電腦維修中心每天都會更新以下電腦病毒及入侵警告, 希望大家可以及早留意; 以免因病毒感染而引致資料遺失或硬件損壞!
Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
---|---|---|---|---|---|
acnoo -- flutter_api |
Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API allows Authentication Bypass.This issue affects Acnoo Flutter API: from n/a through 1.0.5. | 2024-10-28 | 9.8 | CVE-2024-50486 | audit@patchstack.com |
adirectory--aDirectory |
Unrestricted Upload of File with Dangerous Type vulnerability in adirectory aDirectory allows Upload a Web Shell to a Web Server.This issue affects aDirectory: from n/a through 1.3. | 2024-10-29 | 10 | CVE-2024-50420 | audit@patchstack.com |
Ajar Productions--Ajar in5 Embed |
Unrestricted Upload of File with Dangerous Type vulnerability in Ajar Productions Ajar in5 Embed allows Upload a Web Shell to a Web Server.This issue affects Ajar in5 Embed: from n/a through 3.1.3. | 2024-10-29 | 10 | CVE-2024-50473 | audit@patchstack.com |
Amin Omer--Sudan Payment Gateway for WooCommerce |
Unrestricted Upload of File with Dangerous Type vulnerability in Amin Omer Sudan Payment Gateway for WooCommerce allows Upload a Web Shell to a Web Server.This issue affects Sudan Payment Gateway for WooCommerce: from n/a through 1.2.2. | 2024-10-29 | 10 | CVE-2024-50494 | audit@patchstack.com |
amu02aftab--Enable Shortcodes inside Widgets,Comments and Experts |
The The Enable Shortcodes inside Widgets,Comments and Experts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 2024-10-30 | 7.3 | CVE-2024-9846 | security@wordfence.com security@wordfence.com security@wordfence.com |
Andy Moyle--Church Admin |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Andy Moyle Church Admin allows Reflected XSS.This issue affects Church Admin: from n/a before 5.0.0. | 2024-10-28 | 7.1 | CVE-2024-50438 | audit@patchstack.com |
Apache Software Foundation--Apache Lucene.Net.Replicator |
Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access. Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue. | 2024-10-31 | 8 | CVE-2024-43383 | security@apache.org |
apple -- ipados |
A custom URL scheme handling issue was addressed with improved input validation. This issue is fixed in iOS 18.1 and iPadOS 18.1. A remote attacker may be able to break out of Web Content sandbox. | 2024-10-28 | 9.6 | CVE-2024-40867 | product-security@apple.com |
apple -- ipados |
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sequoia 15, iOS 17.7 and iPadOS 17.7, macOS Sonoma 14.7, visionOS 2, iOS 18 and iPadOS 18. Processing a maliciously crafted file may lead to heap corruption. | 2024-10-28 | 7.8 | CVE-2024-44126 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
This issue was addressed with improved checks. This issue is fixed in iOS 17.7.1 and iPadOS 17.7.1, macOS Sonoma 14.7.1, iOS 18.1 and iPadOS 18.1. Processing a maliciously crafted file may lead to heap corruption. | 2024-10-28 | 7.8 | CVE-2024-44218 | product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
A logic issue was addressed with improved file handling. This issue is fixed in iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, visionOS 2.1, tvOS 18.1. Restoring a maliciously crafted backup file may lead to modification of protected system files. | 2024-10-28 | 7.1 | CVE-2024-44252 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
A path handling issue was addressed with improved logic. This issue is fixed in visionOS 2.1, iOS 18.1 and iPadOS 18.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, tvOS 18.1. A malicious app may be able to run arbitrary shortcuts without user consent. | 2024-10-28 | 7.8 | CVE-2024-44255 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, visionOS 2.1, tvOS 18.1. Restoring a maliciously crafted backup file may lead to modification of protected system files. | 2024-10-28 | 7.1 | CVE-2024-44258 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 18.1 and iPadOS 18.1, watchOS 11.1, visionOS 2.1, tvOS 18.1. An app may be able to cause unexpected system termination or corrupt kernel memory. | 2024-10-28 | 7.8 | CVE-2024-44285 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- macos |
A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sequoia 15, macOS Sonoma 14.7.1. An application may be able to break out of its sandbox. | 2024-10-28 | 8.8 | CVE-2024-44122 | product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- macos |
A logic issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A sandboxed process may be able to circumvent sandbox restrictions. | 2024-10-28 | 8.6 | CVE-2024-44270 | product-security@apple.com product-security@apple.com |
apple -- macos |
A path deletion vulnerability was addressed by preventing vulnerable code from running with privileges. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to bypass Privacy preferences. | 2024-10-28 | 7.1 | CVE-2024-44156 | product-security@apple.com product-security@apple.com |
apple -- macos |
A path deletion vulnerability was addressed by preventing vulnerable code from running with privileges. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to bypass Privacy preferences. | 2024-10-28 | 7.1 | CVE-2024-44159 | product-security@apple.com product-security@apple.com |
apple -- macos |
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access a user's Photos Library. | 2024-10-28 | 7.5 | CVE-2024-44203 | product-security@apple.com |
apple -- macos |
This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15. An app may be able to bypass certain Privacy preferences. | 2024-10-28 | 7.5 | CVE-2024-44208 | product-security@apple.com |
apple -- macos |
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to read sensitive location information. | 2024-10-28 | 7.5 | CVE-2024-44289 | product-security@apple.com product-security@apple.com |
apple -- xcode |
This issue was addressed with improved permissions checking. This issue is fixed in Xcode 16. An app may be able to inherit Xcode permissions and access user data. | 2024-10-28 | 7.5 | CVE-2024-44228 | product-security@apple.com |
Apple--iOS and iPadOS |
A permissions issue was addressed by removing vulnerable code and adding additional checks. This issue is fixed in iOS 18 and iPadOS 18. Password autofill may fill in passwords after failing authentication. | 2024-10-28 | 9.1 | CVE-2024-44217 | product-security@apple.com |
Apple--macOS |
The issue was addressed with improved input sanitization. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to break out of its sandbox. | 2024-10-28 | 9.3 | CVE-2024-44256 | product-security@apple.com product-security@apple.com |
Apple--macOS |
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to modify protected parts of the file system. | 2024-10-28 | 7.5 | CVE-2024-44196 | product-security@apple.com product-security@apple.com |
Apple--macOS |
A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to modify protected parts of the file system. | 2024-10-28 | 7.7 | CVE-2024-44280 | product-security@apple.com product-security@apple.com |
Apple--macOS |
This issue was addressed with additional entitlement checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to modify protected parts of the file system. | 2024-10-28 | 7.7 | CVE-2024-44295 | product-security@apple.com product-security@apple.com |
Apple--visionOS |
This issue was addressed through improved state management. This issue is fixed in iOS 17.7.1 and iPadOS 17.7.1, visionOS 2.1, iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1, Safari 18.1. An attacker may be able to misuse a trust relationship to download malicious content. | 2024-10-28 | 8.8 | CVE-2024-44259 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
Apple--visionOS |
The issue was addressed with improved memory handling. This issue is fixed in iOS 18.1 and iPadOS 18.1, visionOS 2.1, tvOS 18.1. An app may be able to cause unexpected system termination or corrupt kernel memory. | 2024-10-28 | 7.7 | CVE-2024-44277 | product-security@apple.com product-security@apple.com product-security@apple.com |
autodesk -- autocad |
A maliciously crafted DWG file, when parsed through Autodesk AutoCAD and certain AutoCAD-based products, can force an Out-of-Bounds Write. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-7991 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted DWG file, when parsed through Autodesk AutoCAD and certain AutoCAD-based products, can force a Stack-based Buffer Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-7992 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted SLDPRT file when parsed in odxsw_dll.dll through Autodesk AutoCAD can force a Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8588 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted SLDPRT file when parsed in odxsw_dll.dll through Autodesk AutoCAD can force a Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8589 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted 3DM file when parsed in atf_api.dll through Autodesk AutoCAD can force a Use-After-Free vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8590 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted 3DM file when parsed in AcTranslators.exe through Autodesk AutoCAD can force a Heap-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8591 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted CATPART file when parsed in AcTranslators.exe through Autodesk AutoCAD can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8592 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted CATPART file when parsed in ASMKERN230A.dll through Autodesk AutoCAD can force a Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8593 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted MODEL file when parsed in libodxdll.dll through Autodesk AutoCAD can force a Heap-Based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8594 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted MODEL file when parsed in libodxdll.dll through Autodesk AutoCAD can force a Use-After-Free vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8595 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted MODEL file when parsed in libodxdll.dll through Autodesk AutoCAD can force an Out-of-Bound Write vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8596 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted STP file when parsed in ASMDATAX230A.dll through Autodesk AutoCAD can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8597 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted STP file when parsed in ACTranslators.exe through Autodesk AutoCAD can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8598 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted STP file when parsed in ACTranslators.exe through Autodesk AutoCAD can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8599 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted SLDPRT file when parsed in odxsw_dll.dll through Autodesk AutoCAD can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8600 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted DXF file when parsed in acdb25.dll through Autodesk AutoCAD can force to access a variable prior to initialization. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8896 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted DWG file when parsed in ACAD.exe through Autodesk AutoCAD can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-9489 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted 3DM file when parsed in atf_api.dll through Autodesk AutoCAD can force a Use-After-Free vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-9826 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted CATPART file when parsed in CC5Dll.dll through Autodesk AutoCAD can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-9827 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted DWG file when parsed in acdb25.dll through Autodesk AutoCAD can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-9996 | psirt@autodesk.com |
autodesk -- autocad |
A maliciously crafted DWG file when parsed in acdb25.dll through Autodesk AutoCAD can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-9997 | psirt@autodesk.com |
Autodesk--AutoCAD |
A maliciously crafted SLDPRT file when parsed in odxsw_dll.dll through Autodesk AutoCAD can force a Heap Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. | 2024-10-29 | 7.8 | CVE-2024-8587 | psirt@autodesk.com |
Automattic--Newspack Blocks |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic Newspack Blocks allows Path Traversal.This issue affects Newspack Blocks: from n/a through 3.0.8. | 2024-11-01 | 8.5 | CVE-2024-37423 | audit@patchstack.com |
Azexo--Marketing Automation by AZEXO |
Incorrect Privilege Assignment vulnerability in Azexo Marketing Automation by AZEXO allows Privilege Escalation.This issue affects Marketing Automation by AZEXO: from n/a through 1.27.80. | 2024-10-30 | 8.8 | CVE-2024-50506 | audit@patchstack.com |
azexo--Marketing Automation by AZEXO |
Unrestricted Upload of File with Dangerous Type vulnerability in azexo Marketing Automation by AZEXO allows Upload a Web Shell to a Web Server.This issue affects Marketing Automation by AZEXO: from n/a through 1.27.80. | 2024-10-29 | 9.9 | CVE-2024-50480 | audit@patchstack.com |
buynowdepot -- advanced_online_ordering_and_delivery_platform |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BuyNowDepot Advanced Online Ordering and Delivery Platform allows PHP Local File Inclusion.This issue affects Advanced Online Ordering and Delivery Platform: from n/a through 2.0.0. | 2024-10-28 | 9.8 | CVE-2024-50497 | audit@patchstack.com |
Carl Alberto--Simple Custom Admin |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Carl Alberto Simple Custom Admin allows Reflected XSS.This issue affects Simple Custom Admin: from n/a through 1.2. | 2024-10-29 | 7.1 | CVE-2024-49647 | audit@patchstack.com |
CHANGING Information Technology--IDExpert |
IDExpert from CHANGING Information Technology does not properly validate a specific parameter in the administrator interface, allowing remote attackers with administrative privileges to inject and execute OS commands on the server. | 2024-11-01 | 7.2 | CVE-2024-10653 | twcert@cert.org.tw twcert@cert.org.tw |
Chetan Khandla--Woocommerce Product Design |
Unrestricted Upload of File with Dangerous Type vulnerability in Chetan Khandla Woocommerce Product Design allows Upload a Web Shell to a Web Server.This issue affects Woocommerce Product Design: from n/a through 1.0.0. | 2024-10-29 | 10 | CVE-2024-50482 | audit@patchstack.com |
Chetan Khandla--Woocommerce Product Design |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Chetan Khandla Woocommerce Product Design allows Path Traversal.This issue affects Woocommerce Product Design: from n/a through 1.0.0. | 2024-10-30 | 8.6 | CVE-2024-50509 | audit@patchstack.com |
Chetan Khandla--Woocommerce Product Design |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Chetan Khandla Woocommerce Product Design allows Path Traversal.This issue affects Woocommerce Product Design: from n/a through 1.0.0. | 2024-10-30 | 7.5 | CVE-2024-50508 | audit@patchstack.com |
code-projects--Courier Management System |
A vulnerability was found in code-projects Courier Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /track-result.php. The manipulation of the argument Consignment leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 7.3 | CVE-2024-10607 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
code-projects--Courier Management System |
A vulnerability was found in code-projects Courier Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /login.php. The manipulation of the argument txtusername leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 7.3 | CVE-2024-10608 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
code-projects--E-Health Care System |
A vulnerability, which was classified as critical, has been found in code-projects E-Health Care System 1.0. Affected by this issue is some unknown functionality of the file /Admin/adminlogin.php. The manipulation of the argument email/admin_pswd as part of String leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only mentions the parameter "email" to be affected. But it must be assumed that parameter "admin_pswd" is affected as well. | 2024-11-03 | 7.3 | CVE-2024-10739 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
code-projects--E-Health Care System |
A vulnerability has been found in code-projects E-Health Care System 1.0 and classified as critical. This vulnerability affects unknown code of the file /Users/registration.php. The manipulation of the argument f_name leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2024-11-03 | 7.3 | CVE-2024-10741 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
code-projects--Restaurant Order System |
A vulnerability was found in code-projects Restaurant Order System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument uid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-11-03 | 7.3 | CVE-2024-10733 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
code-projects--Simple Car Rental System |
A vulnerability classified as critical has been found in code-projects Simple Car Rental System 1.0. Affected is an unknown function of the file /signup.php. The manipulation of the argument fname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-11-02 | 7.3 | CVE-2024-10702 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
code-projects--Wazifa System |
A vulnerability was found in code-projects Wazifa System 1.0. It has been classified as critical. This affects an unknown part of the file /controllers/logincontrol.php. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-11-02 | 7.3 | CVE-2024-10699 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
codezips -- hospital_appointment_system |
A vulnerability, which was classified as critical, was found in Codezips Hospital Appointment System 1.0. This affects an unknown part of the file /loginAction.php. The manipulation of the argument Username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-10-28 | 9.8 | CVE-2024-10449 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
codezips -- online_institute_management_system |
A vulnerability, which was classified as critical, has been found in Codezips Online Institute Management System 1.0. This issue affects some unknown processing of the file /login.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-10-30 | 9.8 | CVE-2024-10509 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
codezips -- pet_shop_management_system |
A vulnerability, which was classified as critical, was found in Codezips Pet Shop Management System 1.0. Affected is an unknown function of the file birdsadd.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-10-31 | 9.8 | CVE-2024-10556 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
codezips -- pet_shop_management_system |
A vulnerability was found in Codezips Pet Shop Management System 1.0. It has been classified as critical. This affects an unknown part of the file birdsupdate.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-10-31 | 9.8 | CVE-2024-10561 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Codezips--Free Exam Hall Seating Management System |
A vulnerability classified as critical was found in Codezips Free Exam Hall Seating Management System 1.0. This vulnerability affects unknown code of the file /login.php. The manipulation of the argument email leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-10-30 | 7.3 | CVE-2024-10507 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Codezips--Free Exam Hall Seating Management System |
A vulnerability was found in Codezips Free Exam Hall Seating Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /student.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-11-03 | 7.3 | CVE-2024-10736 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Codezips--Free Exam Hall Seating Management System |
A vulnerability classified as critical has been found in Codezips Free Exam Hall Seating Management System 1.0. Affected is an unknown function of the file /teacher.php. The manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-11-03 | 7.3 | CVE-2024-10737 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
CozyThemes--Cozy Blocks |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CozyThemes Cozy Blocks allows Stored XSS.This issue affects Cozy Blocks: from n/a through 2.0.15. | 2024-10-28 | 7.4 | CVE-2024-50441 | audit@patchstack.com |
cure53--DOMPurify |
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2. | 2024-10-31 | 9.1 | CVE-2024-48910 | security-advisories@github.com security-advisories@github.com |
D3TN--D3TN |
Reachable Assertion in BPv7 parser in µD3TN v0.14.0 allows attacker to disrupt service via malformed Extension Block | 2024-10-28 | 7.5 | CVE-2024-10455 | cve@gitlab.com |
Daniel Schmitzer--DS.DownloadList |
Deserialization of Untrusted Data vulnerability in Daniel Schmitzer DS.DownloadList allows Object Injection.This issue affects DS.DownloadList: from n/a through 1.3. | 2024-10-30 | 9.8 | CVE-2024-50507 | audit@patchstack.com |
David DONISA--WP donimedia carousel |
Unrestricted Upload of File with Dangerous Type vulnerability in David DONISA WP donimedia carousel allows Upload a Web Shell to a Web Server.This issue affects WP donimedia carousel: from n/a through 1.0.1. | 2024-10-30 | 9.9 | CVE-2024-50511 | audit@patchstack.com |
Delta Electronics--InfraSuite Device Master |
Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication. | 2024-10-30 | 9.8 | CVE-2024-10456 | ics-cert@hq.dhs.gov |
Deryck Oate--User Toolkit |
Authentication Bypass Using an Alternate Path or Channel vulnerability in Deryck Oñate User Toolkit allows Authentication Bypass.This issue affects User Toolkit: from n/a through 1.2.3. | 2024-10-30 | 9.8 | CVE-2024-50503 | audit@patchstack.com |
Devsoft Baltic O--SurveyJS: Drag & Drop WordPress Form Builder |
Unrestricted Upload of File with Dangerous Type vulnerability in Devsoft Baltic OÜ SurveyJS: Drag & Drop WordPress Form Builder.This issue affects SurveyJS: Drag & Drop WordPress Form Builder: from n/a through 1.9.136. | 2024-10-29 | 9.9 | CVE-2024-50427 | audit@patchstack.com |
Eclipse Foundation--mosquitto |
In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients. | 2024-10-30 | 9.1 | CVE-2024-10525 | emo@eclipse.org emo@eclipse.org emo@eclipse.org |
Eclipse Foundation--mosquitto |
In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker a double free will occur with a subsequent crash of the broker. | 2024-10-30 | 7.5 | CVE-2024-3935 | emo@eclipse.org emo@eclipse.org emo@eclipse.org |
esafenet -- cdg |
A vulnerability was found in ESAFENET CDG 5. It has been declared as critical. Affected by this vulnerability is the function delFile/delDifferCourseList of the file /com/esafenet/servlet/ajax/PublicDocInfoAjax.java. The manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-10-31 | 9.8 | CVE-2024-10595 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
gaizhenbiao -- chuanhuchatgpt |
A file overwrite vulnerability exists in gaizhenbiao/chuanhuchatgpt versions <= 20240410. This vulnerability allows an attacker to gain unauthorized access to overwrite critical configuration files within the system. Exploiting this vulnerability can lead to unauthorized changes in system behavior or security settings. Additionally, tampering with these configuration files can result in a denial of service (DoS) condition, disrupting normal system operation. | 2024-10-29 | 9.1 | CVE-2024-5823 | security@huntr.dev security@huntr.dev |
gaizhenbiao -- chuanhuchatgpt |
An arbitrary file read vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240628 due to insufficient validation when loading prompt template files. An attacker can read any file that matches specific criteria using an absolute path. The file must not have a .json extension and, except for the first line, every other line must contain commas. This vulnerability allows reading parts of format-compliant files, including code and log files, which may contain highly sensitive information such as account credentials. | 2024-10-29 | 7.5 | CVE-2024-7962 | security@huntr.dev security@huntr.dev |
gaizhenbiao--gaizhenbiao/chuanhuchatgpt |
A path traversal vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability arises from unsanitized input handling in multiple features, including user upload, directory creation, and template loading. Specifically, the load_chat_history function in modules/models/base_model.py allows arbitrary file uploads, potentially leading to remote code execution (RCE). The get_history_names function in utils.py permits arbitrary directory creation. Additionally, the load_template function in utils.py can be exploited to leak the first column of CSV files. These issues stem from improper sanitization of user inputs concatenated with directory paths using os.path.join. | 2024-10-29 | 9.1 | CVE-2024-5982 | security@huntr.dev security@huntr.dev |
Geek Code Lab--Login As Users |
Missing Authorization vulnerability in Geek Code Lab Login As Users allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Login As Users: from n/a through 1.4.3. | 2024-11-01 | 8.8 | CVE-2024-43982 | audit@patchstack.com |
Gifford Cheung, Brian Watanabe, Chongsun Ahn--Google Docs RSVP |
Cross-Site Request Forgery (CSRF) vulnerability in Gifford Cheung, Brian Watanabe, Chongsun Ahn Google Docs RSVP allows Stored XSS.This issue affects Google Docs RSVP: from n/a through 2.0.1. | 2024-10-29 | 7.1 | CVE-2024-49672 | audit@patchstack.com |
Google--Chrome |
Out of bounds write in Dawn in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical) | 2024-10-29 | 8.8 | CVE-2024-10487 | chrome-cve-admin@google.com chrome-cve-admin@google.com |
Google--Chrome |
Use after free in WebRTC in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2024-10-29 | 8.8 | CVE-2024-10488 | chrome-cve-admin@google.com chrome-cve-admin@google.com |
GRN Software Group GmbH--GRN spendino Spendenformular |
Missing Authorization vulnerability in GRÃœN Software Group GmbH GRÃœN spendino Spendenformular allows Privilege Escalation.This issue affects GRÃœN spendino Spendenformular: from n/a through 1.0.1. | 2024-10-29 | 9.8 | CVE-2024-50476 | audit@patchstack.com |
gwin--WPAdverts Classifieds Plugin |
The WPAdverts - Classifieds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's adverts_add shortcode in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-30 | 7.2 | CVE-2024-10108 | security@wordfence.com security@wordfence.com security@wordfence.com |
HashiCorp--Consul |
A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. | 2024-10-30 | 8.1 | CVE-2024-10005 | security@hashicorp.com |
HashiCorp--Consul |
A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. | 2024-10-30 | 8.3 | CVE-2024-10006 | security@hashicorp.com |
HashiCorp--Vault |
Vault Community and Vault Enterprise ("Vault") clusters using Vault's Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself. This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12. | 2024-10-31 | 7.5 | CVE-2024-8185 | security@hashicorp.com |
Hercules Design--Hercules Core |
Missing Authorization vulnerability in Hercules Design Hercules Core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hercules Core: from n/a through 6.5. | 2024-11-01 | 8.8 | CVE-2024-37232 | audit@patchstack.com |
hitachienergy -- tro610_firmware |
Command injection vulnerability in the Edge Computing UI for the TRO600 series radios that allows for the execution of arbitrary system commands. If exploited, an attacker with write access to the web UI can execute commands on the device with root privileges, far more extensive than what the write privilege intends. | 2024-10-29 | 7.2 | CVE-2024-41153 | cybersecurity@hitachienergy.com |
HP, Inc.--HP Smart Universal Printing Driver |
Client / Server PCs with the HP Smart Universal Printing Driver installed are potentially vulnerable to Remote Code Execution and/or Elevation of Privilege. A client using the HP Smart Universal Printing Driver that sends a print job comprised of a malicious XPS file could potentially lead to Remote Code Execution and/or Elevation of Privilege on the PC. | 2024-10-30 | 7.8 | CVE-2024-9419 | hp-security-alert@hp.com |
IBM--Flexible Service Processor |
IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static credentials which may allow network users to gain service privileges to the FSP. | 2024-10-29 | 9.8 | CVE-2024-45656 | psirt@us.ibm.com |
ioannup--Code Generate |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ioannup Code Generate allows Reflected XSS.This issue affects Code Generate: from n/a through 1.0. | 2024-10-29 | 7.1 | CVE-2024-49646 | audit@patchstack.com |
jetbrains -- youtrack |
In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality | 2024-10-28 | 7.5 | CVE-2024-50574 | cve@jetbrains.com |
Jinwen--js paper |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jinwen js allows Reflected XSS.This issue affects js paper: from n/a through 2.5.7. | 2024-10-29 | 7.1 | CVE-2024-49678 | audit@patchstack.com |
Kiboko Labs--Namaste! LMS |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kiboko Labs Namaste! LMS allows Reflected XSS.This issue affects Namaste! LMS: from n/a through 2.6.2. | 2024-10-29 | 7.1 | CVE-2024-50407 | audit@patchstack.com |
kibokolabs -- namaste\!_lms |
Deserialization of Untrusted Data vulnerability in Kiboko Labs Namaste! LMS allows Object Injection.This issue affects Namaste! LMS: from n/a through 2.6.3. | 2024-10-28 | 8.8 | CVE-2024-50408 | audit@patchstack.com |
langchain -- langchain |
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database. | 2024-10-29 | 9.8 | CVE-2024-7042 | security@huntr.dev security@huntr.dev |
langchain -- langchain |
A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input. | 2024-10-29 | 9.1 | CVE-2024-7774 | security@huntr.dev security@huntr.dev |
langchain -- langchain |
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database. | 2024-10-29 | 9.8 | CVE-2024-8309 | security@huntr.dev security@huntr.dev |
LevelOne--WBR-6012 |
The LevelOne WBR-6012 router with firmware R0.40e6 has an authentication bypass vulnerability in its web application due to reliance on client IP addresses for authentication. Attackers could spoof an IP address to gain unauthorized access without needing a session token. | 2024-10-30 | 9 | CVE-2024-23309 | talos-cna@cisco.com |
LevelOne--WBR-6012 |
The LevelOne WBR-6012 router's web application has a vulnerability in its firmware version R0.40e6, allowing attackers to change the administrator password and gain higher privileges without the current password. | 2024-10-30 | 9.9 | CVE-2024-33699 | talos-cna@cisco.com |
LevelOne--WBR-6012 |
A cross-site request forgery (CSRF) vulnerability exists in the Web Application functionality of the LevelOne WBR-6012 R0.40e6. A specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious web page to trigger this vulnerability. | 2024-10-30 | 8.8 | CVE-2024-24777 | talos-cna@cisco.com |
LevelOne--WBR-6012 |
A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation.The backdoor string can be found at address 0x80100910 80100910 40 6d 21 74 ds "@m!t2K1" 32 4b 31 00 It is referenced by the function located at 0x800b78b0 and is used as shown in the pseudocode below: if ((SECOND_FROM_BOOT_TIME < 300) && (is_equal = strcmp(password,"@m!t2K1")) { return 1;} Where 1 is the return value to admin-level access (0 being fail and 3 being user). | 2024-10-30 | 8.1 | CVE-2024-28875 | talos-cna@cisco.com |
LevelOne--WBR-6012 |
A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation.The password string can be found at addresses 0x 803cdd0f and 0x803da3e6: 803cdd0f 41 72 69 65 ds "AriesSerenaCairryNativitaMegan" 73 53 65 72 65 6e 61 43 ... It is referenced by the function at 0x800b78b0 and simplified in the pseudocode below: if (is_equal = strcmp(password,"AriesSerenaCairryNativitaMegan"){ ret = 3;} Where 3 is the return value to user-level access (0 being fail and 1 being admin/backdoor). While there's no legitimate functionality to change this password, once authenticated it is possible manually make a change by taking advantage of TALOS-2024-XXXXX using HTTP POST paramater "Pu" (new user password) in place of "Pa" (new admin password). | 2024-10-30 | 8.1 | CVE-2024-31151 | talos-cna@cisco.com |
LevelOne--WBR-6012 |
The LevelOne WBR-6012 router firmware R0.40e6 suffers from an input validation vulnerability within its FTP functionality, enabling attackers to cause a denial of service through a series of malformed FTP commands. This can lead to device reboots and service disruption. | 2024-10-30 | 7.5 | CVE-2024-33700 | talos-cna@cisco.com |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: uprobe: avoid out-of-bounds memory access of fetching args Uprobe needs to fetch args into a percpu buffer, and then copy to ring buffer to avoid non-atomic context problem. Sometimes user-space strings, arrays can be very large, but the size of percpu buffer is only page size. And store_trace_args() won't check whether these data exceeds a single page or not, caused out-of-bounds memory access. It could be reproduced by following steps: 1. build kernel with CONFIG_KASAN enabled 2. save follow program as test.c ``` \#include <stdio.h> \#include <stdlib.h> \#include <string.h> // If string length large than MAX_STRING_SIZE, the fetch_store_strlen() // will return 0, cause __get_data_size() return shorter size, and // store_trace_args() will not trigger out-of-bounds access. // So make string length less than 4096. \#define STRLEN 4093 void generate_string(char *str, int n) { int i; for (i = 0; i < n; ++i) { char c = i % 26 + 'a'; str[i] = c; } str[n-1] = '\0'; } void print_string(char *str) { printf("%s\n", str); } int main() { char tmp[STRLEN]; generate_string(tmp, STRLEN); print_string(tmp); return 0; } ``` 3. compile program `gcc -o test test.c` 4. get the offset of `print_string()` ``` objdump -t test | grep -w print_string 0000000000401199 g F .text 000000000000001b print_string ``` 5. configure uprobe with offset 0x1199 ``` off=0x1199 cd /sys/kernel/debug/tracing/ echo "p /root/test:${off} arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring" > uprobe_events echo 1 > events/uprobes/enable echo 1 > tracing_on ``` 6. run `test`, and kasan will report error. ================================================================== BUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0 Write of size 8 at addr ffff88812311c004 by task test/499CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18 Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x55/0x70 print_address_description.constprop.0+0x27/0x310 kasan_report+0x10f/0x120 ? strncpy_from_user+0x1d6/0x1f0 strncpy_from_user+0x1d6/0x1f0 ? rmqueue.constprop.0+0x70d/0x2ad0 process_fetch_insn+0xb26/0x1470 ? __pfx_process_fetch_insn+0x10/0x10 ? _raw_spin_lock+0x85/0xe0 ? __pfx__raw_spin_lock+0x10/0x10 ? __pte_offset_map+0x1f/0x2d0 ? unwind_next_frame+0xc5f/0x1f80 ? arch_stack_walk+0x68/0xf0 ? is_bpf_text_address+0x23/0x30 ? kernel_text_address.part.0+0xbb/0xd0 ? __kernel_text_address+0x66/0xb0 ? unwind_get_return_address+0x5e/0xa0 ? __pfx_stack_trace_consume_entry+0x10/0x10 ? arch_stack_walk+0xa2/0xf0 ? _raw_spin_lock_irqsave+0x8b/0xf0 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? depot_alloc_stack+0x4c/0x1f0 ? _raw_spin_unlock_irqrestore+0xe/0x30 ? stack_depot_save_flags+0x35d/0x4f0 ? kasan_save_stack+0x34/0x50 ? kasan_save_stack+0x24/0x50 ? mutex_lock+0x91/0xe0 ? __pfx_mutex_lock+0x10/0x10 prepare_uprobe_buffer.part.0+0x2cd/0x500 uprobe_dispatcher+0x2c3/0x6a0 ? __pfx_uprobe_dispatcher+0x10/0x10 ? __kasan_slab_alloc+0x4d/0x90 handler_chain+0xdd/0x3e0 handle_swbp+0x26e/0x3d0 ? __pfx_handle_swbp+0x10/0x10 ? uprobe_pre_sstep_notifier+0x151/0x1b0 irqentry_exit_to_user_mode+0xe2/0x1b0 asm_exc_int3+0x39/0x40 RIP: 0033:0x401199 Code: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce RSP: 002b:00007ffdf00576a8 EFLAGS: 00000206 RAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2 RDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0 RBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20 R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040 R13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000 </TASK> This commit enforces the buffer's maxlen less than a page-size to avoid store_trace_args() out-of-memory access. | 2024-10-28 | 7.8 | CVE-2024-50067 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: pinctrl: nuvoton: fix a double free in ma35_pinctrl_dt_node_to_map_func() 'new_map' is allocated using devm_* which takes care of freeing the allocated data on device removal, call to .dt_free_map = pinconf_generic_dt_free_map double frees the map as pinconf_generic_dt_free_map() calls pinctrl_utils_free_map(). Fix this by using kcalloc() instead of auto-managed devm_kcalloc(). | 2024-10-29 | 7.8 | CVE-2024-50071 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <TASK> gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm] __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm] ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 Allocated by task 65: gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm] gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm] gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm] gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm] tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257 Freed by task 3367: kfree+0x126/0x420 mm/slub.c:4580 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 [Analysis] gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl,which leads to the occurrence of uaf. Protect it by gsm tx lock. | 2024-10-29 | 7.8 | CVE-2024-50073 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: parport: Proper fix for array out-of-bounds access The recent fix for array out-of-bounds accesses replaced sprintf() calls blindly with snprintf(). However, since snprintf() returns the would-be-printed size, not the actually output size, the length calculation can still go over the given limit. Use scnprintf() instead of snprintf(), which returns the actually output letters, for addressing the potential out-of-bounds access properly. | 2024-10-29 | 7.8 | CVE-2024-50074 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: tcp: fix mptcp DSS corruption due to large pmtu xmit Syzkaller was able to trigger a DSS corruption: TCP: request_sock_subflow_v4: Possible SYN flooding on port [::]:20002. Sending cookies. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 5227 at net/mptcp/protocol.c:695 __mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695 Modules linked in: CPU: 0 UID: 0 PID: 5227 Comm: syz-executor350 Not tainted 6.11.0-syzkaller-08829-gaf9c191ac2a0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:__mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695 Code: 0f b6 dc 31 ff 89 de e8 b5 dd ea f5 89 d8 48 81 c4 50 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 98 da ea f5 90 <0f> 0b 90 e9 47 ff ff ff e8 8a da ea f5 90 0f 0b 90 e9 99 e0 ff ff RSP: 0018:ffffc90000006db8 EFLAGS: 00010246 RAX: ffffffff8ba9df18 RBX: 00000000000055f0 RCX: ffff888030023c00 RDX: 0000000000000100 RSI: 00000000000081e5 RDI: 00000000000055f0 RBP: 1ffff110062bf1ae R08: ffffffff8ba9cf12 R09: 1ffff110062bf1b8 R10: dffffc0000000000 R11: ffffed10062bf1b9 R12: 0000000000000000 R13: dffffc0000000000 R14: 00000000700cec61 R15: 00000000000081e5 FS: 000055556679c380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020287000 CR3: 0000000077892000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> move_skbs_to_msk net/mptcp/protocol.c:811 [inline] mptcp_data_ready+0x29c/0xa90 net/mptcp/protocol.c:854 subflow_data_ready+0x34a/0x920 net/mptcp/subflow.c:1490 tcp_data_queue+0x20fd/0x76c0 net/ipv4/tcp_input.c:5283 tcp_rcv_established+0xfba/0x2020 net/ipv4/tcp_input.c:6237 tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2350 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5662 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6107 __napi_poll+0xcb/0x490 net/core/dev.c:6771 napi_poll net/core/dev.c:6840 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6962 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554 do_softirq+0x11b/0x1e0 kernel/softirq.c:455 </IRQ> <TASK> __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x1764/0x3e80 net/core/dev.c:4451 dev_queue_xmit include/linux/netdevice.h:3094 [inline] neigh_hh_output include/net/neighbour.h:526 [inline] neigh_output include/net/neighbour.h:540 [inline] ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236 ip_local_out net/ipv4/ip_output.c:130 [inline] __ip_queue_xmit+0x118c/0x1b80 net/ipv4/ip_output.c:536 __tcp_transmit_skb+0x2544/0x3b30 net/ipv4/tcp_output.c:1466 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline] tcp_mtu_probe net/ipv4/tcp_output.c:2547 [inline] tcp_write_xmit+0x641d/0x6bf0 net/ipv4/tcp_output.c:2752 __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:3015 tcp_push_pending_frames include/net/tcp.h:2107 [inline] tcp_data_snd_check net/ipv4/tcp_input.c:5714 [inline] tcp_rcv_established+0x1026/0x2020 net/ipv4/tcp_input.c:6239 tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915 sk_backlog_rcv include/net/sock.h:1113 [inline] __release_sock+0x214/0x350 net/core/sock.c:3072 release_sock+0x61/0x1f0 net/core/sock.c:3626 mptcp_push_ ---truncated--- | 2024-10-29 | 7.5 | CVE-2024-50083 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix user-after-free from session log off There is racy issue between smb2 session log off and smb2 session setup. It will cause user-after-free from session log off. This add session_lock when setting SMB2_SESSION_EXPIRED and referece count to session struct not to free session while it is being used. | 2024-10-29 | 7 | CVE-2024-50086 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix uninitialized pointer free in add_inode_ref() The add_inode_ref() function does not initialize the "name" struct when it is declared. If any of the following calls to "read_one_inode() returns NULL, dir = read_one_inode(root, parent_objectid); if (!dir) { ret = -ENOENT; goto out; } inode = read_one_inode(root, inode_objectid); if (!inode) { ret = -EIO; goto out; } then "name.name" would be freed on "out" before being initialized. out: ... kfree(name.name); This issue was reported by Coverity with CID 1526744. | 2024-10-29 | 7.8 | CVE-2024-50088 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
LiteSpeed Technologies--LiteSpeed Cache |
Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from n/a through 6.5.1. | 2024-10-29 | 8.1 | CVE-2024-50550 | audit@patchstack.com |
lollms -- lollms_web_ui |
A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on behalf of a user, such as deleting a project or sending a message. The issue impacts the confidentiality and integrity of the information. | 2024-10-29 | 7.1 | CVE-2024-6674 | security@huntr.dev security@huntr.dev |
lollms -- lord_of_large_language_models |
A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file. | 2024-10-29 | 9 | CVE-2024-6581 | security@huntr.dev security@huntr.dev |
lubus -- wp_query_console |
Improper Control of Generation of Code ('Code Injection') vulnerability in LUBUS WP Query Console allows Code Injection.This issue affects WP Query Console: from n/a through 1.0. | 2024-10-28 | 9.8 | CVE-2024-50498 | audit@patchstack.com |
Lukas Huser--EKC Tournament Manager |
Cross-Site Request Forgery (CSRF) vulnerability in Lukas Huser EKC Tournament Manager allows Upload a Web Shell to a Web Server.This issue affects EKC Tournament Manager: from n/a through 2.2.1. | 2024-10-31 | 9.6 | CVE-2024-49674 | audit@patchstack.com |
lunary -- lunary |
An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user information. Appropriate access controls should be implemented to ensure that the SAML configuration can only be updated by authorized users. | 2024-10-29 | 9.1 | CVE-2024-7475 | security@huntr.dev security@huntr.dev |
lunary -- lunary |
In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing unauthorized access to external user data. | 2024-10-29 | 8.1 | CVE-2024-7474 | security@huntr.dev security@huntr.dev |
maantheme -- maanstore_api |
Authentication Bypass Using an Alternate Path or Channel vulnerability in MaanTheme MaanStore API allows Authentication Bypass.This issue affects MaanStore API: from n/a through 1.0.1. | 2024-10-28 | 9.8 | CVE-2024-50487 | audit@patchstack.com |
MagePeople Team--WpTravelly |
Missing Authorization vulnerability in MagePeople Team WpTravelly allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WpTravelly: from n/a through 1.7.7. | 2024-11-01 | 7.5 | CVE-2024-43212 | audit@patchstack.com |
mahlamusa--Multi Purpose Mail Form |
Unrestricted Upload of File with Dangerous Type vulnerability in mahlamusa Multi Purpose Mail Form allows Upload a Web Shell to a Web Server.This issue affects Multi Purpose Mail Form: from n/a through 1.0.2. | 2024-10-29 | 10 | CVE-2024-50484 | audit@patchstack.com |
mansurahamed -- woocommerce_quote_calculator |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mansur Ahamed Woocommerce Quote Calculator allows Blind SQL Injection.This issue affects Woocommerce Quote Calculator: from n/a through 1.1. | 2024-10-28 | 9.8 | CVE-2024-50479 | audit@patchstack.com |
masterhomepage--Automatic Translation |
Unrestricted Upload of File with Dangerous Type vulnerability in masterhomepage Automatic Translation allows Upload a Web Shell to a Web Server.This issue affects Automatic Translation: from n/a through 1.0.4. | 2024-10-29 | 10 | CVE-2024-50493 | audit@patchstack.com |
Masteriyo--Masteriyo - LMS |
Missing Authorization vulnerability in Masteriyo Masteriyo - LMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Masteriyo - LMS: from n/a through 1.11.4. | 2024-11-01 | 7.5 | CVE-2024-43158 | audit@patchstack.com |
masteriyo--Masteriyo LMS eLearning and Online Course Builder for WordPress |
The Masteriyo LMS - eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to unauthorized user profile modification due to missing authorization checks on the /wp-json/masteriyo/v1/users/$id REST API endpoint in all versions up to, and including, 1.13.3. This makes it possible for authenticated attackers, with student-level access and above, to modify the roles of arbitrary users. As a result, attackers can escalate their privileges to the Administrator and demote existing administrators to students. | 2024-10-29 | 8.8 | CVE-2024-10008 | security@wordfence.com security@wordfence.com |
Matt Whiteman--Bulk Change Role |
Incorrect Privilege Assignment vulnerability in Matt Whiteman Bulk Change Role allows Privilege Escalation.This issue affects Bulk Change Role: from n/a through 1.1. | 2024-10-30 | 8.8 | CVE-2024-50504 | audit@patchstack.com |
MetaBox.io--Meta Box WordPress Custom Fields Framework |
Missing Authorization vulnerability in MetaBox.Io Meta Box - WordPress Custom Fields Framework allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Meta Box - WordPress Custom Fields Framework: from n/a through 5.9.10. | 2024-11-01 | 7.1 | CVE-2024-43235 | audit@patchstack.com |
Micah Blu--RSVP ME |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Micah Blu RSVP ME allows SQL Injection.This issue affects RSVP ME: from n/a through 1.9.9. | 2024-10-28 | 9.3 | CVE-2024-50491 | audit@patchstack.com |
mintplexlabs -- anythingllm |
mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode. When decoded, the JWT reveals the password in plaintext. This improper storage of sensitive information poses significant security risks, as an attacker who gains access to the JWT can easily decode it and retrieve the password. The issue is fixed in version 1.0.3. | 2024-10-29 | 7.5 | CVE-2024-7783 | security@huntr.dev security@huntr.dev |
mozilla -- firefox |
Memory safety bugs present in Firefox 131, Firefox ESR 128.3, and Thunderbird 128.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. | 2024-10-29 | 8.8 | CVE-2024-10467 | security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org |
mozilla -- firefox |
A permission leak could have occurred from a trusted site to an untrusted site via `embed` or `object` elements. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132. | 2024-10-29 | 7.5 | CVE-2024-10458 | security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org |
mozilla -- firefox |
An attacker could have caused a use-after-free when accessibility was enabled, leading to a potentially exploitable crash. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132. | 2024-10-29 | 7.5 | CVE-2024-10459 | security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org |
mozilla -- firefox |
By sending a specially crafted push message, a remote server could have hung the parent process, causing the browser to become unresponsive. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. | 2024-10-29 | 7.5 | CVE-2024-10466 | security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org |
n/a--lilconfig |
Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. | 2024-10-31 | 8.8 | CVE-2024-21537 | report@snyk.io report@snyk.io report@snyk.io report@snyk.io |
n/a--n/a |
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected. | 2024-10-29 | 10 | CVE-2024-51378 | cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected. | 2024-10-29 | 10 | CVE-2024-51567 | cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters. | 2024-10-29 | 10 | CVE-2024-51568 | cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
Studio-42 eLfinder 2.1.62 is vulnerable to Remote Code Execution (RCE) as there is no restriction for uploading files with the .php8 extension. | 2024-10-31 | 9.8 | CVE-2023-52044 | cve@mitre.org |
n/a--n/a |
An issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request. | 2024-10-28 | 9.8 | CVE-2024-39205 | cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
Webswing 23.2.2 allows remote attackers to modify client-side JavaScript code to achieve path traversal, likely leading to remote code execution via modification of shell scripts on the server. | 2024-10-31 | 9.8 | CVE-2024-39332 | cve@mitre.org |
n/a--n/a |
Glossarizer through 1.5.2 improperly tries to convert text into HTML. Even though the application itself escapes special characters (e.g., <>), the underlying library converts these encoded characters into legitimate HTML, thereby possibly causing stored XSS. Attackers can append a XSS payload to a word that has a corresponding glossary entry. | 2024-10-31 | 9.9 | CVE-2024-42515 | cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component. | 2024-10-31 | 9.8 | CVE-2024-42835 | cve@mitre.org |
n/a--n/a |
In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing. | 2024-10-29 | 9.8 | CVE-2024-48063 | cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. | 2024-10-30 | 9.8 | CVE-2024-48112 | cve@mitre.org cve@mitre.org |
n/a--n/a |
A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template. | 2024-10-29 | 9.8 | CVE-2024-48138 | cve@mitre.org |
n/a--n/a |
icecms <=3.4.7 has a File Upload vulnerability in FileUtils.java,uploadFile. | 2024-10-30 | 9.8 | CVE-2024-48202 | cve@mitre.org |
n/a--n/a |
A Deserialization of Untrusted Data vulnerability in chainer v7.8.1.post1 leads to execution of arbitrary code. | 2024-10-29 | 9.8 | CVE-2024-48206 | cve@mitre.org cve@mitre.org |
n/a--n/a |
JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData. | 2024-10-31 | 9.8 | CVE-2024-48307 | cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
LyLme Spage <=1.6.0 is vulnerable to SQL Injection via /admin/group.php. | 2024-10-28 | 9.8 | CVE-2024-48356 | cve@mitre.org |
n/a--n/a |
LyLme Spage 1.2.0 through 1.6.0 is vulnerable to SQL Injection via /admin/apply.php. | 2024-10-28 | 9.8 | CVE-2024-48357 | cve@mitre.org |
n/a--n/a |
Qualitor v8.24 was discovered to contain a remote code execution (RCE) vulnerability via the gridValoresPopHidden parameter. | 2024-10-31 | 9.8 | CVE-2024-48359 | cve@mitre.org |
n/a--n/a |
The MRBS version 1.5.0 has an SQL injection vulnerability in the edit_entry_handler.php file, specifically in the rooms%5B%5D parameter | 2024-10-28 | 9.8 | CVE-2024-48465 | cve@mitre.org cve@mitre.org |
n/a--n/a |
A NoSQL injection vulnerability in AquilaCMS 1.409.20 and prior allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature. | 2024-10-29 | 9.8 | CVE-2024-48573 | cve@mitre.org |
n/a--n/a |
Projectworlds Online Admission System v1 is vulnerable to SQL Injection in index.php via the 'a_id' parameter. | 2024-10-31 | 9.1 | CVE-2024-51060 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection in add-teacher.php via the mobile number or email parameter. | 2024-10-31 | 9.1 | CVE-2024-51063 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection via the tid parameter to admin/queries.php. | 2024-10-31 | 9.8 | CVE-2024-51064 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Phpgurukul Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in admin/index.php via the the username parameter. | 2024-10-31 | 9.8 | CVE-2024-51065 | cve@mitre.org cve@mitre.org |
n/a--n/a |
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ruequest_certificate function. | 2024-10-31 | 9.8 | CVE-2024-51255 | cve@mitre.org |
n/a--n/a |
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate function. | 2024-10-31 | 9.8 | CVE-2024-51259 | cve@mitre.org |
n/a--n/a |
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the acme_process function. | 2024-10-31 | 9.8 | CVE-2024-51260 | cve@mitre.org |
n/a--n/a |
In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doGRETunnel function. | 2024-10-30 | 9.8 | CVE-2024-51298 | cve@mitre.org |
n/a--n/a |
An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the Owned.setOwner function. NOTE: this is disputed by third parties because the impact is limited to function calls. | 2024-10-30 | 9.8 | CVE-2024-51424 | cve@mitre.org |
n/a--n/a |
An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the mint function. NOTE: this is disputed by third parties because the impact is limited to function calls. | 2024-10-30 | 9.8 | CVE-2024-51427 | cve@mitre.org |
n/a--n/a |
EnGenius EnStation5-AC A8J-ENS500AC 1.0.0 devices allow blind OS command injection via shell metacharacters in the Ping and Speed Test parameters. | 2024-10-30 | 8.8 | CVE-2024-36060 | cve@mitre.org |
n/a--n/a |
The Talkatone com.talkatone.android application 8.4.6 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.talkatone.vedroid.ui.launcher.OutgoingCallInterceptor component. | 2024-10-30 | 8.4 | CVE-2024-37573 | cve@mitre.org |
n/a--n/a |
An issue was discovered in Ollama before 0.1.46. An attacker can use two HTTP requests to upload a malformed GGUF file containing just 4 bytes starting with the GGUF custom magic header. By leveraging a custom Modelfile that includes a FROM statement pointing to the attacker-controlled blob file, the attacker can crash the application through the CreateModel route, leading to a segmentation fault (signal SIGSEGV: segmentation violation). | 2024-10-31 | 8.2 | CVE-2024-39720 | cve@mitre.org cve@mitre.org |
n/a--n/a |
The com.videodownload.browser.videodownloader (aka AppTool-Browser-Video All Video Downloader) application 20-30.05.24 for Android allows an attacker to execute arbitrary JavaScript code via the acr.browser.lightning.DefaultBrowserActivity component. | 2024-10-30 | 8.1 | CVE-2024-42041 | cve@mitre.org |
n/a--n/a |
An authorized RCE vulnerability exists in the DrayTek Vigor2960 router version 1.4.4, where an attacker can place a malicious command into the table parameter of the doPPPoE function in the cgi-bin/mainfunction.cgi route, and finally the command is executed by the system function. | 2024-10-28 | 8 | CVE-2024-48074 | cve@mitre.org |
n/a--n/a |
Unrestricted File Upload in the Discussions tab in Operately v.0.1.0 allows a privileged user to achieve Remote Code Execution via uploading and executing malicious files without validating file extensions or content types. | 2024-10-30 | 8 | CVE-2024-48093 | cve@mitre.org cve@mitre.org |
n/a--n/a |
MRCMS 3.1.2 contains a SQL injection vulnerability via the RID parameter in /admin/article/delete.do. | 2024-10-28 | 8.8 | CVE-2024-48177 | cve@mitre.org |
n/a--n/a |
newbee-mall v1.0.0 is vulnerable to Server-Side Request Forgery (SSRF) via the goodsCoverImg parameter. | 2024-10-28 | 8.1 | CVE-2024-48178 | cve@mitre.org |
n/a--n/a |
An issue in MobaXterm v24.2 allows a local attacker to escalate privileges and execute arbitrary code via the remove function of the MobaXterm MSI is spawning one Administrative cmd (conhost.exe) | 2024-10-31 | 8.4 | CVE-2024-48200 | cve@mitre.org cve@mitre.org |
n/a--n/a |
KERUI HD 3MP 1080P Tuya Camera 1.0.4 has a command injection vulnerability in the module that connects to the local network via a QR code. This vulnerability allows an attacker to create a custom, unauthenticated QR code and abuse one of the parameters, either SSID or PASSWORD, in the JSON data contained within the QR code. By that, the attacker can execute arbitrary code on the camera. | 2024-10-30 | 8.4 | CVE-2024-48214 | cve@mitre.org |
n/a--n/a |
D-Link DSL6740C v6.TR069.20211230 was discovered to use insecure default credentials for Administrator access, possibly allowing attackers to bypass authentication and escalate privileges on the device via a bruteforce attack. | 2024-10-30 | 8.8 | CVE-2024-48271 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Piwigo v14.5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit album function. | 2024-10-31 | 8.8 | CVE-2024-48311 | cve@mitre.org |
n/a--n/a |
File Upload vulnerability in Prison Management System v.1.0 allows a remote attacker to execute arbitrary code via the file upload component. | 2024-10-28 | 8.8 | CVE-2024-48594 | cve@mitre.org |
n/a--n/a |
An Unrestricted File Upload vulnerability exists in Sage 1000 v7.0.0, which allows authorized users to upload files without proper validation. An attacker could exploit this vulnerability by uploading malicious files, such as HTML, scripts, or other executable content, that may be executed on the server, leading to further system compromise. | 2024-10-30 | 8.1 | CVE-2024-48646 | cve@mitre.org |
n/a--n/a |
Tenda AC7 v.15.03.06.44 ate_ifconfig_set has pre-authentication command injection allowing remote attackers to execute arbitrary code. | 2024-10-28 | 8 | CVE-2024-48825 | cve@mitre.org |
n/a--n/a |
Tenda AC7 v.15.03.06.44 ate_iwpriv_set has pre-authentication command injection allowing remote attackers to execute arbitrary code. | 2024-10-28 | 8 | CVE-2024-48826 | cve@mitre.org |
n/a--n/a |
Broken access control in NetAdmin 4.030319 returns data with functionalities on the endpoint that "assembles" the functionalities menus, the return of this call is not encrypted and as the system does not validate the session authorization, an attacker can copy the content of the browser of a user with greater privileges having access to the functionalities of the user that the code was copied. | 2024-10-29 | 8.1 | CVE-2024-48955 | cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability: unrestricted file upload and download could lead to remote code execution. | 2024-10-28 | 8.8 | CVE-2024-50623 | cve@mitre.org |
n/a--n/a |
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the sign_cacertificate function. | 2024-10-31 | 8.8 | CVE-2024-51254 | cve@mitre.org |
n/a--n/a |
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doCertificate function. | 2024-10-30 | 8.8 | CVE-2024-51257 | cve@mitre.org |
n/a--n/a |
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doSSLTunnel function. | 2024-10-30 | 8.8 | CVE-2024-51258 | cve@mitre.org |
n/a--n/a |
In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the pingtrace function. | 2024-10-30 | 8.8 | CVE-2024-51296 | cve@mitre.org |
n/a--n/a |
In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the dumpSyslog function. | 2024-10-30 | 8.8 | CVE-2024-51299 | cve@mitre.org |
n/a--n/a |
In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the get_rrd function. | 2024-10-30 | 8.8 | CVE-2024-51300 | cve@mitre.org |
n/a--n/a |
In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the packet_monitor function. | 2024-10-30 | 8.8 | CVE-2024-51301 | cve@mitre.org |
n/a--n/a |
In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ldap_search_dn function. | 2024-10-30 | 8.8 | CVE-2024-51304 | cve@mitre.org |
n/a--n/a |
An issue in the WaterToken smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact. NOTE: this is disputed by third parties because the impact is limited to function calls. | 2024-10-30 | 8.8 | CVE-2024-51425 | cve@mitre.org |
n/a--n/a |
An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the _transfer function. NOTE: this is disputed by third parties because the impact is limited to function calls. | 2024-10-30 | 8.8 | CVE-2024-51426 | cve@mitre.org |
n/a--n/a |
Asio C++ Library before 1.13.0 lacks a fallback error code in the case of SSL_ERROR_SYSCALL with no associated error information from the SSL library being used. | 2024-10-29 | 7.5 | CVE-2019-25219 | cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
An issue was discovered in Ollama through 0.3.14. File existence disclosure can occur via api/create. When calling the CreateModel route with a path parameter that does not exist, it reflects the "File does not exist" error message to the attacker, providing a primitive for file existence on the server. | 2024-10-31 | 7.5 | CVE-2024-39719 | cve@mitre.org |
n/a--n/a |
An issue was discovered in Ollama before 0.1.34. The CreateModelHandler function uses os.Open to read a file until completion. The req.Path parameter is user-controlled and can be set to /dev/random, which is blocking, causing the goroutine to run infinitely (even after the HTTP request is aborted by the client). | 2024-10-31 | 7.5 | CVE-2024-39721 | cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
An issue was discovered in Ollama before 0.1.46. It exposes which files exist on the server on which it is deployed via path traversal in the api/push route. | 2024-10-31 | 7.5 | CVE-2024-39722 | cve@mitre.org |
n/a--n/a |
The Spotify app 8.9.58 for iOS has a buffer overflow in its use of strcat. | 2024-10-28 | 7.5 | CVE-2024-42011 | cve@mitre.org cve@mitre.org |
n/a--n/a |
In Jitsi Meet before 2.0.9779, the functionality to share an image using giphy was implemented in an insecure way, resulting in clients loading GIFs from any arbitrary URL if a message from another participant contains a URL encoded in the expected format. | 2024-10-29 | 7.5 | CVE-2024-44080 | cve@mitre.org cve@mitre.org |
n/a--n/a |
An issue in eyouCMS v.1.6.7 allows a remote attacker to obtain sensitive information via a crafted script to the post parameter. | 2024-10-28 | 7.5 | CVE-2024-48196 | cve@mitre.org |
n/a--n/a |
Qualitor v8.24 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /request/viewValidacao.php. | 2024-10-31 | 7.5 | CVE-2024-48360 | cve@mitre.org cve@mitre.org |
n/a--n/a |
A file disclosure vulnerability exists in Sage 1000 v7.0.0. This vulnerability allows remote attackers to retrieve arbitrary files from the server's file system by manipulating the URL parameter in HTTP requests. The attacker can exploit this flaw to access sensitive information, including configuration files that may contain credentials and system settings, which could lead to further compromise of the server. | 2024-10-30 | 7.2 | CVE-2024-48647 | cve@mitre.org |
n/a--n/a |
Directory Traversal in /SASStudio/sasexec/sessions/{sessionID}/workspace/{InternalPath} in SAS Studio 9.4 allows remote attacker to access internal files by manipulating default path during file download. NOTE: this is disputed by the vendor because these filesystem paths are allowed for authorized users. | 2024-10-30 | 7.7 | CVE-2024-48735 | cve@mitre.org cve@mitre.org |
n/a--n/a |
An Insecure Direct Object Reference (IDOR) vulnerability in appointment-detail.php in Phpgurukul's Beauty Parlour Management System v1.1 allows unauthorized access to the Personally Identifiable Information (PII) of other customers. | 2024-10-31 | 7.5 | CVE-2024-51066 | cve@mitre.org cve@mitre.org |
n/a--n/a |
The eladmin v2.7 and before contains a remote code execution (RCE) vulnerability that can control all application deployment servers of this management system via DeployController.java. | 2024-10-30 | 7.2 | CVE-2024-51243 | cve@mitre.org |
NVIDIA--BlueField 1 |
NVIDIA ConnectX Host Firmware for the BlueField Data Processing Unit (DPU) contains a vulnerability where an attacker may cause an improper handling of insufficient privileges issue. A successful exploit of this vulnerability may lead to denial of service, data tampering, and limited information disclosure. | 2024-11-01 | 8.7 | CVE-2024-0106 | psirt@nvidia.com |
NVIDIA--ConnectX4 |
NVIDIA ConnectX Firmware contains a vulnerability where an attacker may cause an improper handling of insufficient privileges issue. A successful exploit of this vulnerability may lead to denial of service, data tampering, and limited information disclosure. | 2024-11-01 | 8.9 | CVE-2024-0105 | psirt@nvidia.com |
odude--Crypto Tool |
The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to missing validation on the user being supplied in the 'crypto_connect_ajax_process::register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username. | 2024-10-29 | 9.8 | CVE-2024-9988 | security@wordfence.com security@wordfence.com |
odude--Crypto Tool |
The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due a to limited arbitrary method call to 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username. | 2024-10-29 | 9.8 | CVE-2024-9989 | security@wordfence.com security@wordfence.com security@wordfence.com |
odude--Crypto Tool |
The Crypto plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.15. This is due to missing nonce validation in the 'crypto_connect_ajax_process::check' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2024-10-29 | 8.8 | CVE-2024-9990 | security@wordfence.com security@wordfence.com security@wordfence.com |
Okta--Okta Verify for Windows |
The Okta Device Access features, provided by the Okta Verify agent for Windows, provides access to the OktaDeviceAccessPipe, which enables attackers in a compromised device to retrieve passwords associated with Desktop MFA passwordless logins. The vulnerability was discovered via routine penetration testing. Note: A precondition of this vulnerability is that the user must be using the Okta Device Access passwordless feature. Okta Device Access users not using passwordless are not affected, and customers only using Okta Verify on platforms other than Windows, or only using FastPass are not affected. | 2024-11-01 | 7.1 | CVE-2024-9191 | psirt@okta.com psirt@okta.com |
Paid Memberships Pro--Paid Memberships Pro |
Authorization Bypass Through User-Controlled Key vulnerability in Paid Memberships Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Paid Memberships Pro: from n/a through 3.0.4. | 2024-11-01 | 7.5 | CVE-2024-37277 | audit@patchstack.com |
PickPlugins--Product Designer |
Missing Authorization vulnerability in PickPlugins Product Designer allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Product Designer: from n/a through 1.0.33. | 2024-11-01 | 7.5 | CVE-2024-38726 | audit@patchstack.com |
pluginus -- wordpress_meta_data_and_taxonomies_filter |
Improper Control of Generation of Code ('Code Injection') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Code Injection.This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.4. | 2024-10-28 | 9.8 | CVE-2024-50450 | audit@patchstack.com |
Podlove--Podlove Podcast Publisher |
Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Podcast Publisher allows Code Injection.This issue affects Podlove Podcast Publisher: from n/a through 4.1.13. | 2024-10-31 | 9.6 | CVE-2024-43984 | audit@patchstack.com |
priyabratasarkar -- token_login |
Authentication Bypass Using an Alternate Path or Channel vulnerability in Priyabrata Sarkar Token Login allows Authentication Bypass.This issue affects Token Login: from n/a through 1.0.3. | 2024-10-28 | 8.8 | CVE-2024-50488 | audit@patchstack.com |
projectworlds -- online_time_table_generator |
A vulnerability classified as critical was found in Project Worlds Online Time Table Generator 1.0. Affected by this vulnerability is an unknown functionality of the file /timetable/staff/staffdashboard.php?info=updateprofile. The manipulation of the argument n leads to sql injection. The attack can be launched remotely. | 2024-10-28 | 8.8 | CVE-2024-10447 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
projectworlds -- online_time_table_generator |
A vulnerability classified as critical has been found in Project Worlds Online Time Table Generator 1.0. Affected is an unknown function of the file /timetable/admin/admindashboard.php?info=add_course. The manipulation of the argument c leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-10-28 | 7.2 | CVE-2024-10446 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
projectworlds -- simple_web-based_chat_application |
A vulnerability has been found in Project Worlds Simple Web-Based Chat Application 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-10-28 | 9.8 | CVE-2024-10432 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Pylons--waitress |
Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a request that is exactly recv_bytes (defaults to 8192) long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled (default) we won't read any more requests, and when the first request fails due to a parsing error, we simply close the connection. However when request lookahead is enabled, it is possible to process and receive the first request, start sending the error message back to the client while we read the next request and queue it. This will allow the secondary request to be serviced by the worker thread while the connection should be closed. Waitress 3.0.1 fixes the race condition. As a workaround, disable channel_request_lookahead, this is set to 0 by default disabling this feature. | 2024-10-29 | 9.1 | CVE-2024-49768 | security-advisories@github.com security-advisories@github.com |
Pylons--waitress |
Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very little resources required. Waitress 3.0.1 contains fixes that remove the race condition. | 2024-10-29 | 7.5 | CVE-2024-49769 | security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com |
qbittorrent -- qbittorrent |
qBittorrent before 5.0.1 proceeds with use of https URLs even after certificate validation errors. | 2024-11-02 | 8.1 | CVE-2024-51774 | cve@mitre.org cve@mitre.org cve@mitre.org |
Qode Interactive--Qode Essential Addons |
: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Qode Interactive Qode Essential Addons.This issue affects Qode Essential Addons: from n/a through 1.6.3. | 2024-10-28 | 7.5 | CVE-2024-50457 | audit@patchstack.com |
rafasashi--SVG Captcha |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in rafasashi SVG Captcha allows Reflected XSS.This issue affects SVG Captcha: from n/a through 1.0.11. | 2024-10-29 | 7.1 | CVE-2024-49648 | audit@patchstack.com |
Rafasashi--Todo Custom Field |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Rafasashi Todo Custom Field allows Reflected XSS.This issue affects Todo Custom Field: from n/a through 3.0.4. | 2024-10-29 | 7.1 | CVE-2024-49642 | audit@patchstack.com |
razormist -- airport_booking_management_system |
A vulnerability was found in SourceCodester Airport Booking Management System 1.0 and classified as critical. Affected by this issue is the function details of the component Passport Number Handler. The manipulation leads to buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | 2024-10-31 | 7.8 | CVE-2024-10559 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
realtyworkstation -- realty_workstation |
Authentication Bypass Using an Alternate Path or Channel vulnerability in Realty Workstation allows Authentication Bypass.This issue affects Realty Workstation: from n/a through 1.0.45. | 2024-10-28 | 9.8 | CVE-2024-50489 | audit@patchstack.com |
Red Hat--Red Hat Enterprise Linux 7 |
A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges. | 2024-10-30 | 7.8 | CVE-2024-9632 | secalert@redhat.com secalert@redhat.com |
royal-elementor-addons -- royal_elementor_addons |
Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons allows XML Injection.This issue affects Royal Elementor Addons: from n/a through 1.3.980. | 2024-10-28 | 7.2 | CVE-2024-50442 | audit@patchstack.com |
Sam Glover--Client Power Tools Portal |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sam Glover Client Power Tools Portal allows Reflected XSS.This issue affects Client Power Tools Portal: from n/a through 1.8.6. | 2024-10-29 | 7.1 | CVE-2024-49670 | audit@patchstack.com |
Scott Gamon--Signup Page |
Missing Authorization vulnerability in Scott Gamon Signup Page allows Privilege Escalation.This issue affects Signup Page: from n/a through 1.0. | 2024-10-29 | 9.8 | CVE-2024-50475 | audit@patchstack.com |
scottpaterson -- scottcart |
Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson ScottCart allows Code Injection.This issue affects ScottCart: from n/a through 1.1. | 2024-10-28 | 9.8 | CVE-2024-50492 | audit@patchstack.com |
senols--AI Power: Complete AI Pack |
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handle_image_upload' function in all versions up to, and including, 1.8.89. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2024-10-31 | 9.8 | CVE-2024-10392 | security@wordfence.com security@wordfence.com |
ServiceNow--Now Platform |
ServiceNow has addressed an input validation vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow deployed an update to hosted instances and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes. | 2024-10-29 | 9.8 | CVE-2024-8923 | psirt@servicenow.com |
ServiceNow--Now Platform |
ServiceNow has addressed a blind SQL injection vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to extract unauthorized information. ServiceNow deployed an update to hosted instances, and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes. | 2024-10-29 | 7.5 | CVE-2024-8924 | psirt@servicenow.com |
softaculous--FileOrganizer Manage WordPress and Website Files |
The FileOrganizer - Manage WordPress and Website Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the "fileorganizer_ajax_handler" function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: The FileOrganizer Pro plugin must be installed and active to allow Subscriber+ users to upload files. | 2024-10-29 | 7.5 | CVE-2024-7985 | security@wordfence.com security@wordfence.com security@wordfence.com |
spider-themes--EazyDocs |
Missing Authorization vulnerability in spider-themes EazyDocs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EazyDocs: from n/a through 2.5.0. | 2024-11-01 | 7.1 | CVE-2024-38721 | audit@patchstack.com |
Spring--Spring |
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: * It must be a WebFlux application * It must be using Spring's static resources support * It must have a non-permitAll authorization rule applied to the static resources support | 2024-10-28 | 9.1 | CVE-2024-38821 | security@vmware.com |
squid-cache--squid |
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10. | 2024-10-28 | 7.5 | CVE-2024-45802 | security-advisories@github.com |
Stack Themes--Bstone Demo Importer |
Incorrect Privilege Assignment vulnerability in Stack Themes Bstone Demo Importer allows Privilege Escalation.This issue affects Bstone Demo Importer: from n/a through 1.0.1. | 2024-10-29 | 8.8 | CVE-2024-50481 | audit@patchstack.com |
stacksmarket -- stacks_mobile_app_builder |
Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Stacks Mobile App Builder stacks-mobile-app-builder allows Authentication Bypass.This issue affects Stacks Mobile App Builder: from n/a through 5.2.3. | 2024-10-28 | 9.8 | CVE-2024-50477 | audit@patchstack.com |
StylemixThemes--MasterStudy LMS |
Access Control vulnerability in StylemixThemes MasterStudy LMS allows . This issue affects MasterStudy LMS: from n/a through 3.2.12. | 2024-11-01 | 8.2 | CVE-2024-37094 | audit@patchstack.com |
sun.net -- ehdr_ctms |
The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL command to read, modify, and delete database contents. | 2024-10-28 | 9.8 | CVE-2024-10440 | twcert@cert.org.tw twcert@cert.org.tw |
sun.net -- ehdr_ctms |
The eHRD CTMS from Sunnet has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to bypass authentication by satisfying specific conditions in order to access certain functionalities. | 2024-10-28 | 7.5 | CVE-2024-10438 | twcert@cert.org.tw twcert@cert.org.tw |
sun.net -- ehdr_ctms |
The eHRD CTMS from Sunnet has an Insecure Direct Object Reference (IDOR) vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to access arbitrary files uploaded by any user. | 2024-10-28 | 7.5 | CVE-2024-10439 | twcert@cert.org.tw twcert@cert.org.tw |
swoopnow -- 1-click_login\ |
Authentication Bypass by Primary Weakness vulnerability in Swoop 1-Click Login: Passwordless Authentication allows Authentication Bypass.This issue affects 1-Click Login: Passwordless Authentication: 1.4.5. | 2024-10-28 | 9.8 | CVE-2024-50478 | audit@patchstack.com |
Szabolcs Szecsenyi--PegaPoll |
Missing Authorization vulnerability in Szabolcs Szecsenyi PegaPoll allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects PegaPoll: from n/a through 1.0.2. | 2024-10-29 | 9.8 | CVE-2024-50490 | audit@patchstack.com |
tareqhasan -- meetup |
Authorization Bypass Through User-Controlled Key vulnerability in Meetup allows Privilege Escalation.This issue affects Meetup: from n/a through 0.1. | 2024-10-28 | 9.8 | CVE-2024-50483 | audit@patchstack.com |
tenda -- ac1206_firmware |
A vulnerability was found in Tenda AC1206 up to 20241027. It has been classified as critical. This affects the function ate_Tenda_mfg_check_usb/ate_Tenda_mfg_check_usb3 of the file /goform/ate. The manipulation of the argument arg leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-10-28 | 9.8 | CVE-2024-10434 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
tenda -- ac6_firmware |
A vulnerability has been found in Tenda AC6 15.03.05.19 and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac of the component API Endpoint. The manipulation of the argument The leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-11-02 | 9.8 | CVE-2024-10697 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
tenda -- ac6_firmware |
A vulnerability was found in Tenda AC6 15.03.05.19 and classified as critical. Affected by this issue is the function formSetDeviceName of the file /goform/SetOnlineDevName. The manipulation of the argument devName leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-11-02 | 9.8 | CVE-2024-10698 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tenda--AC15 |
A vulnerability has been found in Tenda AC15 15.03.05.19 and classified as critical. This vulnerability affects the function SetDlnaCfg of the file /goform/SetDlnaCfg. The manipulation of the argument scanList leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 8.8 | CVE-2024-10661 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tenda--AC15 |
A vulnerability was found in Tenda AC15 15.03.05.19 and classified as critical. This issue affects the function formSetDeviceName of the file /goform/SetOnlineDevName. The manipulation of the argument devName leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 8.8 | CVE-2024-10662 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Theme Horse--Clean Retina |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Theme Horse Clean Retina.This issue affects Clean Retina: from n/a through 3.0.6. | 2024-10-28 | 7.5 | CVE-2024-50436 | audit@patchstack.com |
Theme Horse--Meta News |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Theme Horse Meta News.This issue affects Meta News: from n/a through 1.1.7. | 2024-10-28 | 7.5 | CVE-2024-50435 | audit@patchstack.com |
Theme Horse--NewsCard |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Theme Horse NewsCard.This issue affects NewsCard: from n/a through 1.3. | 2024-10-28 | 7.5 | CVE-2024-50434 | audit@patchstack.com |
Tongda--OA 2017 |
A vulnerability, which was classified as critical, was found in Tongda OA 2017 up to 11.6. Affected is an unknown function of the file pda/appcenter/submenu.php. The manipulation of the argument appid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-10-31 | 7.3 | CVE-2024-10600 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
tongda2000 -- office_anywhere |
A vulnerability, which was classified as critical, has been found in Tongda OA 2017 up to 11.10. This issue affects some unknown processing of the file /pda/reportshop/record_detail.php. The manipulation of the argument repid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 9.8 | CVE-2024-10618 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
tongda2000 -- office_anywhere |
A vulnerability, which was classified as critical, was found in Tongda OA 2017 up to 11.10. Affected is an unknown function of the file /pda/reportshop/next_detail.php. The manipulation of the argument repid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 9.8 | CVE-2024-10619 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Ubiquiti Inc--UniFi Network Application |
A Local privilege escalation vulnerability found in a Self-Hosted UniFi Network Server with UniFi Network Application (Version 8.4.62 and earlier) allows a malicious actor with a local operational system user to execute high privilege actions on UniFi Network Server. | 2024-10-28 | 8.8 | CVE-2024-42028 | support@hackerone.com |
Udit Rawat--Exam Matrix |
: Incorrect Privilege Assignment vulnerability in Udit Rawat Exam Matrix allows Privilege Escalation.This issue affects Exam Matrix: from n/a through 1.5. | 2024-10-29 | 9.8 | CVE-2024-50485 | audit@patchstack.com |
Upqode--Plum: Spin Wheel & Email Pop-up |
Missing Authorization vulnerability in Upqode Plum: Spin Wheel & Email Pop-up allows Accessing Functionality Not Properly Constrained by ACLs, Stored XSS.This issue affects Plum: Spin Wheel & Email Pop-up: from n/a through 2.0. | 2024-11-01 | 8.3 | CVE-2024-38744 | audit@patchstack.com |
Van Abel--LaTeX2HTML |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Van Abel LaTeX2HTML allows Reflected XSS.This issue affects LaTeX2HTML: from n/a through 2.5.4. | 2024-10-29 | 7.1 | CVE-2024-49673 | audit@patchstack.com |
w3speedster--W3SPEEDSTER |
The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. This is due to the plugin passing user supplied input to eval(). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server. | 2024-10-30 | 9.1 | CVE-2024-8512 | security@wordfence.com security@wordfence.com security@wordfence.com |
Web and Print Design--AR For Woocommerce |
Unrestricted Upload of File with Dangerous Type vulnerability in Web and Print Design AR For Woocommerce allows Upload a Web Shell to a Web Server.This issue affects AR For Woocommerce: from n/a through 6.2. | 2024-10-30 | 10 | CVE-2024-50510 | audit@patchstack.com |
Web and Print Design--AR For WordPress |
Unrestricted Upload of File with Dangerous Type vulnerability in Web and Print Design AR For WordPress allows Upload a Web Shell to a Web Server.This issue affects AR For WordPress: from n/a through 6.2. | 2024-10-28 | 10 | CVE-2024-50496 | audit@patchstack.com |
Webangon--The Pack Elementor addons |
Relative Path Traversal vulnerability in Webangon The Pack Elementor addons allows PHP Local File Inclusion.This issue affects The Pack Elementor addons: from n/a through 2.0.9. | 2024-10-28 | 7.5 | CVE-2024-50453 | audit@patchstack.com |
WidgiLabs--Plugin Propagator |
Unrestricted Upload of File with Dangerous Type vulnerability in WidgiLabs Plugin Propagator allows Upload a Web Shell to a Web Server.This issue affects Plugin Propagator: from n/a through 0.1. | 2024-10-28 | 10 | CVE-2024-50495 | audit@patchstack.com |
WishList Products--WishList Member X |
Missing Authorization vulnerability in WishList Products WishList Member X allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WishList Member X: from n/a through 3.26.6 | 2024-11-01 | 8.2 | CVE-2024-37106 | audit@patchstack.com |
WishList Products--WishList Member X |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WishList Products WishList Member X allows Path Traversal.This issue affects WishList Member X: from n/a through 3.26.6. | 2024-11-01 | 7.7 | CVE-2024-37108 | audit@patchstack.com |
WofficeIO--Woffice Core |
Missing Authorization vulnerability in WofficeIO Woffice Core allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Woffice Core: from n/a through 5.4.8. | 2024-11-01 | 8.2 | CVE-2024-37470 | audit@patchstack.com |
WP Sunshine--Sunshine Photo Cart |
Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sunshine Photo Cart: from n/a through 3.2.8. | 2024-11-01 | 7.1 | CVE-2024-47314 | audit@patchstack.com |
wpclever -- wpc_shop_as_a_customer_for_woocommerce |
Deserialization of Untrusted Data vulnerability in WPClever WPC Shop as a Customer for WooCommerce allows Object Injection.This issue affects WPC Shop as a Customer for WooCommerce: from n/a through 1.2.6. | 2024-10-28 | 8.8 | CVE-2024-50416 | audit@patchstack.com |
wpclever--WPC Smart Messages for WooCommerce |
The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.1 via the get_condition_value function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. | 2024-10-29 | 8.8 | CVE-2024-10436 | security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
WPWeb Elite--WooCommerce PDF Vouchers |
Missing Authorization vulnerability in WPWeb Elite WooCommerce PDF Vouchers allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WooCommerce PDF Vouchers: from n/a through 4.9.4. | 2024-11-01 | 7.3 | CVE-2024-39650 | audit@patchstack.com |
xarbo--BuddyPress Greeting Message |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in xarbo BuddyPress Greeting Message allows Reflected XSS.This issue affects BuddyPress Greeting Message: from n/a through 1.0.3. | 2024-10-29 | 7.1 | CVE-2024-49650 | audit@patchstack.com |
yaniiliev--All-in-One WP Migration and Backup |
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible. | 2024-10-28 | 7.2 | CVE-2024-9162 | security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
YesWiki--yeswiki |
YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account. This issue is fixed in 4.4.5. | 2024-10-31 | 9.9 | CVE-2024-51478 | security-advisories@github.com security-advisories@github.com security-advisories@github.com |
YITH--YITH WooCommerce Product Add-Ons |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Reflected XSS.This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.14.1. | 2024-10-28 | 7.1 | CVE-2024-50448 | audit@patchstack.com |
YMC--Filter & Grids |
Missing Authorization vulnerability in YMC Filter & Grids allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Filter & Grids: from n/a through 2.8.33. | 2024-11-01 | 7.3 | CVE-2024-39664 | audit@patchstack.com |
ZoneMinder--zoneminder |
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.64. | 2024-10-31 | 9.9 | CVE-2024-51482 | security-advisories@github.com security-advisories@github.com |
ZTE--ZXR10 1800-2S |
There is a privilege escalation vulnerability in ZTE ZXR10 ZSR V2 intelligent multi service router . An authenticated attacker could use the vulnerability to obtain sensitive information about the device. | 2024-10-29 | 7.5 | CVE-2024-22066 | psirt@zte.com.cn |
zusam--zusam |
Zusam is a free and open-source way to self-host private forums. Prior to version 0.5.6, specially crafted SVG files uploaded to the service as images allow for unrestricted script execution on (raw) image load. With certain payloads, theft of the target user's long-lived session token is possible. Note that Zusam, at the time of writing, uses a user's static API key as a long-lived session token, and these terms can be used interchangeably on the platform. This session token/API key remains valid indefinitely, so long as the user doesn't expressly request a new one via their Settings page. Version 0.5.6 fixes the cross-site scripting vulnerability. | 2024-11-01 | 8.8 | CVE-2024-51492 | security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com |
Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
---|---|---|---|---|---|
abdullahirfan -- documentpress |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Abdullah Irfan DocumentPress allows Reflected XSS.This issue affects DocumentPress: from n/a through 2.1. | 2024-10-29 | 6.1 | CVE-2024-49656 | audit@patchstack.com |
abdullahirfan -- whitelist |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Abdullah Irfan Whitelist allows Reflected XSS.This issue affects Whitelist: from n/a through 3.5. | 2024-10-29 | 6.1 | CVE-2024-49643 | audit@patchstack.com |
AffiliateX--AffiliateX |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AffiliateX allows Stored XSS.This issue affects AffiliateX: from n/a through 1.2.9. | 2024-10-29 | 6.5 | CVE-2024-49692 | audit@patchstack.com |
Ahmed Kaludi, Mohammed Kaludi--AMP for WP |
Missing Authorization vulnerability in Ahmed Kaludi, Mohammed Kaludi AMP for WP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AMP for WP: from n/a through 1.0.96.1. | 2024-11-01 | 6.3 | CVE-2024-43146 | audit@patchstack.com |
Alex Volkov--WP Accessibility Helper (WAH) |
Missing Authorization vulnerability in Alex Volkov WP Accessibility Helper (WAH) allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Accessibility Helper (WAH): from n/a through 0.6.2.9. | 2024-11-01 | 5.3 | CVE-2024-37926 | audit@patchstack.com |
alexgff--WPGlobus Translate Options |
The WPGlobus Translate Options plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the on__translate_options_page() function. This makes it possible for unauthenticated attackers to inject malicious web scripts and update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2024-10-31 | 6.1 | CVE-2024-9434 | security@wordfence.com security@wordfence.com |
aliazlan -- risk_warning_bar |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ali Azlan Risk Warning Bar allows Reflected XSS.This issue affects Risk Warning Bar: from n/a through 1.0. | 2024-10-29 | 6.1 | CVE-2024-49638 | audit@patchstack.com |
amadercodelab -- acl_floating_cart_for_woocommerce |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AmaderCode Lab ACL Floating Cart for WooCommerce allows Reflected XSS.This issue affects ACL Floating Cart for WooCommerce: from n/a through 0.9. | 2024-10-29 | 6.1 | CVE-2024-49640 | audit@patchstack.com |
amilia -- store |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Martin Drapeau Amilia Store allows Stored XSS.This issue affects Amilia Store: from n/a through 2.9.8. | 2024-10-28 | 5.4 | CVE-2024-50472 | audit@patchstack.com |
Andy Moyle--Church Admin |
Missing Authorization vulnerability in Andy Moyle Church Admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through 4.4.4. | 2024-11-01 | 4.3 | CVE-2024-37440 | audit@patchstack.com |
Apache Software Foundation--Apache NiFi |
Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation. | 2024-10-29 | 4.6 | CVE-2024-45477 | security@apache.org |
apple -- ipad_os |
The issue was addressed with improved bounds checks. This issue is fixed in tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, visionOS 2.1. Processing a maliciously crafted message may lead to a denial-of-service. | 2024-10-28 | 6.5 | CVE-2024-44297 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
A buffer overflow was addressed with improved size validation. This issue is fixed in iOS 17.7.1 and iPadOS 17.7.1, macOS Sequoia 15, macOS Sonoma 14.7.1, tvOS 18, watchOS 11, visionOS 2, iOS 18 and iPadOS 18. Processing a maliciously crafted file may lead to unexpected app termination. | 2024-10-28 | 5.5 | CVE-2024-44144 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
This issue was addressed with improved redaction of sensitive information. This issue is fixed in watchOS 11.1, visionOS 2.1, iOS 18.1 and iPadOS 18.1. An app may be able to access sensitive user data. | 2024-10-28 | 5.5 | CVE-2024-44194 | product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
This issue was addressed with improved checks. This issue is fixed in tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, visionOS 2.1. Processing an image may result in disclosure of process memory. | 2024-10-28 | 5.5 | CVE-2024-44215 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
An information leakage was addressed with additional validation. This issue is fixed in visionOS 2.1, iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1, Safari 18.1. Private browsing may leak some browsing history. | 2024-10-28 | 5.3 | CVE-2024-44229 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
The issue was addressed with improved bounds checks. This issue is fixed in macOS Sonoma 14.7.1, macOS Ventura 13.7.1, visionOS 2.1, watchOS 11.1, tvOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, iOS 18.1 and iPadOS 18.1. Parsing a maliciously crafted video file may lead to unexpected system termination. | 2024-11-01 | 5.5 | CVE-2024-44232 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
The issue was addressed with improved bounds checks. This issue is fixed in macOS Sonoma 14.7.1, macOS Ventura 13.7.1, visionOS 2.1, watchOS 11.1, tvOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, iOS 18.1 and iPadOS 18.1. Parsing a maliciously crafted video file may lead to unexpected system termination. | 2024-11-01 | 5.5 | CVE-2024-44233 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
The issue was addressed with improved bounds checks. This issue is fixed in macOS Sonoma 14.7.1, macOS Ventura 13.7.1, visionOS 2.1, watchOS 11.1, tvOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, iOS 18.1 and iPadOS 18.1. Parsing a maliciously crafted video file may lead to unexpected system termination. | 2024-11-01 | 5.5 | CVE-2024-44234 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
An information disclosure issue was addressed with improved private data redaction for log entries. This issue is fixed in tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, visionOS 2.1. An app may be able to leak sensitive kernel state. | 2024-10-28 | 5.5 | CVE-2024-44239 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
This issue was addressed with improved redaction of sensitive information. This issue is fixed in watchOS 11.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, iOS 18.1 and iPadOS 18.1. An app may be able to access sensitive user data. | 2024-10-28 | 5.5 | CVE-2024-44254 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
A logic issue was addressed with improved checks. This issue is fixed in iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, visionOS 2.1. A malicious app may use shortcuts to access restricted files. | 2024-10-28 | 5.5 | CVE-2024-44269 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 18.1 and iPadOS 18.1, visionOS 2.1, macOS Sonoma 14.7.1, watchOS 11.1, tvOS 18.1. A malicious app may be able to access private information. | 2024-10-28 | 5.5 | CVE-2024-44273 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
An out-of-bounds read was addressed with improved input validation. This issue is fixed in tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, visionOS 2.1. Parsing a file may lead to disclosure of user information. | 2024-10-28 | 5.5 | CVE-2024-44282 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
The issue was addressed with improved checks. This issue is fixed in tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, visionOS 2.1. Processing a maliciously crafted font may result in the disclosure of process memory. | 2024-10-28 | 5.5 | CVE-2024-44302 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
The issue was addressed with improved checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. An attacker may be able to view restricted content from the lock screen. | 2024-10-28 | 4.6 | CVE-2024-44235 | product-security@apple.com |
apple -- ipados |
A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 18.1 and iPadOS 18.1, watchOS 11.1, visionOS 2.1, tvOS 18.1, macOS Sequoia 15.1, Safari 18.1. Processing maliciously crafted web content may lead to an unexpected process crash. | 2024-10-28 | 4.3 | CVE-2024-44244 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- ipados |
The issue was addressed with improved authentication. This issue is fixed in iOS 17.7.1 and iPadOS 17.7.1, watchOS 11.1, iOS 18.1 and iPadOS 18.1. An attacker with physical access to a locked device may be able to view sensitive user information. | 2024-10-28 | 4.6 | CVE-2024-44274 | product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- macos |
A path deletion vulnerability was addressed by preventing vulnerable code from running with privileges. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An attacker with root privileges may be able to delete protected system files. | 2024-10-28 | 6.5 | CVE-2024-44294 | product-security@apple.com product-security@apple.com |
apple -- macos |
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sequoia 15, macOS Sonoma 14.7.1. A sandboxed app may be able to access sensitive user data. | 2024-10-28 | 5.5 | CVE-2024-40855 | product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- macos |
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15. An attacker may be able to view restricted content from the lock screen. | 2024-10-28 | 5.5 | CVE-2024-44174 | product-security@apple.com |
apple -- macos |
This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15, macOS Sonoma 14.7.1. An app may be able to access sensitive user data. | 2024-10-28 | 5.5 | CVE-2024-44175 | product-security@apple.com product-security@apple.com |
apple -- macos |
An issue existed in the parsing of URLs. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An attacker in a privileged network position may be able to leak sensitive user information. | 2024-10-28 | 5.9 | CVE-2024-44213 | product-security@apple.com product-security@apple.com |
apple -- macos |
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. Processing a maliciously crafted file may lead to unexpected app termination. | 2024-10-28 | 5.5 | CVE-2024-44236 | product-security@apple.com product-security@apple.com |
apple -- macos |
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious application may be able to modify protected parts of the file system. | 2024-10-28 | 5.5 | CVE-2024-44247 | product-security@apple.com product-security@apple.com |
apple -- macos |
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to modify protected parts of the file system. | 2024-10-28 | 5.5 | CVE-2024-44253 | product-security@apple.com product-security@apple.com |
apple -- macos |
This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious app may be able to create symlinks to protected regions of the disk. | 2024-10-28 | 5.5 | CVE-2024-44264 | product-security@apple.com product-security@apple.com |
apple -- macos |
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious application may be able to modify protected parts of the file system. | 2024-10-28 | 5.5 | CVE-2024-44267 | product-security@apple.com product-security@apple.com |
apple -- macos |
An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. Parsing a file may lead to disclosure of user information. | 2024-10-28 | 5.5 | CVE-2024-44281 | product-security@apple.com product-security@apple.com |
apple -- macos |
An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. Parsing a maliciously crafted file may lead to an unexpected app termination. | 2024-10-28 | 5.5 | CVE-2024-44284 | product-security@apple.com product-security@apple.com |
apple -- macos |
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious application may be able to modify protected parts of the file system. | 2024-10-28 | 5.5 | CVE-2024-44287 | product-security@apple.com product-security@apple.com |
apple -- macos |
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sequoia 15, macOS Sonoma 14.7.1. An attacker with physical access may be able to share items from the lock screen. | 2024-10-28 | 4.6 | CVE-2024-44137 | product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- safari |
A custom URL scheme handling issue was addressed with improved input validation. This issue is fixed in Safari 18, iOS 17.7.1 and iPadOS 17.7.1, macOS Sequoia 15, watchOS 11, iOS 18 and iPadOS 18. Maliciously crafted web content may violate iframe sandboxing policy. | 2024-10-28 | 6.5 | CVE-2024-44155 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
apple -- visionos |
This issue was addressed with improved redaction of sensitive information. This issue is fixed in visionOS 2.1. A user may be able to view sensitive user information. | 2024-10-28 | 5.5 | CVE-2024-44262 | product-security@apple.com |
Apple--iOS and iPadOS |
This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 17.7.1 and iPadOS 17.7.1, iOS 18.1 and iPadOS 18.1. An attacker may be able to view restricted content from the lock screen. | 2024-10-28 | 6.2 | CVE-2024-44261 | product-security@apple.com product-security@apple.com |
Apple--iOS and iPadOS |
A logic issue was addressed with improved state management. This issue is fixed in iOS 18.1 and iPadOS 18.1. An app may be able to access user-sensitive data. | 2024-10-28 | 4 | CVE-2024-44263 | product-security@apple.com |
Apple--macOS |
An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to access user-sensitive data. | 2024-10-28 | 6.2 | CVE-2024-44216 | product-security@apple.com product-security@apple.com |
Apple--macOS |
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. Processing a maliciously crafted file may lead to unexpected app termination. | 2024-10-28 | 6.5 | CVE-2024-44237 | product-security@apple.com product-security@apple.com |
Apple--macOS |
The issue was addressed with improved checks. This issue is fixed in tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, visionOS 2.1. Processing a maliciously crafted font may result in the disclosure of process memory. | 2024-10-28 | 6.5 | CVE-2024-44240 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
Apple--macOS |
This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to access sensitive user data. | 2024-10-28 | 6.2 | CVE-2024-44257 | product-security@apple.com product-security@apple.com |
Apple--macOS |
This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious app with root privileges may be able to modify the contents of system files. | 2024-10-28 | 6.7 | CVE-2024-44260 | product-security@apple.com product-security@apple.com |
Apple--macOS |
An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. Parsing a file may lead to disclosure of user information. | 2024-10-28 | 6.5 | CVE-2024-44279 | product-security@apple.com product-security@apple.com |
Apple--macOS |
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. Parsing a maliciously crafted file may lead to an unexpected app termination. | 2024-10-28 | 6.5 | CVE-2024-44283 | product-security@apple.com product-security@apple.com |
Apple--macOS |
This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15, iOS 18 and iPadOS 18. An attacker with physical access to a macOS device with Sidecar enabled may be able to bypass the Lock Screen. | 2024-10-28 | 5.7 | CVE-2024-44145 | product-security@apple.com product-security@apple.com |
Apple--macOS |
An information disclosure issue was addressed with improved private data redaction for log entries. This issue is fixed in iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, visionOS 2.1. A sandboxed app may be able to access sensitive user data in system logs. | 2024-10-28 | 5.5 | CVE-2024-44278 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
Apple--macOS |
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious application may be able to modify protected parts of the file system. | 2024-10-28 | 5.5 | CVE-2024-44301 | product-security@apple.com product-security@apple.com |
Apple--visionOS |
The issue was addressed with improved checks. This issue is fixed in tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, watchOS 11.1, visionOS 2.1, macOS Sequoia 15.1, Safari 18.1. Processing maliciously crafted web content may prevent Content Security Policy from being enforced. | 2024-10-28 | 5.4 | CVE-2024-44296 | product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com |
argoproj--argo-workflows |
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the argo workflows controller can be made to crash on-command by any user with access to execute a workflow. This vulnerability is fixed in 3.6.0-rc2. | 2024-10-28 | 5.7 | CVE-2024-47827 | security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com |
Arraytics--Timetics |
Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Timetics: from n/a through 1.0.21. | 2024-11-01 | 5.3 | CVE-2024-37427 | audit@patchstack.com |
Arraytics--Timetics |
Missing Authorization vulnerability in Arraytics Timetics allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Timetics: from n/a through 1.0.23. | 2024-11-01 | 5.3 | CVE-2024-43923 | audit@patchstack.com |
Aruba.it--Aruba HiSpeed Cache |
Missing Authorization vulnerability in Aruba.It Aruba HiSpeed Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aruba HiSpeed Cache: from n/a through 2.0.12. | 2024-11-01 | 4.3 | CVE-2024-43119 | audit@patchstack.com |
Atarim--Atarim |
Missing Authorization vulnerability in Atarim allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Atarim: from n/a through 4.0. | 2024-11-01 | 6.5 | CVE-2024-38771 | audit@patchstack.com |
Atarim--Atarim |
Missing Authorization vulnerability in Atarim allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Atarim: from n/a through 4.0.1. | 2024-11-01 | 5.3 | CVE-2024-43290 | audit@patchstack.com |
atomchat--Group Chat & Video Chat by AtomChat |
The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's atomchat shortcode in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-11-01 | 6.4 | CVE-2024-10232 | security@wordfence.com security@wordfence.com security@wordfence.com |
Automattic--Newspack Blocks |
Missing Authorization vulnerability in Automattic Newspack Blocks newspack-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Newspack Blocks: from n/a through 3.0.8. | 2024-11-01 | 5.4 | CVE-2024-37425 | audit@patchstack.com |
Automattic--Newspack Content Converter |
Missing Authorization vulnerability in Automattic Newspack Content Converter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Newspack Content Converter: from n/a through 0.1.5. | 2024-11-01 | 6.5 | CVE-2024-37477 | audit@patchstack.com |
Automattic--Newspack Newsletters |
Missing Authorization vulnerability in Automattic Newspack Newsletters allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Newspack Newsletters: from n/a through 2.13.2. | 2024-11-01 | 5.3 | CVE-2024-37475 | audit@patchstack.com |
Automattic--Newspack |
Broken Access Control vulnerability in Automattic Newspack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Newspack: from n/a through 3.8.6. | 2024-11-01 | 4.3 | CVE-2024-43968 | audit@patchstack.com |
Automattic--WP Job Manager - Resume Manager |
Missing Authorization vulnerability in Automattic WP Job Manager - Resume Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager - Resume Manager: from n/a through 2.1.0. | 2024-11-01 | 4.3 | CVE-2024-37443 | audit@patchstack.com |
Avirtum--iPanorama 360 WordPress Virtual Tour Builder |
Missing Authorization vulnerability in Avirtum iPanorama 360 WordPress Virtual Tour Builder allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects iPanorama 360 WordPress Virtual Tour Builder: from n/a through 1.8.3. | 2024-11-01 | 5.3 | CVE-2024-38690 | audit@patchstack.com |
AyeCode Ltd--GetPaid |
Missing Authorization vulnerability in AyeCode Ltd GetPaid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GetPaid: from n/a through 2.8.11. | 2024-11-01 | 4.3 | CVE-2024-43973 | audit@patchstack.com |
AyeCode Ltd--UsersWP |
Missing Authorization vulnerability in AyeCode Ltd UsersWP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UsersWP: from n/a through 1.2.15. | 2024-11-01 | 5.3 | CVE-2024-43277 | audit@patchstack.com |
AyeCode WP Business Directory Plugins--GeoDirectory |
Missing Authorization vulnerability in AyeCode - WP Business Directory Plugins GeoDirectory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GeoDirectory: from n/a through 2.3.70. | 2024-11-01 | 4.3 | CVE-2024-43981 | audit@patchstack.com |
AyeCode--GeoDirectory |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AyeCode GeoDirectory allows Stored XSS.This issue affects GeoDirectory: from n/a through 2.3.80. | 2024-10-28 | 6.5 | CVE-2024-50437 | audit@patchstack.com |
bdthemes -- element_pack |
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Gallery Widget 'image_title' parameter in all versions up to, and including, 5.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-11-02 | 5.4 | CVE-2024-10310 | security@wordfence.com security@wordfence.com |
bdthemes -- element_pack |
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Age Gate Widget 'url' parameter in all versions up to, and including, 5.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-11-02 | 5.4 | CVE-2024-9868 | security@wordfence.com security@wordfence.com |
BearDev--JoomSport |
Missing Authorization vulnerability in BearDev JoomSport allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JoomSport: from n/a through 5.3.0. | 2024-11-01 | 4.3 | CVE-2024-43355 | audit@patchstack.com |
BearDev--JoomSport |
Missing Authorization vulnerability in BearDev JoomSport allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JoomSport: from n/a through 5.6.3. | 2024-11-01 | 4.3 | CVE-2024-44031 | audit@patchstack.com |
Beckhoff--TwinCAT Package Manager |
A local user with administrative access rights can enter specialy crafted values for settings at the user interface (UI) of the TwinCAT Package Manager which then causes arbitrary OS commands to be executed. | 2024-10-31 | 6.5 | CVE-2024-8934 | info@cert.vde.com |
BeyondTrust--Privileged Identity |
A medium severity vulnerability has been identified within Privileged Identity which can allow an attacker to perform reflected cross-site scripting attacks. | 2024-10-30 | 6.4 | CVE-2024-9110 | 13061848-ea10-403d-bd75-c83a022c2891 |
Bitly--Bitly |
Missing Authorization vulnerability in Bitly allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Bitly: from n/a through 2.7.2. | 2024-11-01 | 6.5 | CVE-2024-43209 | audit@patchstack.com |
blazethemes--Newsmatic |
Missing Authorization vulnerability in blazethemes Newsmatic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Newsmatic: from n/a through 1.3.1. | 2024-11-01 | 5.3 | CVE-2024-37468 | audit@patchstack.com |
bPlugins LLC--Flash & HTML5 Video |
Missing Authorization vulnerability in bPlugins LLC Flash & HTML5 Video allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flash & HTML5 Video: from n/a through 2.5.30. | 2024-11-01 | 4.3 | CVE-2024-43296 | audit@patchstack.com |
BracketSpace--Advanced Cron Manager debug & control |
Missing Authorization vulnerability in BracketSpace Advanced Cron Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Cron Manager - debug & control: from n/a through 2.5.9. | 2024-11-01 | 4.3 | CVE-2024-43154 | audit@patchstack.com |
Brainstorm Force--Astra Widgets |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets allows Stored XSS.This issue affects Astra Widgets: from n/a through 1.2.14. | 2024-10-28 | 6.5 | CVE-2024-50439 | audit@patchstack.com |
Brainstorm Force--Spectra |
Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through 2.13.7. | 2024-11-01 | 4.3 | CVE-2024-37517 | audit@patchstack.com |
britner--Gutenberg Blocks with AI by Kadence WP Page Builder Features |
The Gutenberg Blocks with AI by Kadence WP - Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Icon widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-11-01 | 6.4 | CVE-2024-9655 | security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
campusexplorer -- widget |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Campus Explorer Campus Explorer Widget allows Reflected XSS.This issue affects Campus Explorer Widget: from n/a through 1.4. | 2024-10-29 | 6.1 | CVE-2024-49660 | audit@patchstack.com |
Caseproof, LLC--Memberpress |
Missing Authorization vulnerability in Caseproof, LLC Memberpress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Memberpress: from n/a through 1.11.34. | 2024-11-01 | 6.5 | CVE-2024-43956 | audit@patchstack.com |
CHANGING Information Technology--IDExpert |
IDExpert from CHANGING Information Technology does not properly validate a parameter for a specific functionality, allowing unauthenticated remote attackers to inject JavsScript code and perform Reflected Cross-site scripting attacks. | 2024-11-01 | 6.1 | CVE-2024-10652 | twcert@cert.org.tw twcert@cert.org.tw |
CHANGING Information Technology--IDExpert |
IDExpert from CHANGING Information Technology does not properly validate a specific parameter in the administrator interface, allowing remote attackers with administrator privileges to exploit this vulnerability to read arbitrary system files. | 2024-11-01 | 4.9 | CVE-2024-10651 | twcert@cert.org.tw twcert@cert.org.tw |
Charitable Donations & Fundraising Team--Charitable |
Missing Authorization vulnerability in Charitable Donations & Fundraising Team Charitable allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Charitable: from n/a through 1.8.1.7. | 2024-11-01 | 6.5 | CVE-2024-37510 | audit@patchstack.com |
Charitable Donations & Fundraising Team--Charitable |
Missing Authorization vulnerability in Charitable Donations & Fundraising Team Charitable allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Charitable: from n/a through 1.8.1.7. | 2024-11-01 | 5.3 | CVE-2024-37506 | audit@patchstack.com |
chartscss -- coub |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Rami Yushuvaev Coub allows Stored XSS.This issue affects Coub: from n/a through 1.4. | 2024-10-29 | 5.4 | CVE-2024-49659 | audit@patchstack.com |
chatplusjp -- chatplusjp |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in allows Reflected XSS.This issue affects chatplusjp: from n/a through 1.02. | 2024-10-29 | 6.1 | CVE-2024-49664 | audit@patchstack.com |
checklist -- trip_plan |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Checklist Trip Plan allows Stored XSS.This issue affects Trip Plan: from n/a through 1.0.10. | 2024-10-28 | 5.4 | CVE-2024-50471 | audit@patchstack.com |
Chris Coyier--CodePen Embedded Pens Shortcode |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Chris Coyier CodePen Embedded Pens Shortcode allows Stored XSS.This issue affects CodePen Embedded Pens Shortcode: from n/a through 1.0.2. | 2024-10-28 | 6.5 | CVE-2024-50440 | audit@patchstack.com |
Clibo Manager--Clibo Manager |
Clickjacking vulnerability in Clibo Manager v1.1.9.12 in the '/public/login' directory, a login panel. This vulnerability occurs due to the absence of an X-Frame-Options server-side header. An attacker could overlay a transparent iframe to perform click hijacking on victims. | 2024-10-31 | 6.1 | CVE-2024-10454 | cve-coordination@incibe.es |
climaxthemes -- kata_plus |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Climax Themes Kata Plus allows Stored XSS.This issue affects Kata Plus: from n/a through 1.4.7. | 2024-10-28 | 5.4 | CVE-2024-50501 | audit@patchstack.com |
climaxthemes--Kata Plus Addons for Elementor Widgets, Extensions and Templates |
The Kata Plus - Addons for Elementor - Widgets, Extensions and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2024-10-29 | 6.4 | CVE-2024-9376 | security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
Cloudways--Breeze |
Missing Authorization vulnerability in Cloudways Breeze allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze: from n/a through 2.1.14. | 2024-10-29 | 5.3 | CVE-2024-50422 | audit@patchstack.com |
Cloudways--Breeze |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Cloudways Breeze allows Stored XSS.This issue affects Breeze: from n/a through 2.1.14. | 2024-10-28 | 5.9 | CVE-2024-50431 | audit@patchstack.com |
code-projects--Blood Bank Management System |
A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /file/request.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 4.3 | CVE-2024-10605 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
code-projects--Blood Bank System |
A vulnerability classified as critical has been found in code-projects Blood Bank System 1.0. This affects an unknown part of the file /admin/blood/update/B-.php. The manipulation of the argument Bloodname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-10-30 | 6.3 | CVE-2024-10506 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
code-projects--E-Health Care System |
A vulnerability, which was classified as critical, was found in code-projects E-Health Care System up to 1.0. This affects an unknown part of the file /Admin/consulting_detail.php. The manipulation of the argument consulting_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-11-03 | 6.3 | CVE-2024-10740 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
code-projects--University Event Management System |
A vulnerability was found in code-projects University Event Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file submit.php. The manipulation of the argument name/email/title/Year/gender/fromdate/todate/people leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only mentions the parameter "name" to be affected. But it must be assumed that a variety of other parameters is affected too. | 2024-11-02 | 6.3 | CVE-2024-10700 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
code-projects--Wazifa System |
A vulnerability was found in code-projects Wazifa System 1.0 and classified as critical. This issue affects some unknown processing of the file /controllers/control.php. The manipulation of the argument to leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-11-03 | 6.3 | CVE-2024-10742 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
codection--Import and export users and customers |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in codection Import and export users and customers allows Stored XSS.This issue affects Import and export users and customers: from n/a through 1.27.5. | 2024-10-29 | 5.9 | CVE-2024-50413 | audit@patchstack.com |
codemenschen--Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) |
The Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2024-10-31 | 6.4 | CVE-2024-9165 | security@wordfence.com security@wordfence.com security@wordfence.com |
Consensys--gnark |
gnark is a fast zk-SNARK library that offers a high-level API to design circuits. In gnark 0.11.0 and earlier, deserialization of Groth16 verification keys allocate excessive memory, consuming a lot of resources and triggering a crash with the error fatal error: runtime: out of memory. | 2024-10-31 | 5.5 | CVE-2024-50354 | security-advisories@github.com security-advisories@github.com security-advisories@github.com |
contrid--Newsletters |
The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's newsletters_video shortcode in all versions up to, and including, 4.9.9.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-29 | 6.4 | CVE-2024-10181 | security@wordfence.com security@wordfence.com security@wordfence.com |
ConveyThis Translate Team--Language Translate Widget for WordPress ConveyThis |
Missing Authorization vulnerability in ConveyThis Translate Team Language Translate Widget for WordPress - ConveyThis allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Language Translate Widget for WordPress - ConveyThis: from n/a through 234. | 2024-11-01 | 5.3 | CVE-2024-38792 | audit@patchstack.com |
coralwebdesign -- cwd_3d_image_gallery |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Coral Web Design CWD 3D Image Gallery allows Reflected XSS.This issue affects CWD 3D Image Gallery: from n/a through 1.0. | 2024-10-29 | 6.1 | CVE-2024-49632 | audit@patchstack.com |
Cornel Raiu--WP Search Analytics |
Missing Authorization vulnerability in Cornel Raiu WP Search Analytics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Search Analytics: from n/a through 1.4.9. | 2024-11-01 | 4.3 | CVE-2024-43229 | audit@patchstack.com |
cozythemes -- cozy_blocks |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CozyThemes Cozy Blocks allows Stored XSS.This issue affects Cozy Blocks: from n/a through 2.0.18. | 2024-10-28 | 5.4 | CVE-2024-50502 | audit@patchstack.com |
CozyThemes--Blockbooster |
Missing Authorization vulnerability in CozyThemes Blockbooster allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Blockbooster: from n/a through 1.0.10. | 2024-11-01 | 6.5 | CVE-2024-43979 | audit@patchstack.com |
CozyThemes--Fota WP |
Missing Authorization vulnerability in CozyThemes Fota WP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fota WP: from n/a through 1.4.1. | 2024-11-01 | 6.5 | CVE-2024-43980 | audit@patchstack.com |
CozyThemes--Hello Agency |
Missing Authorization vulnerability in CozyThemes Hello Agency allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Hello Agency: from n/a through 1.0.5. | 2024-11-01 | 6.5 | CVE-2024-43341 | audit@patchstack.com |
CozyThemes--ReviveNews |
Missing Authorization vulnerability in CozyThemes ReviveNews allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects ReviveNews: from n/a through 1.0.2. | 2024-11-01 | 6.5 | CVE-2024-43974 | audit@patchstack.com |
cozyvision1--SMS Alert Order Notifications WooCommerce |
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sa_subscribe shortcode in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-29 | 6.4 | CVE-2024-10233 | security@wordfence.com security@wordfence.com security@wordfence.com |
Creative Motion--Auto Featured Image (Auto Post Thumbnail) |
Missing Authorization vulnerability in Creative Motion Auto Featured Image (Auto Post Thumbnail) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Auto Featured Image (Auto Post Thumbnail): from n/a through 4.1.2. | 2024-11-01 | 4.3 | CVE-2024-38719 | audit@patchstack.com |
Creative Motion--Clearfy Cache |
Missing Authorization vulnerability in Creative Motion Clearfy Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Clearfy Cache: from n/a through 2.2.4. | 2024-11-01 | 5.4 | CVE-2024-43260 | audit@patchstack.com |
Creative Motion--Robin image optimizer |
Missing Authorization vulnerability in Creative Motion Robin image optimizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Robin image optimizer: from n/a through 1.6.9. | 2024-11-01 | 6.5 | CVE-2024-43122 | audit@patchstack.com |
creativemotion--Social Slider Feed |
Missing Authorization vulnerability in creativemotion Social Slider Feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Social Slider Feed: from n/a through 2.2.2. | 2024-11-01 | 4.3 | CVE-2024-43215 | audit@patchstack.com |
CreativeMotion--Titan Anti-spam & Security |
Missing Authorization vulnerability in CreativeMotion Titan Anti-spam & Security allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Titan Anti-spam & Security: from n/a through 7.3.6. | 2024-11-01 | 6.5 | CVE-2024-38777 | audit@patchstack.com |
CRM Perks--CRM Perks Forms |
Missing Authorization vulnerability in CRM Perks CRM Perks Forms allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects CRM Perks Forms: from n/a through 1.1.5. | 2024-11-01 | 5.3 | CVE-2024-37463 | audit@patchstack.com |
cservit--affiliate-toolkit |
The affiliate-toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's atkp_product shortcode in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-29 | 6.4 | CVE-2024-10227 | security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
CubeWP--CubeWP All-in-One Dynamic Content Framework |
Missing Authorization vulnerability in CubeWP CubeWP - All-in-One Dynamic Content Framework allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CubeWP - All-in-One Dynamic Content Framework: from n/a through 1.1.15. | 2024-11-01 | 4.3 | CVE-2024-48039 | audit@patchstack.com |
DarkMySite--DarkMySite Advanced Dark Mode Plugin for WordPress |
Cross-Site Request Forgery (CSRF) vulnerability in DarkMySite DarkMySite - Advanced Dark Mode Plugin for WordPress darkmysite allows Cross Site Request Forgery.This issue affects DarkMySite - Advanced Dark Mode Plugin for WordPress: from n/a through 1.2.8. | 2024-10-29 | 4.3 | CVE-2024-50466 | audit@patchstack.com |
Depicter Slider and Popup by Averta--Depicter Slider |
Missing Authorization vulnerability in Depicter Slider and Popup by Averta Depicter Slider allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Depicter Slider: from n/a through 3.2.2. | 2024-11-01 | 5.3 | CVE-2024-47359 | audit@patchstack.com |
didi--Super-Jacoco |
A vulnerability was found in didi Super-Jacoco 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /cov/triggerEnvCov. The manipulation of the argument uuid leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-10-28 | 6.3 | CVE-2024-10435 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Dropshipping Guru--Ali2Woo Lite |
Missing Authorization vulnerability in Dropshipping Guru Ali2Woo Lite Exploiting Incorrectly Configured Access Control Security Levels, Stored XSS.This issue affects Ali2Woo Lite: from n/a through 3.3.5. | 2024-11-01 | 6.5 | CVE-2024-37214 | audit@patchstack.com |
E2Pdf.com--e2pdf |
Missing Authorization vulnerability in E2Pdf.Com allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects e2pdf: from n/a through 1.20.27. | 2024-11-01 | 5.4 | CVE-2024-37415 | audit@patchstack.com |
Easy Digital Downloads--Easy Digital Downloads |
Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.2.12. | 2024-11-01 | 4.3 | CVE-2024-43162 | audit@patchstack.com |
edwardstoever -- monitor.chat |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Edward Stoever Monitor.Chat allows Reflected XSS.This issue affects Monitor.Chat: from n/a through 1.1.1. | 2024-10-29 | 6.1 | CVE-2024-49639 | audit@patchstack.com |
elenazhyvohliad -- ucat |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Elena Zhyvohliad uCAT - Next Story allows Reflected XSS.This issue affects uCAT - Next Story: from n/a through 2.0.0. | 2024-10-29 | 6.1 | CVE-2024-49663 | audit@patchstack.com |
Envira Gallery Team--Envira Photo Gallery |
Missing Authorization vulnerability in Envira Gallery Team Envira Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Envira Photo Gallery: from n/a through 1.8.7.3. | 2024-11-01 | 4.3 | CVE-2024-37095 | audit@patchstack.com |
Envira Gallery Team--Envira Photo Gallery |
Missing Authorization vulnerability in Envira Gallery Team Envira Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Envira Photo Gallery: from n/a through 1.8.14. | 2024-11-01 | 4.3 | CVE-2024-43925 | audit@patchstack.com |
EnvoThemes--Envo's Elementor Templates & Widgets for WooCommerce |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in EnvoThemes Envo's Elementor Templates & Widgets for WooCommerce allows Stored XSS.This issue affects Envo's Elementor Templates & Widgets for WooCommerce: from n/a through 1.4.19. | 2024-10-28 | 6.5 | CVE-2024-50447 | audit@patchstack.com |
Epsiloncool--WP Fast Total Search |
Missing Authorization vulnerability in Epsiloncool WP Fast Total Search allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Fast Total Search: from n/a through 1.68.232. | 2024-11-01 | 4.3 | CVE-2024-38714 | audit@patchstack.com |
ESAFENET--CDG |
A vulnerability, which was classified as critical, has been found in ESAFENET CDG 5. Affected by this issue is some unknown functionality of the file /com/esafenet/servlet/policy/HookWhiteListService.java. The manipulation of the argument policyId leads to sql injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-10-30 | 6.3 | CVE-2024-10500 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
ESAFENET--CDG |
A vulnerability, which was classified as critical, was found in ESAFENET CDG 5. This affects the function findById of the file /com/esafenet/servlet/document/ExamCDGDocService.java. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-10-30 | 6.3 | CVE-2024-10501 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
ESAFENET--CDG |
A vulnerability has been found in ESAFENET CDG 5 and classified as critical. This vulnerability affects the function getOneFileDirectory of the file /com/esafenet/servlet/fileManagement/FileDirectoryService.java. The manipulation of the argument directoryId leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-10-30 | 6.3 | CVE-2024-10502 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
ESAFENET--CDG |
A vulnerability was found in ESAFENET CDG 5. It has been classified as critical. Affected is the function docHistory of the file /com/esafenet/servlet/fileManagement/FileDirectoryService.java. The manipulation of the argument fileId leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-10-31 | 6.3 | CVE-2024-10594 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
ESAFENET--CDG |
A vulnerability was found in ESAFENET CDG 5. It has been rated as critical. Affected by this issue is the function delEntryptPolicySort of the file /com/esafenet/servlet/system/EncryptPolicyTypeService.java. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-10-31 | 6.3 | CVE-2024-10596 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
ESAFENET--CDG |
A vulnerability classified as critical has been found in ESAFENET CDG 5. This affects the function delPolicyAction of the file /com/esafenet/servlet/system/PolicyActionService.java. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-10-31 | 6.3 | CVE-2024-10597 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
ESAFENET--CDG |
A vulnerability has been found in ESAFENET CDG 5 and classified as critical. This vulnerability affects the function delProtocol of the file /com/esafenet/servlet/system/ProtocolService.java. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-11-01 | 6.3 | CVE-2024-10610 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
ESAFENET--CDG |
A vulnerability was found in ESAFENET CDG 5 and classified as critical. This issue affects the function delProtocol of the file /com/esafenet/servlet/system/PrintScreenListService.java. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-11-01 | 6.3 | CVE-2024-10611 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
ESAFENET--CDG |
A vulnerability was found in ESAFENET CDG 5. It has been classified as critical. Affected is the function removeHookInvalidCourse of the file /com/esafenet/servlet/system/HookInvalidCourseService.java. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-11-01 | 6.3 | CVE-2024-10612 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
ESAFENET--CDG |
A vulnerability was found in ESAFENET CDG 5. It has been declared as critical. Affected by this vulnerability is the function delSystemEncryptPolicy of the file /com/esafenet/servlet/system/SystemEncryptPolicyService.java. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-11-01 | 6.3 | CVE-2024-10613 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
ESAFENET--CDG |
A vulnerability, which was classified as critical, has been found in ESAFENET CDG 5. Affected by this issue is the function delSystemEncryptPolicy of the file /com/esafenet/servlet/document/CDGAuthoriseTempletService.java. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 6.3 | CVE-2024-10659 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
ESAFENET--CDG |
A vulnerability, which was classified as critical, was found in ESAFENET CDG 5. This affects the function deleteHook of the file /com/esafenet/servlet/policy/HookService.java. The manipulation of the argument hookId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 6.3 | CVE-2024-10660 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Etoile Web Design--Order Tracking |
Missing Authorization vulnerability in Etoile Web Design Order Tracking allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Order Tracking: from n/a through 3.3.12. | 2024-11-01 | 4.3 | CVE-2024-43343 | audit@patchstack.com |
EventPrime Events--EventPrime |
Missing Authorization vulnerability in EventPrime Events EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through 4.0.3.2. | 2024-11-01 | 4.3 | CVE-2024-43223 | audit@patchstack.com |
express--express |
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters. | 2024-10-29 | 4 | CVE-2024-10491 | 36c7be3b-2937-45df-85ea-ca7133ea542c |
eyecix--JobSearch |
Missing Authorization vulnerability in eyecix JobSearch allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JobSearch: from n/a through 2.5.4. | 2024-11-01 | 6.5 | CVE-2024-43929 | audit@patchstack.com |
eyecix--JobSearch |
Missing Authorization vulnerability in eyecix JobSearch allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JobSearch: from n/a through 2.5.4. | 2024-11-01 | 5.4 | CVE-2024-43928 | audit@patchstack.com |
eyecix--JobSearch |
Cross-Site Request Forgery (CSRF) vulnerability in eyecix JobSearch allows Cross Site Request Forgery.This issue affects JobSearch: from n/a through 2.5.3. | 2024-10-31 | 4.3 | CVE-2024-43930 | audit@patchstack.com |
fabianros -- blood_bank_management_system |
A vulnerability, which was classified as problematic, has been found in code-projects Blood Bank Management System 1.0. Affected by this issue is some unknown functionality of the file /file/delete.php. The manipulation of the argument bid leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other endpoints might be affected as well. | 2024-10-28 | 6.5 | CVE-2024-10448 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
fabianros -- blood_bank_management_system |
A vulnerability has been found in code-projects Blood Bank Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /file/updateprofile.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-10-31 | 6.5 | CVE-2024-10557 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Fahad Mahmood--WP Datepicker |
Missing Authorization vulnerability in Fahad Mahmood WP Datepicker allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Datepicker: from n/a through 2.1.1. | 2024-11-01 | 6.5 | CVE-2024-47321 | audit@patchstack.com |
fastlinemedia -- beaver_builder |
The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button widget in all versions up to, and including, 2.8.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-29 | 5.4 | CVE-2024-9505 | security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
fatcatapps--Pricing Tables WordPress Plugin Easy Pricing Tables |
The Pricing Tables WordPress Plugin - Easy Pricing Tables plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-10-30 | 6.1 | CVE-2024-8871 | security@wordfence.com security@wordfence.com security@wordfence.com |
Faurecia Clarion Electronics Co., Ltd.--SmartPlay |
Use of Default Credentials vulnerability in Maruti Suzuki SmartPlay on Linux (Infotainment Hub modules) allows attacker to try common or default usernames and passwords.The issue was detected on a 2022 Maruti Suzuki Brezza in India Market. This issue affects SmartPlay: 66T0.05.50. | 2024-10-28 | 6.7 | CVE-2024-6245 | cve@asrg.io cve@asrg.io |
Fetch Designs--Sign-up Sheets |
Missing Authorization vulnerability in Fetch Designs Sign-up Sheets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sign-up Sheets: from n/a through 2.2.12. | 2024-11-01 | 5.3 | CVE-2024-39654 | audit@patchstack.com |
fifu.app--Featured Image from URL |
Missing Authorization vulnerability in fifu.App Featured Image from URL allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Image from URL: from n/a through 4.8.2. | 2024-11-01 | 6.3 | CVE-2024-37516 | audit@patchstack.com |
fifu.app--Featured Image from URL |
Missing Authorization vulnerability in fifu.App Featured Image from URL allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Image from URL: from n/a through 4.8.1. | 2024-11-01 | 5.3 | CVE-2024-37276 | audit@patchstack.com |
FirelightWP--Firelight Lightbox |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in FirelightWP Firelight Lightbox allows Stored XSS.This issue affects Firelight Lightbox: from n/a through 2.3.3. | 2024-10-28 | 5.9 | CVE-2024-50460 | audit@patchstack.com |
Fla-shop--Interactive World Map |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Fla-shop Interactive World Map allows Stored XSS.This issue affects Interactive World Map: from n/a through 3.4.4. | 2024-10-28 | 6.5 | CVE-2024-50462 | audit@patchstack.com |
Fonts Plugin--Fonts |
Missing Authorization vulnerability in Fonts Plugin Fonts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fonts: from n/a through 3.7.7. | 2024-11-01 | 4.3 | CVE-2024-43302 | audit@patchstack.com |
foxskav -- bet_wc_2018_russia |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Foxskav Bet WC 2018 Russia allows Reflected XSS.This issue affects Bet WC 2018 Russia: from n/a through 2.1. | 2024-10-29 | 6.1 | CVE-2024-49637 | audit@patchstack.com |
fstaude--Widget or Sidebar Shortcode |
The Widget or Sidebar Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sidebar' shortcode in all versions up to, and including, 0.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-30 | 6.4 | CVE-2024-9885 | security@wordfence.com security@wordfence.com security@wordfence.com |
FuturioWP--Futurio Extra |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in FuturioWP Futurio Extra allows Stored XSS.This issue affects Futurio Extra: from n/a through 2.0.11. | 2024-10-28 | 6.5 | CVE-2024-50446 | audit@patchstack.com |
Gabe Livan--Asset CleanUp: Page Speed Booster |
Missing Authorization vulnerability in Gabe Livan Asset CleanUp: Page Speed Booster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Asset CleanUp: Page Speed Booster: from n/a through 1.3.9.3. | 2024-11-01 | 4.3 | CVE-2024-43314 | audit@patchstack.com |
gaizhenbiao -- chuanhuchatgpt |
In the latest version (20240628) of gaizhenbiao/chuanhuchatgpt, an issue exists in the /file endpoint that allows authenticated users to access the chat history of other users. When a user logs in, a directory is created in the history folder with the user's name. By manipulating the /file endpoint, an authenticated user can enumerate and access files in other users' directories, leading to unauthorized access to private chat histories. This vulnerability can be exploited to read any user's private chat history. | 2024-10-29 | 4.3 | CVE-2024-8143 | security@huntr.dev security@huntr.dev |
HashiCorp--Consul |
A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS. | 2024-10-30 | 6.1 | CVE-2024-10086 | security@hashicorp.com |
HCL Software--AppScan Source |
HCL AppScan Source <= 10.6.0 does not properly validate a TLS/SSL certificate for an executable. | 2024-10-31 | 4.8 | CVE-2024-30149 | psirt@hcl.com |
HelloAsso--HelloAsso |
Missing Authorization vulnerability in HelloAsso allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HelloAsso: from n/a through 1.1.10. | 2024-11-01 | 4.3 | CVE-2024-44052 | audit@patchstack.com |
hitachienergy -- tro610_firmware |
Profile files from TRO600 series radios are extracted in plain-text and encrypted file formats. Profile files provide potential attackers valuable configuration information about the Tropos network. Profiles can only be exported by authenticated users with write access. | 2024-10-29 | 4.3 | CVE-2024-41156 | cybersecurity@hitachienergy.com |
HM Plugin--WordPress Stripe Donation and Payment Plugin |
Missing Authorization vulnerability in HM Plugin WordPress Stripe Donation and Payment Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress Stripe Donation and Payment Plugin: from n/a through 3.2.3. | 2024-10-29 | 5.3 | CVE-2024-50459 | audit@patchstack.com |
hokku--Contact Form 7 + Telegram |
The Contact Form 7 + Telegram plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wpcf7_Telegram::ajax' function in versions up to, and including, 0.8.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to approve, pause and refuse subscriptions. | 2024-10-28 | 5.4 | CVE-2024-9629 | security@wordfence.com security@wordfence.com security@wordfence.com |
htplugins--WP Team WordPress Team Member Plugin |
The WP Team - WordPress Team Member Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's htteamember shortcode in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-30 | 6.4 | CVE-2024-10223 | security@wordfence.com security@wordfence.com security@wordfence.com |
IBM--CICS TX Standard |
IBM CICS TX Standard 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 2024-11-01 | 6.5 | CVE-2024-41744 | psirt@us.ibm.com |
IBM--CICS TX Standard |
IBM CICS TX Standard is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2024-11-01 | 6.1 | CVE-2024-41745 | psirt@us.ibm.com |
IBM--TXSeries for Multiplatforms |
IBM TXSeries for Multiplatforms 10.1 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques. | 2024-11-01 | 5.9 | CVE-2024-41738 | psirt@us.ibm.com |
IBM--TXSeries for Multiplatforms |
IBM TXSeries for Multiplatforms 10.1 could allow an attacker to determine valid usernames due to an observable timing discrepancy which could be used in further attacks against the system. | 2024-11-01 | 5.3 | CVE-2024-41741 | psirt@us.ibm.com |
icegram--Icegram Collect |
Missing Authorization vulnerability in icegram Icegram Collect plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Icegram Collect plugin: from n/a through 1.3.14. | 2024-11-01 | 5.4 | CVE-2024-43273 | audit@patchstack.com |
icegram--Icegram |
Missing Authorization vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Icegram: from n/a through 3.1.24. | 2024-11-01 | 5.3 | CVE-2024-39625 | audit@patchstack.com |
ifeelweb--Post Status Notifier |
The Post Status Notifier Lite and Premium plugins for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.11.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-10-29 | 6.1 | CVE-2024-10048 | security@wordfence.com security@wordfence.com |
instantsoft--icms2 |
InstantCMS is a free and open source content management system. In photo upload function in the photo album page there is no input validation taking place. Due to this attackers are able to inject the XSS (Cross Site Scripting) payload and execute. This vulnerability is fixed in 2.16.3. | 2024-10-29 | 5.4 | CVE-2024-50348 | security-advisories@github.com security-advisories@github.com |
IowaComputerGurus--aspnetcore.utilities.cloudstorage |
ICG.AspNetCore.Utilities.CloudStorage is a collection of cloud storage utilities to assist with the management of files for cloud upload. Users of this library that set a duration for a SAS Uri with a value other than 1 hour may have generated a URL with a duration that is longer, or shorter than desired. Users not implemented SAS Uri's are unaffected. This issue was resolved in version 8.0.0 of the library. | 2024-10-30 | 5.3 | CVE-2024-50353 | security-advisories@github.com security-advisories@github.com |
itsourcecode--Farm Management System |
A vulnerability classified as critical was found in itsourcecode Farm Management System 1.0. Affected by this vulnerability is an unknown functionality of the file manage-breed.php. The manipulation of the argument breed leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-11-03 | 6.3 | CVE-2024-10738 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
itsourcecode--Tailoring Management System Project |
A vulnerability, which was classified as critical, was found in itsourcecode Tailoring Management System Project 1.0. This affects an unknown part of the file typeadd.php. The manipulation of the argument sex leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 6.3 | CVE-2024-10609 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
javmah--Woocommerce Customers Order History |
Missing Authorization vulnerability in javmah Woocommerce Customers Order History allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Woocommerce Customers Order History: from n/a through 5.2.2. | 2024-11-01 | 4.3 | CVE-2024-37201 | audit@patchstack.com |
jetbrains -- hub |
In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services | 2024-10-28 | 5.4 | CVE-2024-50573 | cve@jetbrains.com |
jetbrains -- youtrack |
In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API | 2024-10-28 | 6.1 | CVE-2024-50575 | cve@jetbrains.com |
jetbrains -- youtrack |
In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible | 2024-10-28 | 6.1 | CVE-2024-50579 | cve@jetbrains.com |
jetbrains -- youtrack |
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest | 2024-10-28 | 5.4 | CVE-2024-50576 | cve@jetbrains.com |
jetbrains -- youtrack |
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings | 2024-10-28 | 5.4 | CVE-2024-50577 | cve@jetbrains.com |
jetbrains -- youtrack |
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page | 2024-10-28 | 5.4 | CVE-2024-50578 | cve@jetbrains.com |
jetbrains -- youtrack |
In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule | 2024-10-28 | 5.4 | CVE-2024-50580 | cve@jetbrains.com |
jetbrains -- youtrack |
In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag | 2024-10-28 | 5.4 | CVE-2024-50581 | cve@jetbrains.com |
jetbrains -- youtrack |
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements | 2024-10-28 | 5.4 | CVE-2024-50582 | cve@jetbrains.com |
joniles--mpxj |
MPXJ is an open source library to read and write project plans from a variety of file formats and databases. The patch for the historical vulnerability CVE-2020-35460 in MPXJ is incomplete as there is still a possibility that a malicious path could be constructed which would not be picked up by the original fix and allow files to be written to arbitrary locations. The issue is addressed in MPXJ version 13.5.1. | 2024-10-28 | 5.3 | CVE-2024-49771 | security-advisories@github.com security-advisories@github.com |
Jordy Meow--Photo Engine |
Missing Authorization vulnerability in Jordy Meow Photo Engine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Photo Engine: from n/a through 6.4.0. | 2024-11-01 | 4.3 | CVE-2024-43332 | audit@patchstack.com |
josh401--Ultimate TinyMCE |
The Ultimate TinyMCE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'field' shortcode in all versions up to, and including, 5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-30 | 6.4 | CVE-2024-8627 | security@wordfence.com security@wordfence.com |
JS Help Desk--JS Help Desk Best Help Desk & Support Plugin |
Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JS Help Desk - Best Help Desk & Support Plugin: from n/a through 2.8.6. | 2024-11-01 | 5.8 | CVE-2024-43274 | audit@patchstack.com |
Jules Colle--Conditional Fields for Contact Form 7 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jules Colle Conditional Fields for Contact Form 7 allows Stored XSS.This issue affects Conditional Fields for Contact Form 7: from n/a through 2.4.15. | 2024-10-29 | 5.9 | CVE-2024-50412 | audit@patchstack.com |
KaineLabs--Youzify |
Missing Authorization vulnerability in KaineLabs Youzify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Youzify: from n/a through 1.2.6. | 2024-11-01 | 5.4 | CVE-2024-39635 | audit@patchstack.com |
Kanban for WordPress--Kanban Boards for WordPress |
Missing Authorization vulnerability in Kanban for WordPress Kanban Boards for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kanban Boards for WordPress: from n/a through 2.5.21. | 2024-11-01 | 5.3 | CVE-2024-37226 | audit@patchstack.com |
Kevon Adonis--WP Abstracts |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kevon Adonis WP Abstracts allows Stored XSS.This issue affects WP Abstracts: from n/a through 2.7.1. | 2024-10-29 | 5.9 | CVE-2024-50411 | audit@patchstack.com |
Kiboko Labs--Chained Quiz |
Missing Authorization vulnerability in Kiboko Labs Chained Quiz allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chained Quiz: from n/a through 1.3.2.8. | 2024-11-01 | 5.3 | CVE-2024-37921 | audit@patchstack.com |
Kiboko Labs--Namaste! LMS |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kiboko Labs Namaste! LMS allows Stored XSS.This issue affects Namaste! LMS: from n/a through 2.6.2. | 2024-10-29 | 6.5 | CVE-2024-50409 | audit@patchstack.com |
Kiboko Labs--Namaste! LMS |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kiboko Labs Namaste! LMS allows Stored XSS.This issue affects Namaste! LMS: from n/a through 2.6.4. | 2024-10-29 | 6.5 | CVE-2024-50410 | audit@patchstack.com |
kilukrumedia--WP Simple Anchors Links |
The WP Simple Anchors Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpanchor shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-31 | 6.4 | CVE-2024-9446 | security@wordfence.com security@wordfence.com security@wordfence.com |
knightliao--Disconf |
A vulnerability was found in knightliao Disconf 2.6.36. It has been classified as critical. This affects an unknown part of the file /api/config/list of the component Configuration Center. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 5.3 | CVE-2024-10620 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Kraft Plugins--Wheel of Life |
Missing Authorization vulnerability in Kraft Plugins Wheel of Life allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wheel of Life: from n/a through 1.1.8. | 2024-11-01 | 5.3 | CVE-2024-47311 | audit@patchstack.com |
kubell Co., Ltd.--Chatwork Desktop Application (Windows) |
Use of potentially dangerous function issue exists in Chatwork Desktop Application (Windows) versions prior to 2.9.2. If a user clicks a specially crafted link in the application, an arbitrary file may be downloaded from an external website and executed. As a result, arbitrary code may be executed on the device that runs Chatwork Desktop Application (Windows). | 2024-10-28 | 5.5 | CVE-2024-50307 | vultures@jpcert.or.jp |
Laybuy--Laybuy Payment Extension for WooCommerce |
Missing Authorization vulnerability in Laybuy Laybuy Payment Extension for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Laybuy Payment Extension for WooCommerce: from n/a through 5.3.9. | 2024-11-01 | 4.3 | CVE-2024-37203 | audit@patchstack.com |
leap13--Premium Addons for Elementor |
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video Box widget in all versions up to, and including, 4.10.60 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-29 | 6.4 | CVE-2024-10266 | security@wordfence.com security@wordfence.com |
leenk -- leenk.me |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lew Ayotte leenk.Me allows Reflected XSS.This issue affects leenk.Me: from n/a through 2.16.0. | 2024-10-29 | 6.1 | CVE-2024-49661 | audit@patchstack.com |
Leevio--Happy Addons for Elementor |
Missing Authorization vulnerability in Leevio Happy Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Happy Addons for Elementor: from n/a through 3.12.3. | 2024-11-01 | 4.3 | CVE-2024-48045 | audit@patchstack.com |
LevelOne--WBR-6012 |
The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality-of-service, web-based administration, a DHCP server, a basic DMZ, and UPnP capabilities. | 2024-10-30 | 5.3 | CVE-2024-28052 | talos-cna@cisco.com |
LevelOne--WBR-6012 |
The LevelOne WBR-6012 router with firmware R0.40e6 is vulnerable to improper resource allocation within its web application, where a series of crafted HTTP requests can cause a reboot. This could lead to network service interruptions. | 2024-10-30 | 5.3 | CVE-2024-31152 | talos-cna@cisco.com |
LevelOne--WBR-6012 |
A vulnerability in the LevelOne WBR-6012 router's firmware version R0.40e6 allows sensitive information to be transmitted in cleartext via Web and FTP services, exposing it to network sniffing attacks. | 2024-10-30 | 5.9 | CVE-2024-32946 | talos-cna@cisco.com |
LevelOne--WBR-6012 |
The LevelOne WBR-6012 router has an information disclosure vulnerability in its web application, which allows unauthenticated users to access a verbose system log page and obtain sensitive data, such as memory addresses and IP addresses for login attempts. This flaw could lead to session hijacking due to the device's reliance on IP address for authentication. | 2024-10-30 | 5.3 | CVE-2024-33603 | talos-cna@cisco.com |
LevelOne--WBR-6012 |
The LevelOne WBR-6012 router contains a vulnerability within its web application that allows unauthenticated disclosure of sensitive information, such as the WiFi WPS PIN, through a hidden page accessible by an HTTP request. Disclosure of this information could enable attackers to connect to the device's WiFi network. | 2024-10-30 | 5.3 | CVE-2024-33626 | talos-cna@cisco.com |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: vt: prevent kernel-infoleak in con_font_get() font.data may not initialize all memory spaces depending on the implementation of vc->vc_sw->con_font_get. This may cause info-leak, so to prevent this, it is safest to modify it to initialize the allocated memory space to 0, and it generally does not affect the overall performance of the system. | 2024-10-29 | 6.5 | CVE-2024-50076 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: mm/damon/tests/sysfs-kunit.h: fix memory leak in damon_sysfs_test_add_targets() The sysfs_target->regions allocated in damon_sysfs_regions_alloc() is not freed in damon_sysfs_test_add_targets(), which cause the following memory leak, free it to fix it. unreferenced object 0xffffff80c2a8db80 (size 96): comm "kunit_try_catch", pid 187, jiffies 4294894363 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 0): [<0000000001e3714d>] kmemleak_alloc+0x34/0x40 [<000000008e6835c1>] __kmalloc_cache_noprof+0x26c/0x2f4 [<000000001286d9f8>] damon_sysfs_test_add_targets+0x1cc/0x738 [<0000000032ef8f77>] kunit_try_run_case+0x13c/0x3ac [<00000000f3edea23>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000adf936cf>] kthread+0x2e8/0x374 [<0000000041bb1628>] ret_from_fork+0x10/0x20 | 2024-10-29 | 5.5 | CVE-2024-50068 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: pinctrl: apple: check devm_kasprintf() returned value devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fix this lack and check the returned value. Found by code review. | 2024-10-29 | 5.5 | CVE-2024-50069 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: pinctrl: stm32: check devm_kasprintf() returned value devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fix this lack and check the returned value. Found by code review. | 2024-10-29 | 5.5 | CVE-2024-50070 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: x86/bugs: Use code segment selector for VERW operand Robert Gill reported below #GP in 32-bit mode when dosemu software was executing vm86() system call: general protection fault: 0000 [#1] PREEMPT SMP CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1 Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010 EIP: restore_all_switch_stack+0xbe/0xcf EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000 ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046 CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0 Call Trace: show_regs+0x70/0x78 die_addr+0x29/0x70 exc_general_protection+0x13c/0x348 exc_bounds+0x98/0x98 handle_exception+0x14d/0x14d exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS are enabled. This is because segment registers with an arbitrary user value can result in #GP when executing VERW. Intel SDM vol. 2C documents the following behavior for VERW instruction: #GP(0) - If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user space. Use %cs selector to reference VERW operand. This ensures VERW will not #GP for an arbitrary user %ds. [ mingo: Fixed the SOB chain. ] | 2024-10-29 | 5.5 | CVE-2024-50072 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: xhci: tegra: fix checked USB2 port number If USB virtualizatoin is enabled, USB2 ports are shared between all Virtual Functions. The USB2 port number owned by an USB2 root hub in a Virtual Function may be less than total USB2 phy number supported by the Tegra XUSB controller. Using total USB2 phy number as port number to check all PORTSC values would cause invalid memory access. [ 116.923438] Unable to handle kernel paging request at virtual address 006c622f7665642f ... [ 117.213640] Call trace: [ 117.216783] tegra_xusb_enter_elpg+0x23c/0x658 [ 117.222021] tegra_xusb_runtime_suspend+0x40/0x68 [ 117.227260] pm_generic_runtime_suspend+0x30/0x50 [ 117.232847] __rpm_callback+0x84/0x3c0 [ 117.237038] rpm_suspend+0x2dc/0x740 [ 117.241229] pm_runtime_work+0xa0/0xb8 [ 117.245769] process_scheduled_works+0x24c/0x478 [ 117.251007] worker_thread+0x23c/0x328 [ 117.255547] kthread+0x104/0x1b0 [ 117.259389] ret_from_fork+0x10/0x20 [ 117.263582] Code: 54000222 f9461ae8 f8747908 b4ffff48 (f9400100) | 2024-10-29 | 5.5 | CVE-2024-50075 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix multiple init when debugfs is disabled If bt_debugfs is not created successfully, which happens if either CONFIG_DEBUG_FS or CONFIG_DEBUG_FS_ALLOW_ALL is unset, then iso_init() returns early and does not set iso_inited to true. This means that a subsequent call to iso_init() will result in duplicate calls to proto_register(), bt_sock_register(), etc. With CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, the duplicate call to proto_register() triggers this BUG(): list_add double add: new=ffffffffc0b280d0, prev=ffffffffbab56250, next=ffffffffc0b280d0. ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:35! Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 2 PID: 887 Comm: bluetoothd Not tainted 6.10.11-1-ao-desktop #1 RIP: 0010:__list_add_valid_or_report+0x9a/0xa0 ... __list_add_valid_or_report+0x9a/0xa0 proto_register+0x2b5/0x340 iso_init+0x23/0x150 [bluetooth] set_iso_socket_func+0x68/0x1b0 [bluetooth] kmem_cache_free+0x308/0x330 hci_sock_sendmsg+0x990/0x9e0 [bluetooth] __sock_sendmsg+0x7b/0x80 sock_write_iter+0x9a/0x110 do_iter_readv_writev+0x11d/0x220 vfs_writev+0x180/0x3e0 do_writev+0xca/0x100 ... This change removes the early return. The check for iso_debugfs being NULL was unnecessary, it is always NULL when iso_inited is false. | 2024-10-29 | 5.5 | CVE-2024-50077 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Call iso_exit() on module unload If iso_init() has been called, iso_exit() must be called on module unload. Without that, the struct proto that iso_init() registered with proto_register() becomes invalid, which could cause unpredictable problems later. In my case, with CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, loading the module again usually triggers this BUG(): list_add corruption. next->prev should be prev (ffffffffb5355fd0), but was 0000000000000068. (next=ffffffffc0a010d0). ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:29! Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 4159 Comm: modprobe Not tainted 6.10.11-4+bt2-ao-desktop #1 RIP: 0010:__list_add_valid_or_report+0x61/0xa0 ... __list_add_valid_or_report+0x61/0xa0 proto_register+0x299/0x320 hci_sock_init+0x16/0xc0 [bluetooth] bt_init+0x68/0xd0 [bluetooth] __pfx_bt_init+0x10/0x10 [bluetooth] do_one_initcall+0x80/0x2f0 do_init_module+0x8b/0x230 __do_sys_init_module+0x15f/0x190 do_syscall_64+0x68/0x110 ... | 2024-10-29 | 5.5 | CVE-2024-50078 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: io_uring/sqpoll: ensure task state is TASK_RUNNING when running task_work When the sqpoll is exiting and cancels pending work items, it may need to run task_work. If this happens from within io_uring_cancel_generic(), then it may be under waiting for the io_uring_task waitqueue. This results in the below splat from the scheduler, as the ring mutex may be attempted grabbed while in a TASK_INTERRUPTIBLE state. Ensure that the task state is set appropriately for that, just like what is done for the other cases in io_run_task_work(). do not call blocking ops when !TASK_RUNNING; state=1 set at [<0000000029387fd2>] prepare_to_wait+0x88/0x2fc WARNING: CPU: 6 PID: 59939 at kernel/sched/core.c:8561 __might_sleep+0xf4/0x140 Modules linked in: CPU: 6 UID: 0 PID: 59939 Comm: iou-sqp-59938 Not tainted 6.12.0-rc3-00113-g8d020023b155 #7456 Hardware name: linux,dummy-virt (DT) pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : __might_sleep+0xf4/0x140 lr : __might_sleep+0xf4/0x140 sp : ffff80008c5e7830 x29: ffff80008c5e7830 x28: ffff0000d93088c0 x27: ffff60001c2d7230 x26: dfff800000000000 x25: ffff0000e16b9180 x24: ffff80008c5e7a50 x23: 1ffff000118bcf4a x22: ffff0000e16b9180 x21: ffff0000e16b9180 x20: 000000000000011b x19: ffff80008310fac0 x18: 1ffff000118bcd90 x17: 30303c5b20746120 x16: 74657320313d6574 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: ffff600036c64f0b x11: 1fffe00036c64f0a x10: ffff600036c64f0a x9 : dfff800000000000 x8 : 00009fffc939b0f6 x7 : ffff0001b6327853 x6 : 0000000000000001 x5 : ffff0001b6327850 x4 : ffff600036c64f0b x3 : ffff8000803c35bc x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000e16b9180 Call trace: __might_sleep+0xf4/0x140 mutex_lock+0x84/0x124 io_handle_tw_list+0xf4/0x260 tctx_task_work_run+0x94/0x340 io_run_task_work+0x1ec/0x3c0 io_uring_cancel_generic+0x364/0x524 io_sq_thread+0x820/0x124c ret_from_fork+0x10/0x20 | 2024-10-29 | 5.5 | CVE-2024-50079 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: ublk: don't allow user copy for unprivileged device UBLK_F_USER_COPY requires userspace to call write() on ublk char device for filling request buffer, and unprivileged device can't be trusted. So don't allow user copy for unprivileged device. | 2024-10-29 | 5.5 | CVE-2024-50080 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: blk-mq: setup queue ->tag_set before initializing hctx Commit 7b815817aa58 ("blk-mq: add helper for checking if one CPU is mapped to specified hctx") needs to check queue mapping via tag set in hctx's cpuhp handler. However, q->tag_set may not be setup yet when the cpuhp handler is enabled, then kernel oops is triggered. Fix the issue by setup queue tag_set before initializing hctx. | 2024-10-29 | 5.5 | CVE-2024-50081 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test() Commit a3c1e45156ad ("net: microchip: vcap: Fix use-after-free error in kunit test") fixed the use-after-free error, but introduced below memory leaks by removing necessary vcap_free_rule(), add it to fix it. unreferenced object 0xffffff80ca58b700 (size 192): comm "kunit_try_catch", pid 1215, jiffies 4294898264 hex dump (first 32 bytes): 00 12 7a 00 05 00 00 00 0a 00 00 00 64 00 00 00 ..z.........d... 00 00 00 00 00 00 00 00 00 04 0b cc 80 ff ff ff ................ backtrace (crc 9c09c3fe): [<0000000052a0be73>] kmemleak_alloc+0x34/0x40 [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4 [<0000000040a01b8d>] vcap_alloc_rule+0x3cc/0x9c4 [<000000003fe86110>] vcap_api_encode_rule_test+0x1ac/0x16b0 [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000c5d82c9a>] kthread+0x2e8/0x374 [<00000000f4287308>] ret_from_fork+0x10/0x20 unreferenced object 0xffffff80cc0b0400 (size 64): comm "kunit_try_catch", pid 1215, jiffies 4294898265 hex dump (first 32 bytes): 80 04 0b cc 80 ff ff ff 18 b7 58 ca 80 ff ff ff ..........X..... 39 00 00 00 02 00 00 00 06 05 04 03 02 01 ff ff 9............... backtrace (crc daf014e9): [<0000000052a0be73>] kmemleak_alloc+0x34/0x40 [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4 [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528 [<00000000dfdb1e81>] vcap_api_encode_rule_test+0x224/0x16b0 [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000c5d82c9a>] kthread+0x2e8/0x374 [<00000000f4287308>] ret_from_fork+0x10/0x20 unreferenced object 0xffffff80cc0b0700 (size 64): comm "kunit_try_catch", pid 1215, jiffies 4294898265 hex dump (first 32 bytes): 80 07 0b cc 80 ff ff ff 28 b7 58 ca 80 ff ff ff ........(.X..... 3c 00 00 00 00 00 00 00 01 2f 03 b3 ec ff ff ff <......../...... backtrace (crc 8d877792): [<0000000052a0be73>] kmemleak_alloc+0x34/0x40 [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4 [<000000006eadfab7>] vcap_rule_add_action+0x2d0/0x52c [<00000000323475d1>] vcap_api_encode_rule_test+0x4d4/0x16b0 [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000c5d82c9a>] kthread+0x2e8/0x374 [<00000000f4287308>] ret_from_fork+0x10/0x20 unreferenced object 0xffffff80cc0b0900 (size 64): comm "kunit_try_catch", pid 1215, jiffies 4294898266 hex dump (first 32 bytes): 80 09 0b cc 80 ff ff ff 80 06 0b cc 80 ff ff ff ................ 7d 00 00 00 01 00 00 00 00 00 00 00 ff 00 00 00 }............... backtrace (crc 34181e56): [<0000000052a0be73>] kmemleak_alloc+0x34/0x40 [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4 [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528 [<00000000991e3564>] vcap_val_rule+0xcf0/0x13e8 [<00000000fc9868e5>] vcap_api_encode_rule_test+0x678/0x16b0 [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000c5d82c9a>] kthread+0x2e8/0x374 [<00000000f4287308>] ret_from_fork+0x10/0x20 unreferenced object 0xffffff80cc0b0980 (size 64): comm "kunit_try_catch", pid 1215, jiffies 4294898266 hex dump (first 32 bytes): 18 b7 58 ca 80 ff ff ff 00 09 0b cc 80 ff ff ff ..X............. 67 00 00 00 00 00 00 00 01 01 74 88 c0 ff ff ff g.........t..... backtrace (crc 275fd9be): [<0000000052a0be73>] kmemleak_alloc+0x34/0x40 [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4 [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528 [<000000001396a1a2>] test_add_de ---truncated--- | 2024-10-29 | 5.5 | CVE-2024-50084 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Syzkaller reported this splat: ================================================================== BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662 CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline] mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572 mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603 genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg net/socket.c:744 [inline] ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661 __sys_sendmsg+0x117/0x1f0 net/socket.c:2690 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf7fe4579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f574556c EFLAGS: 00000296 ORIG_RAX: 0000000000000172 RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000020000140 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 5387: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:878 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803 subflow_ulp_init+0xc3/0x4d0 net/mptcp/subflow.c:1956 __tcp_set_ulp net/ipv4/tcp_ulp.c:146 [inline] tcp_set_ulp+0x326/0x7f0 net/ipv4/tcp_ulp.c:167 mptcp_subflow_create_socket+0x4ae/0x10a0 net/mptcp/subflow.c:1764 __mptcp_subflow_connect+0x3cc/0x1490 net/mptcp/subflow.c:1592 mptcp_pm_create_subflow_or_signal_addr+0xbda/0x23a0 net/mptcp/pm_netlink.c:642 mptcp_pm_nl_fully_established net/mptcp/pm_netlink.c:650 [inline] mptcp_pm_nl_work+0x3a1/0x4f0 net/mptcp/pm_netlink.c:943 mptcp_worker+0x15a/0x1240 net/mptcp/protocol.c:2777 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/ke ---truncated--- | 2024-10-29 | 5.5 | CVE-2024-50085 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix uninitialized pointer free on read_alloc_one_name() error The function read_alloc_one_name() does not initialize the name field of the passed fscrypt_str struct if kmalloc fails to allocate the corresponding buffer. Thus, it is not guaranteed that fscrypt_str.name is initialized when freeing it. This is a follow-up to the linked patch that fixes the remaining instances of the bug introduced by commit e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs"). | 2024-10-29 | 5.5 | CVE-2024-50087 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race We're seeing crashes from rq_qos_wake_function that look like this: BUG: unable to handle page fault for address: ffffafe180a40084 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0 Oops: Oops: 0002 [#1] PREEMPT SMP PTI CPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-rc3-00013-geca631b8fe80 #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:_raw_spin_lock_irqsave+0x1d/0x40 Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 62 97 30 4c 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 2c 0b 00 RSP: 0018:ffffafe180580ca0 EFLAGS: 00010046 RAX: 0000000000000000 RBX: ffffafe180a3f7a8 RCX: 0000000000000011 RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffffafe180a40084 RBP: 0000000000000000 R08: 00000000001e7240 R09: 0000000000000011 R10: 0000000000000028 R11: 0000000000000888 R12: 0000000000000002 R13: ffffafe180a40084 R14: 0000000000000000 R15: 0000000000000003 FS: 0000000000000000(0000) GS:ffff9aaf1f280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffafe180a40084 CR3: 000000010e428002 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> try_to_wake_up+0x5a/0x6a0 rq_qos_wake_function+0x71/0x80 __wake_up_common+0x75/0xa0 __wake_up+0x36/0x60 scale_up.part.0+0x50/0x110 wb_timer_fn+0x227/0x450 ... So rq_qos_wake_function() calls wake_up_process(data->task), which calls try_to_wake_up(), which faults in raw_spin_lock_irqsave(&p->pi_lock). p comes from data->task, and data comes from the waitqueue entry, which is stored on the waiter's stack in rq_qos_wait(). Analyzing the core dump with drgn, I found that the waiter had already woken up and moved on to a completely unrelated code path, clobbering what was previously data->task. Meanwhile, the waker was passing the clobbered garbage in data->task to wake_up_process(), leading to the crash. What's happening is that in between rq_qos_wake_function() deleting the waitqueue entry and calling wake_up_process(), rq_qos_wait() is finding that it already got a token and returning. The race looks like this: rq_qos_wait() rq_qos_wake_function() ============================================================== prepare_to_wait_exclusive() data->got_token = true; list_del_init(&curr->entry); if (data.got_token) break; finish_wait(&rqw->wait, &data.wq); ^- returns immediately because list_empty_careful(&wq_entry->entry) is true ... return, go do something else ... wake_up_process(data->task) (NO LONGER VALID!)-^ Normally, finish_wait() is supposed to synchronize against the waker. But, as noted above, it is returning immediately because the waitqueue entry has already been removed from the waitqueue. The bug is that rq_qos_wake_function() is accessing the waitqueue entry AFTER deleting it. Note that autoremove_wake_function() wakes the waiter and THEN deletes the waitqueue entry, which is the proper order. Fix it by swapping the order. We also need to use list_del_init_careful() to match the list_empty_careful() in finish_wait(). | 2024-10-29 | 4.7 | CVE-2024-50082 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
lollms -- lollms_web_ui |
A Cross-Site Request Forgery (CSRF) vulnerability exists in the `install_comfyui` endpoint of the `lollms_comfyui.py` file in the parisneo/lollms-webui repository, versions v9.9 to the latest. The endpoint uses the GET method without requiring a client ID, allowing an attacker to trick a victim into installing ComfyUI. If the victim's device does not have sufficient capacity, this can result in a crash. | 2024-10-29 | 6.5 | CVE-2024-6673 | security@huntr.dev security@huntr.dev |
LUNAD3v--AreaLoad |
A vulnerability was found in LUNAD3v AreaLoad up to 1a1103182ed63a06dde63d1712f3262eda19c3ec. It has been rated as critical. This issue affects some unknown processing of the file request.php. The manipulation of the argument phone leads to sql injection. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The patch is named 264813c546dba03989ac0fc365f2022bf65e3be2. It is recommended to apply a patch to fix this issue. | 2024-10-29 | 5.5 | CVE-2017-20195 | cna@vuldb.com cna@vuldb.com cna@vuldb.com |
lunary -- lunary |
lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace character (e.g., \xa0). This vulnerability can be exploited to conduct phishing attacks, damage the application's brand, cause legal and compliance issues, and result in financial impact due to unauthorized email usage. | 2024-10-29 | 6.5 | CVE-2024-7472 | security@huntr.dev security@huntr.dev |
lunary -- lunary |
An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in version 1.4.3. | 2024-10-29 | 6.5 | CVE-2024-7473 | security@huntr.dev security@huntr.dev |
LWS--LWS Affiliation |
Missing Authorization vulnerability in LWS LWS Affiliation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LWS Affiliation: from n/a through 2.3.4. | 2024-11-01 | 5.4 | CVE-2024-43962 | audit@patchstack.com |
Magazine3--PWA for WP & AMP |
Missing Authorization vulnerability in Magazine3 PWA for WP & AMP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PWA for WP & AMP: from n/a through 1.7.72. | 2024-11-01 | 4.3 | CVE-2024-47318 | audit@patchstack.com |
manzurulhaque -- banner_slider |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Manzurul Haque Banner Slider allows Reflected XSS.This issue affects Banner Slider: from n/a through 2.1. | 2024-10-29 | 6.1 | CVE-2024-49635 | audit@patchstack.com |
marianheddesheimer -- extra_privacy_for_elementor |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Marian Heddesheimer Extra Privacy for Elementor allows Reflected XSS.This issue affects Extra Privacy for Elementor: from n/a through 0.1.3. | 2024-10-29 | 6.1 | CVE-2024-49654 | audit@patchstack.com |
markjaquith--Subscribe to Comments |
The Subscribe to Comments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-10-30 | 6.1 | CVE-2024-8792 | security@wordfence.com security@wordfence.com security@wordfence.com |
Martin Gibson--WP GoToWebinar |
Missing Authorization vulnerability in Martin Gibson WP GoToWebinar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP GoToWebinar: from n/a through 15.6. | 2024-11-01 | 4.3 | CVE-2024-38695 | audit@patchstack.com |
Masteriyo--Masteriyo - LMS |
Missing Authorization vulnerability in Masteriyo Masteriyo - LMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Masteriyo - LMS: from n/a through 1.11.6. | 2024-11-01 | 5.3 | CVE-2024-43159 | audit@patchstack.com |
masteriyo--Masteriyo LMS eLearning and Online Course Builder for WordPress |
The Masteriyo LMS - eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the question's content parameter in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with student-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-29 | 6.4 | CVE-2024-10000 | security@wordfence.com security@wordfence.com |
Mattermost--Mattermost |
Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K. | 2024-10-29 | 4.3 | CVE-2024-10241 | responsibledisclosure@mattermost.com |
Mattermost--Mattermost |
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks | 2024-10-29 | 4.6 | CVE-2024-46872 | responsibledisclosure@mattermost.com |
Mattermost--Mattermost |
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to crash by sending a specially crafted request to Playbooks. | 2024-10-29 | 4.3 | CVE-2024-47401 | responsibledisclosure@mattermost.com |
Mattermost--Mattermost |
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post. | 2024-10-29 | 4.3 | CVE-2024-50052 | responsibledisclosure@mattermost.com |
mattroyal -- woocommerce_maintenance_mode |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Matt Royal WooCommerce Maintenance Mode allows Reflected XSS.This issue affects WooCommerce Maintenance Mode: from n/a through 2.0.1. | 2024-10-29 | 6.1 | CVE-2024-49651 | audit@patchstack.com |
MediaRon LLC--Custom Query Blocks |
Missing Authorization vulnerability in MediaRon LLC Custom Query Blocks allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Custom Query Blocks: from n/a through 5.2.0. | 2024-11-01 | 5.3 | CVE-2024-38794 | audit@patchstack.com |
Meks--Meks Video Importer |
Missing Authorization vulnerability in Meks Meks Video Importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Meks Video Importer: from n/a through 1.0.12. | 2024-11-01 | 5.4 | CVE-2024-38733 | audit@patchstack.com |
Merkulove--Selection Lite |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Merkulove Selection Lite allows Stored XSS.This issue affects Selection Lite: from n/a through 1.13. | 2024-10-28 | 6.5 | CVE-2024-50445 | audit@patchstack.com |
Michael Robinson--Raptor Editor |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Michael Robinson Raptor Editor allows DOM-Based XSS.This issue affects Raptor Editor: from n/a through 1.0.20. | 2024-10-28 | 6.5 | CVE-2024-50468 | audit@patchstack.com |
Migrate--Clone |
Missing Authorization vulnerability in Migrate Clone allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Clone: from n/a through 2.4.5. | 2024-11-01 | 4.3 | CVE-2024-43297 | audit@patchstack.com |
Migrate--Clone |
Missing Authorization vulnerability in Migrate Clone allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Clone: from n/a through 2.4.5. | 2024-11-01 | 4.3 | CVE-2024-43298 | audit@patchstack.com |
Miller Media ( Matt Miller )--Send Emails with Mandrill |
Missing Authorization vulnerability in Miller Media ( Matt Miller ) Send Emails with Mandrill allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Send Emails with Mandrill: from n/a through 1.4.1. | 2024-11-01 | 4.3 | CVE-2024-43208 | audit@patchstack.com |
mkucej--i-librarian-free |
I, Librarian is an open-source version of a PDF managing SaaS. Supplemental Files are allowed to be viewed in the browser, only if they have a white-listed MIME type. Unfortunately, this logic is broken, thus allowing unsafe files containing Javascript to be executed with the application context. An attacker can exploit this vulnerability by uploading a supplementary file that contains a malicious code or script. This code will then be executed when the file is loaded in the browser. The vulnerability was fixed in version 5.11.2. | 2024-10-30 | 4.6 | CVE-2024-50344 | security-advisories@github.com security-advisories@github.com |
mndpsingh287--File Manager |
Missing Authorization vulnerability in mndpsingh287 File Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects File Manager: from n/a through 7.2.7. | 2024-11-01 | 4.3 | CVE-2024-37254 | audit@patchstack.com |
modernaweb--Black Widgets For Elementor |
The Black Widgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2024-10-30 | 6.4 | CVE-2024-9388 | security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
Mondula GmbH--Multi Step Form |
Missing Authorization vulnerability in Mondula GmbH Multi Step Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Multi Step Form: from n/a through 1.7.21. | 2024-10-29 | 4.3 | CVE-2024-50428 | audit@patchstack.com |
moveaddons--Move Addons for Elementor |
The Move Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the render function in includes/widgets/accordion/widget.php, includes/widgets/remote-template/widget.php, and other widget.php files. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. | 2024-10-29 | 4.3 | CVE-2024-10360 | security@wordfence.com security@wordfence.com |
mozilla -- firefox_focus |
Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in links potentially circumventing some URL safety checks This vulnerability affects Focus for iOS < 132. | 2024-10-29 | 6.5 | CVE-2024-10474 | security@mozilla.org security@mozilla.org |
mozilla -- firefox |
In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. | 2024-10-29 | 6.1 | CVE-2024-10461 | security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org |
mozilla -- firefox |
Truncation of a long URL could have allowed origin spoofing in a permission prompt. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. | 2024-10-29 | 6.5 | CVE-2024-10462 | security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org |
mozilla -- firefox |
Video frames could have been leaked between origins in some situations. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132. | 2024-10-29 | 6.5 | CVE-2024-10463 | security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org |
mozilla -- firefox |
Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. This was addressed by introducing rate-limiting to this API. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. | 2024-10-29 | 6.5 | CVE-2024-10464 | security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org |
mozilla -- firefox |
A clipboard "paste" button could persist across tabs which allowed a spoofing attack. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. | 2024-10-29 | 6.5 | CVE-2024-10465 | security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org |
mozilla -- firefox |
The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. | 2024-10-29 | 5.3 | CVE-2024-10460 | security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org |
mozilla -- firefox |
Potential race conditions in IndexedDB could have caused memory corruption, leading to a potentially exploitable crash. This vulnerability affects Firefox < 132 and Thunderbird < 132. | 2024-10-29 | 5.3 | CVE-2024-10468 | security@mozilla.org security@mozilla.org security@mozilla.org |
n/a--n/a |
Studio-42 eLfinder 2.1.62 contains a filename restriction bypass leading to a persistent Cross-site Scripting (XSS) vulnerability. | 2024-10-31 | 6.1 | CVE-2023-52045 | cve@mitre.org |
n/a--n/a |
PbootCMS 3.2.8 is vulnerable to URL Redirect. | 2024-10-28 | 6.1 | CVE-2024-42930 | cve@mitre.org cve@mitre.org |
n/a--n/a |
phpgurukul Vehicle Record Management System v1.0 was discovered to contain a SQL injection vulnerability via the searchinputdata parameter at /index.php. | 2024-10-30 | 6.3 | CVE-2024-46531 | cve@mitre.org |
n/a--n/a |
SparkShop <=1.1.7 is vulnerable to server-side request forgery (SSRF). This vulnerability allows attacks to scan ports on the Intranet or local network where the server resides, attack applications running on the Intranet or local network, or read metadata on the cloud server. | 2024-10-28 | 6.5 | CVE-2024-48107 | cve@mitre.org cve@mitre.org |
n/a--n/a |
dingfanzu CMS 1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/doAdminAction.php?act=delAdmin&id=17 | 2024-10-28 | 6.3 | CVE-2024-48191 | cve@mitre.org |
n/a--n/a |
Cross Site Scripting vulnerability in eyouCMS v.1.6.7 allows a remote attacker to obtain sensitive information via a crafted script to the post parameter. | 2024-10-28 | 6.1 | CVE-2024-48195 | cve@mitre.org |
n/a--n/a |
D-Link DSL6740C v6.TR069.20211230 was discovered to use an insecure default Wifi password, possibly allowing attackers to connect to the device via a bruteforce attack. | 2024-10-30 | 6.5 | CVE-2024-48272 | cve@mitre.org cve@mitre.org |
n/a--n/a |
dingfanzu CMS 1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/doAdminAction.php?act=editAdmin&id=17 | 2024-10-28 | 6.3 | CVE-2024-48291 | cve@mitre.org |
n/a--n/a |
xtreme1 <= v0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the /api/data/upload path. The vulnerability is triggered through the fileUrl parameter, which allows an attacker to make arbitrary requests to internal or external systems. | 2024-10-30 | 6.1 | CVE-2024-48346 | cve@mitre.org |
n/a--n/a |
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Sage 1000 v 7.0.0. This vulnerability allows attackers to inject malicious scripts into URLs, which are reflected back by the server in the response without proper sanitization or encoding. | 2024-10-30 | 6.1 | CVE-2024-48648 | cve@mitre.org |
n/a--n/a |
A Server-Side Request Forgery (SSRF) vulnerability has been identified in eladmin 2.7 and earlier in ServerDeployController.java. The manipulation of the HTTP Body ip parameter leads to SSRF. | 2024-10-30 | 6.5 | CVE-2024-51242 | cve@mitre.org |
n/a--n/a |
Cross Site Scripting vulnerability in Shenzhen Interconnection Harbor Network Technology Co., Ltd Ofweek Online Exhibition v.1.0.0 allows a remote attacker to execute arbitrary code. | 2024-10-30 | 6.1 | CVE-2024-51419 | cve@mitre.org |
n/a--n/a |
Cross Site Scripting vulnerability in online diagnostic lab management system using php v.1.0 allows a remote attacker to execute arbitrary code via the Test Name parameter on the diagnostic/add-test.php component. | 2024-10-31 | 6.4 | CVE-2024-51430 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Hitron CODA-4582 2AHKM-CODA4589 7.2.4.5.1b8 devices allow a remote attacker within Wi-Fi proximity to conduct stored XSS attacks via the 'Network Name (SSID)' input fields to the /index.html#wireless_basic page. | 2024-10-30 | 5.2 | CVE-2024-31973 | cve@mitre.org |
n/a--n/a |
Snowflake JDBC driver versions >= 3.2.6 and <= 3.19.1 have an Incorrect Security Setting that can result in data being uploaded to an encrypted stage without the additional layer of protection provided by client side encryption. | 2024-10-30 | 5.9 | CVE-2024-43382 | cve@mitre.org |
n/a--n/a |
An issue in radare2 v5.8.0 through v5.9.4 allows a local attacker to cause a denial of service via the __bf_div function. | 2024-10-30 | 5.5 | CVE-2024-48241 | cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
Proactive Risk Manager version 9.1.1.0 is affected by multiple Cross-Site Scripting (XSS) vulnerabilities in the add/edit form fields, at the urls starting with the subpaths: /ar/config/configuation/ and /ar/config/risk-strategy-control/ | 2024-10-30 | 5.4 | CVE-2024-48569 | cve@mitre.org |
n/a--n/a |
Cross Site Scripting vulnerability in PHPGurukul Doctor Appointment Management System v.1.0 allows a local attacker to execute arbitrary code via the search parameter. | 2024-10-30 | 5.4 | CVE-2024-48807 | cve@mitre.org cve@mitre.org |
n/a--n/a |
SchedMD Slurm before 24.05.4 has Incorrect Authorization. A mistake in authentication handling in stepmgr could permit an attacker to execute processes under other users' jobs. This is limited to jobs explicitly running with --stepmgr, or on systems that have globally enabled stepmgr via SlurmctldParameters=enable_stepmgr in their configuration. | 2024-10-28 | 5 | CVE-2024-48936 | cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoconfig for retrieving the configuration. This is related to kmail-account-wizard. | 2024-10-28 | 5.9 | CVE-2024-50624 | cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
EnGenius ESR580 A8J-EMR5000 devices allow a remote attacker to conduct stored XSS attacks that could lead to arbitrary JavaScript code execution (under the context of the user's session) via the Wi-Fi SSID input fields. Web scripts embedded into the vulnerable fields this way are executed immediately when a user logs into the admin page. This affects /admin/wifi/wlan1 and /admin/wifi/wlan_guest. | 2024-10-30 | 4.3 | CVE-2024-31972 | cve@mitre.org |
n/a--n/a |
EnGenius ESR580 devices through 1.1.30 allow a remote attacker to conduct stored XSS attacks via the Wi-Fi SSID parameters. JavaScript embedded into a vulnerable field is executed when the user clicks the SSID field's corresponding EDIT button. | 2024-10-30 | 4.8 | CVE-2024-31975 | cve@mitre.org |
n/a--n/a |
TYPO3 before 13.3.1 allows denial of service (interface error) in the Bookmark Toolbar (ext:backend), exploitable by an administrator-level backend user account via manipulated data saved in the bookmark toolbar of the backend user interface. The fixed versions are 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, and 13.3.1. | 2024-10-28 | 4.9 | CVE-2024-34537 | cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
Cross Site Scripting vulnerability in TeslaLogger Admin Panel before v.1.59.6 allows a remote attacker to execute arbitrary code via the New Journey field. | 2024-10-29 | 4.8 | CVE-2024-48461 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description. | 2024-10-28 | 4.8 | CVE-2024-51506 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name. | 2024-10-28 | 4.8 | CVE-2024-51507 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index. | 2024-10-28 | 4.8 | CVE-2024-51508 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name. | 2024-10-28 | 4.8 | CVE-2024-51509 | cve@mitre.org cve@mitre.org |
n/a--Persian WooCommerce |
Missing Authorization vulnerability in ??????? ????? Persian WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Persian WooCommerce: from n/a through 7.1.6. | 2024-11-01 | 5.3 | CVE-2024-43219 | audit@patchstack.com |
n/a--sinatra |
Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF. | 2024-11-01 | 5.4 | CVE-2024-21510 | report@snyk.io report@snyk.io report@snyk.io report@snyk.io |
n/a--wuzhicms |
A vulnerability was found in wuzhicms 4.1.0. It has been classified as critical. Affected is the function add/edit of the file www/coreframe/app/content/admin/block.php. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Initially two separate issues were created by the researcher for the different function calls. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-10-30 | 6.3 | CVE-2024-10505 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
nCrafts--FormCraft |
Missing Authorization vulnerability in nCrafts FormCraft allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FormCraft: from n/a through 1.2.10. | 2024-11-01 | 4.3 | CVE-2024-43157 | audit@patchstack.com |
nervythemes -- local_business_addons_for_elementor |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in NervyThemes Local Business Addons For Elementor allows Stored XSS.This issue affects Local Business Addons For Elementor: from n/a through 1.1.5. | 2024-10-29 | 5.4 | CVE-2024-49667 | audit@patchstack.com |
Nickolas Bossinas--WordPress File Upload |
Broken Access Control vulnerability in Nickolas Bossinas WordPress File Upload allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress File Upload: from n/a through 4.24.7. | 2024-11-01 | 4.3 | CVE-2024-39639 | audit@patchstack.com |
Noptin Newsletter--Noptin |
Missing Authorization vulnerability in Noptin Newsletter Noptin allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Noptin: from n/a through 3.4.2. | 2024-11-01 | 5.3 | CVE-2024-37456 | audit@patchstack.com |
OnTheGoSystems--WooCommerce Multilingual & Multicurrency |
Missing Authorization vulnerability in OnTheGoSystems WooCommerce Multilingual & Multicurrency multilingual allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Multilingual & Multicurrency: from n/a through 5.3.6. | 2024-11-01 | 4.3 | CVE-2024-44006 | audit@patchstack.com |
open-scratch--Teaching |
A vulnerability classified as critical was found in open-scratch Teaching ?????? up to 2.7. This vulnerability affects unknown code of the file /api/sys/ng-alain/getDictItemsByTable/ of the component URL Handler. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-10-30 | 6.3 | CVE-2024-10546 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
OptinlyHQ--Optinly |
Missing Authorization vulnerability in OptinlyHQ Optinly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Optinly: from n/a through 1.0.18. | 2024-11-01 | 5.3 | CVE-2024-37220 | audit@patchstack.com |
Packlink Shipping S.L.--Packlink PRO shipping module |
Missing Authorization vulnerability in Packlink Shipping S.L. Packlink PRO shipping module allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Packlink PRO shipping module: from n/a through 3.4.6. | 2024-11-01 | 5.4 | CVE-2024-38740 | audit@patchstack.com |
Pagup--Ads.txt & App-ads.txt Manager for WordPress |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pagup Ads.Txt & App-ads.Txt Manager for WordPress allows Stored XSS.This issue affects Ads.Txt & App-ads.Txt Manager for WordPress: from n/a through 1.1.7.1. | 2024-10-29 | 5.9 | CVE-2024-50415 | audit@patchstack.com |
phpgurukul -- ifsc_code_finder |
A Reflected Cross Site Scripting (XSS) vulnerability was found in /ifscfinder/index.php in PHPGurukul IFSC Code Finder Project v1.0, which allows remote attackers to execute arbitrary code via the "searchifsccode" parameter. | 2024-10-29 | 6.1 | CVE-2024-51180 | cve@mitre.org |
phpgurukul -- ifsc_code_finder |
A Reflected Cross Site Scripting (XSS) vulnerability was found in /ifscfinder/admin/profile.php in PHPGurukul IFSC Code Finder Project v1.0, which allows remote attackers to execute arbitrary code via " searchifsccode" parameter. | 2024-10-29 | 6.1 | CVE-2024-51181 | cve@mitre.org |
phpgurukul -- online_dj_booking_management_system |
A Reflected Cross Site Scripting (XSS) vulnerability was found in /odms/admin/user-search.php in PHPGurukul Online DJ Booking Management System v1.0, which allows remote attackers to execute arbitrary code via the searchdata parameter. | 2024-10-29 | 6.1 | CVE-2024-51075 | cve@mitre.org |
phpgurukul -- online_dj_booking_management_system |
A Reflected Cross Site Scripting (XSS) vulnerability was found in /odms/admin/booking-search.php in PHPGurukul Online DJ Booking Management System 1.0, which allows remote attackers to execute arbitrary code via the "searchdata" parameter. | 2024-10-29 | 6.1 | CVE-2024-51076 | cve@mitre.org |
PickPlugins--Post Grid and Gutenberg Blocks |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Stored XSS.This issue affects Post Grid and Gutenberg Blocks: from n/a through 2.2.93. | 2024-10-28 | 6.5 | CVE-2024-50432 | audit@patchstack.com |
Pierre Lebedel--Kodex Posts likes |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pierre Lebedel Kodex Posts likes allows Stored XSS.This issue affects Kodex Posts likes: from n/a through 2.5.0. | 2024-10-28 | 6.5 | CVE-2024-50464 | audit@patchstack.com |
PluginOps--MailChimp Subscribe Forms |
Cross Site Scripting (XSS) vulnerability in PluginOps MailChimp Subscribe Forms allows Stored XSS.This issue affects MailChimp Subscribe Forms: from n/a through 4.0.9.8. | 2024-11-01 | 5.9 | CVE-2024-43211 | audit@patchstack.com |
Popup Box Team--Popup box |
Missing Authorization vulnerability in Popup Box Team Popup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup box: from n/a through 4.5.1. | 2024-11-01 | 4.3 | CVE-2024-37096 | audit@patchstack.com |
Popup Maker--Popup Maker |
Missing Authorization vulnerability in Popup Maker allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Popup Maker: from n/a through 1.19.2. | 2024-11-01 | 5.3 | CVE-2024-47358 | audit@patchstack.com |
POSIMYTH--The Plus Addons for Elementor Page Builder Lite |
Missing Authorization vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.6.2. | 2024-11-01 | 6.5 | CVE-2024-43932 | audit@patchstack.com |
Post Grid Team by RadiusTheme--The Post Grid |
Missing Authorization vulnerability in Post Grid Team by RadiusTheme The Post Grid allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects The Post Grid: from n/a through 7.7.4. | 2024-11-01 | 6.5 | CVE-2024-37481 | audit@patchstack.com |
Post Grid Team by RadiusTheme--The Post Grid |
Missing Authorization vulnerability in Post Grid Team by RadiusTheme The Post Grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Post Grid: from n/a through 7.7.4. | 2024-11-01 | 5.4 | CVE-2024-37483 | audit@patchstack.com |
Post Grid Team by RadiusTheme--The Post Grid |
Missing Authorization vulnerability in Post Grid Team by RadiusTheme The Post Grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Post Grid: from n/a through 7.7.4. | 2024-11-01 | 4.3 | CVE-2024-37482 | audit@patchstack.com |
Post Grid Team by WPXPO--PostX |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Post Grid Team by WPXPO PostX allows Stored XSS.This issue affects PostX: from n/a through 4.1.12. | 2024-10-28 | 6.5 | CVE-2024-50443 | audit@patchstack.com |
Posti--Posti Shipping |
Generation of Error Message Containing Sensitive Information vulnerability in Posti Posti Shipping allows Retrieve Embedded Sensitive Data.This issue affects Posti Shipping: from n/a through 3.10.2. | 2024-10-30 | 5.3 | CVE-2024-50512 | audit@patchstack.com |
Prasad Kirpekar--WP Free SSL Free SSL Certificate for WordPress and force HTTPS |
Missing Authorization vulnerability in Prasad Kirpekar WP Free SSL - Free SSL Certificate for WordPress and force HTTPS allows . This issue affects WP Free SSL - Free SSL Certificate for WordPress and force HTTPS: from n/a through 1.2.6. | 2024-11-01 | 4.3 | CVE-2024-44020 | audit@patchstack.com |
prashantmavinkurve -- agile_video_player_lite |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Prashant Mavinkurve Agile Video Player Lite allows Reflected XSS.This issue affects Agile Video Player Lite: from n/a through 1.0. | 2024-10-29 | 6.1 | CVE-2024-49636 | audit@patchstack.com |
prasidhda--Woo Manage Fraud Orders |
The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.1.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information about users contained in the exposed log files. | 2024-10-31 | 5.3 | CVE-2024-10544 | security@wordfence.com security@wordfence.com |
Presto Made, Inc--Presto Player |
Missing Authorization vulnerability in Presto Made, Inc Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Presto Player: from n/a through 3.0.2. | 2024-11-01 | 6.3 | CVE-2024-43285 | audit@patchstack.com |
Prism IT Systems--User Rights Access Manager |
Access Control vulnerability in Prism IT Systems User Rights Access Manager allows . This issue affects User Rights Access Manager: from n/a through 1.1.2. | 2024-11-01 | 6.5 | CVE-2024-37209 | audit@patchstack.com |
ProfileGrid User Profiles--ProfileGrid |
Missing Authorization vulnerability in ProfileGrid User Profiles ProfileGrid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ProfileGrid: from n/a through 5.8.7. | 2024-11-01 | 4.3 | CVE-2024-37453 | audit@patchstack.com |
Progress Software Corporation--Chef Habitat Builder |
The Chef Habitat builder-api on-prem-builder package with any version lower than habitat/builder-api/10315/20240913162802 is vulnerable to indirect object reference (IDOR) by un-authorized deletion of personal token. Habitat builder consumes builder-api habitat package as a dependency and the vulnerability was specifically due to builder-api habitat package. The fix was made available in habitat/builder-api/10315/20240913162802 and all the subsequent versions after that. We would recommend user to always use on-prem stable channel. | 2024-10-28 | 5.4 | CVE-2024-9825 | security@progress.com security@progress.com |
Project Worlds--Life Insurance Management System |
A vulnerability was found in Project Worlds Life Insurance Management System 1.0. It has been classified as critical. This affects an unknown part of the file /editPayment.php. The manipulation of the argument recipt_no leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-11-03 | 6.3 | CVE-2024-10734 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Project Worlds--Life Insurance Management System |
A vulnerability was found in Project Worlds Life Insurance Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /editNominee.php. The manipulation of the argument nominee_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-11-03 | 6.3 | CVE-2024-10735 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
projectworlds -- simple_web-based_chat_application |
A vulnerability was found in Project Worlds Simple Web-Based Chat Application 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument Name/Comment leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions different parameters to be affected which do not correlate with the screenshots of a successful attack. | 2024-10-28 | 6.1 | CVE-2024-10433 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
PropertyHive--PropertyHive |
Missing Authorization vulnerability in PropertyHive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PropertyHive: from n/a through 2.0.9. | 2024-11-01 | 4.3 | CVE-2024-37204 | audit@patchstack.com |
qriouslad--Code Explorer |
The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is due to the fact that the plugin does not restrict accessing files to those outside of the WordPress instance, though the intention of the plugin is to only access WordPress related files. This makes it possible for authenticated attackers, with administrator-level access, to read files outside of the WordPress instance. | 2024-10-30 | 4.9 | CVE-2023-5816 | security@wordfence.com security@wordfence.com |
QuadLayers--WP Social Feed Gallery |
Missing Authorization vulnerability in QuadLayers WP Social Feed Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Social Feed Gallery: from n/a through 4.3.9. | 2024-11-01 | 6.5 | CVE-2024-39640 | audit@patchstack.com |
Rara Themes--Business One Page |
Missing Authorization vulnerability in Rara Themes Business One Page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business One Page: from n/a through 1.2.9. | 2024-11-01 | 4.3 | CVE-2024-37505 | audit@patchstack.com |
realmag777--WordPress Meta Data and Taxonomies Filter (MDTF) |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Stored XSS.This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.4. | 2024-10-28 | 6.5 | CVE-2024-50451 | audit@patchstack.com |
Red Hat--Red Hat Enterprise Linux 7 |
An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector. | 2024-10-31 | 6.7 | CVE-2024-10573 | secalert@redhat.com secalert@redhat.com secalert@redhat.com |
Red Hat--Red Hat Satellite 6.13 for RHEL 8 |
A vulnerability was found in Foreman's loader macros introduced with report templates. These macros may allow an authenticated user with permissions to view and create templates to read any field from Foreman's database. By using specific strings in the loader macros, users can bypass permissions and access sensitive information. | 2024-10-31 | 6.3 | CVE-2024-8553 | secalert@redhat.com secalert@redhat.com secalert@redhat.com secalert@redhat.com secalert@redhat.com |
RedefiningTheWeb--PDF Generator Addon for Elementor Page Builder |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder allows Stored XSS.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through 1.7.4. | 2024-10-28 | 6.5 | CVE-2024-50449 | audit@patchstack.com |
Renzo Johnson--Contact Form 7 Campaign Monitor Extension |
Missing Authorization vulnerability in Renzo Johnson Contact Form 7 Campaign Monitor Extension allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Contact Form 7 Campaign Monitor Extension: from n/a through 0.4.67. | 2024-11-01 | 5.3 | CVE-2024-44019 | audit@patchstack.com |
reputeinfosystems -- bookingpress |
The Appointment Booking Calendar Plugin and Scheduling Plugin - BookingPress plugin for WordPress is vulnerable to SQL Injection via the 'service' parameter of the bookingpress_form shortcode in all versions up to, and including, 1.1.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2024-11-02 | 6.5 | CVE-2024-10540 | security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
Reservation Diary--ReDi Restaurant Reservation |
Missing Authorization vulnerability in Reservation Diary ReDi Restaurant Reservation allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects ReDi Restaurant Reservation: from n/a through 24.0422. | 2024-11-01 | 5.4 | CVE-2024-38737 | audit@patchstack.com |
ReviewX--ReviewX |
Missing Authorization vulnerability in ReviewX allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects ReviewX: from n/a through 1.6.28. | 2024-11-01 | 5.3 | CVE-2024-43323 | audit@patchstack.com |
rimonhabib -- bp_member_type_manager |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Rimon Habib BP Member Type Manager allows Reflected XSS.This issue affects BP Member Type Manager: from n/a through 1.01. | 2024-10-29 | 6.1 | CVE-2024-49634 | audit@patchstack.com |
Roundup WP--Registrations for the Events Calendar |
Missing Authorization vulnerability in Roundup WP Registrations for the Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Registrations for the Events Calendar: from n/a through 2.12.1. | 2024-11-01 | 6.4 | CVE-2024-43143 | audit@patchstack.com |
Rymera Web Co--Wholesale Suite |
Missing Authorization vulnerability in Rymera Web Co Wholesale Suite allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Wholesale Suite: from n/a through 2.1.12. | 2024-11-01 | 5.3 | CVE-2024-38745 | audit@patchstack.com |
Seraphinite Solutions--Seraphinite Post .DOCX Source |
Missing Authorization vulnerability in Seraphinite Solutions Seraphinite Post .DOCX Source allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Seraphinite Post .DOCX Source: from n/a through 2.16.9. | 2024-11-01 | 4.3 | CVE-2024-38727 | audit@patchstack.com |
seuroficial--SEUR Oficial |
The SEUR Oficial plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'change_service' parameter in all versions up to, and including, 2.2.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-10-29 | 6.1 | CVE-2024-9438 | security@wordfence.com security@wordfence.com security@wordfence.com |
shopitpress--SIP Reviews Shortcode for WooCommerce |
The SIP Reviews Shortcode for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'no_of_reviews' attribute in the woocommerce_reviews shortcode in all versions up to, and including, 1.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2024-10-31 | 6.5 | CVE-2024-6479 | security@wordfence.com security@wordfence.com security@wordfence.com |
shopitpress--SIP Reviews Shortcode for WooCommerce |
The SIP Reviews Shortcode for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'no_of_reviews' attribute in the woocommerce_reviews shortcode in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-31 | 6.4 | CVE-2024-6480 | security@wordfence.com security@wordfence.com security@wordfence.com |
ShortPixel Convert WebP/AVIF & Optimize Images--ShortPixel Image Optimizer |
Missing Authorization vulnerability in ShortPixel - Convert WebP/AVIF & Optimize Images ShortPixel Image Optimizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShortPixel Image Optimizer: from n/a through 5.6.3. | 2024-11-01 | 5.4 | CVE-2024-48044 | audit@patchstack.com |
SiteGround--SiteGround Security |
Missing Authorization vulnerability in SiteGround SiteGround Security allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteGround Security: from n/a through 1.5.0. | 2024-11-01 | 5.4 | CVE-2024-38774 | audit@patchstack.com |
Smash Balloon--Custom Twitter Feeds (Tweets Widget) |
Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds (Tweets Widget) allows Cross Site Request Forgery.This issue affects Custom Twitter Feeds (Tweets Widget): from n/a through 2.2.3. | 2024-10-31 | 5.4 | CVE-2024-49685 | audit@patchstack.com |
soft-master -- affiliate_platform |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ilias Gomatos Affiliate Platform allows Reflected XSS.This issue affects Affiliate Platform: from n/a through 1.4.8. | 2024-10-29 | 6.1 | CVE-2024-49645 | audit@patchstack.com |
solwin--User Activity Log Pro |
Missing Authorization vulnerability in solwin User Activity Log Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Activity Log Pro: from n/a through 2.3.4. | 2024-11-01 | 6.3 | CVE-2024-37929 | audit@patchstack.com |
SourceCodester--Kortex Lite Advocate Office Management System |
A vulnerability has been found in SourceCodester Kortex Lite Advocate Office Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /kortex_lite/control/edit_profile.php of the component POST Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-10-28 | 6.3 | CVE-2024-10450 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
spider-themes -- bbp_core |
The BBP Core - Expand bbPress powered forums with useful features plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-11-02 | 6.1 | CVE-2024-9896 | security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
squirrly -- premium_seo_pack |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP SEO - Calin Vingan Premium SEO Pack allows SQL Injection.This issue affects Premium SEO Pack: from n/a through 1.6.001. | 2024-10-28 | 6.5 | CVE-2024-50465 | audit@patchstack.com |
streamweasels--StreamWeasels Kick Integration |
The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sw-kick-embed shortcode in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-29 | 6.4 | CVE-2024-10184 | security@wordfence.com security@wordfence.com security@wordfence.com |
streamweasels--StreamWeasels YouTube Integration |
The StreamWeasels YouTube Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sw-youtube-embed shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-29 | 6.4 | CVE-2024-10185 | security@wordfence.com security@wordfence.com security@wordfence.com |
StylemixThemes--Masterstudy Elementor Widgets |
Missing Authorization vulnerability in StylemixThemes Masterstudy Elementor Widgets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Masterstudy Elementor Widgets: from n/a through 1.2.2. | 2024-11-01 | 5.3 | CVE-2024-37269 | audit@patchstack.com |
suifengtec--WP Baidu Map |
The WP Baidu Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'baidu_map' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-30 | 6.4 | CVE-2024-9886 | security@wordfence.com security@wordfence.com security@wordfence.com |
sunshinephotocart -- sunshine_photo_cart |
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in WP Sunshine Sunshine Photo Cart.This issue affects Sunshine Photo Cart: from n/a through 3.2.9. | 2024-10-28 | 6.1 | CVE-2024-50463 | audit@patchstack.com |
Survey Maker team--Survey Maker |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Survey Maker team Survey Maker allows Stored XSS.This issue affects Survey Maker: from n/a through 5.0.2. | 2024-10-29 | 5.9 | CVE-2024-50426 | audit@patchstack.com |
Team Bright Vessel--Textboxes |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Team Bright Vessel Textboxes allows DOM-Based XSS.This issue affects Textboxes: from n/a through 0.1.3.1. | 2024-10-28 | 6.5 | CVE-2024-50469 | audit@patchstack.com |
Team Emilia Projects--Progress Planner |
Missing Authorization vulnerability in Team Emilia Projects Progress Planner allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Progress Planner: from n/a through 0.9.1. | 2024-11-01 | 5.3 | CVE-2024-37411 | audit@patchstack.com |
Templately--Templately |
Missing Authorization vulnerability in Templately allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Templately: from n/a through 3.1.2. | 2024-11-01 | 6.5 | CVE-2024-47308 | audit@patchstack.com |
Templately--Templately |
Missing Authorization vulnerability in Templately allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Templately: from n/a through 3.1.5. | 2024-10-29 | 6.5 | CVE-2024-50424 | audit@patchstack.com |
Templately--Templately |
Missing Authorization vulnerability in Templately allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Templately: from n/a through 3.1.5. | 2024-10-29 | 5.4 | CVE-2024-50423 | audit@patchstack.com |
The SEO Guys at SEOPress--SEOPress |
Missing Authorization vulnerability in The SEO Guys at SEOPress SEOPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEOPress: from n/a through 8.1.1. | 2024-10-29 | 5.3 | CVE-2024-50454 | audit@patchstack.com |
The SEO Guys at SEOPress--SEOPress |
Missing Authorization vulnerability in The SEO Guys at SEOPress SEOPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEOPress: from n/a through 8.1.1. | 2024-10-29 | 5.4 | CVE-2024-50456 | audit@patchstack.com |
The SEO Guys at SEOPress--SEOPress |
Missing Authorization vulnerability in The SEO Guys at SEOPress SEOPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEOPress: from n/a through 8.1.1. | 2024-10-29 | 4.3 | CVE-2024-50455 | audit@patchstack.com |
TheInnovs--EleForms |
Access Control vulnerability in TheInnovs EleForms allows . This issue affects EleForms: from n/a through 2.9.9.9. | 2024-11-01 | 5.3 | CVE-2024-38748 | audit@patchstack.com |
Theme4Press--Demo Awesome |
Missing Authorization vulnerability in Theme4Press Demo Awesome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Demo Awesome: from n/a through 1.0.2. | 2024-11-01 | 5.4 | CVE-2024-37207 | audit@patchstack.com |
themeisle--Multiple Page Generator Plugin MPG |
The Multiple Page Generator Plugin - MPG plugin for WordPress is vulnerable to unauthorized modification of and access to data due to a missing capability check on several functions in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke those functions intended for admin use resulting in subscribers being able to upload csv files and view the contents of MPG projects. | 2024-11-01 | 5.4 | CVE-2024-7424 | security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
themeisle--Otter Blocks Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE |
The Otter Blocks - Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2024-11-01 | 6.4 | CVE-2024-10367 | security@wordfence.com security@wordfence.com security@wordfence.com |
themes4wp -- youtube_external_subtitles |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themes4WP Themes4WP YouTube External Subtitles allows Stored XSS.This issue affects Themes4WP YouTube External Subtitles: from n/a through 1.0. | 2024-10-28 | 5.4 | CVE-2024-50470 | audit@patchstack.com |
Themeum--Tutor LMS |
Missing Authorization vulnerability in Themeum Tutor LMS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through 2.7.3. | 2024-11-01 | 4.3 | CVE-2024-43142 | audit@patchstack.com |
Themeum--WP Crowdfunding |
Missing Authorization vulnerability in Themeum WP Crowdfunding allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Crowdfunding: from n/a through 2.1.10. | 2024-11-01 | 6.4 | CVE-2024-43937 | audit@patchstack.com |
tidaweb -- tida_url_screenshot |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tidaweb Tida URL Screenshot allows Reflected XSS.This issue affects Tida URL Screenshot: from n/a through 1.0. | 2024-10-29 | 6.1 | CVE-2024-49641 | audit@patchstack.com |
Time Slot Booking--Time Slot |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Time Slot Booking Time Slot allows Stored XSS.This issue affects Time Slot: from n/a through 1.3.6. | 2024-10-29 | 6.5 | CVE-2024-50418 | audit@patchstack.com |
timstrifler--Exclusive Addons for Elementor |
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.4 via the render function in elements/tabs/tabs.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. | 2024-10-29 | 4.3 | CVE-2024-10312 | security@wordfence.com security@wordfence.com |
Tongda--OA 2017 |
A vulnerability has been found in Tongda OA 2017 up to 11.10 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /general/address/private/address/query/delete.php. The manipulation of the argument where_repeat leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-10-31 | 6.3 | CVE-2024-10601 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tongda--OA 2017 |
A vulnerability was found in Tongda OA 2017 up to 11.9 and classified as critical. Affected by this issue is some unknown functionality of the file /general/approve_center/list/input_form/data_picker_link.php. The manipulation of the argument dataSrc leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 6.3 | CVE-2024-10602 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tongda--OA 2017 |
A vulnerability was found in Tongda OA 2017 up to 11.10. It has been rated as critical. Affected by this issue is some unknown functionality of the file /general/approve_center/query/list/input_form/delete_data_attach.php. The manipulation of the argument RUN_ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 6.3 | CVE-2024-10615 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tongda--OA 2017 |
A vulnerability was found in Tongda OA 2017 up to 11.9. It has been declared as critical. This vulnerability affects unknown code of the file /pda/reportshop/new.php. The manipulation of the argument repid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 6.3 | CVE-2024-10655 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tongda--OA 2017 |
A vulnerability was found in Tongda OA 2017 up to 11.9. It has been rated as critical. This issue affects some unknown processing of the file /pda/meeting/apply.php. The manipulation of the argument mr_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 6.3 | CVE-2024-10656 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tongda--OA 2017 |
A vulnerability has been found in Tongda OA 2017 up to 11.10 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /module/word_model/view/index.php. The manipulation of the argument query_str leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-11-03 | 6.3 | CVE-2024-10732 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tongda--OA 2017 |
A vulnerability, which was classified as problematic, has been found in Tongda OA 2017 up to 11.7. This issue affects some unknown processing of the file /inc/package_static_resources.php. The manipulation leads to resource consumption. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-10-31 | 5.3 | CVE-2024-10599 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tongda--OA |
A vulnerability classified as critical has been found in Tongda OA up to 11.9. This affects an unknown part of the file /pda/workflow/webSignSubmit.php. The manipulation of the argument saleId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 6.3 | CVE-2024-10616 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tongda--OA |
A vulnerability classified as critical was found in Tongda OA up to 11.10. This vulnerability affects unknown code of the file /pda/workflow/check_seal.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 6.3 | CVE-2024-10617 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tongda--OA |
A vulnerability classified as critical has been found in Tongda OA up to 11.10. Affected is an unknown function of the file /pda/approve_center/prcs_info.php. The manipulation of the argument RUN_ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 6.3 | CVE-2024-10657 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tongda--OA |
A vulnerability classified as critical was found in Tongda OA up to 11.10. Affected by this vulnerability is an unknown functionality of the file /pda/approve_center/check_seal.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 6.3 | CVE-2024-10658 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tongda--OA |
A vulnerability, which was classified as critical, has been found in Tongda OA up to 11.6. This issue affects some unknown processing of the file /pda/appcenter/web_show.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-11-03 | 6.3 | CVE-2024-10730 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tongda--OA |
A vulnerability, which was classified as critical, was found in Tongda OA up to 11.10. Affected is an unknown function of the file /pda/appcenter/check_seal.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-11-03 | 6.3 | CVE-2024-10731 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Tongda--OA |
A vulnerability classified as critical was found in Tongda OA 11.2/11.3/11.4/11.5/11.6. This vulnerability affects unknown code of the file general/hr/setting/attendance/leave/data.php of the component Annual Leave Handler. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-10-31 | 5.3 | CVE-2024-10598 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
TOTOLINK--LR350 |
A vulnerability has been found in TOTOLINK LR350 up to 9.3.5u.6369 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /formLoginAuth.htm. The manipulation of the argument authCode with the input 1 leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-11-01 | 5.3 | CVE-2024-10654 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Truepush--Truepush |
Missing Authorization vulnerability in Truepush allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Truepush: from n/a through 1.0.8. | 2024-11-01 | 5.4 | CVE-2024-44021 | audit@patchstack.com |
twinpictures--T(-) Countdown |
The T(-) Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tminus' shortcode in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-30 | 6.4 | CVE-2024-9884 | security@wordfence.com security@wordfence.com security@wordfence.com |
Tyche Softwares--Arconix FAQ |
Missing Authorization vulnerability in Tyche Softwares Arconix FAQ allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Arconix FAQ: from n/a through 1.9.4. | 2024-11-01 | 5.3 | CVE-2024-38783 | audit@patchstack.com |
Tyche Softwares--Arconix Shortcodes |
Missing Authorization vulnerability in Tyche Softwares Arconix Shortcodes allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Arconix Shortcodes: from n/a through 2.1.11. | 2024-11-01 | 5.3 | CVE-2024-38769 | audit@patchstack.com |
Tyche Softwares--Product Delivery Date for WooCommerce Lite |
Missing Authorization vulnerability in Tyche Softwares Product Delivery Date for WooCommerce - Lite allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Product Delivery Date for WooCommerce - Lite: from n/a through 2.7.2. | 2024-11-01 | 5.3 | CVE-2024-38702 | audit@patchstack.com |
tychesoftwares -- arconix_shortcodes |
The Arconix Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'box' shortcode in all versions up to, and including, 2.1.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2024-10-29 | 5.4 | CVE-2024-10226 | security@wordfence.com security@wordfence.com security@wordfence.com |
UkrSolution--Print Barcode Labels for your WooCommerce products/orders |
Missing Authorization vulnerability in UkrSolution Print Barcode Labels for your WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Print Barcode Labels for your WooCommerce products/orders: from n/a through 3.4.9. | 2024-11-01 | 6.5 | CVE-2024-43310 | audit@patchstack.com |
Uncanny Owl--Uncanny Automator Pro |
Missing Authorization vulnerability in Uncanny Owl Uncanny Automator Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Automator Pro: from n/a through 5.3.0.0. | 2024-11-01 | 5.3 | CVE-2024-37119 | audit@patchstack.com |
Uncanny Owl--Uncanny Toolkit Pro for LearnDash |
Missing Authorization vulnerability in Uncanny Owl Uncanny Toolkit Pro for LearnDash allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Toolkit Pro for LearnDash: from n/a through 4.1.4.0 | 2024-11-01 | 5.4 | CVE-2024-37439 | audit@patchstack.com |
Unknown--Download Manager |
The Download Manager WordPress plugin before 3.3.00 doesn't sanitize some of it's shortcode parameters, leading to cross site scripting. | 2024-10-30 | 5.4 | CVE-2024-8444 | contact@wpscan.com |
Upqode--Plum: Spin Wheel & Email Pop-up |
Access Control vulnerability in Upqode Plum: Spin Wheel & Email Pop-up allows . This issue affects Plum: Spin Wheel & Email Pop-up: from n/a through 2.0. | 2024-11-01 | 5.3 | CVE-2024-38743 | audit@patchstack.com |
Veribo, Roland Murg--WP Booking System |
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Veribo, Roland Murg WP Booking System.This issue affects WP Booking System: from n/a through 2.0.19.10. | 2024-10-29 | 6.5 | CVE-2024-50425 | audit@patchstack.com |
VirusTran--Button contact VR |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in VirusTran Button contact VR allows Stored XSS.This issue affects Button contact VR: from n/a through 4.7.9.1. | 2024-10-29 | 5.9 | CVE-2024-50414 | audit@patchstack.com |
VowelWeb--Ibtana |
Missing Authorization vulnerability in VowelWeb Ibtana allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ibtana: from n/a through 1.2.3.3. | 2024-11-01 | 5.3 | CVE-2024-37123 | audit@patchstack.com |
webbricks -- web_bricks_addons |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Web Bricks Web Bricks Addons for Elementor allows Stored XSS.This issue affects Web Bricks Addons for Elementor: from n/a through 1.1.1. | 2024-10-29 | 5.4 | CVE-2024-49665 | audit@patchstack.com |
webgensis -- simple_load_more |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Webgensis Simple Load More allows Reflected XSS.This issue affects Simple Load More: from n/a through 1.0. | 2024-10-29 | 6.1 | CVE-2024-49662 | audit@patchstack.com |
WebsiteinWP--Blogpoet |
Missing Authorization vulnerability in WebsiteinWP Blogpoet allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Blogpoet: from n/a through 1.0.3. | 2024-11-01 | 6.5 | CVE-2024-43998 | audit@patchstack.com |
WebXApp--Scrollbar by webxapp Best vertical/horizontal scrollbars plugin |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WebXApp Scrollbar by webxapp - Best vertical/horizontal scrollbars plugin allows Stored XSS.This issue affects Scrollbar by webxapp - Best vertical/horizontal scrollbars plugin: from n/a through 1.3.0. | 2024-10-28 | 6.5 | CVE-2024-50467 | audit@patchstack.com |
wedevs -- recaptcha_integration |
The ReCaptcha Integration for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2024-11-02 | 6.1 | CVE-2024-8739 | security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
wedevs -- wp_erp |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in weDevs WP ERP allows Reflected XSS.This issue affects WP ERP: from n/a through 1.13.2. | 2024-10-29 | 6.1 | CVE-2024-47640 | audit@patchstack.com |
WordPress Page Builder Sandwich Team--Page Builder Sandwich Front-End Page Builder |
Missing Authorization vulnerability in WordPress Page Builder Sandwich Team Page Builder Sandwich - Front-End Page Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Page Builder Sandwich - Front-End Page Builder: from n/a through 5.1.0. | 2024-11-01 | 4.3 | CVE-2024-37218 | audit@patchstack.com |
wowDevs--Sky Addons for Elementor |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wowDevs Sky Addons for Elementor allows Stored XSS.This issue affects Sky Addons for Elementor: from n/a through 2.5.15. | 2024-10-28 | 6.5 | CVE-2024-50433 | audit@patchstack.com |
WP Codeus--Advanced Sermons |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Codeus Advanced Sermons allows Stored XSS.This issue affects Advanced Sermons: from n/a through 3.4. | 2024-10-28 | 6.5 | CVE-2024-50458 | audit@patchstack.com |
WP Overnight--WooCommerce PDF Invoices & Packing Slips |
Missing Authorization vulnerability in WP Overnight WooCommerce PDF Invoices & Packing Slips allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce PDF Invoices & Packing Slips: from n/a through 3.8.6. | 2024-10-29 | 5.3 | CVE-2024-50421 | audit@patchstack.com |
WP Quads--Ads by WPQuads Adsense Ads, Banner Ads, Popup Ads |
Missing Authorization vulnerability in WP Quads Ads by WPQuads - Adsense Ads, Banner Ads, Popup Ads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ads by WPQuads - Adsense Ads, Banner Ads, Popup Ads: from n/a through 2.0.84. | 2024-11-01 | 4.3 | CVE-2024-47317 | audit@patchstack.com |
WP Sunshine--Sunshine Photo Cart |
Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sunshine Photo Cart: from n/a through 3.2.9. | 2024-11-01 | 5.3 | CVE-2024-44038 | audit@patchstack.com |
WP Sunshine--Sunshine Photo Cart |
Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sunshine Photo Cart: from n/a through 3.2.1. | 2024-11-01 | 4.3 | CVE-2024-43136 | audit@patchstack.com |
WPBackItUp--Backup and Restore WordPress |
Access Control vulnerability in WPBackItUp Backup and Restore WordPress allows . This issue affects Backup and Restore WordPress: from n/a through 1.50. | 2024-11-01 | 5.4 | CVE-2024-43268 | audit@patchstack.com |
WPBackItUp--Backup and Restore WordPress |
Missing Authorization vulnerability in WPBackItUp Backup and Restore WordPress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Backup and Restore WordPress: from n/a through 1.50. | 2024-11-01 | 5.3 | CVE-2024-43270 | audit@patchstack.com |
WPBlockArt--Magazine Blocks |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPBlockArt Magazine Blocks allows Stored XSS.This issue affects Magazine Blocks: from n/a through 1.3.15. | 2024-10-28 | 6.5 | CVE-2024-50429 | audit@patchstack.com |
wpchill--Download Monitor |
The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_search_users function in all versions up to, and including, 5.0.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain usernames and emails of site users. | 2024-10-30 | 4.3 | CVE-2024-10399 | security@wordfence.com security@wordfence.com security@wordfence.com |
WPChill--Htaccess File Editor |
Incorrect Authorization vulnerability in WPChill Htaccess File Editor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Htaccess File Editor: from n/a through 1.0.18. | 2024-11-01 | 5.4 | CVE-2024-49256 | audit@patchstack.com |
WPChill--Strong Testimonials |
Missing Authorization vulnerability in WPChill Strong Testimonials allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Strong Testimonials: from n/a through 3.1.16. | 2024-11-01 | 4.3 | CVE-2024-47362 | audit@patchstack.com |
WPClever--WPC Frequently Bought Together for WooCommerce |
Missing Authorization vulnerability in WPClever WPC Frequently Bought Together for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPC Frequently Bought Together for WooCommerce: from n/a through 7.1.9. | 2024-11-01 | 5.4 | CVE-2024-43312 | audit@patchstack.com |
wpclever--WPC Smart Messages for WooCommerce |
The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to unauthorized Smar Message activation/deactivation due to a missing capability check on the ajax_enable function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate smart messages. | 2024-10-29 | 4.3 | CVE-2024-10437 | security@wordfence.com security@wordfence.com security@wordfence.com |
wpcloudtechnologies--Get Quote For Woocommerce Request A Quote For Woocommerce |
The Get Quote For Woocommerce - Request A Quote For Woocommerce plugin for WordPress is vulnerable to unauthorized access of Quote data due to a missing capability check on the ct_tepfw_wp_loaded function in all versions up to, and including, 1.0.0. This makes it possible for unauthenticated attackers to download Quote PDF and CSV documents. | 2024-10-31 | 5.3 | CVE-2024-9430 | security@wordfence.com security@wordfence.com |
wpdelower--Easy SVG Upload |
The Easy SVG Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2024-10-31 | 6.4 | CVE-2024-9708 | security@wordfence.com security@wordfence.com |
WPDeveloper--EmbedPress |
Missing Authorization vulnerability in WPDeveloper EmbedPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EmbedPress: from n/a through 4.0.4. | 2024-11-01 | 6.3 | CVE-2024-38707 | audit@patchstack.com |
WPDeveloper--EmbedPress |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPDeveloper EmbedPress allows Stored XSS.This issue affects EmbedPress: from n/a through 4.0.14. | 2024-10-28 | 6.5 | CVE-2024-50461 | audit@patchstack.com |
WPEngine Inc.--Advanced Custom Fields PRO |
Missing Authorization vulnerability in WPEngine Inc. Advanced Custom Fields PRO allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Custom Fields PRO: from n/a through 6.3.1. | 2024-11-01 | 5.4 | CVE-2024-37250 | audit@patchstack.com |
WPEngine Inc.--Advanced Custom Fields PRO |
Missing Authorization vulnerability in WPEngine Inc. Advanced Custom Fields PRO allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Custom Fields PRO: from n/a through 6.3.1. | 2024-11-01 | 4.3 | CVE-2024-37249 | audit@patchstack.com |
WPKoi--WPKoi Templates for Elementor |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPKoi WPKoi Templates for Elementor allows Stored XSS.This issue affects WPKoi Templates for Elementor: from n/a through 3.1.0. | 2024-10-29 | 5.9 | CVE-2024-49679 | audit@patchstack.com |
WPManageNinja LLC--Fluent Support |
Missing Authorization vulnerability in WPManageNinja LLC Fluent Support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fluent Support: from n/a through 1.8.0. | 2024-11-01 | 5.3 | CVE-2024-47302 | audit@patchstack.com |
Wpmet--Elements kit Elementor addons |
Missing Authorization vulnerability in Wpmet Elements kit Elementor addons allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Elements kit Elementor addons: from n/a through 3.1.4. | 2024-11-01 | 5.3 | CVE-2024-37255 | audit@patchstack.com |
WPMobile.App--WPMobile.App |
Cross-Site Request Forgery (CSRF) vulnerability in WPMobile.App allows Stored XSS.This issue affects WPMobile.App: from n/a through 11.48. | 2024-10-31 | 4.3 | CVE-2024-43933 | audit@patchstack.com |
WPMU DEV--Defender Security |
Missing Authorization vulnerability in WPMU DEV Defender Security allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Defender Security: from n/a through 4.7.1. | 2024-11-01 | 5.3 | CVE-2024-37444 | audit@patchstack.com |
WPMU DEV--Hummingbird |
Missing Authorization vulnerability in WPMU DEV Hummingbird allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hummingbird: from n/a through 3.9.1. | 2024-11-01 | 4.3 | CVE-2024-43118 | audit@patchstack.com |
wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder |
The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the 'entry_id' user controlled key. This makes it possible for unauthenticated attackers to modify other user's quiz submissions. | 2024-10-31 | 5.3 | CVE-2024-9700 | security@wordfence.com security@wordfence.com security@wordfence.com |
Wpsoul--Greenshift animation and page builder blocks |
Incorrect Authorization vulnerability in Wpsoul Greenshift - animation and page builder blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Greenshift - animation and page builder blocks: from n/a through 9.7. | 2024-10-30 | 5.4 | CVE-2024-50419 | audit@patchstack.com |
WPVibes--Elementor Addon Elements |
Missing Authorization vulnerability in WPVibes Elementor Addon Elements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Addon Elements: from n/a through 1.13.6. | 2024-11-01 | 6.5 | CVE-2024-47361 | audit@patchstack.com |
WPZOOM--Recipe Card Blocks for Gutenberg & Elementor |
Missing Authorization vulnerability in WPZOOM Recipe Card Blocks for Gutenberg & Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Recipe Card Blocks for Gutenberg & Elementor: from n/a through 3.3.1. | 2024-11-01 | 4.3 | CVE-2024-43293 | audit@patchstack.com |
xootix--Waitlist Woocommerce ( Back in stock notifier ) |
Missing Authorization vulnerability in xootix Waitlist Woocommerce ( Back in stock notifier ) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Waitlist Woocommerce ( Back in stock notifier ): from n/a through 2.6. | 2024-11-01 | 4.3 | CVE-2024-43134 | audit@patchstack.com |
XSERVER Inc.--TypeSquare Webfonts |
Missing Authorization vulnerability in XSERVER Inc. TypeSquare Webfonts allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects TypeSquare Webfonts: from n/a through 2.0.7. | 2024-11-01 | 5.3 | CVE-2024-43120 | audit@patchstack.com |
YARPP--YARPP |
Access Control vulnerability in YARPP YARPP allows . This issue affects YARPP: from n/a through 5.30.10. | 2024-11-01 | 5.3 | CVE-2024-43919 | audit@patchstack.com |
Zaytech--Smart Online Order for Clover |
Missing Authorization vulnerability in Zaytech Smart Online Order for Clover allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Smart Online Order for Clover: from n/a through 1.5.6. | 2024-11-01 | 5.3 | CVE-2024-43253 | audit@patchstack.com |
Zaytech--Smart Online Order for Clover |
Missing Authorization vulnerability in Zaytech Smart Online Order for Clover allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart Online Order for Clover: from n/a through 1.5.6. | 2024-11-01 | 4.3 | CVE-2024-43254 | audit@patchstack.com |
ZTE--MF258 Pro |
There is a command injection vulnerability in ZTE MF258 Pro product. Due to insufficient validation of Ping Diagnosis interface parameter, an authenticated attacker could use the vulnerability to execute arbitrary commands. | 2024-10-29 | 6.8 | CVE-2024-22065 | psirt@zte.com.cn |
Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
---|---|---|---|---|---|
apple -- ipados |
This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18 and iPadOS 18. An attacker may be able to use Siri to enable Auto-Answer Calls. | 2024-10-28 | 3.3 | CVE-2024-40853 | product-security@apple.com |
apple -- ipados |
This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18.1 and iPadOS 18.1. An attacker with physical access may be able to access contact photos from the lock screen. | 2024-10-28 | 2.4 | CVE-2024-40851 | product-security@apple.com |
apple -- ipados |
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15, iOS 18 and iPadOS 18. A malicious app with root privileges may be able to access keyboard input and location information without user consent. | 2024-10-28 | 2.3 | CVE-2024-44123 | product-security@apple.com product-security@apple.com |
apple -- ipados |
This issue was addressed through improved state management. This issue is fixed in iOS 18.1 and iPadOS 18.1. An attacker may be able to view restricted content from the lock screen. | 2024-10-28 | 2.4 | CVE-2024-44251 | product-security@apple.com |
apple -- macos |
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15. An app may be able to read sensitive location information. | 2024-10-28 | 3.3 | CVE-2024-27849 | product-security@apple.com |
apple -- macos |
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. A malicious app may be able to change network settings. | 2024-10-28 | 3.3 | CVE-2024-40792 | product-security@apple.com |
apple -- macos |
This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to read sensitive location information. | 2024-10-28 | 3.3 | CVE-2024-44222 | product-security@apple.com product-security@apple.com |
apple -- macos |
The issue was addressed by restricting options offered on a locked device. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An attacker with physical access can input Game Controller events to apps running on a locked device. | 2024-10-28 | 2.4 | CVE-2024-44265 | product-security@apple.com product-security@apple.com |
Apple--macOS |
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious application may be able to modify protected parts of the file system. | 2024-10-28 | 3.3 | CVE-2024-44275 | product-security@apple.com product-security@apple.com |
Apple--macOS |
The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious app may be able to cause a denial-of-service. | 2024-10-28 | 2.7 | CVE-2024-44197 | product-security@apple.com product-security@apple.com |
Arm Ltd--Arm Compiler for Embedded |
When using Arm Cortex-M Security Extensions (CMSE), Secure stack contents can be leaked to Non-secure state via floating-point registers when a Secure to Non-secure function call is made that returns a floating-point value and when this is the first use of floating-point since entering Secure state. This allows an attacker to read a limited quantity of Secure stack contents with an impact on confidentiality. This issue is specific to code generated using LLVM-based compilers. | 2024-10-31 | 3.7 | CVE-2024-7883 | arm-security@arm.com |
DuendeSoftware--IdentityServer |
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication. This vulnerability is patched in IdentityServer 7.0.8. Version 6.3 and below are unaffected, as they do not support DPoP in Local APIs. | 2024-10-28 | 3.1 | CVE-2024-49755 | security-advisories@github.com security-advisories@github.com |
Genians--Genian NAC V5.0 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Genians Genian NAC V5.0, Genians Genian NAC LTS V5.0.This issue affects Genian NAC V5.0: from V5.0.0 through V5.0.60; Genian NAC LTS V5.0: from 5.0.0 LTS through 5.0.55 LTS(Revision 125558), from 5.0.0 LTS through 5.0.56 LTS(Revision 125560). | 2024-10-28 | 2.2 | CVE-2024-23843 | vuln@krcert.or.kr |
Grafana--Grafana |
Organization admins can delete pending invites created in an organization they are not part of. | 2024-10-29 | 2.2 | CVE-2024-10452 | security@grafana.com |
HashiCorp--Vagrant |
The Vagrant VMWare Utility Windows installer targeted a custom location with a non-protected path that could be modified by an unprivileged user, introducing potential for unauthorized file system writes. This vulnerability, CVE-2024-10228, was fixed in Vagrant VMWare Utility 1.0.23 | 2024-10-29 | 3.8 | CVE-2024-10228 | security@hashicorp.com |
HCL Software--Connections |
HCL Connections is vulnerable to an information disclosure vulnerability, due to an IBM WebSphere Application Server error, which could allow a user to obtain sensitive information they are not entitled to due to the improper handling of request data. | 2024-10-28 | 3.5 | CVE-2024-30106 | psirt@hcl.com |
Klokan--MapTiler tileserver-gl |
A vulnerability was found in Klokan MapTiler tileserver-gl 2.3.1 and classified as problematic. This issue affects some unknown processing of the component URL Handler. The manipulation of the argument key leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2024-10-30 | 3.5 | CVE-2024-10503 | cna@vuldb.com cna@vuldb.com cna@vuldb.com |
LevelOne--WBR-6012 |
A denial of service vulnerability exists in the Web Application functionality of LevelOne WBR-6012 R0.40e6. A specially crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability. | 2024-10-30 | 3.7 | CVE-2024-33623 | talos-cna@cisco.com |
LinZhaoguan--pb-cms |
A vulnerability classified as problematic was found in LinZhaoguan pb-cms up to 2.0.1. This vulnerability affects unknown code of the file /admin#permissions of the component Permission Management Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-10-29 | 2.4 | CVE-2024-10477 | cna@vuldb.com cna@vuldb.com cna@vuldb.com |
LinZhaoguan--pb-cms |
A vulnerability, which was classified as problematic, has been found in LinZhaoguan pb-cms up to 2.0.1. This issue affects some unknown processing of the file /admin#article/edit?id=2 of the component Edit Article Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-10-29 | 2.4 | CVE-2024-10478 | cna@vuldb.com cna@vuldb.com cna@vuldb.com |
LinZhaoguan--pb-cms |
A vulnerability, which was classified as problematic, was found in LinZhaoguan pb-cms up to 2.0.1. Affected is an unknown function of the file /admin#themes of the component Theme Management Module. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-10-29 | 2.4 | CVE-2024-10479 | cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Mattermost--Mattermost |
Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings. | 2024-10-28 | 3.5 | CVE-2024-10214 | responsibledisclosure@mattermost.com |
mongodb -- mongo_crypt_v1.so |
A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryptd binary (v5.0 versions prior to 5.0.29, v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions. | 2024-10-28 | 3.3 | CVE-2024-8013 | cna@mongodb.com |
PHPGurukul--Car Rental Portal |
A vulnerability was found in PHPGurukul Car Rental Portal 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /search.php. The manipulation of the argument searchdata leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-11-02 | 3.5 | CVE-2024-10701 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
PHPGurukul--Online Shopping Portal |
A vulnerability was found in PHPGurukul Online Shopping Portal 2.0. It has been classified as problematic. Affected is an unknown function of the file /shopping/admin/assets/plugins/DataTables/examples/examples_support/editable_ajax.php. The manipulation of the argument value leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-11-03 | 3.5 | CVE-2024-10743 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
PHPGurukul--Online Shopping Portal |
A vulnerability was found in PHPGurukul Online Shopping Portal 2.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/assets/plugins/DataTables/media/unit_testing/templates/complex_header_2.php. The manipulation of the argument scripts leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-11-03 | 3.5 | CVE-2024-10744 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
PHPGurukul--Online Shopping Portal |
A vulnerability was found in PHPGurukul Online Shopping Portal 2.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/assets/plugins/DataTables/media/unit_testing/templates/deferred_table.php. The manipulation of the argument scripts leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-11-03 | 3.5 | CVE-2024-10745 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
---|---|---|---|---|---|
CERT/CC--VINCE |
VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users. | 2024-10-28 | not yet calculated | CVE-2024-10469 | cret@cert.org |
dgtlmoon--changedetection.io |
changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source:file:///etc/passwd` can be used to retrieve local system files, where the more traditional `file:///etc/passwd` gets blocked. Version 0.47.5 fixes the issue. | 2024-11-01 | not yet calculated | CVE-2024-51483 | security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com |
Erudika--scoold |
Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT requests on the /api;/config endpoint while setting the Content-Type: application/hocon header allow unauthenticated attackers to file reading via HOCON file inclusion. This allows attackers to retrieve sensitive information such as configuration files from the server, which can be leveraged for further exploitation. The vulnerability has been fixed in Scoold 1.64.0. A workaround would be to disable the Scoold API with scoold.api_enabled = false. | 2024-10-29 | not yet calculated | CVE-2024-50334 | security-advisories@github.com |
frappe--press |
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). The password could be reset by anyone who have access to the mail inbox circumventing the 2FA. Even though they wouldn't be able to login by bypassing the 2FA. Only users who have enabled 2FA are affected. Commit ba0007c28ac814260f836849bc07d29beea7deb6 patches this bug. | 2024-10-31 | not yet calculated | CVE-2024-50356 | security-advisories@github.com security-advisories@github.com |
gaizhenbiao--gaizhenbiao/chuanhuchatgpt |
A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240628 allows for a Denial of Service (DOS) attack. When uploading a file, if an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering ChuanhuChatGPT inaccessible. This uncontrolled resource consumption can lead to prolonged unavailability of the service, disrupting operations and causing potential data inaccessibility and loss of productivity. | 2024-10-29 | not yet calculated | CVE-2024-7807 | security@huntr.dev security@huntr.dev |
kyverno--kyverno |
Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace. Administrators may not recognize that this allows users with privileges to non-kyverno namespaces to create exceptions. This vulnerability is fixed in 1.13.0. | 2024-10-29 | not yet calculated | CVE-2024-48921 | security-advisories@github.com |
laravel--reverb |
Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. Prior to 1.4.0, there is an issue where verification signatures for requests sent to Reverb's Pusher-compatible API were not being verified. This API is used in scenarios such as broadcasting a message from a backend service or for obtaining statistical information (such as number of connections) about a given channel. This issue only affects the Pusher-compatible API endpoints and not the WebSocket connections themselves. In order to exploit this vulnerability, the application ID which, should never be exposed, would need to be known by an attacker. This vulnerability is fixed in 1.4.0. | 2024-10-31 | not yet calculated | CVE-2024-50347 | security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com |
lunary-ai--lunary-ai/lunary |
A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without server-side validation or sanitization, enabling an attacker to execute arbitrary SQL commands. Successful exploitation can lead to complete data loss, modification, or corruption. | 2024-11-01 | not yet calculated | CVE-2024-7456 | security@huntr.dev security@huntr.dev |
mudler--mudler/localai |
mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. When model configurations specify additional files as archives (e.g., .tar), these archives are automatically extracted after downloading. This behavior can be exploited to perform a 'tarslip' attack, allowing files to be written to arbitrary locations on the server, bypassing checks that normally restrict files to the models directory. This vulnerability can lead to remote code execution (RCE) by overwriting backend assets used by the server. | 2024-10-29 | not yet calculated | CVE-2024-6868 | security@huntr.dev security@huntr.dev |
mudler--mudler/localai |
mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server's response time, potentially leading to unauthorized access. | 2024-10-29 | not yet calculated | CVE-2024-7010 | security@huntr.dev security@huntr.dev |
n/a--n/a |
http.zig commit 76cf5 was discovered to contain a CRLF injection vulnerability via the url parameter. | 2024-10-30 | not yet calculated | CVE-2023-52066 | cve@mitre.org |
n/a--n/a |
TP Link MR200 V4 Firmware version 210201 was discovered to contain a null-pointer-dereference in the web administration panel on /cgi/login via the sign, Action or LoginStatus query parameters which could lead to a denial of service by a local or remote unauthenticated attacker. | 2024-11-01 | not yet calculated | CVE-2024-22733 | cve@mitre.org |
n/a--n/a |
Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the new_ticket.php component. | 2024-11-01 | not yet calculated | CVE-2024-27524 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the home.php component. | 2024-11-01 | not yet calculated | CVE-2024-27525 | cve@mitre.org cve@mitre.org |
n/a--n/a |
IBOS v4.5.5 has an arbitrary file deletion vulnerability via \system\modules\dashboard\controllers\LoginController.php. | 2024-11-01 | not yet calculated | CVE-2024-28265 | cve@mitre.org cve@mitre.org |
n/a--n/a |
An issue in Sourcebans++ before v.1.8.0 allows a remote attacker to obtain sensitive information via a crafted XAJAX call to the Forgot Password function. | 2024-11-01 | not yet calculated | CVE-2024-40490 | cve@mitre.org |
n/a--n/a |
In Jitsi Meet before 2.0.9779, the functionality to share a video file was implemented in an insecure way, resulting in clients loading videos from an arbitrary URL if a message from another participant contains a URL encoded in the expected format. | 2024-10-29 | not yet calculated | CVE-2024-44081 | cve@mitre.org cve@mitre.org |
n/a--n/a |
An Insecure Direct Object Reference (IDOR) in the dashboard of SiSMART v7.4.0 allows attackers to execute a horizontal-privilege escalation. | 2024-11-01 | not yet calculated | CVE-2024-48217 | cve@mitre.org |
n/a--n/a |
An issue in the component /logins of oasys v1.1 allows attackers to access sensitive information via a burst attack. | 2024-11-01 | not yet calculated | CVE-2024-48270 | cve@mitre.org cve@mitre.org |
n/a--n/a |
An issue in the Bluetooth Low Energy implementation of Cypress Bluetooth SDK v3.66 allows attackers to cause a Denial of Service (DoS) via supplying a crafted LL_PAUSE_ENC_REQ packet. | 2024-11-01 | not yet calculated | CVE-2024-48289 | cve@mitre.org |
n/a--n/a |
Yealink Meeting Server before V26.0.0.67 is vulnerable to sensitive data exposure in the server response via sending HTTP request with enterprise ID. | 2024-11-01 | not yet calculated | CVE-2024-48352 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Yealink Meeting Server before V26.0.0.67 allows attackers to obtain static key information from a front-end JS file and decrypt the plaintext passwords based on the obtained key information. | 2024-11-01 | not yet calculated | CVE-2024-48353 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Cross Site Scripting vulnerability in Camtrace v.9.16.2.1 allows a remote attacker to execute arbitrary code via the login.php. | 2024-11-01 | not yet calculated | CVE-2024-48410 | cve@mitre.org |
n/a--n/a |
A User enumeration vulnerability in AquilaCMS 1.409.20 and prior allows unauthenticated attackers to obtain email addresses via the "Add a user" feature. The vulnerability occurs due to insufficiently validated user input being processed as a regular expression, which is then matched against email addresses to find duplicate entries. | 2024-10-29 | not yet calculated | CVE-2024-48572 | cve@mitre.org |
n/a--n/a |
SQL injection vulnerability in /SASStudio/sasexec/sessions/{sessionID}/sql in SAS Studio 9.4 allows remote attacker to execute arbitrary SQL commands via the POST body request. NOTE: this is disputed by the vendor because SQL statement execution is allowed for authorized users. | 2024-10-30 | not yet calculated | CVE-2024-48733 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Unrestricted file upload in /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} in SAS Studio 9.4 allows remote attacker to upload malicious files. NOTE: this is disputed by the vendor because file upload is allowed for authorized users. | 2024-10-30 | not yet calculated | CVE-2024-48734 | cve@mitre.org cve@mitre.org |
n/a--n/a |
A SQL Injection vulnerability was discovered in AbanteCart 1.4.0 in the update() function in public_html/admin/controller/responses/listing_grid/collections.php. The vulnerability is exploitable via the id parameter. | 2024-10-31 | not yet calculated | CVE-2024-50801 | cve@mitre.org cve@mitre.org |
n/a--n/a |
A SQL Injection vulnerability was discovered in AbanteCart 1.4.0 in the update() function in public_html/admin/controller/responses/listing_grid/email_templates.php. The vulnerability is exploitable via the id parameter. | 2024-10-31 | not yet calculated | CVE-2024-50802 | cve@mitre.org cve@mitre.org |
n/a--n/a |
In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doIPSec function. | 2024-11-01 | not yet calculated | CVE-2024-51244 | cve@mitre.org |
n/a--n/a |
In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the rename_table function. | 2024-11-01 | not yet calculated | CVE-2024-51245 | cve@mitre.org |
n/a--n/a |
In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doPPPo function. | 2024-11-01 | not yet calculated | CVE-2024-51247 | cve@mitre.org |
n/a--n/a |
In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the modifyrow function. | 2024-11-01 | not yet calculated | CVE-2024-51248 | cve@mitre.org |
n/a--n/a |
In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the restore function. | 2024-11-01 | not yet calculated | CVE-2024-51252 | cve@mitre.org |
n/a--n/a |
An issue in Ladybird Web Solution Faveo Helpdesk & Servicedesk (On-Premise and Cloud) 9.2.0 allows a remote attacker to execute arbitrary code via the Subject and Identifier fields | 2024-11-01 | not yet calculated | CVE-2024-51377 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Altai Technologies Ltd Altai X500 Indoor 22 802.11ac Wave 2 AP web Management Weak password leakage in the background may lead to unauthorized access, data theft, and network attacks, seriously threatening network security. | 2024-11-01 | not yet calculated | CVE-2024-51398 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Altai Technologies Ltd Altai IX500 Indoor 22 802.11ac Wave 2 AP After login, there are file reads in the background, and attackers can obtain sensitive information such as user credentials, system configuration, and database connection strings, which can lead to data breaches and identity theft. | 2024-11-01 | not yet calculated | CVE-2024-51399 | cve@mitre.org |
n/a--n/a |
Floodlight SDN Open Flow Controller v.1.2 has an issue that allows local hosts to build fake LLDP packets that allow specific clusters to be missed by Floodlight, which in turn leads to missed hosts inside and outside the cluster. | 2024-11-01 | not yet calculated | CVE-2024-51406 | cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
Floodlight SDN OpenFlow Controller v.1.2 has an issue that allows local hosts to construct false broadcast ports causing inter-host communication anomalies. | 2024-11-01 | not yet calculated | CVE-2024-51407 | cve@mitre.org cve@mitre.org cve@mitre.org |
n/a--n/a |
LB-LINK BL-WR 1300H v.1.0.4 contains hardcoded credentials stored in /etc/shadow which are easily guessable. | 2024-11-01 | not yet calculated | CVE-2024-51431 | cve@mitre.org cve@mitre.org |
n/a--n/a |
Cross Site Scripting vulnerability in FiberHome HG6544C RP2743 allows an attacker to execute arbitrary code via the SSID field in the WIFI Clients List not being sanitized | 2024-11-01 | not yet calculated | CVE-2024-51432 | cve@mitre.org cve@mitre.org |
NixOS--nix |
Nix is a package manager for Linux and other Unix systems. On macOS, built-in builders (such as `builtin:fetchurl`, exposed to users with `import <nix/fetchurl.nix>`) were not executed in the macOS sandbox. Thus, these builders (which are running under the `nixbld*` users) had read access to world-readable paths and write access to world-writable paths outside of the sandbox. This issue is fixed in 2.18.9, 2.19.7, 2.20.9, 2.21.5, 2.22.4, 2.23.4, and 2.24.10. Note that sandboxing is not enabled by default on macOS. The Nix sandbox is not primarily intended as a security mechanism, but as an aid to improve reproducibility and purity of Nix builds. However, sandboxing *can* mitigate the impact of other security issues by limiting what parts of the host system a build has access to. | 2024-10-31 | not yet calculated | CVE-2024-51481 | security-advisories@github.com security-advisories@github.com |
oakserver--oak |
`oak` is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default `oak` does not allow transferring of hidden files with `Context.send` API. However, prior to version 17.1.3, this can be bypassed by encoding `/` as its URL encoded form `%2F`. For an attacker this has potential to read sensitive user data or to gain access to server secrets. Version 17.1.3 fixes the issue. | 2024-11-01 | not yet calculated | CVE-2024-49770 | security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com |
OMRON Corporation--SYSMAC-SE2[][][] |
Sysmac Studio provided by OMRON Corporation contains an incorrect authorization vulnerability. If this vulnerability is exploited, an attacker may access the program which is protected by Data Protection function. | 2024-11-01 | not yet calculated | CVE-2024-49501 | vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp |
OpenText--Operations Agent |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenTextâ„¢ Operations Agent. The XSS vulnerability could allow an attacker with local admin permissions to manipulate the content of the internal status page of the Agent on the local system. This issue affects Operations Agent: 12.20, 12.21, 12.22, 12.23, 12.24, 12.25, 12.26. | 2024-10-28 | not yet calculated | CVE-2024-5532 | security@opentext.com |
Ping Identity--PingAM |
An Open-Redirect vulnerability exists in PingAM where well-crafted requests may cause improper validation of redirect URLs. This could allow an attacker to redirect end-users to malicious sites under their control, simplifying phishing attacks | 2024-10-29 | not yet calculated | CVE-2024-25566 | responsible-disclosure@pingidentity.com responsible-disclosure@pingidentity.com |
Ricoh Company, Ltd.--Multiple laser printers and MFPs which implement Web Image Monitor |
Stack-based buffer overflow vulnerability exists in multiple Ricoh laser printers and MFPs which implement Web Image Monitor. If this vulnerability is exploited, receiving a specially crafted request created and sent by an attacker may lead to arbitrary code execution and/or a denial-of-service (DoS) condition. As for the details of affected product names and versions, refer to the information provided by the vendor under [References]. | 2024-11-01 | not yet calculated | CVE-2024-47939 | vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp |
ruby--rexml |
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability. | 2024-10-28 | not yet calculated | CVE-2024-49761 | security-advisories@github.com security-advisories@github.com security-advisories@github.com |
Vulnerability Summary for the Week of October 21, 2024
Posted on Monday October 28, 2024
Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
---|---|---|---|---|---|
Admin--Verbalize WP |
Unrestricted Upload of File with Dangerous Type vulnerability in Admin Verbalize WP Upload a Web Shell to a Web Server.This issue affects Verbalize WP: from n/a through 1.0. | 2024-10-23 | 10 | CVE-2024-49668 | audit@patchstack.com |
advancedcoding--Comments wpDiscuz |
The Comments - wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token. | 2024-10-25 | 9.8 | CVE-2024-9488 | security@wordfence.com security@wordfence.com security@wordfence.com |
Alexander De Ridder--INK Official |
Unrestricted Upload of File with Dangerous Type vulnerability in Alexander De Ridder INK Official allows Upload a Web Shell to a Web Server.This issue affects INK Official: from n/a through 4.1.2. | 2024-10-23 | 9.9 | CVE-2024-49669 | audit@patchstack.com |
Amazon--Amazon.ApplicationLoadBalancer.Identity.AspNetCore Middleware |
The Amazon.ApplicationLoadBalancer.Identity.AspNetCore repo https://github.com/awslabs/aws-alb-identity-aspnetcore#validatetokensignature contains Middleware that can be used in conjunction with the Application Load Balancer (ALB) OpenId Connect integration and can be used in any ASP.NET https://dotnet.microsoft.com/apps/aspnet Core deployment scenario, including Fargate, EKS, ECS, EC2, and Lambda. In the JWT handling code, it performs signature validation but fails to validate the JWT issuer and signer identity. The signer omission, if combined with a scenario where the infrastructure owner allows internet traffic to the ALB targets (not a recommended configuration), can allow for JWT signing by an untrusted entity and an actor may be able to mimic valid OIDC-federated sessions to the ALB targets. The repository/package has been deprecated, is end of life, and is no longer supported. As a security best practice, ensure that your ELB targets (e.g. EC2 Instances, Fargate Tasks etc.) do not have public IP addresses. Ensure any forked or derivative code validate that the signer attribute in the JWT match the ARN of the Application Load Balancer that the service is configured to use. | 2024-10-22 | 7.5 | CVE-2024-10125 | ff89ba41-3aa1-4d27-914a-91399e9639e5 ff89ba41-3aa1-4d27-914a-91399e9639e5 |
Amazon--AWS ALB Route Directive Adapter For Istio |
The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master provides an OIDC authentication mechanism that was integrated into the open source Kubeflow project. The adapter uses JWT for authentication, but lacks proper signer and issuer validation. In deployments of ALB that ignore security best practices, where ALB targets are directly exposed to internet traffic, an actor can provide a JWT signed by an untrusted entity in order to spoof OIDC-federated sessions and successfully bypass authentication. The repository/package has been deprecated, is end of life, and is no longer supported. As a security best practice, ensure that your ELB targets (e.g. EC2 Instances, Fargate Tasks etc.) do not have public IP addresses. Ensure any forked or derivative code validate that the signer attribute in the JWT match the ARN of the Application Load Balancer that the service is configured to use. | 2024-10-22 | 7.5 | CVE-2024-8901 | ff89ba41-3aa1-4d27-914a-91399e9639e5 ff89ba41-3aa1-4d27-914a-91399e9639e5 |
appcheap--App Builder Create Native Android & iOS Apps On The Flight |
The App Builder - Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.3.7. This is due to the verify_otp_forgot_password() and update_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users passwords, including an administrator. | 2024-10-25 | 8.1 | CVE-2024-9302 | security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
baserproject--basercms |
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in the Edit Email Form Settings Feature. Version 5.1.2 fixes the issue. | 2024-10-24 | 7.1 | CVE-2024-46998 | security-advisories@github.com security-advisories@github.com |
buddypress--BuddyPress |
The BuddyPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 14.1.0 via the id parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory and enables file uploads to directories outside of the web root. Depending on server configuration it may be possible to upload files with double extensions. This vulnerability only affects Windows. | 2024-10-25 | 8.1 | CVE-2024-10011 | security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com |
Cisco--Cisco Adaptive Security Appliance (ASA) Software |
A vulnerability in the SSH subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to execute operating system commands as root. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by submitting crafted input when executing remote CLI commands over SSH. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges. An attacker with limited user privileges could use this vulnerability to gain complete control over the system. | 2024-10-23 | 9.9 | CVE-2024-20329 | ykramarz@cisco.com ykramarz@cisco.com ykramarz@cisco.com |
Cisco--Cisco Adaptive Security Appliance (ASA) Software |
A vulnerability in the VPN and management web servers of the Cisco Adaptive Security Virtual Appliance (ASAv) and Cisco Secure Firewall Threat Defense Virtual (FTDv), formerly Cisco Firepower Threat Defense Virtual, platforms could allow an unauthenticated, remote attacker to cause the virtual devices to run out of system memory, which could cause SSL VPN connection processing to slow down and eventually cease all together. This vulnerability is due to a lack of proper memory management for new incoming SSL/TLS connections on the virtual platforms. An attacker could exploit this vulnerability by sending a large number of new incoming SSL/TLS connections to the targeted virtual platform. A successful exploit could allow the attacker to deplete system memory, resulting in a denial of service (DoS) condition. The memory could be reclaimed slowly if the attack traffic is stopped, but a manual reload may be required to restore operations quickly. | 2024-10-23 | 8.6 | CVE-2024-20260 | ykramarz@cisco.com |
Cisco--Cisco Adaptive Security Appliance (ASA) Software |
A vulnerability in the SSL VPN feature for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to a logic error in memory management when the device is handling SSL VPN connections. An attacker could exploit this vulnerability by sending crafted SSL/TLS packets to the SSL VPN server of the affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. | 2024-10-23 | 8.6 | CVE-2024-20402 | ykramarz@cisco.com |
Cisco--Cisco Adaptive Security Appliance (ASA) Software |
A vulnerability in the Internet Key Exchange version 2 (IKEv2) protocol for VPN termination of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted IKEv2 traffic to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. | 2024-10-23 | 8.6 | CVE-2024-20426 | ykramarz@cisco.com |
Cisco--Cisco Adaptive Security Appliance (ASA) Software |
A vulnerability in the TLS cryptography functionality of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper data validation during the TLS 1.3 handshake. An attacker could exploit this vulnerability by sending a crafted TLS 1.3 packet to an affected system through a TLS 1.3-enabled listening socket. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. Note: This vulnerability can also impact the integrity of a device by causing VPN HostScan communication failures or file transfer failures when Cisco ASA Software is upgraded using Cisco Adaptive Security Device Manager (ASDM). | 2024-10-23 | 8.6 | CVE-2024-20494 | ykramarz@cisco.com |
Cisco--Cisco Adaptive Security Appliance (ASA) Software |
A vulnerability in the Remote Access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition on an affected device. This vulnerability is due to improper validation of client key data after the TLS session is established. An attacker could exploit this vulnerability by sending a crafted key value to an affected system over the secure TLS session. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. | 2024-10-23 | 8.6 | CVE-2024-20495 | ykramarz@cisco.com |
Cisco--Cisco Adaptive Security Appliance (ASA) Software |
A vulnerability in the Simple Network Management Protocol (SNMP) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause an unexpected reload of the device. This vulnerability is due to insufficient input validation of SNMP packets. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device using IPv4 or IPv6. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. This vulnerability affects all versions of SNMP (versions 1, 2c, and 3) and requires a valid SNMP community string or valid SNMPv3 user credentials. | 2024-10-23 | 7.7 | CVE-2024-20268 | ykramarz@cisco.com ykramarz@cisco.com ykramarz@cisco.com |
Cisco--Cisco Adaptive Security Appliance (ASA) Software |
A vulnerability in the Dynamic Access Policies (DAP) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause an affected device to reload unexpectedly. To exploit this vulnerability, an attacker would need valid remote access VPN user credentials on the affected device. This vulnerability is due to improper validation of data in HTTPS POST requests. An attacker could exploit this vulnerability by sending a crafted HTTPS POST request to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. | 2024-10-23 | 7.7 | CVE-2024-20408 | ykramarz@cisco.com |
Cisco--Cisco Firepower Management Center |
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system as root. This vulnerability is due to insufficient input validation of certain HTTP requests. An attacker could exploit this vulnerability by authenticating to the web-based management interface of an affected device and then sending a crafted HTTP request to the device. A successful exploit could allow the attacker to execute arbitrary commands with root permissions on the underlying operating system of the Cisco FMC device or to execute commands on managed Cisco Firepower Threat Defense (FTD) devices. To exploit this vulnerability, the attacker would need valid credentials for a user account with at least the role of Security Analyst (Read Only). | 2024-10-23 | 9.9 | CVE-2024-20424 | ykramarz@cisco.com |
Cisco--Cisco Firepower Threat Defense Software |
A vulnerability in Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 1000, 2100, 3100, and 4200 Series could allow an unauthenticated, local attacker to access an affected system using static credentials. This vulnerability is due to the presence of static accounts with hard-coded passwords on an affected system. An attacker could exploit this vulnerability by logging in to the CLI of an affected device with these credentials. A successful exploit could allow the attacker to access the affected system and retrieve sensitive information, perform limited troubleshooting actions, modify some configuration options, or render the device unable to boot to the operating system, requiring a reimage of the device. | 2024-10-23 | 9.3 | CVE-2024-20412 | ykramarz@cisco.com |
Cisco--Cisco Firepower Threat Defense Software |
A vulnerability in the Snort 2 and Snort 3 TCP and UDP detection engine of Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 2100 Series Appliances could allow an unauthenticated, remote attacker to cause memory corruption, which could cause the Snort detection engine to restart unexpectedly. This vulnerability is due to improper memory management when the Snort detection engine processes specific TCP or UDP packets. An attacker could exploit this vulnerability by sending crafted TCP or UDP packets through a device that is inspecting traffic using the Snort detection engine. A successful exploit could allow the attacker to restart the Snort detection engine repeatedly, which could cause a denial of service (DoS) condition. The DoS condition impacts only the traffic through the device that is examined by the Snort detection engine. The device can still be managed over the network. Note: Once a memory block is corrupted, it cannot be cleared until the Cisco Firepower 2100 Series Appliance is manually reloaded. This means that the Snort detection engine could crash repeatedly, causing traffic that is processed by the Snort detection engine to be dropped until the device is manually reloaded. | 2024-10-23 | 8.6 | CVE-2024-20330 | ykramarz@cisco.com ykramarz@cisco.com ykramarz@cisco.com |
Cisco--Cisco Firepower Threat Defense Software |
A vulnerability in the TLS processing feature of Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 2100 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an issue that occurs when TLS traffic is processed. An attacker could exploit this vulnerability by sending certain TLS traffic over IPv4 through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition and impacting traffic to and through the affected device. | 2024-10-23 | 8.6 | CVE-2024-20339 | ykramarz@cisco.com ykramarz@cisco.com ykramarz@cisco.com |
Cisco--Cisco Firepower Threat Defense Software |
A vulnerability in the TCP/IP traffic handling function of the Snort Detection Engine of Cisco Firepower Threat Defense (FTD) Software and Cisco FirePOWER Services could allow an unauthenticated, remote attacker to cause legitimate network traffic to be dropped, resulting in a denial of service (DoS) condition. This vulnerability is due to the improper handling of TCP/IP network traffic. An attacker could exploit this vulnerability by sending a large amount of TCP/IP network traffic through the affected device. A successful exploit could allow the attacker to cause the Cisco FTD device to drop network traffic, resulting in a DoS condition. The affected device must be rebooted to resolve the DoS condition. | 2024-10-23 | 8.6 | CVE-2024-20351 | ykramarz@cisco.com ykramarz@cisco.com ykramarz@cisco.com ykramarz@cisco.com |
code-projects -- pharmacy_management_system |
A vulnerability was found in code-projects Pharmacy Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /add_new_invoice.php. The manipulation of the argument text leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-10-21 | 9.8 | CVE-2024-10196 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Codezips--Pet Shop Management System |
A vulnerability, which was classified as critical, has been found in Codezips Pet Shop Management System 1.0. This issue affects some unknown processing of the file /animalsupdate.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-10-27 | 7.3 | CVE-2024-10430 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Codezips--Pet Shop Management System |
A vulnerability, which was classified as critical, was found in Codezips Pet Shop Management System 1.0. Affected is an unknown function of the file /deletebird.php. The manipulation of the argument t1 leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-10-27 | 7.3 | CVE-2024-10431 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Codezips--Sales Management System |
A vulnerability was found in Codezips Sales Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /addstock.php. The manipulation of the argument prodtype leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-10-25 | 7.3 | CVE-2024-10368 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Codezips--Sales Management System |
A vulnerability was found in Codezips Sales Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /addcustcom.php. The manipulation of the argument refno leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-10-25 | 7.3 | CVE-2024-10369 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
Codezips--Sales Management System |
A vulnerability was found in Codezips Sales Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /addcustind.php. The manipulation of the argument refno leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-10-25 | 7.3 | CVE-2024-10370 | cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com |
delabon--WordPress Post Grid Layouts with Pagination Sogrid |
The WordPress Post Grid Layouts with Pagination - Sogrid plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.2 via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. This can also be exploited via CSRF techniques. | 2024-10-26 | 7.2 | CVE-2024-8392 | security@wordfence.com security@wordfence.com |
deryck--User Toolkit |
The User Toolkit plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.3. This is due to an improper capability check in the 'switchUser' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator. | 2024-10-26 | 8.8 | CVE-2024-9890 | security@wordfence.com security@wordfence.com security@wordfence.com |
Dogu Pekgoz--AI Image Generator for Your Content & Featured Images AI Postpix |
Unrestricted Upload of File with Dangerous Type vulnerability in Dogu Pekgoz AI Image Generator for Your Content & Featured Images - AI Postpix allows Upload a Web Shell to a Web Server.This issue affects AI Image Generator for Your Content & Featured Images - AI Postpix: from n/a through 1.1.8. | 2024-10-23 | 9.9 | CVE-2024-49671 | audit@patchstack.com |
Ecomerciar--Woocommerce Custom Profile Picture |
Unrestricted Upload of File with Dangerous Type vulnerability in Ecomerciar Woocommerce Custom Profile Picture allows Upload a Web Shell to a Web Server.This issue affects Woocommerce Custom Profile Picture: from n/a through 1.0. | 2024-10-23 | 9.9 | CVE-2024-49658 | audit@patchstack.com |
elecom -- wab-i1750-ps_firmware |
Stack-based buffer overflow vulnerability exists in WAB-I1750-PS and WAB-S1167-PS. By processing a specially crafted HTTP request, arbitrary code may be executed. | 2024-10-21 | 9.8 | CVE-2024-43689 | vultures@jpcert.or.jp vultures@jpcert.or.jp |
fortinet -- fortimanager |
A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.13, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests. | 2024-10-23 | 9.8 | CVE-2024-47575 | psirt@fortinet.com |
funnelkit -- funnelkit_automations |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Automation By Autonami allows SQL Injection.This issue affects Automation By Autonami: from n/a through 3.1.2. | 2024-10-21 | 7.2 | CVE-2024-47328 | audit@patchstack.com |
GitLab--GitLab |
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. An attacker could inject HTML into the Global Search field on a diff view leading to XSS. | 2024-10-24 | 8.7 | CVE-2024-8312 | cve@gitlab.com cve@gitlab.com |
google -- android |
there is a possible man-in-the-middle attack due to a logic error in the code. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-10-25 | 8.1 | CVE-2024-47023 | dsap-vuln-management@google.com |
google -- android |
Android before 2024-10-05 on Google Pixel devices allows information disclosure in the modem component, A-299774545. | 2024-10-25 | 7.5 | CVE-2024-44100 | dsap-vuln-management@google.com |
google -- android |
there is a possible Null Pointer Dereference (modem crash) due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-10-25 | 7.5 | CVE-2024-44101 | dsap-vuln-management@google.com |
google -- android |
In mm_GetMobileIdIndexForNsUpdate of mm_GmmPduCodec.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-10-25 | 7.8 | CVE-2024-47012 | dsap-vuln-management@google.com |
google -- android |
Android before 2024-10-05 on Google Pixel devices allows information disclosure in the ABL component, A-331966488. | 2024-10-25 | 7.5 | CVE-2024-47020 | dsap-vuln-management@google.com |
google -- android |
In sms_ExtractCbLanguage of sms_CellBroadcast.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-10-25 | 7.5 | CVE-2024-47021 | dsap-vuln-management@google.com |
google -- android |
Android before 2024-10-05 on Google Pixel devices allows information disclosure in the ACPM component, A-331255656. | 2024-10-25 | 7.5 | CVE-2024-47022 | dsap-vuln-management@google.com |
google -- chrome |
Inappropriate implementation in Extensions in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: High) | 2024-10-22 | 8.1 | CVE-2024-10229 | chrome-cve-admin@google.com chrome-cve-admin@google.com |
google -- chrome |
Type Confusion in V8 in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2024-10-22 | 8.8 | CVE-2024-10230 | chrome-cve-admin@google.com chrome-cve-admin@google.com |
google -- chrome |
Type Confusion in V8 in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2024-10-22 | 8.8 | CVE-2024-10231 | chrome-cve-admin@google.com chrome-cve-admin@google.com |
Google--Android |
Android before 2024-10-05 on Google Pixel devices allows privilege escalation in the ABL component, A-330537292. | 2024-10-25 | 8.8 | CVE-2024-47014 | dsap-vuln-management@google.com |
Google--Android |
In lwis_device_event_states_clear_locked of lwis_event.c, there is a possible privilege escalation due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-10-25 | 7.4 | CVE-2024-44098 | dsap-vuln-management@google.com |
Google--Android |
In pmucal_rae_handle_seq_int of flexpmu_cal_rae.c, there is a possible arbitrary write due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-10-25 | 7.8 | CVE-2024-47013 | dsap-vuln-management@google.com |
Google--Android |
there is a possible privilege escalation due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-10-25 | 7.8 | CVE-2024-47016 | dsap-vuln-management@google.com |
Google--Android |
In ufshc_scsi_cmd of ufs.c, there is a possible stack variable use after free due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-10-25 | 7.8 | CVE-2024-47017 | dsap-vuln-management@google.com |
Google--Android |
In vring_size of external/headers/include/virtio/virtio_ring.h, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-10-25 | 7.4 | CVE-2024-47024 | dsap-vuln-management@google.com |
Google--Android |
In sm_mem_compat_get_vmm_obj of lib/sm/shared_mem.c, there is a possible arbitrary physical memory access due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-10-25 | 7.4 | CVE-2024-47027 | dsap-vuln-management@google.com |
Google--Android |
In lwis_allocator_free of lwis_allocator.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-10-25 | 7.4 | CVE-2024-47033 | dsap-vuln-management@google.com |
Google--Android |
In vring_init of external/headers/include/virtio/virtio_ring.h, there is a possible out of bounds write due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-10-25 | 7.4 | CVE-2024-47035 | dsap-vuln-management@google.com |
Google--Android |
In valid_address of syscall.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2024-10-25 | 7.4 | CVE-2024-47041 | dsap-vuln-management@google.com |
ibm -- concert |
IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute. | 2024-10-22 | 9.8 | CVE-2024-43177 | psirt@us.ibm.com |
IceWhaleTech--ZimaOS |
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint `http://<Zima_Server_IP:PORT>/v3/file?token=<token>&files=<file_path>` is vulnerable to arbitrary file reading due to improper input validation. By manipulating the `files` parameter, authenticated users can read sensitive system files, including `/etc/shadow`, which contains password hashes for all users. This vulnerability exposes critical system data and poses a high risk for privilege escalation or system compromise. The vulnerability occurs because the API endpoint does not validate or restrict file paths provided via the `files` parameter. An attacker can exploit this by manipulating the file path to access sensitive files outside the intended directory. As of time of publication, no known patched versions are available. | 2024-10-24 | 7.5 | CVE-2024-48931 | security-advisories@github.com security-advisories@github.com |
IceWhaleTech--ZimaOS |
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json` and `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json`, expose sensitive data like installed applications and system information without requiring any authentication or authorization. This sensitive data leak can be exploited by attackers to gain detailed knowledge about the system setup, installed applications, and other critical information. As of time of publication, no known patched versions are available. | 2024-10-24 | 7.5 | CVE-2024-49357 | security-advisories@github.com security-advisories@github.com |
IceWhaleTech--ZimaOS |
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http://<Zima_Server_IP:PORT>/v2_1/file` in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on the server. By manipulating the path parameter, attackers can access sensitive system directories such as `/etc`, potentially exposing critical configuration files and increasing the risk of further attacks. As of time of publication, no known patched versions are available. | 2024-10-24 | 7.5 | CVE-2024-49359 | security-advisories@github.com security-advisories@github.com |
iniNet Solutions--SpiderControl SCADA PC HMI Editor |
iniNet Solutions SpiderControl SCADA PC HMI Editor has a path traversal vulnerability. When the software loads a malicious 'ems' project template file constructed by an attacker, it can write files to arbitrary directories. This can lead to overwriting system files, causing system paralysis, or writing to startup items, resulting in remote control. | 2024-10-24 | 8 | CVE-2024-10313 | ics-cert@hq.dhs.gov |
James Eggers--Portfolleo |
Unrestricted Upload of File with Dangerous Type vulnerability in James Eggers Portfolleo portfolleo allows Upload a Web Shell to a Web Server.This issue affects Portfolleo: from n/a through 1.2. | 2024-10-23 | 9.9 | CVE-2024-49653 | audit@patchstack.com |
janobe -- online_complaint_site |
SQL Injection vulnerability in Online Complaint Site v.1.0 allows a remote attacker to escalate privileges via the username and password parameters in the /admin.index.php component. | 2024-10-22 | 9.8 | CVE-2024-44812 | cve@mitre.org |
jdsofttech--School Management System WPSchoolPress |
The School Management System - WPSchoolPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.10. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with teacher-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | 2024-10-26 | 8.8 | CVE-2024-9637 | security@wordfence.com security@wordfence.com |
jurredeklijn--Wux Blog Editor |
The Wux Blog Editor plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.0. This is due to missing validation on the token being supplied during the autologin through the plugin. This makes it possible for unauthenticated attackers to log in to the first administrator user. | 2024-10-26 | 9.8 | CVE-2024-9931 | security@wordfence.com security@wordfence.com |
jurredeklijn--Wux Blog Editor |
The Wux Blog Editor plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'wuxbt_insertImageNew' function in versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2024-10-26 | 9.8 | CVE-2024-9932 | security@wordfence.com security@wordfence.com |
keith-cullen -- freecoap |
Null Pointer Dereference in `coap_client_exchange_blockwise2` function in Keith Cullen FreeCoAP 1.0 allows remote attackers to cause a denial of service and potentially execute arbitrary code via a specially crafted CoAP packet that causes `coap_msg_get_payload(resp)` to return a null pointer, which is then dereferenced in a call to `memcpy`. | 2024-10-22 | 9.8 | CVE-2024-40493 | cve@mitre.org cve@mitre.org |
Kieback & Peter--DDC4040e |
Kieback & Peter's DDC4000 series is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system. | 2024-10-22 | 9.8 | CVE-2024-41717 | ics-cert@hq.dhs.gov |
Kieback&Peter--DDC4040e |
Kieback & Peter's DDC4000 series uses weak credentials, which may allow an unauthenticated attacker to get full admin rights on the system. | 2024-10-22 | 9.8 | CVE-2024-43698 | ics-cert@hq.dhs.gov |
Kieback&Peter--DDC4040e |
Kieback & Peter's DDC4000 series has an insufficiently protected credentials vulnerability, which may allow an unauthenticated attacker with access to /etc/passwd to read the password hashes of all users on the system. | 2024-10-22 | 8.4 | CVE-2024-43812 | ics-cert@hq.dhs.gov |
latepoint -- latepoint |
Cross-Site Request Forgery (CSRF) vulnerability in Latepoint LatePoint allows Cross Site Request Forgery.This issue affects LatePoint: from n/a through 4.9.91. | 2024-10-21 | 8.8 | CVE-2024-43945 | audit@patchstack.com |
Lawo AG--vsm LTC Time Sync (vTimeSync) |
The web server of Lawo AG vsm LTC Time Sync (vTimeSync) is affected by a "..." (triple dot) path traversal vulnerability. By sending a specially crafted HTTP request, an unauthenticated remote attacker could download arbitrary files from the operating system. As a limitation, the exploitation is only possible if the requested file has some file extension, e. g. .exe or .txt. | 2024-10-24 | 7.5 | CVE-2024-6049 | 551230f0-3615-47bd-b7cc-93e92e730bbf 551230f0-3615-47bd-b7cc-93e92e730bbf |
Liferay--Portal |
The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API. | 2024-10-22 | 9 | CVE-2024-38002 | security@liferay.com |
Liferay--Portal |
The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability. | 2024-10-22 | 9.6 | CVE-2024-8980 | security@liferay.com |
Liferay--Portal |
Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter. | 2024-10-22 | 8.8 | CVE-2024-26271 | security@liferay.com |
Liferay--Portal |
Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.3.2 through 7.4.3.107, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 GA through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the p_l_back_url parameter. | 2024-10-22 | 8.8 | CVE-2024-26272 | security@liferay.com |
Liferay--Portal |
Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.4.0 through 7.4.3.103, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 update 29 through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect parameter. | 2024-10-22 | 8.8 | CVE-2024-26273 | security@liferay.com |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending garbage on the four reserved tcp bits (th->res1) Use skb_put_zero() to clear the whole TCP header, as done in nf_reject_ip_tcphdr_put() BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 process_backlog+0x4ad/0xa50 net/core/dev.c:6108 __napi_poll+0xe7/0x980 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 __do_softirq+0x14/0x1a kernel/softirq.c:588 do_softirq+0x9a/0x100 kernel/softirq.c:455 __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline] __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450 dev_queue_xmit include/linux/netdevice.h:3105 [inline] neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366 inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135 __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline] tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143 tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333 __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679 inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750 __sys_connect_file net/socket.c:2061 [inline] __sys_connect+0x606/0x690 net/socket.c:2078 __do_sys_connect net/socket.c:2088 [inline] __se_sys_connect net/socket.c:2085 [inline] __x64_sys_connect+0x91/0xe0 net/socket.c:2085 x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249 nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core ---truncated--- | 2024-10-21 | 9.1 | CVE-2024-47685 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: perf: Fix perf_pending_task() UaF Per syzbot it is possible for perf_pending_task() to run after the event is free()'d. There are two related but distinct cases: - the task_work was already queued before destroying the event; - destroying the event itself queues the task_work. The first cannot be solved using task_work_cancel() since perf_release() itself might be called from a task_work (____fput), which means the current->task_works list is already empty and task_work_cancel() won't be able to find the perf_pending_task() entry. The simplest alternative is extending the perf_event lifetime to cover the task_work. The second is just silly, queueing a task_work while you know the event is going away makes no sense and is easily avoided by re-arranging how the event is marked STATE_DEAD and ensuring it goes through STATE_OFF on the way down. | 2024-10-21 | 7.8 | CVE-2022-48950 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx() The bounds checks in snd_soc_put_volsw_sx() are only being applied to the first channel, meaning it is possible to write out of bounds values to the second channel in stereo controls. Add appropriate checks. | 2024-10-21 | 7.8 | CVE-2022-48951 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: s390/qeth: fix use-after-free in hsci KASAN found that addr was dereferenced after br2dev_event_work was freed. ================================================================== BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0 Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540 CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G E 6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1 Hardware name: IBM 8561 T01 703 (LPAR) Workqueue: 0.0.8000_event qeth_l2_br2dev_worker Call Trace: [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8 [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0 [<000000016942d118>] print_report+0x110/0x1f8 [<0000000167a7bd04>] kasan_report+0xfc/0x128 [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0 [<00000001673edd1e>] process_one_work+0x76e/0x1128 [<00000001673ee85c>] worker_thread+0x184/0x1098 [<000000016740718a>] kthread+0x26a/0x310 [<00000001672c606a>] __ret_from_fork+0x8a/0xe8 [<00000001694711da>] ret_from_fork+0xa/0x40 Allocated by task 108338: kasan_save_stack+0x40/0x68 kasan_set_track+0x36/0x48 __kasan_kmalloc+0xa0/0xc0 qeth_l2_switchdev_event+0x25a/0x738 atomic_notifier_call_chain+0x9c/0xf8 br_switchdev_fdb_notify+0xf4/0x110 fdb_notify+0x122/0x180 fdb_add_entry.constprop.0.isra.0+0x312/0x558 br_fdb_add+0x59e/0x858 rtnl_fdb_add+0x58a/0x928 rtnetlink_rcv_msg+0x5f8/0x8d8 netlink_rcv_skb+0x1f2/0x408 netlink_unicast+0x570/0x790 netlink_sendmsg+0x752/0xbe0 sock_sendmsg+0xca/0x110 ____sys_sendmsg+0x510/0x6a8 ___sys_sendmsg+0x12a/0x180 __sys_sendmsg+0xe6/0x168 __do_sys_socketcall+0x3c8/0x468 do_syscall+0x22c/0x328 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 Freed by task 540: kasan_save_stack+0x40/0x68 kasan_set_track+0x36/0x48 kasan_save_free_info+0x4c/0x68 ____kasan_slab_free+0x14e/0x1a8 __kasan_slab_free+0x24/0x30 __kmem_cache_free+0x168/0x338 qeth_l2_br2dev_worker+0x154/0x6b0 process_one_work+0x76e/0x1128 worker_thread+0x184/0x1098 kthread+0x26a/0x310 __ret_from_fork+0x8a/0xe8 ret_from_fork+0xa/0x40 Last potentially related work creation: kasan_save_stack+0x40/0x68 __kasan_record_aux_stack+0xbe/0xd0 insert_work+0x56/0x2e8 __queue_work+0x4ce/0xd10 queue_work_on+0xf4/0x100 qeth_l2_switchdev_event+0x520/0x738 atomic_notifier_call_chain+0x9c/0xf8 br_switchdev_fdb_notify+0xf4/0x110 fdb_notify+0x122/0x180 fdb_add_entry.constprop.0.isra.0+0x312/0x558 br_fdb_add+0x59e/0x858 rtnl_fdb_add+0x58a/0x928 rtnetlink_rcv_msg+0x5f8/0x8d8 netlink_rcv_skb+0x1f2/0x408 netlink_unicast+0x570/0x790 netlink_sendmsg+0x752/0xbe0 sock_sendmsg+0xca/0x110 ____sys_sendmsg+0x510/0x6a8 ___sys_sendmsg+0x12a/0x180 __sys_sendmsg+0xe6/0x168 __do_sys_socketcall+0x3c8/0x468 do_syscall+0x22c/0x328 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 Second to last potentially related work creation: kasan_save_stack+0x40/0x68 __kasan_record_aux_stack+0xbe/0xd0 kvfree_call_rcu+0xb2/0x760 kernfs_unlink_open_file+0x348/0x430 kernfs_fop_release+0xc2/0x320 __fput+0x1ae/0x768 task_work_run+0x1bc/0x298 exit_to_user_mode_prepare+0x1a0/0x1a8 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 The buggy address belongs to the object at 00000000fdcea400 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 64 bytes inside of 96-byte region [00000000fdcea400, 00000000fdcea460) The buggy address belongs to the physical page: page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff) raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00 raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc 00000000fdcea380: fb fb fb fb fb fb f ---truncated--- | 2024-10-21 | 7.8 | CVE-2022-48954 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid use-after-free in ip6_fragment() Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers. It seems to not be always true, at least for UDP stack. syzbot reported: BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline] BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951 Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618 CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x45d mm/kasan/report.c:395 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 ip6_dst_idev include/net/ip6_fib.h:245 [inline] ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951 __ip6_finish_output net/ipv6/ip6_output.c:193 [inline] ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206 NF_HOOK_COND include/linux/netfilter.h:291 [inline] ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227 dst_output include/net/dst.h:445 [inline] ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161 ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966 udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286 udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313 udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xd3/0x120 net/socket.c:734 sock_write_iter+0x295/0x3d0 net/socket.c:1108 call_write_iter include/linux/fs.h:2191 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x9ed/0xdd0 fs/read_write.c:584 ksys_write+0x1ec/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fde3588c0d9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9 RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000 </TASK> Allocated by task 7618: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slab.h:737 [inline] slab_alloc_node mm/slub.c:3398 [inline] slab_alloc mm/slub.c:3406 [inline] __kmem_cache_alloc_lru mm/slub.c:3413 [inline] kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422 dst_alloc+0x14a/0x1f0 net/core/dst.c:92 ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344 ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline] rt6_make_pcpu_route net/ipv6/route.c:1417 [inline] ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254 pol_lookup_func include/net/ip6_fib.h:582 [inline] fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121 ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625 ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638 ip6_route_output include/net/ip6_route.h:98 [inline] ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092 ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222 ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260 udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665 sock_sendmsg_nosec n ---truncated--- | 2024-10-21 | 7.8 | CVE-2022-48956 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: net: hisilicon: Fix potential use-after-free in hix5hd2_rx() The skb is delivered to napi_gro_receive() which may free it, after calling this, dereferencing skb may trigger use-after-free. | 2024-10-21 | 7.8 | CVE-2022-48960 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: net: hisilicon: Fix potential use-after-free in hisi_femac_rx() The skb is delivered to napi_gro_receive() which may free it, after calling this, dereferencing skb may trigger use-after-free. | 2024-10-21 | 7.8 | CVE-2022-48962 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: ravb: Fix potential use-after-free in ravb_rx_gbeth() The skb is delivered to napi_gro_receive() which may free it, after calling this, dereferencing skb may trigger use-after-free. | 2024-10-21 | 7.8 | CVE-2022-48964 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: net: mvneta: Prevent out of bounds read in mvneta_config_rss() The pp->indir[0] value comes from the user. It is passed to: if (cpu_online(pp->rxq_def)) inside the mvneta_percpu_elect() function. It needs bounds checkeding to ensure that it is not beyond the end of the cpu bitmap. | 2024-10-21 | 7.1 | CVE-2022-48966 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Bounds check struct nfc_target arrays While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported: memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18) This appears to be a legitimate lack of bounds checking in nci_add_new_protocol(). Add the missing checks. | 2024-10-21 | 7.1 | CVE-2022-48967 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing() The SJA1105 family has 45 L2 policing table entries (SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110 (SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but accounting for the difference in port count (5 in SJA1105 vs 10 in SJA1110) does not fully explain the difference. Rather, the SJA1110 also has L2 ingress policers for multicast traffic. If a packet is classified as multicast, it will be processed by the policer index 99 + SRCPORT. The sja1105_init_l2_policing() function initializes all L2 policers such that they don't interfere with normal packet reception by default. To have a common code between SJA1105 and SJA1110, the index of the multicast policer for the port is calculated because it's an index that is out of bounds for SJA1105 but in bounds for SJA1110, and a bounds check is performed. The code fails to do the proper thing when determining what to do with the multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The "mcast" index will be equal to 45, which is also equal to table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes through the check. But at the same time, SJA1105 doesn't have multicast policers. So the code programs the SHARINDX field of an out-of-bounds element in the L2 Policing table of the static config. The comparison between index 45 and 45 entries should have determined the code to not access this policer index on SJA1105, since its memory wasn't even allocated. With enough bad luck, the out-of-bounds write could even overwrite other valid kernel data, but in this case, the issue was detected using KASAN. Kernel log: sja1105 spi5.0: Probed switch chip: SJA1105Q ================================================================== BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340 Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8 ... Workqueue: events_unbound deferred_probe_work_func Call trace: ... sja1105_setup+0x1cbc/0x2340 dsa_register_switch+0x1284/0x18d0 sja1105_probe+0x748/0x840 ... Allocated by task 8: ... sja1105_setup+0x1bcc/0x2340 dsa_register_switch+0x1284/0x18d0 sja1105_probe+0x748/0x840 ... | 2024-10-21 | 7.8 | CVE-2022-48980 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: drm/shmem-helper: Remove errant put in error path drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM object getting prematurely freed leading to a later use-after-free. | 2024-10-21 | 7.8 | CVE-2022-48981 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix use-after-free during gpu recovery [Why] [ 754.862560] refcount_t: underflow; use-after-free. [ 754.862898] Call Trace: [ 754.862903] <TASK> [ 754.862913] amdgpu_job_free_cb+0xc2/0xe1 [amdgpu] [ 754.863543] drm_sched_main.cold+0x34/0x39 [amd_sched] [How] The fw_fence may be not init, check whether dma_fence_init is performed before job free | 2024-10-21 | 7.8 | CVE-2022-48990 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: tracing: Free buffers when a used dynamic event is removed After 65536 dynamic events have been added and removed, the "type" field of the event then uses the first type number that is available (not currently used by other events). A type number is the identifier of the binary blobs in the tracing ring buffer (known as events) to map them to logic that can parse the binary blob. The issue is that if a dynamic event (like a kprobe event) is traced and is in the ring buffer, and then that event is removed (because it is dynamic, which means it can be created and destroyed), if another dynamic event is created that has the same number that new event's logic on parsing the binary blob will be used. To show how this can be an issue, the following can crash the kernel: # cd /sys/kernel/tracing # for i in `seq 65536`; do echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events # done For every iteration of the above, the writing to the kprobe_events will remove the old event and create a new one (with the same format) and increase the type number to the next available on until the type number reaches over 65535 which is the max number for the 16 bit type. After it reaches that number, the logic to allocate a new number simply looks for the next available number. When an dynamic event is removed, that number is then available to be reused by the next dynamic event created. That is, once the above reaches the max number, the number assigned to the event in that loop will remain the same. Now that means deleting one dynamic event and created another will reuse the previous events type number. This is where bad things can happen. After the above loop finishes, the kprobes/foo event which reads the do_sys_openat2 function call's first parameter as an integer. # echo 1 > kprobes/foo/enable # cat /etc/passwd > /dev/null # cat trace cat-2211 [005] .... 2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 # echo 0 > kprobes/foo/enable Now if we delete the kprobe and create a new one that reads a string: # echo 'p:kprobes/foo do_sys_openat2 +0($arg2):string' > kprobe_events And now we can the trace: # cat trace sendmail-1942 [002] ..... 530.136320: foo: (do_sys_openat2+0x0/0x240) arg1= cat-2046 [004] ..... 530.930817: foo: (do_sys_openat2+0x0/0x240) arg1="????????????????????????????????????????????????????????????????????????????????????????????????" cat-2046 [004] ..... 530.930961: foo: (do_sys_openat2+0x0/0x240) arg1="????????????????????????????????????????????????????????????????????????????????????????????????" cat-2046 [004] ..... 530.934278: foo: (do_sys_openat2+0x0/0x240) arg1="????????????????????????????????????????????????????????????????????????????????????????????????" cat-2046 [004] ..... 530.934563: foo: (do_sys_openat2+0x0/0x240) arg1="??????????????????????????????????????? ---truncated--- | 2024-10-21 | 7.8 | CVE-2022-49006 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: net: tun: Fix use-after-free in tun_detach() syzbot reported use-after-free in tun_detach() [1]. This causes call trace like below: ================================================================== BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673 CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x461 mm/kasan/report.c:395 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] call_netdevice_notifiers net/core/dev.c:1997 [inline] netdev_wait_allrefs_any net/core/dev.c:10237 [inline] netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351 tun_detach drivers/net/tun.c:704 [inline] tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467 __fput+0x27c/0xa90 fs/file_table.c:320 task_work_run+0x16f/0x270 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xb3d/0x2a30 kernel/exit.c:820 do_group_exit+0xd4/0x2a0 kernel/exit.c:950 get_signal+0x21b1/0x2440 kernel/signal.c:2858 arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869 exit_to_user_mode_loop kernel/entry/common.c:168 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd The cause of the issue is that sock_put() from __tun_detach() drops last reference count for struct net, and then notifier_call_chain() from netdev_state_change() accesses that struct net. This patch fixes the issue by calling sock_put() from tun_detach() after all necessary accesses for the struct net has done. | 2024-10-21 | 7.8 | CVE-2022-49014 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: net: hsr: Fix potential use-after-free The skb is delivered to netif_rx() which may free it, after calling this, dereferencing skb may trigger use-after-free. | 2024-10-21 | 7.8 | CVE-2022-49015 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: tipc: re-fetch skb cb after tipc_msg_validate As the call trace shows, the original skb was freed in tipc_msg_validate(), and dereferencing the old skb cb would cause an use-after-free crash. BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] Call Trace: <IRQ> tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] ... Allocated by task 47078: kmem_cache_alloc_node+0x158/0x4d0 __alloc_skb+0x1c1/0x270 tipc_buf_acquire+0x1e/0xe0 [tipc] tipc_msg_create+0x33/0x1c0 [tipc] tipc_link_build_proto_msg+0x38a/0x2100 [tipc] tipc_link_timeout+0x8b8/0xef0 [tipc] tipc_node_timeout+0x2a1/0x960 [tipc] call_timer_fn+0x2d/0x1c0 ... Freed by task 47078: tipc_msg_validate+0x7b/0x440 [tipc] tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] This patch fixes it by re-fetching the skb cb from the new allocated skb after calling tipc_msg_validate(). | 2024-10-21 | 7.8 | CVE-2022-49017 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration Fix possible out-of-bound access in ieee80211_get_rate_duration routine as reported by the following UBSAN report: UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47 index 15 is out of range for type 'u16 [12]' CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017 Workqueue: mt76 mt76u_tx_status_data [mt76_usb] Call Trace: <TASK> show_stack+0x4e/0x61 dump_stack_lvl+0x4a/0x6f dump_stack+0x10/0x18 ubsan_epilogue+0x9/0x43 __ubsan_handle_out_of_bounds.cold+0x42/0x47 ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211] ? ieee80211_tx_status_ext+0x32e/0x640 [mac80211] ieee80211_calc_rx_airtime+0xda/0x120 [mac80211] ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211] mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib] mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib] mt76u_tx_status_data+0x67/0xd0 [mt76_usb] process_one_work+0x225/0x400 worker_thread+0x50/0x3e0 ? process_one_work+0x400/0x400 kthread+0xe9/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 | 2024-10-21 | 7.8 | CVE-2022-49022 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix buffer overflow in elem comparison For vendor elements, the code here assumes that 5 octets are present without checking. Since the element itself is already checked to fit, we only need to check the length. | 2024-10-21 | 7.8 | CVE-2022-49023 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix use-after-free when reverting termination table When having multiple dests with termination tables and second one or afterwards fails the driver reverts usage of term tables but doesn't reset the assignment in attr->dests[num_vport_dests].termtbl which case a use-after-free when releasing the rule. Fix by resetting the assignment of termtbl to null. | 2024-10-21 | 7.8 | CVE-2022-49025 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: e100: Fix possible use after free in e100_xmit_prepare In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will resend the skb. But the skb is already freed, which will cause UAF bug when the upper layer resends the skb. Remove the harmful free. | 2024-10-21 | 7.8 | CVE-2022-49026 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails Smatch report warning as follows: drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn: '&data->list' not removed from list If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will be freed, but data->list will not be removed from driver_data.bmc_data, then list traversal may cause UAF. Fix by removeing it from driver_data.bmc_data before free(). | 2024-10-21 | 7.8 | CVE-2022-49029 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: libbpf: Handle size overflow for ringbuf mmap The maximum size of ringbuf is 2GB on x86-64 host, so 2 * max_entries will overflow u32 when mapping producer page and data pages. Only casting max_entries to size_t is not enough, because for 32-bits application on 64-bits kernel the size of read-only mmap region also could overflow size_t. So fixing it by casting the size of read-only mmap region into a __u64 and checking whether or not there will be overflow during mmap. | 2024-10-21 | 7.8 | CVE-2022-49030 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: iio: health: afe4403: Fix oob read in afe4403_read_raw KASAN report out-of-bounds read as follows: BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0 Read of size 4 at addr ffffffffc02ac638 by task cat/279 Call Trace: afe4403_read_raw iio_read_channel_info dev_attr_show The buggy address belongs to the variable: afe4403_channel_leds+0x18/0xffffffffffffe9e0 This issue can be reproduced by singe command: $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw The array size of afe4403_channel_leds is less than channels, so access with chan->address cause OOB read in afe4403_read_raw. Fix it by moving access before use it. | 2024-10-21 | 7.1 | CVE-2022-49031 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw KASAN report out-of-bounds read as follows: BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380 Read of size 4 at addr ffffffffc00e4658 by task cat/278 Call Trace: afe4404_read_raw iio_read_channel_info dev_attr_show The buggy address belongs to the variable: afe4404_channel_leds+0x18/0xffffffffffffe9c0 This issue can be reproduce by singe command: $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw The array size of afe4404_channel_leds and afe4404_channel_offdacs are less than channels, so access with chan->address cause OOB read in afe4404_[read|write]_raw. Fix it by moving access before use them. | 2024-10-21 | 7.1 | CVE-2022-49032 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix use-after-free in bpf_uprobe_multi_link_attach() If bpf_link_prime() fails, bpf_uprobe_multi_link_attach() goes to the error_free label and frees the array of bpf_uprobe's without calling bpf_uprobe_unregister(). This leaks bpf_uprobe->uprobe and worse, this frees bpf_uprobe->consumer without removing it from the uprobe->consumers list. | 2024-10-21 | 7.8 | CVE-2024-47675 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb.c: fix UAF of vma in hugetlb fault pathway Syzbot reports a UAF in hugetlb_fault(). This happens because vmf_anon_prepare() could drop the per-VMA lock and allow the current VMA to be freed before hugetlb_vma_unlock_read() is called. We can fix this by using a modified version of vmf_anon_prepare() that doesn't release the VMA lock on failure, and then release it ourselves after hugetlb_vma_unlock_read(). | 2024-10-21 | 7.8 | CVE-2024-47676 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: scsi: sd: Fix off-by-one error in sd_read_block_characteristics() Ff the device returns page 0xb1 with length 8 (happens with qemu v2.x, for example), sd_read_block_characteristics() may attempt an out-of-bounds memory access when accessing the zoned field at offset 8. | 2024-10-21 | 7.8 | CVE-2024-47682 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate() The psc->div[] array has psc->num_div elements. These values come from when we call clk_hw_register_div(). It's adc_divisors and ARRAY_SIZE(adc_divisors)) and so on. So this condition needs to be >= instead of > to prevent an out of bounds read. | 2024-10-21 | 7.1 | CVE-2024-47686 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread() syzbot reports a f2fs bug as below: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_report+0xe8/0x550 mm/kasan/report.c:491 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline] __refcount_add include/linux/refcount.h:184 [inline] __refcount_inc include/linux/refcount.h:241 [inline] refcount_inc include/linux/refcount.h:258 [inline] get_task_struct include/linux/sched/task.h:118 [inline] kthread_stop+0xca/0x630 kernel/kthread.c:704 f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210 f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283 f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline] __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The root cause is below race condition, it may cause use-after-free issue in sbi->gc_th pointer. - remount - f2fs_remount - f2fs_stop_gc_thread - kfree(gc_th) - f2fs_ioc_shutdown - f2fs_do_shutdown - f2fs_stop_gc_thread - kthread_stop(gc_th->f2fs_gc_task) : sbi->gc_thread = NULL; We will call f2fs_do_shutdown() in two paths: - for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore for fixing. - for f2fs_shutdown() path, it's safe since caller has already grabbed sb->s_umount semaphore. | 2024-10-21 | 7.8 | CVE-2024-47691 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds In the function init_conns(), after the create_con() and create_cm() for loop if something fails. In the cleanup for loop after the destroy tag, we access out of bound memory because cid is set to clt_path->s.con_num. This commits resets the cid to clt_path->s.con_num - 1, to stay in bounds in the cleanup loop later. | 2024-10-21 | 7.8 | CVE-2024-47695 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs"), the function flush_workqueue is invoked to flush the work queue iwcm_wq. But at that time, the work queue iwcm_wq was created via the function alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM. Because the current process is trying to flush the whole iwcm_wq, if iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current process is not reclaiming memory or running on a workqueue which doesn't have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to a deadlock. The call trace is as below: [ 125.350876][ T1430] Call Trace: [ 125.356281][ T1430] <TASK> [ 125.361285][ T1430] ? __warn (kernel/panic.c:693) [ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) [ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219) [ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239) [ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1)) [ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621) [ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) [ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) [ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970) [ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151) [ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm [ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910) [ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) [ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161) [ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm [ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma [ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma [ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231) [ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393) [ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339) [ 125.531837][ T1430] kthread (kernel/kthread.c:389) [ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342) [ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147) [ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342) [ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) [ 125.566487][ T1430] </TASK> [ 125.566488][ T1430] ---[ end trace 0000000000000000 ]--- | 2024-10-21 | 7.8 | CVE-2024-47696 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error Ensure index in rtl2830_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt to access a non-existent 33rd bit, leading to out-of-bounds access. Change the boundary check from index > 32 to index >= 32 to resolve this issue. | 2024-10-21 | 7.8 | CVE-2024-47697 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error Ensure index in rtl2832_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt to access a non-existent 33rd bit, leading to out-of-bounds access. Change the boundary check from index > 32 to index >= 32 to resolve this issue. [hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg] | 2024-10-21 | 7.8 | CVE-2024-47698 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: ext4: avoid OOB when system.data xattr changes underneath the filesystem When looking up for an entry in an inlined directory, if e_value_offs is changed underneath the filesystem by some change in the block device, it will lead to an out-of-bounds access that KASAN detects as an UAF. EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. loop0: detected capacity change from 2048 to 2047 ================================================================== BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103 CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697 __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573 ext4_lookup_entry fs/ext4/namei.c:1727 [inline] ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795 lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633 filename_create+0x297/0x540 fs/namei.c:3980 do_symlinkat+0xf9/0x3a0 fs/namei.c:4587 __do_sys_symlinkat fs/namei.c:4610 [inline] __se_sys_symlinkat fs/namei.c:4607 [inline] __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3e73ced469 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469 RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0 RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290 R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0 </TASK> Calling ext4_xattr_ibody_find right after reading the inode with ext4_get_inode_loc will lead to a check of the validity of the xattrs, avoiding this problem. | 2024-10-21 | 7.8 | CVE-2024-47701 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: af_unix: Don't return OOB skb in manage_oob(). syzbot reported use-after-free in unix_stream_recv_urg(). [0] The scenario is 1. send(MSG_OOB) 2. recv(MSG_OOB) -> The consumed OOB remains in recv queue 3. send(MSG_OOB) 4. recv() -> manage_oob() returns the next skb of the consumed OOB -> This is also OOB, but unix_sk(sk)->oob_skb is not cleared 5. recv(MSG_OOB) -> unix_sk(sk)->oob_skb is used but already freed The recent commit 8594d9b85c07 ("af_unix: Don't call skb_get() for OOB skb.") uncovered the issue. If the OOB skb is consumed and the next skb is peeked in manage_oob(), we still need to check if the skb is OOB. Let's do so by falling back to the following checks in manage_oob() and add the test case in selftest. Note that we need to add a similar check for SIOCATMARK. [0]: BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959 Read of size 4 at addr ffff8880326abcc4 by task syz-executor178/5235 CPU: 0 UID: 0 PID: 5235 Comm: syz-executor178 Not tainted 6.11.0-rc5-syzkaller-00742-gfbdaffe41adc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959 unix_stream_recv_urg+0x1df/0x320 net/unix/af_unix.c:2640 unix_stream_read_generic+0x2456/0x2520 net/unix/af_unix.c:2778 unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x22f/0x280 net/socket.c:1068 ____sys_recvmsg+0x1db/0x470 net/socket.c:2816 ___sys_recvmsg net/socket.c:2858 [inline] __sys_recvmsg+0x2f0/0x3e0 net/socket.c:2888 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5360d6b4e9 Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff29b3a458 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 00007fff29b3a638 RCX: 00007f5360d6b4e9 RDX: 0000000000002001 RSI: 0000000020000640 RDI: 0000000000000003 RBP: 00007f5360dde610 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007fff29b3a628 R14: 0000000000000001 R15: 0000000000000001 </TASK> Allocated by task 5235: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3988 [inline] slab_alloc_node mm/slub.c:4037 [inline] kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4080 __alloc_skb+0x1c3/0x440 net/core/skbuff.c:667 alloc_skb include/linux/skbuff.h:1320 [inline] alloc_skb_with_frags+0xc3/0x770 net/core/skbuff.c:6528 sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2815 sock_alloc_send_skb include/net/sock.h:1778 [inline] queue_oob+0x108/0x680 net/unix/af_unix.c:2198 unix_stream_sendmsg+0xd24/0xf80 net/unix/af_unix.c:2351 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5235: kasan_save_stack mm/kasan/common.c:47 ---truncated--- | 2024-10-21 | 7.8 | CVE-2024-47711 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: always wait for both firmware loading attempts In 'rtw_wait_firmware_completion()', always wait for both (regular and wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()' has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue 'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually the wowlan one) is still in progress, causing UAF detected by KASAN. | 2024-10-21 | 7.8 | CVE-2024-47718 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: iommufd: Protect against overflow of ALIGN() during iova allocation Userspace can supply an iova and uptr such that the target iova alignment becomes really big and ALIGN() overflows which corrupts the selected area range during allocation. CONFIG_IOMMUFD_TEST can detect this: WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/io_pagetable.c:268 iopt_alloc_area_pages drivers/iommu/iommufd/io_pagetable.c:268 [inline] WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/io_pagetable.c:268 iopt_map_pages+0xf95/0x1050 drivers/iommu/iommufd/io_pagetable.c:352 Modules linked in: CPU: 1 PID: 5092 Comm: syz-executor294 Not tainted 6.10.0-rc5-syzkaller-00294-g3ffea9a7a6f7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 RIP: 0010:iopt_alloc_area_pages drivers/iommu/iommufd/io_pagetable.c:268 [inline] RIP: 0010:iopt_map_pages+0xf95/0x1050 drivers/iommu/iommufd/io_pagetable.c:352 Code: fc e9 a4 f3 ff ff e8 1a 8b 4c fc 41 be e4 ff ff ff e9 8a f3 ff ff e8 0a 8b 4c fc 90 0f 0b 90 e9 37 f5 ff ff e8 fc 8a 4c fc 90 <0f> 0b 90 e9 68 f3 ff ff 48 c7 c1 ec 82 ad 8f 80 e1 07 80 c1 03 38 RSP: 0018:ffffc90003ebf9e0 EFLAGS: 00010293 RAX: ffffffff85499fa4 RBX: 00000000ffffffef RCX: ffff888079b49e00 RDX: 0000000000000000 RSI: 00000000ffffffef RDI: 0000000000000000 RBP: ffffc90003ebfc50 R08: ffffffff85499b30 R09: ffffffff85499942 R10: 0000000000000002 R11: ffff888079b49e00 R12: ffff8880228e0010 R13: 0000000000000000 R14: 1ffff920007d7f68 R15: ffffc90003ebfd00 FS: 000055557d760380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000005fdeb8 CR3: 000000007404a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> iommufd_ioas_copy+0x610/0x7b0 drivers/iommu/iommufd/ioas.c:274 iommufd_fops_ioctl+0x4d9/0x5a0 drivers/iommu/iommufd/main.c:421 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Cap the automatic alignment to the huge page size, which is probably a better idea overall. Huge automatic alignments can fragment and chew up the available IOVA space without any reason. | 2024-10-21 | 7.8 | CVE-2024-47719 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: remove unused C2H event ID RTW89_MAC_C2H_FUNC_READ_WOW_CAM to prevent out-of-bounds reading The handler of firmware C2H event RTW89_MAC_C2H_FUNC_READ_WOW_CAM isn't implemented, but driver expects number of handlers is NUM_OF_RTW89_MAC_C2H_FUNC_WOW causing out-of-bounds access. Fix it by removing ID. Addresses-Coverity-ID: 1598775 ("Out-of-bounds read") | 2024-10-21 | 7.1 | CVE-2024-47721 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: jfs: fix out-of-bounds in dbNextAG() and diAlloc() In dbNextAG() , there is no check for the case where bmp->db_numag is greater or same than MAXAG due to a polluted image, which causes an out-of-bounds. Therefore, a bounds check should be added in dbMount(). And in dbNextAG(), a check for the case where agpref is greater than bmp->db_numag should be added, so an out-of-bounds exception should be prevented. Additionally, a check for the case where agno is greater or same than MAXAG should be added in diAlloc() to prevent out-of-bounds. | 2024-10-21 | 7.1 | CVE-2024-47723 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix "in-kernel MMIO" check TDX only supports kernel-initiated MMIO operations. The handle_mmio() function checks if the #VE exception occurred in the kernel and rejects the operation if it did not. However, userspace can deceive the kernel into performing MMIO on its behalf. For example, if userspace can point a syscall to an MMIO address, syscall does get_user() or put_user() on it, triggering MMIO #VE. The kernel will treat the #VE as in-kernel MMIO. Ensure that the target MMIO address is within the kernel before decoding instruction. | 2024-10-21 | 7.8 | CVE-2024-47727 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/qm - inject error before stopping queue The master ooo cannot be completely closed when the accelerator core reports memory error. Therefore, the driver needs to inject the qm error to close the master ooo. Currently, the qm error is injected after stopping queue, memory may be released immediately after stopping queue, causing the device to access the released memory. Therefore, error is injected to close master ooo before stopping queue to ensure that the device does not access the released memory. | 2024-10-21 | 7.8 | CVE-2024-47730 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix potential use after free bug The free_device_compression_mode(iaa_device, device_mode) function frees "device_mode" but it iss passed to iaa_compression_modes[i]->free() a few lines later resulting in a use after free. The good news is that, so far as I can tell, nothing implements the ->free() function and the use after free happens in dead code. But, with this fix, when something does implement it, we'll be ready. :) | 2024-10-21 | 7.8 | CVE-2024-47732 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race setting file private on concurrent lseek using same fd When doing concurrent lseek(2) system calls against the same file descriptor, using multiple threads belonging to the same process, we have a short time window where a race happens and can result in a memory leak. The race happens like this: 1) A program opens a file descriptor for a file and then spawns two threads (with the pthreads library for example), lets call them task A and task B; 2) Task A calls lseek with SEEK_DATA or SEEK_HOLE and ends up at file.c:find_desired_extent() while holding a read lock on the inode; 3) At the start of find_desired_extent(), it extracts the file's private_data pointer into a local variable named 'private', which has a value of NULL; 4) Task B also calls lseek with SEEK_DATA or SEEK_HOLE, locks the inode in shared mode and enters file.c:find_desired_extent(), where it also extracts file->private_data into its local variable 'private', which has a NULL value; 5) Because it saw a NULL file private, task A allocates a private structure and assigns to the file structure; 6) Task B also saw a NULL file private so it also allocates its own file private and then assigns it to the same file structure, since both tasks are using the same file descriptor. At this point we leak the private structure allocated by task A. Besides the memory leak, there's also the detail that both tasks end up using the same cached state record in the private structure (struct btrfs_file_private::llseek_cached_state), which can result in a use-after-free problem since one task can free it while the other is still using it (only one task took a reference count on it). Also, sharing the cached state is not a good idea since it could result in incorrect results in the future - right now it should not be a problem because it end ups being used only in extent-io-tree.c:count_range_bits() where we do range validation before using the cached state. Fix this by protecting the private assignment and check of a file while holding the inode's spinlock and keep track of the task that allocated the private, so that it's used only by that task in order to prevent user-after-free issues with the cached state record as well as potentially using it incorrectly in the future. | 2024-10-21 | 7 | CVE-2024-47741 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: firmware_loader: Block path traversal Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such. However, there are a couple codepaths in the kernel where firmware file names contain string components that are passed through from a device or semi-privileged userspace; the ones I could find (not counting interfaces that require root privileges) are: - lpfc_sli4_request_firmware_update() seems to construct the firmware filename from "ModelName", a string that was previously parsed out of some descriptor ("Vital Product Data") in lpfc_fill_vpd() - nfp_net_fw_find() seems to construct a firmware filename from a model name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I think parses some descriptor that was read from the device. (But this case likely isn't exploitable because the format string looks like "netronome/nic_%s", and there shouldn't be any *folders* starting with "netronome/nic_". The previous case was different because there, the "%s" is *at the start* of the format string.) - module_flash_fw_schedule() is reachable from the ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is enough to pass the privilege check), and takes a userspace-provided firmware name. (But I think to reach this case, you need to have CAP_NET_ADMIN over a network namespace that a special kind of ethernet device is mapped into, so I think this is not a viable attack path in practice.) Fix it by rejecting any firmware names containing ".." path components. For what it's worth, I went looking and haven't found any USB device drivers that use the firmware loader dangerously. | 2024-10-21 | 7.8 | CVE-2024-47742 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: mm: call the security_mmap_file() LSM hook in remap_file_pages() The remap_file_pages syscall handler calls do_mmap() directly, which doesn't contain the LSM security check. And if the process has called personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for RW pages, this will actually result in remapping the pages to RWX, bypassing a W^X policy enforced by SELinux. So we should check prot by security_mmap_file LSM hook in the remap_file_pages syscall handler before do_mmap() is called. Otherwise, it potentially permits an attacker to bypass a W^X policy enforced by SELinux. The bypass is similar to CVE-2016-10044, which bypass the same thing via AIO and can be found in [1]. The PoC: $ cat > test.c int main(void) { size_t pagesz = sysconf(_SC_PAGE_SIZE); int mfd = syscall(SYS_memfd_create, "test", 0); const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE, MAP_SHARED, mfd, 0); unsigned int old = syscall(SYS_personality, 0xffffffff); syscall(SYS_personality, READ_IMPLIES_EXEC | old); syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0); syscall(SYS_personality, old); // show the RWX page exists even if W^X policy is enforced int fd = open("/proc/self/maps", O_RDONLY); unsigned char buf2[1024]; while (1) { int ret = read(fd, buf2, 1024); if (ret <= 0) break; write(1, buf2, ret); } close(fd); } $ gcc test.c -o test $ ./test | grep rwx 7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted) [PM: subject line tweaks] | 2024-10-21 | 7.8 | CVE-2024-47745 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | ether3_ledoff ether3_remove | free_netdev(dev); | put_devic | kfree(dev); | | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2); | // use dev Fix it by ensuring that the timer is canceled before proceeding with the cleanup in ether3_remove. | 2024-10-21 | 7 | CVE-2024-47747 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: vhost_vdpa: assign irq bypass producer token correctly We used to call irq_bypass_unregister_producer() in vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the token pointer is still valid or not. Actually, we use the eventfd_ctx as the token so the life cycle of the token should be bound to the VHOST_SET_VRING_CALL instead of vhost_vdpa_setup_vq_irq() which could be called by set_status(). Fixing this by setting up irq bypass producer's token when handling VHOST_SET_VRING_CALL and un-registering the producer before calling vhost_vring_ioctl() to prevent a possible use after free as eventfd could have been released in vhost_vring_ioctl(). And such registering and unregistering will only be done if DRIVER_OK is set. | 2024-10-21 | 7.8 | CVE-2024-47748 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08 Currently rsv_qp is freed before ib_unregister_device() is called on HIP08. During the time interval, users can still dereg MR and rsv_qp will be used in this process, leading to a UAF. Move the release of rsv_qp after calling ib_unregister_device() to fix it. | 2024-10-21 | 7.8 | CVE-2024-47750 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port() Within kirin_pcie_parse_port(), the pcie->num_slots is compared to pcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would lead to an overflow. Thus, fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move pcie->num_slots increment below the if-statement to avoid out-of-bounds array access. Found by Linux Verification Center (linuxtesting.org) with SVACE. [kwilczynski: commit log] | 2024-10-21 | 7.8 | CVE-2024-47751 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential oob read in nilfs_btree_check_delete() The function nilfs_btree_check_delete(), which checks whether degeneration to direct mapping occurs before deleting a b-tree entry, causes memory access outside the block buffer when retrieving the maximum key if the root node has no entries. This does not usually happen because b-tree mappings with 0 child nodes are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen if the b-tree root node read from a device is configured that way, so fix this potential issue by adding a check for that case. | 2024-10-21 | 7.1 | CVE-2024-47757 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del() The kref_put() function will call nport->release if the refcount drops to zero. The nport->release release function is _efc_nport_free() which frees "nport". But then we dereference "nport" on the next line which is a use after free. Re-order these lines to avoid the use after free. | 2024-10-21 | 7.8 | CVE-2024-49852 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix double free in OPTEE transport Channels can be shared between protocols, avoid freeing the same channel descriptors twice when unloading the stack. | 2024-10-21 | 7.8 | CVE-2024-49853 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix uaf for accessing waker_bfqq after splitting After commit 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq()"), if the current procress is the last holder of bfqq, the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and then access bfqq->waker_bfqq may trigger UAF. What's more, the waker_bfqq may in the merge chain of bfqq, hence just recored waker_bfqq is still not safe. Fix the problem by adding a helper bfq_waker_bfqq() to check if bfqq->waker_bfqq is in the merge chain, and current procress is the only holder. | 2024-10-21 | 7.8 | CVE-2024-49854 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: nbd: fix race between timeout and normal completion If request timetout is handled by nbd_requeue_cmd(), normal completion has to be stopped for avoiding to complete this requeued request, other use-after-free can be triggered. Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime make sure that cmd->lock is grabbed for clearing the flag and the requeue. | 2024-10-21 | 7 | CVE-2024-49855 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: ACPI: sysfs: validate return type of _STR method Only buffer objects are valid return values of _STR. If something else is returned description_show() will access invalid memory. | 2024-10-21 | 7.1 | CVE-2024-49860 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix helper writes to read-only maps Lonial found an issue that despite user- and BPF-side frozen BPF map (like in case of .rodata), it was still possible to write into it from a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT} as arguments. In check_func_arg() when the argument is as mentioned, the meta->raw_mode is never set. Later, check_helper_mem_access(), under the case of PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the subsequent call to check_map_access_type() and given the BPF map is read-only it succeeds. The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT when results are written into them as opposed to read out of them. The latter indicates that it's okay to pass a pointer to uninitialized memory as the memory is written to anyway. However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM just with additional alignment requirement. So it is better to just get rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the fixed size memory types. For this, add MEM_ALIGNED to additionally ensure alignment given these helpers write directly into the args via *<ptr> = val. The .arg*_size has been initialized reflecting the actual sizeof(*<ptr>). MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated argument types, since in !MEM_FIXED_SIZE cases the verifier does not know the buffer size a priori and therefore cannot blindly write *<ptr> = val. | 2024-10-21 | 7.1 | CVE-2024-49861 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: powercap: intel_rapl: Fix off by one in get_rpi() The rp->priv->rpi array is either rpi_msr or rpi_tpmi which have NR_RAPL_PRIMITIVES number of elements. Thus the > needs to be >= to prevent an off by one access. | 2024-10-21 | 7.1 | CVE-2024-49862 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: drm/xe/vm: move xa_alloc to prevent UAF Evil user can guess the next id of the vm before the ioctl completes and then call vm destroy ioctl to trigger UAF since create ioctl is still referencing the same vm. Move the xa_alloc all the way to the end to prevent this. v2: - Rebase (cherry picked from commit dcfd3971327f3ee92765154baebbaece833d3ca9) | 2024-10-21 | 7.8 | CVE-2024-49865 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: btrfs: send: fix buffer overflow detection when copying path to cache entry Starting with commit c0247d289e73 ("btrfs: send: annotate struct name_cache_entry with __counted_by()") we annotated the variable length array "name" from the name_cache_entry structure with __counted_by() to improve overflow detection. However that alone was not correct, because the length of that array does not match the "name_len" field - it matches that plus 1 to include the NUL string terminator, so that makes a fortified kernel think there's an overflow and report a splat like this: strcpy: detected buffer overflow: 20 byte write of buffer size 19 WARNING: CPU: 3 PID: 3310 at __fortify_report+0x45/0x50 CPU: 3 UID: 0 PID: 3310 Comm: btrfs Not tainted 6.11.0-prnet #1 Hardware name: CompuLab Ltd. sbc-ihsw/Intense-PC2 (IPC2), BIOS IPC2_3.330.7 X64 03/15/2018 RIP: 0010:__fortify_report+0x45/0x50 Code: 48 8b 34 (...) RSP: 0018:ffff97ebc0d6f650 EFLAGS: 00010246 RAX: 7749924ef60fa600 RBX: ffff8bf5446a521a RCX: 0000000000000027 RDX: 00000000ffffdfff RSI: ffff97ebc0d6f548 RDI: ffff8bf84e7a1cc8 RBP: ffff8bf548574080 R08: ffffffffa8c40e10 R09: 0000000000005ffd R10: 0000000000000004 R11: ffffffffa8c70e10 R12: ffff8bf551eef400 R13: 0000000000000000 R14: 0000000000000013 R15: 00000000000003a8 FS: 00007fae144de8c0(0000) GS:ffff8bf84e780000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fae14691690 CR3: 00000001027a2003 CR4: 00000000001706f0 Call Trace: <TASK> ? __warn+0x12a/0x1d0 ? __fortify_report+0x45/0x50 ? report_bug+0x154/0x1c0 ? handle_bug+0x42/0x70 ? exc_invalid_op+0x1a/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? __fortify_report+0x45/0x50 __fortify_panic+0x9/0x10 __get_cur_name_and_parent+0x3bc/0x3c0 get_cur_path+0x207/0x3b0 send_extent_data+0x709/0x10d0 ? find_parent_nodes+0x22df/0x25d0 ? mas_nomem+0x13/0x90 ? mtree_insert_range+0xa5/0x110 ? btrfs_lru_cache_store+0x5f/0x1e0 ? iterate_extent_inodes+0x52d/0x5a0 process_extent+0xa96/0x11a0 ? __pfx_lookup_backref_cache+0x10/0x10 ? __pfx_store_backref_cache+0x10/0x10 ? __pfx_iterate_backrefs+0x10/0x10 ? __pfx_check_extent_item+0x10/0x10 changed_cb+0x6fa/0x930 ? tree_advance+0x362/0x390 ? memcmp_extent_buffer+0xd7/0x160 send_subvol+0xf0a/0x1520 btrfs_ioctl_send+0x106b/0x11d0 ? __pfx___clone_root_cmp_sort+0x10/0x10 _btrfs_ioctl_send+0x1ac/0x240 btrfs_ioctl+0x75b/0x850 __se_sys_ioctl+0xca/0x150 do_syscall_64+0x85/0x160 ? __count_memcg_events+0x69/0x100 ? handle_mm_fault+0x1327/0x15c0 ? __se_sys_rt_sigprocmask+0xf1/0x180 ? syscall_exit_to_user_mode+0x75/0xa0 ? do_syscall_64+0x91/0x160 ? do_user_addr_fault+0x21d/0x630 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fae145eeb4f Code: 00 48 89 (...) RSP: 002b:00007ffdf1cb09b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fae145eeb4f RDX: 00007ffdf1cb0ad0 RSI: 0000000040489426 RDI: 0000000000000004 RBP: 00000000000078fe R08: 00007fae144006c0 R09: 00007ffdf1cb0927 R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdf1cb1ce8 R13: 0000000000000003 R14: 000055c499fab2e0 R15: 0000000000000004 </TASK> Fix this by not storing the NUL string terminator since we don't actually need it for name cache entries, this way "name_len" corresponds to the actual size of the "name" array. This requires marking the "name" array field with __nonstring and using memcpy() instead of strcpy() as recommended by the guidelines at: https://github.com/KSPP/linux/issues/90 | 2024-10-21 | 7.8 | CVE-2024-49869 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition In the svc_i3c_master_probe function, &master->hj_work is bound with svc_i3c_master_hj_work, &master->ibi_work is bound with svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the hj_work, svc_i3c_master_irq_handler can start the ibi_work. If we remove the module which will call svc_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | svc_i3c_master_hj_work svc_i3c_master_remove | i3c_master_unregister(&master->base)| device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base Fix it by ensuring that the work is canceled before proceeding with the cleanup in svc_i3c_master_remove. | 2024-10-21 | 7 | CVE-2024-49874 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: drm/xe: fix UAF around queue destruction We currently do stuff like queuing the final destruction step on a random system wq, which will outlive the driver instance. With bad timing we can teardown the driver with one or more work workqueue still being alive leading to various UAF splats. Add a fini step to ensure user queues are properly torn down. At this point GuC should already be nuked so queue itself should no longer be referenced from hw pov. v2 (Matt B) - Looks much safer to use a waitqueue and then just wait for the xa_array to become empty before triggering the drain. (cherry picked from commit 861108666cc0e999cffeab6aff17b662e68774e3) | 2024-10-21 | 7.8 | CVE-2024-49876 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: ext4: fix off by one issue in alloc_flex_gd() Wesley reported an issue: ================================================================== EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks ------------[ cut here ]------------ kernel BUG at fs/ext4/resize.c:324! CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27 RIP: 0010:ext4_resize_fs+0x1212/0x12d0 Call Trace: __ext4_ioctl+0x4e0/0x1800 ext4_ioctl+0x12/0x20 __x64_sys_ioctl+0x99/0xd0 x64_sys_call+0x1206/0x20d0 do_syscall_64+0x72/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e ================================================================== While reviewing the patch, Honza found that when adjusting resize_bg in alloc_flex_gd(), it was possible for flex_gd->resize_bg to be bigger than flexbg_size. The reproduction of the problem requires the following: o_group = flexbg_size * 2 * n; o_size = (o_group + 1) * group_size; n_group: [o_group + flexbg_size, o_group + flexbg_size * 2) o_size = (n_group + 1) * group_size; Take n=0,flexbg_size=16 as an example: last:15 |o---------------|--------------n-| o_group:0 resize to n_group:30 The corresponding reproducer is: img=test.img rm -f $img truncate -s 600M $img mkfs.ext4 -F $img -b 1024 -G 16 8M dev=`losetup -f --show $img` mkdir -p /tmp/test mount $dev /tmp/test resize2fs $dev 248M Delete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE() to prevent the issue from happening again. [ Note: another reproucer which this commit fixes is: img=test.img rm -f $img truncate -s 25MiB $img mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img truncate -s 3GiB $img dev=`losetup -f --show $img` mkdir -p /tmp/test mount $dev /tmp/test resize2fs $dev 3G umount $dev losetup -d $dev -- TYT ] | 2024-10-21 | 7.8 | CVE-2024-49880 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: ext4: aovid use-after-free in ext4_ext_insert_extent() As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and cause UAF. Below is a sample trace with dummy values: ext4_ext_insert_extent path = *ppath = 2000 ext4_ext_create_new_leaf(ppath) ext4_find_extent(ppath) path = *ppath = 2000 if (depth > path[0].p_maxdepth) kfree(path = 2000); *ppath = path = NULL; path = kcalloc() = 3000 *ppath = 3000; return path; /* here path is still 2000, UAF! */ eh = path[depth].p_hdr ================================================================== BUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x26d4/0x3330 Read of size 8 at addr ffff8881027bf7d0 by task kworker/u36:1/179 CPU: 3 UID: 0 PID: 179 Comm: kworker/u6:1 Not tainted 6.11.0-rc2-dirty #866 Call Trace: <TASK> ext4_ext_insert_extent+0x26d4/0x3330 ext4_ext_map_blocks+0xe22/0x2d40 ext4_map_blocks+0x71e/0x1700 ext4_do_writepages+0x1290/0x2800 [...] Allocated by task 179: ext4_find_extent+0x81c/0x1f70 ext4_ext_map_blocks+0x146/0x2d40 ext4_map_blocks+0x71e/0x1700 ext4_do_writepages+0x1290/0x2800 ext4_writepages+0x26d/0x4e0 do_writepages+0x175/0x700 [...] Freed by task 179: kfree+0xcb/0x240 ext4_find_extent+0x7c0/0x1f70 ext4_ext_insert_extent+0xa26/0x3330 ext4_ext_map_blocks+0xe22/0x2d40 ext4_map_blocks+0x71e/0x1700 ext4_do_writepages+0x1290/0x2800 ext4_writepages+0x26d/0x4e0 do_writepages+0x175/0x700 [...] ================================================================== So use *ppath to update the path to avoid the above problem. | 2024-10-21 | 7.8 | CVE-2024-49883 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: ext4: fix slab-use-after-free in ext4_split_extent_at() We hit the following use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 Call Trace: <TASK> kasan_report+0x93/0xc0 ext4_split_extent_at+0xba8/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Allocated by task 40: __kmalloc_noprof+0x1ac/0x480 ext4_find_extent+0xf3b/0x1e70 ext4_ext_map_blocks+0x188/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Freed by task 40: kfree+0xf1/0x2b0 ext4_find_extent+0xa71/0x1e70 ext4_ext_insert_extent+0xa22/0x3260 ext4_split_extent_at+0x3ef/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] ================================================================== The flow of issue triggering is as follows: ext4_split_extent_at path = *ppath ext4_ext_insert_extent(ppath) ext4_ext_create_new_leaf(ppath) ext4_find_extent(orig_path) path = *orig_path read_extent_tree_block // return -ENOMEM or -EIO ext4_free_ext_path(path) kfree(path) *orig_path = NULL a. If err is -ENOMEM: ext4_ext_dirty(path + path->p_depth) // path use-after-free !!! b. If err is -EIO and we have EXT_DEBUG defined: ext4_ext_show_leaf(path) eh = path[depth].p_hdr // path also use-after-free !!! So when trying to zeroout or fix the extent length, call ext4_find_extent() to update the path. In addition we use *ppath directly as an ext4_ext_show_leaf() input to avoid possible use-after-free when EXT_DEBUG is defined, and to avoid unnecessary path updates. | 2024-10-21 | 7.8 | CVE-2024-49884 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
linux -- linux_kernel |
In the Linux kernel, the following vulnerability has been resolved: ext4: avoid use-after-free in ext4_ext_show_leaf() In ext4_find_extent(), path may be freed by error or be reallocated, so using a previously saved *ppath may have been freed and thus may trigger use-after-free, as follows: ext4_split_extent path = *ppath; ext4_split_extent_at(ppath) path = ext4_find_extent(ppath) ext4_split_extent_at(ppath) // ext4_find_extent fails to free path // but zeroout succeeds ext4_ext_show_leaf(inode, path) eh = path[depth].p_hdr // path use-after-free !!! Similar to ext4_split_extent_at(), we use *ppath directly as an input to ext4_ext_show_leaf(). Fix a spelling error by the way. Same problem in ext4_ext_handle_unwritten_extents(). Since 'path' is only used in ext4_ext_show_leaf(), remove 'path' and use *ppath directly. This issue is triggered only when EXT_DEBUG is defined and therefore does not affect functionality. | 2024-10-21 | 7.8 | CVE-2024-49889 |