrl: qcom: x1e80100: Fix special pin offsets Remove the erroneous 0x100000 offset to prevent the boards from crashing on pin state setting, as well as for the intended state changes to take effect.
2024-09-13
not yet calculated
CVE-2024-46708
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix prime with external buffers Make sure that for external buffers the mapping goes through the dma_buf interface instead of trying to access pages directly. External buffers might not provide direct access to readable/writable pages, so to make sure the bo’s created from external dma_bufs can be read, the dma_buf interface has to be used. Fixes crashes in IGT’s kms_prime with vgem. Regular desktop usage won’t trigger this due to the fact that virtual machines will not have multiple GPUs, but it enables better test coverage in IGT.
2024-09-13
not yet calculated
CVE-2024-46709
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Prevent unmapping active read buffers The kms paths keep a persistent map active to read and compare the cursor buffer. These maps can race with each other in a simple scenario where: a) buffer "a" mapped for update b) buffer "a" mapped for compare c) do the compare d) unmap "a" for compare e) update the cursor f) unmap "a" for update At step "e" the buffer has been unmapped and the read contents are bogus. Prevent unmapping of active read buffers by simply keeping a count of how many paths have currently active maps and unmap only when the count reaches 0.
2024-09-13
not yet calculated
CVE-2024-46710
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: fix ID 0 endp usage after multiple re-creations ‘local_addr_used’ and ‘add_addr_accepted’ are decremented for addresses not related to the initial subflow (ID0), because the source and destination addresses of the initial subflows are known from the beginning: they don’t count as "additional local address being used" or "ADD_ADDR being accepted". It is then required not to increment them when the entrypoint used by the initial subflow is removed and re-added during a connection. Without this modification, this entrypoint cannot be removed and re-added more than once.
2024-09-13
not yet calculated
CVE-2024-46711
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Disable coherent dumb buffers without 3d Coherent surfaces only make sense if the host renders to them using accelerated APIs. Without 3d the entire content of dumb buffers stays in the guest, making all of the extra work they’re doing to synchronize between guest and host useless. Configurations without 3d also tend to run with very low graphics memory limits. The pinned console fb, mob cursors and graphical login manager tend to run out of the 16MB of graphics memory that those guests use. Fix it by making sure the coherent dumb buffers are only used on configs with 3d enabled.
2024-09-13
not yet calculated
CVE-2024-46712
416baaa9-dc9f-4396-8d5f-8c081fb06d67

Linux–Linux 
In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization Ole reported that event->mmap_mutex is strictly insufficient to serialize the AUX buffer; add a per-RB mutex to fully serialize it. Note that in the lock order comment the perf_event::mmap_mutex order was already wrong, that is, its nesting under mmap_lock is not new with this patch.
2024-09-13
not yet calculated
CVE-2024-46713
416baaa9-dc9f-4396-8d5f-8c081fb06d67

n/a–n/a 
app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.
2024-09-15
not yet calculated
CVE-2024-46918
cve@mitre.org

n/a–n/a 
An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files.
2024-09-15
not yet calculated
CVE-2024-46938
cve@mitre.org 

n/a–n/a 
In OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) through 13.0.1, a controller with a follower role can configure flow entries in an OpenDaylight clustering deployment.
2024-09-15
not yet calculated
CVE-2024-46942
cve@mitre.org

n/a–n/a 
An issue was discovered in OpenDaylight Authentication, Authorization and Accounting (AAA) through 0.19.3. A rogue controller can join a cluster to impersonate an offline peer, even if this rogue controller does not possess the complete cluster configuration information.
2024-09-15
not yet calculated
CVE-2024-46943
cve@mitre.org

Rockwell Automation–CompactLogix 5380 
A denial-of-service vulnerability exists in the Rockwell Automation affected products when specially crafted packets are sent to the CIP Security Object. If exploited, the device will become unavailable and require a factory reset to recover.
2024-09-12
not yet calculated
CVE-2024-6077
PSIRT@rockwellautomation.com 

lunary-ai–lunary-ai/lunary 
An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the ‘invite user’ functionality to obtain valid JWT tokens. These tokens can be used to compromise target users upon registration for their own arbitrary organizations. The attacker can invite a target email, obtain a one-time use token, retract the invite, and later use the token to reset the password of the target user, leading to full account takeover.
2024-09-13
not yet calculated
CVE-2024-6087
security@huntr.dev

significant-gravitas–significant-gravitas/autogpt 
A vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings. The issue arises when the denylist is configured to block specific commands, such as ‘whoami’ and ‘/bin/whoami’. An attacker can circumvent this restriction by executing commands with a modified path, such as ‘/bin/./whoami’, which is not recognized by the denylist.
2024-09-11
not yet calculated
CVE-2024-6091
security@huntr.dev

lunary-ai–lunary-ai/lunary 
A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and potential account takeover if the email of a user in the target organization is known.
2024-09-13
not yet calculated
CVE-2024-6582
security@huntr.dev

berriai–berriai/litellm 
A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified by `api_base`. This request includes the OpenAI API key. A malicious user can set the `api_base` to their own domain and intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key.
2024-09-13
not yet calculated
CVE-2024-6587
security@huntr.dev
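
The defect described above is a request parameter choosing where a server-held secret gets sent. The following added example, constructed for this bulletin and not litellm's code, contrasts a route that forwards to whatever `api_base` the caller supplies with one that accepts a caller-supplied `api_base` only when its host and scheme are on an exact allowlist. The default base URL, the allowlist contents and the dictionary returned in place of a real HTTP call are assumptions.

```python
from typing import Dict, Set
from urllib.parse import urlsplit

DEFAULT_API_BASE = "https://api.openai.com/v1"  # assumed default

# Constructed allowlist: hostname -> permitted schemes.
ALLOWED_API_BASES: Dict[str, Set[str]] = {
    "api.openai.com": {"https"},
}


class UnsafeApiBase(ValueError):
    """Raised when a caller-supplied api_base must not receive the provider key."""


def validate_api_base(api_base: str, allowed: Dict[str, Set[str]] = ALLOWED_API_BASES) -> str:
    parts = urlsplit(api_base)
    host = parts.hostname or ""          # lower-cased, port stripped
    if parts.username or parts.password:  # https://api.openai.com@attacker.example/
        raise UnsafeApiBase("userinfo in api_base")
    if host not in allowed:               # exact match: no suffix or substring tricks
        raise UnsafeApiBase(f"host {host!r} is not an allowlisted provider")
    if parts.scheme not in allowed[host]:
        raise UnsafeApiBase(f"scheme {parts.scheme!r} not permitted for {host}")
    return api_base


def _upstream(api_base: str, provider_key: str, request_json: dict) -> dict:
    """Stands in for the outbound HTTP call; returns what would be sent."""
    body = {k: v for k, v in request_json.items() if k != "api_base"}
    return {"url": api_base.rstrip("/") + "/chat/completions",
            "headers": {"Authorization": f"Bearer {provider_key}"},
            "json": body}


def vulnerable_route(request_json: dict, provider_key: str) -> dict:
    """The caller picks the destination, and the provider key goes with it."""
    api_base = request_json.get("api_base", DEFAULT_API_BASE)
    return _upstream(api_base, provider_key, request_json)


def hardened_route(request_json: dict, provider_key: str) -> dict:
    """A caller-supplied api_base is honoured only if it passes the allowlist."""
    requested = request_json.get("api_base")
    api_base = validate_api_base(requested) if requested else DEFAULT_API_BASE
    return _upstream(api_base, provider_key, request_json)
```

The allowlist is an exact-hostname match on purpose; `endswith` or substring checks are the usual way such a check gets bypassed. Blocking private address ranges at resolution time is a separate SSRF control not shown here.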

TNB Mobile Solutions–Cockpit Software 
Use of Hard-coded Credentials vulnerability in TNB Mobile Solutions Cockpit Software allows Read Sensitive Strings Within an Executable. This issue affects Cockpit Software: before v2.13.
2024-09-13
not yet calculated
CVE-2024-6656
iletisim@usom.gov.tr 

lunary-ai–lunary-ai/lunary 
A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks.
2024-09-13
not yet calculated
CVE-2024-6862
security@huntr.dev
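
A backend that answers every `Origin` with an allow header lets any web page the user visits call its unauthenticated endpoints and read the responses, which is how a locally hosted instance becomes reachable from the open web. The example below is added for this bulletin and is not lunary's code: it shows the permissive header set next to an allowlisted one, and a server-side guard for state-changing routes such as sign-up or project creation. The origin allowlist and the header names used for the decision are the only assumptions; the `Origin` and `Sec-Fetch-Site` semantics are the browsers' own.

```python
from typing import Dict

# Constructed allowlist of browser origins permitted to call this backend.
ALLOWED_ORIGINS = {"https://app.example.com", "http://localhost:3000"}

_METHODS = "GET, POST, PUT, DELETE"
_HEADERS = "Content-Type, Authorization"


def permissive_cors_headers(request_headers: Dict[str, str]) -> Dict[str, str]:
    """The weak configuration: whatever Origin arrives is reflected as allowed."""
    origin = request_headers.get("Origin", "*")
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Methods": _METHODS,
            "Access-Control-Allow-Headers": _HEADERS}


def strict_cors_headers(request_headers: Dict[str, str],
                        allowed=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Emit CORS headers only for an exact allowlisted Origin. With no headers the
    browser refuses the cross-origin read and fails the preflight."""
    origin = request_headers.get("Origin")
    if origin is None or origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Vary": "Origin",
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Methods": _METHODS,
            "Access-Control-Allow-Headers": _HEADERS}


def accept_state_change(request_headers: Dict[str, str],
                        allowed=ALLOWED_ORIGINS) -> bool:
    """Guard for unauthenticated, state-changing routes. Browsers send Origin on
    cross-origin POSTs and Sec-Fetch-Site on every fetch; a non-browser API
    client sends neither and cannot be a CSRF vector."""
    site = request_headers.get("Sec-Fetch-Site")
    if site in ("same-origin", "none"):
        return True                      # same-origin fetch or direct navigation
    origin = request_headers.get("Origin")
    if origin is not None:
        return origin in allowed         # cross-origin browser request
    if site is not None:
        return False                     # cross-site metadata but no Origin: reject
    return True                          # no browser metadata at all
```

CORS only controls what a page may read; the `accept_state_change` check is what stops the write. Both belong on the server, and neither should be relaxed for "local only" deployments, since the attacking page runs in the same browser as the local instance.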

lunary-ai–lunary-ai/lunary 
An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the `run_id` listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the `run_id` of a public or non-public run.
2024-09-13
not yet calculated
CVE-2024-6867
security@huntr.dev
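
The endpoint described above answers a lookup by `run_id` with the run and all of its children without asking whether the caller may see any of them. The following added example, constructed for this bulletin and not lunary's code, models that query next to one that authorises the root run and then applies the same rule to each child. The run and project tables, the membership model and the rule that an unknown run and a forbidden run both return nothing are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Run:
    id: str
    project_id: str
    parent_id: Optional[str]
    is_public: bool


# Constructed sample data: a public run in project A with one private child in A
# and one private child recorded under project B, plus a private tree in B.
RUNS: List[Run] = [
    Run("run-1", "proj-a", None, is_public=True),
    Run("run-2", "proj-a", "run-1", is_public=False),
    Run("run-3", "proj-b", "run-1", is_public=False),
    Run("run-4", "proj-b", None, is_public=False),
    Run("run-5", "proj-b", "run-4", is_public=False),
]
PROJECT_MEMBERS: Dict[str, Set[str]] = {"proj-a": {"alice"}, "proj-b": {"bob"}}


def related_runs_vulnerable(run_id: str) -> List[Run]:
    """The run plus every run whose parent is run_id, with no access check at all."""
    return [r for r in RUNS if r.id == run_id or r.parent_id == run_id]


def can_read(user: Optional[str], run: Run) -> bool:
    """Public runs are readable by anyone; private runs only by project members."""
    return run.is_public or (user is not None
                             and user in PROJECT_MEMBERS.get(run.project_id, set()))


def related_runs_hardened(user: Optional[str], run_id: str) -> Optional[List[Run]]:
    """Authorise the root first (unknown and forbidden look identical to the
    caller, so the endpoint is not an existence oracle), then filter children."""
    root = next((r for r in RUNS if r.id == run_id), None)
    if root is None or not can_read(user, root):
        return None
    return [r for r in RUNS
            if (r.id == run_id or r.parent_id == run_id) and can_read(user, r)]
```

The per-child filter matters as much as the root check: a public parent does not make its private children public, and children may belong to a different project than their parent.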

Profelis Informatics and Consulting–PassBox 
Improper Authentication, Missing Authentication for Critical Function, Improper Authorization vulnerability in Profelis Informatics and Consulting PassBox allows Authentication Abuse. This issue affects PassBox: before v1.2.
2024-09-09
not yet calculated
CVE-2024-7015
iletisim@usom.gov.tr 

Vidco Software–VOC TESTER 
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Vidco Software VOC TESTER allows Path Traversal. This issue affects VOC TESTER: before 12.34.8.
2024-09-11
not yet calculated
CVE-2024-7609
iletisim@usom.gov.tr 

Citrix–Citrix Workspace app for Windows 
Local privilege escalation allows a low-privileged user to gain SYSTEM privileges in Citrix Workspace app for Windows
2024-09-11
not yet calculated
CVE-2024-7889
secure@citrix.com 

Citrix–Citrix Workspace app for Windows 
Local privilege escalation allows a low-privileged user to gain SYSTEM privileges in Citrix Workspace app for Windows
2024-09-11
not yet calculated
CVE-2024-7890
secure@citrix.com 

Rockwell Automation–Pavilion8 
The Rockwell Automation affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not.
2024-09-12
not yet calculated
CVE-2024-7960
PSIRT@rockwellautomation.com 

Rockwell Automation–Pavilion8 
A path traversal vulnerability exists in the Rockwell Automation affected product. If exploited, the threat actor could upload arbitrary files to the server that could result in a remote code execution.
2024-09-12
not yet calculated
CVE-2024-7961
PSIRT@rockwellautomation.com 

TECNO–com.afmobi.boomplayer 
Improper permission configuration / domain configuration vulnerability of the mobile application (com.afmobi.boomplayer) can lead to account takeover risks.
2024-09-14
not yet calculated
CVE-2024-8039
907edf6c-bf03-423e-ab1a-8da27e1aa1ea

Payara Platform–Payara Server 
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows sensitive credentials to be written in plain text to the server log. This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 4.1.2.191.50.
2024-09-11
not yet calculated
CVE-2024-8097
769c9ae7-73c3-4e47-ae19-903170fc3eb8

Logitech–Logitech Options Plus 
Improper Control of Generation of Code (‘Code Injection’) in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration.
2024-09-10
not yet calculated
CVE-2024-8258
cve-coordination@logitech.com

Rockwell Automation–2800C OptixPanel Compact 
A privilege escalation vulnerability exists in the Rockwell Automation affected products. The vulnerability occurs due to improper default file permissions allowing users to exfiltrate credentials and escalate privileges.
2024-09-12
not yet calculated
CVE-2024-8533
PSIRT@rockwellautomation.com 

TechExcel Software Solutions–Back Office Software 
This vulnerability exists in TechExcel Back Office Software versions prior to 1.0.0 due to improper access controls on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter in the API request URL, which could lead to unauthorized access to sensitive information belonging to other users.
2024-09-09
not yet calculated
CVE-2024-8601
vdisclose@cert-in.org.in 

Eclipse Foundation–Eclipse EDC Connector 
In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. Exploitation requires a dataplane configured to support HTTP proxy consumer pull AND the module "transfer-data-plane" to be included. The affected code was marked deprecated from version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.
2024-09-11
not yet calculated
CVE-2024-8642
emo@eclipse.org
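
A validator that verifies the signature but never looks at `exp`, `nbf` or `iat` will accept a token for as long as the signing key lives, which is the condition the entry above describes. The example below is added for this bulletin and is not Eclipse EDC code: it builds a compact HMAC-signed token in JWT layout, then shows a signature-only validator next to one that also enforces the three time claims with a small clock-skew allowance. The toy issuer, the HS256 choice, the 30-second leeway and treating `exp` as mandatory are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    """Raised when a token fails validation."""


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Toy issuer (assumed): header.payload.signature with HMAC-SHA256."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"


def verify_signature(token: str, key: bytes) -> dict:
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise TokenError("malformed token") from None
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig)):
        raise TokenError("bad signature")
    return json.loads(_unb64u(payload))


def validate_vulnerable(token: str, key: bytes) -> dict:
    """Signature only: an expired or not-yet-valid token is accepted."""
    return verify_signature(token, key)


def validate_hardened(token: str, key: bytes, now: Optional[float] = None,
                      leeway: int = 30) -> dict:
    """Signature plus the time claims. exp is required; nbf and iat are checked
    when present. leeway absorbs clock drift between issuer and validator."""
    now = time.time() if now is None else now
    claims = verify_signature(token, key)
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise TokenError("missing exp")
    if now > exp + leeway:
        raise TokenError("token expired")
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        raise TokenError("token not yet valid")
    iat = claims.get("iat")
    if iat is not None and iat > now + leeway:
        raise TokenError("token issued in the future")
    return claims
```

Passing `now` explicitly keeps the validator testable and makes the skew window visible in review; in production it defaults to the wall clock. A token without `exp` is rejected rather than treated as non-expiring.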

Palo Alto Networks–PAN-OS 
A command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as root on the firewall.
2024-09-11
not yet calculated
CVE-2024-8686
psirt@paloaltonetworks.com 

Palo Alto Networks–PAN-OS 
An information exposure vulnerability exists in Palo Alto Networks PAN-OS software that enables a GlobalProtect end user to learn both the configured GlobalProtect uninstall password and the configured disable or disconnect passcode. After the password or passcode is known, end users can uninstall, disable, or disconnect GlobalProtect even if the GlobalProtect app configuration would not normally permit them to do so.
2024-09-11
not yet calculated
CVE-2024-8687
psirt@paloaltonetworks.com 

Palo Alto Networks–PAN-OS 
An improper neutralization of matching symbols vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables authenticated administrators (including read-only administrators) with access to the CLI to read arbitrary files on the firewall.
2024-09-11
not yet calculated
CVE-2024-8688
psirt@paloaltonetworks.com 

Palo Alto Networks–ActiveMQ Content Pack 
A problem with the ActiveMQ integration for both Cortex XSOAR and Cortex XSIAM can result in the cleartext exposure of the configured ActiveMQ credentials in log bundles.
2024-09-11
not yet calculated
CVE-2024-8689
psirt@paloaltonetworks.com 

Palo Alto Networks–Cortex XDR Agent 
A problem with a detection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices enables a user with Windows administrator privileges to disable the agent. This issue may be leveraged by malware to disable the Cortex XDR agent and then to perform malicious activity.
2024-09-11
not yet calculated
CVE-2024-8690
psirt@paloaltonetworks.com 

Palo Alto Networks–PAN-OS 
A vulnerability in the GlobalProtect portal in Palo Alto Networks PAN-OS software enables a malicious authenticated GlobalProtect user to impersonate another GlobalProtect user. Active GlobalProtect users impersonated by an attacker who is exploiting this vulnerability are disconnected from GlobalProtect. Upon exploitation, PAN-OS logs indicate that the impersonated user authenticated to GlobalProtect, which hides the identity of the attacker.
2024-09-11
not yet calculated
CVE-2024-8691
psirt@paloaltonetworks.com 


AI Summary and Description: Yes

**Summary:** The provided text comprises a comprehensive list of vulnerabilities discovered in various products across different platforms and applications, detailing the nature of each vulnerability, CVSS scores, and relevant patch information. For professionals in security, compliance, and infrastructure management, this represents critical intelligence on the current threat landscape, emphasizing the importance of prompt remediation to mitigate potential risks.

**Detailed Description:**
The text presents a detailed compilation of high, medium, and low vulnerabilities, including specific information on the products affected, a description of the vulnerabilities, their CVSS scores (ranging from critical to low), and source information for further investigation or reporting. Below are some key takeaways:

– **General Insights:**
– The text underscores prevalent issue classes such as SQL injection, remote code execution, cross-site scripting (XSS), and improper authentication across a wide range of applications and devices.
– Multiple entries are related to well-known platforms like Microsoft, Adobe, Siemens, and Cisco, illustrating that vulnerabilities are not restricted to niche applications but affect widely used software and hardware.

– **Notable Vulnerabilities:**
– Many entries have a CVSS score of 10, indicating critical vulnerabilities such as RCE and SQL injection that could lead to severe data breaches or system compromise.
– Specific examples include:
– **Siemens Industrial Edge Management Pro**: CVE-2024-45032, which allows an unauthenticated remote attacker to impersonate devices due to improper device token validation.
– **Baxter Connex Health Portal**: CVE-2024-6795 highlights SQL injection vulnerabilities that could grant unauthorized access to the database.
– **Elastic Kibana**: CVE-2024-37288 identifies a deserialization issue that could lead to arbitrary code execution, particularly affecting users employing specific AI tools.

– **Patch Recommendations:**
– Several vulnerabilities are noted as having received mitigative patches or fixes, pointing towards the urgency of updating affected systems or software. Professionals are encouraged to check their current versions against the recommended updates to safeguard against these vulnerabilities.

– **Severity Ratings and Response:**
– The vulnerabilities are rated by their CVSS scores, which can help organizations prioritize remediation efforts based on the severity of the vulnerabilities.
– Regular monitoring and patch management are imperative for organizations to ensure compliance and reduce the risk of exploitation of known vulnerabilities.

This compilation serves as a crucial tool for security, compliance, and IT infrastructure professionals to proactively manage risks and maintain a robust security posture. It reinforces the necessity of current awareness around vulnerabilities to preemptively protect digital assets from exploitation.