Reading view

There are new articles available, click to refresh the page.

Fuji Electric Monitouch V-SFT

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.5
  • ATTENTION: Low attack complexity
  • Vendor: Fuji Electric
  • Equipment: Monitouch V-SFT
  • Vulnerabilities: Out-of-Bounds Write, Stack-Based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Fuji Electric's Monitouch V-SFT, a screen configuration software, are affected:

  • Monitouch V-SFT: Versions prior to 6.2.3.0

3.2 Vulnerability Overview

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

The affected product is vulnerable to an out-of-bounds write because of a type confusion, which could result in arbitrary code execution.

CVE-2024-5271 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5271. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 STACK-BASED BUFFER OVERFLOW CWE-121

The affected product is vulnerable to a stack-based buffer overflow, which could allow an attacker to execute arbitrary code.

CVE-2024-34171 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-34171. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

kimiy, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA.

4. MITIGATIONS

Fuji Electric recommends users update the product to Monitouch V-SFT v6.2.3.0.

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • May 30, 2024: Initial Publication

Baxter Welch Allyn Configuration Tool

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.4
  • ATTENTION: Exploitable remotely
  • Vendor: Baxter
  • Equipment: Welch Allyn Configuration Tool
  • Vulnerability: Insufficiently Protected Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to the unintended exposure of credentials to unauthorized users.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Baxter (formerly Hillrom and Welch Allyn) products, are affected:

  • Welch Allyn Product Configuration Tool: Versions 1.9.4.1 and prior

3.2 Vulnerability Overview

3.2.1 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

Any credentials that were used for authentication or input while using the Welch Allyn Configuration Tool have the potential to be compromised and should be changed immediately.

CVE-2024-5176 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2024-5176. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Baxter reported this vulnerability to CISA.

4. MITIGATIONS

Baxter has found no evidence to date of any compromise of personal or health data. Baxter will release a software update for all impacted software to address this vulnerability. A new version of the product that mitigates the vulnerability will be available as follows:

  • Welch Allyn Product Configuration Tool versions 1.9.4.2: Available Q3 2024
  • No user action will be required once the update is released.

Baxter recommends the following workarounds to help reduce risk:

  • Apply proper network and physical security controls.
  • The Welch Allyn Configuration Tool has been removed from public access. Customers are advised to contact Baxter Technical Support or their Baxter Project Manager to create configuration files, as needed. Baxter Technical Support can be reached at (800)535-6663, option 2.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 30, 2024: Initial Publication

CISA Adds Two Known Exploited Vulnerabilities to Catalog

✇US-CERT Current Activity
CISA

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2024-24919 Check Point Quantum Security Gateways Information Disclosure Vulnerability
  • CVE-2024-1086 Linux Kernel Use-After-Free Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Inosoft VisiWin

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.5
  • ATTENTION: Low attack complexity/public exploits are available
  • Vendor: Inosoft
  • Equipment: VisiWin
  • Vulnerability: Incorrect Default Permissions

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain SYSTEM privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Inosoft products are affected:

  • VisiWin 7: All versions prior to version 2024-1

3.2 Vulnerability Overview

3.2.1 INCORRECT DEFAULT PERMISSIONS CWE-276

VisiWin creates a directory with insufficient permissions, allowing a low-level user the ability to add and modify certain files that hold SYSTEM privileges, which could lead to privilege escalation.

CVE-2023-31468 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

A CVSS v4 score has also been calculated for CVE-2023-31468. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

CISA discovered a PoC (Proof of concept) as authored by Carlo Di Dato and reported it to Inosoft.

4. MITIGATIONS

Inosoft recommends users to update to VisiWin version 2024-1.

For more information, please visit VisiWin's support page.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
    CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 30, 2024: Initial Publication

Baxter Welch Allyn Connex Spot Monitor

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.1
  • ATTENTION: Exploitable remotely
  • Vendor: Baxter
  • Equipment: Welch Allyn Connex Spot Monitor (CSM)
  • Vulnerability: Use of Default Cryptographic Key

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to modify device configuration and firmware data. Tampering with this data could lead to device compromise, resulting in impact and/or delay in patient care.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Baxter (formerly manufactured by Hillrom) medical devices are affected:

  • Welch Allyn Connex Spot Monitor (CSM): Versions 1.52 and prior

3.2 Vulnerability Overview

3.2.1 USE OF DEFAULT CRYPTOGRAPHIC KEY CWE-1394

The impacted product uses a default cryptographic key for potentially critical functionality. An attacker could modify device configurations and firmware data, resulting in impact and/or delay in patient care

CVE-2024-1275 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-1275. A base score of 9.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Maarten Boone and Edwin Van Andel (CTO of Zerocopter) reported this vulnerability to Baxter.

4. MITIGATIONS

Baxter has released a software update for all impacted devices and software to address this vulnerability. A new version of the product that mitigates the vulnerability is available as follows:

  • Welch Allyn Connex Spot Monitor: Version 1.52.01 (available October 16, 2023)

Baxter recommends users upgrade to the latest versions of their products. Information on how to update products to their new versions can be found on the Baxter disclosure page or the Hillrom disclosure page.

Baxter recommends the following workarounds to help reduce risk:

  • Apply proper network and physical security controls.
  • Ensure a unique encryption key is configured and applied to the product (as described in the Connex Spot Monitor Service Manual).

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 30, 2024: Initial Publication

LenelS2 NetBox

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: LenelS2
  • Equipment: NetBox
  • Vulnerabilities: Use of Hard-coded Password, OS Command Injection, Argument Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and execute malicious commands with elevated permissions

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of LenelS2, a Carrier Brand, are affected:

  • NetBox: All versions prior to 5.6.2

3.2 Vulnerability Overview

3.2.1 USE OF HARD-CODED PASSWORD CWE-259

LenelS2 NetBox access control and event monitoring system was discovered to contain hard-coded credentials in versions prior to and including 5.6.1, which allows an attacker to bypass authentication requirements.

CVE-2024-2420 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-2420. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78

LenelS2 NetBox access control and event monitoring system was discovered to contain an unauthenticated remote code execution in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands with elevated permissions.

CVE-2024-2421 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-2421. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:H/SA:L).

3.2.3 IMPROPER NEUTRALIZATION OF ARGUMENT DELIMITERS IN A COMMAND ('ARGUMENT INJECTION') CWE-88

LenelS2 NetBox access control and event monitoring system was discovered to contain an authenticated remote code execution in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands.

CVE-2024-2422 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-2422. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Noam Moshe of Claroty Team82 reported these vulnerabilities to CISA.

4. MITIGATIONS

These vulnerabilities have been mitigated in NetBox release 5.6.2. It is strongly recommended that users upgrade to NetBox release 5.6.2 by contacting their authorized installer.
Users should follow recommended deployment guidelines found in the NetBox hardening guide found in the NetBox built-in help menu.

For more information, see Carrier's security bulletin for LenelS2.

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 30, 2024: Initial Publication

Westermo EDW-100

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 9.8
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Westermo
  • Equipment: EDW-100
  • Vulnerabilities: Use of Hard-coded Password, Insufficiently Protected Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access the device using hardcoded credentials and download cleartext username and passwords.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Westermo EDW-100, a Serial to Ethernet converter, are affected:

  • EDW-100: All versions

3.2 Vulnerability Overview

3.2.1 Use of Hard-coded Password CWE-259

Westermo EDW-100 has a hidden administrator account with a hardcoded password. In the firmware package, in "image.bin", the username root and the password for this account are both hard-coded and exposed as strings that can trivially be extracted. Currently there is no way to change this password.

CVE-2024-36080 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-36080. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Insufficiently Protected Credentials CWE-522

Westermo EDW-100 allows an unauthenticated GET request that can download the configuration-file that contains the configuration, username, and passwords in clear-text.

CVE-2024-36081 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-36081. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems, Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Sweden

3.4 RESEARCHER

Nicolai Grødum and Sofia Lindqvist of PwC Norway reported these vulnerabilities to CISA.

4. MITIGATIONS

To mitigate the risks associated with these vulnerabilities, Westermo recommends:

Network segregation, perimeter protection, network to network protection, and physical security measures. EDW-100 functions as an industrial serial to ethernet converter. This means that EDW-100 does not in itself have any of the protective measures you require in a modern security posture, EDW-100 should not be placed at the edge of the network but instead deployed using the techniques mentioned in the IEC 62443 standard.

This means the use of network segregation and perimeter protection which can be accomplished by for example deploying a firewall and the use of VLANs.

If data needs to flow into, or out of, the security zone containing EDW-100 it is important to have network to network protection enabled which for example can be applied with a Virtual Private Network (VPN).

It is also crucial to have physical security measures put in place as the unit can be vulnerable to physical attacks and tampering. A recommendation to mitigate this risk is to place the unit in a separate enclosure with locks and alarms if it opened outside of normal maintenance.

While the unit's design characteristics may necessitate extra precautions, implementing the suggested countermeasures ensures a secure deployment that effectively addresses associated risks.

Westermo recommends replacing EDW-100 with Lynx DSS L105-S1. For further reference see 5-Port Managed Industrial Device Server Switch | L105-S1 ᐈ Westermo.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 30, 2024: Initial Publication

CISA Releases Seven Industrial Control Systems Advisories

✇US-CERT Current Activity
CISA

CISA released seven Industrial Control Systems (ICS) advisories on May 30, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

CISA Adds One Known Exploited Vulnerability to Catalog

✇US-CERT Current Activity
CISA

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2024-4978 Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA Adds One Known Exploited Vulnerability to Catalog

✇US-CERT Current Activity
CISA

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Campbell Scientific CSI Web Server

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 6.9
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Campbell Scientific
  • Equipment: CSI Web Server
  • Vulnerabilities: Path Traversal, Weak Encoding for Password

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to download files and decode stored passwords.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Campbell Scientific CSI Web Server and RTMC (Real-Time Monitoring and Control) Pro, which contains the CSI Web Server are affected:

  • Campbell Scientific CSI Web Server: Versions 1.6 and prior
  • RTMC Pro: Version 5.0 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

The Campbell Scientific CSI Web Server supports a command that will return the most recent file that matches a given expression. A specially crafted expression can lead to a path traversal vulnerability. This command combined with a specially crafted expression allows anonymous, unauthenticated access (allowed by default) by an attacker to files and directories outside of the webserver root directory they should be restricted to.

CVE-2024-5433 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-5433. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.2 WEAK ENCODING FOR PASSWORD CWE-261

The Campbell Scientific CSI Web Server stores web authentication credentials in a file with a specific file name. Passwords within that file are stored in a weakly encoded format. There is no known way to remotely access the file unless it has been manually renamed. However, if an attacker were to gain access to the file, passwords could be decoded and reused to gain access.

CVE-2024-5434 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-5434. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy, Food and Agriculture, Water and Wastewater, and Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Patrick K. Sheehan, Grant Hume, and Donald Macary reported these vulnerabilities to CISA.

4. MITIGATIONS

Campbell Scientific recommends users to update to the version.
For user of CSI Web Server update to the most recent CSI Web Server 1.x patch

For users of RTMC Pro 5 update to the most recent RTMC Pro 5.x patch

For users of RTMC Pro 4 update to the most recent RTMC Pro 4.x patch.

Contact Campbell Scientific for more details.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 28, 2024: Initial Publication

Cisco Releases May 2024 Cisco ASA, FMC, and FTD Software Security Publication

✇US-CERT Current Activity
CISA

Cisco released a bundled publication for security advisories that address vulnerabilities in Cisco Adaptive Security Appliance (ASA), Firepower Management Center (FMC), and Firepower Threat Defense (FTD) software. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.

Users and administrators are encouraged to review the following publication and apply necessary updates:

CISA Adds One Known Exploited Vulnerability to Catalog

✇US-CERT Current Activity
CISA

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

AutomationDirect Productivity PLCs

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: AutomationDirect
  • Equipment: Productivity PLCs
  • Vulnerabilities: Buffer Access with Incorrect Length Value, Out-of-bounds Write, Stack-based Buffer Overflow, Improper Access Control, Active Debug Code, Insufficient Verification of Data Authenticity

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could lead to remote code execution and denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

AutomationDirect reports the following versions of Productivity PLCs are affected:

  • Productivity 3000 P3-550E CPU: FW 1.2.10.9
  • Productivity 3000 P3-550E CPU: SW 4.1.1.10
  • Productivity 3000 P3-550 CPU: FW 1.2.10.9
  • Productivity 3000 P3-550 CPU: SW 4.1.1.10
  • Productivity 3000 P3-530 CPU: FW 1.2.10.9
  • Productivity 3000 P3-530 CPU: SW 4.1.1.10
  • Productivity 2000 P2-550 CPU: FW 1.2.10.10
  • Productivity 2000 P2-550 CPU: SW 4.1.1.10
  • Productivity 1000 P1-550 CPU: FW 1.2.10.10
  • Productivity 1000 P1-550 CPU: SW 4.1.1.10
  • Productivity 1000 P1-540 CPU: FW 1.2.10.10
  • Productivity 1000 P1-540 CPU: SW 4.1.1.10

3.2 Vulnerability Overview

3.2.1 Buffer Access with Incorrect Length Value CWE-805

A heap-based buffer overflow vulnerability exists in the Programming Software Connection FiBurn functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to a buffer overflow. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVE-2024-24851 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24851. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.2 Out-of-bounds Write CWE-787

A length exceeded buffer overflow vulnerability exists in the Programming Software Connection CurrDir functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVE-2024-24946 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24946. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.3 Out-of-bounds Write CWE-787

An allocation failed buffer overflow vulnerability exists in the Programming Software Connection CurrDir functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVE-2024-24947 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24947. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.4 Out-of-bounds Write CWE-787

A null-byte write vulnerability exists in the Programming Software Connection FileSystem API functionality of AutomationDirect P3-550E 1.2.10.9. Specially crafted network packets can lead to heap-based memory corruption. An attacker can send malicious packets to trigger these vulnerabilities.

CVE-2024-24954 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24954. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.5 Out-of-bounds Write CWE-787

A null-byte write vulnerability exists in the Programming Software Connection FileSystem API functionality of AutomationDirect P3-550E 1.2.10.9. Specially crafted network packets can lead to heap-based memory corruption. An attacker can send malicious packets to trigger these vulnerabilities.

CVE-2024-24955 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24955. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.6 Out-of-bounds Write CWE-787

A null-byte write vulnerability exists in the Programming Software Connection FileSystem API functionality of AutomationDirect P3-550E 1.2.10.9. Specially crafted network packets can lead to heap-based memory corruption. An attacker can send malicious packets to trigger these vulnerabilities.

CVE-2024-24956 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24956. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.7 Out-of-bounds Write CWE-787

A null-byte write vulnerability exists in the Programming Software Connection FileSystem API functionality of AutomationDirect P3-550E 1.2.10.9. Specially crafted network packets can lead to heap-based memory corruption. An attacker can send malicious packets to trigger these vulnerabilities.

CVE-2024-24957 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24957. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.8 Out-of-bounds Write CWE-787

A null-byte write vulnerability exists in the Programming Software Connection FileSystem API functionality of AutomationDirect P3-550E 1.2.10.9. Specially crafted network packets can lead to heap-based memory corruption. An attacker can send malicious packets to trigger these vulnerabilities.

CVE-2024-24958 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24958. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.9 Out-of-bounds Write CWE-787

A null-byte write vulnerability exists in the Programming Software Connection FileSystem API functionality of AutomationDirect P3-550E 1.2.10.9. Specially crafted network packets can lead to heap-based memory corruption. An attacker can send malicious packets to trigger these vulnerabilities.

CVE-2024-24959 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24959. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.10 Stack-based Buffer Overflow CWE-121

A stack-based buffer overflow vulnerability exists in the Programming Software Connection FileSelect functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to stack-based buffer overflow. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVE-2024-24962 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24962. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.11 Stack-based Buffer Overflow CWE-121

A stack-based buffer overflow vulnerability exists in the Programming Software Connection FileSelect functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to stack-based buffer overflow. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVE-2024-24963 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24963. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.12 Improper Access Control CWE-284

A write-what-where vulnerability exists in the Programming Software Connection Remote Memory Diagnostics functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to an arbitrary write. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVE-2024-22187 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22187. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.13 Improper Access Control CWE-284

A read-what-where vulnerability exists in the Programming Software Connection IMM 01A1 Memory Read functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVE-2024-23315 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-23315. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.14 Active Debug Code CWE-489

Leftover debug code exists in the Telnet Diagnostic Interface functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted series of network requests can lead to unauthorized access. An attacker can send a sequence of requests to trigger this vulnerability.

CVE-2024-21785 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-21785. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.15 Insufficient Verification of Data Authenticity CWE-345

A code injection vulnerability exists in the scan_lib.bin functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted scan_lib.bin can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2024-23601 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-23601. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Information Technology
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Matt Wiseman of CISCO TALOS reported these vulnerabilities to AutomationDirect.

4. MITIGATIONS

AutomationDirect recommends that users:

  • Update the Productivity Suite programming software to version 4.2.0.x or higher.
  • Update Productivity PLC's firmware to the latest version.

Although Automation Networks and Systems come equipped with built-in password protection mechanisms, this represents a fraction of the security measures needed to safeguard these systems. It is imperative that Automation Control System Networks integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems. AutomationDirect advises users of PLCs, HMI products, and SCADA systems to conduct a thorough network security analysis to ascertain the appropriate level of security necessary for their specific application.

AutomationDirect has identified the following mitigation for instances where systems cannot be upgraded to latest version:

  • Physically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems.
  • Configure network segmentation to isolate PLC from other devices and systems withing the organization.
  • Implement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC.

Please refer to the following link for supporting information related to security considerations. https://support.automationdirect.com/docs/securityconsiderations.pdf

If you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 23, 2024: Initial Publication

Rockwell Automation Encourages Customers to Assess and Secure Public-Internet-Exposed Assets

✇US-CERT Current Activity
CISA

Rockwell Automation has released guidance encouraging users to remove connectivity on all Industrial Control Systems (ICS) devices connected to the public-facing internet to reduce exposure to unauthorized or malicious cyber activity. 

Users and administrators are encouraged review the following Rockwell Automation notice for more information:
 

LCDS LAquis SCADA

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.5
  • ATTENTION: Low attack complexity
  • Vendor: LCDS - Leão Consultoria e Desenvolvimento de Sistemas Ltda ME
  • Equipment: LAquis SCADA
  • Vulnerabilities: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to read and write files outside of their own directory.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of LAquis SCADA, an HMI program, are affected:

  • LAquis SCADA: Versions 4.7.1.7 and prior

3.2 Vulnerability Overview

3.2.1 Path Traversal CWE-22

There are multiple ways in LAquis SCADA for an attacker to access locations outside of their own directory.

CVE-2024-5040 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5040. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Commercial Facilities, Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: South America
  • COMPANY HEADQUARTERS LOCATION: Brazil

3.4 RESEARCHER

Natnael Samson working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

LCDS recommends users update to version 4.7.1.371 or newer of LAquis SCADA. which has been configured to resolve the reported path traversal issues.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Ensure that principles of least privilege are followed.
  • Restrict physical access to critical systems.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • May 21, 2024: Initial Publication

Vulnerability Summary for the Week of May 13, 2024

✇US-CERT Current Activity
CISA

High Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source & Patch Info
8theme--XStore Core
 		 Improper Privilege Management vulnerability in 8theme XStore Core allows Privilege Escalation.This issue affects XStore Core: from n/a through 5.3.8. 2024-05-17 9.8 CVE-2024-33552
audit@patchstack.com
8theme--XStore Core
 		 Unrestricted Upload of File with Dangerous Type vulnerability in 8theme XStore Core.This issue affects XStore Core: from n/a through 5.3.8. 2024-05-17 8.2 CVE-2024-33556
audit@patchstack.com
AA-Team--WZone
 		 Improper Privilege Management vulnerability in AA-Team WZone allows Privilege Escalation.This issue affects WZone: from n/a through 14.0.10. 2024-05-17 8.8 CVE-2024-33549
audit@patchstack.com
ABB--RobotWare 6
 		 An attacker who successfully exploited these vulnerabilities could cause the robot to stop, make the robot controller inaccessible, or execute arbitrary code.  The vulnerability could potentially be exploited to perform unauthorized actions by an attacker. This vulnerability arises under specific condition when specially crafted message is processed by the system. Below are reported vulnerabilities in the Robot Ware versions. * IRC5- RobotWare 6 < 6.15.06 except 6.10.10, and 6.13.07 * OmniCore- RobotWare 7 < 7.14 2024-05-14 7.6 CVE-2024-1913
cybersecurity@ch.abb.com
AROX SOLUTION--School ERP Pro+Responsive
 		 Vulnerability in School ERP Pro+Responsive 1.0 that allows SQL injection through the '/SchoolERP/office_admin/' index in the parameters groups_id, examname, classes_id, es_voucherid, es_class, etc. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the database. 2024-05-14 9.8 CVE-2024-4824
cve-coordination@incibe.es
Abdul Hakeem--Build App Online
 		 Improper Privilege Management vulnerability in Abdul Hakeem Build App Online allows Privilege Escalation.This issue affects Build App Online: from n/a through 1.0.19. 2024-05-17 8.8 CVE-2023-51479
audit@patchstack.com
Adobe--Acrobat Reader
 		 Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-15 7.8 CVE-2024-30284
psirt@adobe.com
Adobe--Acrobat Reader
 		 Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-15 7.8 CVE-2024-30310
psirt@adobe.com
Adobe--Acrobat Reader
 		 Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-15 7.8 CVE-2024-34094
psirt@adobe.com
Adobe--Acrobat Reader
 		 Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-15 7.8 CVE-2024-34095
psirt@adobe.com
Adobe--Acrobat Reader
 		 Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-15 7.8 CVE-2024-34096
psirt@adobe.com
Adobe--Acrobat Reader
 		 Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-15 7.8 CVE-2024-34097
psirt@adobe.com
Adobe--Acrobat Reader
 		 Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-15 7.8 CVE-2024-34098
psirt@adobe.com
Adobe--Acrobat Reader
 		 Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-15 7.8 CVE-2024-34099
psirt@adobe.com
Adobe--Acrobat Reader
 		 Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-15 7.8 CVE-2024-34100
psirt@adobe.com
Adobe--Adobe Aero Desktop
 		 Adobe Aero Desktop versions 23.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-30275
psirt@adobe.com
Adobe--Adobe Framemaker
 		 Adobe Framemaker versions 2020.5, 2022.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-30288
psirt@adobe.com
Adobe--Adobe Framemaker
 		 Adobe Framemaker versions 2020.5, 2022.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-30289
psirt@adobe.com
Adobe--Adobe Framemaker
 		 Adobe Framemaker versions 2020.5, 2022.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-30290
psirt@adobe.com
Adobe--Adobe Framemaker
 		 Adobe Framemaker versions 2020.5, 2022.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-30291
psirt@adobe.com
Adobe--Adobe Framemaker
 		 Adobe Framemaker versions 2020.5, 2022.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-30292
psirt@adobe.com
Adobe--Animate
 		 Animate versions 24.0.2, 23.0.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-30282
psirt@adobe.com
Adobe--Animate
 		 Animate versions 24.0.2, 23.0.5 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-30293
psirt@adobe.com
Adobe--Animate
 		 Animate versions 24.0.2, 23.0.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-30294
psirt@adobe.com
Adobe--Animate
 		 Animate versions 24.0.2, 23.0.5 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-30295
psirt@adobe.com
Adobe--Animate
 		 Animate versions 24.0.2, 23.0.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-30296
psirt@adobe.com
Adobe--Animate
 		 Animate versions 24.0.2, 23.0.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-30297
psirt@adobe.com
Adobe--Dreamweaver Desktop
 		 Dreamweaver Desktop versions 21.3 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. Exploitation of this issue does require user interaction. 2024-05-16 9.3 CVE-2024-30314
psirt@adobe.com
Adobe--Illustrator
 		 Illustrator versions 28.4, 27.9.3 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-20791
psirt@adobe.com
Adobe--Illustrator
 		 Illustrator versions 28.4, 27.9.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-20792
psirt@adobe.com
Adobe--Substance3D - Painter
 		 Substance3D - Painter versions 9.1.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-30274
psirt@adobe.com
Adobe--Substance3D - Painter
 		 Substance3D - Painter versions 9.1.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 7.8 CVE-2024-30307
psirt@adobe.com
Agentejo--Cockpit CMS
 		 A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in '/media/api' parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure. 2024-05-14 9.8 CVE-2024-4825
cve-coordination@incibe.es
Apache Friends--XAMPP
 		 Uncontrolled resource consumption vulnerability in XAMPP Windows, versions 7.3.2 and earlier. This vulnerability exists when XAMPP attempts to process many incomplete HTTP requests, resulting in resource consumption and system crashes. 2024-05-17 7.5 CVE-2024-5055
cve-coordination@incibe.es
Asaancart--Simple PHP Shopping Cart
 		 SQL injection vulnerability in Simple PHP Shopping Cart affecting version 0.9. This vulnerability could allow an attacker to retrieve all the information stored in the database by sending a specially crafted SQL query, due to the lack of proper sanitisation of the category_id parameter in the category.php file. 2024-05-16 9.8 CVE-2024-4826
cve-coordination@incibe.es
Astoundify--Simple Registration for WooCommerce
 		 Improper Privilege Management vulnerability in Astoundify Simple Registration for WooCommerce allows Privilege Escalation.This issue affects Simple Registration for WooCommerce: from n/a through 1.5.6. 2024-05-17 9.8 CVE-2024-32511
audit@patchstack.com
Averta--Phlox Portfolio
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Averta Phlox Portfolio allows PHP Local File Inclusion.This issue affects Phlox Portfolio: from n/a through 2.3.1. 2024-05-17 8.6 CVE-2023-38399
audit@patchstack.com
Averta--Phlox Shop
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Averta Phlox Shop allows PHP Local File Inclusion.This issue affects Phlox Shop: from n/a through 2.0.0. 2024-05-17 8.6 CVE-2023-39163
audit@patchstack.com
B&R Industrial Automation--Automation Studio
 		 Improper DLL loading algorithms in B&R Automation Studio may allow an authenticated local attacker to execute code with elevated privileges. This issue affects Automation Studio versions before 4.12. 2024-05-14 7.2 CVE-2021-22280
cybersecurity@ch.abb.com
B&R Industrial Automation--Scene Viewer
 		 An authenticated local attacker who successfully exploited this vulnerability could insert and run arbitrary code using legitimate B&R software's. An Uncontrolled Search Path Element vulnerability in B&R Industrial Automation Scene Viewer, B&R Industrial  Automation Runtime, B&R Industrial Automation mapp Vision, B&R Industrial Automation mapp View, B&R Industrial Automation mapp Cockpit, B&R Industrial Automation mapp Safety, B&R Industrial Automation VC4 could allow an authenticated local attacker to execute malicious code by placing specially crafted files in the loading search path. This issue affects Scene Viewer: before 4.4.0; Automation Runtime: before J4.93; mapp Vision: before 5.26.1; mapp View: before 5.24.2; mapp Cockpit: before 5.24.2; mapp Safety: before 5.24.2; VC4: before 4.73.2. 2024-05-14 7.2 CVE-2024-2637
cybersecurity@ch.abb.com
BoldGrid--Total Upkeep
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in BoldGrid Total Upkeep allows Relative Path Traversal.This issue affects Total Upkeep: from n/a through 1.15.8. 2024-05-17 7.5 CVE-2024-24869
audit@patchstack.com
Booking Ultra Pro--Booking Ultra Pro
 		 Improper Privilege Management vulnerability in Booking Ultra Pro allows Privilege Escalation.This issue affects Booking Ultra Pro: from n/a through 1.1.12. 2024-05-17 8.8 CVE-2024-32960
audit@patchstack.com
Brainstorm Force--ConvertPlus
 		 The ConvertPlus plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.26 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_modal' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. 2024-05-16 8.8 CVE-2024-4838
security@wordfence.com
security@wordfence.com
Brainstorm Force--Spectra Pro
 		 The Spectra Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.1.5. This is due to the plugin allowing lower-privileged users to create registration forms and set the default role to administrator This makes it possible for authenticated attackers, with author-level access and above, to create administrator-level accounts. 2024-05-14 8.8 CVE-2024-3828
security@wordfence.com
security@wordfence.com
Brainstorm Force--Ultimate Addons for Beaver Builder
 		 Improper Privilege Management vulnerability in Brainstorm Force Ultimate Addons for Beaver Builder allows Privilege Escalation.This issue affects Ultimate Addons for Beaver Builder: from n/a through 1.35.14. 2024-05-17 8.8 CVE-2023-51398
audit@patchstack.com
Brainstorm Force--Ultimate Addons for Elementor
 		 Improper Privilege Management vulnerability in Brainstorm Force Ultimate Addons for Elementor allows Privilege Escalation.This issue affects Ultimate Addons for Elementor: from n/a through 1.36.20. 2024-05-17 8.8 CVE-2023-50890
audit@patchstack.com
Brainstorm Force--Ultimate Addons for WPBakery Page Builder
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows PHP Local File Inclusion.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through 3.19.14. 2024-05-17 7.1 CVE-2023-46205
audit@patchstack.com
Breakdance--Breakdance
 		 The Breakdance plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.7.1 via post meta data. This is due to the plugin storing custom data in metadata without an underscore prefix. This makes it possible for lower privileged users, such as contributors, to edit this data via UI. As a result they can escalate their privileges or execute arbitrary code. 2024-05-14 8.8 CVE-2024-4605
security@wordfence.com
security@wordfence.com
By Averta--Shortcodes and extra features for Phlox theme
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in By Averta Shortcodes and extra features for Phlox theme allows PHP Local File Inclusion.This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.14.0. 2024-05-17 7.6 CVE-2023-37888
audit@patchstack.com
Cacti--cacti
 		 Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc. 2024-05-14 10 CVE-2024-29895
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Cacti--cacti
 		 Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue. 2024-05-14 9.1 CVE-2024-25641
security-advisories@github.com
security-advisories@github.com
Cacti--cacti
 		 Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` use `password_hash` if there is it, else use `md5`. When verifying password, it calls `compat_password_verify`. In `compat_password_verify`, `password_verify` is called if there is it, else use `md5`. `password_verify` and `password_hash` are supported on PHP < 5.5.0, following PHP manual. The vulnerability is in `compat_password_verify`. Md5-hashed user input is compared with correct password in database by `$md5 == $hash`. It is a loose comparison, not `===`. It is a type juggling vulnerability. Version 1.2.27 contains a patch for the issue. 2024-05-14 9.1 CVE-2024-34340
security-advisories@github.com
Cacti--cacti
 		 Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, the `get_request_var('filter')` is being concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, The filter of `'filter'` is `FILTER_DEFAULT`, which means there is no filter for it. Version 1.2.27 contains a patch for the issue. 2024-05-14 8.8 CVE-2024-31445
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Cacti--cacti
 		 Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in database. The read data is directly used to concatenate the file path which is used for file inclusion. Version 1.2.27 contains a patch for the issue. 2024-05-14 8 CVE-2024-31459
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Cacti--cacti
 		 Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who access a particular page. Version 1.2.27 contains a patch for the issue. 2024-05-14 7.6 CVE-2024-27082
security-advisories@github.com
Cerberus FTP Enterprise--Cerberus FTP Enterprise
 		 Denial of Service (DoS) vulnerability for Cerberus Enterprise 8.0.10.3 web administration. The vulnerability exists when the web server, default port 10001, attempts to process a large number of incomplete HTTP requests. 2024-05-17 7.5 CVE-2024-5052
cve-coordination@incibe.es
Cisco--Cisco ConfD
 		 A vulnerability in the ConfD CLI and the Cisco Crosswork Network Services Orchestrator CLI could allow an authenticated, low-privileged, local attacker to read and write arbitrary files as root on the underlying operating system. This vulnerability is due to improper authorization enforcement when specific CLI commands are used. An attacker could exploit this vulnerability by executing an affected CLI command with crafted arguments. A successful exploit could allow the attacker to read or write arbitrary files on the underlying operating system with the privileges of the root user. 2024-05-16 7.8 CVE-2024-20326
ykramarz@cisco.com
ykramarz@cisco.com
Cisco--Cisco ConfD
 		 A vulnerability in the ConfD CLI and the Cisco Crosswork Network Services Orchestrator CLI could allow an authenticated, low-privileged, local attacker to read and write arbitrary files as root on the underlying operating system. This vulnerability is due to improper authorization enforcement when specific CLI commands are used. An attacker could exploit this vulnerability by executing an affected CLI command with crafted arguments. A successful exploit could allow the attacker to read or write arbitrary files on the underlying operating system with the privileges of the root user. 2024-05-16 7.8 CVE-2024-20389
ykramarz@cisco.com
ykramarz@cisco.com
Cisco--Cisco Network Services Orchestrator
 		 A vulnerability in the Tail-f High Availability Cluster Communications (HCC) function pack of Cisco Crosswork Network Services Orchestrator (NSO) could allow an authenticated, local attacker to elevate privileges to root on an affected device. This vulnerability exists because a user-controlled search path is used to locate executable files. An attacker could exploit this vulnerability by configuring the application in a way that causes a malicious file to be executed. A successful exploit could allow the attacker to execute arbitrary code on an affected device as the root user. To exploit this vulnerability, the attacker would need valid credentials on an affected device. 2024-05-15 7.8 CVE-2024-20366
ykramarz@cisco.com
CodeRevolution--Demo My WordPress
 		 Improper Privilege Management vulnerability in CodeRevolution Demo My WordPress allows Privilege Escalation.This issue affects Demo My WordPress: from n/a through 1.0.9.1. 2024-05-17 9.8 CVE-2024-31290
audit@patchstack.com
Contemporary Control System--BASrouter BACnet BASRT-B
 		 A vulnerability classified as critical was found in Contemporary Control System BASrouter BACnet BASRT-B 2.7.2. This vulnerability affects unknown code of the component Application Protocol Data Unit. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-263890 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-05-14 7.5 CVE-2024-4791
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Copymatic--Copymatic AI Content Writer & Generator
 		 Unrestricted Upload of File with Dangerous Type vulnerability in Copymatic Copymatic - AI Content Writer & Generator.This issue affects Copymatic - AI Content Writer & Generator: from n/a through 1.6. 2024-05-17 10 CVE-2024-31351
audit@patchstack.com
Crocoblock--JetEngine
 		 Improper Privilege Management vulnerability in Crocoblock JetEngine allows Privilege Escalation.This issue affects JetEngine: from n/a through 3.2.4. 2024-05-17 8.8 CVE-2023-48757
audit@patchstack.com
Crocoblock--JetFormBuilder
 		 Improper Privilege Management vulnerability in Crocoblock JetFormBuilder allows Privilege Escalation.This issue affects JetFormBuilder: from n/a through 3.0.8. 2024-05-17 7.2 CVE-2023-37866
audit@patchstack.com
CyberPower--CyberPower PowerPanel Enterprise
 		 An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application. 2024-05-14 9.8 CVE-2024-32735
vulnreport@tenable.com
vulnreport@tenable.com
CyberPower--CyberPower PowerPanel Enterprise
 		 A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_utask_verbose" function within MCUDBHelper. 2024-05-14 7.5 CVE-2024-32736
vulnreport@tenable.com
vulnreport@tenable.com
CyberPower--CyberPower PowerPanel Enterprise
 		 A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_contract_result" function within MCUDBHelper. 2024-05-14 7.5 CVE-2024-32737
vulnreport@tenable.com
vulnreport@tenable.com
CyberPower--CyberPower PowerPanel Enterprise
 		 A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_ptask_lean" function within MCUDBHelper. 2024-05-14 7.5 CVE-2024-32738
vulnreport@tenable.com
vulnreport@tenable.com
CyberPower--CyberPower PowerPanel Enterprise
 		 A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_ptask_verbose" function within MCUDBHelper. 2024-05-14 7.5 CVE-2024-32739
vulnreport@tenable.com
vulnreport@tenable.com
CyberPower--PowerPanel business
 		 Hard-coded credentials for the CyberPower PowerPanel test server can be found in the production code. This might result in an attacker gaining access to the testing or production server. 2024-05-15 9.8 CVE-2024-32047
ics-cert@hq.dhs.gov
ics-cert@hq.dhs.gov
CyberPower--PowerPanel business
 		 Hard-coded credentials are used by the  CyberPower PowerPanel platform to authenticate to the database, other services, and the cloud. This could result in an attacker gaining access to services with the privileges of a Powerpanel business application. 2024-05-15 9.8 CVE-2024-32053
ics-cert@hq.dhs.gov
ics-cert@hq.dhs.gov
CyberPower--PowerPanel business
 		 CyberPower PowerPanel business application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens to bypass authentication. 2024-05-15 9.8 CVE-2024-33625
ics-cert@hq.dhs.gov
ics-cert@hq.dhs.gov
CyberPower--PowerPanel business
 		 CyberPower PowerPanel business application code contains a hard-coded set of authentication credentials. This could result in an attacker bypassing authentication and gaining administrator privileges. 2024-05-15 9.8 CVE-2024-34025
ics-cert@hq.dhs.gov
ics-cert@hq.dhs.gov
CyberPower--PowerPanel business
 		 An attacker with certain MQTT permissions can create malicious messages to all CyberPower PowerPanel devices. This could result in an attacker injecting SQL syntax, writing arbitrary files to the system, and executing remote code. 2024-05-15 8.8 CVE-2024-31856
ics-cert@hq.dhs.gov
ics-cert@hq.dhs.gov
CyberPower--PowerPanel business
 		 A specially crafted Zip file containing path traversal characters can be imported to the CyberPower PowerPanel server, which allows file writing to the server outside the intended scope, and could allow an attacker to achieve remote code execution. 2024-05-15 8.8 CVE-2024-33615
ics-cert@hq.dhs.gov
ics-cert@hq.dhs.gov
CyberPower--PowerPanel business
 		 The devices which CyberPower PowerPanel manages use identical certificates based on a hard-coded cryptographic key. This can allow an attacker to impersonate any client in the system and send malicious data. 2024-05-15 7.7 CVE-2024-31410
ics-cert@hq.dhs.gov
ics-cert@hq.dhs.gov
CycloneDX--cyclonedx-javascript-library
 		 The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1. 2024-05-14 8.1 CVE-2024-34345
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Darren Cooney--Instant Images
 		 Improper Privilege Management vulnerability in Darren Cooney Instant Images allows Privilege Escalation.This issue affects Instant Images: from n/a through 6.1.0. 2024-05-17 7.2 CVE-2024-33569
audit@patchstack.com
Dell--CPG BIOS
 		 Dell BIOS contains an Improper Input Validation vulnerability. A local authenticated malicious user with admin privileges could potentially exploit this vulnerability, leading to arbitrary code execution. 2024-05-17 7.5 CVE-2024-22429
security_alert@emc.com
DigiWin--EasyFlow .NET
 		 DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This vulnerability enables unauthorized access to read, modify, and delete database records, as well as execute system commands. 2024-05-15 9.8 CVE-2024-4893
twcert@cert.org.tw
twcert@cert.org.tw
Elementor--Elementor Website Builder
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Elementor Elementor Website Builder allows Manipulating Web Input to File System Calls.This issue affects Elementor Website Builder: from n/a through 3.19.0. 2024-05-17 8.5 CVE-2024-24934
audit@patchstack.com
EnterpriseDB--EDB Postgres Advanced Server
 		 All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 prior to 15.7.0 and from 16.0 prior to 16.3.0 may allow users using edbldr to bypass role permissions from pg_read_server_files. This could allow low privilege users to read files to which they would not otherwise have access. 2024-05-14 7.7 CVE-2024-4545
20be33e2-bf35-4d13-8fad-18bd2f3e3659
20be33e2-bf35-4d13-8fad-18bd2f3e3659
20be33e2-bf35-4d13-8fad-18bd2f3e3659
EverPress--Mailster
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in EverPress Mailster allows PHP Local File Inclusion.This issue affects Mailster: from n/a through 4.0.6. 2024-05-17 8.1 CVE-2024-32523
audit@patchstack.com
Favethemes--Houzez Login Register
 		 Improper Privilege Management vulnerability in favethemes Houzez Login Register allows Privilege Escalation.This issue affects Houzez Login Register: from n/a through 2.6.3. 2024-05-17 9.8 CVE-2023-26009
audit@patchstack.com
Favethemes--Houzez
 		 Improper Privilege Management vulnerability in Favethemes Houzez allows Privilege Escalation.This issue affects Houzez: from n/a through 2.7.1. 2024-05-17 9.8 CVE-2023-26540
audit@patchstack.com
Fortinet--FortiOS
 		 A stack-based buffer overflow [CWE-121] vulnerability in Fortinet FortiOS version 7.2.1 through 7.2.6 and version 7.4.0 through 7.4.1 allows a privileged attacker over the administrative interface to execute arbitrary code or commands via crafted HTTP or HTTPs requests. 2024-05-14 7.2 CVE-2023-46714
psirt@fortinet.com
Fortinet--FortiPortal
 		 A Use Of Less Trusted Source [CWE-348] vulnerability in Fortinet FortiPortal version 7.0.0 through 7.0.6 and version 7.2.0 through 7.2.1 allows an unauthenticated attack to bypass IP protection through crafted HTTP or HTTPS packets. 2024-05-14 7.5 CVE-2024-23105
psirt@fortinet.com
Fortinet--FortiSandbox
 		 A client-side enforcement of server-side security in Fortinet FortiSandbox version 4.4.0 through 4.4.4 and 4.2.0 through 4.2.6 allows attacker to execute unauthorized code or commands via HTTP requests. 2024-05-14 8.8 CVE-2024-31491
psirt@fortinet.com
Fortinet--FortiVoice
 		 An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiVoiceEntreprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to read the SIP configuration of other users via crafted HTTP or HTTPS requests. 2024-05-14 7.1 CVE-2023-40720
psirt@fortinet.com
GE HealthCare--EchoPAC Software Only
 		 Weak account password in GE HealthCare EchoPAC products 2024-05-14 9.6 CVE-2024-27107
171caf72-b841-4e04-a68e-93493aff2b94
GE HealthCare--EchoPAC Software Only
 		 Elevation of privilege vulnerability in GE HealthCare EchoPAC products 2024-05-14 8.4 CVE-2024-27110
171caf72-b841-4e04-a68e-93493aff2b94
GE HealthCare--EchoPAC Software Only
 		 Insufficiently protected credentials in GE HealthCare EchoPAC products 2024-05-14 7.6 CVE-2024-27109
171caf72-b841-4e04-a68e-93493aff2b94
GE HealthCare--Venue
 		 OS command injection vulnerabilities in GE HealthCare ultrasound devices 2024-05-14 8.4 CVE-2024-1628
171caf72-b841-4e04-a68e-93493aff2b94
GE HealthCare--Venue
 		 Elevation of privileges via misconfigured access control list in GE HealthCare ultrasound devices 2024-05-14 7.4 CVE-2024-1486
171caf72-b841-4e04-a68e-93493aff2b94
GE HealthCare--Venue
 		 Path traversal vulnerability in "getAllFolderContents" function of Common Service Desktop, a GE HealthCare ultrasound device component 2024-05-14 7.7 CVE-2024-1630
171caf72-b841-4e04-a68e-93493aff2b94
Ghost Foundation--Ghost
 		 Insertion of Sensitive Information into Log File vulnerability in Ghost Foundation Ghost.This issue affects Ghost: from n/a through 1.4.0. 2024-05-14 7.5 CVE-2024-34559
audit@patchstack.com
GiveWP--GiveWP
 		 Improper Privilege Management vulnerability in GiveWP allows Privilege Escalation.This issue affects GiveWP: from n/a through 2.33.0. 2024-05-17 8.8 CVE-2023-41665
audit@patchstack.com
Glowlogix--WP Frontend Profile
 		 Improper Privilege Management vulnerability in Glowlogix WP Frontend Profile allows Privilege Escalation.This issue affects WP Frontend Profile: from n/a through 1.3.1. 2024-05-17 9.8 CVE-2023-51483
audit@patchstack.com
HCL Software--Commerce
 		 Security vulnerability in HCL Commerce 9.1.12 and 9.1.13 could allow denial of service, disclosure of user personal data, and performing of unauthorized administrative operations. 2024-05-14 7.1 CVE-2024-23576
psirt@hcl.com
Hamid Alinia idehweb--Login with phone number
 		 Improper Privilege Management vulnerability in Hamid Alinia - idehweb Login with phone number allows Privilege Escalation.This issue affects Login with phone number: from n/a through 1.7.16. 2024-05-17 8.8 CVE-2024-32507
audit@patchstack.com
HasThemes--HT Mega
 		 Improper Privilege Management vulnerability in HasThemes HT Mega allows Privilege Escalation.This issue affects HT Mega: from n/a through 2.2.0. 2024-05-17 9.8 CVE-2023-37999
audit@patchstack.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 There are buffer overflow vulnerabilities in the underlying CLI service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system. 2024-05-14 9.8 CVE-2024-31466
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 There are buffer overflow vulnerabilities in the underlying CLI service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system. 2024-05-14 9.8 CVE-2024-31467
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 There are buffer overflow vulnerabilities in the underlying Central Communications service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system. 2024-05-14 9.8 CVE-2024-31468
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 There are buffer overflow vulnerabilities in the underlying Central Communications service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system. 2024-05-14 9.8 CVE-2024-31469
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 There is a buffer overflow vulnerability in the underlying SAE (Simultaneous Authentication of Equals) service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system. 2024-05-14 9.8 CVE-2024-31470
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 There is a command injection vulnerability in the underlying Central Communications service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system. 2024-05-14 9.8 CVE-2024-31471
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 There are command injection vulnerabilities in the underlying Soft AP Daemon service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system. 2024-05-14 9.8 CVE-2024-31472
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 There is a command injection vulnerability in the underlying deauthentication service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system. 2024-05-14 9.8 CVE-2024-31473
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 There is an arbitrary file deletion vulnerability in the CLI service accessed by PAPI (Aruba's Access Point management protocol). Successful exploitation of this vulnerability results in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the affected Access Point 2024-05-14 8.2 CVE-2024-31474
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 There is an arbitrary file deletion vulnerability in the Central Communications service accessed by PAPI (Aruba's access point management protocol). Successful exploitation of this vulnerability results in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the affected Access Point. 2024-05-14 8.2 CVE-2024-31475
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 Multiple authenticated command injection vulnerabilities exist in the command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. 2024-05-14 7.2 CVE-2024-31476
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 Multiple authenticated command injection vulnerabilities exist in the command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. 2024-05-14 7.2 CVE-2024-31477
security-alert@hpe.com
Huawei--HarmonyOS
 		 Race condition vulnerability in the binder driver module Impact: Successful exploitation of this vulnerability will affect availability. 2024-05-14 8.4 CVE-2024-32997
psirt@huawei.com
psirt@huawei.com
Huawei--HarmonyOS
 		 Privilege escalation vulnerability in the PMS module Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2024-05-14 7.1 CVE-2023-52719
psirt@huawei.com
psirt@huawei.com
Huawei--HarmonyOS
 		 Permission verification vulnerability in the wpa_supplicant module Impact: Successful exploitation of this vulnerability will affect availability. 2024-05-14 7.5 CVE-2024-32991
psirt@huawei.com
psirt@huawei.com
Huawei--HarmonyOS
 		 Insufficient verification vulnerability in the baseband module Impact: Successful exploitation of this vulnerability will affect availability. 2024-05-14 7.5 CVE-2024-32992
psirt@huawei.com
psirt@huawei.com
IBM--AIX
 		 IBM AIX could 7.2, 7.3, VIOS 3.1, and VIOS 4.1 allow a non-privileged local user to exploit a vulnerability in the invscout command to execute arbitrary commands. IBM X-Force ID: 283985. 2024-05-16 8.4 CVE-2024-27260
psirt@us.ibm.com
psirt@us.ibm.com
IBM--Security Guardium
 		 IBM Security Guardium 11.3, 11.4, 11.5, and 12.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 271524. 2024-05-14 9.1 CVE-2023-47709
psirt@us.ibm.com
psirt@us.ibm.com
IBM--Security Guardium
 		 IBM Security Guardium 11.3, 11.4, 11.5, and 12.0 could allow a local user to gain elevated privileges on the system due to improper permissions control. IBM X-Force ID: 271527. 2024-05-14 7.8 CVE-2023-47712
psirt@us.ibm.com
psirt@us.ibm.com
IBM--i
 		 IBM i 7.2, 7.3, and 7.4 could allow a remote attacker to execute arbitrary code leading to a denial of service of network ports on the system, caused by the deserialization of untrusted data. IBM X-Force ID: 287539. 2024-05-18 7.5 CVE-2024-31879
psirt@us.ibm.com
psirt@us.ibm.com
IOSS--WP MLM Unilevel
 		 Improper Privilege Management vulnerability in IOSS WP MLM Unilevel allows Privilege Escalation.This issue affects WP MLM Unilevel: from n/a through 4.0. 2024-05-17 9.8 CVE-2023-51476
audit@patchstack.com
InstaWP Team--InstaWP Connect
 		 Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation.This issue affects InstaWP Connect: from n/a through 0.1.0.8. 2024-05-17 8.8 CVE-2024-22145
audit@patchstack.com
J.N. Breetvelt a.k.a. OpaJaap--WP Photo Album Plus
 		 Unrestricted Upload of File with Dangerous Type vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a through 8.7.01.001. 2024-05-14 10 CVE-2024-31377
audit@patchstack.com
JR King/Eran Schoellhorn--WP Masquerade
 		 Improper Privilege Management vulnerability in JR King/Eran Schoellhorn WP Masquerade allows Privilege Escalation.This issue affects WP Masquerade: from n/a through 1.1.0. 2024-05-17 8.8 CVE-2024-33550
audit@patchstack.com
JS Help Desk--JS Help Desk Best Help Desk & Support Plugin
 		 Unrestricted Upload of File with Dangerous Type vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin allows Using Malicious Files.This issue affects JS Help Desk - Best Help Desk & Support Plugin: from n/a through 2.7.7. 2024-05-17 9.1 CVE-2023-25444
audit@patchstack.com
Jordy Meow--AI Engine: ChatGPT Chatbot
 		 Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.2.63. 2024-05-14 9.1 CVE-2024-34440
audit@patchstack.com
Joseph C Dolson--My Tickets
 		 Missing Authorization vulnerability in Joseph C Dolson My Tickets.This issue affects My Tickets: from n/a through 1.9.11. 2024-05-17 7.5 CVE-2023-23988
audit@patchstack.com
JumpDEMAND Inc.--ActiveDEMAND
 		 Unrestricted Upload of File with Dangerous Type vulnerability in JumpDEMAND Inc. ActiveDEMAND allows Using Malicious Files.This issue affects ActiveDEMAND: from n/a through 0.2.41. 2024-05-17 10 CVE-2024-32809
audit@patchstack.com
Kioware--Kioware
 		 KioWare for Windows (versions all through 8.34) allows to escape the environment by downloading PDF files, which then by default are opened in an external PDF viewer. By using built-in functions of that viewer it is possible to launch a web browser, search through local files and, subsequently, launch any program with user privileges. 2024-05-14 8.4 CVE-2024-3459
cvd@cert.pl
cvd@cert.pl
cvd@cert.pl
Kioware--Kioware
 		 In KioWare for Windows (versions all through 8.34) it is possible to exit this software and use other already opened applications utilizing a short time window before the forced automatic logout occurs. Then, by using some built-in function of these applications, one may launch any other programs.  In order to exploit this vulnerability external applications must be left running when the KioWare software is launched. Additionally, an attacker must know the PIN set for this Kioware instance and also slow down the application with some specific task which extends the usable time window. 2024-05-14 7.4 CVE-2024-3460
cvd@cert.pl
cvd@cert.pl
cvd@cert.pl
Kognetiks--Kognetiks Chatbot for WordPress
 		 Unrestricted Upload of File with Dangerous Type vulnerability in Kognetiks Kognetiks Chatbot for WordPress.This issue affects Kognetiks Chatbot for WordPress: from n/a through 2.0.0. 2024-05-14 10 CVE-2024-32700
audit@patchstack.com
LWS--LWS Affiliation
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LWS LWS Affiliation allows PHP Local File Inclusion.This issue affects LWS Affiliation: from n/a through 2.2.6. 2024-05-17 9 CVE-2023-32297
audit@patchstack.com
Lenderd--1003 Mortgage Application
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Lenderd 1003 Mortgage Application allows Relative Path Traversal.This issue affects 1003 Mortgage Application: from n/a through 1.75. 2024-05-17 7.7 CVE-2022-45368
audit@patchstack.com
Lenovo--Printers
 		 A buffer overflow vulnerability was identified in some Lenovo printers that could allow an unauthenticated user to trigger a device restart by sending a specially crafted web request. 2024-05-16 7.5 CVE-2024-3286
psirt@lenovo.com
psirt@lenovo.com
MSI--MSI Afterburner
 		 MSI Afterburner v4.6.6.16381 Beta 3 is vulnerable to an ACL Bypass vulnerability in the RTCore64.sys driver, which leads to triggering vulnerabilities like CVE-2024-1443 and CVE-2024-1460 from a low privileged user. 2024-05-18 7.8 CVE-2024-3745
help@fluidattacks.com
help@fluidattacks.com
help@fluidattacks.com
MainWP--MainWP Code Snippets Extension
 		 Improper Control of Generation of Code ('Code Injection') vulnerability in MainWP MainWP Code Snippets Extension allows Code Injection.This issue affects MainWP Code Snippets Extension: from n/a through 4.0.2. 2024-05-17 9.9 CVE-2023-23645
audit@patchstack.com
Masteriyo--LMS
 		 Improper Privilege Management vulnerability in Masteriyo LMS allows Privilege Escalation.This issue affects LMS: from n/a through 1.7.2. 2024-05-17 9.8 CVE-2024-24882
audit@patchstack.com
Microsoft--Azure Monitor
 		 Azure Monitor Agent Elevation of Privilege Vulnerability 2024-05-16 7.8 CVE-2024-30060
secure@microsoft.com
Microsoft--Dynamics 365
 		 Dynamics 365 Customer Insights Spoofing Vulnerability 2024-05-14 7.6 CVE-2024-30047
secure@microsoft.com
Microsoft--Dynamics 365
 		 Dynamics 365 Customer Insights Spoofing Vulnerability 2024-05-14 7.6 CVE-2024-30048
secure@microsoft.com
Microsoft--Microsoft SharePoint Enterprise Server 2016
 		 Microsoft SharePoint Server Remote Code Execution Vulnerability 2024-05-14 7.2 CVE-2024-30044
secure@microsoft.com
Microsoft--Office Online Server
 		 Microsoft Excel Remote Code Execution Vulnerability 2024-05-14 7.8 CVE-2024-30042
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability 2024-05-14 8.8 CVE-2024-30006
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 2024-05-14 8.8 CVE-2024-30009
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Hyper-V Remote Code Execution Vulnerability 2024-05-14 8.8 CVE-2024-30017
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Cryptographic Services Remote Code Execution Vulnerability 2024-05-14 8.1 CVE-2024-30020
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability 2024-05-14 7.8 CVE-2024-29994
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Common Log File System Driver Elevation of Privilege Vulnerability 2024-05-14 7.8 CVE-2024-29996
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 2024-05-14 7.5 CVE-2024-30014
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 2024-05-14 7.5 CVE-2024-30015
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Kernel Elevation of Privilege Vulnerability 2024-05-14 7.8 CVE-2024-30018
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 2024-05-14 7.5 CVE-2024-30022
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 2024-05-14 7.5 CVE-2024-30023
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 2024-05-14 7.5 CVE-2024-30024
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Common Log File System Driver Elevation of Privilege Vulnerability 2024-05-14 7.8 CVE-2024-30025
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 NTFS Elevation of Privilege Vulnerability 2024-05-14 7.8 CVE-2024-30027
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Win32k Elevation of Privilege Vulnerability 2024-05-14 7.8 CVE-2024-30028
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 2024-05-14 7.5 CVE-2024-30029
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability 2024-05-14 7.8 CVE-2024-30031
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows DWM Core Library Elevation of Privilege Vulnerability 2024-05-14 7.8 CVE-2024-30032
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows DWM Core Library Elevation of Privilege Vulnerability 2024-05-14 7.8 CVE-2024-30035
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Common Log File System Driver Elevation of Privilege Vulnerability 2024-05-14 7.5 CVE-2024-30037
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Win32k Elevation of Privilege Vulnerability 2024-05-14 7.8 CVE-2024-30038
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability 2024-05-14 7.8 CVE-2024-30049
secure@microsoft.com
Microsoft--Windows 10 Version 21H2
 		 Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability 2024-05-14 7.8 CVE-2024-26238
secure@microsoft.com
Microsoft--Windows Server 2008 Service Pack 2
 		 Win32k Elevation of Privilege Vulnerability 2024-05-14 7.8 CVE-2024-30030
secure@microsoft.com
Microsoft--Windows Server 2019
 		 Windows Hyper-V Remote Code Execution Vulnerability 2024-05-14 8.8 CVE-2024-30010
secure@microsoft.com
Microsoft--Windows Server 2022, 23H2 Edition (Server Core installation)
 		 Microsoft Brokering File System Elevation of Privilege Vulnerability 2024-05-14 8.8 CVE-2024-30007
secure@microsoft.com
Microsoft--Windows Server 2022
 		 Windows Search Service Elevation of Privilege Vulnerability 2024-05-14 7 CVE-2024-30033
secure@microsoft.com
MongoDB Inc--MongoDB Server
 		 Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25. 2024-05-14 7.5 CVE-2024-3372
cna@mongodb.com
N/A--Pk Favicon Manager
 		 Unrestricted Upload of File with Dangerous Type vulnerability in Pk Favicon Manager.This issue affects Pk Favicon Manager: from n/a through 2.1. 2024-05-14 9.1 CVE-2024-34416
audit@patchstack.com
N/A--VMware Workstation
 		 VMware Workstation and Fusion contain a heap buffer-overflow vulnerability in the Shader functionality. A malicious actor with non-administrative access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to create a denial of service condition. 2024-05-14 7.1 CVE-2024-22268
security@vmware.com
N/A--VMware Workstation
 		 VMware Workstation and Fusion contain an information disclosure vulnerability in the vbluetooth device. A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine. 2024-05-14 7.1 CVE-2024-22269
security@vmware.com
N/A--VMware Workstation
 		 VMware Workstation and Fusion contain an information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality. A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine. 2024-05-14 7.1 CVE-2024-22270
security@vmware.com
NA--VMware Workstation
 		 VMware Workstation and Fusion contain a use-after-free vulnerability in the vbluetooth device. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. 2024-05-14 9.3 CVE-2024-22267
security@vmware.com
NI--FlexLogger
 		 A deserialization of untrusted data vulnerability exists in common code used by FlexLogger and InstrumentStudio that may result in remote code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects NI FlexLogger 2024 Q1 and prior versions as well as NI InstrumentStudio 2024 Q1 and prior versions. 2024-05-14 7.8 CVE-2024-4044
security@ni.com
Netflix--Genie
 		 A path traversal issue potentially leading to remote code execution in Genie for all versions prior to 4.3.18 2024-05-14 9.9 CVE-2024-4701
security-report@netflix.com
Nota-Info--Bookly
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Nota-Info Bookly allows Path Traversal, Manipulating Web Input to File System Calls.This issue affects Bookly: from n/a through 21.7.1. 2024-05-17 7.7 CVE-2023-26526
audit@patchstack.com
Nozomi Networks--Arc
 		 Multiple functions use archives without properly validating the filenames therein, rendering the application vulnerable to path traversal via 'zip slip' attacks. An administrator able to provide tampered archives to be processed by the affected versions of Arc may be able to have arbitrary files extracted to arbitrary filesystem locations. Leveraging this issue, an attacker may be able to overwrite arbitrary files on the target filesystem and cause critical impacts on the system (e.g., arbitrary command execution on the victim's machine). 2024-05-15 8 CVE-2023-5938
prodsec@nozominetworks.com
Nozomi Networks--Arc
 		 When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed. 2024-05-15 7.4 CVE-2023-5935
prodsec@nozominetworks.com
Nozomi Networks--Arc
 		 On Unix systems (Linux, MacOS), Arc uses a temporary file with unsafe privileges. By tampering with such file, a malicious local user in the system may be able to trigger arbitrary code execution with root privileges. 2024-05-15 7.8 CVE-2023-5936
prodsec@nozominetworks.com
OceanWP--OceanWP
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OceanWP allows PHP Local File Inclusion.This issue affects OceanWP: from n/a through 3.4.1. 2024-05-17 7.6 CVE-2023-23700
audit@patchstack.com
OctoPrint--OctoPrint
 		 OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet. 2024-05-14 7.1 CVE-2024-32977
security-advisories@github.com
security-advisories@github.com
OpenText--iManager
 		 Remote Code Execution has been discovered in OpenTextâ„¢ iManager 3.2.6.0200. The vulnerability can trigger command injection and insecure deserialization issues. 2024-05-15 7.8 CVE-2024-3483
security@opentext.com
OpenText--iManager
 		 XML External Entity injection vulnerability found in OpenTextâ„¢ iManager 3.2.6.0200. This could lead to information disclosure and remote code execution. 2024-05-15 7.8 CVE-2024-3486
security@opentext.com
OpenText--iManager
 		 Remote Code Execution has been discovered in OpenTextâ„¢ iManager 3.2.6.0200. The vulnerability can trigger remote code execution unisng unsafe java object deserialization. 2024-05-15 7.6 CVE-2024-3967
security@opentext.com
OpenText--iManager
 		 Remote Code Execution has been discovered in OpenTextâ„¢ iManager 3.2.6.0200. The vulnerability can trigger remote code execution using custom file upload task. 2024-05-15 7.8 CVE-2024-3968
security@opentext.com
Owlet--Cam v2
 		 A command injection vulnerability exists in the IOCTL that manages OTA updates. A specially crafted command can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability. 2024-05-15 7.2 CVE-2023-6321
cve-requests@bitdefender.com
P-THEMES--Porto Theme - Functionality
 		 The Porto Theme - Functionality plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.0 via the 'porto_portfolios' shortcode 'portfolio_layout' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. 2024-05-14 8.8 CVE-2024-3808
security@wordfence.com
security@wordfence.com
P-THEMES--Porto Theme - Functionality
 		 The Porto Theme - Functionality plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.9 via the 'slideshow_type' post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. 2024-05-14 8.8 CVE-2024-3809
security@wordfence.com
security@wordfence.com
P-THEMES--Porto
 		 The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. 2024-05-14 9.8 CVE-2024-3806
security@wordfence.com
security@wordfence.com
P-THEMES--Porto
 		 The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via 'porto_page_header_shortcode_type', 'slideshow_type' and 'post_layout' post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. This was partially patched in version 7.1.0 and fully patched in version 7.1.1. 2024-05-14 8.8 CVE-2024-3807
security@wordfence.com
security@wordfence.com
PHOENIX CONTACT--CHARX SEC-3000
 		 A local low privileged attacker can use an untrusted search path in a CHARX system utility to gain root privileges.  2024-05-14 7.8 CVE-2024-28133
info@cert.vde.com
PHOENIX CONTACT--CHARX SEC-3000
 		 An unauthenticated remote attacker can extract a session token with a MitM attack and gain web-based management access with the privileges of the currently logged in user due to cleartext transmission of sensitive information. No additional user interaction is required. The access is limited as only non-sensitive information can be obtained but the availability can be seriously affected.  2024-05-14 7 CVE-2024-28134
info@cert.vde.com
PHOENIX CONTACT--CHARX SEC-3000
 		 A local attacker with low privileges can use a command injection vulnerability to gain root privileges due to improper input validation using the OCPP Remote service. 2024-05-14 7.8 CVE-2024-28136
info@cert.vde.com
PHOENIX CONTACT--CHARX SEC-3000
 		 A local attacker with low privileges can perform a privilege escalation with an init script due to a TOCTOU vulnerability. 2024-05-14 7.8 CVE-2024-28137
info@cert.vde.com
PHPGurukul--Online Course Registration System
 		 A vulnerability was found in PHPGurukul Online Course Registration System 3.1. It has been declared as critical. This vulnerability affects unknown code of the file /admin/index.php. The manipulation of the argument username/password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-264922 is the identifier assigned to this vulnerability. 2024-05-17 7.3 CVE-2024-5063
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
PHPGurukul--Online Course Registration System
 		 A vulnerability was found in PHPGurukul Online Course Registration System 3.1. It has been rated as critical. This issue affects some unknown processing of the file news-details.php. The manipulation of the argument nid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-264923. 2024-05-17 7.3 CVE-2024-5064
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
PHPGurukul--Online Course Registration System
 		 A vulnerability classified as critical has been found in PHPGurukul Online Course Registration System 3.1. Affected is an unknown function of the file /onlinecourse/. The manipulation of the argument regno leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264924. 2024-05-17 7.3 CVE-2024-5065
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
POSIMYTH Innovation--The Plus Addons for Elementor Pro
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows PHP Local File Inclusion.This issue affects The Plus Addons for Elementor Pro: from n/a through 5.2.8. 2024-05-17 8.6 CVE-2023-47178
audit@patchstack.com
Phoenix--SecureCore for Intel Gemini Lake
 		 Potential buffer overflow in unsafe UEFI variable handling in Phoenix SecureCoreâ„¢ for Intel Gemini Lake.This issue affects: SecureCoreâ„¢ for Intel Gemini Lake: from 4.1.0.1 before 4.1.0.567. 2024-05-14 7.5 CVE-2024-1598
22d9ba52-f336-4b0d-bf1f-0efbdcc3c1de
Phoenix--SecureCore for Intel Kaby Lake
 		 Potential buffer overflow in unsafe UEFI variable handling in Phoenix SecureCoreâ„¢ for select Intel platforms This issue affects: Phoenix SecureCoreâ„¢ for Intel Kaby Lake: from 4.0.1.1 before 4.0.1.998; Phoenix SecureCoreâ„¢ for Intel Coffee Lake: from 4.1.0.1 before 4.1.0.562; Phoenix SecureCoreâ„¢ for Intel Ice Lake: from 4.2.0.1 before 4.2.0.323; Phoenix SecureCoreâ„¢ for Intel Comet Lake: from 4.2.1.1 before 4.2.1.287; Phoenix SecureCoreâ„¢ for Intel Tiger Lake: from 4.3.0.1 before 4.3.0.236; Phoenix SecureCoreâ„¢ for Intel Jasper Lake: from 4.3.1.1 before 4.3.1.184; Phoenix SecureCoreâ„¢ for Intel Alder Lake: from 4.4.0.1 before 4.4.0.269; Phoenix SecureCoreâ„¢ for Intel Raptor Lake: from 4.5.0.1 before 4.5.0.218; Phoenix SecureCoreâ„¢ for Intel Meteor Lake: from 4.5.1.1 before 4.5.1.15. 2024-05-14 7.5 CVE-2024-0762
22d9ba52-f336-4b0d-bf1f-0efbdcc3c1de
Phoenix--WinFlash Driver
 		 Exposed IOCTL with Insufficient Access Control in Phoenix WinFlash Driver on Windows allows Privilege Escalation which allows for modification of system firmware.This issue affects WinFlash Driver: before 4.5.0.0. 2024-05-14 7.8 CVE-2023-35841
22d9ba52-f336-4b0d-bf1f-0efbdcc3c1de
22d9ba52-f336-4b0d-bf1f-0efbdcc3c1de
22d9ba52-f336-4b0d-bf1f-0efbdcc3c1de
PluginOps--Landing Page Builder
 		 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PluginOps Landing Page Builder allows Reflected XSS.This issue affects Landing Page Builder: from n/a through 1.5.1.8. 2024-05-17 7.1 CVE-2024-34752
audit@patchstack.com
PluginUS--HUSKY Products Filter for WooCommerce (formerly WOOF)
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in PluginUS HUSKY - Products Filter for WooCommerce (formerly WOOF) allows Using Malicious Files, Code Inclusion.This issue affects HUSKY - Products Filter for WooCommerce (formerly WOOF): from n/a through 1.3.5.2. 2024-05-17 8.8 CVE-2024-32680
audit@patchstack.com
Podlove--Podlove Podcast Publisher
 		 Missing Authorization vulnerability in Podlove Podlove Podcast Publisher.This issue affects Podlove Podcast Publisher: from n/a through 4.0.14. 2024-05-14 7.5 CVE-2024-32712
audit@patchstack.com
PowerDNS--DNSdist
 		 When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service. DNS over HTTPS is not enabled by default, and backends are using plain DNS (Do53) by default. 2024-05-14 7.5 CVE-2024-25581
security@open-xchange.com
Premmerce--Premmerce Permalink Manager for WooCommerce
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Premmerce Premmerce Permalink Manager for WooCommerce allows PHP Local File Inclusion.This issue affects Premmerce Permalink Manager for WooCommerce: from n/a through 2.3.10. 2024-05-17 8.3 CVE-2024-27971
audit@patchstack.com
PrestaShop--PrestaShop
 		 PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature-flag. 2024-05-14 9.6 CVE-2024-34716
security-advisories@github.com
security-advisories@github.com
ProfilePress Membership Team--ProfilePress
 		 Improper Privilege Management vulnerability in ProfilePress Membership Team ProfilePress allows Privilege Escalation.This issue affects ProfilePress: from n/a through 4.13.1. 2024-05-17 8.6 CVE-2023-41954
audit@patchstack.com
Progress Software Corporation--Telerik Reporting
 		 In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.2.514), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability. 2024-05-15 7.7 CVE-2024-4200
security@progress.com
Progress Software Corporation--Telerik Reporting
 		 In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.514), a code execution attack is possible through an insecure instantiation vulnerability. 2024-05-15 7.7 CVE-2024-4202
security@progress.com
Progress Software Corporation--Telerik UI for WinForms
 		 A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system. 2024-05-15 7.2 CVE-2024-3892
security@progress.com
Proofpoint--Enterprise Protection
 		 The Proofpoint Encryption endpoint of Proofpoint Enterprise Protection contains an Improper Input Validation vulnerability that allows an unauthenticated remote attacker with a specially crafted HTTP request to create additional Encryption user accounts under the attacker's control.  These accounts are able to send spoofed email to any users within the domains configured by the Administrator. 2024-05-14 7.5 CVE-2024-3676
security@proofpoint.com
Propovoice--Propovoice CRM
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Propovoice Propovoice CRM allows Stored XSS.This issue affects Propovoice CRM: from n/a through 1.7.6.2. 2024-05-14 7.1 CVE-2024-4747
audit@patchstack.com
QuanticaLabs--Chauffeur Taxi Booking System for WordPress
 		 Missing Authorization vulnerability in QuanticaLabs Chauffeur Taxi Booking System for WordPress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Chauffeur Taxi Booking System for WordPress: from n/a through 6.9. 2024-05-17 8.2 CVE-2024-32692
audit@patchstack.com
Qube One Ltd.--Redirection for Contact Form 7
 		 Improper Privilege Management vulnerability in Qube One Ltd. Redirection for Contact Form 7 wpcf7-redirect allows Privilege Escalation.This issue affects Redirection for Contact Form 7: from n/a through 2.7.0. 2024-05-17 7.6 CVE-2023-23990
audit@patchstack.com
Rank Math--Rank Math SEO
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Rank Math Rank Math SEO allows Path Traversal.This issue affects Rank Math SEO: from n/a through 1.0.107.2. 2024-05-17 7.6 CVE-2023-23888
audit@patchstack.com
Red Hat--Migration Toolkit for Containers
 		 A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. 2024-05-14 8.3 CVE-2024-3727
secalert@redhat.com
secalert@redhat.com
Repute Infosystems--ARMember
 		 Improper Privilege Management vulnerability in Repute Infosystems ARMember allows Privilege Escalation.This issue affects ARMember: from n/a through 4.0.10. 2024-05-17 8.8 CVE-2023-51356
audit@patchstack.com
Roku--Indoor Camera SE
 		 A stack-based buffer overflow vulnerability exists in the message parsing functionality of the Roku Indoor Camera SE version 3.0.2.4679 and Wyze Cam v3 version 4.36.11.5859. A specially crafted message can lead to stack-based buffer overflow. An attacker can make authenticated requests to trigger this vulnerability. 2024-05-15 7.2 CVE-2023-6322
cve-requests@bitdefender.com
Room 34 Creative Services, LLC--ICS Calendar
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Server-Side Request Forgery (SSRF) vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Absolute Path Traversal, : Server Side Request Forgery.This issue affects ICS Calendar: from n/a through 10.12.0.3. 2024-05-17 8.2 CVE-2023-46784
audit@patchstack.com
SAASPROJECT Booking Package--Booking Package
 		 Improper Privilege Management vulnerability in SAASPROJECT Booking Package Booking Package allows Privilege Escalation.This issue affects Booking Package: from n/a through 1.5.98. 2024-05-17 8.8 CVE-2023-37389
audit@patchstack.com
SAP_SE--SAP BusinessObjects Business Intelligence Platform
 		 SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to manipulate a parameter in the Opendocument URL which could lead to high impact on Confidentiality and Integrity of the application 2024-05-14 8.1 CVE-2024-28165
cna@sap.com
cna@sap.com
SAP_SE--SAP NetWeaver Application Server ABAP and ABAP Platform
 		 An unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise system.  2024-05-14 9.6 CVE-2024-33006
cna@sap.com
cna@sap.com
SUBNET--PowerSYSTEM Center
 		 SUBNET Solutions Inc. has identified vulnerabilities in third-party components used in PowerSYSTEM Center. 2024-05-15 8.4 CVE-2024-28042
ics-cert@hq.dhs.gov
SailPoint--Identity Security Cloud
 		 An issue was identified in the Identity Security Cloud (ISC) Transform preview and IdentityProfile preview API endpoints that allowed an authenticated administrator to execute user-defined templates as part of attribute transforms which could allow remote code execution on the host. 2024-05-15 9.1 CVE-2024-3319
psirt@sailpoint.com
Saleswonder Team--WebinarIgnition
 		 Improper Privilege Management vulnerability in Saleswonder Team WebinarIgnition allows Privilege Escalation.This issue affects WebinarIgnition: from n/a through 3.05.0. 2024-05-17 9.8 CVE-2023-51424
audit@patchstack.com
SiAdmin--SiAdmin
 		 Vulnerability in SiAdmin 1.1 that allows SQL injection via the /modul/mod_pass/aksi_pass.php parameter in nama_lengkap. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in it. 2024-05-16 9.8 CVE-2024-4991
cve-coordination@incibe.es
SiAdmin--SiAdmin
 		 Vulnerability in SiAdmin 1.1 that allows SQL injection via the /modul/mod_kuliah/aksi_kuliah.php parameter in nim. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in it. 2024-05-16 9.8 CVE-2024-4992
cve-coordination@incibe.es
Siemens--CPC80 Central Processing/Communication
 		 A vulnerability has been identified in CPC80 Central Processing/Communication (All versions < V16.41), CPCI85 Central Processing/Communication (All versions < V5.30). The affected device firmwares contain an improper null termination vulnerability while parsing a specific HTTP header. This could allow an attacker to execute code in the context of the current process or lead to denial of service condition. 2024-05-14 7.8 CVE-2024-31484
productcert@siemens.com
Siemens--CPCI85 Central Processing/Communication
 		 A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.30), SICORE Base system (All versions < V1.3.0). The web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges. 2024-05-14 7.2 CVE-2024-31485
productcert@siemens.com
Siemens--JT2Go
 		 A vulnerability has been identified in JT2Go (All versions < V2312.0001), Teamcenter Visualization V14.1 (All versions < V14.1.0.13), Teamcenter Visualization V14.2 (All versions < V14.2.0.10), Teamcenter Visualization V14.3 (All versions < V14.3.0.7), Teamcenter Visualization V2312 (All versions < V2312.0001). The affected applications contain a stack overflow vulnerability while parsing specially crafted XML files. This could allow an attacker to execute code in the context of the current process. 2024-05-14 7.8 CVE-2024-34085
productcert@siemens.com
Siemens--JT2Go
 		 A vulnerability has been identified in JT2Go (All versions < V2312.0001), Teamcenter Visualization V14.1 (All versions < V14.1.0.13), Teamcenter Visualization V14.2 (All versions < V14.2.0.10), Teamcenter Visualization V14.3 (All versions < V14.3.0.7), Teamcenter Visualization V2312 (All versions < V2312.0001). The affected applications contain an out of bounds write vulnerability when parsing a specially crafted CGM file. This could allow an attacker to execute code in the context of the current process. 2024-05-14 7.8 CVE-2024-34086
productcert@siemens.com
Siemens--PS/IGES Parasolid Translator Component
 		 A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V27.1.215). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process. 2024-05-14 7.8 CVE-2024-32055
productcert@siemens.com
Siemens--PS/IGES Parasolid Translator Component
 		 A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V27.1.215). The affected application contains a type confusion vulnerability while parsing IGS files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21562) 2024-05-14 7.8 CVE-2024-32057
productcert@siemens.com
Siemens--PS/IGES Parasolid Translator Component
 		 A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V27.1.215). The affected application is vulnerable to memory corruption while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21563) 2024-05-14 7.8 CVE-2024-32058
productcert@siemens.com
Siemens--PS/IGES Parasolid Translator Component
 		 A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V27.1.215). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21564) 2024-05-14 7.8 CVE-2024-32059
productcert@siemens.com
Siemens--PS/IGES Parasolid Translator Component
 		 A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V27.1.215). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21565) 2024-05-14 7.8 CVE-2024-32060
productcert@siemens.com
Siemens--PS/IGES Parasolid Translator Component
 		 A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V27.1.215). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21566) 2024-05-14 7.8 CVE-2024-32061
productcert@siemens.com
Siemens--PS/IGES Parasolid Translator Component
 		 A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V27.1.215). The affected application contains a type confusion vulnerability while parsing IGS files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21568) 2024-05-14 7.8 CVE-2024-32062
productcert@siemens.com
Siemens--PS/IGES Parasolid Translator Component
 		 A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V27.1.215). The affected application contains a type confusion vulnerability while parsing IGS files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21573) 2024-05-14 7.8 CVE-2024-32063
productcert@siemens.com
Siemens--PS/IGES Parasolid Translator Component
 		 A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V27.1.215). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21575) 2024-05-14 7.8 CVE-2024-32064
productcert@siemens.com
Siemens--PS/IGES Parasolid Translator Component
 		 A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V27.1.215). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21577) 2024-05-14 7.8 CVE-2024-32065
productcert@siemens.com
Siemens--PS/IGES Parasolid Translator Component
 		 A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V27.1.215). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21578) 2024-05-14 7.8 CVE-2024-32066
productcert@siemens.com
Siemens--Parasolid V35.1
 		 A vulnerability has been identified in Parasolid V35.1 (All versions < V35.1.256), Parasolid V36.0 (All versions < V36.0.210), Parasolid V36.1 (All versions < V36.1.185). The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted X_T part file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-23468) 2024-05-14 7.8 CVE-2024-31980
productcert@siemens.com
Siemens--Parasolid V35.1
 		 A vulnerability has been identified in Parasolid V35.1 (All versions < V35.1.256), Parasolid V36.0 (All versions < V36.0.208), Parasolid V36.1 (All versions < V36.1.173). The affected applications contain an out of bounds read past the unmapped memory region while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process. 2024-05-14 7.8 CVE-2024-32635
productcert@siemens.com
Siemens--Parasolid V35.1
 		 A vulnerability has been identified in Parasolid V35.1 (All versions < V35.1.256), Parasolid V36.0 (All versions < V36.0.208), Parasolid V36.1 (All versions < V36.1.173). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process. 2024-05-14 7.8 CVE-2024-32636
productcert@siemens.com
Siemens--RUGGEDCOM CROSSBOW
 		 A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow the upload of arbitrary files of any unauthenticated user. An attacker could leverage this vulnerability and achieve arbitrary code execution with system privileges. 2024-05-14 9.8 CVE-2024-27939
productcert@siemens.com
Siemens--RUGGEDCOM CROSSBOW
 		 A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow any authenticated user to send arbitrary SQL commands to the SQL server. An attacker could use this vulnerability to compromise the whole database. 2024-05-14 8.8 CVE-2024-27940
productcert@siemens.com
Siemens--RUGGEDCOM CROSSBOW
 		 A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected client systems do not properly sanitize input data before sending it to the SQL server. An attacker could use this vulnerability to compromise the whole database. 2024-05-14 8.8 CVE-2024-27941
productcert@siemens.com
Siemens--RUGGEDCOM CROSSBOW
 		 A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow any unauthenticated client to disconnect any active user from the server. An attacker could use this vulnerability to prevent any user to perform actions in the system, causing a denial of service situation. 2024-05-14 7.5 CVE-2024-27942
productcert@siemens.com
Siemens--RUGGEDCOM CROSSBOW
 		 A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow a privileged user to upload generic files to the root installation directory of the system. By replacing specific files, an attacker could tamper specific files or even achieve remote code execution. 2024-05-14 7.2 CVE-2024-27943
productcert@siemens.com
Siemens--RUGGEDCOM CROSSBOW
 		 A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow a privileged user to upload firmware files to the root installation directory of the system. By replacing specific files, an attacker could tamper specific files or even achieve remote code execution. 2024-05-14 7.2 CVE-2024-27944
productcert@siemens.com
Siemens--RUGGEDCOM CROSSBOW
 		 A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The bulk import feature of the affected systems allow a privileged user to upload files to the root installation directory of the system. By replacing specific files, an attacker could tamper specific files or even achieve remote code execution. 2024-05-14 7.2 CVE-2024-27945
productcert@siemens.com
Siemens--SIMATIC CN 4100
 		 A vulnerability has been identified in SIMATIC CN 4100 (All versions < V3.0). The affected device contains hard coded password which is used for the privileged system user `root` and for the boot loader `GRUB` by default . An attacker who manages to crack the password hash gains root access to the device. 2024-05-14 10 CVE-2024-32741
productcert@siemens.com
Siemens--SIMATIC CN 4100
 		 A vulnerability has been identified in SIMATIC CN 4100 (All versions < V3.0). The affected device contains undocumented users and credentials. An attacker could misuse the credentials to compromise the device locally or over the network. 2024-05-14 9.8 CVE-2024-32740
productcert@siemens.com
Siemens--SIMATIC CN 4100
 		 A vulnerability has been identified in SIMATIC CN 4100 (All versions < V3.0). The affected device contains an unrestricted USB port. An attacker with local access to the device could potentially misuse the port for booting another operating system and gain complete read/write access to the filesystem. 2024-05-14 7.6 CVE-2024-32742
productcert@siemens.com
Siemens--SIMATIC RTLS Locating Manager
 		 A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). The affected systems use symmetric cryptography with a hard-coded key to protect the communication between client and server. This could allow an unauthenticated remote attacker to compromise confidentiality and integrity of the communication and, subsequently, availability of the system. A successful exploit requires the attacker to gain knowledge of the hard-coded key and to be able to intercept the communication between client and server on the network. 2024-05-14 10 CVE-2024-30207
productcert@siemens.com
Siemens--SIMATIC RTLS Locating Manager
 		 A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected systems transmit client-side resources without proper cryptographic protection. This could allow an attacker to eavesdrop on and modify resources in transit. A successful exploit requires an attacker to be in the network path between the RTLS Locating Manager server and a client (MitM). 2024-05-14 9.6 CVE-2024-30209
productcert@siemens.com
Siemens--SIMATIC RTLS Locating Manager
 		 A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). The affected application assigns incorrect permissions to a user management component. This could allow a privileged attacker to escalate their privileges from the Administrators group to the Systemadministrator group. 2024-05-14 9.1 CVE-2024-33499
productcert@siemens.com
Siemens--SIMATIC RTLS Locating Manager
 		 A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected SIMATIC RTLS Locating Manager Clients do not properly check the integrity of update files. This could allow an unauthenticated remote attacker to alter update files in transit and trick an authorized user into installing malicious code. A successful exploit requires the attacker to be able to modify the communication between server and client on the network. 2024-05-14 8.8 CVE-2024-30206
productcert@siemens.com
Siemens--Simcenter Nastran 2306
 		 A vulnerability has been identified in Simcenter Nastran 2306 (All versions), Simcenter Nastran 2312 (All versions), Simcenter Nastran 2406 (All versions < V2406.90). The affected applications contain a stack overflow vulnerability while parsing specially strings as argument for one of the application binaries. This could allow an attacker to execute code in the context of the current process. 2024-05-14 7.8 CVE-2024-33577
productcert@siemens.com
Siemens--Solid Edge
 		 A vulnerability has been identified in Solid Edge (All versions < V224.0 Update 5). The affected application is vulnerable to heap-based buffer overflow while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. 2024-05-14 7.8 CVE-2024-33489
productcert@siemens.com
Siemens--Solid Edge
 		 A vulnerability has been identified in Solid Edge (All versions < V224.0 Update 5). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. 2024-05-14 7.8 CVE-2024-33490
productcert@siemens.com
Siemens--Solid Edge
 		 A vulnerability has been identified in Solid Edge (All versions < V224.0 Update 5). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. 2024-05-14 7.8 CVE-2024-33491
productcert@siemens.com
Siemens--Solid Edge
 		 A vulnerability has been identified in Solid Edge (All versions < V224.0 Update 5). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. 2024-05-14 7.8 CVE-2024-33492
productcert@siemens.com
Siemens--Solid Edge
 		 A vulnerability has been identified in Solid Edge (All versions < V224.0 Update 5). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. 2024-05-14 7.8 CVE-2024-33493
productcert@siemens.com
Siemens--Solid Edge
 		 A vulnerability has been identified in Solid Edge (All versions < V224.0 Update 2). The affected application is vulnerable to heap-based buffer overflow while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. 2024-05-14 7.8 CVE-2024-34771
productcert@siemens.com
Siemens--Solid Edge
 		 A vulnerability has been identified in Solid Edge (All versions < V224.0 Update 4). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. 2024-05-14 7.8 CVE-2024-34772
productcert@siemens.com
Siemens--Solid Edge
 		 A vulnerability has been identified in Solid Edge (All versions < V224.0 Update 2). The affected applications contain a stack overflow vulnerability while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. 2024-05-14 7.8 CVE-2024-34773
productcert@siemens.com
Siemens--Tecnomatix Plant Simulation V2302
 		 A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0011). The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted MODEL file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-22974) 2024-05-14 7.8 CVE-2024-32639
productcert@siemens.com
Sirv--Sirv
 		 Improper Privilege Management vulnerability in Sirv allows Privilege Escalation.This issue affects Sirv: from n/a through 7.2.2. 2024-05-17 8.8 CVE-2024-32959
audit@patchstack.com
Sizam Design--Rehub
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Sizam Design Rehub allows PHP Local File Inclusion.This issue affects Rehub: from n/a through 19.6.1. 2024-05-17 9 CVE-2024-31231
audit@patchstack.com
Sizam Design--Rehub
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Sizam Design Rehub allows PHP Local File Inclusion.This issue affects Rehub: from n/a through 19.6.1. 2024-05-17 8 CVE-2024-31232
audit@patchstack.com
Snow Software AB--Snow License Manager
 		 Improper Authentication vulnerability in Snow Software AB Snow License Manager on Windows allows a networked attacker to perform an Authentication Bypass if Active Directory Authentication is enabled.This issue affects Snow License Manager: from 9.33.2 through 9.34.0. 2024-05-14 8.8 CVE-2024-4129
security@snowsoftware.com
SolarWinds--Access Rights Manager
 		 The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. 2024-05-14 9 CVE-2024-28075
psirt@solarwinds.com
psirt@solarwinds.com
psirt@solarwinds.com
SolarWinds--Access Rights Manager
 		 The SolarWinds Access Rights Manager was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability allows access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. 2024-05-14 8.6 CVE-2024-23473
psirt@solarwinds.com
psirt@solarwinds.com
Sonatype--Nexus Repository
 		 Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1. 2024-05-16 7.5 CVE-2024-4956
103e4ec9-0a87-450b-af77-479448ddef11
SourceCodester--Best House Rental Management System
 		 A vulnerability has been found in SourceCodester Best House Rental Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file login.php. The manipulation of the argument username/password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-265072. 2024-05-18 7.3 CVE-2024-5093
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Best House Rental Management System
 		 A vulnerability was found in SourceCodester Best House Rental Management System 1.0 and classified as critical. This issue affects some unknown processing of the file view_payment.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-265073 was assigned to this vulnerability. 2024-05-18 7.3 CVE-2024-5094
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Online Discussion Forum Site
 		 A vulnerability was found in SourceCodester Online Discussion Forum Site 1.0. It has been rated as critical. This issue affects some unknown processing of the file registerH.php. The manipulation of the argument ima leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-264455. 2024-05-16 7.3 CVE-2024-4920
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Online Examination System
 		 A vulnerability was found in SourceCodester Online Examination System 1.0. It has been rated as critical. This issue affects some unknown processing of the file registeracc.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-264743. 2024-05-17 7.3 CVE-2024-5046
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--SchoolWebTech
 		 A vulnerability was found in SourceCodester SchoolWebTech 1.0. It has been classified as critical. Affected is an unknown function of the file /improve/home.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-264534 is the identifier assigned to this vulnerability. 2024-05-16 7.3 CVE-2024-4966
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Student Management System
 		 A vulnerability classified as critical has been found in SourceCodester Student Management System 1.0. Affected is an unknown function of the file /student/controller.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264744. 2024-05-17 7.3 CVE-2024-5047
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
StylemixThemes--Consulting
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in StylemixThemes Consulting allows PHP Local File Inclusion.This issue affects Consulting: from n/a through 6.5.6. 2024-05-17 7.3 CVE-2023-37385
audit@patchstack.com
Tenable--Nessus Agent
 		 A race condition vulnerability exists where an authenticated, local attacker on a Windows Nessus Agent host could modify installation parameters at installation time, which could lead to the execution of arbitrary code on the Nessus host. - CVE-2024-3292 2024-05-17 8.2 CVE-2024-3292
vulnreport@tenable.com
Tenable--Nessus Agent
 		 When installing Nessus Agent to a directory outside of the default location on a Windows host, Nessus Agent versions prior to 10.6.4 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location. 2024-05-17 7.8 CVE-2024-3291
vulnreport@tenable.com
Tenable--Nessus
 		 A race condition vulnerability exists where an authenticated, local attacker on a Windows Nessus host could modify installation parameters at installation time, which could lead to the execution of arbitrary code on the Nessus host 2024-05-17 8.2 CVE-2024-3290
vulnreport@tenable.com
Tenable--Nessus
 		 When installing Nessus to a directory outside of the default location on a Windows host, Nessus versions prior to 10.7.3 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location. 2024-05-17 7.8 CVE-2024-3289
vulnreport@tenable.com
Teplitsa of social technologies--Leyka
 		 Improper Privilege Management vulnerability in Teplitsa of social technologies Leyka allows Privilege Escalation.This issue affects Leyka: from n/a through 3.30.2. 2024-05-14 8.8 CVE-2023-33327
audit@patchstack.com
ThemeKraft--BuddyForms
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThemeKraft BuddyForms allows Server Side Request Forgery, Relative Path Traversal.This issue affects BuddyForms: from n/a through 2.8.8. 2024-05-17 8.6 CVE-2024-32830
audit@patchstack.com
ThemeNectar--Salient Core
 		 The Salient Core plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.7 via the 'nectar_icon' shortcode 'icon_linea' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. 2024-05-18 7.5 CVE-2024-3812
security@wordfence.com
security@wordfence.com
ThemeNectar--Salient Shortcodes
 		 The Salient Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.3 via the 'icon' shortcode 'image' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. 2024-05-18 8.8 CVE-2024-3810
security@wordfence.com
security@wordfence.com
Themify--Themify Ultra
 		 Improper Privilege Management vulnerability in Themify Themify Ultra allows Privilege Escalation.This issue affects Themify Ultra: from n/a through 7.3.5. 2024-05-17 8.8 CVE-2023-46145
audit@patchstack.com
Thomas Scholl--canvasio3D Light
 		 Unrestricted Upload of File with Dangerous Type vulnerability in Thomas Scholl canvasio3D Light.This issue affects canvasio3D Light: from n/a through 2.5.0. 2024-05-14 9.9 CVE-2024-34411
audit@patchstack.com
Thrive Themes--Thrive Theme Builder
 		 Improper Privilege Management vulnerability in Thrive Themes Thrive Theme Builder allows Privilege Escalation.This issue affects Thrive Theme Builder: from n/a before 3.24.0. 2024-05-17 8.8 CVE-2023-47782
audit@patchstack.com
ThroughTek--Kalay SDK
 		 ThroughTek Kalay SDK uses a predictable PSK value in the DTLS session when encountering an unexpected PSK identity 2024-05-15 8.1 CVE-2023-6324
cve-requests@bitdefender.com
Timber Team & Contributors--Timber
 		 Deserialization of Untrusted Data vulnerability in Timber Team & Contributors Timber.This issue affects Timber: from n/a through 1.23.0. 2024-05-14 8 CVE-2024-29800
audit@patchstack.com
Tips and Tricks HQ--WP Express Checkout (Accept PayPal Payments)
 		 Improper Validation of Specified Quantity in Input vulnerability in Tips and Tricks HQ WP Express Checkout (Accept PayPal Payments) allows Manipulating Hidden Fields.This issue affects WP Express Checkout (Accept PayPal Payments): from n/a through 2.3.7. 2024-05-17 7.5 CVE-2024-30527
audit@patchstack.com
Trellix--ePolicy Orchestrator
 		 Hardcoded credentials vulnerability in Trellix ePolicy Orchestrator (ePO) on Premise prior to 5.10 Service Pack 1 Update 2 allows an attacker with admin privileges on the ePO server to read the contents of the orion.keystore file, allowing them to access the ePO database encryption key. This was possible through using a hard coded password for the keystore. Access Control restrictions on the file mean this would not be exploitable unless the user is the system admin for the server that ePO is running on. 2024-05-16 7.5 CVE-2024-4844
trellixpsirt@trellix.com
URBAN BASE--Z-Downloads
 		 Unrestricted Upload of File with Dangerous Type vulnerability in URBAN BASE Z-Downloads.This issue affects Z-Downloads: from n/a through 1.11.3. 2024-05-14 9.1 CVE-2024-34555
audit@patchstack.com
UkrSolution--Barcode Scanner with Inventory & Order Manager
 		 Improper Privilege Management vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager allows Privilege Escalation.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.5.3. 2024-05-17 9.8 CVE-2024-33567
audit@patchstack.com
Vova Anokhin--Shortcodes Ultimate
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Vova Anokhin Shortcodes Ultimate allows Absolute Path Traversal.This issue affects Shortcodes Ultimate: from n/a through 5.12.6. 2024-05-17 7.1 CVE-2023-25050
audit@patchstack.com
WP Automatic--Automatic
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Automatic Automatic allows Path Traversal, Server Side Request Forgery.This issue affects Automatic: from n/a through 3.92.0. 2024-05-17 9.3 CVE-2024-27954
audit@patchstack.com
WP Automatic--Automatic
 		 Cross-Site Request Forgery (CSRF) vulnerability in WP Automatic Automatic allows Privilege Escalation.This issue affects Automatic: from n/a through 3.92.0. 2024-05-17 8.3 CVE-2024-27955
audit@patchstack.com
WP Hive--Events Rich Snippets for Google
 		 Cross-Site Request Forgery (CSRF) vulnerability in WP Hive Events Rich Snippets for Google allows Exploitation of Trusted Credentials.This issue affects Events Rich Snippets for Google: from n/a through 1.8. 2024-05-17 7.1 CVE-2023-44478
audit@patchstack.com
WP Sharks--s2Member Pro
 		 Improper Privilege Management vulnerability in WP Sharks s2Member Pro allows Privilege Escalation.This issue affects s2Member Pro: from n/a through 240315. 2024-05-17 7.5 CVE-2024-31237
audit@patchstack.com
WP-etracker--WP etracker
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP-etracker WP etracker allows Reflected XSS.This issue affects WP etracker: from n/a through 1.0.2. 2024-05-14 7.1 CVE-2024-34431
audit@patchstack.com
WPCustomify--Customify Site Library
 		 Improper Control of Generation of Code ('Code Injection') vulnerability in WPCustomify Customify Site Library allows Code Injection.This issue affects Customify Site Library: from n/a through 0.0.9. 2024-05-17 9.9 CVE-2024-33644
audit@patchstack.com
WPDeveloper--Essential Addons for Elementor
 		 Improper Privilege Management vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation.This issue affects Essential Addons for Elementor: from n/a through 5.8.8. 2024-05-17 8.8 CVE-2023-41955
audit@patchstack.com
WPFactory--EAN for WooCommerce
 		 Improper Privilege Management vulnerability in WPFactory EAN for WooCommerce allows Privilege Escalation.This issue affects EAN for WooCommerce: from n/a through 4.8.9. 2024-05-17 7.2 CVE-2024-34370
audit@patchstack.com
WPvivid Team--WPvivid Backup and Migration
 		 Improper Privilege Management vulnerability in WPvivid Team WPvivid Backup and Migration allows Privilege Escalation.This issue affects WPvivid Backup and Migration: from n/a through 0.9.90. 2024-05-17 8.8 CVE-2023-41243
audit@patchstack.com
WatchGuard--AuthPoint Password Manager
 		 Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in WatchGuard AuthPoint Password Manager on MacOS allows an a adversary with local access to execute code under the context of the AuthPoint Password Manager application. This issue affects AuthPoint Password Manager for MacOS versions before 1.0.6. 2024-05-16 7.8 CVE-2024-1417
5d1c2695-1a31-4499-88ae-e847036fd7e3
WebToffee--WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
 		 Improper Privilege Management vulnerability in WebToffee WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels allows Privilege Escalation.This issue affects WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels: from n/a through 4.2.1. 2024-05-17 7.2 CVE-2023-51546
audit@patchstack.com
WebWizards--SalesKing
 		 Improper Privilege Management vulnerability in WebWizards SalesKing allows Privilege Escalation.This issue affects SalesKing: from n/a through 1.6.15. 2024-05-17 9.8 CVE-2024-22157
audit@patchstack.com
WebinarPress--WebinarPress
 		 Cross-Site Request Forgery (CSRF) vulnerability in WebinarPress.This issue affects WebinarPress: from n/a through 1.33.17. 2024-05-14 7.1 CVE-2024-34818
audit@patchstack.com
WhatArmy--WatchTowerHQ
 		 Improper Privilege Management vulnerability in WhatArmy WatchTowerHQ allows Privilege Escalation.This issue affects WatchTowerHQ: from n/a through 3.6.16. 2024-05-17 9.8 CVE-2023-25701
audit@patchstack.com
Wholesale--WholesaleX
 		 Improper Privilege Management vulnerability in Wholesale WholesaleX allows Privilege Escalation.This issue affects WholesaleX: from n/a through 1.3.2. 2024-05-17 9.8 CVE-2024-30542
audit@patchstack.com
Woo product importer--Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy
 		 Missing Authorization vulnerability in Woo product importer Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy.This issue affects Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy: from n/a through 2.1.1. 2024-05-14 7.5 CVE-2024-32724
audit@patchstack.com
WooCommerce--WooCommerce One Page Checkout
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WooCommerce WooCommerce One Page Checkout allows PHP Local File Inclusion.This issue affects WooCommerce One Page Checkout: from n/a through 2.3.0. 2024-05-17 7.6 CVE-2023-35881
audit@patchstack.com
XTemos--Woodmart Core
 		 Improper Privilege Management vulnerability in XTemos Woodmart Core allows Privilege Escalation.This issue affects Woodmart Core: from n/a through 1.0.36. 2024-05-17 9.8 CVE-2023-32244
audit@patchstack.com
YARPP--YARPP
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in YARPP allows PHP Local File Inclusion.This issue affects YARPP: from n/a through 5.30.4. 2024-05-17 7.7 CVE-2022-45374
audit@patchstack.com
YMS--VIS Pro
 		 YMS VIS Pro is an information system for veterinary and food administration, veterinarians and farm. Due to a combination of improper method for system credentials generation and weak password policy, passwords can be easily guessed and enumerated through brute force attacks. Successful attacks can lead to unauthorised access and execution of operations based on assigned user permissions. This vulnerability affects VIS Pro in versions <= 3.3.0.6. This vulnerability has been mitigated by changes in authentication mechanisms and implementation of additional authentication layer and strong password policies. 2024-05-14 9.8 CVE-2024-3263
incident@nbu.gov.sk
incident@nbu.gov.sk
ZTE--ZXUN-ePDG
 		 ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked. 2024-05-14 8.3 CVE-2024-22064
psirt@zte.com.cn
Zabbix--Zabbix
 		 Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection. 2024-05-17 9.1 CVE-2024-22120
security@zabbix.com
abetlen--llama-cpp-python
 		 llama-cpp-python is the Python bindings for llama.cpp. `llama-cpp-python` depends on class `Llama` in `llama.py` to load `.gguf` llama.cpp or Latency Machine Learning Models. The `__init__` constructor built in the `Llama` takes several parameters to configure the loading and running of the model. Other than `NUMA, LoRa settings`, `loading tokenizers,` and `hardware settings`, `__init__` also loads the `chat template` from targeted `.gguf` 's Metadata and furtherly parses it to `llama_chat_format.Jinja2ChatFormatter.to_chat_handler()` to construct the `self.chat_handler` for this model. Nevertheless, `Jinja2ChatFormatter` parse the `chat template` within the Metadate with sandbox-less `jinja2.Environment`, which is furthermore rendered in `__call__` to construct the `prompt` of interaction. This allows `jinja2` Server Side Template Injection which leads to remote code execution by a carefully constructed payload. 2024-05-14 9.6 CVE-2024-34359
security-advisories@github.com
security-advisories@github.com
alttextai--Alt Text AI Automatically generate image alt text for SEO and accessibility
 		 The Alt Text AI - Automatically generate image alt text for SEO and accessibility plugin for WordPress is vulnerable to generic SQL Injection via the 'last_post_id' parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2024-05-15 8.8 CVE-2024-4847
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
appscreo--Easy Social Share Buttons
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in appscreo Easy Social Share Buttons allows PHP Local File Inclusion.This issue affects Easy Social Share Buttons: from n/a through 9.4. 2024-05-17 8.5 CVE-2024-31300
audit@patchstack.com
artbees--JupiterX
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in artbees JupiterX allows PHP Local File Inclusion.This issue affects JupiterX: from n/a through 3.0.0. 2024-05-17 7.6 CVE-2023-32110
audit@patchstack.com
aws--amazon-redshift-jdbc-driver
 		 The Amazon JDBC Driver for Redshift is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs) available in the Java Platform, Enterprise Editions. Prior to version 2.1.0.28, SQL injection is possible when using the non-default connection property `preferQueryMode=simple` in combination with application code which has a vulnerable SQL that negates a parameter value. There is no vulnerability in the driver when using the default, extended query mode. Note that `preferQueryMode` is not a supported parameter in Redshift JDBC driver, and is inherited code from Postgres JDBC driver. Users who do not override default settings to utilize this unsupported query mode are not affected. This issue is patched in driver version 2.1.0.28. As a workaround, do not use the connection property `preferQueryMode=simple`. (NOTE: Those who do not explicitly specify a query mode use the default of extended query mode and are not affected by this issue.) 2024-05-15 10 CVE-2024-32888
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
dataease--dataease
 		 DataEase is an open source data visualization analysis tool. Due to the lack of restrictions on the connection parameters for the ClickHouse data source, it is possible to exploit certain malicious parameters to achieve arbitrary file reading. The vulnerability has been fixed in v1.18.19. 2024-05-14 7.5 CVE-2024-31441
security-advisories@github.com
dotmesh-io--dotmesh
 		 Dotmesh is a git-like command-line interface for capturing, organizing and sharing application states. In versions 0.8.1 and prior, the unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder. The routine `untarFile` attempts to guard against creating symbolic links that point outside the directory a tar archive is extracted to. However, a malicious tarball first linking `subdir/parent` to `..` (allowed, because `subdir/..` falls within the archive root) and then linking `subdir/parent/escapes` to `..` results in a symbolic link pointing to the tarball's parent directory, contrary to the routine's goals. This issue may lead to arbitrary file write (with same permissions as the program running the unpack operation) if the attacker can control the archive file. Additionally, if the attacker has read access to the unpacked files, they may be able to read arbitrary system files the parent process has permissions to read. As of time of publication, no patch for this issue is available. 2024-05-14 8.1 CVE-2020-26312
security-advisories@github.com
security-advisories@github.com
eProsima--Fast-DDS
 		 FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8, when a publisher serves a malformed `RTPS` packet, the subscriber crashes when creating `pthread`. This can remotely crash any Fast-DDS process, potentially leading to a DOS attack. Versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8 contain a patch for the issue. 2024-05-14 8.2 CVE-2024-30258
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
eProsima--Fast-DDS
 		 FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8, when a publisher serves malformed `RTPS` packet, heap buffer overflow occurs on the subscriber. This can remotely crash any Fast-DDS process, potentially leading to a DOS attack. Versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8 contain a patch for the issue. 2024-05-14 8.2 CVE-2024-30259
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
freescout-helpdesk--freescout
 		 FreeScout is a free, self-hosted help desk and shared mailbox. A stored HTML Injection vulnerability has been identified in the Email Receival Module of the Freescout Application. The vulnerability allows attackers to inject malicious HTML content into emails sent to the application's mailbox. This vulnerability arises from improper handling of HTML content within incoming emails, allowing attackers to embed malicious HTML code in the context of the application's domain. Unauthenticated attackers can exploit this vulnerability to inject malicious HTML content into emails. This could lead to various attacks such as form hijacking, application defacement, or data exfiltration via CSS injection. Although unauthenticated attackers are limited to HTML injection, the consequences can still be severe. Version 1.8.139 implements strict input validation and sanitization mechanisms to ensure that any HTML content received via emails is properly sanitized to prevent malicious HTML injections. 2024-05-14 7.6 CVE-2024-34697
security-advisories@github.com
security-advisories@github.com
froxlor--Froxlor
 		 Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. This vulnerability is fixed in 2.1.9. 2024-05-14 9.6 CVE-2024-34070
security-advisories@github.com
security-advisories@github.com
getgrav--grav
 		 Grav is a file-based Web platform. Prior to version 1.7.46, a low privilege user account with page edit privilege can read any server files using Twig Syntax. This includes Grav user account files - `/grav/user/accounts/*.yaml`. This file stores hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account and read any file in the web server by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password. A low privileged user may also perform a full account takeover of other registered users including Administrators. Version 1.7.46 contains a patch. 2024-05-15 8.5 CVE-2024-34082
security-advisories@github.com
security-advisories@github.com
git--git
 		 Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources. 2024-05-14 9 CVE-2024-32002
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
git--git
 		 Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources. 2024-05-14 8.1 CVE-2024-32004
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
git--git
 		 Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources. 2024-05-14 7.3 CVE-2024-32465
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
google -- chrome
 		 Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 2024-05-14 9.6 CVE-2024-4671
chrome-cve-admin@google.com
chrome-cve-admin@google.com
hakeemnala--Build App Online
 		 The Build App Online plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0.21. This is due to missing authentication checking in the 'set_user_cart' function with the 'user_id' header value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. 2024-05-18 9.8 CVE-2024-3658
security@wordfence.com
security@wordfence.com
hoppscotch--hoppscotch-extension
 		 The Hoppscotch Browser Extension is a browser extension for Hoppscotch, a community-driven end-to-end open-source API development ecosystem. Due to an oversight during a change made to the extension in the commit d4e8e4830326f46ba17acd1307977ecd32a85b58, a critical check for the origin list was missed and allowed for messages to be sent to the extension which the extension gladly processed and responded back with the results of, while this wasn't supposed to happen and be blocked by the origin not being present in the origin list. This vulnerability exposes Hoppscotch Extension users to sites which call into Hoppscotch Extension APIs internally. This fundamentally allows any site running on the browser with the extension installed to bypass CORS restrictions if the user is running extensions with the given version. This security hole was patched in the commit 7e364b928ab722dc682d0fcad713a96cc38477d6 which was released along with the extension version `0.35`. As a workaround, Chrome users can use the Extensions Settings to disable the extension access to only the origins that you want. Firefox doesn't have an alternative to upgrading to a fixed version. 2024-05-14 7.6 CVE-2024-34714
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
icegram--Email Subscribers by Icegram Express Email Marketing, Newsletters, Automation for WordPress & WooCommerce
 		 The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handle_ajax_request function in all versions up to, and including, 5.7.19. This makes it possible for authenticated attackers, with subscriber-level access and above, to cause a loss of confidentiality, integrity, and availability, by performing multiple unauthorized actions. Some of these actions could also be leveraged to conduct PHP Object Injection and SQL Injection attacks. 2024-05-15 8.8 CVE-2024-4010
security@wordfence.com
security@wordfence.com
jetmonsters--Hotel Booking Lite
 		 The Hotel Booking Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.11.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. 2024-05-14 9.8 CVE-2024-4413
security@wordfence.com
security@wordfence.com
security@wordfence.com
jottlieb--Last Viewed Posts by WPBeginner
 		 The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input from the LastViewedPosts Cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. 2024-05-14 9.8 CVE-2024-3070
security@wordfence.com
security@wordfence.com
kognetiks--Kognetiks Chatbot for WordPress
 		 The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the chatbot_chatgpt_upload_file_to_assistant function in all versions up to, and including, 1.9.9. This makes it possible for unauthenticated attackers, with to upload arbitrary files on the affected site's server which may make remote code execution possible. 2024-05-14 9.8 CVE-2024-4560
security@wordfence.com
security@wordfence.com
lobehub--lobe-chat
 		 Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information. 2024-05-14 9 CVE-2024-32964
security-advisories@github.com
security-advisories@github.com
mantisbt--mantisbt
 		 MantisBT (Mantis Bug Tracker) is an open source issue tracker. Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and takeover their account, if the victim has an incomplete request pending. The exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password. A brute-force attack calling account_update.php with increasing user IDs is possible. A successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to. Version 2.26.2 contains a patch for the issue. As a workaround, one may mitigate the risk by reducing the verification token's validity (change the value of the `TOKEN_EXPIRY_AUTHENTICATED` constant in `constants_inc.php`). 2024-05-14 7.3 CVE-2024-34077
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
metaphorcreations--Ditty Responsive News Tickers, Sliders, and Lists
 		 The Ditty plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.1.38 via deserialization of untrusted input when adding a new ditty. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. 2024-05-14 8.8 CVE-2024-3954
security@wordfence.com
security@wordfence.com
micromatch--braces
 		 The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. 2024-05-14 7.5 CVE-2024-4068
596c5446-0ce5-4ba2-aa66-48b3b757a647
596c5446-0ce5-4ba2-aa66-48b3b757a647
596c5446-0ce5-4ba2-aa66-48b3b757a647
micromatch--micromatch
 		 The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. 2024-05-14 7.5 CVE-2024-4067
596c5446-0ce5-4ba2-aa66-48b3b757a647
596c5446-0ce5-4ba2-aa66-48b3b757a647
596c5446-0ce5-4ba2-aa66-48b3b757a647
596c5446-0ce5-4ba2-aa66-48b3b757a647
microsoft -- windows_10_1507
 		 Windows MSHTML Platform Security Feature Bypass Vulnerability 2024-05-14 8.8 CVE-2024-30040
secure@microsoft.com
microsoft -- windows_10_1507
 		 Windows DWM Core Library Elevation of Privilege Vulnerability 2024-05-14 7.8 CVE-2024-30051
secure@microsoft.com
miniOrange--WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
 		 Improper Privilege Management vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Privilege Escalation.This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through 7.6.6. 2024-05-17 8 CVE-2023-47683
audit@patchstack.com
monetizemore--Advanced Ads  Ad Manager & AdSense
 		 The Advanced Ads plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.52.1 via deserialization of untrusted input in the 'placement_slug' parameter. This makes it possible for authenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. 2024-05-14 7.2 CVE-2024-2290
security@wordfence.com
security@wordfence.com
security@wordfence.com
n/a--Intel(R) Arc(TM) & Iris(R) Xe Graphics software
 		 Improper neutralization in some Intel(R) Arc(TM) & Iris(R) Xe Graphics software before version 31.0.101.5081 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent network access. 2024-05-16 7.8 CVE-2024-21864
secure@intel.com
n/a--Intel(R) BIOS Guard firmware
 		 Improper conditions check in some Intel(R) BIOS Guard firmware may allow a privileged user to potentially enable escalation of privilege via local access. 2024-05-16 7.2 CVE-2023-27504
secure@intel.com
n/a--Intel(R) BIOS Guard firmware
 		 Improper input validation in some Intel(R) BIOS Guard firmware may allow a privileged user to potentially enable escalation of privilege via local access. 2024-05-16 7.2 CVE-2023-28402
secure@intel.com
n/a--Intel(R) DTT software installers
 		 Exposure of resource to wrong sphere in some Intel(R) DTT software installers may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 7.9 CVE-2024-21813
secure@intel.com
n/a--Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware
 		 Improper access control in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow a privileged user to potentially enable escalation of privilege via local access. 2024-05-16 7.2 CVE-2022-37341
secure@intel.com
n/a--Intel(R) GPA Framework software installers
 		 Improper access control in some Intel(R) GPA Framework software installers before version 2023.3 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 7.8 CVE-2023-43748
secure@intel.com
n/a--Intel(R) GPA software installers
 		 Incorrect default permissions in some Intel(R) GPA software installers before version 2023.3 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 8.2 CVE-2023-24460
secure@intel.com
n/a--Intel(R) GPA software installers
 		 Improper access control in some Intel(R) GPA software installers before version 2023.3 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 7.3 CVE-2023-40071
secure@intel.com
n/a--Intel(R) GPA software installers
 		 Incorrect default permissions in some Intel(R) GPA software installers before version 2023.3 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 7.8 CVE-2023-43629
secure@intel.com
n/a--Intel(R) Neural Compressor software
 		 Improper input validation in some Intel(R) Neural Compressor software before version 2.5.0 may allow an unauthenticated user to potentially enable escalation of privilege via remote access. 2024-05-16 10 CVE-2024-22476
secure@intel.com
n/a--Intel(R) Power Gadget software for Windows
 		 Buffer overflow in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 8.8 CVE-2023-38581
secure@intel.com
n/a--Intel(R) Power Gadget software for Windows
 		 Improper neutralization in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 8.8 CVE-2023-42773
secure@intel.com
n/a--Intel(R) Power Gadget software for Windows
 		 Improper access control in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 8.8 CVE-2023-45217
secure@intel.com
n/a--Intel(R) Power Gadget software for Windows
 		 Use after free in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 7.9 CVE-2023-46691
secure@intel.com
n/a--Intel(R) Power Gadget software for macOS
 		 Improper access control in some Intel(R) Power Gadget software for macOS all versions may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 8.8 CVE-2023-40070
secure@intel.com
n/a--Intel(R) Power Gadget software for macOS
 		 Improper neutralization in Intel(R) Power Gadget software for macOS all versions may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 8.8 CVE-2023-46689
secure@intel.com
n/a--Intel(R) Stratix 10 and Intel(R) Agilex 7 FPGAs
 		 Unchecked return value in SDM firmware for Intel(R) Stratix 10 and Intel(R) Agilex 7 FPGAs before version 23.3 may allow an authenticated user to potentially enable denial of service via adjacent access. 2024-05-16 7.6 CVE-2023-41092
secure@intel.com
n/a--Intel(R) TDX module software
 		 Improper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access. 2024-05-16 7.9 CVE-2023-45745
secure@intel.com
n/a--Intel(R) Thunderbolt driver software
 		 Improper access control for some Intel(R) Thunderbolt driver software before version 89 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 7 CVE-2022-37410
secure@intel.com
n/a--PprRequestLog module in UEFI firmware for some Intel(R) Server D50DNP Family products
 		 Improper input validation in PprRequestLog module in UEFI firmware for some Intel(R) Server D50DNP Family products may allow a privileged user to enable escalation of privilege via local access. 2024-05-16 7.5 CVE-2024-22382
secure@intel.com
n/a--UEFI firmware for some Intel(R) Server D50DNP Family products
 		 Improper input validation in PlatformVariableInitDxe driver in UEFI firmware for some Intel(R) Server D50DNP Family products may allow a privileged user to enable escalation of privilege via local access. 2024-05-16 7.2 CVE-2024-22095
secure@intel.com
n/a--UEFI firmware for some Intel(R) Server D50DNP Family products
 		 Improper input validation in UserAuthenticationSmm driver in UEFI firmware for some Intel(R) Server D50DNP Family products may allow a privileged user to enable escalation of privilege via local access. 2024-05-16 7.5 CVE-2024-23487
secure@intel.com
n/a--UEFI firmware for some Intel(R) Server D50FCP Family products
 		 Improper buffer restrictions in PlatformPfrDxe driver in UEFI firmware for some Intel(R) Server D50FCP Family products may allow a privileged user to enable escalation of privilege via local access. 2024-05-16 7.5 CVE-2024-23980
secure@intel.com
n/a--UEFI firmware for some Intel(R) Server M50FCP Family products
 		 Improper input validation in PfrSmiUpdateFw driver in UEFI firmware for some Intel(R) Server M50FCP Family products may allow a privileged user to enable escalation of privilege via local access. 2024-05-16 7.5 CVE-2024-24981
secure@intel.com
n/a--n/a
 		 An issue was discovered in the installer in Samsung Portable SSD for T5 1.6.10 on Windows. Because it is possible to tamper with the directory and DLL files used during the installation process, an attacker can escalate privileges through arbitrary code execution. (An attacker must already have user privileges) 2024-05-14 7.3 CVE-2024-31954
cve@mitre.org
n/a--some Intel(R) PROSet/Wireless WiFi software for Windows
 		 Improper input validation for some some Intel(R) PROSet/Wireless WiFi software for Windows before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access. 2024-05-16 8.2 CVE-2023-38654
secure@intel.com
nautobot--nautobot
 		 Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `/admin/constance/config/` endpoint. Normally these settings are used to provide custom banner text at the top and bottom of all Nautobot web pages (or specifically on the login page in the case of `BANNER_LOGIN`) but it was reported that an admin user can make use of these settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as cross-site scripting (stored XSS). The vulnerability is fixed in Nautobot 1.6.22 and 2.2.4. 2024-05-14 7.5 CVE-2024-34707
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
nocodb--nocodb
 		 NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged. This vulnerability is fixed in 0.202.9. 2024-05-14 7.3 CVE-2023-49781
security-advisories@github.com
security-advisories@github.com
npgsql--npgsql
 		 Npgsql is the .NET data provider for PostgreSQL. The `WriteBind()` method in `src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs` uses `int` variables to store the message length and the sum of parameter lengths. Both variables overflow when the sum of parameter lengths becomes too large. This causes Npgsql to write a message size that is too small when constructing a Postgres protocol message to send it over the network to the database. When parsing the message, the database will only read a small number of bytes and treat any following bytes as new messages while they belong to the old message. Attackers can abuse this to inject arbitrary Postgres protocol messages into the connection, leading to the execution of arbitrary SQL statements on the application's behalf. This vulnerability is fixed in 4.0.14, 4.1.13, 5.0.18, 6.0.11, 7.0.7, and 8.0.3. 2024-05-14 8.1 CVE-2024-32655
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
nvidia--ChatRTX
 		 NVIDIA ChatRTX for Windows contains a vulnerability in Chat RTX UI, where a user can cause an improper privilege management issue by sending user inputs to change execution flow. A successful exploit of this vulnerability might lead to information disclosure, escalation of privileges, and data tampering. 2024-05-14 7.5 CVE-2024-0096
psirt@nvidia.com
nvidia--ChatRTX
 		 NVIDIA ChatRTX for Windows contains a vulnerability in ChatRTX UI, where a user can cause an improper privilege management issue by exploiting interprocess communication between different processes. A successful exploit of this vulnerability might lead to information disclosure, escalation of privileges, and data tampering. 2024-05-14 7.5 CVE-2024-0097
psirt@nvidia.com
nvidia--NVIDIA Triton Inference Server
 		 NVIDIA Triton Inference Server for Linux contains a vulnerability where a user can set the logging location to an arbitrary file. If this file exists, logs are appended to the file. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. 2024-05-14 9 CVE-2024-0087
psirt@nvidia.com
pencidesign--Penci Soledad Data Migrator
 		 The Penci Soledad Data Migrator plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.0 via the 'data' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. This is limited to just PHP files. 2024-05-17 9.8 CVE-2024-3551
security@wordfence.com
security@wordfence.com
plainware--ShiftController Employee Shift Scheduling
 		 The ShiftController Employee Shift Scheduling plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the `hc3_session`-cookie in versions up to, and including, 4.9.57. This makes it possible for an authenticated attacker with contributor access-level or above to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. 2024-05-16 7.5 CVE-2024-4733
security@wordfence.com
security@wordfence.com
plugins360--All-in-One Video Gallery
 		 The All-in-One Video Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.5 via the aiovg_search_form shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. 2024-05-15 8.8 CVE-2024-4670
security@wordfence.com
security@wordfence.com
powerfulwp--Local Delivery Drivers for WooCommerce
 		 Improper Privilege Management vulnerability in powerfulwp Local Delivery Drivers for WooCommerce allows Privilege Escalation.This issue affects Local Delivery Drivers for WooCommerce: from n/a through 1.9.0. 2024-05-17 9.8 CVE-2023-51481
audit@patchstack.com
ravanh--XML Sitemap & Google News
 		 The XML Sitemap & Google News plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.8 via the 'feed' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. 2024-05-14 8.1 CVE-2024-4441
security@wordfence.com
security@wordfence.com
smp7, wp.insider--Simple Membership
 		 Improper Authentication vulnerability in smp7, wp.Insider Simple Membership.This issue affects Simple Membership: from n/a through 4.3.4. 2024-05-17 8.8 CVE-2023-41956
audit@patchstack.com
smp7, wp.insider--Simple Membership
 		 Improper Privilege Management vulnerability in smp7, wp.Insider Simple Membership allows Privilege Escalation.This issue affects Simple Membership: from n/a through 4.3.4. 2024-05-17 8.6 CVE-2023-41957
audit@patchstack.com
spacemeshos--go-spacemesh
 		 go-spacemesh is a Go implementation of the Spacemesh protocol full node. Nodes can publish activations transactions (ATXs) which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule and can serve as an attack vector where Nodes are rewarded for holding their PoST data for less than one epoch but still being eligible for rewards. This vulnerability is fixed in go-spacemesh 1.5.2-hotfix1 and Spacemesh API 1.37.1. 2024-05-14 8.2 CVE-2024-34360
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
spoonthemes--Adifier System
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spoonthemes Adifier System allows PHP Local File Inclusion.This issue affects Adifier System: from n/a before 3.1.4. 2024-05-17 7.5 CVE-2023-49753
audit@patchstack.com
stalwartlabs--mail-server
 		 Stalwart Mail Server is an open-source mail server. Prior to version 0.8.0, attackers who achieved Arbitrary Code Execution as the stalwart-mail user (including web interface admins) can gain complete root access to the system. Usually, system services are run as a separate user (not as root) to isolate an attacker with Arbitrary Code Execution to the current service. Therefore, other system services and the system itself remains protected in case of a successful attack. stalwart-mail runs as a separate user, but it can give itself full privileges again in a simple way, so this protection is practically ineffective. Server admins who handed out the admin credentials to the mail server, but didn't want to hand out complete root access to the system, as well as any attacked user when the attackers gained Arbitrary Code Execution using another vulnerability, may be vulnerable. Version 0.8.0 contains a patch for the issue. 2024-05-16 9.1 CVE-2024-35187
security-advisories@github.com
strongSwan--strongSwan
 		 strongSwan versions 5.9.2 through 5.9.5 are affected by authorization bypass through improper validation of certificate with host mismatch (CWE-297). When certificates are used to authenticate clients in TLS-based EAP methods, the IKE or EAP identity supplied by a client is not enforced to be contained in the client's certificate. So clients can authenticate with any trusted certificate and claim an arbitrary IKE/EAP identity as their own. This is problematic if the identity is used to make policy decisions. A fix was released in strongSwan version 5.9.6 in August 2022 (e4b4aabc4996fc61c37deab7858d07bc4d220136). 2024-05-14 7.7 CVE-2022-4967
security@ubuntu.com
security@ubuntu.com
security@ubuntu.com
supsystic.com--Popup by Supsystic
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in supsystic.Com Popup by Supsystic allows Relative Path Traversal.This issue affects Popup by Supsystic: from n/a through 1.10.19. 2024-05-17 8.8 CVE-2023-46197
audit@patchstack.com
techjewel--Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder
 		 The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's settings and features. This also makes it possible for unauthenticated attackers to delete manager accounts. 2024-05-18 9.8 CVE-2024-2771
security@wordfence.com
security@wordfence.com
techjewel--Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder
 		 The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to modify all of the plugin's settings. 2024-05-18 7.5 CVE-2024-2782
security@wordfence.com
security@wordfence.com
techjewel--Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder
 		 The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' parameter in versions up to, and including, 5.1.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, and access granted by an administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-18 7.2 CVE-2024-4709
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
themeisle--Visualizer: Tables and Charts Manager for WordPress
 		 The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to unauthorized modification and retrieval of data due to a missing capability check on the getQueryData() function in all versions up to, and including, 3.10.15. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform arbitrary SQL queries that can be leveraged for privilege escalation among many other actions. 2024-05-16 8.8 CVE-2024-3750
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
themeum--Tutor LMS eLearning and online course solution
 		 The Tutor LMS plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete data. 2024-05-16 9.8 CVE-2024-4223
security@wordfence.com
security@wordfence.com
themeum--Tutor LMS eLearning and online course solution
 		 The Tutor LMS plugin for WordPress is vulnerable to time-based SQL Injection via the 'question_id' parameter in versions up to, and including, 2.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Instructor-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2024-05-16 8.8 CVE-2024-4318
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
themium--Tutor LMS Pro
 		 The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to gain control of an existing administrator account. 2024-05-16 8.8 CVE-2024-4351
security@wordfence.com
security@wordfence.com
themium--Tutor LMS Pro
 		 The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'get_calendar_materials' function. The plugin is also vulnerable to SQL Injection via the 'year' parameter of that function due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2024-05-16 8.8 CVE-2024-4352
security@wordfence.com
security@wordfence.com
themium--Tutor LMS Pro
 		 The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options. 2024-05-16 7.3 CVE-2024-4222
security@wordfence.com
security@wordfence.com
thimpress--LearnPress WordPress LMS Plugin
 		 The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'term_id' parameter in versions up to, and including, 4.2.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2024-05-14 9.8 CVE-2024-4434
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
thimpress--LearnPress WordPress LMS Plugin
 		 The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_post_materials' function in versions up to, and including, 4.2.6.5. This makes it possible for authenticated attackers, with Instructor-level permissions and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. 2024-05-14 8.8 CVE-2024-4397
security@wordfence.com
security@wordfence.com
security@wordfence.com
unitecms--Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
 		 The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 1.5.102 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2024-05-14 8.8 CVE-2024-3055
security@wordfence.com
security@wordfence.com
security@wordfence.com
unitecms--Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
 		 The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to command injection in all versions up to, and including, 1.5.102. This is due to insufficient filtering of template attributes during the creation of HTML for custom widgets This makes it possible for authenticated attackers, with administrator-level access and above, to execute arbitrary commands on the server. 2024-05-14 7.2 CVE-2024-2662
security@wordfence.com
security@wordfence.com
valtimo-platform--valtimo-frontend-libraries
 		 Valtimo is an open source business process and case management platform. When opening a form in Valtimo, the access token (JWT) of the user is exposed to `api.form.io` via the the `x-jwt-token` header. An attacker can retrieve personal information from this token, or use it to execute requests to the Valtimo REST API on behalf of the logged-in user. This issue is caused by a misconfiguration of the Form.io component. The following conditions have to be met in order to perform this attack: An attacker needs to have access to the network traffic on the `api.form.io` domain; the content of the `x-jwt-token` header is logged or otherwise available to the attacker; an attacker needs to have network access to the Valtimo API; and an attacker needs to act within the time-to-live of the access token. The default TTL in Keycloak is 5 minutes. Versions 10.8.4, 11.1.6 and 11.2.2 have been patched. 2024-05-14 9.8 CVE-2024-34706
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
vendor or project--product name
 		 A potential vulnerability has been identified for OpenText Operations Bridge Reporter. The vulnerability could be exploited to inject malicious SQL queries. An attack requires to be an authenticated administrator of OBR with network access to the OBR web application. 2024-05-17 7.2 CVE-2021-22508
security@opentext.com
vercel--next.js
 		 Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to be making use of the [rewrites](https://nextjs.org/docs/app/api-reference/next-config-js/rewrites) feature in Next.js. The vulnerability is resolved in Next.js `13.5.1` and newer. 2024-05-14 7.5 CVE-2024-34350
security-advisories@github.com
vercel--next.js
 		 Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`. 2024-05-14 7.5 CVE-2024-34351
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
weDevs--WP User Frontend
 		 Improper Privilege Management vulnerability in weDevs WP User Frontend allows Privilege Escalation.This issue affects WP User Frontend: from n/a through 3.6.5. 2024-05-17 7.2 CVE-2023-47682
audit@patchstack.com
wpForo--wpForo Forum
 		 Improper Privilege Management vulnerability in wpForo wpForo Forum allows Privilege Escalation.This issue affects wpForo Forum: from n/a through 2.2.3. 2024-05-17 7.3 CVE-2023-47868
audit@patchstack.com

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source & Patch Info
10Web Form Builder Team--Form Maker by 10Web
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Form Builder Team Form Maker by 10Web allows Stored XSS.This issue affects Form Maker by 10Web: from n/a through 1.15.24. 2024-05-14 5.9 CVE-2024-34437
audit@patchstack.com
1Panel-dev--1Panel
 		 1Panel is an open source Linux server operation and maintenance management panel. Prior to v1.10.3-lts, there are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The mirror configuration write symbol `>` can be used to achieve arbitrary file writing. This vulnerability is fixed in v1.10.3-lts. 2024-05-14 6.5 CVE-2024-34352
security-advisories@github.com
ABB--RobotWare 6
 		 An attacker who successfully exploited these vulnerabilities could cause the robot to stop, make the robot controller inaccessible. The vulnerability could potentially be exploited to perform unauthorized actions by an attacker. This vulnerability arises under specific condition when specially crafted message is processed by the system. Below are reported vulnerabilities in the Robot Ware versions. * IRC5- RobotWare 6 < 6.15.06 except 6.10.10, and 6.13.07 * OmniCore- RobotWare 7 < 7.14 2024-05-14 6.5 CVE-2024-1914
cybersecurity@ch.abb.com
AREOI--All Bootstrap Blocks
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AREOI All Bootstrap Blocks allows Stored XSS.This issue affects All Bootstrap Blocks: from n/a through 1.3.15. 2024-05-14 5.9 CVE-2024-35169
audit@patchstack.com
AROX SOLUTION--School ERP Pro+Responsive
 		 Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the username and password parameters in '/index.php'. This vulnerability allows an attacker to partially take control of the victim's browser session. 2024-05-14 6.5 CVE-2024-4822
cve-coordination@incibe.es
AROX SOLUTION--School ERP Pro+Responsive
 		 Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the index '/schoolerp/office_admin/' in the parameters es_bankacc, es_bank_name, es_bank_pin, es_checkno, es_teller_number, dc1 and dc2. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session. 2024-05-14 6.5 CVE-2024-4823
cve-coordination@incibe.es
Academy LMS--Academy LMS
 		 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Academy LMS academy.This issue affects Academy LMS: from n/a through 1.9.25. 2024-05-14 5.3 CVE-2024-35171
audit@patchstack.com
Adam DeHaven--Perfect Pullquotes
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adam DeHaven Perfect Pullquotes allows Stored XSS.This issue affects Perfect Pullquotes: from n/a through 1.7.5. 2024-05-14 6.5 CVE-2024-33951
audit@patchstack.com
Adobe--Acrobat Reader
 		 Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier Answer: are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-15 5.5 CVE-2024-30311
psirt@adobe.com
Adobe--Acrobat Reader
 		 Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier Answer: are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-15 5.5 CVE-2024-30312
psirt@adobe.com
Adobe--Acrobat Reader
 		 Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier Answer: are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-15 5.5 CVE-2024-34101
psirt@adobe.com
Adobe--Adobe Framemaker
 		 Adobe Framemaker versions 2020.5, 2022.3 and earlier Answer: are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 5.5 CVE-2024-30283
psirt@adobe.com
Adobe--Adobe Framemaker
 		 Adobe Framemaker versions 2020.5, 2022.3 and earlier Answer: are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 5.5 CVE-2024-30286
psirt@adobe.com
Adobe--Adobe Framemaker
 		 Adobe Framemaker versions 2020.5, 2022.3 and earlier Answer: are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 5.5 CVE-2024-30287
psirt@adobe.com
Adobe--Animate
 		 Animate versions 24.0.2, 23.0.5 and earlier Answer: are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 5.5 CVE-2024-30298
psirt@adobe.com
Adobe--Illustrator
 		 Illustrator versions 28.4, 27.9.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 5.5 CVE-2024-20793
psirt@adobe.com
Adobe--Substance3D - Designer
 		 Substance3D - Designer versions 13.1.1 and earlier Answer: are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 5.5 CVE-2024-30281
psirt@adobe.com
Adobe--Substance3D - Painter
 		 Substance3D - Painter versions 9.1.2 and earlier Answer: are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 5.5 CVE-2024-30308
psirt@adobe.com
Adobe--Substance3D - Painter
 		 Substance3D - Painter versions 9.1.2 and earlier Answer: are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-05-16 5.5 CVE-2024-30309
psirt@adobe.com
Aleksei Polechin (alek)--Archives Calendar Widget
 		 Administrator Cross Site Scripting (XSS) in Archives Calendar Widget <= 1.0.15 versions. 2024-05-14 5.9 CVE-2024-33950
audit@patchstack.com
AlexaCRM--Dynamics 365 Integration
 		 Insertion of Sensitive Information into Log File vulnerability in AlexaCRM Dynamics 365 Integration.This issue affects Dynamics 365 Integration: from n/a through 1.3.17. 2024-05-14 5.3 CVE-2024-34550
audit@patchstack.com
Andy Moyle--Church Admin
 		 Missing Authorization vulnerability in Andy Moyle Church Admin church-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through 4.1.6. 2024-05-17 6.3 CVE-2024-31281
audit@patchstack.com
Andy Moyle--Church Admin
 		 Cross-Site Request Forgery (CSRF) vulnerability in Andy Moyle Church Admin.This issue affects Church Admin: from n/a through 4.1.32. 2024-05-14 4.3 CVE-2024-34828
audit@patchstack.com
AppPresser Team--AppPresser
 		 Missing Authorization vulnerability in AppPresser Team AppPresser.This issue affects AppPresser: from n/a through 4.3.0. 2024-05-14 6.5 CVE-2024-32776
audit@patchstack.com
Artbees--SellKit
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Artbees SellKit allows Relative Path Traversal.This issue affects SellKit: from n/a through 1.8.1. 2024-05-17 6.5 CVE-2024-30509
audit@patchstack.com
Atanas Yonkov--Pliska
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atanas Yonkov Pliska allows Stored XSS.This issue affects Pliska: from n/a through 0.3.5. 2024-05-14 6.5 CVE-2024-33954
audit@patchstack.com
Automattic--WP Job Manager
 		 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Automattic WP Job Manager.This issue affects WP Job Manager: from n/a through 2.2.2. 2024-05-14 5.3 CVE-2024-34549
audit@patchstack.com
BdThemes--Ultimate Store Kit Elementor Addons
 		 Deserialization of Untrusted Data vulnerability in BdThemes Ultimate Store Kit Elementor Addons.This issue affects Ultimate Store Kit Elementor Addons: from n/a through 1.6.2. 2024-05-14 5.4 CVE-2024-4606
audit@patchstack.com
Benoti--Brozzme Scroll Top
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benoti Brozzme Scroll Top allows Stored XSS.This issue affects Brozzme Scroll Top: from n/a through 1.8.5. 2024-05-14 5.9 CVE-2024-34426
audit@patchstack.com
BestWebSoft--Captcha by BestWebSoft
 		 Guessable CAPTCHA vulnerability in BestWebSoft Captcha by BestWebSoft allows Functionality Bypass.This issue affects Captcha by BestWebSoft: from n/a through 5.2.0. 2024-05-17 5.3 CVE-2024-31295
audit@patchstack.com
BetterAddons--Better Elementor Addons
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BetterAddons Better Elementor Addons better-elementor-addons allows Stored XSS.This issue affects Better Elementor Addons: from n/a through 1.4.4. 2024-05-14 6.5 CVE-2024-34432
audit@patchstack.com
Bootstrapped Ventures--Easy Affiliate Links
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bootstrapped Ventures Easy Affiliate Links allows Stored XSS.This issue affects Easy Affiliate Links: from n/a through 3.7.2. 2024-05-14 6.5 CVE-2024-34441
audit@patchstack.com
Brainstorm Force--Ultimate Addons for Beaver Builder
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Brainstorm Force Ultimate Addons for Beaver Builder allows Relative Path Traversal.This issue affects Ultimate Addons for Beaver Builder: from n/a through 1.35.13. 2024-05-17 6.3 CVE-2023-51401
audit@patchstack.com
Byzoro--Smart S200 Management Platform
 		 A vulnerability was found in Byzoro Smart S200 Management Platform up to 20240507. It has been rated as critical. This issue affects some unknown processing of the file /useratte/userattestation.php. The manipulation of the argument web_img leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264437 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-05-15 6.3 CVE-2024-4904
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
CRM Perks--Integration for Contact Form 7 HubSpot
 		 Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Contact Form 7 HubSpot.This issue affects Integration for Contact Form 7 HubSpot: from n/a through 1.3.1. 2024-05-17 4.3 CVE-2024-34756
audit@patchstack.com
CRM Perks--Integration for Contact Form 7 and Salesforce
 		 Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Contact Form 7 and Salesforce.This issue affects Integration for Contact Form 7 and Salesforce: from n/a through 1.3.9. 2024-05-17 4.3 CVE-2024-34755
audit@patchstack.com
CRM Perks--Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms
 		 Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms.This issue affects Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.2.0. 2024-05-14 4.3 CVE-2024-34817
audit@patchstack.com
Cacti--cacti
 		 Cacti provides an operational monitoring and fault management framework. A reflected cross-site scripting vulnerability on the 1.3.x DEV branch allows attackers to obtain cookies of administrator and other users and fake their login using obtained cookies. This issue is fixed in commit a38b9046e9772612fda847b46308f9391a49891e. 2024-05-14 6.1 CVE-2024-30268
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Cacti--cacti
 		 Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_automation.php` , finally resulting in SQL injection. Using SQL based secondary injection technology, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue. 2024-05-14 6.5 CVE-2024-31460
security-advisories@github.com
security-advisories@github.com
Cacti--cacti
 		 Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables `$title` and `$header`. If those variables contain single quotes, they can be used to inject JavaScript code. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. Version 1.2.27 fixes this issue. 2024-05-14 5.4 CVE-2024-29894
security-advisories@github.com
security-advisories@github.com
Cacti--cacti
 		 Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue. 2024-05-14 5.7 CVE-2024-31443
security-advisories@github.com
security-advisories@github.com
Cacti--cacti
 		 Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `form_confirm()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue. 2024-05-14 4.6 CVE-2024-31444
security-advisories@github.com
Cacti--cacti
 		 Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in `draw_nontemplated_fields_graph_item()` function from `lib/html_form_templates.php` , finally resulting in SQL injection. Version 1.2.27 contains a patch for the issue. 2024-05-14 4.6 CVE-2024-31458
security-advisories@github.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability, which was classified as critical, was found in Campcodes Complete Web-Based School Management System 1.0. This affects an unknown part of the file /view/show_student1.php. The manipulation of the argument grade leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264441 was assigned to this vulnerability. 2024-05-15 6.3 CVE-2024-4906
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability has been found in Campcodes Complete Web-Based School Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /view/show_student2.php. The manipulation of the argument grade leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-264442 is the identifier assigned to this vulnerability. 2024-05-15 6.3 CVE-2024-4907
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /view/student_attendance_history1.php. The manipulation of the argument index leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-264443. 2024-05-15 6.3 CVE-2024-4908
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /view/student_due_payment.php. The manipulation of the argument due_year leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264444. 2024-05-15 6.3 CVE-2024-4909
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /view/student_exam_mark_insert_form1.php. The manipulation of the argument grade leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264445 was assigned to this vulnerability. 2024-05-15 6.3 CVE-2024-4910
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /view/student_exam_mark_update_form.php. The manipulation of the argument exam leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-264446 is the identifier assigned to this vulnerability. 2024-05-15 6.3 CVE-2024-4911
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability, which was classified as critical, was found in Campcodes Legal Case Management System 1.0. Affected is an unknown function of the file /admin/general-setting of the component Setting Handler. The manipulation of the argument favicon/logo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-263622 is the identifier assigned to this vulnerability. 2024-05-14 4.7 CVE-2024-4681
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Examination System
 		 A vulnerability classified as critical has been found in Campcodes Online Examination System 1.0. This affects an unknown part of the file addExamExe.php. The manipulation of the argument examTitle leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-264447. 2024-05-15 6.3 CVE-2024-4912
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Examination System
 		 A vulnerability classified as critical was found in Campcodes Online Examination System 1.0. This vulnerability affects unknown code of the file exam.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264448. 2024-05-15 6.3 CVE-2024-4913
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Examination System
 		 A vulnerability, which was classified as critical, has been found in Campcodes Online Examination System 1.0. This issue affects some unknown processing of the file ranking-exam.php. The manipulation of the argument exam_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264449 was assigned to this vulnerability. 2024-05-15 6.3 CVE-2024-4914
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Examination System
 		 A vulnerability, which was classified as critical, was found in Campcodes Online Examination System 1.0. Affected is an unknown function of the file result.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-264450 is the identifier assigned to this vulnerability. 2024-05-15 6.3 CVE-2024-4915
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Examination System
 		 A vulnerability has been found in Campcodes Online Examination System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file selExamAttemptExe.php. The manipulation of the argument thisId leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-264451. 2024-05-15 6.3 CVE-2024-4916
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Examination System
 		 A vulnerability was found in Campcodes Online Examination System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file submitAnswerExe.php. The manipulation of the argument exmne_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264452. 2024-05-15 6.3 CVE-2024-4917
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Examination System
 		 A vulnerability was found in Campcodes Online Examination System 1.0. It has been classified as critical. This affects an unknown part of the file updateQuestion.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264453 was assigned to this vulnerability. 2024-05-15 6.3 CVE-2024-4918
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Examination System
 		 A vulnerability was found in Campcodes Online Examination System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /adminpanel/admin/query/addCourseExe.php. The manipulation of the argument course_name leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-264454 is the identifier assigned to this vulnerability. 2024-05-16 6.3 CVE-2024-4919
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Laundry Management System
 		 A vulnerability, which was classified as critical, has been found in Campcodes Online Laundry Management System 1.0. This issue affects some unknown processing of the file /admin_class.php. The manipulation of the argument id/delete_category/delete_inv/delete_laundry/delete_supply/delete_user/login/save_inv/save_user leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263891. 2024-05-14 6.3 CVE-2024-4792
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Laundry Management System
 		 A vulnerability, which was classified as critical, was found in Campcodes Online Laundry Management System 1.0. Affected is an unknown function of the file /manage_laundry.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263892. 2024-05-14 6.3 CVE-2024-4793
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Laundry Management System
 		 A vulnerability has been found in Campcodes Online Laundry Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /manage_receiving.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263893 was assigned to this vulnerability. 2024-05-14 6.3 CVE-2024-4794
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Laundry Management System
 		 A vulnerability was found in Campcodes Online Laundry Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /manage_user.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-263894 is the identifier assigned to this vulnerability. 2024-05-14 6.3 CVE-2024-4795
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Laundry Management System
 		 A vulnerability was found in Campcodes Online Laundry Management System 1.0. It has been classified as critical. This affects an unknown part of the file /manage_inv.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263895. 2024-05-14 6.3 CVE-2024-4796
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Laundry Management System
 		 A vulnerability has been found in Campcodes Online Laundry Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file manage_user.php of the component HTTP Request Parameter Handler. The manipulation of the argument id leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-263938 is the identifier assigned to this vulnerability. 2024-05-14 6.3 CVE-2024-4817
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Laundry Management System
 		 A vulnerability was found in Campcodes Online Laundry Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file /index.php. The manipulation of the argument page leads to file inclusion. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263939. 2024-05-14 5.3 CVE-2024-4818
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Laundry Management System
 		 A vulnerability was found in Campcodes Online Laundry Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file admin_class.php. The manipulation of the argument type with the input 1 leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263940. 2024-05-14 4.3 CVE-2024-4819
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Cisco--Cisco AppDynamics
 		 A vulnerability in Cisco AppDynamics Network Visibility Agent could allow an unauthenticated, local attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to the inability to handle unexpected input. An attacker who has local device access could exploit this vulnerability by sending an HTTP request to the targeted service. A successful exploit could allow the attacker to cause a DoS condition by stopping the Network Agent Service on the local device. 2024-05-15 5.5 CVE-2024-20394
ykramarz@cisco.com
Cisco--Cisco Network Services Orchestrator
 		 A vulnerability in the web-based management interface of Cisco Crosswork Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of a parameter in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website. 2024-05-15 4.7 CVE-2024-20369
ykramarz@cisco.com
Cisco--Cisco Secure Client
 		 A vulnerability in the Network Access Manager (NAM) module of Cisco Secure Client could allow an unauthenticated attacker with physical access to an affected device to elevate privileges to SYSTEM. This vulnerability is due to a lack of authentication on a specific function. A successful exploit could allow the attacker to execute arbitrary code with SYSTEM privileges on an affected device. 2024-05-15 6.8 CVE-2024-20391
ykramarz@cisco.com
Cisco--Cisco Secure Email and Web Manager
 		 A vulnerability in the Cisco Crosswork NSO CLI and the ConfD CLI could allow an authenticated, low-privileged, local attacker to elevate privileges to root on the underlying operating system. The vulnerability is due to an incorrect privilege assignment when specific CLI commands are used. An attacker could exploit this vulnerability by executing an affected CLI command. A successful exploit could allow the attacker to elevate privileges to root on the underlying operating system. 2024-05-15 4.8 CVE-2024-20383
ykramarz@cisco.com
Cisco--Cisco Secure Email
 		 A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager and Secure Email Gateway could allow an unauthenticated, remote attacker to conduct an XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. 2024-05-15 6.1 CVE-2024-20258
ykramarz@cisco.com
Cisco--Cisco Secure Email
 		 A vulnerability in the web-based management API of Cisco AsyncOS Software for Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. This vulnerability is due to insufficient input validation of some parameters that are passed to the web-based management API of the affected system. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to perform cross-site scripting (XSS) attacks, resulting in the execution of arbitrary script code in the browser of the targeted user, or could allow the attacker to access sensitive, browser-based information. 2024-05-15 6.1 CVE-2024-20392
ykramarz@cisco.com
Cisco--Cisco Secure Email
 		 A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email Gateway could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface.r This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. 2024-05-15 4.8 CVE-2024-20257
ykramarz@cisco.com
Cisco--Cisco Secure Web Appliance
 		 A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager and Secure Web Appliance could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. 2024-05-15 4.8 CVE-2024-20256
ykramarz@cisco.com
CodeBard--Fast Custom Social Share by CodeBard
 		 Cross-Site Request Forgery (CSRF) vulnerability in CodeBard Fast Custom Social Share by CodeBard.This issue affects Fast Custom Social Share by CodeBard: from n/a through 1.1.2. 2024-05-17 4.3 CVE-2024-34807
audit@patchstack.com
CodePeople--Appointment Hour Booking
 		 Improper Restriction of Excessive Authentication Attempts vulnerability in CodePeople Appointment Hour Booking allows Removing Important Client Functionality.This issue affects Appointment Hour Booking: from n/a through 1.4.56. 2024-05-17 5.3 CVE-2024-32720
audit@patchstack.com
CodePeople--CP Polls
 		 : Improper Control of Interaction Frequency vulnerability in CodePeople CP Polls allows Flooding.This issue affects CP Polls: from n/a through 1.0.71. 2024-05-17 5.3 CVE-2024-24873
audit@patchstack.com
CodePeople--CP Polls
 		 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in CodePeople CP Polls allows Code Injection.This issue affects CP Polls: from n/a through 1.0.71. 2024-05-17 5.3 CVE-2024-24874
audit@patchstack.com
Codezips--E-Commerce Site
 		 A vulnerability has been found in Codezips E-Commerce Site 1.0 and classified as critical. This vulnerability affects unknown code of the file admin/addproduct.php. The manipulation of the argument profilepic leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264460. 2024-05-16 6.3 CVE-2024-4923
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Codezips--E-Commerce Site
 		 A vulnerability, which was classified as critical, has been found in Codezips E-Commerce Site 1.0. Affected by this issue is some unknown functionality of the file admin/editproduct.php. The manipulation of the argument profilepic leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-264746 is the identifier assigned to this vulnerability. 2024-05-17 6.3 CVE-2024-5049
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Cozmoslabs, Razvan Mocanu, Madalin Ungureanu, Cristophor Hurduban--TranslatePress
 		 Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs, Razvan Mocanu, Madalin Ungureanu, Cristophor Hurduban TranslatePress.This issue affects TranslatePress: from n/a through 2.7.5. 2024-05-14 4.3 CVE-2024-34827
audit@patchstack.com
Cozmoslabs--Profile Builder
 		 Insufficient Verification of Data Authenticity vulnerability in Cozmoslabs Profile Builder allows Functionality Bypass.This issue affects Profile Builder: from n/a through 3.11.2. 2024-05-17 5.3 CVE-2024-31341
audit@patchstack.com
Creative Motion--Clearfy Cache
 		 Cross-Site Request Forgery (CSRF) vulnerability in Creative Motion Clearfy Cache.This issue affects Clearfy Cache: from n/a through 2.2.1. 2024-05-17 4.3 CVE-2024-34806
audit@patchstack.com
CriticalMoments--CMSaasStarter
 		 CMSaaSStarter is a SaaS template/boilerplate built with SvelteKit, Tailwind, and Supabase. Any forks of the CMSaaSStarter template before commit 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 are impacted. The issue is the user JWT Token is not verified on server session. You should take the patch 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 into your fork. 2024-05-14 6.5 CVE-2024-34354
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
CyberPower--PowerPanel business
 		 Certain MQTT wildcards are not blocked on the CyberPower PowerPanel system, which might result in an attacker obtaining data from throughout the system after gaining access to any device. 2024-05-15 6.5 CVE-2024-31409
ics-cert@hq.dhs.gov
ics-cert@hq.dhs.gov
CyberPower--PowerPanel business
 		 The key used to encrypt passwords stored in the database can be found in the CyberPower PowerPanel application code, allowing the passwords to be recovered. 2024-05-15 4.9 CVE-2024-32042
ics-cert@hq.dhs.gov
ics-cert@hq.dhs.gov
Dassault Systmes--3DSwymer
 		 A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboard in 3DSwymer from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code. 2024-05-17 5.4 CVE-2023-5597
3DS.Information-Security@3ds.com
Dell--PowerScale OneFS
 		 Dell PowerScale OneFS versions 8.2.x through 9.7.0.2 contains an external control of file name or path vulnerability. A local high privilege attacker could potentially exploit this vulnerability, leading to denial of service. 2024-05-14 6.1 CVE-2024-25965
security_alert@emc.com
Dell--PowerScale OneFS
 		 Dell PowerScale OneFS versions 8.2.x through 9.7.0.1 contains an execution with unnecessary privileges vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. 2024-05-14 6.7 CVE-2024-25967
security_alert@emc.com
Dell--PowerScale OneFS
 		 Dell PowerScale OneFS versions 8.2.x through 9.7.0.1 contains an allocation of resources without limits or throttling vulnerability. A local unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. 2024-05-14 6.2 CVE-2024-25969
security_alert@emc.com
Dell--PowerScale OneFS
 		 Dell PowerScale OneFS versions 8.2.x through 9.7.0.1 contains an improper input validation vulnerability. A low privileged remote attacker could potentially exploit this vulnerability, leading to loss of integrity. 2024-05-14 6.5 CVE-2024-25970
security_alert@emc.com
Dell--PowerScale OneFS
 		 Dell PowerScale OneFS versions 8.2.x through 9.7.0.2 contains an improper handling of unexpected data type vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. 2024-05-14 5.3 CVE-2024-25966
security_alert@emc.com
Dell--PowerScale OneFS
 		 Dell PowerScale OneFS versions 8.2.x through 9.7.0.2 contains a use of a broken or risky cryptographic algorithm vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure. 2024-05-14 5.9 CVE-2024-25968
security_alert@emc.com
Easy Digital Downloads--Easy Digital Downloads
 		 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Easy Digital Downloads.This issue affects Easy Digital Downloads: from n/a through 3.2.11. 2024-05-14 5.3 CVE-2024-32100
audit@patchstack.com
Easy Digital Downloads--Easy Digital Downloads
 		 Cross-Site Request Forgery (CSRF) vulnerability in Easy Digital Downloads.This issue affects Easy Digital Downloads: from n/a through 3.2.11. 2024-05-14 4.3 CVE-2024-31113
audit@patchstack.com
Elegant Themes--Divi Builder
 		 The Elegant Themes Divi theme, Extra theme, and Divi Page Builder plugin for WordPress are vulnerable to DOM-Based Stored Cross-Site Scripting via the 'title' parameter in versions up to, and including, 4.25.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4490
security@wordfence.com
security@wordfence.com
security@wordfence.com
EnvoThemes--Envo's Elementor Templates & Widgets for WooCommerce
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EnvoThemes Envo's Elementor Templates & Widgets for WooCommerce allows Stored XSS.This issue affects Envo's Elementor Templates & Widgets for WooCommerce: from n/a through 1.4.8. 2024-05-14 6.5 CVE-2024-35167
audit@patchstack.com
Eric Alli--Google Typography
 		 Missing Authorization vulnerability in Eric Alli Google Typography.This issue affects Google Typography: from n/a through 1.1.2. 2024-05-14 4.3 CVE-2024-33942
audit@patchstack.com
Extend Themes--EmpowerWP
 		 Cross-Site Request Forgery (CSRF) vulnerability in Extend Themes EmpowerWP.This issue affects EmpowerWP: from n/a through 1.0.21. 2024-05-17 4.3 CVE-2024-34809
audit@patchstack.com
Felix Moira--Popup More Popups
 		 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Felix Moira Popup More Popups allows Stored XSS.This issue affects Popup More Popups: from n/a through 2.3.1. 2024-05-17 5.9 CVE-2024-32800
audit@patchstack.com
Flothemes--Flo Forms
 		 Missing Authorization vulnerability in Flothemes Flo Forms.This issue affects Flo Forms: from n/a through 1.0.42. 2024-05-17 5.3 CVE-2024-35174
audit@patchstack.com
FmeAddons--Conditional Checkout Fields for WooCommerce
 		 Missing Authorization vulnerability in FmeAddons Conditional Checkout Fields for WooCommerce.This issue affects Conditional Checkout Fields for WooCommerce: from n/a through 1.2.3. 2024-05-17 5.3 CVE-2022-45070
audit@patchstack.com
Fortinet--FortiADC
 		 An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiADC version 7.4.1 and below, version 7.2.3 and below, version 7.1.4 and below, version 7.0.5 and below, version 6.2.6 and below may allow a read-only admin to view data pertaining to other admins. 2024-05-14 5.5 CVE-2023-50180
psirt@fortinet.com
Fortinet--FortiNAC
 		 An improper neutralization of inputs during web page generation vulnerability [CWE-79] in FortiNAC version 9.4.0 through 9.4.4, 9.2.0 through 9.2.8, 9.1.0 through 9.1.10, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 7.2.0 through 7.2.3 may allow a remote authenticated attacker to perform stored and reflected cross site scripting (XSS) attack via crafted HTTP requests. 2024-05-14 6.8 CVE-2024-31488
psirt@fortinet.com
Fortinet--FortiOS
 		 A double free vulnerability [CWE-415] in Fortinet FortiOS before 7.0.0 may allow a privileged attacker to execute code or commands via crafted HTTP or HTTPs requests. 2024-05-14 6.6 CVE-2023-44247
psirt@fortinet.com
Fortinet--FortiOS
 		 An improper check or handling of exceptional conditions vulnerability [CWE-703] in Fortinet FortiOS version 7.4.1 allows an unauthenticated attacker to provoke a denial of service on the administrative interface via crafted HTTP requests. 2024-05-14 5.3 CVE-2024-26007
psirt@fortinet.com
Fortinet--FortiProxy
 		 A use of externally-controlled format string in Fortinet FortiProxy versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.10, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, FortiPAM versions 1.0.0 through 1.0.3, FortiOS versions 7.2.0, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.16 allows attacker to execute unauthorized code or commands via specially crafted commands 2024-05-14 6.7 CVE-2023-36640
psirt@fortinet.com
Fortinet--FortiProxy
 		 A use of externally-controlled format string in Fortinet FortiProxy versions 7.2.0 through 7.2.5, 7.0.0 through 7.0.11, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6 FortiPAM versions 1.1.0, 1.0.0 through 1.0.3 FortiOS versions 7.4.0, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15 FortiSwitchManager versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.2 allows attacker to execute unauthorized code or commands via specially crafted cli commands and http requests. 2024-05-14 6.7 CVE-2023-45583
psirt@fortinet.com
Fortinet--FortiProxy
 		 An insufficient verification of data authenticity vulnerability [CWE-345] in Fortinet FortiOS SSL-VPN tunnel mode version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.7 and before 7.0.12 & FortiProxy SSL-VPN tunnel mode version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.7 and before 7.0.13 allows an authenticated VPN user to send (but not receive) packets spoofing the IP of another user via crafted network packets. 2024-05-14 5 CVE-2023-45586
psirt@fortinet.com
GE HealthCare--EchoPAC Software Only
 		 Non privileged access to critical file vulnerability in GE HealthCare EchoPAC products 2024-05-14 6.8 CVE-2024-27108
171caf72-b841-4e04-a68e-93493aff2b94
GE HealthCare--EchoPAC Software Only
 		 Vulnerable data in transit in GE HealthCare EchoPAC products 2024-05-14 5.7 CVE-2024-27106
171caf72-b841-4e04-a68e-93493aff2b94
GE HealthCare--Venue
 		 Path traversal vulnerability in "deleteFiles" function of Common Service Desktop, a GE HealthCare ultrasound device component 2024-05-14 6.2 CVE-2024-1629
171caf72-b841-4e04-a68e-93493aff2b94
GZTimeWalker--GZCTF
 		 GZ::CTF is a capture the flag platform. Prior to 0.20.1, unprivileged user can perform cross-site scripting attacks on other users by constructing malicious team names. This problem has been fixed in `v0.20.1`. 2024-05-14 6.5 CVE-2024-34699
security-advisories@github.com
security-advisories@github.com
German Mesky--GMAce
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in German Mesky GMAce allows Path Traversal.This issue affects GMAce: from n/a through 1.5.2. 2024-05-17 4.9 CVE-2023-23872
audit@patchstack.com
GhozyLab, Inc.--Popup Builder
 		 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in GhozyLab, Inc. Popup Builder allows Stored XSS.This issue affects Popup Builder: from n/a through 1.1.29. 2024-05-17 5.9 CVE-2024-34567
audit@patchstack.com
GitLab--GitLab
 		 An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. A problem with the processing logic for Discord Integrations Chat Messages can lead to a regular expression DoS attack on the server. 2024-05-14 6.5 CVE-2023-6682
cve@gitlab.com
cve@gitlab.com
GitLab--GitLab
 		 An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.11 prior to 16.11.2. A problem with the processing logic for Google Chat Messages integration may lead to a regular expression DoS attack on the server. 2024-05-14 6.5 CVE-2023-6688
cve@gitlab.com
cve@gitlab.com
GitLab--GitLab
 		 An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. The pins endpoint is susceptible to DoS through a crafted request. 2024-05-14 6.5 CVE-2024-2454
cve@gitlab.com
cve@gitlab.com
GitLab--GitLab
 		 An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. It was possible for an attacker to cause a denial of service using maliciously crafted markdown content. 2024-05-14 6.5 CVE-2024-2651
cve@gitlab.com
cve@gitlab.com
GitLab--GitLab
 		 An issue has been discovered in GitLab EE affecting all versions from 16.7 before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. An attacker could force a user with an active SAML session to approve an MR via CSRF. 2024-05-14 5.7 CVE-2024-4597
cve@gitlab.com
GitLab--GitLab
 		 An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 where abusing the API to filter branch and tags could lead to Denial of Service. 2024-05-14 4.3 CVE-2024-4539
cve@gitlab.com
Google--Gvisor
 		 A denial of service exists in Gvisor Sandbox where a bug in reference counting code in mount point tracking could lead to a panic, making it possible for an attacker running as root and with permission to mount volumes to kill the sandbox. We recommend upgrading past commit 6a112c60a257dadac59962e0bc9e9b5aee70b5b6 2024-05-15 4.8 CVE-2023-7258
cve-coordination@google.com
Guido--VS Contact Form
 		 Guessable CAPTCHA vulnerability in Guido VS Contact Form allows Functionality Bypass.This issue affects VS Contact Form: from n/a through 14.7. 2024-05-17 5.3 CVE-2024-30540
audit@patchstack.com
Gutenify--Gutenify
 		 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Gutenify.This issue affects Gutenify: from n/a through 1.4.0. 2024-05-14 5.3 CVE-2024-35165
audit@patchstack.com
HCL Software--BigFix Platform
 		 An attacker could potentially intercept credentials via the task manager and perform unauthorized access to the Client Deploy Tool on Windows systems. 2024-05-17 6.7 CVE-2024-23583
psirt@hcl.com
HCL Software--BigFix Platform
 		 Cross-Site Request Forgery (CSRF) on Session Token vulnerability that could potentially lead to Remote Code Execution (RCE). 2024-05-18 5.7 CVE-2024-23554
psirt@hcl.com
HCL Software--BigFix Platform
 		 SSL/TLS Renegotiation functionality potentially leading to DoS attack vulnerability. 2024-05-18 5.9 CVE-2024-23556
psirt@hcl.com
HCL Software--DRYiCE Lucy
 		 HCL DRYiCE Lucy (now AEX) is affected by a Cross Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS misconfiguration which could potentially allow unauthorized access to the application resources from any web domain and enable cache poisoning attacks. 2024-05-14 6.5 CVE-2023-37526
psirt@hcl.com
Harknell--AWSOM News Announcement
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Harknell AWSOM News Announcement allows Stored XSS.This issue affects AWSOM News Announcement: from n/a through 1.6.0. 2024-05-14 5.9 CVE-2024-34428
audit@patchstack.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 Multiple unauthenticated Denial-of-Service (DoS) vulnerabilities exists in the Soft AP daemon accessed via the PAPI protocol. Successful exploitation of these vulnerabilites result in the ability to interrupt the normal operation of the affected Access Point. 2024-05-14 5.3 CVE-2024-31478
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 Unauthenticated Denial of Service (DoS) vulnerabilities exist in the Central Communications service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected service. 2024-05-14 5.3 CVE-2024-31479
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 Unauthenticated Denial of Service (DoS) vulnerabilities exist in the CLI service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected service. 2024-05-14 5.3 CVE-2024-31480
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 Unauthenticated Denial of Service (DoS) vulnerabilities exist in the CLI service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected service. 2024-05-14 5.3 CVE-2024-31481
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 An unauthenticated Denial-of-Service (DoS) vulnerability exists in the ANSI escape code service accessed via the PAPI protocol. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected Access Point. 2024-05-14 5.3 CVE-2024-31482
security-alert@hpe.com
Hewlett Packard Enterprise (HPE)--Aruba InstantOS and Aruba Access Points running ArubaOS 10
 		 An authenticated sensitive information disclosure vulnerability exists in the CLI service accessed via the PAPI protocol. Successful exploitation of this vulnerability results in the ability to read arbitrary files in the underlying operating system. 2024-05-14 4.9 CVE-2024-31483
security-alert@hpe.com
Hidden Depth--Sticky banner
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidden Depth Sticky banner allows Stored XSS.This issue affects Sticky banner: from n/a through 1.2.0. 2024-05-14 5.9 CVE-2024-35170
audit@patchstack.com
Highfivery LLC--Zero Spam
 		 Client-Side Enforcement of Server-Side Security vulnerability in Highfivery LLC Zero Spam allows Removing Important Client Functionality.This issue affects Zero Spam: from n/a through 5.5.6. 2024-05-17 5.3 CVE-2024-32521
audit@patchstack.com
Huawei--HarmonyOS
 		 The WindowManager module has a vulnerability in permission control. Impact: Successful exploitation of this vulnerability may affect confidentiality. 2024-05-14 6.2 CVE-2023-52721
psirt@huawei.com
psirt@huawei.com
Huawei--HarmonyOS
 		 Permission verification vulnerability in the system sharing pop-up module Impact: Successful exploitation of this vulnerability will affect availability. 2024-05-14 6.1 CVE-2024-32990
psirt@huawei.com
psirt@huawei.com
Huawei--HarmonyOS
 		 Denial of service (DoS) vulnerability in the AMS module Impact: Successful exploitation of this vulnerability will affect availability. 2024-05-14 6.2 CVE-2024-32995
psirt@huawei.com
psirt@huawei.com
Huawei--HarmonyOS
 		 Privilege escalation vulnerability in the account module Impact: Successful exploitation of this vulnerability will affect availability. 2024-05-14 6.2 CVE-2024-32996
psirt@huawei.com
psirt@huawei.com
Huawei--HarmonyOS
 		 Cracking vulnerability in the OS security module Impact: Successful exploitation of this vulnerability will affect availability. 2024-05-14 6.8 CVE-2024-32999
psirt@huawei.com
psirt@huawei.com
Huawei--HarmonyOS
 		 Cracking vulnerability in the OS security module Impact: Successful exploitation of this vulnerability will affect availability. 2024-05-14 6.4 CVE-2024-4046
psirt@huawei.com
psirt@huawei.com
Huawei--HarmonyOS
 		 Out-of-bounds access vulnerability in the memory module Impact: Successful exploitation of this vulnerability will affect availability. 2024-05-14 5.6 CVE-2024-32993
psirt@huawei.com
psirt@huawei.com
Huawei--HarmonyOS
 		 NULL pointer access vulnerability in the clock module Impact: Successful exploitation of this vulnerability will affect availability. 2024-05-14 5.9 CVE-2024-32998
psirt@huawei.com
psirt@huawei.com
Huawei--HarmonyOS
 		 Double-free vulnerability in the RSMC module Impact: Successful exploitation of this vulnerability will affect availability. 2024-05-14 4.7 CVE-2023-52383
psirt@huawei.com
psirt@huawei.com
Huawei--HarmonyOS
 		 Double-free vulnerability in the RSMC module Impact: Successful exploitation of this vulnerability will affect availability. 2024-05-14 4.7 CVE-2023-52384
psirt@huawei.com
psirt@huawei.com
Huawei--HarmonyOS
 		 Race condition vulnerability in the soundtrigger module Impact: Successful exploitation of this vulnerability will affect availability. 2024-05-14 4.1 CVE-2023-52720
psirt@huawei.com
psirt@huawei.com
Huseyin Berberoglu--WP Favorite Posts
 		 Cross-Site Request Forgery (CSRF) vulnerability in Huseyin Berberoglu WP Favorite Posts.This issue affects WP Favorite Posts: from n/a through 1.6.8. 2024-05-14 4.3 CVE-2024-34427
audit@patchstack.com
IBM--App Connect Enterprise
 		 IBM App Connect Enterprise 11.0.0.1 through 11.0.0.25 and 12.0.1.0 through 12.0.12.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 285245. 2024-05-14 5.4 CVE-2024-28761
psirt@us.ibm.com
psirt@us.ibm.com
IBM--App Connect Enterprise
 		 IBM App Connect Enterprise 11.0.0.1 through 11.0.0.25 and 12.0.1.0 through 12.0.12.0 dashboard is vulnerable to a denial of service due to improper restrictions of resource allocation. IBM X-Force ID: 285244. 2024-05-14 4.3 CVE-2024-28760
psirt@us.ibm.com
psirt@us.ibm.com
IBM--QRadar SIEM
 		 IBM QRadar SIEM 7.5 could allow a privileged user to configure user management that would disclose unintended sensitive information across tenants. IBM X-Force ID: 284575. 2024-05-14 6.8 CVE-2024-27269
psirt@us.ibm.com
psirt@us.ibm.com
IBM--SDK, Java Technology Edition
 		 The IBM SDK, Java Technology Edition's Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578. 2024-05-14 5.9 CVE-2023-38264
psirt@us.ibm.com
psirt@us.ibm.com
IBM--Security Guardium
 		 IBM Security Guardium 12.0 could allow a privileged user to perform unauthorized actions that could lead to a denial of service. IBM X-Force ID: 271690. 2024-05-16 4.4 CVE-2023-47717
psirt@us.ibm.com
psirt@us.ibm.com
IBM--Spectrum Fusion HCI
 		 IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807. 2024-05-14 6.5 CVE-2023-43040
psirt@us.ibm.com
psirt@us.ibm.com
IBM--TXSeries for Multiplatforms
 		 IBM TXSeries for Multiplatforms 8.2 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 280191. 2024-05-14 6.1 CVE-2024-22344
psirt@us.ibm.com
psirt@us.ibm.com
IBM--TXSeries for Multiplatforms
 		 IBM TXSeries for Multiplatforms 8.2 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. IBM X-Force ID: 280192. 2024-05-14 6.2 CVE-2024-22345
psirt@us.ibm.com
psirt@us.ibm.com
IBM--TXSeries for Multiplatforms
 		 IBM TXSeries for Multiplatforms 8.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 280190. 2024-05-14 4 CVE-2024-22343
psirt@us.ibm.com
psirt@us.ibm.com
IBM--UrbanCode Deploy
 		 IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4, and 8.0 through 8.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 285654. 2024-05-14 5.4 CVE-2024-28781
psirt@us.ibm.com
psirt@us.ibm.com
ITPison--OMICARD EDM
 		 ITPison OMICARD EDM fails to properly filter specific URL parameter, allowing unauthenticated remote attackers to modify the parameters and conduct Server-Side Request Forgery (SSRF) attacks. This vulnerability enables attackers to probe internal network information. 2024-05-15 5.3 CVE-2024-4894
twcert@cert.org.tw
twcert@cert.org.tw
Imran Sayed--Headless CMS
 		 Missing Authorization vulnerability in Imran Sayed Headless CMS.This issue affects Headless CMS: from n/a through 2.0.3. 2024-05-17 5.3 CVE-2023-34186
audit@patchstack.com
JFrog--Artifactory
 		 A Header Injection vulnerability in the JFrog platform in versions below 7.85.0 (SaaS) and 7.84.7 (Self-Hosted) may allow threat actors to take over the end user's account when clicking on a specially crafted URL sent to the victim's user email. 2024-05-15 6.4 CVE-2024-2248
reefs@jfrog.com
JetBrains--TeamCity
 		 In JetBrains TeamCity before 2024.03.1 commit status publisher didn't check project scope of the GitHub App token 2024-05-16 5.5 CVE-2024-35301
cve@jetbrains.com
JetBrains--TeamCity
 		 In JetBrains TeamCity before 2023.11 stored XSS during restore from backup was possible 2024-05-16 5.4 CVE-2024-35302
cve@jetbrains.com
JetBrains--YouTrack
 		 In JetBrains YouTrack before 2024.1.29548 the SMTPS protocol communication lacked proper certificate hostname validation 2024-05-16 5.9 CVE-2024-35299
cve@jetbrains.com
Justin Silver--Remote Content Shortcode
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Justin Silver Remote Content Shortcode allows PHP Local File Inclusion.This issue affects Remote Content Shortcode: from n/a through 1.5. 2024-05-17 6.5 CVE-2023-45652
audit@patchstack.com
Justin Tadlock--Unique
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Tadlock Unique allows Stored XSS.This issue affects Unique: from n/a through 0.3.0. 2024-05-14 6.5 CVE-2024-33952
audit@patchstack.com
Kashipara--College Management System
 		 A vulnerability, which was classified as critical, was found in Kashipara College Management System 1.0. This affects an unknown part of the file view_each_faculty.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263919. 2024-05-14 6.3 CVE-2024-4799
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Kashipara--College Management System
 		 A vulnerability has been found in Kashipara College Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file submit_student.php. The manipulation of the argument date_of_birth leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263920. 2024-05-14 6.3 CVE-2024-4800
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Kashipara--College Management System
 		 A vulnerability was found in Kashipara College Management System 1.0 and classified as critical. This issue affects some unknown processing of the file submit_new_faculty.php. The manipulation of the argument address leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263921 was assigned to this vulnerability. 2024-05-14 6.3 CVE-2024-4801
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Kashipara--College Management System
 		 A vulnerability was found in Kashipara College Management System 1.0. It has been classified as critical. Affected is an unknown function of the file submit_extracurricular_activity.php. The manipulation of the argument activity_datetime leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-263922 is the identifier assigned to this vulnerability. 2024-05-14 6.3 CVE-2024-4802
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Kashipara--College Management System
 		 A vulnerability was found in Kashipara College Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file submit_admin.php. The manipulation of the argument phone leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263923. 2024-05-14 6.3 CVE-2024-4803
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Kashipara--College Management System
 		 A vulnerability was found in Kashipara College Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file edit_user.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263924. 2024-05-14 6.3 CVE-2024-4804
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Kashipara--College Management System
 		 A vulnerability classified as critical has been found in Kashipara College Management System 1.0. This affects an unknown part of the file edit_faculty.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263925 was assigned to this vulnerability. 2024-05-14 6.3 CVE-2024-4805
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Kashipara--College Management System
 		 A vulnerability classified as critical was found in Kashipara College Management System 1.0. This vulnerability affects unknown code of the file each_extracurricula_activities.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-263926 is the identifier assigned to this vulnerability. 2024-05-14 6.3 CVE-2024-4806
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Kashipara--College Management System
 		 A vulnerability, which was classified as critical, has been found in Kashipara College Management System 1.0. This issue affects some unknown processing of the file delete_user.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263927. 2024-05-14 6.3 CVE-2024-4807
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Kashipara--College Management System
 		 A vulnerability, which was classified as critical, was found in Kashipara College Management System 1.0. Affected is an unknown function of the file delete_faculty.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263928. 2024-05-14 6.3 CVE-2024-4808
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Kashipara--College Management System
 		 A vulnerability classified as critical has been found in Kashipara College Management System 1.0. Affected is an unknown function of the file view_students_each_detail.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-264438 is the identifier assigned to this vulnerability. 2024-05-15 6.3 CVE-2024-4905
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Kiboko Labs--Arigato Autoresponder and Newsletter
 		 Cross-Site Request Forgery (CSRF) vulnerability in Kiboko Labs Arigato Autoresponder and Newsletter.This issue affects Arigato Autoresponder and Newsletter: from n/a through 2.7.2.3. 2024-05-14 4.3 CVE-2024-34823
audit@patchstack.com
Kioware--Kioware
 		 KioWare for Windows (versions all through 8.35) allows to brute force the PIN number, which protects the application from being closed, as there are no mechanisms preventing a user from excessively guessing the number. 2024-05-14 6.2 CVE-2024-3461
cvd@cert.pl
cvd@cert.pl
cvd@cert.pl
Kubernetes--azure-file-csi-driver
 		 A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag. 2024-05-15 6.5 CVE-2024-3744
jordan@liggitt.net
jordan@liggitt.net
Linux--Linux kernel
 		 In register_device, the return value of ida_simple_get is unchecked, in witch ida_simple_get will use an invalid index value. To address this issue, index should be checked after ida_simple_get. When the index value is abnormal, a warning message should be printed, the port should be dropped, and the value should be recorded. 2024-05-14 5.3 CVE-2024-4810
security@openanolis.org
LionScripts--IP Blocker Lite
 		 Authentication Bypass by Spoofing vulnerability in LionScripts IP Blocker Lite allows Functionality Bypass.This issue affects IP Blocker Lite: from n/a through 11.1.1. 2024-05-17 5.3 CVE-2024-30479
audit@patchstack.com
LizardByte--Sunshine
 		 Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories. 2024-05-16 4.9 CVE-2024-31226
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Matt van Andel--Adventure Journal
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matt van Andel Adventure Journal allows Stored XSS.This issue affects Adventure Journal: from n/a through 1.7.2. 2024-05-14 6.5 CVE-2024-33953
audit@patchstack.com
Metagauss--EventPrime
 		 Missing Authorization vulnerability in Metagauss EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through 2.8.6. 2024-05-17 5.3 CVE-2023-33321
audit@patchstack.com
Metagauss--ProfileGrid
 		 Improper Restriction of Excessive Authentication Attempts vulnerability in Metagauss ProfileGrid allows Removing Important Client Functionality.This issue affects ProfileGrid : from n/a through 5.8.2. 2024-05-17 4.3 CVE-2024-32774
audit@patchstack.com
Microchip--SAME70
 		 A voltage glitch during the startup of EEFC NVM controllers on Microchip SAM E70/S70/V70/V71 microcontrollers allows access to the memory bus via the debug interface even if the security bit is set. 2024-05-16 6.3 CVE-2024-4760
dc3f6da9-85b5-4a73-84a2-2ec90b40fca5
Microsoft--.NET 7.0
 		 Visual Studio Denial of Service Vulnerability 2024-05-14 5.9 CVE-2024-30046
secure@microsoft.com
Microsoft--.NET 8.0
 		 .NET and Visual Studio Remote Code Execution Vulnerability 2024-05-14 6.3 CVE-2024-30045
secure@microsoft.com
Microsoft--Azure Migrate
 		 Azure Migrate Cross-Site Scripting Vulnerability 2024-05-14 6.5 CVE-2024-30053
secure@microsoft.com
Microsoft--Microsoft Bing Search for iOS
 		 Microsoft Bing Search Spoofing Vulnerability 2024-05-14 5.4 CVE-2024-30041
secure@microsoft.com
Microsoft--Microsoft Edge (Chromium-based)
 		 Microsoft Edge (Chromium-based) Spoofing Vulnerability 2024-05-14 5.4 CVE-2024-30055
secure@microsoft.com
Microsoft--Microsoft Intune Mobile Application Management
 		 Microsoft Intune for Android Mobile Application Management Tampering Vulnerability 2024-05-14 6.1 CVE-2024-30059
secure@microsoft.com
Microsoft--Microsoft SharePoint Enterprise Server 2016
 		 Microsoft SharePoint Server Information Disclosure Vulnerability 2024-05-14 6.5 CVE-2024-30043
secure@microsoft.com
Microsoft--PowerBI-client JS SDK
 		 Microsoft Power BI Client JavaScript SDK Information Disclosure Vulnerability 2024-05-14 6.5 CVE-2024-30054
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Mobile Broadband Driver Remote Code Execution Vulnerability 2024-05-14 6.8 CVE-2024-29997
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Mobile Broadband Driver Remote Code Execution Vulnerability 2024-05-14 6.8 CVE-2024-29998
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Mobile Broadband Driver Remote Code Execution Vulnerability 2024-05-14 6.8 CVE-2024-29999
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Mobile Broadband Driver Remote Code Execution Vulnerability 2024-05-14 6.8 CVE-2024-30000
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Mobile Broadband Driver Remote Code Execution Vulnerability 2024-05-14 6.8 CVE-2024-30001
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Mobile Broadband Driver Remote Code Execution Vulnerability 2024-05-14 6.8 CVE-2024-30002
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Mobile Broadband Driver Remote Code Execution Vulnerability 2024-05-14 6.8 CVE-2024-30003
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Mobile Broadband Driver Remote Code Execution Vulnerability 2024-05-14 6.8 CVE-2024-30004
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Mobile Broadband Driver Remote Code Execution Vulnerability 2024-05-14 6.8 CVE-2024-30005
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Mobile Broadband Driver Remote Code Execution Vulnerability 2024-05-14 6.8 CVE-2024-30012
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Mobile Broadband Driver Remote Code Execution Vulnerability 2024-05-14 6.8 CVE-2024-30021
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows DWM Core Library Information Disclosure Vulnerability 2024-05-14 5.5 CVE-2024-30008
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Cryptographic Services Information Disclosure Vulnerability 2024-05-14 5.5 CVE-2024-30016
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability 2024-05-14 5.5 CVE-2024-30034
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Remote Access Connection Manager Information Disclosure Vulnerability 2024-05-14 5.5 CVE-2024-30039
secure@microsoft.com
Microsoft--Windows 10 Version 1809
 		 Windows Mark of the Web Security Feature Bypass Vulnerability 2024-05-14 5.4 CVE-2024-30050
secure@microsoft.com
Microsoft--Windows Server 2019
 		 Windows Hyper-V Denial of Service Vulnerability 2024-05-14 6.5 CVE-2024-30011
secure@microsoft.com
Microsoft--Windows Server 2019
 		 DHCP Server Service Denial of Service Vulnerability 2024-05-14 6.5 CVE-2024-30019
secure@microsoft.com
Microsoft--Windows Server 2019
 		 Windows Deployment Services Information Disclosure Vulnerability 2024-05-14 6.5 CVE-2024-30036
secure@microsoft.com
MongoDB Inc--MongoDB Server
 		 An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5. 2024-05-14 5.3 CVE-2024-3374
cna@mongodb.com
N/A--N/A
 		 The 'WordPress RSS Aggregator' WordPress Plugin, versions < 4.23.9 are affected by a Cross-Site Scripting (XSS) vulnerability due to the lack of sanitization of the  'notice_id'  GET parameter. 2024-05-14 5.4 CVE-2024-4860
vulnreport@tenable.com
Nathan Vonnahme--Configure Login Timeout
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nathan Vonnahme Configure Login Timeout allows Stored XSS.This issue affects Configure Login Timeout: from n/a through 1.0. 2024-05-14 5.9 CVE-2024-34419
audit@patchstack.com
Ninja Team--Filebird
 		 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Ninja Team Filebird.This issue affects Filebird: from n/a through 5.6.3. 2024-05-14 5.3 CVE-2024-35166
audit@patchstack.com
OCDI--One Click Demo Import
 		 Deserialization of Untrusted Data vulnerability in OCDI One Click Demo Import.This issue affects One Click Demo Import: from n/a through 3.2.0. 2024-05-14 4.4 CVE-2024-34433
audit@patchstack.com
OceanicJS--Oceanic
 		 Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being normalized into the url `/api/v10/channels/{id}`, and deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available. One may sanitize user input, ensuring strings are valid for the purpose they are being used for. One may also encode input with `encodeURIComponent` before providing it to the library. 2024-05-14 6.5 CVE-2024-34712
security-advisories@github.com
security-advisories@github.com
OpenText--iManager
 		 Path Traversal found in OpenTextâ„¢ iManager 3.2.6.0200. This can lead to privilege escalation or file disclosure. 2024-05-15 5.7 CVE-2024-3484
security@opentext.com
OpenText--iManager
 		 Server Side Request Forgery vulnerability has been discovered in OpenTextâ„¢ iManager 3.2.6.0200. This could lead to senstive information disclosure. 2024-05-15 5.3 CVE-2024-3485
security@opentext.com
OpenText--iManager
 		 File Upload vulnerability in unauthenticated session found in OpenTextâ„¢ iManager 3.2.6.0200. The vulnerability could allow ant attacker to upload a file without authentication. 2024-05-15 5.6 CVE-2024-3488
security@opentext.com
OpenText--iManager
 		 Server Side Request Forgery vulnerability has been discovered in OpenTextâ„¢ iManager 3.2.6.0200. This could lead to senstive information disclosure by directory traversal. 2024-05-15 5.3 CVE-2024-3970
security@opentext.com
Orchestrated--Corona Virus (COVID-19) Banner & Live Data
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Orchestrated Corona Virus (COVID-19) Banner & Live Data allows Stored XSS.This issue affects Corona Virus (COVID-19) Banner & Live Data: from n/a through 1.8.0.2. 2024-05-14 5.9 CVE-2024-34429
audit@patchstack.com
PHOENIX CONTACT--CHARX SEC-3000
 		 A low privileged remote attacker can use a command injection vulnerability in the API which performs remote code execution as the user-app user due to improper input validation. The confidentiality is partly affected. 2024-05-14 5 CVE-2024-28135
info@cert.vde.com
PHPGurukul--Online Course Registration System
 		 A vulnerability classified as critical was found in PHPGurukul Online Course Registration System 3.1. Affected by this vulnerability is an unknown functionality of the file /pincode-verification.php. The manipulation of the argument pincode leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264925 was assigned to this vulnerability. 2024-05-17 6.3 CVE-2024-5066
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
PaperCut--PaperCut NG, PaperCut MF
 		 An arbitrary file deletion vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabled. This vulnerability requires local login/console access to the PaperCut NG/MF server (eg: member of a domain admin group). 2024-05-14 6 CVE-2024-3037
eb41dac7-0af8-4f84-9f6d-0272772514f4
PaperCut--PaperCut NG, PaperCut MF
 		 An arbitrary file creation vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabled. This vulnerability requires local login/console access to the PaperCut NG/MF server (eg: member of a domain admin group). 2024-05-14 6 CVE-2024-4712
eb41dac7-0af8-4f84-9f6d-0272772514f4
Phil Baylog--QuickieBar
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Phil Baylog QuickieBar allows Stored XSS.This issue affects QuickieBar: from n/a through 1.8.4. 2024-05-14 5.9 CVE-2024-34425
audit@patchstack.com
PluginEver--Serial Numbers for WooCommerce License Manager
 		 Missing Authorization vulnerability in PluginEver Serial Numbers for WooCommerce - License Manager.This issue affects Serial Numbers for WooCommerce - License Manager: from n/a through 1.7.3. 2024-05-17 5.3 CVE-2024-35173
audit@patchstack.com
PrestaShop--PrestaShop
 		 PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available. 2024-05-14 5.3 CVE-2024-34717
security-advisories@github.com
security-advisories@github.com
Progress Software Corporation--WhatsUp Gold
 		 In WhatsUp Gold versions released before 2023.1.2 , an SSRF vulnerability exists in Whatsup Gold's Issue exists in the HTTP Monitoring functionality.  Due to the lack of proper authorization, any authenticated user can access the HTTP monitoring functionality, what leads to the Server Side Request Forgery. 2024-05-14 5.4 CVE-2024-4562
security@progress.com
security@progress.com
Progress Software Corporation--WhatsUp Gold
 		 In WhatsUp Gold versions released before 2023.1.2 , a blind SSRF vulnerability exists in Whatsup Gold's FaviconController that allows an attacker to send arbitrary HTTP requests on behalf of the vulnerable server. 2024-05-14 4.2 CVE-2024-4561
security@progress.com
security@progress.com
Progress Software--Telerik Report Server
 		 An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity Processing. 2024-05-15 6.5 CVE-2024-4357
security@progress.com
Progress Software--Telerik Report Server
 		 In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via a trust boundary violation vulnerability. 2024-05-15 5.3 CVE-2024-4837
security@progress.com
Proofpoint--Enterprise Protection
 		 The Proofpoint Encryption endpoint of Proofpoint Enterprise Protection contains a Server-Side Request Forgery vulnerability that allows an authenticated user to relay HTTP requests from the Protection server to otherwise private network addresses. 2024-05-14 5 CVE-2024-0862
security@proofpoint.com
QODE Interactive--Qi Addons For Elementor
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in QODE Interactive Qi Addons For Elementor allows PHP Local File Inclusion.This issue affects Qi Addons For Elementor: from n/a through 1.6.3. 2024-05-17 6.4 CVE-2023-47679
audit@patchstack.com
RadiusTheme--ShopBuilder Elementor WooCommerce Builder Addons
 		 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in RadiusTheme ShopBuilder - Elementor WooCommerce Builder Addons.This issue affects ShopBuilder - Elementor WooCommerce Builder Addons: from n/a through 2.1.8. 2024-05-14 5.3 CVE-2024-34812
audit@patchstack.com
RafflePress--Giveaways and Contests
 		 Authentication Bypass by Spoofing vulnerability in RafflePress Giveaways and Contests allows Functionality Bypass.This issue affects Giveaways and Contests: from n/a through 1.12.7. 2024-05-17 5.3 CVE-2024-32827
audit@patchstack.com
Rashed Latif--TT Custom Post Type Creator
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rashed Latif TT Custom Post Type Creator allows Stored XSS.This issue affects TT Custom Post Type Creator: from n/a through 1.0. 2024-05-14 5.9 CVE-2024-34430
audit@patchstack.com
Red Hat--Red Hat Advanced Cluster Management for Kubernetes 2
 		 A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster. 2024-05-17 6.6 CVE-2024-5042
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
Red Hat--Red Hat Enterprise Linux 6
 		 A flaw was found in the QEMU Virtio PCI Bindings (hw/virtio/virtio-pci.c). An improper release and use of the irqfd for vector 0 during the boot process leads to a guest triggerable crash via vhost_net_stop(). This flaw allows a malicious guest to crash the QEMU process on the host. 2024-05-14 5.5 CVE-2024-4693
secalert@redhat.com
secalert@redhat.com
Red Hat--Red Hat OpenStack Platform 16.2
 		 An flaw was found in the OpenStack Platform (RHOSP) director, a toolset for installing and managing a complete RHOSP environment. Plaintext passwords may be stored in log files, which can expose sensitive information to anyone with access to the logs. 2024-05-14 5.5 CVE-2024-4840
secalert@redhat.com
secalert@redhat.com
Red Hat--Red Hat Satellite 6
 		 A vulnerability was found in Satellite. When running a remote execution job on a host, the host's SSH key is not being checked. When the key changes, the Satellite still connects it because it uses "-o StrictHostKeyChecking=no". This flaw can lead to a man-in-the-middle attack (MITM), denial of service, leaking of secrets the remote execution job contains, or other issues that may arise from the attacker's ability to forge an SSH key. This issue does not directly allow unauthorized remote execution on the Satellite, although it can leak secrets that may lead to it. 2024-05-14 6.8 CVE-2024-4871
secalert@redhat.com
secalert@redhat.com
Revmakx--WPCal.io Easy Meeting Scheduler
 		 Cross-Site Request Forgery (CSRF) vulnerability in Revmakx WPCal.Io - Easy Meeting Scheduler.This issue affects WPCal.Io - Easy Meeting Scheduler: from n/a through 0.9.5.8. 2024-05-14 5.4 CVE-2024-34816
audit@patchstack.com
Ruijie--RG-UAC
 		 A vulnerability classified as critical has been found in Ruijie RG-UAC up to 20240506. Affected is an unknown function of the file /view/networkConfig/physicalInterface/interface_commit.php. The manipulation of the argument name leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. VDB-263934 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-05-14 6.3 CVE-2024-4813
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Ruijie--RG-UAC
 		 A vulnerability classified as critical was found in Ruijie RG-UAC up to 20240506. Affected by this vulnerability is an unknown functionality of the file /view/networkConfig/RouteConfig/StaticRoute/static_route_edit_commit.php. The manipulation of the argument oldipmask/oldgateway leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263935. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-05-14 6.3 CVE-2024-4814
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Ruijie--RG-UAC
 		 A vulnerability, which was classified as critical, has been found in Ruijie RG-UAC up to 20240506. Affected by this issue is some unknown functionality of the file /view/bugSolve/viewData/detail.php. The manipulation of the argument filename leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263936. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-05-14 6.3 CVE-2024-4815
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Ruijie--RG-UAC
 		 A vulnerability, which was classified as critical, was found in Ruijie RG-UAC up to 20240506. This affects an unknown part of the file /view/networkConfig/GRE/gre_add_commit.php. The manipulation of the argument name/remote/local/IP leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263937 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-05-14 6.3 CVE-2024-4816
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SAP_SE--SAP BusinessObjects Business Intelligence Platform (Webservices)
 		 SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after logging out. On successful exploitation, the attacker can see the sensitive information through cache and can open the pages causing limited impact on Confidentiality, Integrity and Availability of the application. 2024-05-14 4.3 CVE-2024-33004
cna@sap.com
cna@sap.com
SAP_SE--SAP Enable Now
 		 SAP Enable Now Manager does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation, the attacker with the role 'Learner' could gain access to other user's data in manager which will lead to a high impact to the confidentiality of the application. 2024-05-14 6.5 CVE-2024-32730
cna@sap.com
cna@sap.com
SAP_SE--SAP Global Label Management (GLM)
 		 SAP Global Label Management is vulnerable to SQL injection. On exploitation the attacker can use specially crafted inputs to modify database commands resulting in the retrieval of additional information persisted by the system. This could lead to low impact on Confidentiality and Integrity of the application. 2024-05-14 4.2 CVE-2024-33009
cna@sap.com
cna@sap.com
SAP_SE--SAP My Travel Requests 
 		 SAP My Travel Requests does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation, the attacker can upload a malicious attachment to a business trip request which will lead to a low impact on the confidentiality, integrity and availability of the application.  2024-05-14 5.5 CVE-2024-32731
cna@sap.com
cna@sap.com
SAP_SE--SAP NetWeaver Application Server ABAP and ABAP Platform 
 		 Due to missing input validation and output encoding of untrusted data, SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject malicious JavaScript code into the dynamically crafted web page. On successful exploitation the attacker can access or modify sensitive information with no impact on availability of the application 2024-05-14 6.1 CVE-2024-32733
cna@sap.com
cna@sap.com
SAP_SE--SAP NetWeaver Application server for ABAP and ABAP Platform
 		 SAP NetWeaver Application Server for ABAP and ABAP Platform do not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker can control code that is executed within a user's browser, which could result in modification, deletion of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user's session. Hence, this could have impact on Confidentiality, Integrity and Availability of the system. 2024-05-14 6.5 CVE-2024-34687
cna@sap.com
cna@sap.com
SAP_SE--SAP Replication Server 
 		 SAP Replication Server allows an attacker to use gateway for executing some commands to RSSD. This could result in crashing the Replication Server due to memory corruption with high impact on Availability of the system. 2024-05-14 4.9 CVE-2024-33008
cna@sap.com
cna@sap.com
SAP_SE--SAP S/4 HANA (Manage Bank Statement Reprocessing Rules)
 		 Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can enable/disable the sharing rule of other users affecting the integrity of the application. Confidentiality and Availability are not affected. 2024-05-14 4.3 CVE-2024-4138
cna@sap.com
cna@sap.com
SAP_SE--SAP S/4 HANA (Manage Bank Statement Reprocessing Rules)
 		 Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can delete rules of other users affecting the integrity of the application. Confidentiality and Availability are not affected. 2024-05-14 4.3 CVE-2024-4139
cna@sap.com
cna@sap.com
SAP_SE--SAP S/4HANA (Document Service Handler for DPS)
 		 Document Service handler (obsolete) in Data Provisioning Service does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability with low impact on Confidentiality and Integrity of the application. 2024-05-14 6.1 CVE-2024-33002
cna@sap.com
cna@sap.com
SKT Themes--SKT Addons for Elementor
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SKT Themes SKT Addons for Elementor allows Stored XSS.This issue affects SKT Addons for Elementor: from n/a through 1.8. 2024-05-14 6.5 CVE-2024-34436
audit@patchstack.com
SKT Themes--SKT Addons for Elementor
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SKT Themes SKT Addons for Elementor allows Stored XSS.This issue affects SKT Addons for Elementor: from n/a through 1.8. 2024-05-14 6.5 CVE-2024-34445
audit@patchstack.com
SailPoint--Identity Security Cloud
 		 An improper access control was identified in the Identity Security Cloud (ISC) message server API that allowed an authenticated user to exfiltrate job processing metadata (opaque messageIDs, work queue depth and counts) for other tenants. 2024-05-15 6.5 CVE-2024-3317
psirt@sailpoint.com
SailPoint--Identity Security Cloud
 		 A file path traversal vulnerability was identified in the DelimitedFileConnector Cloud Connector that allowed an authenticated administrator to set arbitrary connector attributes, including the "file" attribute, which in turn allowed the user to access files uploaded for other sources. 2024-05-15 4.2 CVE-2024-3318
psirt@sailpoint.com
SakuraIsayeki--WOWS-Karma
 		 WOWS Karma is a reputation system for Wargaming's World of Warships. A user is able to click multiple times on "create" on a post creation prompt before the modal closes, which triggers sending several post creation API requests at once. Due to timing, sending multiple posts simultaneously requests bypasses the cooldown validation, however are not refreshing a user's metrics more than once, due to concurrent karma updates. This issue is fixed in 0.17.4.1. 2024-05-14 6.3 CVE-2024-34695
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Salon Booking System--Salon booking system
 		 Improper Privilege Management vulnerability in Salon Booking System Salon booking system allows Privilege Escalation.This issue affects Salon booking system: from n/a through 8.6. 2024-05-17 6.8 CVE-2023-48319
audit@patchstack.com
Samsung Open Source--Escargot
 		 Improper Input Validation vulnerability in Samsung Open Source escargot JavaScript engine allows Overflow Buffers. However, it occurs in the test code and does not include in the release. This issue affects escargot: 4.0.0. 2024-05-14 5.3 CVE-2024-32669
PSIRT@samsung.com
Samsung Open Source--Escargot
 		 A Segmentation Fault issue discovered in Samsung Open Source Escargot JavaScript engine allows remote attackers to cause a denial of service via crafted input. This issue affects Escargot: 4.0.0. 2024-05-14 5.3 CVE-2024-32672
PSIRT@samsung.com
Samuel Marshall--JCH Optimize
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samuel Marshall JCH Optimize.This issue affects JCH Optimize: from n/a through 4.2.0. 2024-05-16 4.3 CVE-2024-34808
audit@patchstack.com
ShortPixel--ShortPixel Adaptive Images
 		 Server-Side Request Forgery (SSRF) vulnerability in ShortPixel ShortPixel Adaptive Images.This issue affects ShortPixel Adaptive Images: from n/a through 3.8.3. 2024-05-14 4.4 CVE-2024-35172
audit@patchstack.com
ShortPixel--ShortPixel Adaptive Images
 		 Cross-Site Request Forgery (CSRF) vulnerability in ShortPixel ShortPixel Adaptive Images.This issue affects ShortPixel Adaptive Images: from n/a through 3.8.3. 2024-05-14 4.3 CVE-2024-4689
audit@patchstack.com
SiAdmin--SiAdmin
 		 Vulnerability in SiAdmin 1.1 that allows XSS via the /show.php query parameter. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and thereby steal their cookie session credentials. 2024-05-16 6.3 CVE-2024-4993
cve-coordination@incibe.es
Siemens--OPUPI0 AMQP/MQTT
 		 A vulnerability has been identified in OPUPI0 AMQP/MQTT (All versions < V5.30). The affected devices stores MQTT client passwords without sufficient protection on the devices. An attacker with remote shell access or physical access could retrieve the credentials leading to confidentiality loss. 2024-05-14 5.3 CVE-2024-31486
productcert@siemens.com
Siemens--Polarion ALM
 		 A vulnerability has been identified in Polarion ALM (All versions < V2404.0). The Apache Lucene based query engine in the affected application lacks proper access controls. This could allow an authenticated user to query items beyond the user's allowed projects. 2024-05-14 6.5 CVE-2024-33647
productcert@siemens.com
Siemens--RUGGEDCOM CROSSBOW
 		 A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). Downloading files overwrites files with the same name in the installation directory of the affected systems. The filename for the target file can be specified, thus arbitrary files can be overwritten by an attacker with the required privileges. 2024-05-14 6.5 CVE-2024-27946
productcert@siemens.com
Siemens--RUGGEDCOM CROSSBOW
 		 A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems could allow log messages to be forwarded to a specific client under certain circumstances. An attacker could leverage this vulnerability to forward log messages to a specific compromised client. 2024-05-14 5.3 CVE-2024-27947
productcert@siemens.com
Siemens--S7-PCT
 		 A vulnerability has been identified in S7-PCT (All versions), Security Configuration Tool (SCT) (All versions), SIMATIC Automation Tool (All versions), SIMATIC BATCH V9.1 (All versions), SIMATIC NET PC Software (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC PDM V9.2 (All versions), SIMATIC Route Control V9.1 (All versions), SIMATIC STEP 7 V5 (All versions), SIMATIC WinCC OA V3.17 (All versions), SIMATIC WinCC OA V3.18 (All versions < V3.18 P025), SIMATIC WinCC OA V3.19 (All versions < V3.19 P010), SIMATIC WinCC Runtime Advanced (All versions), SIMATIC WinCC Runtime Professional V16 (All versions), SIMATIC WinCC Runtime Professional V17 (All versions), SIMATIC WinCC Runtime Professional V18 (All versions), SIMATIC WinCC Runtime Professional V19 (All versions), SIMATIC WinCC Unified PC Runtime (All versions), SIMATIC WinCC V7.4 (All versions), SIMATIC WinCC V7.5 (All versions), SIMATIC WinCC V8.0 (All versions), SINAMICS Startdrive (All versions < V19 SP1), SINUMERIK ONE virtual (All versions < V6.23), SINUMERIK PLC Programming Tool (All versions), TIA Portal Cloud Connector (All versions < V2.0), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions), Totally Integrated Automation Portal (TIA Portal) V19 (All versions < V19 Update 2). The affected applications contain an out of bounds read vulnerability. This could allow an attacker to cause a Blue Screen of Death (BSOD) crash of the underlying Windows kernel. 2024-05-14 6.5 CVE-2023-46280
productcert@siemens.com
Siemens--SIMATIC RTLS Locating Manager
 		 A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). The "DBTest" tool of SIMATIC RTLS Locating Manager does not properly enforce access restriction. This could allow an authenticated local attacker to extract sensitive information from memory. 2024-05-14 6.3 CVE-2024-30208
productcert@siemens.com
Siemens--SIMATIC RTLS Locating Manager
 		 A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected components do not properly authenticate heartbeat messages. This could allow an unauthenticated remote attacker to affected the availability of secondary RTLS systems configured using a TeeRevProxy service and potentially cause loss of data generated during the time the attack is ongoing. 2024-05-14 6.5 CVE-2024-33494
productcert@siemens.com
Siemens--SIMATIC RTLS Locating Manager
 		 A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). The affected application does not properly limit the size of specific logs. This could allow an unauthenticated remote attacker to exhaust system resources by creating a great number of log entries which could potentially lead to a denial of service condition. A successful exploitation requires the attacker to have access to specific SIMATIC RTLS Locating Manager Clients in the deployment. 2024-05-14 6.5 CVE-2024-33495
productcert@siemens.com
Siemens--SIMATIC RTLS Locating Manager
 		 A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected SIMATIC RTLS Locating Manager Report Clients do not properly protect credentials that are used to authenticate to the server. This could allow an authenticated local attacker to extract the credentials and use them to escalate their access rights from the Manager to the Systemadministrator role. 2024-05-14 6.3 CVE-2024-33496
productcert@siemens.com
Siemens--SIMATIC RTLS Locating Manager
 		 A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected SIMATIC RTLS Locating Manager Track Viewer Client do not properly protect credentials that are used to authenticate to the server. This could allow an authenticated local attacker to extract the credentials and use them to escalate their access rights from the Manager to the Systemadministrator role. 2024-05-14 6.3 CVE-2024-33497
productcert@siemens.com
Siemens--SIMATIC RTLS Locating Manager
 		 A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected applications do not properly release memory that is allocated when handling specifically crafted incoming packets. This could allow an unauthenticated remote attacker to cause a denial of service condition by crashing the service when it runs out of memory. The service is restarted automatically after a short time. 2024-05-14 5.3 CVE-2024-33498
productcert@siemens.com
SourceCodester--Best Courier Management System
 		 A vulnerability was found in SourceCodester Best Courier Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file view_parcel.php. The manipulation of the argument id leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264480. 2024-05-16 4.3 CVE-2024-4945
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Employee and Visitor Gate Pass Logging System
 		 A vulnerability classified as critical has been found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0. Affected is an unknown function of the file /employee_gatepass/classes/Users.php?f=ssave. The manipulation of the argument img leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264456. 2024-05-16 6.3 CVE-2024-4921
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Gas Agency Management System
 		 A vulnerability has been found in SourceCodester Gas Agency Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file edituser.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264748. 2024-05-17 6.3 CVE-2024-5051
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Interactive Map with Marker
 		 A vulnerability was found in SourceCodester Interactive Map with Marker 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /endpoint/delete-mark.php. The manipulation of the argument mark leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-264535. 2024-05-16 6.3 CVE-2024-4967
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Online Art Gallery Management System
 		 A vulnerability was found in SourceCodester Online Art Gallery Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file admin/adminHome.php. The manipulation of the argument sliderpic leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264481 was assigned to this vulnerability. 2024-05-16 6.3 CVE-2024-4946
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Online Birth Certificate Management System
 		 A vulnerability was found in SourceCodester Online Birth Certificate Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin. The manipulation leads to files or directories accessible. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-264742 is the identifier assigned to this vulnerability. 2024-05-17 5.3 CVE-2024-5045
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Online Computer and Laptop Store
 		 A vulnerability, which was classified as critical, has been found in SourceCodester Online Computer and Laptop Store 1.0. Affected by this issue is some unknown functionality of the file /admin/maintenance/manage_brand.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-263918 is the identifier assigned to this vulnerability. 2024-05-14 6.3 CVE-2024-4798
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Online Computer and Laptop Store
 		 A vulnerability was found in SourceCodester Online Computer and Laptop Store 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /classes/SystemSettings.php?f=update_settings. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263941 was assigned to this vulnerability. 2024-05-14 6.3 CVE-2024-4820
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Open Source Clinic Management System
 		 A vulnerability has been found in SourceCodester Open Source Clinic Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file setting.php. The manipulation of the argument logo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263929 was assigned to this vulnerability. 2024-05-14 6.3 CVE-2024-4809
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--School Intramurals Student Attendance Management System
 		 A vulnerability was found in SourceCodester School Intramurals Student Attendance Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /intrams_sams/manage_course.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264461 was assigned to this vulnerability. 2024-05-16 6.3 CVE-2024-4925
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--School Intramurals Student Attendance Management System
 		 A vulnerability was found in SourceCodester School Intramurals Student Attendance Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /intrams_sams/manage_student.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-264462 is the identifier assigned to this vulnerability. 2024-05-16 6.3 CVE-2024-4926
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Simple Online Bidding System
 		 A vulnerability was found in SourceCodester Simple Online Bidding System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /simple-online-bidding-system/admin/ajax.php?action=save_product. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-264463. 2024-05-16 6.3 CVE-2024-4927
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Simple Online Bidding System
 		 A vulnerability was found in SourceCodester Simple Online Bidding System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /simple-online-bidding-system/admin/ajax.php?action=delete_category. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264464. 2024-05-16 6.3 CVE-2024-4928
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Simple Online Bidding System
 		 A vulnerability classified as critical was found in SourceCodester Simple Online Bidding System 1.0. This vulnerability affects unknown code of the file /simple-online-bidding-system/index.php?page=view_prod. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-264466 is the identifier assigned to this vulnerability. 2024-05-16 6.3 CVE-2024-4930
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Simple Online Bidding System
 		 A vulnerability, which was classified as critical, has been found in SourceCodester Simple Online Bidding System 1.0. This issue affects some unknown processing of the file /simple-online-bidding-system/admin/index.php?page=view_udet. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-264467. 2024-05-16 6.3 CVE-2024-4931
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Simple Online Bidding System
 		 A vulnerability, which was classified as critical, was found in SourceCodester Simple Online Bidding System 1.0. Affected is an unknown function of the file /simple-online-bidding-system/admin/index.php?page=manage_user. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264468. 2024-05-16 6.3 CVE-2024-4932
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Simple Online Bidding System
 		 A vulnerability has been found in SourceCodester Simple Online Bidding System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /simple-online-bidding-system/admin/index.php?page=manage_product. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264469 was assigned to this vulnerability. 2024-05-16 6.3 CVE-2024-4933
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Simple Online Bidding System
 		 A vulnerability classified as problematic has been found in SourceCodester Simple Online Bidding System 1.0. This affects an unknown part of the file /simple-online-bidding-system/admin/ajax.php?action=save_user. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264465 was assigned to this vulnerability. 2024-05-16 4.3 CVE-2024-4929
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Simple Online Mens Salon Management System
 		 A vulnerability, which was classified as critical, has been found in SourceCodester Simple Online Mens Salon Management System 1.0. Affected by this issue is some unknown functionality of the file view_service.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-264926 is the identifier assigned to this vulnerability. 2024-05-17 6.3 CVE-2024-5069
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Sparkle WP--Editorialmag
 		 Missing Authorization vulnerability in Sparkle WP Editorialmag editorialmag.This issue affects Editorialmag: from n/a through 1.1.9. 2024-05-17 4.3 CVE-2023-32129
audit@patchstack.com
Stefano Lissa & The Newsletter Team--Newsletter
 		 Authentication Bypass by Spoofing vulnerability in Stefano Lissa & The Newsletter Team Newsletter allows Functionality Bypass.This issue affects Newsletter: from n/a through 8.2.0. 2024-05-17 5.3 CVE-2024-30522
audit@patchstack.com
Strategy11 Form Builder Team--Formidable Forms
 		 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Strategy11 Form Builder Team Formidable Forms allows Code Injection.This issue affects Formidable Forms: from n/a through 6.7. 2024-05-17 5.3 CVE-2024-23522
audit@patchstack.com
StylemixThemes--Cost Calculator Builder PRO
 		 Cost Calculator Builder Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to 3.1.72, via the send_demo_webhook() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. 2024-05-17 6.4 CVE-2024-4789
security@wordfence.com
security@wordfence.com
Supsystic--Pricing Table by Supsystic
 		 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Supsystic Pricing Table by Supsystic allows Code Injection.This issue affects Pricing Table by Supsystic: from n/a through 1.9.12. 2024-05-17 4.3 CVE-2024-32790
audit@patchstack.com
Swift Ideas--Swift Framework
 		 The Swift Framework plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sf_edit_directory_item() function in all versions up to, and including, 2.7.31. This makes it possible for unauthenticated attackers to update arbitrary posts with arbitrary content. Unfortunately, we did not receive a response from the vendor to send over the vulnerability details. 2024-05-14 5.3 CVE-2024-3915
security@wordfence.com
security@wordfence.com
Swift Ideas--Swift Framework
 		 The Swift Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 2.7.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Unfortunately, we did not receive a response from the vendor to send over the vulnerability details. 2024-05-14 5.3 CVE-2024-3916
security@wordfence.com
security@wordfence.com
Sylius--Sylius
 		 Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12.16, 1.13.1. 2024-05-14 6.1 CVE-2024-34349
security-advisories@github.com
security-advisories@github.com
Synaptics--Synaptics Fingerprint Driver
 		 Missing lock check in SynHsaService may create a use-after-free condition which causes abnormal termination of the service, resulting in denial of service for the Synaptics Hardware Support App. 2024-05-14 5.5 CVE-2023-5447
PSIRT@synaptics.com
TIBCO--Hawk
 		 Install-type password disclosure vulnerability in Universal Installer including the Silent Installer in TIBCO Hawk versions 6.2.0, 6.2.1, 6.2.2 and 6.2.3 allows user's Enterprise Message Service (EMS) password to be exposed outside of the hawkagent.cfg and hawkevent.cfg config files. 2024-05-15 6.5 CVE-2024-3182
security@tibco.com
TYPO3--typo3
 		 TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to the form module. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1 fix the problem described. 2024-05-14 5.4 CVE-2024-34356
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
TYPO3--typo3
 		 TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the `ShowImageController` (`_eID tx_cms_showpic_`) is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described. 2024-05-14 5.4 CVE-2024-34357
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
TYPO3--typo3
 		 TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the `ShowImageController` (`_eID tx_cms_showpic_`) lacks a cryptographic HMAC-signature on the `frame` HTTP query parameter (e.g. `/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described. 2024-05-14 5.3 CVE-2024-34358
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Tech9logy Creators--WPCS ( WordPress Custom Search )
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tech9logy Creators WPCS ( WordPress Custom Search ) allows Stored XSS.This issue affects WPCS ( WordPress Custom Search ): from n/a through 1.1. 2024-05-14 5.9 CVE-2024-34418
audit@patchstack.com
The Events Calendar--BookIt
 		 Improper Validation of Specified Quantity in Input vulnerability in The Events Calendar BookIt allows Manipulating Hidden Fields.This issue affects BookIt: from n/a through 2.4.0. 2024-05-17 6.5 CVE-2024-24715
audit@patchstack.com
Theme Freesia--Freesia Empire
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Freesia Freesia Empire allows Stored XSS.This issue affects Freesia Empire: from n/a through 1.4.1. 2024-05-14 6.5 CVE-2024-33955
audit@patchstack.com
ThemeFuse--Unyson
 		 Cross-Site Request Forgery (CSRF) vulnerability in ThemeFuse Unyson.This issue affects Unyson: from n/a through 2.7.29. 2024-05-14 5.4 CVE-2024-34814
audit@patchstack.com
ThemeLocation--Custom WooCommerce Checkout Fields Editor
 		 Missing Authorization vulnerability in ThemeLocation Custom WooCommerce Checkout Fields Editor.This issue affects Custom WooCommerce Checkout Fields Editor: from n/a through 1.3.0. 2024-05-14 4.3 CVE-2024-33956
audit@patchstack.com
ThemeNectar--Salient Shortcodes
 		 The Salient Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'icon' shortcode in all versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-18 6.4 CVE-2024-3811
security@wordfence.com
security@wordfence.com
ThimPress--Thim Elementor Kit
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Thim Elementor Kit allows Stored XSS.This issue affects Thim Elementor Kit: from n/a through 1.1.8. 2024-05-14 6.5 CVE-2024-34415
audit@patchstack.com
ThroughTek--Kalay SDK
 		 ThroughTek Kalay SDK does not verify the authenticity of received messages, allowing an attacker to impersonate an authoritative server. 2024-05-15 4.3 CVE-2023-6323
cve-requests@bitdefender.com
Toidicode.com (thanhtaivtt)--Viet Nam Affiliate
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Toidicode.Com (thanhtaivtt) Viet Nam Affiliate allows Stored XSS.This issue affects Viet Nam Affiliate: from n/a through 1.0.0. 2024-05-14 5.9 CVE-2024-34417
audit@patchstack.com
Tongda--OA
 		 A vulnerability was found in Tongda OA 2017. It has been declared as critical. This vulnerability affects unknown code of the file /general/meeting/manage/delete.php. The manipulation of the argument M_ID_STR leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264436. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-05-15 6.3 CVE-2024-4903
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Trellix--ePolicy Orchestrator
 		 ePO doesn't allow a regular privileged user to delete tasks or assignments. Insecure direct object references that allow a least privileged user to manipulate the client task and client task assignments, hence escalating his/her privilege. 2024-05-16 4.3 CVE-2024-4843
trellixpsirt@trellix.com
UkrSolution--Barcode Scanner with Inventory & Order Manager
 		 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.5.4. 2024-05-14 5.3 CVE-2024-34556
audit@patchstack.com
UkrSolution--Barcode Scanner with Inventory & Order Manager
 		 Cross-Site Request Forgery (CSRF) vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.5.4. 2024-05-14 4.3 CVE-2024-34557
audit@patchstack.com
Uniform Server Zero--Uniform Server Zero
 		 vulnerability in Uniform Server Zero, version 10.2.5, consisting of an XSS through the /us_extra/phpinfo.php page. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and partially take over their session details. 2024-05-14 6.3 CVE-2023-5052
cve-coordination@incibe.es
Valiano--Unite Gallery Lite
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Valiano Unite Gallery Lite allows PHP Local File Inclusion.This issue affects Unite Gallery Lite: from n/a through 1.7.59. 2024-05-17 6 CVE-2023-33310
audit@patchstack.com
ValvePress--WordPress Automatic Plugin
 		 The WordPress Automatic Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'autoplay' parameter in all versions up to, and including, 3.94.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-18 6.4 CVE-2024-4849
security@wordfence.com
security@wordfence.com
VeronaLabs--WP SMS
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS allows Stored XSS.This issue affects WP SMS: from n/a through 6.5.1. 2024-05-14 5.9 CVE-2024-34811
audit@patchstack.com
Visualmodo--Borderless Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg
 		 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Visualmodo Borderless - Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg allows Stored XSS.This issue affects Borderless - Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg: from n/a through 1.5.3. 2024-05-17 6.5 CVE-2024-34757
audit@patchstack.com
W3 Eden Inc.--Download Manager
 		 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in W3 Eden Inc. Download Manager allows Functionality Bypass.This issue affects Download Manager: from n/a through 3.2.82. 2024-05-17 5.3 CVE-2024-32131
audit@patchstack.com
WBSAirback--White Bear Solutions
 		 Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through S3 disks (/admin/DeviceS3). Exploitation of this vulnerability could allow a remote user to execute arbitrary code. 2024-05-14 6.6 CVE-2024-3787
cve-coordination@incibe.es
WBSAirback--White Bear Solutions
 		 Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through License (/admin/CDPUsers). Exploitation of this vulnerability could allow a remote user to execute arbitrary code. 2024-05-14 6.6 CVE-2024-3788
cve-coordination@incibe.es
WBSAirback--White Bear Solutions
 		 Uncontrolled resource consumption vulnerability in White Bear Solutions WBSAirback, version 21.02.04. This vulnerability could allow an attacker to send multiple command injection payloads to influence the amount of resources consumed. 2024-05-14 6.5 CVE-2024-3789
cve-coordination@incibe.es
WBSAirback--White Bear Solutions
 		 Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS) through /admin/SystemUsers, login / description fields, passwd1/ passwd2 parameters. Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. 2024-05-14 4.8 CVE-2024-3790
cve-coordination@incibe.es
WBSAirback--White Bear Solutions
 		 Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS) through /admin/SystemConfiguration, name / free memory limit fields , type / password parameters. Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. 2024-05-14 4.8 CVE-2024-3791
cve-coordination@incibe.es
WBSAirback--White Bear Solutions
 		 Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS) through /admin/DeviceReplication, execution range field, all parameters. Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. 2024-05-14 4.8 CVE-2024-3792
cve-coordination@incibe.es
WBSAirback--White Bear Solutions
 		 Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS) through /admin/CloudAccounts, account name / user password / server fields, all parameters. Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. 2024-05-14 4.8 CVE-2024-3793
cve-coordination@incibe.es
WBSAirback--White Bear Solutions
 		 Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS) through /admin/AdvancedSystem, description field, all parameters. Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. 2024-05-14 4.8 CVE-2024-3794
cve-coordination@incibe.es
WBSAirback--White Bear Solutions
 		 Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS) through /admin/BackupTemplate, name / description fields. Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. 2024-05-14 4.8 CVE-2024-3795
cve-coordination@incibe.es
WBSAirback--White Bear Solutions
 		 Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS) through /admin/BackupSchedule, description field. Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. 2024-05-14 4.8 CVE-2024-3796
cve-coordination@incibe.es
WP Club Manager--WP Club Manager
 		 Missing Authorization vulnerability in WP Club Manager.This issue affects WP Club Manager: from n/a through 2.2.11. 2024-05-14 5.3 CVE-2024-32719
audit@patchstack.com
WP Happy Coders--Comments Like Dislike
 		 Authentication Bypass by Spoofing vulnerability in WP Happy Coders Comments Like Dislike allows Functionality Bypass.This issue affects Comments Like Dislike: from n/a through 1.2.2. 2024-05-17 4.3 CVE-2024-25906
audit@patchstack.com
WP Royal--Royal Elementor Addons
 		 Authentication Bypass by Spoofing vulnerability in WP Royal Royal Elementor Addons allows Functionality Bypass.This issue affects Royal Elementor Addons: from n/a through 1.3.93. 2024-05-17 5.3 CVE-2024-32786
audit@patchstack.com
WPBlockart--Magazine Blocks
 		 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPBlockart Magazine Blocks allows Stored XSS.This issue affects Magazine Blocks: from n/a through 1.3.6. 2024-05-16 5.9 CVE-2024-34760
audit@patchstack.com
WPDeveloper--SchedulePress
 		 Missing Authorization vulnerability in WPDeveloper SchedulePress.This issue affects SchedulePress: from n/a through 5.0.8. 2024-05-14 6.5 CVE-2024-32717
audit@patchstack.com
WPMU DEV--Defender Security
 		 Insecure Storage of Sensitive Information vulnerability in WPMU DEV Defender Security allows : Screen Temporary Files for Sensitive Information.This issue affects Defender Security: from n/a through 3.3.2. 2024-05-17 5 CVE-2022-44581
audit@patchstack.com
WPMU DEV--Defender Security
 		 Authentication Bypass by Spoofing vulnerability in WPMU DEV Defender Security allows Functionality Bypass.This issue affects Defender Security: from n/a through 4.4.1. 2024-05-17 5.3 CVE-2024-25595
audit@patchstack.com
Wangshen--SecGate 3600
 		 A vulnerability, which was classified as critical, was found in Wangshen SecGate 3600 up to 20240516. This affects an unknown part of the file /?g=log_import_save. The manipulation of the argument reqfile leads to unrestricted upload. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-264747. 2024-05-17 6.3 CVE-2024-5050
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Warfare Plugins--Social Warfare
 		 Cross-Site Request Forgery (CSRF) vulnerability in Warfare Plugins Social Warfare.This issue affects Social Warfare: from n/a through 4.4.5.1. 2024-05-14 4.3 CVE-2024-34825
audit@patchstack.com
Web-Settler--Landing Page Builder Free Landing Page Templates
 		 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Web-Settler Landing Page Builder - Free Landing Page Templates allows Path Traversal.This issue affects Landing Page Builder - Free Landing Page Templates: from n/a through 3.1.9.9. 2024-05-17 6.8 CVE-2023-24379
audit@patchstack.com
WebToffee--Order Export & Order Import for WooCommerce
 		 Deserialization of Untrusted Data vulnerability in WebToffee Order Export & Order Import for WooCommerce.This issue affects Order Export & Order Import for WooCommerce: from n/a through 2.4.9. 2024-05-16 4.4 CVE-2024-34751
audit@patchstack.com
Webvitaly--iFrame
 		 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Webvitaly iFrame allows Stored XSS.This issue affects iFrame: from n/a through 5.0. 2024-05-16 6.5 CVE-2024-34805
audit@patchstack.com
Wireshark Foundation--Wireshark
 		 MONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4.2.4, 4.0.0 to 4.0.14, and 3.6.0 to 3.6.22 allow denial of service via packet injection or crafted capture file 2024-05-14 6.4 CVE-2024-4854
cve@gitlab.com
cve@gitlab.com
cve@gitlab.com
cve@gitlab.com
WordPlus--BP Better Messages
 		 Missing Authorization vulnerability in WordPlus BP Better Messages allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects BP Better Messages: from n/a through 2.4.32. 2024-05-17 5.3 CVE-2024-32802
audit@patchstack.com
Wpmet--Wp Ultimate Review
 		 Authentication Bypass by Spoofing vulnerability in Wpmet Wp Ultimate Review allows Functionality Bypass.This issue affects Wp Ultimate Review: from n/a through 2.3.2. 2024-05-17 5.3 CVE-2024-21746
audit@patchstack.com
Wpmet--Wp Ultimate Review
 		 Client-Side Enforcement of Server-Side Security vulnerability in Wpmet Wp Ultimate Review allows Functionality Bypass.This issue affects Wp Ultimate Review: from n/a through 2.2.5. 2024-05-17 5.3 CVE-2024-32685
audit@patchstack.com
Zoom Video Communications, Inc.--Zoom Workplace VDI App for Windows
 		 Insufficient verification of data authenticity in the installer for Zoom Workplace VDI App for Windows may allow an authenticated user to conduct an escalation of privilege via local access. 2024-05-15 6.7 CVE-2024-27244
security@zoom.us
Zoom Video Communications, Inc.--see references
 		 Buffer overflow in some Zoom Workplace Apps and SDK's may allow an authenticated user to conduct a denial of service via network access. 2024-05-15 6.5 CVE-2024-27243
security@zoom.us
abuhayat--HTML5 Audio Player- Best WordPress Audio Player Plugin
 		 The HTML5 Audio Player- Best WordPress Audio Player Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.2.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4398
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
aio-libs--aiosmtpd
 		 aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue. 2024-05-18 5.4 CVE-2024-34083
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
argoproj--argo-cd
 		 Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16. 2024-05-14 6.5 CVE-2024-32476
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
asterisk--asterisk
 		 Asterisk is an open source private branch exchange and telephony toolkit. After upgrade to 18.23.0, ALL unauthorized SIP requests are identified as PJSIP Endpoint of local asterisk server. This vulnerability is fixed in 18.23.1, 20.8.1, and 21.3.1. 2024-05-17 5.8 CVE-2024-35190
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
athemes--Sydney Toolbox
 		 The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "aThemes: Portfolio" widget in all versions up to, and including, 1.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4473
security@wordfence.com
security@wordfence.com
automattic--Jetpack WP Security, Backup, Speed, & Growth
 		 The Jetpack - WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpvideo shortcode in all versions up to, and including, 13.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4392
security@wordfence.com
security@wordfence.com
avimegladon--Custom Post Type Attachment
 		 The Custom Post Type Attachment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pdf_attachment' shortcode in all versions up to, and including, 3.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-16 6.4 CVE-2024-4546
security@wordfence.com
security@wordfence.com
bdthemes--Prime Slider Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)
 		 The Prime Slider - Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the General widget in all versions up to, and including, 3.14.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4339
security@wordfence.com
security@wordfence.com
blakeblackshear--frigate
 		 Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Below 0.13.2 Release, when uploading a file or retrieving the filename, a user may intentionally use a large Unicode filename which would lead to a application-level denial of service. This is due to no limitation set on the length of the filename and the costy use of the Unicode normalization with the form NFKD under the hood of `secure_filename()`. 2024-05-14 6.8 CVE-2024-32874
security-advisories@github.com
security-advisories@github.com
blocksera--Image Hover Effects Elementor Addon
 		 The Image Hover Effects - Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Hover Effects Widget in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-1166
security@wordfence.com
security@wordfence.com
boldgrid--Post and Page Builder by BoldGrid Visual Drag and Drop Editor
 		 The Post and Page Builder by BoldGrid - Visual Drag and Drop Editor plguin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 1.26.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-16 6.4 CVE-2024-4400
security@wordfence.com
security@wordfence.com
brainstormforce--Elementor Header & Footer Builder
 		 The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hfe_svg_mime_types' function in versions up to, and including, 1.6.28 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-16 6.4 CVE-2024-4634
security@wordfence.com
security@wordfence.com
security@wordfence.com
brainstormforce--Elementor Header & Footer Builder
 		 The Elementor Header & Footer Builder for WordPress is vulnerable to HTML Injection in all versions up to, and including, 1.6.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary HTML in pages that will be shown whenever a user accesses an injected page. 2024-05-16 5 CVE-2024-2619
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
brainstormforce--Starter Templates Elementor, WordPress & Beaver Builder Templates
 		 The Starter Templates - Elementor, WordPress & Beaver Builder Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_upload_mimes' function in versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4630
security@wordfence.com
security@wordfence.com
security@wordfence.com
brainstormforce--Starter Templates Elementor, WordPress & Beaver Builder Templates
 		 The Starter Templates - Elementor, WordPress & Beaver Builder Templates plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.1.6 via the ai_api_request(). This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. 2024-05-14 4.3 CVE-2024-1467
security@wordfence.com
security@wordfence.com
security@wordfence.com
britner--Gutenberg Blocks with AI by Kadence WP Page Builder Features
 		 The Gutenberg Blocks with AI by Kadence WP - Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the typer effect in the advanced heading widget in all versions up to, and including, 3.2.37 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-15 6.4 CVE-2024-4208
security@wordfence.com
security@wordfence.com
britner--Gutenberg Blocks with AI by Kadence WP Page Builder Features
 		 The Gutenberg Blocks with AI by Kadence WP - Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown timer in all versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4209
security@wordfence.com
security@wordfence.com
security@wordfence.com
britner--Gutenberg Blocks with AI by Kadence WP Page Builder Features
 		 The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the plugin's blocks in all versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4481
security@wordfence.com
security@wordfence.com
britner--Gutenberg Blocks with AI by Kadence WP Page Builder Features
 		 The Gutenberg Blocks by Kadence Blocks - Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Testimonial', 'Progress Bar', 'Lottie Animations', 'Row Layout', 'Google Maps', and 'Advanced Gallery' blocks in all versions up to, and including, 3.2.37 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-15 5.4 CVE-2024-3189
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
buddypress--BuddyPress
 		 The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'user_name' parameter in versions up to, and including, 12.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-3974
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
carazo--Import and export users and customers
 		 The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user agent header in all versions up to, and including, 1.26.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator access and higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-15 4.4 CVE-2024-4656
security@wordfence.com
security@wordfence.com
carazo--Import and export users and customers
 		 The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.26.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2024-05-15 4.4 CVE-2024-4734
security@wordfence.com
security@wordfence.com
code-projects--Budget Management
 		 A vulnerability classified as critical was found in code-projects Budget Management 1.0. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument edit leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264745 was assigned to this vulnerability. 2024-05-17 6.3 CVE-2024-5048
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
code-projects--Simple Chat System
 		 A vulnerability classified as critical has been found in code-projects Simple Chat System 1.0. This affects an unknown part of the file /login.php. The manipulation of the argument email/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264537 was assigned to this vulnerability. 2024-05-16 6.3 CVE-2024-4972
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
code-projects--Simple Chat System
 		 A vulnerability classified as critical was found in code-projects Simple Chat System 1.0. This vulnerability affects unknown code of the file /register.php. The manipulation of the argument name/number/address leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-264538 is the identifier assigned to this vulnerability. 2024-05-16 6.3 CVE-2024-4973
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
codename065--Sliding Widgets
 		 Missing Authorization vulnerability in codename065 Sliding Widgets allows Cross-Site Scripting (XSS).This issue affects Sliding Widgets: from n/a through 1.5.0. 2024-05-14 6.5 CVE-2024-33938
audit@patchstack.com
codewoogeek--Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro
 		 The The Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.3.1. This is due to the plugin for WordPress allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. 2024-05-14 6.5 CVE-2024-4038
security@wordfence.com
security@wordfence.com
creativethemeshq--Blocksy Companion
 		 The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG uploads in versions up to, and including, 2.0.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4487
security@wordfence.com
security@wordfence.com
security@wordfence.com
creativethemeshq--Blocksy
 		 The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' parameter in versions up to, and including, 2.0.42 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4158
security@wordfence.com
security@wordfence.com
croixhaug--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin
 		 The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in versions up to, and including, 1.6.7.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-16 6.4 CVE-2024-4288
security@wordfence.com
security@wordfence.com
security@wordfence.com
daext--Soccer Engine Soccer Plugin for WordPress
 		 The Soccer Engine - Soccer Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation when saving match and team settings. This makes it possible for unauthenticated attackers to change plugin settings as well as teams, players, etc. via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-05-14 4.3 CVE-2024-4312
security@wordfence.com
security@wordfence.com
davidanderson--Testimonial Slider
 		 The Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'testimonialcategory' shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4193
security@wordfence.com
security@wordfence.com
deTheme--DethemeKit For Elementor
 		 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in deTheme DethemeKit For Elementor allows Stored XSS.This issue affects DethemeKit For Elementor: from n/a through 2.1.2. 2024-05-17 6.5 CVE-2024-34575
audit@patchstack.com
detheme--DethemeKit For Elementor
 		 The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-18 6.4 CVE-2024-4374
security@wordfence.com
security@wordfence.com
devitemsllc--HT Mega Absolute Addons For Elementor
 		 The HT Mega - Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Gallery Justify Widget in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-3989
security@wordfence.com
security@wordfence.com
devitemsllc--HT Mega Absolute Addons For Elementor
 		 The HT Mega - Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Tooltip & Popover Widget in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-3990
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
devitemsllc--ShopLentor WooCommerce Builder for Elementor & Gutenberg +12 Modules All in One Solution (formerly WooLentor)
 		 The ShopLentor (formerly WooLentor) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the purchased_new_products function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to view all products purchased in the past week, along with the users that purchased them. 2024-05-14 5.3 CVE-2023-6327
security@wordfence.com
security@wordfence.com
security@wordfence.com
directus--directus
 		 Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_session` gets destroyed and the cookie gets deleted but if the cookie value is captured, it will still work for the entire expiry time which is set to 1 day by default. Making it effectively a long lived unrevokable stateless token instead of the stateful session token it was meant to be. This vulnerability is fixed in 10.11.0. 2024-05-14 5.4 CVE-2024-34709
security-advisories@github.com
security-advisories@github.com
directus--directus
 		 Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access the raw stored version using the `alias` functionality on the API. Normally, these redacted fields will return `**********` however if we change the request to `?alias[workaround]=redacted` we can instead retrieve the plain text value for the field. This can be avoided by removing permission to view the sensitive fields entirely from users or roles that should not be able to see them. This vulnerability is fixed in 10.11.0. 2024-05-14 4.9 CVE-2024-34708
security-advisories@github.com
security-advisories@github.com
divSpot--DS Site Message
 		 Cross-Site Request Forgery (CSRF) vulnerability in divSpot DS Site Message.This issue affects DS Site Message: from n/a through 1.14.4. 2024-05-14 4.3 CVE-2024-34439
audit@patchstack.com
envothemes--Envo Extra
 		 The Envo Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 1.8.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-16 6.4 CVE-2024-4385
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
fluxcd--source-controller
 		 The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity. 2024-05-15 5.1 CVE-2024-31216
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
frappe--frappe
 		 Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepts redirect argument and it allowed redirect to untrusted external URls. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and 14.74.0. 2024-05-14 6.1 CVE-2024-34074
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
freescout-helpdesk--freescout
 		 FreeScout is a free, self-hosted help desk and shared mailbox. Versions of FreeScout prior to 1.8.139 contain a Prototype Pollution vulnerability in the `/public/js/main.js` source file. The Prototype Pollution arises because the `getQueryParam` Function recursively merges an object containing user-controllable properties into an existing object (For URL Query Parameters Parsing), without first sanitizing the keys. This can allow an attacker to inject a property with a key `__proto__`, along with arbitrarily nested properties. The merge operation assigns the nested properties to the `params` object's prototype instead of the target object itself. As a result, the attacker can pollute the prototype with properties containing harmful values, which are then inherited by user-defined objects and subsequently used by the application dangerously. The vulnerability lets an attacker control properties of objects that would otherwise be inaccessible. If the application subsequently handles an attacker-controlled property in an unsafe way, this can potentially be chained with other vulnerabilities like DOM-based XSS, Open Redirection, Cookie Manipulation, Link Manipulation, HTML Injection, etc. Version 1.8.139 contains a patch for the issue. 2024-05-14 4.6 CVE-2024-34698
security-advisories@github.com
security-advisories@github.com
giuliopanda--ADFO Custom data in admin dashboard
 		 The ADFO - Custom data in admin dashboard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dbp_id' parameter in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2024-05-14 6.1 CVE-2024-4104
security@wordfence.com
security@wordfence.com
security@wordfence.com
giuliopanda--ADFO Custom data in admin dashboard
 		 The ADFO - Custom data in admin dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.0. This is due to missing or incorrect nonce validation on several functions hooked via the controller() function. This makes it possible for unauthenticated attackers to edit the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-05-14 4.3 CVE-2024-4103
security@wordfence.com
security@wordfence.com
https://elementor.com/--Elementor Website Builder Pro
 		 The Elementor Website Builder - More than Just a Page Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in versions up to, and including, 3.21.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4107
security@wordfence.com
security@wordfence.com
iePlexus--Featured Content Gallery
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iePlexus Featured Content Gallery allows Stored XSS.This issue affects Featured Content Gallery: from n/a through 3.2.0. 2024-05-14 5.9 CVE-2024-34424
audit@patchstack.com
iqonicdesign--Graphina Elementor Charts and Graphs
 		 The Graphina - Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.8.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4574
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
ithemelandco--Bulk Posts Editing For WordPress
 		 The Bulk Posts Editing For WordPress plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on the plugin's AJAX actions in all versions up to, and including, 4.2.3. This makes it possible for authenticated attackers, with subscriber access and higher, to invoke their corresponding functions. This may lead to post creation and duplication, post content retrieval, post taxonomy manipulation. 2024-05-15 4.3 CVE-2024-4199
security@wordfence.com
security@wordfence.com
ithemelandco--Bulk Posts Editing For WordPress
 		 The Bulk Posts Editing For WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to missing or incorrect nonce validation on the plugin's AJAX actions.. This makes it possible for unauthenticated attackers to create and duplicate posts, retrieve post content, and modify post taxonomy among other things via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-05-16 4.3 CVE-2024-4204
security@wordfence.com
security@wordfence.com
justinbusa--Beaver Builder WordPress Page Builder
 		 The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the link_target parameter in all versions up to, and including, 2.8.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-3923
security@wordfence.com
security@wordfence.com
security@wordfence.com
justinbusa--Beaver Builder WordPress Page Builder
 		 The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the photo widget crop attribute in all versions up to, and including, 2.8.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4430
security@wordfence.com
security@wordfence.com
security@wordfence.com
kraftplugins--Mega Elements Addons for Elementor
 		 The Mega Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button widget in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-15 6.4 CVE-2024-4702
security@wordfence.com
security@wordfence.com
levelfourstorefront--Shopping Cart & eCommerce Store
 		 The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.6.4 via the order report functionality. This makes it possible for unauthenticated attackers to extract sensitive data including order details such as payment details, addresses and other PII. 2024-05-14 5.3 CVE-2024-4213
security@wordfence.com
security@wordfence.com
litonice13--Master Addons Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor
 		 The Master Addons - Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the title_html_tag attribute in all versions up to, and including, 2.0.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-16 6.4 CVE-2024-3134
security@wordfence.com
security@wordfence.com
litonice13--Master Addons Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor
 		 The Master Addons - Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 2.0.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-16 6.4 CVE-2024-4580
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
mantisbt--mantisbt
 		 MantisBT (Mantis Bug Tracker) is an open source issue tracker. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when resolving or closing issues (`bug_change_status_page.php`) belonging to a project linking said custom field, viewing issues (`view_all_bug_page.php`) when the custom field is displayed as a column, or printing issues (`print_all_bug_page.php`) when the custom field is displayed as a column. Version 2.26.2 contains a patch for the issue. As a workaround, ensure Custom Field Names do not contain HTML tags. 2024-05-14 6.6 CVE-2024-34081
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
mantisbt--mantisbt
 		 MantisBT (Mantis Bug Tracker) is an open source issue tracker. If an issue references a note that belongs to another issue that the user doesn't have access to, then it gets hyperlinked. Clicking on the link gives an access denied error as expected, yet some information remains available via the link, link label, and tooltip. This can result in disclosure of the existence of the note, the note author name, the note creation timestamp, and the issue id the note belongs to. Version 2.26.2 contains a patch for the issue. No known workarounds are available. 2024-05-14 5.3 CVE-2024-34080
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
matrix-org--matrix-sdk-crypto
 		 The matrix-sdk-crypto crate, part of the Matrix Rust SDK project, is an implementation of a Matrix end-to-end encryption state machine in Rust. In Matrix, the server-side `key backup` stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric cryptography, with each server-side key backup assigned a unique public-private key pair. Due to a logic bug introduced in commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, matrix-sdk-crypto version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the `tracing` crate). This issue has been resolved in matrix-sdk-crypto version 0.7.1. No known workarounds are available. 2024-05-14 5.5 CVE-2024-34353
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
matter-labs--era-compiler-solidity
 		 era-compiler-solidity is the ZKsync compiler for Solidity. The problem occurred during instruction selection in the `DAGCombine` phase while visiting the XOR operation. The issue arises when attempting to fold the expression `!(x cc y)` into `(x !cc y)`. To perform this transformation, the second operand of XOR should be a constant representing the true value. However, it was incorrectly assumed that -1 represents the true value, when in fact, 1 is the correct representation, so this transformation for this case should be skipped. This vulnerability is fixed in 1.4.1. 2024-05-14 5.9 CVE-2024-34704
security-advisories@github.com
mgibbs189--Custom Field Suite
 		 The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cfs[fields][*][name]' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2024-05-14 4.4 CVE-2024-3068
security@wordfence.com
security@wordfence.com
security@wordfence.com
mihdan--Mihdan: Yandex Turbo Feed
 		 The Mihdan: Yandex Turbo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.6.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4411
security@wordfence.com
security@wordfence.com
miraheze--CreateWiki
 		 CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users to be considered as the requester of a specific wiki request if their local user ID on any wiki in a wiki farm matches the local ID of the requester at the wiki where the wiki request was made. This allows them to go to that request entry's on Special:RequestWikiQueue on the wiki where their local user ID matches and take any actions that the wiki requester is allowed to take from there. Commit 02e0f298f8d35155c39aa74193cb7b867432c5b8 fixes the issue. Important note about the fix: This vulnerability has been fixed by disabling access to the REST API and special pages outside of the wiki configured as the "global wiki" in `$wgCreateWikiGlobalWiki` in a user's MediaWiki settings. As a workaround, it is possible to disable the special pages outside of one's own global wiki by doing something similar to `miraheze/mw-config` commit e5664995fbb8644f9a80b450b4326194f20f9ddc that is adapted to one's own setup. As for the REST API, before the fix, there wasn't any REST endpoint that allowed one to make writes. Regardless, it is possible to also disable it outside of the global wiki by using `$wgCreateWikiDisableRESTAPI` and `$wgConf` in the configuration for one's own wiki farm.. 2024-05-14 5.9 CVE-2024-34701
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
monetizemore--Advanced Ads  Ad Manager & AdSense
 		 The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Ad widget in all versions up to, and including, 1.52.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-3952
security@wordfence.com
security@wordfence.com
security@wordfence.com
mra13--Simple Membership
 		 The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4383
security@wordfence.com
security@wordfence.com
security@wordfence.com
n/a--DedeCMS
 		 A vulnerability classified as problematic has been found in DedeCMS 5.7.114. This affects an unknown part of the file /sys_verifies.php?action=view. The manipulation of the argument filename with the input ../../../../../etc/passwd leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263889 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-05-14 4.3 CVE-2024-4790
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
n/a--Emlog Pro
 		 A vulnerability was found in Emlog Pro 2.3.4 and classified as critical. Affected by this issue is some unknown functionality of the file admin/setting.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264740. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-05-17 4.7 CVE-2024-5043
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
n/a--Endurance Gaming Mode software installers
 		 Incorrect default permissions in some Endurance Gaming Mode software installers before version 1.3.937.0 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2023-42433
secure@intel.com
n/a--Intel(R) Advisor software
 		 Uncontrolled search path in some Intel(R) Advisor software before version 2024.0 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21772
secure@intel.com
n/a--Intel(R) BIOS PPAM firmware
 		 Improper conditions check in some Intel(R) BIOS PPAM firmware may allow a privileged user to potentially enable escalation of privilege via local access. 2024-05-16 6.1 CVE-2023-28383
secure@intel.com
n/a--Intel(R) CST software
 		 Uncontrolled search path for some Intel(R) CST software before version 2.1.10300 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2023-40155
secure@intel.com
n/a--Intel(R) CST software
 		 Improper access control for some Intel(R) CST software before version 2.1.10300 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 4.4 CVE-2023-39433
secure@intel.com
n/a--Intel(R) CST software
 		 Null pointer dereference for some Intel(R) CST software before version 2.1.10300 may allow an authenticated user to potentially enable denial of service via local access. 2024-05-16 4.4 CVE-2023-41082
secure@intel.com
n/a--Intel(R) CST
 		 Improper access control in some Intel(R) CST before version 2.1.10300 may allow an authenticated user to potentially enable denial of service via local access. 2024-05-16 4.7 CVE-2023-43487
secure@intel.com
n/a--Intel(R) Chipset Device Software
 		 Uncontrolled search path for some Intel(R) Chipset Device Software before version 10.1.19444.8378 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21814
secure@intel.com
n/a--Intel(R) Computing Improvement Program software
 		 Uncontrolled search path for some Intel(R) Computing Improvement Program software before version 2.4.0.10654 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21843
secure@intel.com
n/a--Intel(R) Core(TM) Ultra Processors
 		 Sequence of processor instructions leads to unexpected behavior in Intel(R) Core(TM) Ultra Processors may allow an authenticated user to potentially enable denial of service via local access. 2024-05-16 4.7 CVE-2023-46103
secure@intel.com
n/a--Intel(R) DLB driver software
 		 Improper input validation for some Intel(R) DLB driver software before version 8.5.0 may allow an authenticated user to potentially denial of service via local access. 2024-05-16 6.5 CVE-2024-22015
secure@intel.com
n/a--Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors
 		 Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access. 2024-05-16 6.4 CVE-2024-21823
secure@intel.com
n/a--Intel(R) DSA software uninstallers
 		 Uncontrolled search path in some Intel(R) DSA software uninstallers before version 23.4.39.10 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2023-45743
secure@intel.com
n/a--Intel(R) Data Center GPU Max Series 1100 and 1550 products
 		 Improper conditions check in the Intel(R) Data Center GPU Max Series 1100 and 1550 products may allow an privileged user to potentially enable denial of service via local access. 2024-05-16 6 CVE-2023-47165
secure@intel.com
n/a--Intel(R) Distribution for GDB software
 		 Uncontrolled search path for some Intel(R) Distribution for GDB software before version 2024.0 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21841
secure@intel.com
n/a--Intel(R) Ethernet Controller Administrative Tools software
 		 Improper access control in some Intel(R) Ethernet Controller Administrative Tools software before version 28.3 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21828
secure@intel.com
n/a--Intel(R) FPGA products
 		 Out of bounds write in firmware for some Intel(R) FPGA products before version 2.9.0 may allow escalation of privilege and information disclosure. 2024-05-16 5.7 CVE-2023-49614
secure@intel.com
n/a--Intel(R) FPGA products
 		 Improper input validation in firmware for some Intel(R) FPGA products before version 2.9.1 may allow denial of service. 2024-05-16 4.4 CVE-2024-22390
secure@intel.com
n/a--Intel(R) GPA Framework software
 		 Uncontrolled search path in some Intel(R) GPA Framework software before version 2023.3 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2023-35192
secure@intel.com
n/a--Intel(R) GPA Framework software
 		 Uncontrolled search path in some Intel(R) GPA Framework software before version 2023.4 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21861
secure@intel.com
n/a--Intel(R) GPA software
 		 Uncontrolled search path in some Intel(R) GPA software before version 2023.3 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2023-41961
secure@intel.com
n/a--Intel(R) GPA software
 		 Uncontrolled search path in some Intel(R) GPA software before version 2023.4 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21788
secure@intel.com
n/a--Intel(R) Graphics Windows DCH driver software
 		 Uncontrolled search path in Intel(R) Graphics Command Center Service bundled in some Intel(R) Graphics Windows DCH driver software before versions 31.0.101.3790/31.0.101.2114 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2023-43751
secure@intel.com
n/a--Intel(R) Inspector software
 		 Uncontrolled search path in some Intel(R) Inspector software before version 2024.0 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-22379
secure@intel.com
n/a--Intel(R) Media SDK software
 		 Improper input validation in Intel(R) Media SDK software all versions may allow an authenticated user to potentially enable denial of service via local access. 2024-05-16 5.9 CVE-2023-48368
secure@intel.com
n/a--Intel(R) Media SDK
 		 Improper buffer restrictions in Intel(R) Media SDK all versions may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 4.8 CVE-2023-45221
secure@intel.com
n/a--Intel(R) Neural Compressor software
 		 Time-of-check Time-of-use race condition in Intel(R) Neural Compressor software before version 2.5.0 may allow an authenticated user to potentially enable information disclosure via local access. 2024-05-16 4.7 CVE-2024-21792
secure@intel.com
n/a--Intel(R) PCM software
 		 Uncontrolled search path in some Intel(R) PCM software before version 202311 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21818
secure@intel.com
n/a--Intel(R) PROSet/Wireless WiFi software for Windows
 		 Race condition for some some Intel(R) PROSet/Wireless WiFi software for Windows before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access. 2024-05-16 4.3 CVE-2023-40536
secure@intel.com
n/a--Intel(R) PROSet/Wireless WiFi software for linux
 		 Improper input validation for some Intel(R) PROSet/Wireless WiFi software for linux before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access. 2024-05-16 4.7 CVE-2023-47210
secure@intel.com
n/a--Intel(R) PROSet/Wireless WiFi software
 		 Improper input validation for some Intel(R) PROSet/Wireless WiFi software before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access. 2024-05-16 4.3 CVE-2023-38417
secure@intel.com
n/a--Intel(R) Power Gadget software for Windows
 		 Insecure inherited permissions in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2023-45736
secure@intel.com
n/a--Intel(R) Power Gadget software for Windows
 		 NULL pointer dereference in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to potentially enable denial of service via local access. 2024-05-16 5 CVE-2023-41234
secure@intel.com
n/a--Intel(R) Power Gadget software for Windwos
 		 Improper initialization in some Intel(R) Power Gadget software for Windwos all versions may allow an authenticated user to potentially enable denial of service via local access. 2024-05-16 5.5 CVE-2023-45315
secure@intel.com
n/a--Intel(R) Power Gadget software for macOS
 		 Incomplete cleanup in Intel(R) Power Gadget software for macOS all versions may allow an authenticated user to potentially enable denial of service via local access. 2024-05-16 5.5 CVE-2023-45846
secure@intel.com
n/a--Intel(R) Processor Diagnostic Tool software
 		 Uncontrolled search path in some Intel(R) Processor Diagnostic Tool software before version 4.1.9.41 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21831
secure@intel.com
n/a--Intel(R) Processor Identification Utility software
 		 Uncontrolled search path in some Intel(R) Processor Identification Utility software before versions 6.10.34.1129, 7.1.6 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21774
secure@intel.com
n/a--Intel(R) Quartus(R) Prime Lite Edition Design software
 		 Improper conditions check for some Intel(R) Quartus(R) Prime Lite Edition Design software before version 23.1 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21809
secure@intel.com
n/a--Intel(R) Quartus(R) Prime Lite Edition Design software
 		 Uncontrolled search path in some Intel(R) Quartus(R) Prime Lite Edition Design software before version 23.1 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21837
secure@intel.com
n/a--Intel(R) Quartus(R) Prime Pro Edition Design software
 		 Uncontrolled search path in some Intel(R) Quartus(R) Prime Pro Edition Design software before version 23.4 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21777
secure@intel.com
n/a--Intel(R) Quartus(R) Prime Standard Edition Design software
 		 Uncontrolled search path in some Intel(R) Quartus(R) Prime Standard Edition Design software before version 23.1 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21862
secure@intel.com
n/a--Intel(R) TDX module software
 		 Improper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access. 2024-05-16 6 CVE-2023-47855
secure@intel.com
n/a--Intel(R) VTune(TM) Profiler software
 		 Uncontrolled search path element in some Intel(R) VTune(TM) Profiler software before version 2024.0 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2023-45320
secure@intel.com
n/a--Intel(R) Wireless Bluetooth products for Windows
 		 Improper access control for some Intel(R) Wireless Bluetooth products for Windows before version 23.20 may allow an authenticated user to potentially enable denial of service via local access. 2024-05-16 5.5 CVE-2023-47859
secure@intel.com
n/a--Intel(R) Wireless Bluetooth(R) products for Windows
 		 Improper conditions check for some Intel(R) Wireless Bluetooth(R) products for Windows before version 23.20 may allow a privileged user to potentially enable denial of service via local access. 2024-05-16 4.4 CVE-2023-45845
secure@intel.com
n/a--Intel(R) XTU software
 		 Insecure inherited permissions in some Intel(R) XTU software before version 7.14.0.15 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2024-21835
secure@intel.com
n/a--Libva software maintained by Intel(R)
 		 Uncontrolled search path in some Libva software maintained by Intel(R) before version 2.20.0 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2023-39929
secure@intel.com
n/a--UEFI firmware for some Intel(R) Server Board S2600BP products
 		 Improper input validation of EpsdSrMgmtConfig in UEFI firmware for some Intel(R) Server Board S2600BP products may allow a privileged user to potentially enable denial of service via local access. 2024-05-16 5.8 CVE-2023-22662
secure@intel.com
n/a--n/a
 		 An issue was discovered in Samsung Magician 8.0.0 on macOS. Because symlinks are used during the installation process, an attacker can escalate privileges via arbitrary file permission writes. (The attacker must already have user privileges, and an administrator password must be entered during the program installation stage for privilege escalation.) 2024-05-14 6.7 CVE-2024-31952
cve@mitre.org
n/a--n/a
 		 An issue was discovered in Samsung Magician 8.0.0 on macOS. Because it is possible to tamper with the directory and executable files used during the installation process, an attacker can escalate privileges through arbitrary code execution. (The attacker must already have user privileges, and an administrator password must be entered during the program installation stage for privilege escalation.) 2024-05-14 6.7 CVE-2024-31953
cve@mitre.org
n/a--n/a
 		 A crafted network packet may cause a buffer overrun in Wind River VxWorks 7 through 23.09. 2024-05-14 4.3 CVE-2024-28759
cve@mitre.org
cve@mitre.org
n/a--onboard video driver software for Intel(R) Server Boards based on Intel(R) 62X Chipset
 		 Incorrect default permissions in some onboard video driver software before version 1.14 for Intel(R) Server Boards based on Intel(R) 62X Chipset may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 6.7 CVE-2023-42668
secure@intel.com
nalam-1--Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )
 		 The Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's text effect widget in all versions up to, and including, 1.1.37 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-2923
security@wordfence.com
security@wordfence.com
nko--Visual Portfolio, Photo Gallery & Post Grid
 		 The Visual Portfolio, Photo Gallery & Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_tag' parameter in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-15 6.4 CVE-2024-4363
security@wordfence.com
security@wordfence.com
security@wordfence.com
nocodb--nocodb
 		 NocoDB is software for building databases as spreadsheets. Prior to version 0.202.10, an authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped `table_name`. This vulnerability may result in leakage of sensitive data in the database. Version 0.202.10 contains a patch for the issue. 2024-05-14 6.5 CVE-2023-50718
security-advisories@github.com
nocodb--nocodb
 		 NocoDB is software for building databases as spreadsheets. Starting in verson 0.202.6 and prior to version 0.202.10, an attacker can upload a html file with malicious content. If user tries to open that file in browser malicious scripts can be executed leading stored cross-site scripting attack. This allows remote attacker to execute JavaScript code in the context of the user accessing the vector. An attacker could have used this vulnerability to execute requests in the name of a logged-in user or potentially collect information about the attacked user by displaying a malicious form. Version 0.202.10 contains a patch for the issue. 2024-05-14 5.7 CVE-2023-50717
security-advisories@github.com
nvidia--ChatRTX
 		 NVIDIA ChatRTX for Windows contains a vulnerability in the ChatRTX UI and backend, where a user can cause a clear-text transmission of sensitive information issue by data sniffing. A successful exploit of this vulnerability might lead to information disclosure. 2024-05-14 5.5 CVE-2024-0098
psirt@nvidia.com
nvidia--NVIDIA Triton Inference Server
 		 NVIDIA Triton Inference Server for Linux contains a vulnerability in the tracing API, where a user can corrupt system files. A successful exploit of this vulnerability might lead to denial of service and data tampering. 2024-05-14 6.5 CVE-2024-0100
psirt@nvidia.com
nvidia--NVIDIA Triton Inference Server
 		 NVIDIA Triton Inference Server for Linux contains a vulnerability in shared memory APIs, where a user can cause an improper memory access issue by a network API. A successful exploit of this vulnerability might lead to denial of service and data tampering. 2024-05-14 5.5 CVE-2024-0088
psirt@nvidia.com
optimole--Image Optimization by Optimole Lazy Load, CDN, Convert WebP & AVIF
 		 The Image Optimization by Optimole - Lazy Load, CDN, Convert WebP & AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allow_meme_types' function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-15 6.4 CVE-2024-4636
security@wordfence.com
security@wordfence.com
security@wordfence.com
paperless-ngx--paperless-ngx
 		 Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patchc for the issue. 2024-05-15 5.5 CVE-2024-35184
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
phpbits--Forty Four 404 Plugin for WordPress
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in phpbits Forty Four - 404 Plugin for WordPress allows Stored XSS.This issue affects Forty Four - 404 Plugin for WordPress: from n/a through 1.4. 2024-05-14 5.9 CVE-2024-34423
audit@patchstack.com
piotnetdotcom--Piotnet Addons For Elementor
 		 The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.4.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-18 6.4 CVE-2024-4432
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
posimyththemes--The Plus Addons for Elementor Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
 		 The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's element attributes in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-34373 is likely a duplicate of this issue. 2024-05-14 6.4 CVE-2024-0445
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
posimyththemes--The Plus Addons for Elementor Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
 		 The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Age Gate widget in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-2785
security@wordfence.com
security@wordfence.com
security@wordfence.com
prasunsen--Hostel
 		 The Hostel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5.3. This is due to missing or incorrect nonce validation when managing rooms. This makes it possible for unauthenticated attackers to create and delete rooms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-05-14 4.3 CVE-2024-4314
security@wordfence.com
security@wordfence.com
pt-guy--Content Views Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode)
 		 The Content Views - Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagingType' parameter in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4446
security@wordfence.com
security@wordfence.com
pure-chat--Pure Chat Live Chat Plugin & More!
 		 The Pure Chat - Live Chat Plugin & More! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the purechatwid and purechatwname parameter in all versions up to, and including, 2.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-3595
security@wordfence.com
security@wordfence.com
rankmath--Rank Math SEO with AI Best SEO Tools
 		 The Rank Math SEO with AI Best SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'textAlign' parameter in versions up to, and including, 1.0.217 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4335
security@wordfence.com
security@wordfence.com
security@wordfence.com
rankmath--Rank Math SEO with AI Best SEO Tools
 		 The Rank Math SEO with AI Best SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in versions up to, and including, 1.0.218 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-16 6.4 CVE-2024-4617
security@wordfence.com
security@wordfence.com
security@wordfence.com
realmag777--WordPress Meta Data and Taxonomies Filter (MDTF)
 		 Incorrect Authorization vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Code Inclusion, Functionality Misuse.This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.2. 2024-05-17 6.5 CVE-2024-34434
audit@patchstack.com
redbitcz--SimpleShop
 		 The SimpleShop plugin for WordPress is vulnerable to unauthorized disconnection from SimpleShop due to a missing capability check on the maybe_disconnect_simpleshop function in all versions up to, and including, 2.10.2. This makes it possible for unauthenticated attackers to disconnect the SimpleShop. 2024-05-14 5.3 CVE-2024-1229
security@wordfence.com
security@wordfence.com
security@wordfence.com
redbitcz--SimpleShop
 		 The SimpleShop plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10.0. This is due to missing or incorrect nonce validation on the maybe_disconnect_simpleshop function. This makes it possible for unauthenticated attackers to disconnect the site from simpleshop via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-05-14 4.3 CVE-2024-1230
security@wordfence.com
security@wordfence.com
security@wordfence.com
reviewx--ReviewX Multi-criteria Rating & Reviews for WooCommerce
 		 The ReviewX - Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the reviewx_remove_guest_image function in all versions up to, and including, 1.6.27. This makes it possible for authenticated attackers, with subscriber access and above, to delete attachments. 2024-05-16 4.3 CVE-2024-3609
security@wordfence.com
security@wordfence.com
ruby--rexml
 		 REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs. 2024-05-16 5.3 CVE-2024-35176
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
sbouey--Falang multilanguage for WordPress
 		 The Falang multilanguage for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.49 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2024-05-14 4.4 CVE-2024-4417
security@wordfence.com
security@wordfence.com
sc0ttkclark--Pods Custom Content Types and Fields
 		 The Pods - Custom Content Types and Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pod Form widget in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 5.4 CVE-2024-3956
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
shaonsina--Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
 		 The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via several parameters in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4333
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
shaonsina--Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
 		 The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sina Particle Layer widget in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-15 6.4 CVE-2024-4373
security@wordfence.com
security@wordfence.com
smartersite--WP Compress Image Optimizer [All-In-One]
 		 The WP Compress - Image Optimizer [All-In-One] plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the several functions in versions up to, and including, 6.20.01. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit plugin settings, including storing cross-site scripting, in multisite environments. 2024-05-14 6.5 CVE-2024-4445
security@wordfence.com
security@wordfence.com
security@wordfence.com
smartersite--WP Compress Image Optimizer [All-In-One]
 		 The WP Compress - Image Optimizer [All-In-One plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 6.20.01. This is due to insufficient validation on the redirect url supplied via the 'css' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. 2024-05-14 4.3 CVE-2023-6812
security@wordfence.com
security@wordfence.com
smartypants--SP Project & Document Manager
 		 The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdm_save_category AJAX action in all versions up to, and including, 4.70. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary folder name that do not belong to them. 2024-05-14 4.3 CVE-2024-1693
security@wordfence.com
security@wordfence.com
solidus--solidus
 		 Solidus <= 4.3.4 is affected by a Stored Cross-Site Scripting vulnerability in the order tracking URL. 2024-05-14 5.7 CVE-2024-4859
vulnreport@tenable.com
squelch--Squelch Tabs and Accordions Shortcodes
 		 The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4.7. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-05-14 4.3 CVE-2024-4463
security@wordfence.com
security@wordfence.com
stacklok--minder
 		 Minder is a software supply chain security platform. Prior to version 0.0.49, the Minder REST ingester is vulnerable to a denial of service attack via an attacker-controlled REST endpoint that can crash the Minder server. The REST ingester allows users to interact with REST endpoints to fetch data for rule evaluation. When fetching data with the REST ingester, Minder sends a request to an endpoint and will use the data from the body of the response as the data to evaluate against a certain rule. If the response is sufficiently large, it can drain memory on the machine and crash the Minder server. The attacker can control the remote REST endpoints that Minder sends requests to, and they can configure the remote REST endpoints to return responses with large bodies. They would then instruct Minder to send a request to their configured endpoint that would return the large response which would crash the Minder server. Version 0.0.49 fixes this issue. 2024-05-16 5.3 CVE-2024-35185
security-advisories@github.com
security-advisories@github.com
stalwartlabs--mail-server
 		 Stalwart Mail Server is an open-source mail server. Prior to version 0.8.0, when using `RUN_AS_USER`, the specified user (and therefore, web interface admins) can read arbitrary files as root. This issue affects admins who have set up to run stalwart with `RUN_AS_USER` who handed out admin credentials to the mail server but expect these to only grant access according to the `RUN_AS_USER` and are attacked where the attackers managed to achieve Arbitrary Code Execution using another vulnerability. Version 0.8.0 contains a patch for the issue. 2024-05-15 6.8 CVE-2024-35179
security-advisories@github.com
stellar--stellar-core
 		 Stellar-core is a reference implementation for the peer-to-peer agent that manages the Stellar network. Prior to 20.4.0, core nodes could be randomly crashed due to a race condition with a 3rd party library. The likelihood of affecting the network is low since crashed nodes come back up online right away. Code fix mitigation is part of Stellar-core v20.4.0 release 2024-05-14 5.9 CVE-2024-32985
security-advisories@github.com
swte--Swift Performance Lite
 		 The Swift Performance Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajax_handler() function in all versions up to, and including, 2.3.6.18. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve and modify settings. 2024-05-14 5.4 CVE-2024-3722
security@wordfence.com
security@wordfence.com
talspotim--Comments Evolved for WordPress
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in talspotim Comments Evolved for WordPress allows Stored XSS.This issue affects Comments Evolved for WordPress: from n/a through 1.6.3. 2024-05-14 5.9 CVE-2024-34420
audit@patchstack.com
techjewel--Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder
 		 The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in all versions up to, and including, 5.1.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the Fluent Forms settings, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This can be chained with CVE-2024-2771 for a low-privileged user to inject malicious web scripts. 2024-05-18 6.4 CVE-2024-2772
security@wordfence.com
security@wordfence.com
tg123--sshpiper
 		 sshpiper is a reverse proxy for sshd. Starting in version 1.0.50 and prior to version 1.3.0, the way the proxy protocol listener is implemented in sshpiper can allow an attacker to forge their connecting address. Commit 2ddd69876a1e1119059debc59fe869cb4e754430 added the proxy protocol listener as the only listener in sshpiper, with no option to toggle this functionality off. This means that any connection that sshpiper is directly (or in some cases indirectly) exposed to can use proxy protocol to forge its source address. Any users of sshpiper who need logs from it for whitelisting/rate limiting/security investigations could have them become much less useful if an attacker is sending a spoofed source address. Version 1.3.0 contains a patch for the issue. 2024-05-14 5.3 CVE-2024-35175
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
thehappymonster--Happy Addons for Elementor
 		 The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Event Calendar widget in all versions up to, and including, 3.10.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-16 6.4 CVE-2024-4391
security@wordfence.com
security@wordfence.com
security@wordfence.com
thehappymonster--Happy Addons for Elementor
 		 The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Stack Group widget in all versions up to, and including, 3.10.7 due to insufficient input sanitization and output escaping on user supplied 'tooltip_position' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-16 6.4 CVE-2024-4478
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
thehappymonster--Happy Addons for Elementor
 		 The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_id' parameter in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-18 6.4 CVE-2024-4865
security@wordfence.com
security@wordfence.com
security@wordfence.com
thehappymonster--Happy Addons for Elementor
 		 The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_id' parameter in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-18 6.4 CVE-2024-5088
security@wordfence.com
security@wordfence.com
security@wordfence.com
themeisle--Menu Icons by ThemeIsle
 		 The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_mime_type' function in versions up to, and including, 0.13.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-16 6.4 CVE-2024-4635
security@wordfence.com
security@wordfence.com
security@wordfence.com
themelooks--Enter Addons Ultimate Template Builder for Elementor
 		 The Enter Addons - Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Animation Title widget's img tag in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-3680
security@wordfence.com
security@wordfence.com
themelooks--Enter Addons Ultimate Template Builder for Elementor
 		 The Enter Addons - Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Heading widget in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-3831
security@wordfence.com
security@wordfence.com
themeum--Tutor LMS eLearning and online course solution
 		 The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function due to missing validation on a user controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course. 2024-05-16 6.5 CVE-2024-4279
security@wordfence.com
security@wordfence.com
security@wordfence.com
themifyme--Themify Shortcodes
 		 The Themify Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's themify_button shortcode in all versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4567
security@wordfence.com
security@wordfence.com
thimpress--LearnPress WordPress LMS Plugin
 		 The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'layout_html' parameter in all versions up to, and including, 4.2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4277
security@wordfence.com
security@wordfence.com
thimpress--LearnPress WordPress LMS Plugin
 		 The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 4.2.6.5. This is due to missing checks in the 'create_account' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled. 2024-05-14 5.3 CVE-2024-4444
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
thimpress--Thim Elementor Kit
 		 The Thim Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4329
security@wordfence.com
security@wordfence.com
tigroumeow--Gallery Block (Meow Gallery)
 		 The Gallery Block (Meow Gallery) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_atts' parameter in versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4386
security@wordfence.com
security@wordfence.com
security@wordfence.com
timstrifler--Exclusive Addons for Elementor
 		 The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Team Member widget in all versions up to, and including, 2.6.9.6 due to insufficient input sanitization and output escaping on user supplied 'url' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-15 6.4 CVE-2024-4618
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
trinhtuantai--Viet Affiliate Link
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in trinhtuantai Viet Affiliate Link allows Stored XSS.This issue affects Viet Affiliate Link: from n/a through 1.2. 2024-05-14 5.9 CVE-2024-34422
audit@patchstack.com
uapp--Testimonial Carousel For Elementor
 		 The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'show_line_text ' and 'slide_button_hover_animation' parameters in versions up to, and including, 10.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-18 6.4 CVE-2024-4698
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
unitecms--Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
 		 The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_connect_error' parameter in all versions up to, and including, 1.5.102 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2024-05-14 6.1 CVE-2024-3547
security@wordfence.com
security@wordfence.com
upwerd--Visual Footer Credit Remover
 		 The Visual Footer Credit Remover plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'selector' parameter in all versions up to, and including, 2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2024-05-14 4.4 CVE-2024-2846
security@wordfence.com
security@wordfence.com
videousermanuals--White Label CMS
 		 The White Label CMS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_plugin function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to reset plugin settings. 2024-05-14 5.3 CVE-2024-4280
security@wordfence.com
security@wordfence.com
villatheme--Orders Tracking for WooCommerce
 		 The The Orders Tracking for WooCommerce plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.10. This is due to the plugin allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. A partial patch was released in 1.2.10, and a complete patch was released in 1.2.11. 2024-05-14 6.5 CVE-2024-4039
security@wordfence.com
security@wordfence.com
security@wordfence.com
visualmodo--Borderless Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg
 		 The Borderless - Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4666
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
weForms--weForms
 		 Client-Side Enforcement of Server-Side Security vulnerability in weForms allows Removing Important Client Functionality.This issue affects weForms: from n/a through 1.6.20. 2024-05-17 5.3 CVE-2024-32512
audit@patchstack.com
webdevmattcrom--GiveWP Donation Plugin and Fundraising Platform
 		 The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'give_form' shortcode when used with a legacy form in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-18 6.4 CVE-2024-3714
security@wordfence.com
security@wordfence.com
webtechideas--WTI Like Post
 		 Authentication Bypass by Spoofing vulnerability in webtechideas WTI Like Post allows Functionality Bypass.This issue affects WTI Like Post: from n/a through 1.4.6. 2024-05-17 5.3 CVE-2024-33917
audit@patchstack.com
wolfi-dev--wolfictl
 		 wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user's GitHub token to be sent to remote servers other than `github.com`. Most git-dependent functionality in wolfictl relies on its own `git` package, which contains centralized logic for implementing interactions with git repositories. Some of this functionality requires authentication in order to access private repositories. A central function `GetGitAuth` looks for a GitHub token in the environment variable `GITHUB_TOKEN` and returns it as an HTTP basic auth object to be used with the `github.com/go-git/go-git/v5` library. Most callers (direct or indirect) of `GetGitAuth` use the token to authenticate to github.com only; however, in some cases callers were passing this authentication without checking that the remote git repository was hosted on github.com. This behavior has existed in one form or another since commit 0d06e1578300327c212dda26a5ab31d09352b9d0 - committed January 25, 2023. This impacts anyone who ran the `wolfictl check update` commands with a Melange configuration that included a `git-checkout` directive step that referenced a git repository not hosted on github.com. This also impacts anyone who ran `wolfictl update <url>` with a remote URL outside of github.com. Additionally, these subcommands must have run with the `GITHUB_TOKEN` environment variable set to a valid GitHub token. Users should upgrade to version 0.16.10 to receive a patch. 2024-05-15 4.4 CVE-2024-35183
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
wpdevteam--EmbedPress Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
 		 The EmbedPress - Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 3.9.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4316
security@wordfence.com
security@wordfence.com
wpdevteam--Essential Addons for Elementor Best Elementor Templates, Widgets, Kits & WooCommerce Builders
 		 The Essential Addons for Elementor - Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Interactive Circle widget in all versions up to, and including, 5.9.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4275
security@wordfence.com
security@wordfence.com
wpdevteam--Essential Addons for Elementor Best Elementor Templates, Widgets, Kits & WooCommerce Builders
 		 The Essential Addons for Elementor - Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Dual Color Header', 'Event Calendar', & 'Advanced Data Table' widgets in all versions up to, and including, 5.9.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.5 CVE-2024-4448
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
wpdevteam--Essential Addons for Elementor Best Elementor Templates, Widgets, Kits & WooCommerce Builders
 		 The Essential Addons for Elementor - Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Fancy Text', 'Filter Gallery', 'Sticky Video', 'Content Ticker', 'Woo Product Gallery', & 'Twitter Feed' widgets in all versions up to, and including, 5.9.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4449
security@wordfence.com
security@wordfence.com
wpdevteam--Essential Addons for Elementor Best Elementor Templates, Widgets, Kits & WooCommerce Builders
 		 The Essential Addons for Elementor - Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugins for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eael_ext_toc_title_tag' parameter in versions up to, and including, 5.9.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4624
security@wordfence.com
security@wordfence.com
security@wordfence.com
wpdevteam--Essential Blocks Page Builder Gutenberg Blocks, Patterns & Templates
 		 The Essential Blocks - Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' parameter in versions up to, and including, 4.5.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-18 6.4 CVE-2024-4891
security@wordfence.com
security@wordfence.com
security@wordfence.com
wpexpertsio--Password Protected Ultimate Plugin to Password Protect Your WordPress Content with Ease
 		 The Password Protected - Ultimate Plugin to Password Protect Your WordPress Content with Ease plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.6 via the API. This makes it possible for authenticated attackers, with subscriber access or higher, to extract post titles and content, thus bypassing the plugin's password protection. 2024-05-15 4.3 CVE-2024-0437
security@wordfence.com
security@wordfence.com
wpjoli--Joli FAQ SEO WordPress FAQ Plugin
 		 The Joli FAQ SEO - WordPress FAQ Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to change the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-05-14 4.3 CVE-2024-4082
security@wordfence.com
security@wordfence.com
wpkube--Simple Basic Contact Form
 		 The Simple Basic Contact Form plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 20240502. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on the functionality of other plugins installed in the environment. 2024-05-14 6.5 CVE-2024-4144
security@wordfence.com
security@wordfence.com
security@wordfence.com
wpkube--Simple Basic Contact Form
 		 The Simple Basic Contact Form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'scf_email' parameter in versions up to, and including, 20221201 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2024-05-14 6.1 CVE-2024-4150
security@wordfence.com
security@wordfence.com
security@wordfence.com
wproyal--Royal Elementor Addons and Templates
 		 The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Form Builder widget in all versions up to, and including, 1.3.974 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-16 5.4 CVE-2024-3887
security@wordfence.com
security@wordfence.com
wpsurface--BlogLentor
 		 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsurface BlogLentor allows Stored XSS.This issue affects BlogLentor: from n/a through 1.0.8. 2024-05-14 6.5 CVE-2024-34421
audit@patchstack.com
wpzoom--WPZOOM Addons for Elementor (Templates, Widgets)
 		 The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget Image Box in all versions up to, and including, 1.1.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-15 6.4 CVE-2024-4370
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
xpro--140+ Widgets | Best Addons For Elementor FREE
 		 The 140+ Widgets | Best Addons For Elementor - FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 6.4 CVE-2024-4440
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
yithemes--YITH WooCommerce Gift Cards
 		 The YITH WooCommerce Gift Cards plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_mail_status' and 'save_email_settings' functions in all versions up to, and including, 4.12.0. This makes it possible for unauthenticated attackers to modify WooCommerce settings. 2024-05-14 5.3 CVE-2024-0870
security@wordfence.com
security@wordfence.com
yoast--Yoast SEO
 		 The Yoast SEO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 22.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2024-05-14 6.1 CVE-2024-4041
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
yoast--Yoast SEO
 		 The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'display_name' author meta in all versions up to, and including, 22.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-16 6.4 CVE-2024-4984
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com

Back to top

Low Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source & Patch Info
Bill Minozzi--Car Dealer
 		 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS vulnerability in Bill Minozzi Car Dealer allows Code Injection.This issue affects Car Dealer: from n/a through 4.15. 2024-05-17 2.7 CVE-2024-4214
audit@patchstack.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability classified as problematic was found in Campcodes Complete Web-Based School Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /view/show_student_subject.php. The manipulation of the argument id leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263593 was assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4672
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability, which was classified as problematic, has been found in Campcodes Complete Web-Based School Management System 1.0. Affected by this issue is some unknown functionality of the file /view/show_student_grade_subject.php. The manipulation of the argument id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-263594 is the identifier assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4673
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability, which was classified as problematic, was found in Campcodes Complete Web-Based School Management System 1.0. This affects an unknown part of the file /view/show_friend_request.php. The manipulation of the argument my_index leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263595. 2024-05-14 3.5 CVE-2024-4674
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability has been found in Campcodes Complete Web-Based School Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /view/show_events.php. The manipulation of the argument event_id leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263596. 2024-05-14 3.5 CVE-2024-4675
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file /view/range_grade_text.php. The manipulation of the argument count leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263597 was assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4676
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file /view/my_student_exam_marks1.php. The manipulation of the argument year leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-263598 is the identifier assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4677
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /view/find_friends.php. The manipulation of the argument my_type leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263599. 2024-05-14 3.5 CVE-2024-4678
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability has been found in Campcodes Complete Web-Based School Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /view/exam_timetable_update_form.php. The manipulation of the argument exam leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263623. 2024-05-14 3.5 CVE-2024-4682
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /view/exam_timetable_insert_form.php. The manipulation of the argument exam leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263624. 2024-05-14 3.5 CVE-2024-4683
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /view/exam_timetable_grade_wise.php. The manipulation of the argument exam leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263625 was assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4684
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /view/exam_timetable.php. The manipulation of the argument exam leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-263626 is the identifier assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4685
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /view/emarks_range_grade_update_form.php. The manipulation of the argument grade leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263627. 2024-05-14 3.5 CVE-2024-4686
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability classified as problematic has been found in Campcodes Complete Web-Based School Management System 1.0. Affected is an unknown function of the file /view/create_events.php. The manipulation of the argument my_index leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263628. 2024-05-14 3.5 CVE-2024-4687
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability classified as problematic was found in Campcodes Complete Web-Based School Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /view/conversation_history_admin.php. The manipulation of the argument conversation_id leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263629 was assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4688
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability classified as problematic was found in Campcodes Complete Web-Based School Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /view/all_teacher.php. The manipulation of the argument page leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263791. 2024-05-14 3.5 CVE-2024-4713
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability, which was classified as problematic, has been found in Campcodes Complete Web-Based School Management System 1.0. Affected by this issue is some unknown functionality of the file /model/update_subject.php. The manipulation of the argument name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263792. 2024-05-14 3.5 CVE-2024-4714
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability, which was classified as problematic, was found in Campcodes Complete Web-Based School Management System 1.0. This affects an unknown part of the file /model/update_grade.php. The manipulation of the argument name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263793 was assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4715
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability has been found in Campcodes Complete Web-Based School Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /model/update_exam.php. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-263794 is the identifier assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4716
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file /model/update_classroom.php. The manipulation of the argument name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263795. 2024-05-14 3.5 CVE-2024-4717
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file /model/delete_student_grade_subject.php. The manipulation of the argument index leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263796. 2024-05-14 3.5 CVE-2024-4718
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /model/delete_record.php. The manipulation of the argument page leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263797 was assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4719
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /model/approve_petty_cash.php. The manipulation of the argument admin_index leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-263798 is the identifier assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4720
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability classified as problematic has been found in Campcodes Complete Web-Based School Management System 1.0. This affects an unknown part of the file /model/add_student_subject.php. The manipulation of the argument index leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263799. 2024-05-14 3.5 CVE-2024-4721
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Complete Web-Based School Management System
 		 A vulnerability classified as problematic was found in Campcodes Complete Web-Based School Management System 1.0. This vulnerability affects unknown code of the file index.php. The manipulation of the argument category leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263800. 2024-05-14 3.5 CVE-2024-4722
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability, which was classified as problematic, has been found in Campcodes Legal Case Management System 1.0. This issue affects some unknown processing of the file /admin/case-status. The manipulation of the argument case_status leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263801 was assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4723
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability, which was classified as problematic, was found in Campcodes Legal Case Management System 1.0. Affected is an unknown function of the file /admin/case-type. The manipulation of the argument case_type_name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-263802 is the identifier assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4724
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability has been found in Campcodes Legal Case Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/client_user. The manipulation of the argument f_name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263803. 2024-05-14 3.5 CVE-2024-4725
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability was found in Campcodes Legal Case Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/clients. The manipulation of the argument f_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263804. 2024-05-14 3.5 CVE-2024-4726
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability was found in Campcodes Legal Case Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/court-type. The manipulation of the argument court_name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263805 was assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4727
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability was found in Campcodes Legal Case Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/court. The manipulation of the argument court_name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-263806 is the identifier assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4728
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability was found in Campcodes Legal Case Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/expense-type. The manipulation of the argument name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263807. 2024-05-14 3.5 CVE-2024-4729
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability classified as problematic has been found in Campcodes Legal Case Management System 1.0. Affected is an unknown function of the file /admin/judge. The manipulation of the argument judge_name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263808. 2024-05-14 3.5 CVE-2024-4730
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability classified as problematic was found in Campcodes Legal Case Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/role. The manipulation of the argument slug leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263809 was assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4731
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability, which was classified as problematic, has been found in Campcodes Legal Case Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/service. The manipulation of the argument name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-263810 is the identifier assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4732
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability has been found in Campcodes Legal Case Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/tasks. The manipulation of the argument task_subject leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263821 was assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4735
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability was found in Campcodes Legal Case Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/tax. The manipulation of the argument name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-263822 is the identifier assigned to this vulnerability. 2024-05-14 3.5 CVE-2024-4736
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability was found in Campcodes Legal Case Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/vendor. The manipulation of the argument company_name/mobile leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263823. 2024-05-14 3.5 CVE-2024-4737
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Legal Case Management System
 		 A vulnerability was found in Campcodes Legal Case Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code. The manipulation of the argument new_client leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263824. 2024-05-14 3.5 CVE-2024-4738
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Campcodes--Online Laundry Management System
 		 A vulnerability was found in Campcodes Online Laundry Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /ajax.php. The manipulation of the argument name/customer_name/username leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263896. 2024-05-14 3.5 CVE-2024-4797
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
Filipe Seabra--WordPress Manuteno
 		 Authentication Bypass by Spoofing vulnerability in Filipe Seabra WordPress Manutenção allows Functionality Bypass.This issue affects WordPress Manutenção: from n/a through 1.0.6. 2024-05-17 3.7 CVE-2024-22139
audit@patchstack.com
Huawei--HarmonyOS
 		 Insufficient verification vulnerability in the system sharing pop-up module Impact: Successful exploitation of this vulnerability will affect availability. 2024-05-14 3.3 CVE-2024-32989
psirt@huawei.com
psirt@huawei.com
IBM--Security Guardium
 		 IBM Security Guardium 11.3, 11.4, 11.5, and 12.0 could allow an authenticated user to upload files that would cause a denial of service. IBM X-Force ID: 271526. 2024-05-14 2.7 CVE-2023-47711
psirt@us.ibm.com
psirt@us.ibm.com
JetBrains--TeamCity
 		 In JetBrains TeamCity between 2024.03 and 2024.03.1 several stored XSS in the available updates page were possible 2024-05-16 3.5 CVE-2024-35300
cve@jetbrains.com
Nozomi Networks--Arc
 		 On Windows systems, the Arc configuration files resulted to be world-readable. This can lead to information disclosure by local attackers, via exfiltration of sensitive data from configuration files. 2024-05-15 3.8 CVE-2023-5937
prodsec@nozominetworks.com
OpenText--iManager
 		 Broken Authentication vulnerability discovered in OpenTextâ„¢ iManager 3.2.6.0200. This vulnerability allows an attacker to manipulate certain parameters to bypass authentication. 2024-05-15 3.5 CVE-2024-3487
security@opentext.com
Pippin Williamson--CGC Maintenance Mode
 		 Authentication Bypass by Spoofing vulnerability in Pippin Williamson CGC Maintenance Mode allows Functionality Bypass.This issue affects CGC Maintenance Mode: from n/a through 1.2. 2024-05-17 3.7 CVE-2024-30480
audit@patchstack.com
SAP_SE--SAP Bank Account Management
 		 SAP Bank Account Management does not perform necessary authorization check for an authorized user, resulting in escalation of privileges. As a result, it has a low impact to confidentiality to the system. 2024-05-14 3.5 CVE-2024-33000
cna@sap.com
cna@sap.com
SAP_SE--SAPUI5 (PDFViewer)
 		 PDFViewer is a control delivered as part of SAPUI5 product which shows the PDF content in an embedded mode by default. If a PDF document contains embedded JavaScript (or any harmful client-side script), the PDFViewer will execute the JavaScript embedded in the PDF which can cause a potential security threat. 2024-05-14 3.5 CVE-2024-33007
cna@sap.com
cna@sap.com
Siemens--Parasolid V35.1
 		 A vulnerability has been identified in Parasolid V35.1 (All versions < V35.1.256), Parasolid V36.0 (All versions < V36.0.208), Parasolid V36.1 (All versions < V36.1.173). The affected applications contain a null pointer dereference vulnerability while parsing specially crafted X_T files. An attacker could leverage this vulnerability to crash the application causing denial of service condition. 2024-05-14 3.3 CVE-2024-32637
productcert@siemens.com
Siemens--SIMATIC RTLS Locating Manager
 		 A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected application contains a hidden configuration item to enable debug functionality. This could allow an authenticated local attacker to gain insight into the internal configuration of the deployment. 2024-05-14 3.3 CVE-2024-33583
productcert@siemens.com
SourceCodester--Interactive Map with Marker
 		 A vulnerability was found in SourceCodester Interactive Map with Marker 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file Marker Name of the component Add Marker. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264536. 2024-05-16 3.5 CVE-2024-4968
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
SourceCodester--Simple Image Stack Website
 		 A vulnerability, which was classified as problematic, was found in SourceCodester Simple Image Stack Website 1.0. This affects an unknown part. The manipulation of the argument page leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-264459. 2024-05-16 3.5 CVE-2024-4922
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
TYPO3--typo3
 		 TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account. TYPO3 version 13.1.1 fixes the problem described. 2024-05-14 3.5 CVE-2024-34355
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
Wireshark Foundation--editcap
 		 Memory handling issue in editcap could cause denial of service via crafted capture file 2024-05-14 3.6 CVE-2024-4853
cve@gitlab.com
cve@gitlab.com
Wireshark Foundation--editcap
 		 Use after free issue in editcap could cause denial of service via crafted capture file 2024-05-14 3.6 CVE-2024-4855
cve@gitlab.com
cve@gitlab.com
cve@gitlab.com
cve@gitlab.com
cea-hpc--sshproxy
 		 sshproxy is used on a gateway to transparently proxy a user SSH connection on the gateway to an internal host via SSH. Prior to version 1.6.3, any user authorized to connect to a ssh server using `sshproxy` can inject options to the `ssh` command executed by `sshproxy`. All versions of `sshproxy` are impacted. The problem is patched starting in version 1.6.3. The only workaround is to use the `force_command` option in `sshproxy.yaml`, but it's rarely relevant. 2024-05-14 3.5 CVE-2024-34713
security-advisories@github.com
security-advisories@github.com
code-projects--Simple Chat System
 		 A vulnerability, which was classified as problematic, was found in code-projects Simple Chat System 1.0. Affected is an unknown function of the file /register.php. The manipulation of the argument name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264540. 2024-05-16 3.5 CVE-2024-4974
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
code-projects--Simple Chat System
 		 A vulnerability, which was classified as problematic, has been found in code-projects Simple Chat System 1.0. This issue affects some unknown processing of the component Message Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-264539. 2024-05-16 3.5 CVE-2024-4975
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
git--git
 		 Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a "proper" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. 2024-05-14 3.9 CVE-2024-32020
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
git--git
 		 Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. 2024-05-14 3.9 CVE-2024-32021
security-advisories@github.com
gocd--gocd
 		 GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23.5.0 (inclusive) are potentially vulnerable to a reflected cross-site scripting vulnerability on the loading page displayed while GoCD is starting, via abuse of a `redirect_to` query parameter with inadequate validation. Attackers could theoretically abuse the query parameter to steal session tokens or other values from the user's browser. In practice exploiting this to perform privileged actions is likely rather difficult to exploit because the target user would need to be triggered to open an attacker-crafted link in the period where the server is starting up (but not completely started), requiring chaining with a separate denial-of-service vulnerability. Additionally, GoCD server restarts invalidate earlier session tokens (i.e GoCD does not support persistent sessions), so a stolen session token would be unusable once the server has completed restart, and executed XSS would be done within a logged-out context. The issue is fixed in GoCD 24.1.0. As a workaround, it is technically possible in earlier GoCD versions to override the loading page with an earlier version which is not vulnerable, by starting GoCD with the Java system property override as either `-Dloading.page.resource.path=/loading_pages/default.loading.page.html` (simpler early version of loading page without GoCD introduction) or `-Dloading.page.resource.path=/does_not_exist.html` (to display a simple message with no interactivity). 2024-05-14 3.1 CVE-2024-28866
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
helderk--Maintenance Mode
 		 Authentication Bypass by Spoofing vulnerability in helderk Maintenance Mode allows Functionality Bypass.This issue affects Maintenance Mode: from n/a through 3.0.1. 2024-05-17 3.7 CVE-2024-32708
audit@patchstack.com
n/a--Emlog Pro
 		 A vulnerability was found in Emlog Pro 2.3.4. It has been classified as problematic. This affects an unknown part of the component Cookie Handler. The manipulation of the argument AuthCookie leads to improper authentication. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-264741 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-05-17 3.7 CVE-2024-5044
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
n/a--Intel(R) CBI software
 		 Improper input validation in some Intel(R) CBI software before version 1.1.0 may allow an authenticated user to potentially enable denial of service via local access. 2024-05-16 2.8 CVE-2023-43745
secure@intel.com
n/a--Intel(R) Media SDK and some Intel(R) oneVPL software
 		 Out-of-bounds read in Intel(R) Media SDK and some Intel(R) oneVPL software before version 23.3.5 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 3.9 CVE-2023-22656
secure@intel.com
n/a--Intel(R) Media SDK software
 		 Improper buffer restrictions in Intel(R) Media SDK software all versions may allow an authenticated user to potentially enable denial of service via local access. 2024-05-16 3.3 CVE-2023-47169
secure@intel.com
n/a--Intel(R) Power Gadget software for macOS
 		 Improper conditions check in Intel(R) Power Gadget software for macOS all versions may allow an authenticated user to potentially enable information disclosure via local access. 2024-05-16 3.8 CVE-2023-38420
secure@intel.com
n/a--Intel(R) Processors
 		 Hardware logic contains race conditions in some Intel(R) Processors may allow an authenticated user to potentially enable partial information disclosure via local access. 2024-05-16 2.8 CVE-2023-45733
secure@intel.com
n/a--Intel(R) Trace Analyzer and Collector software
 		 Out-of-bounds read for some Intel(R) Trace Analyzer and Collector software before version 2022.0.0 published Nov 2023 may allow an authenticated user to potentially enable information disclosure via local access. 2024-05-16 2.8 CVE-2024-22384
secure@intel.com
n/a--Intel(R) oneVPL software
 		 Out-of-bounds write in Intel(R) Media SDK all versions and some Intel(R) oneVPL software before version 23.3.5 may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-05-16 3.9 CVE-2023-47282
secure@intel.com
n/a--Intel(R) oneVPL software
 		 NULL pointer dereference in some Intel(R) oneVPL software before version 23.3.5 may allow an authenticated user to potentially enable information disclosure via local access. 2024-05-16 3.3 CVE-2023-48727
secure@intel.com
n/a--PostgreSQL
 		 Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected. 2024-05-14 3.1 CVE-2024-4317
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
octo-sts--app
 		 octo-sts is a GitHub App that acts like a Security Token Service (STS) for the Github API. This vulnerability can spike the resource utilization of the STS service, and combined with a significant traffic volume could potentially lead to a denial of service. This vulnerability is fixed in 0.1.0 2024-05-14 3.7 CVE-2024-34079
security-advisories@github.com
security-advisories@github.com

Back to top

Severity Not Yet Assigned

Primary
Vendor -- Product		 Description Published CVSS Score Source & Patch Info
Aidin--Phormer
 		 Phormer prior to version 3.35 contains a cross-site scripting vulnerability. If this vulnerability is exploited, a remote unauthenticated attacker may execute an arbitrary script on the web browser of the user. 2024-05-14 not yet calculated CVE-2024-34749
vultures@jpcert.or.jp
vultures@jpcert.or.jp
vultures@jpcert.or.jp
vultures@jpcert.or.jp
Ant Media--Ant Media Server Community Edition
 		 Ant Media Server Community Edition in a default configuration is vulnerable to an improper HTTP header based authorization, leading to a possible use of non-administrative API calls reserved only for authorized users.  All versions up to 2.9.0 (tested) and possibly newer ones are believed to be vulnerable as the vendor has not confirmed releasing a patch. 2024-05-14 not yet calculated CVE-2024-3462
cvd@cert.pl
cvd@cert.pl
cvd@cert.pl
Apache Software Foundation--Apache Airflow
 		 Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs.  Users are recommended to upgrade to version 2.9.1, which fixes this issue. 2024-05-14 not yet calculated CVE-2024-32077
security@apache.org
security@apache.org
Apple--iOS and iPadOS
 		 A logic issue was addressed with improved checks. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, macOS Monterey 12.7.5, macOS Ventura 13.6.7, macOS Sonoma 14.4. An app may be able to access user-sensitive data. 2024-05-14 not yet calculated CVE-2024-27789
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
Apple--iOS and iPadOS
 		 The issue was addressed with improved checks. This issue is fixed in iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5. An attacker may be able to elevate privileges. 2024-05-14 not yet calculated CVE-2024-27796
product-security@apple.com
product-security@apple.com
Apple--iOS and iPadOS
 		 A permissions issue was addressed with improved validation. This issue is fixed in iOS 17.5 and iPadOS 17.5. An attacker with physical access may be able to share items from the lock screen. 2024-05-14 not yet calculated CVE-2024-27803
product-security@apple.com
Apple--iOS and iPadOS
 		 The issue was addressed with improved memory handling. This issue is fixed in iOS 17.5 and iPadOS 17.5, tvOS 17.5, watchOS 10.5, macOS Sonoma 14.5. An app may be able to execute arbitrary code with kernel privileges. 2024-05-14 not yet calculated CVE-2024-27804
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
Apple--iOS and iPadOS
 		 A path handling issue was addressed with improved validation. This issue is fixed in iOS 17.5 and iPadOS 17.5, tvOS 17.5, watchOS 10.5, macOS Sonoma 14.5. An app may be able to read sensitive location information. 2024-05-14 not yet calculated CVE-2024-27810
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
Apple--iOS and iPadOS
 		 A logic issue was addressed with improved checks. This issue is fixed in iOS 17.5 and iPadOS 17.5, tvOS 17.5, watchOS 10.5, macOS Sonoma 14.5. An attacker may be able to access user data. 2024-05-14 not yet calculated CVE-2024-27816
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
Apple--iOS and iPadOS
 		 The issue was addressed with improved memory handling. This issue is fixed in iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5. An attacker may be able to cause unexpected app termination or arbitrary code execution. 2024-05-14 not yet calculated CVE-2024-27818
product-security@apple.com
product-security@apple.com
Apple--iOS and iPadOS
 		 A path handling issue was addressed with improved validation. This issue is fixed in iOS 17.5 and iPadOS 17.5, watchOS 10.5, macOS Sonoma 14.5. A shortcut may output sensitive user data without consent. 2024-05-14 not yet calculated CVE-2024-27821
product-security@apple.com
product-security@apple.com
product-security@apple.com
Apple--iOS and iPadOS
 		 The issue was addressed with improved checks. This issue is fixed in iOS 17.5 and iPadOS 17.5, tvOS 17.5, Safari 17.5, watchOS 10.5, macOS Sonoma 14.5. An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. 2024-05-14 not yet calculated CVE-2024-27834
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
Apple--iOS and iPadOS
 		 This issue was addressed through improved state management. This issue is fixed in iOS 17.5 and iPadOS 17.5. An attacker with physical access to an iOS device may be able to access notes from the lock screen. 2024-05-14 not yet calculated CVE-2024-27835
product-security@apple.com
Apple--iOS and iPadOS
 		 A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in iOS 17.5 and iPadOS 17.5. A malicious application may be able to determine a user's current location. 2024-05-14 not yet calculated CVE-2024-27839
product-security@apple.com
Apple--iOS and iPadOS
 		 The issue was addressed with improved memory handling. This issue is fixed in iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5. An app may be able to disclose kernel memory. 2024-05-14 not yet calculated CVE-2024-27841
product-security@apple.com
product-security@apple.com
Apple--iOS and iPadOS
 		 This issue was addressed with improved checks This issue is fixed in iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5. An app may be able to bypass Privacy preferences. 2024-05-14 not yet calculated CVE-2024-27847
product-security@apple.com
product-security@apple.com
Apple--iOS and iPadOS
 		 A privacy issue was addressed with improved client ID handling for alternative app marketplaces. This issue is fixed in iOS 17.5 and iPadOS 17.5. A maliciously crafted webpage may be able to distribute a script that tracks users on other webpages. 2024-05-14 not yet calculated CVE-2024-27852
product-security@apple.com
Apple--iTunes for Windows
 		 The issue was addressed with improved checks. This issue is fixed in iTunes 12.13.2 for Windows. Parsing a file may lead to an unexpected app termination or arbitrary code execution. 2024-05-14 not yet calculated CVE-2024-27793
product-security@apple.com
Apple--macOS
 		 This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Monterey 12.7.5, macOS Ventura 13.6.5, macOS Sonoma 14.4. A malicious application may be able to access Find My data. 2024-05-14 not yet calculated CVE-2024-23229
product-security@apple.com
product-security@apple.com
product-security@apple.com
Apple--macOS
 		 A correctness issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5. An app may be able to read arbitrary files. 2024-05-14 not yet calculated CVE-2024-23236
product-security@apple.com
Apple--macOS
 		 An authorization issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.5. An attacker may be able to elevate privileges. 2024-05-14 not yet calculated CVE-2024-27798
product-security@apple.com
Apple--macOS
 		 The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5. An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges. 2024-05-14 not yet calculated CVE-2024-27813
product-security@apple.com
Apple--macOS
 		 A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sonoma 14.5. An app may be able to gain root privileges. 2024-05-14 not yet calculated CVE-2024-27822
product-security@apple.com
Apple--macOS
 		 This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sonoma 14.5. An app may be able to elevate privileges. 2024-05-14 not yet calculated CVE-2024-27824
product-security@apple.com
Apple--macOS
 		 A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sonoma 14.5. An app may be able to bypass certain Privacy preferences. 2024-05-14 not yet calculated CVE-2024-27825
product-security@apple.com
Apple--macOS
 		 This issue was addressed through improved state management. This issue is fixed in macOS Sonoma 14.5. An app may be able to read arbitrary files. 2024-05-14 not yet calculated CVE-2024-27827
product-security@apple.com
Apple--macOS
 		 The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.5. Processing a file may lead to unexpected app termination or arbitrary code execution. 2024-05-14 not yet calculated CVE-2024-27829
product-security@apple.com
Apple--macOS
 		 A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Sonoma 14.5. A local attacker may gain access to Keychain items. 2024-05-14 not yet calculated CVE-2024-27837
product-security@apple.com
Apple--macOS
 		 The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5. An app may be able to execute arbitrary code with kernel privileges. 2024-05-14 not yet calculated CVE-2024-27842
product-security@apple.com
Apple--macOS
 		 A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5. An app may be able to elevate privileges. 2024-05-14 not yet calculated CVE-2024-27843
product-security@apple.com
CEMI Tomasz Paweek--CemiPark
 		 The access control in CemiPark software does not properly validate user-entered data, which allows the authentication bypass. An attacker who has network access to the login panel can log in with administrator rights to the application.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products. 2024-05-14 not yet calculated CVE-2024-4423
cvd@cert.pl
cvd@cert.pl
cvd@cert.pl
CEMI Tomasz Paweek--CemiPark
 		 The access control in CemiPark software does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user's browser space.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products. 2024-05-14 not yet calculated CVE-2024-4424
cvd@cert.pl
cvd@cert.pl
cvd@cert.pl
CEMI Tomasz Paweek--CemiPark
 		 The access control in CemiPark software stores integration (e.g. FTP or SIP) credentials in plain-text. An attacker who gained unauthorized access to the device can retrieve clear text passwords used by the system.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products. 2024-05-14 not yet calculated CVE-2024-4425
cvd@cert.pl
cvd@cert.pl
cvd@cert.pl
Claris--FileMaker Server
 		 Claris International has successfully resolved an issue of potentially exposing password information to front-end websites when signed in to the Admin Console with an administrator role. This issue has been fixed in FileMaker Server 20.3.1 by eliminating the send of Admin Role passwords in the Node.js socket. 2024-05-14 not yet calculated CVE-2023-42955
product-security@apple.com
Claris--FileMaker Server
 		 Claris International has resolved an issue of potentially allowing unauthorized access to records stored in databases hosted on FileMaker Server. This issue has been fixed in FileMaker Server 20.3.2 by validating transactions before replying to client requests. 2024-05-14 not yet calculated CVE-2024-27790
product-security@apple.com
Devolutions--Server
 		 Improper input validation in PAM JIT elevation feature in Devolutions Server 2024.1.11.0 and earlier allows an authenticated user with access to the PAM JIT elevation feature to manipulate the LDAP filter query via a specially crafted request. 2024-05-17 not yet calculated CVE-2024-5072
security@devolutions.net
Digisol--Digisol Router DG-GR1321
 		 This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to improper implementation of password policies. An attacker with physical access could exploit this by creating password that do not adhere to the defined security standards/policy on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats. 2024-05-14 not yet calculated CVE-2024-2257
vdisclose@cert-in.org.in
Digisol--Digisol Router DG-GR1321
 		 This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to presence of root terminal access on a serial interface without proper access control. An attacker with physical access could exploit this by identifying UART pins and accessing the root shell on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to access the sensitive information on the targeted system. 2024-05-14 not yet calculated CVE-2024-4231
vdisclose@cert-in.org.in
Digisol--Digisol Router DG-GR1321
 		 This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to presence of root terminal access on a serial interface without proper access control. An attacker with physical access could exploit this by identifying UART pins and accessing the root shell on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to access the sensitive information on the targeted system.This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to lack of encryption or hashing in storing of passwords within the router's firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext passwords on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system. 2024-05-14 not yet calculated CVE-2024-4232
vdisclose@cert-in.org.in
Google--Chrome
 		 Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) 2024-05-14 not yet calculated CVE-2024-4761
chrome-cve-admin@google.com
chrome-cve-admin@google.com
Google--Chrome
 		 Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2024-05-15 not yet calculated CVE-2024-4947
chrome-cve-admin@google.com
chrome-cve-admin@google.com
Google--Chrome
 		 Use after free in Dawn in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 2024-05-15 not yet calculated CVE-2024-4948
chrome-cve-admin@google.com
chrome-cve-admin@google.com
Google--Chrome
 		 Use after free in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) 2024-05-15 not yet calculated CVE-2024-4949
chrome-cve-admin@google.com
chrome-cve-admin@google.com
Google--Chrome
 		 Inappropriate implementation in Downloads in Google Chrome prior to 125.0.6422.60 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) 2024-05-15 not yet calculated CVE-2024-4950
chrome-cve-admin@google.com
chrome-cve-admin@google.com
HP Inc.--Plantronics Hub
 		 A privilege escalation exists in the updater for Plantronics Hub 3.25.1 and below. 2024-05-14 not yet calculated CVE-2024-27460
hp-security-alert@hp.com
Ligowave--UNITY
 		 A vulnerability in the web-based management interface of multiple Ligowave devices could allow an authenticated remote attacker to execute arbitrary commands with elevated privileges.This issue affects UNITY: through 6.95-2; PRO: through 6.95-1.Rt3883; MIMO: through 6.95-1.Rt2880; APC Propeller: through 2-5.95-4.Rt3352. 2024-05-16 not yet calculated CVE-2024-4999
research@onekey.com
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: io_uring/af_unix: disable sending io_uring over sockets File reference cycles have caused lots of problems for io_uring in the past, and it still doesn't work exactly right and races with unix_stream_read_generic(). The safest fix would be to completely disallow sending io_uring files via sockets via SCM_RIGHT, so there are no possible cycles invloving registered files and thus rendering SCM accounting on the io_uring side unnecessary. 2024-05-14 not yet calculated CVE-2023-52654
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: usb: aqc111: check packet for fixup for true limit If a device sends a packet that is inbetween 0 and sizeof(u64) the value passed to skb_trim() as length will wrap around ending up as some very large value. The driver will then proceed to parse the header located at that position, which will either oops or process some random value. The fix is to check against sizeof(u64) rather than 0, which the driver currently does. The issue exists since the introduction of the driver. 2024-05-14 not yet calculated CVE-2023-52655
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: io_uring: drop any code related to SCM_RIGHTS This is dead code after we dropped support for passing io_uring fds over SCM_RIGHTS, get rid of it. 2024-05-14 not yet calculated CVE-2023-52656
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: Revert "drm/amd/pm: resolve reboot exception for si oland" This reverts commit e490d60a2f76bff636c68ce4fe34c1b6c34bbd86. This causes hangs on SI when DC is enabled and errors on driver reboot and power off cycles. 2024-05-17 not yet calculated CVE-2023-52657
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: Revert "net/mlx5: Block entering switchdev mode with ns inconsistency" This reverts commit 662404b24a4c4d839839ed25e3097571f5938b9b. The revert is required due to the suspicion it is not good for anything and cause crash. 2024-05-17 not yet calculated CVE-2023-52658
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: x86/mm: Ensure input to pfn_to_kaddr() is treated as a 64-bit type On 64-bit platforms, the pfn_to_kaddr() macro requires that the input value is 64 bits in order to ensure that valid address bits don't get lost when shifting that input by PAGE_SHIFT to calculate the physical address to provide a virtual address for. One such example is in pvalidate_pages() (used by SEV-SNP guests), where the GFN in the struct used for page-state change requests is a 40-bit bit-field, so attempts to pass this GFN field directly into pfn_to_kaddr() ends up causing guest crashes when dealing with addresses above the 1TB range due to the above. Fix this issue with SEV-SNP guests, as well as any similar cases that might cause issues in current/future code, by using an inline function, instead of a macro, so that the input is implicitly cast to the expected 64-bit input type prior to performing the shift operation. While it might be argued that the issue is on the caller side, other archs/macros have taken similar approaches to deal with instances like this, such as ARM explicitly casting the input to phys_addr_t: e48866647b48 ("ARM: 8396/1: use phys_addr_t in pfn_to_kaddr()") A C inline function is even better though. [ mingo: Refined the changelog some more & added __always_inline. ] 2024-05-17 not yet calculated CVE-2023-52659
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: media: rkisp1: Fix IRQ handling due to shared interrupts The driver requests the interrupts as IRQF_SHARED, so the interrupt handlers can be called at any time. If such a call happens while the ISP is powered down, the SoC will hang as the driver tries to access the ISP registers. This can be reproduced even without the platform sharing the IRQ line: Enable CONFIG_DEBUG_SHIRQ and unload the driver, and the board will hang. Fix this by adding a new field, 'irqs_enabled', which is used to bail out from the interrupt handler when the ISP is not operational. 2024-05-17 not yet calculated CVE-2023-52660
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/tegra: rgb: Fix missing clk_put() in the error handling paths of tegra_dc_rgb_probe() If clk_get_sys(..., "pll_d2_out0") fails, the clk_get_sys() call must be undone. Add the missing clk_put and a new 'put_pll_d_out0' label in the error handling path, and use it. 2024-05-17 not yet calculated CVE-2023-52661
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: fix a memleak in vmw_gmrid_man_get_node When ida_alloc_max fails, resources allocated before should be freed, including *res allocated by kmalloc and ttm_resource_init. 2024-05-17 not yet calculated CVE-2023-52662
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: amd: Fix memory leak in amd_sof_acp_probe() Driver uses kasprintf() to initialize fw_{code,data}_bin members of struct acp_dev_data, but kfree() is never called to deallocate the memory, which results in a memory leak. Fix the issue by switching to devm_kasprintf(). Additionally, ensure the allocation was successful by checking the pointer validity. 2024-05-17 not yet calculated CVE-2023-52663
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: net: atlantic: eliminate double free in error handling logic Driver has a logic leak in ring data allocation/free, where aq_ring_free could be called multiple times on same ring, if system is under stress and got memory allocation error. Ring pointer was used as an indicator of failure, but this is not correct since only ring data is allocated/deallocated. Ring itself is an array member. Changing ring allocation functions to return error code directly. This simplifies error handling and eliminates aq_ring_free on higher layer. 2024-05-17 not yet calculated CVE-2023-52664
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: powerpc/ps3_defconfig: Disable PPC64_BIG_ENDIAN_ELF_ABI_V2 Commit 8c5fa3b5c4df ("powerpc/64: Make ELFv2 the default for big-endian builds"), merged in Linux-6.5-rc1 changes the calling ABI in a way that is incompatible with the current code for the PS3's LV1 hypervisor calls. This change just adds the line '# CONFIG_PPC64_BIG_ENDIAN_ELF_ABI_V2 is not set' to the ps3_defconfig file so that the PPC64_ELF_ABI_V1 is used. Fixes run time errors like these: BUG: Kernel NULL pointer dereference at 0x00000000 Faulting instruction address: 0xc000000000047cf0 Oops: Kernel access of bad area, sig: 11 [#1] Call Trace: [c0000000023039e0] [c00000000100ebfc] ps3_create_spu+0xc4/0x2b0 (unreliable) [c000000002303ab0] [c00000000100d4c4] create_spu+0xcc/0x3c4 [c000000002303b40] [c00000000100eae4] ps3_enumerate_spus+0xa4/0xf8 2024-05-17 not yet calculated CVE-2023-52665
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potential circular locking issue in smb2_set_ea() smb2_set_ea() can be called in parent inode lock range. So add get_write argument to smb2_set_ea() not to call nested mnt_want_write(). 2024-05-17 not yet calculated CVE-2023-52666
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: fix a potential double-free in fs_any_create_groups When kcalloc() for ft->g succeeds but kvzalloc() for in fails, fs_any_create_groups() will free ft->g. However, its caller fs_any_create_table() will free ft->g again through calling mlx5e_destroy_flow_table(), which will lead to a double-free. Fix this by setting ft->g to NULL in fs_any_create_groups(). 2024-05-17 not yet calculated CVE-2023-52667
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix lock ordering in btrfs_zone_activate() The btrfs CI reported a lockdep warning as follows by running generic generic/129. WARNING: possible circular locking dependency detected 6.7.0-rc5+ #1 Not tainted ------------------------------------------------------ kworker/u5:5/793427 is trying to acquire lock: ffff88813256d028 (&cache->lock){+.+.}-{2:2}, at: btrfs_zone_finish_one_bg+0x5e/0x130 but task is already holding lock: ffff88810a23a318 (&fs_info->zone_active_bgs_lock){+.+.}-{2:2}, at: btrfs_zone_finish_one_bg+0x34/0x130 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&fs_info->zone_active_bgs_lock){+.+.}-{2:2}: ... -> #0 (&cache->lock){+.+.}-{2:2}: ... This is because we take fs_info->zone_active_bgs_lock after a block_group's lock in btrfs_zone_activate() while doing the opposite in other places. Fix the issue by expanding the fs_info->zone_active_bgs_lock's critical section and taking it before a block_group's lock. 2024-05-17 not yet calculated CVE-2023-52668
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: crypto: s390/aes - Fix buffer overread in CTR mode When processing the last block, the s390 ctr code will always read a whole block, even if there isn't a whole block of data left. Fix this by using the actual length left and copy it into a buffer first for processing. 2024-05-17 not yet calculated CVE-2023-52669
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: rpmsg: virtio: Free driver_override when rpmsg_remove() Free driver_override when rpmsg_remove(), otherwise the following memory leak will occur: unreferenced object 0xffff0000d55d7080 (size 128): comm "kworker/u8:2", pid 56, jiffies 4294893188 (age 214.272s) hex dump (first 32 bytes): 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320 [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70 [<00000000228a60c3>] kstrndup+0x4c/0x90 [<0000000077158695>] driver_set_override+0xd0/0x164 [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170 [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30 [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280 [<00000000443331cc>] really_probe+0xbc/0x2dc [<00000000391064b1>] __driver_probe_device+0x78/0xe0 [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160 [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140 [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4 [<000000003b929a36>] __device_attach+0x9c/0x19c [<00000000a94e0ba8>] device_initial_probe+0x14/0x20 [<000000003c999637>] bus_probe_device+0xa0/0xac 2024-05-17 not yet calculated CVE-2023-52670
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix hang/underflow when transitioning to ODM4:1 [Why] Under some circumstances, disabling an OPTC and attempting to reclaim its OPP(s) for a different OPTC could cause a hang/underflow due to OPPs not being properly disconnected from the disabled OPTC. [How] Ensure that all OPPs are unassigned from an OPTC when it gets disabled. 2024-05-17 not yet calculated CVE-2023-52671
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: pipe: wakeup wr_wait after setting max_usage Commit c73be61cede5 ("pipe: Add general notification queue support") a regression was introduced that would lock up resized pipes under certain conditions. See the reproducer in [1]. The commit resizing the pipe ring size was moved to a different function, doing that moved the wakeup for pipe->wr_wait before actually raising pipe->max_usage. If a pipe was full before the resize occured it would result in the wakeup never actually triggering pipe_write. Set @max_usage and @nr_accounted before waking writers if this isn't a watch queue. [Christian Brauner <brauner@kernel.org>: rewrite to account for watch queues] 2024-05-17 not yet calculated CVE-2023-52672
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix a debugfs null pointer error [WHY & HOW] Check whether get_subvp_en() callback exists before calling it. 2024-05-17 not yet calculated CVE-2023-52673
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put() Ensure the value passed to scarlett2_mixer_ctl_put() is between 0 and SCARLETT2_MIXER_MAX_VALUE so we don't attempt to access outside scarlett2_mixer_values[]. 2024-05-17 not yet calculated CVE-2023-52674
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: powerpc/imc-pmu: Add a null pointer check in update_events_in_group() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. 2024-05-17 not yet calculated CVE-2023-52675
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: bpf: Guard stack limits against 32bit overflow This patch promotes the arithmetic around checking stack bounds to be done in the 64-bit domain, instead of the current 32bit. The arithmetic implies adding together a 64-bit register with a int offset. The register was checked to be below 1<<29 when it was variable, but not when it was fixed. The offset either comes from an instruction (in which case it is 16 bit), from another register (in which case the caller checked it to be below 1<<29 [1]), or from the size of an argument to a kfunc (in which case it can be a u32 [2]). Between the register being inconsistently checked to be below 1<<29, and the offset being up to an u32, it appears that we were open to overflowing the `int`s which were currently used for arithmetic. [1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498 [2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904 2024-05-17 not yet calculated CVE-2023-52676
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: riscv: Check if the code to patch lies in the exit section Otherwise we fall through to vmalloc_to_page() which panics since the address does not lie in the vmalloc region. 2024-05-17 not yet calculated CVE-2023-52677
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Confirm list is non-empty before utilizing list_first_entry in kfd_topology.c Before using list_first_entry, make sure to check that list is not empty, if list is empty return -ENODATA. Fixes the below: drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1347 kfd_create_indirect_link_prop() warn: can 'gpu_link' even be NULL? drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1428 kfd_add_peer_prop() warn: can 'iolink1' even be NULL? drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1433 kfd_add_peer_prop() warn: can 'iolink2' even be NULL? 2024-05-17 not yet calculated CVE-2023-52678
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: of: Fix double free in of_parse_phandle_with_args_map In of_parse_phandle_with_args_map() the inner loop that iterates through the map entries calls of_node_put(new) to free the reference acquired by the previous iteration of the inner loop. This assumes that the value of "new" is NULL on the first iteration of the inner loop. Make sure that this is true in all iterations of the outer loop by setting "new" to NULL after its value is assigned to "cur". Extend the unittest to detect the double free and add an additional test case that actually triggers this path. 2024-05-17 not yet calculated CVE-2023-52679
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Add missing error checks to *_ctl_get() The *_ctl_get() functions which call scarlett2_update_*() were not checking the return value. Fix to check the return value and pass to the caller. 2024-05-17 not yet calculated CVE-2023-52680
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: efivarfs: Free s_fs_info on unmount Now that we allocate a s_fs_info struct on fs context creation, we should ensure that we free it again when the superblock goes away. 2024-05-17 not yet calculated CVE-2023-52681
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to wait on block writeback for post_read case If inode is compressed, but not encrypted, it missed to call f2fs_wait_on_block_writeback() to wait for GCed page writeback in IPU write path. Thread A GC-Thread - f2fs_gc - do_garbage_collect - gc_data_segment - move_data_block - f2fs_submit_page_write migrate normal cluster's block via meta_inode's page cache - f2fs_write_single_data_page - f2fs_do_write_data_page - f2fs_inplace_write_data - f2fs_submit_page_bio IRQ - f2fs_read_end_io IRQ old data overrides new data due to out-of-order GC and common IO. - f2fs_read_end_io 2024-05-17 not yet calculated CVE-2023-52682
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: ACPI: LPIT: Avoid u32 multiplication overflow In lpit_update_residency() there is a possibility of overflow in multiplication, if tsc_khz is large enough (> UINT_MAX/1000). Change multiplication to mul_u32_u32(). Found by Linux Verification Center (linuxtesting.org) with SVACE. 2024-05-17 not yet calculated CVE-2023-52683
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: qseecom: fix memory leaks in error paths Fix instances of returning error codes directly instead of jumping to the relevant labels where memory allocated for the SCM calls would be freed. 2024-05-17 not yet calculated CVE-2023-52684
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: pstore: ram_core: fix possible overflow in persistent_ram_init_ecc() In persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return 64-bit value since persistent_ram_zone::buffer_size has type size_t which is derived from the 64-bit *unsigned long*, while the ecc_blocks variable this value gets assigned to has (always 32-bit) *int* type. Even if that value fits into *int* type, an overflow is still possible when calculating the size_t typed ecc_total variable further below since there's no cast to any 64-bit type before multiplication. Declaring the ecc_blocks variable as *size_t* should fix this mess... Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. 2024-05-17 not yet calculated CVE-2023-52685
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv: Add a null pointer check in opal_event_init() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. 2024-05-17 not yet calculated CVE-2023-52686
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: crypto: safexcel - Add error handling for dma_map_sg() calls Macro dma_map_sg() may return 0 on error. This patch enables checks in case of the macro failure and ensures unmapping of previously mapped buffers with dma_unmap_sg(). Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. 2024-05-17 not yet calculated CVE-2023-52687
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix the error handler of rfkill config When the core rfkill config throws error, it should free the allocated resources. Currently it is not freeing the core pdev create resources. Avoid this issue by calling the core pdev destroy in the error handler of core rfkill config. Found this issue in the code review and it is compile tested only. 2024-05-17 not yet calculated CVE-2023-52688
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Add missing mutex lock around get meter levels As scarlett2_meter_ctl_get() uses meter_level_map[], the data_mutex should be locked while accessing it. 2024-05-17 not yet calculated CVE-2023-52689
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv: Add a null pointer check to scom_debug_init_one() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Add a null pointer check, and release 'ent' to avoid memory leaks. 2024-05-17 not yet calculated CVE-2023-52690
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: fix a double-free in si_dpm_init When the allocation of adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails, amdgpu_free_extended_power_table is called to free some fields of adev. However, when the control flow returns to si_dpm_sw_init, it goes to label dpm_failed and calls si_dpm_fini, which calls amdgpu_free_extended_power_table again and free those fields again. Thus a double-free is triggered. 2024-05-17 not yet calculated CVE-2023-52691
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Add missing error check to scarlett2_usb_set_config() scarlett2_usb_set_config() calls scarlett2_usb_get() but was not checking the result. Return the error if it fails rather than continuing with an invalid value. 2024-05-17 not yet calculated CVE-2023-52692
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: ACPI: video: check for error while searching for backlight device parent If acpi_get_parent() called in acpi_video_dev_register_backlight() fails, for example, because acpi_ut_acquire_mutex() fails inside acpi_get_parent), this can lead to incorrect (uninitialized) acpi_parent handle being passed to acpi_get_pci_dev() for detecting the parent pci device. Check acpi_get_parent() result and set parent device only in case of success. Found by Linux Verification Center (linuxtesting.org) with SVACE. 2024-05-17 not yet calculated CVE-2023-52693
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/bridge: tpd12s015: Drop buggy __exit annotation for remove function With tpd12s015_remove() marked with __exit this function is discarded when the driver is compiled as a built-in. The result is that when the driver unbinds there is no cleanup done which results in resource leakage or worse. 2024-05-17 not yet calculated CVE-2023-52694
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check writeback connectors in create_validate_stream_for_sink [WHY & HOW] This is to check connector type to avoid unhandled null pointer for writeback connectors. 2024-05-17 not yet calculated CVE-2023-52695
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv: Add a null pointer check in opal_powercap_init() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. 2024-05-17 not yet calculated CVE-2023-52696
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof_sdw_rt_sdca_jack_common: ctx->headset_codec_dev = NULL sof_sdw_rt_sdca_jack_exit() are used by different codecs, and some of them use the same dai name. For example, rt712 and rt713 both use "rt712-sdca-aif1" and sof_sdw_rt_sdca_jack_exit(). As a result, sof_sdw_rt_sdca_jack_exit() will be called twice by mc_dailink_exit_loop(). Set ctx->headset_codec_dev = NULL; after put_device(ctx->headset_codec_dev); to avoid ctx->headset_codec_dev being put twice. 2024-05-17 not yet calculated CVE-2023-52697
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: calipso: fix memory leak in netlbl_calipso_add_pass() If IPv6 support is disabled at boot (ipv6.disable=1), the calipso_init() -> netlbl_calipso_ops_register() function isn't called, and the netlbl_calipso_ops_get() function always returns NULL. In this case, the netlbl_calipso_add_pass() function allocates memory for the doi_def variable but doesn't free it with the calipso_doi_free(). BUG: memory leak unreferenced object 0xffff888011d68180 (size 64): comm "syz-executor.1", pid 10746, jiffies 4295410986 (age 17.928s) hex dump (first 32 bytes): 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<...>] kmalloc include/linux/slab.h:552 [inline] [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline] [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111 [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739 [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800 [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515 [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811 [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339 [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934 [<...>] sock_sendmsg_nosec net/socket.c:651 [inline] [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671 [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342 [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396 [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429 [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller [PM: merged via the LSM tree at Jakub Kicinski request] 2024-05-17 not yet calculated CVE-2023-52698
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: xen-netfront: Add missing skb_mark_for_recycle Notice that skb_mark_for_recycle() is introduced later than fixes tag in commit 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"). It is believed that fixes tag were missing a call to page_pool_release_page() between v5.9 to v5.14, after which is should have used skb_mark_for_recycle(). Since v6.6 the call page_pool_release_page() were removed (in commit 535b9c61bdef ("net: page_pool: hide page_pool_release_page()") and remaining callers converted (in commit 6bfef2ec0172 ("Merge branch 'net-page_pool-remove-page_pool_release_page'")). This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch page_pool memory leaks"). 2024-05-14 not yet calculated CVE-2024-27393
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: tcp: Fix Use-After-Free in tcp_ao_connect_init Since call_rcu, which is called in the hlist_for_each_entry_rcu traversal of tcp_ao_connect_init, is not part of the RCU read critical section, it is possible that the RCU grace period will pass during the traversal and the key will be free. To prevent this, it should be changed to hlist_for_each_entry_safe. 2024-05-14 not yet calculated CVE-2024-27394
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Fix Use-After-Free in ovs_ct_exit Since kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal of ovs_ct_limit_exit, is not part of the RCU read critical section, it is possible that the RCU grace period will pass during the traversal and the key will be free. To prevent this, it should be changed to hlist_for_each_entry_safe. 2024-05-14 not yet calculated CVE-2024-27395
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: net: gtp: Fix Use-After-Free in gtp_dellink Since call_rcu, which is called in the hlist_for_each_entry_rcu traversal of gtp_dellink, is not part of the RCU read critical section, it is possible that the RCU grace period will pass during the traversal and the key will be free. To prevent this, it should be changed to hlist_for_each_entry_safe. 2024-05-14 not yet calculated CVE-2024-27396
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue. 2024-05-14 not yet calculated CVE-2024-27397
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout When the sco connection is established and then, the sco socket is releasing, timeout_work will be scheduled to judge whether the sco disconnection is timeout. The sock will be deallocated later, but it is dereferenced again in sco_sock_timeout. As a result, the use-after-free bugs will happen. The root cause is shown below: Cleanup Thread | Worker Thread sco_sock_release | sco_sock_close | __sco_sock_close | sco_sock_set_timer | schedule_delayed_work | sco_sock_kill | (wait a time) sock_put(sk) //FREE | sco_sock_timeout | sock_hold(sk) //USE The KASAN report triggered by POC is shown below: [ 95.890016] ================================================================== [ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0 [ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7 ... [ 95.890755] Workqueue: events sco_sock_timeout [ 95.890755] Call Trace: [ 95.890755] <TASK> [ 95.890755] dump_stack_lvl+0x45/0x110 [ 95.890755] print_address_description+0x78/0x390 [ 95.890755] print_report+0x11b/0x250 [ 95.890755] ? __virt_addr_valid+0xbe/0xf0 [ 95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755] kasan_report+0x139/0x170 [ 95.890755] ? update_load_avg+0xe5/0x9f0 [ 95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755] kasan_check_range+0x2c3/0x2e0 [ 95.890755] sco_sock_timeout+0x5e/0x1c0 [ 95.890755] process_one_work+0x561/0xc50 [ 95.890755] worker_thread+0xab2/0x13c0 [ 95.890755] ? pr_cont_work+0x490/0x490 [ 95.890755] kthread+0x279/0x300 [ 95.890755] ? pr_cont_work+0x490/0x490 [ 95.890755] ? kthread_blkcg+0xa0/0xa0 [ 95.890755] ret_from_fork+0x34/0x60 [ 95.890755] ? kthread_blkcg+0xa0/0xa0 [ 95.890755] ret_from_fork_asm+0x11/0x20 [ 95.890755] </TASK> [ 95.890755] [ 95.890755] Allocated by task 506: [ 95.890755] kasan_save_track+0x3f/0x70 [ 95.890755] __kasan_kmalloc+0x86/0x90 [ 95.890755] __kmalloc+0x17f/0x360 [ 95.890755] sk_prot_alloc+0xe1/0x1a0 [ 95.890755] sk_alloc+0x31/0x4e0 [ 95.890755] bt_sock_alloc+0x2b/0x2a0 [ 95.890755] sco_sock_create+0xad/0x320 [ 95.890755] bt_sock_create+0x145/0x320 [ 95.890755] __sock_create+0x2e1/0x650 [ 95.890755] __sys_socket+0xd0/0x280 [ 95.890755] __x64_sys_socket+0x75/0x80 [ 95.890755] do_syscall_64+0xc4/0x1b0 [ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [ 95.890755] Freed by task 506: [ 95.890755] kasan_save_track+0x3f/0x70 [ 95.890755] kasan_save_free_info+0x40/0x50 [ 95.890755] poison_slab_object+0x118/0x180 [ 95.890755] __kasan_slab_free+0x12/0x30 [ 95.890755] kfree+0xb2/0x240 [ 95.890755] __sk_destruct+0x317/0x410 [ 95.890755] sco_sock_release+0x232/0x280 [ 95.890755] sock_close+0xb2/0x210 [ 95.890755] __fput+0x37f/0x770 [ 95.890755] task_work_run+0x1ae/0x210 [ 95.890755] get_signal+0xe17/0xf70 [ 95.890755] arch_do_signal_or_restart+0x3f/0x520 [ 95.890755] syscall_exit_to_user_mode+0x55/0x120 [ 95.890755] do_syscall_64+0xd1/0x1b0 [ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [ 95.890755] The buggy address belongs to the object at ffff88800c388000 [ 95.890755] which belongs to the cache kmalloc-1k of size 1024 [ 95.890755] The buggy address is located 128 bytes inside of [ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400) [ 95.890755] [ 95.890755] The buggy address belongs to the physical page: [ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388 [ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 95.890755] ano ---truncated--- 2024-05-14 not yet calculated CVE-2024-27398
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout There is a race condition between l2cap_chan_timeout() and l2cap_chan_del(). When we use l2cap_chan_del() to delete the channel, the chan->conn will be set to null. But the conn could be dereferenced again in the mutex_lock() of l2cap_chan_timeout(). As a result the null pointer dereference bug will happen. The KASAN report triggered by POC is shown below: [ 472.074580] ================================================================== [ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0 [ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7 [ 472.075308] [ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36 [ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [ 472.075308] Workqueue: events l2cap_chan_timeout [ 472.075308] Call Trace: [ 472.075308] <TASK> [ 472.075308] dump_stack_lvl+0x137/0x1a0 [ 472.075308] print_report+0x101/0x250 [ 472.075308] ? __virt_addr_valid+0x77/0x160 [ 472.075308] ? mutex_lock+0x68/0xc0 [ 472.075308] kasan_report+0x139/0x170 [ 472.075308] ? mutex_lock+0x68/0xc0 [ 472.075308] kasan_check_range+0x2c3/0x2e0 [ 472.075308] mutex_lock+0x68/0xc0 [ 472.075308] l2cap_chan_timeout+0x181/0x300 [ 472.075308] process_one_work+0x5d2/0xe00 [ 472.075308] worker_thread+0xe1d/0x1660 [ 472.075308] ? pr_cont_work+0x5e0/0x5e0 [ 472.075308] kthread+0x2b7/0x350 [ 472.075308] ? pr_cont_work+0x5e0/0x5e0 [ 472.075308] ? kthread_blkcg+0xd0/0xd0 [ 472.075308] ret_from_fork+0x4d/0x80 [ 472.075308] ? kthread_blkcg+0xd0/0xd0 [ 472.075308] ret_from_fork_asm+0x11/0x20 [ 472.075308] </TASK> [ 472.075308] ================================================================== [ 472.094860] Disabling lock debugging due to kernel taint [ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158 [ 472.096136] #PF: supervisor write access in kernel mode [ 472.096136] #PF: error_code(0x0002) - not-present page [ 472.096136] PGD 0 P4D 0 [ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI [ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36 [ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [ 472.096136] Workqueue: events l2cap_chan_timeout [ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0 [ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88 [ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246 [ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865 [ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78 [ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f [ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000 [ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00 [ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000 [ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0 [ 472.096136] Call Trace: [ 472.096136] <TASK> [ 472.096136] ? __die_body+0x8d/0xe0 [ 472.096136] ? page_fault_oops+0x6b8/0x9a0 [ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0 [ 472.096136] ? do_user_addr_fault+0x1027/0x1340 [ 472.096136] ? _printk+0x7a/0xa0 [ 472.096136] ? mutex_lock+0x68/0xc0 [ 472.096136] ? add_taint+0x42/0xd0 [ 472.096136] ? exc_page_fault+0x6a/0x1b0 [ 472.096136] ? asm_exc_page_fault+0x26/0x30 [ 472.096136] ? mutex_lock+0x75/0xc0 [ 472.096136] ? mutex_lock+0x88/0xc0 [ 472.096136] ? mutex_lock+0x75/0xc0 [ 472.096136] l2cap_chan_timeo ---truncated--- 2024-05-14 not yet calculated CVE-2024-27399
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2 This reverts drm/amdgpu: fix ftrace event amdgpu_bo_move always move on same heap. The basic problem here is that after the move the old location is simply not available any more. Some fixes were suggested, but essentially we should call the move notification before actually moving things because only this way we have the correct order for DMA-buf and VM move notifications as well. Also rework the statistic handling so that we don't update the eviction counter before the move. v2: add missing NULL check 2024-05-14 not yet calculated CVE-2024-27400
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: firewire: nosy: ensure user_length is taken into account when fetching packet contents Ensure that packet_buffer_get respects the user_length provided. If the length of the head packet exceeds the user_length, packet_buffer_get will now return 0 to signify to the user that no data were read and a larger buffer size is required. Helps prevent user space overflows. 2024-05-14 not yet calculated CVE-2024-27401
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: phonet/pep: fix racy skb_queue_empty() use The receive queues are protected by their respective spin-lock, not the socket lock. This could lead to skb_peek() unexpectedly returning NULL or a pointer to an already dequeued socket buffer. 2024-05-17 not yet calculated CVE-2024-27402
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_flow_offload: reset dst in route object after setting up flow dst is transferred to the flow object, route object does not own it anymore. Reset dst in route object, otherwise if flow_offload_add() fails, error path releases dst twice, leading to a refcount underflow. 2024-05-17 not yet calculated CVE-2024-27403
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: mptcp: fix data races on remote_id Similar to the previous patch, address the data race on remote_id, adding the suitable ONCE annotations. 2024-05-17 not yet calculated CVE-2024-27404
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs It is observed sometimes when tethering is used over NCM with Windows 11 as host, at some instances, the gadget_giveback has one byte appended at the end of a proper NTB. When the NTB is parsed, unwrap call looks for any leftover bytes in SKB provided by u_ether and if there are any pending bytes, it treats them as a separate NTB and parses it. But in case the second NTB (as per unwrap call) is faulty/corrupt, all the datagrams that were parsed properly in the first NTB and saved in rx_list are dropped. Adding a few custom traces showed the following: [002] d..1 7828.532866: dwc3_gadget_giveback: ep1out: req 000000003868811a length 1025/16384 zsI ==> 0 [002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb toprocess: 1025 [002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342 [002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb seq: 0xce67 [002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x400 [002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb ndp_len: 0x10 [002] d..1 7828.532869: ncm_unwrap_ntb: K: Parsed NTB with 1 frames In this case, the giveback is of 1025 bytes and block length is 1024. The rest 1 byte (which is 0x00) won't be parsed resulting in drop of all datagrams in rx_list. Same is case with packets of size 2048: [002] d..1 7828.557948: dwc3_gadget_giveback: ep1out: req 0000000011dfd96e length 2049/16384 zsI ==> 0 [002] d..1 7828.557949: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342 [002] d..1 7828.557950: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x800 Lecroy shows one byte coming in extra confirming that the byte is coming in from PC: Transfer 2959 - Bytes Transferred(1025) Timestamp((18.524 843 590) - Transaction 8391 - Data(1025 bytes) Timestamp(18.524 843 590) --- Packet 4063861 Data(1024 bytes) Duration(2.117us) Idle(14.700ns) Timestamp(18.524 843 590) --- Packet 4063863 Data(1 byte) Duration(66.160ns) Time(282.000ns) Timestamp(18.524 845 722) According to Windows driver, no ZLP is needed if wBlockLength is non-zero, because the non-zero wBlockLength has already told the function side the size of transfer to be expected. However, there are in-market NCM devices that rely on ZLP as long as the wBlockLength is multiple of wMaxPacketSize. To deal with such devices, it pads an extra 0 at end so the transfer is no longer multiple of wMaxPacketSize. 2024-05-17 not yet calculated CVE-2024-27405
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: lib/Kconfig.debug: TEST_IOV_ITER depends on MMU Trying to run the iov_iter unit test on a nommu system such as the qemu kc705-nommu emulation results in a crash. KTAP version 1 # Subtest: iov_iter # module: kunit_iov_iter 1..9 BUG: failure at mm/nommu.c:318/vmap()! Kernel panic - not syncing: BUG! The test calls vmap() directly, but vmap() is not supported on nommu systems, causing the crash. TEST_IOV_ITER therefore needs to depend on MMU. 2024-05-17 not yet calculated CVE-2024-27406
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fixed overflow check in mi_enum_attr() 2024-05-17 not yet calculated CVE-2024-27407
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup The Linked list element and pointer are not stored in the same memory as the eDMA controller register. If the doorbell register is toggled before the full write of the linked list a race condition error will occur. In remote setup we can only use a readl to the memory to assure the full write has occurred. 2024-05-17 not yet calculated CVE-2024-27408
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw-edma: HDMA: Add sync read before starting the DMA transfer in remote setup The Linked list element and pointer are not stored in the same memory as the HDMA controller register. If the doorbell register is toggled before the full write of the linked list a race condition error will occur. In remote setup we can only use a readl to the memory to assure the full write has occurred. 2024-05-17 not yet calculated CVE-2024-27409
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject iftype change with mesh ID change It's currently possible to change the mesh ID when the interface isn't yet in mesh mode, at the same time as changing it into mesh mode. This leads to an overwrite of data in the wdev->u union for the interface type it currently has, causing cfg80211_change_iface() to do wrong things when switching. We could probably allow setting an interface to mesh while setting the mesh ID at the same time by doing a different order of operations here, but realistically there's no userspace that's going to do this, so just disallow changes in iftype when setting mesh ID. 2024-05-17 not yet calculated CVE-2024-27410
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: keep DMA buffers required for suspend/resume Nouveau deallocates a few buffers post GPU init which are required for GPU suspend/resume to function correctly. This is likely not as big an issue on systems where the NVGPU is the only GPU, but on multi-GPU set ups it leads to a regression where the kernel module errors and results in a system-wide rendering freeze. This commit addresses that regression by moving the two buffers required for suspend and resume to be deallocated at driver unload instead of post init. 2024-05-17 not yet calculated CVE-2024-27411
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: power: supply: bq27xxx-i2c: Do not free non existing IRQ The bq27xxx i2c-client may not have an IRQ, in which case client->irq will be 0. bq27xxx_battery_i2c_probe() already has an if (client->irq) check wrapping the request_threaded_irq(). But bq27xxx_battery_i2c_remove() unconditionally calls free_irq(client->irq) leading to: [ 190.310742] ------------[ cut here ]------------ [ 190.310843] Trying to free already-free IRQ 0 [ 190.310861] WARNING: CPU: 2 PID: 1304 at kernel/irq/manage.c:1893 free_irq+0x1b8/0x310 Followed by a backtrace when unbinding the driver. Add an if (client->irq) to bq27xxx_battery_i2c_remove() mirroring probe() to fix this. 2024-05-17 not yet calculated CVE-2024-27412
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect allocation size gcc-14 notices that the allocation with sizeof(void) on 32-bit architectures is not enough for a 64-bit phys_addr_t: drivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open': drivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size] 295 | cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL); | ^ Use the correct type instead here. 2024-05-17 not yet calculated CVE-2024-27413
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back In the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logic in the function `rtnl_bridge_setlink` to enable the loop to also check the length of the IFLA_BRIDGE_MODE attribute. However, this adjustment removed the `break` statement and led to an error logic of the flags writing back at the end of this function. if (have_flags) memcpy(nla_data(attr), &flags, sizeof(flags)); // attr should point to IFLA_BRIDGE_FLAGS NLA !!! Before the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS. However, this is not necessarily true fow now as the updated loop will let the attr point to the last NLA, even an invalid NLA which could cause overflow writes. This patch introduces a new variable `br_flag` to save the NLA pointer that points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned error logic. 2024-05-17 not yet calculated CVE-2024-27414
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: confirm multicast packets before passing them up the stack conntrack nf_confirm logic cannot handle cloned skbs referencing the same nf_conn entry, which will happen for multicast (broadcast) frames on bridges. Example: macvlan0 | br0 / \ ethX ethY ethX (or Y) receives a L2 multicast or broadcast packet containing an IP packet, flow is not yet in conntrack table. 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting. -> skb->_nfct now references a unconfirmed entry 2. skb is broad/mcast packet. bridge now passes clones out on each bridge interface. 3. skb gets passed up the stack. 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb and schedules a work queue to send them out on the lower devices. The clone skb->_nfct is not a copy, it is the same entry as the original skb. The macvlan rx handler then returns RX_HANDLER_PASS. 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb. The Macvlan broadcast worker and normal confirm path will race. This race will not happen if step 2 already confirmed a clone. In that case later steps perform skb_clone() with skb->_nfct already confirmed (in hash table). This works fine. But such confirmation won't happen when eb/ip/nftables rules dropped the packets before they reached the nf_confirm step in postrouting. Pablo points out that nf_conntrack_bridge doesn't allow use of stateful nat, so we can safely discard the nf_conn entry and let inet call conntrack again. This doesn't work for bridge netfilter: skb could have a nat transformation. Also bridge nf prevents re-invocation of inet prerouting via 'sabotage_in' hook. Work around this problem by explicit confirmation of the entry at LOCAL_IN time, before upper layer has a chance to clone the unconfirmed entry. The downside is that this disables NAT and conntrack helpers. Alternative fix would be to add locking to all code parts that deal with unconfirmed packets, but even if that could be done in a sane way this opens up other problems, for example: -m physdev --physdev-out eth0 -j SNAT --snat-to 1.2.3.4 -m physdev --physdev-out eth1 -j SNAT --snat-to 1.2.3.5 For multicast case, only one of such conflicting mappings will be created, conntrack only handles 1:1 NAT mappings. Users should set create a setup that explicitly marks such traffic NOTRACK (conntrack bypass) to avoid this, but we cannot auto-bypass them, ruleset might have accept rules for untracked traffic already, so user-visible behaviour would change. 2024-05-17 not yet calculated CVE-2024-27415
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST If we received HCI_EV_IO_CAPA_REQUEST while HCI_OP_READ_REMOTE_EXT_FEATURES is yet to be responded assume the remote does support SSP since otherwise this event shouldn't be generated. 2024-05-17 not yet calculated CVE-2024-27416
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() It seems that if userspace provides a correct IFA_TARGET_NETNSID value but no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr() returns -EINVAL with an elevated "struct net" refcount. 2024-05-17 not yet calculated CVE-2024-27417
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: net: mctp: take ownership of skb in mctp_local_output Currently, mctp_local_output only takes ownership of skb on success, and we may leak an skb if mctp_local_output fails in specific states; the skb ownership isn't transferred until the actual output routing occurs. Instead, make mctp_local_output free the skb on all error paths up to the route action, so it always consumes the passed skb. 2024-05-17 not yet calculated CVE-2024-27418
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netrom: Fix data-races around sysctl_net_busy_read We need to protect the reader reading the sysctl value because the value can be changed concurrently. 2024-05-17 not yet calculated CVE-2024-27419
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a data-race around sysctl_netrom_link_fails_count We need to protect the reader reading the sysctl value because the value can be changed concurrently. 2024-05-17 not yet calculated CVE-2024-27420
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a data-race around sysctl_netrom_routing_control We need to protect the reader reading the sysctl value because the value can be changed concurrently. 2024-05-17 not yet calculated CVE-2024-27421
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout We need to protect the reader reading the sysctl value because the value can be changed concurrently. 2024-05-17 not yet calculated CVE-2024-27422
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size We need to protect the reader reading the sysctl value because the value can be changed concurrently. 2024-05-17 not yet calculated CVE-2024-27423
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a data-race around sysctl_netrom_transport_busy_delay We need to protect the reader reading the sysctl value because the value can be changed concurrently. 2024-05-17 not yet calculated CVE-2024-27424
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay We need to protect the reader reading the sysctl value because the value can be changed concurrently. 2024-05-17 not yet calculated CVE-2024-27425
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries We need to protect the reader reading the sysctl value because the value can be changed concurrently. 2024-05-17 not yet calculated CVE-2024-27426
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a data-race around sysctl_netrom_transport_timeout We need to protect the reader reading the sysctl value because the value can be changed concurrently. 2024-05-17 not yet calculated CVE-2024-27427
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser We need to protect the reader reading the sysctl value because the value can be changed concurrently. 2024-05-17 not yet calculated CVE-2024-27428
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser We need to protect the reader reading the sysctl value because the value can be changed concurrently. 2024-05-17 not yet calculated CVE-2024-27429
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a data-race around sysctl_netrom_default_path_quality We need to protect the reader reading sysctl_netrom_default_path_quality because the value can be changed concurrently. 2024-05-17 not yet calculated CVE-2024-27430
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: cpumap: Zero-initialise xdp_rxq_info struct before running XDP program When running an XDP program that is attached to a cpumap entry, we don't initialise the xdp_rxq_info data structure being used in the xdp_buff that backs the XDP program invocation. Tobias noticed that this leads to random values being returned as the xdp_md->rx_queue_index value for XDP programs running in a cpumap. This means we're basically returning the contents of the uninitialised memory, which is bad. Fix this by zero-initialising the rxq data structure before running the XDP program. 2024-05-17 not yet calculated CVE-2024-27431
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: fix PPE hanging issue A patch to resolve an issue was found in MediaTek's GPL-licensed SDK: In the mtk_ppe_stop() function, the PPE scan mode is not disabled before disabling the PPE. This can potentially lead to a hang during the process of disabling the PPE. Without this patch, the PPE may experience a hang during the reboot test. 2024-05-17 not yet calculated CVE-2024-27432
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: mt7622-apmixedsys: Fix an error handling path in clk_mt8135_apmixed_probe() 'clk_data' is allocated with mtk_devm_alloc_clk_data(). So calling mtk_free_clk_data() explicitly in the remove function would lead to a double-free. Remove the redundant call. 2024-05-17 not yet calculated CVE-2024-27433
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: don't set the MFP flag for the GTK The firmware doesn't need the MFP flag for the GTK, it can even make the firmware crash. in case the AP is configured with: group cipher TKIP and MFPC. We would send the GTK with cipher = TKIP and MFP which is of course not possible. 2024-05-17 not yet calculated CVE-2024-27434
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: nvme: fix reconnection fail due to reserved tag allocation We found a issue on production environment while using NVMe over RDMA, admin_q reconnect failed forever while remote target and network is ok. After dig into it, we found it may caused by a ABBA deadlock due to tag allocation. In my case, the tag was hold by a keep alive request waiting inside admin_q, as we quiesced admin_q while reset ctrl, so the request maked as idle and will not process before reset success. As fabric_q shares tagset with admin_q, while reconnect remote target, we need a tag for connect command, but the only one reserved tag was held by keep alive command which waiting inside admin_q. As a result, we failed to reconnect admin_q forever. In order to fix this issue, I think we should keep two reserved tags for admin queue. 2024-05-17 not yet calculated CVE-2024-27435
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Stop parsing channels bits when all channels are found. If a usb audio device sets more bits than the amount of channels it could write outside of the map array. 2024-05-17 not yet calculated CVE-2024-27436
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock with fiemap and extent locking While working on the patchset to remove extent locking I got a lockdep splat with fiemap and pagefaulting with my new extent lock replacement lock. This deadlock exists with our normal code, we just don't have lockdep annotations with the extent locking so we've never noticed it. Since we're copying the fiemap extent to user space on every iteration we have the chance of pagefaulting. Because we hold the extent lock for the entire range we could mkwrite into a range in the file that we have mmap'ed. This would deadlock with the following stack trace [<0>] lock_extent+0x28d/0x2f0 [<0>] btrfs_page_mkwrite+0x273/0x8a0 [<0>] do_page_mkwrite+0x50/0xb0 [<0>] do_fault+0xc1/0x7b0 [<0>] __handle_mm_fault+0x2fa/0x460 [<0>] handle_mm_fault+0xa4/0x330 [<0>] do_user_addr_fault+0x1f4/0x800 [<0>] exc_page_fault+0x7c/0x1e0 [<0>] asm_exc_page_fault+0x26/0x30 [<0>] rep_movs_alternative+0x33/0x70 [<0>] _copy_to_user+0x49/0x70 [<0>] fiemap_fill_next_extent+0xc8/0x120 [<0>] emit_fiemap_extent+0x4d/0xa0 [<0>] extent_fiemap+0x7f8/0xad0 [<0>] btrfs_fiemap+0x49/0x80 [<0>] __x64_sys_ioctl+0x3e1/0xb50 [<0>] do_syscall_64+0x94/0x1a0 [<0>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 I wrote an fstest to reproduce this deadlock without my replacement lock and verified that the deadlock exists with our existing locking. To fix this simply don't take the extent lock for the entire duration of the fiemap. This is safe in general because we keep track of where we are when we're searching the tree, so if an ordered extent updates in the middle of our fiemap call we'll still emit the correct extents because we know what offset we were on before. The only place we maintain the lock is searching delalloc. Since the delalloc stuff can change during writeback we want to lock the extent range so we have a consistent view of delalloc at the time we're checking to see if we need to set the delalloc flag. With this patch applied we no longer deadlock with my testcase. 2024-05-17 not yet calculated CVE-2024-35784
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: tee: optee: Fix kernel panic caused by incorrect error handling The error path while failing to register devices on the TEE bus has a bug leading to kernel panic as follows: [ 15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c [ 15.406913] Mem abort info: [ 15.409722] ESR = 0x0000000096000005 [ 15.413490] EC = 0x25: DABT (current EL), IL = 32 bits [ 15.418814] SET = 0, FnV = 0 [ 15.421878] EA = 0, S1PTW = 0 [ 15.425031] FSC = 0x05: level 1 translation fault [ 15.429922] Data abort info: [ 15.432813] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 15.438310] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 15.443372] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000 [ 15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000 [ 15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Commit 7269cba53d90 ("tee: optee: Fix supplicant based device enumeration") lead to the introduction of this bug. So fix it appropriately. 2024-05-17 not yet calculated CVE-2024-35785
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix stale locked mutex in nouveau_gem_ioctl_pushbuf If VM_BIND is enabled on the client the legacy submission ioctl can't be used, however if a client tries to do so regardless it will return an error. In this case the clients mutex remained unlocked leading to a deadlock inside nouveau_drm_postclose or any other nouveau ioctl call. 2024-05-17 not yet calculated CVE-2024-35786
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: md/md-bitmap: fix incorrect usage for sb_index Commit d7038f951828 ("md-bitmap: don't use ->index for pages backing the bitmap file") removed page->index from bitmap code, but left wrong code logic for clustered-md. current code never set slot offset for cluster nodes, will sometimes cause crash in clustered env. Call trace (partly): md_bitmap_file_set_bit+0x110/0x1d8 [md_mod] md_bitmap_startwrite+0x13c/0x240 [md_mod] raid1_make_request+0x6b0/0x1c08 [raid1] md_handle_request+0x1dc/0x368 [md_mod] md_submit_bio+0x80/0xf8 [md_mod] __submit_bio+0x178/0x300 submit_bio_noacct_nocheck+0x11c/0x338 submit_bio_noacct+0x134/0x614 submit_bio+0x28/0xdc submit_bh_wbc+0x130/0x1cc submit_bh+0x1c/0x28 2024-05-17 not yet calculated CVE-2024-35787
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix bounds check for dcn35 DcfClocks [Why] NumFclkLevelsEnabled is used for DcfClocks bounds check instead of designated NumDcfClkLevelsEnabled. That can cause array index out-of-bounds access. [How] Use designated variable for dcn35 DcfClocks bounds check. 2024-05-17 not yet calculated CVE-2024-35788
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes When moving a station out of a VLAN and deleting the VLAN afterwards, the fast_rx entry still holds a pointer to the VLAN's netdev, which can cause use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx after the VLAN change. 2024-05-17 not yet calculated CVE-2024-35789
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group The DisplayPort driver's sysfs nodes may be present to the userspace before typec_altmode_set_drvdata() completes in dp_altmode_probe. This means that a sysfs read can trigger a NULL pointer error by deferencing dp->hpd in hpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns NULL in those cases. Remove manual sysfs node creation in favor of adding attribute group as default for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is not used here otherwise the path to the sysfs nodes is no longer compliant with the ABI. 2024-05-17 not yet calculated CVE-2024-35790
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region() Do the cache flush of converted pages in svm_register_enc_region() before dropping kvm->lock to fix use-after-free issues where region and/or its array of pages could be freed by a different task, e.g. if userspace has __unregister_enc_region_locked() already queued up for the region. Note, the "obvious" alternative of using local variables doesn't fully resolve the bug, as region->pages is also dynamically allocated. I.e. the region structure itself would be fine, but region->pages could be freed. Flushing multiple pages under kvm->lock is unfortunate, but the entire flow is a rare slow path, and the manual flush is only needed on CPUs that lack coherency for encrypted memory. 2024-05-17 not yet calculated CVE-2024-35791
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: crypto: rk3288 - Fix use after free in unprepare The unprepare call must be carried out before the finalize call as the latter can free the request. 2024-05-17 not yet calculated CVE-2024-35792
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: debugfs: fix wait/cancellation handling during remove Ben Greear further reports deadlocks during concurrent debugfs remove while files are being accessed, even though the code in question now uses debugfs cancellations. Turns out that despite all the review on the locking, we missed completely that the logic is wrong: if the refcount hits zero we can finish (and need not wait for the completion), but if it doesn't we have to trigger all the cancellations. As written, we can _never_ get into the loop triggering the cancellations. Fix this, and explain it better while at it. 2024-05-17 not yet calculated CVE-2024-35793
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: dm-raid: really frozen sync_thread during suspend 1) commit f52f5c71f3d4 ("md: fix stopping sync thread") remove MD_RECOVERY_FROZEN from __md_stop_writes() and doesn't realize that dm-raid relies on __md_stop_writes() to frozen sync_thread indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in md_stop_writes(), and since stop_sync_thread() is only used for dm-raid in this case, also move stop_sync_thread() to md_stop_writes(). 2) The flag MD_RECOVERY_FROZEN doesn't mean that sync thread is frozen, it only prevent new sync_thread to start, and it can't stop the running sync thread; In order to frozen sync_thread, after seting the flag, stop_sync_thread() should be used. 3) The flag MD_RECOVERY_FROZEN doesn't mean that writes are stopped, use it as condition for md_stop_writes() in raid_postsuspend() doesn't look correct. Consider that reentrant stop_sync_thread() do nothing, always call md_stop_writes() in raid_postsuspend(). 4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at anytime, and if MD_RECOVERY_FROZEN is cleared while the array is suspended, new sync_thread can start unexpected. Fix this by disallow raid_message() to change sync_thread status during suspend. Note that after commit f52f5c71f3d4 ("md: fix stopping sync thread"), the test shell/lvconvert-raid-reshape.sh start to hang in stop_sync_thread(), and with previous fixes, the test won't hang there anymore, however, the test will still fail and complain that ext4 is corrupted. And with this patch, the test won't hang due to stop_sync_thread() or fail due to ext4 is corrupted anymore. However, there is still a deadlock related to dm-raid456 that will be fixed in following patches. 2024-05-17 not yet calculated CVE-2024-35794
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix deadlock while reading mqd from debugfs An errant disk backup on my desktop got into debugfs and triggered the following deadlock scenario in the amdgpu debugfs files. The machine also hard-resets immediately after those lines are printed (although I wasn't able to reproduce that part when reading by hand): [ 1318.016074][ T1082] ====================================================== [ 1318.016607][ T1082] WARNING: possible circular locking dependency detected [ 1318.017107][ T1082] 6.8.0-rc7-00015-ge0c8221b72c0 #17 Not tainted [ 1318.017598][ T1082] ------------------------------------------------------ [ 1318.018096][ T1082] tar/1082 is trying to acquire lock: [ 1318.018585][ T1082] ffff98c44175d6a0 (&mm->mmap_lock){++++}-{3:3}, at: __might_fault+0x40/0x80 [ 1318.019084][ T1082] [ 1318.019084][ T1082] but task is already holding lock: [ 1318.020052][ T1082] ffff98c4c13f55f8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: amdgpu_debugfs_mqd_read+0x6a/0x250 [amdgpu] [ 1318.020607][ T1082] [ 1318.020607][ T1082] which lock already depends on the new lock. [ 1318.020607][ T1082] [ 1318.022081][ T1082] [ 1318.022081][ T1082] the existing dependency chain (in reverse order) is: [ 1318.023083][ T1082] [ 1318.023083][ T1082] -> #2 (reservation_ww_class_mutex){+.+.}-{3:3}: [ 1318.024114][ T1082] __ww_mutex_lock.constprop.0+0xe0/0x12f0 [ 1318.024639][ T1082] ww_mutex_lock+0x32/0x90 [ 1318.025161][ T1082] dma_resv_lockdep+0x18a/0x330 [ 1318.025683][ T1082] do_one_initcall+0x6a/0x350 [ 1318.026210][ T1082] kernel_init_freeable+0x1a3/0x310 [ 1318.026728][ T1082] kernel_init+0x15/0x1a0 [ 1318.027242][ T1082] ret_from_fork+0x2c/0x40 [ 1318.027759][ T1082] ret_from_fork_asm+0x11/0x20 [ 1318.028281][ T1082] [ 1318.028281][ T1082] -> #1 (reservation_ww_class_acquire){+.+.}-{0:0}: [ 1318.029297][ T1082] dma_resv_lockdep+0x16c/0x330 [ 1318.029790][ T1082] do_one_initcall+0x6a/0x350 [ 1318.030263][ T1082] kernel_init_freeable+0x1a3/0x310 [ 1318.030722][ T1082] kernel_init+0x15/0x1a0 [ 1318.031168][ T1082] ret_from_fork+0x2c/0x40 [ 1318.031598][ T1082] ret_from_fork_asm+0x11/0x20 [ 1318.032011][ T1082] [ 1318.032011][ T1082] -> #0 (&mm->mmap_lock){++++}-{3:3}: [ 1318.032778][ T1082] __lock_acquire+0x14bf/0x2680 [ 1318.033141][ T1082] lock_acquire+0xcd/0x2c0 [ 1318.033487][ T1082] __might_fault+0x58/0x80 [ 1318.033814][ T1082] amdgpu_debugfs_mqd_read+0x103/0x250 [amdgpu] [ 1318.034181][ T1082] full_proxy_read+0x55/0x80 [ 1318.034487][ T1082] vfs_read+0xa7/0x360 [ 1318.034788][ T1082] ksys_read+0x70/0xf0 [ 1318.035085][ T1082] do_syscall_64+0x94/0x180 [ 1318.035375][ T1082] entry_SYSCALL_64_after_hwframe+0x46/0x4e [ 1318.035664][ T1082] [ 1318.035664][ T1082] other info that might help us debug this: [ 1318.035664][ T1082] [ 1318.036487][ T1082] Chain exists of: [ 1318.036487][ T1082] &mm->mmap_lock --> reservation_ww_class_acquire --> reservation_ww_class_mutex [ 1318.036487][ T1082] [ 1318.037310][ T1082] Possible unsafe locking scenario: [ 1318.037310][ T1082] [ 1318.037838][ T1082] CPU0 CPU1 [ 1318.038101][ T1082] ---- ---- [ 1318.038350][ T1082] lock(reservation_ww_class_mutex); [ 1318.038590][ T1082] lock(reservation_ww_class_acquire); [ 1318.038839][ T1082] lock(reservation_ww_class_mutex); [ 1318.039083][ T1082] rlock(&mm->mmap_lock); [ 1318.039328][ T1082] [ 1318.039328][ T1082] *** DEADLOCK *** [ 1318.039328][ T1082] [ 1318.040029][ T1082] 1 lock held by tar/1082: [ 1318.040259][ T1082] #0: ffff98c4c13f55f8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: amdgpu_debugfs_mqd_read+0x6a/0x250 [amdgpu] [ 1318.040560][ T1082] [ 1318.040560][ T1082] stack backtrace: [ ---truncated--- 2024-05-17 not yet calculated CVE-2024-35795
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: net: ll_temac: platform_get_resource replaced by wrong function The function platform_get_resource was replaced with devm_platform_ioremap_resource_byname and is called using 0 as name. This eventually ends up in platform_get_resource_byname in the call stack, where it causes a null pointer in strcmp. if (type == resource_type(r) && !strcmp(r->name, name)) It should have been replaced with devm_platform_ioremap_resource. 2024-05-17 not yet calculated CVE-2024-35796
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: mm: cachestat: fix two shmem bugs When cachestat on shmem races with swapping and invalidation, there are two possible bugs: 1) A swapin error can have resulted in a poisoned swap entry in the shmem inode's xarray. Calling get_shadow_from_swap_cache() on it will result in an out-of-bounds access to swapper_spaces[]. Validate the entry with non_swap_entry() before going further. 2) When we find a valid swap entry in the shmem's inode, the shadow entry in the swapcache might not exist yet: swap IO is still in progress and we're before __remove_mapping; swapin, invalidation, or swapoff have removed the shadow from swapcache after we saw the shmem swap entry. This will send a NULL to workingset_test_recent(). The latter purely operates on pointer bits, so it won't crash - node 0, memcg ID 0, eviction timestamp 0, etc. are all valid inputs - but it's a bogus test. In theory that could result in a false "recently evicted" count. Such a false positive wouldn't be the end of the world. But for code clarity and (future) robustness, be explicit about this case. Bail on get_shadow_from_swap_cache() returning NULL. 2024-05-17 not yet calculated CVE-2024-35797
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race in read_extent_buffer_pages() There are reports from tree-checker that detects corrupted nodes, without any obvious pattern so possibly an overwrite in memory. After some debugging it turns out there's a race when reading an extent buffer the uptodate status can be missed. To prevent concurrent reads for the same extent buffer, read_extent_buffer_pages() performs these checks: /* (1) */ if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags)) return 0; /* (2) */ if (test_and_set_bit(EXTENT_BUFFER_READING, &eb->bflags)) goto done; At this point, it seems safe to start the actual read operation. Once that completes, end_bbio_meta_read() does /* (3) */ set_extent_buffer_uptodate(eb); /* (4) */ clear_bit(EXTENT_BUFFER_READING, &eb->bflags); Normally, this is enough to ensure only one read happens, and all other callers wait for it to finish before returning. Unfortunately, there is a racey interleaving: Thread A | Thread B | Thread C ---------+----------+--------- (1) | | | (1) | (2) | | (3) | | (4) | | | (2) | | | (1) When this happens, thread B kicks of an unnecessary read. Worse, thread C will see UPTODATE set and return immediately, while the read from thread B is still in progress. This race could result in tree-checker errors like this as the extent buffer is concurrently modified: BTRFS critical (device dm-0): corrupted node, root=256 block=8550954455682405139 owner mismatch, have 11858205567642294356 expect [256, 18446744073709551360] Fix it by testing UPTODATE again after setting the READING bit, and if it's been set, skip the unnecessary read. [ minor update of changelog ] 2024-05-17 not yet calculated CVE-2024-35798
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Prevent crash when disable stream [Why] Disabling stream encoder invokes a function that no longer exists. [How] Check if the function declaration is NULL in disable stream encoder. 2024-05-17 not yet calculated CVE-2024-35799
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: efi: fix panic in kdump kernel Check if get_next_variable() is actually valid pointer before calling it. In kdump kernel this method is set to NULL that causes panic during the kexec-ed kernel boot. Tested with QEMU and OVMF firmware. 2024-05-17 not yet calculated CVE-2024-35800
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD Commit 672365477ae8 ("x86/fpu: Update XFD state where required") and commit 8bf26758ca96 ("x86/fpu: Add XFD state to fpstate") introduced a per CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in order to avoid unnecessary writes to the MSR. On CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which wipes out any stale state. But the per CPU cached xfd value is not reset, which brings them out of sync. As a consequence a subsequent xfd_update_state() might fail to update the MSR which in turn can result in XRSTOR raising a #NM in kernel space, which crashes the kernel. To fix this, introduce xfd_set_state() to write xfd_state together with MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD. 2024-05-17 not yet calculated CVE-2024-35801
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: x86/sev: Fix position dependent variable references in startup code The early startup code executes from a 1:1 mapping of memory, which differs from the mapping that the code was linked and/or relocated to run at. The latter mapping is not active yet at this point, and so symbol references that rely on it will fault. Given that the core kernel is built without -fPIC, symbol references are typically emitted as absolute, and so any such references occuring in the early startup code will therefore crash the kernel. While an attempt was made to work around this for the early SEV/SME startup code, by forcing RIP-relative addressing for certain global SEV/SME variables via inline assembly (see snp_cpuid_get_table() for example), RIP-relative addressing must be pervasively enforced for SEV/SME global variables when accessed prior to page table fixups. __startup_64() already handles this issue for select non-SEV/SME global variables using fixup_pointer(), which adjusts the pointer relative to a `physaddr` argument. To avoid having to pass around this `physaddr` argument across all functions needing to apply pointer fixups, introduce a macro RIP_RELATIVE_REF() which generates a RIP-relative reference to a given global variable. It is used where necessary to force RIP-relative accesses to global variables. For backporting purposes, this patch makes no attempt at cleaning up other occurrences of this pattern, involving either inline asm or fixup_pointer(). Those will be addressed later. [ bp: Call it "rip_rel_ref" everywhere like other code shortens "rIP-relative reference" and make the asm wrapper __always_inline. ] 2024-05-17 not yet calculated CVE-2024-35802
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: x86/efistub: Call mixed mode boot services on the firmware's stack Normally, the EFI stub calls into the EFI boot services using the stack that was live when the stub was entered. According to the UEFI spec, this stack needs to be at least 128k in size - this might seem large but all asynchronous processing and event handling in EFI runs from the same stack and so quite a lot of space may be used in practice. In mixed mode, the situation is a bit different: the bootloader calls the 32-bit EFI stub entry point, which calls the decompressor's 32-bit entry point, where the boot stack is set up, using a fixed allocation of 16k. This stack is still in use when the EFI stub is started in 64-bit mode, and so all calls back into the EFI firmware will be using the decompressor's limited boot stack. Due to the placement of the boot stack right after the boot heap, any stack overruns have gone unnoticed. However, commit 5c4feadb0011983b ("x86/decompressor: Move global symbol references to C code") moved the definition of the boot heap into C code, and now the boot stack is placed right at the base of BSS, where any overruns will corrupt the end of the .data section. While it would be possible to work around this by increasing the size of the boot stack, doing so would affect all x86 systems, and mixed mode systems are a tiny (and shrinking) fraction of the x86 installed base. So instead, record the firmware stack pointer value when entering from the 32-bit firmware, and switch to this stack every time a EFI boot service call is made. 2024-05-17 not yet calculated CVE-2024-35803
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Mark target gfn of emulated atomic instruction as dirty When emulating an atomic access on behalf of the guest, mark the target gfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This fixes a bug where KVM effectively corrupts guest memory during live migration by writing to guest memory without informing userspace that the page is dirty. Marking the page dirty got unintentionally dropped when KVM's emulated CMPXCHG was converted to do a user access. Before that, KVM explicitly mapped the guest page into kernel memory, and marked the page dirty during the unmap phase. Mark the page dirty even if the CMPXCHG fails, as the old data is written back on failure, i.e. the page is still written. The value written is guaranteed to be the same because the operation is atomic, but KVM's ABI is that all writes are dirty logged regardless of the value written. And more importantly, that's what KVM did before the buggy commit. Huge kudos to the folks on the Cc list (and many others), who did all the actual work of triaging and debugging. base-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64 2024-05-17 not yet calculated CVE-2024-35804
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: dm snapshot: fix lockup in dm_exception_table_exit There was reported lockup when we exit a snapshot with many exceptions. Fix this by adding "cond_resched" to the loop that frees the exceptions. 2024-05-17 not yet calculated CVE-2024-35805
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: Always disable interrupts when taking cgr_lock smp_call_function_single disables IRQs when executing the callback. To prevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere. This is already done by qman_update_cgr and qman_delete_cgr; fix the other lockers. 2024-05-17 not yet calculated CVE-2024-35806
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: ext4: fix corruption during on-line resize We observed a corruption during on-line resize of a file system that is larger than 16 TiB with 4k block size. With having more then 2^32 blocks resize_inode is turned off by default by mke2fs. The issue can be reproduced on a smaller file system for convenience by explicitly turning off resize_inode. An on-line resize across an 8 GiB boundary (the size of a meta block group in this setup) then leads to a corruption: dev=/dev/<some_dev> # should be >= 16 GiB mkdir -p /corruption /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15)) mount -t ext4 $dev /corruption dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15)) sha1sum /corruption/test # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test /sbin/resize2fs $dev $((2*2**21)) # drop page cache to force reload the block from disk echo 1 > /proc/sys/vm/drop_caches sha1sum /corruption/test # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test 2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per block group and 2^6 are the number of block groups that make a meta block group. The last checksum might be different depending on how the file is laid out across the physical blocks. The actual corruption occurs at physical block 63*2^15 = 2064384 which would be the location of the backup of the meta block group's block descriptor. During the on-line resize the file system will be converted to meta_bg starting at s_first_meta_bg which is 2 in the example - meaning all block groups after 16 GiB. However, in ext4_flex_group_add we might add block groups that are not part of the first meta block group yet. In the reproducer we achieved this by substracting the size of a whole block group from the point where the meta block group would start. This must be considered when updating the backup block group descriptors to follow the non-meta_bg layout. The fix is to add a test whether the group to add is already part of the meta block group or not. 2024-05-17 not yet calculated CVE-2024-35807
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: md/dm-raid: don't call md_reap_sync_thread() directly Currently md_reap_sync_thread() is called from raid_message() directly without holding 'reconfig_mutex', this is definitely unsafe because md_reap_sync_thread() can change many fields that is protected by 'reconfig_mutex'. However, hold 'reconfig_mutex' here is still problematic because this will cause deadlock, for example, commit 130443d60b1b ("md: refactor idle/frozen_sync_thread() to fix deadlock"). Fix this problem by using stop_sync_thread() to unregister sync_thread, like md/raid did. 2024-05-17 not yet calculated CVE-2024-35808
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: PCI/PM: Drain runtime-idle callbacks before driver removal A race condition between the .runtime_idle() callback and the .remove() callback in the rtsx_pcr PCI driver leads to a kernel crash due to an unhandled page fault [1]. The problem is that rtsx_pci_runtime_idle() is not expected to be running after pm_runtime_get_sync() has been called, but the latter doesn't really guarantee that. It only guarantees that the suspend and resume callbacks will not be running when it returns. However, if a .runtime_idle() callback is already running when pm_runtime_get_sync() is called, the latter will notice that the runtime PM status of the device is RPM_ACTIVE and it will return right away without waiting for the former to complete. In fact, it cannot wait for .runtime_idle() to complete because it may be called from that callback (it arguably does not make much sense to do that, but it is not strictly prohibited). Thus in general, whoever is providing a .runtime_idle() callback needs to protect it from running in parallel with whatever code runs after pm_runtime_get_sync(). [Note that .runtime_idle() will not start after pm_runtime_get_sync() has returned, but it may continue running then if it has started earlier.] One way to address that race condition is to call pm_runtime_barrier() after pm_runtime_get_sync() (not before it, because a nonzero value of the runtime PM usage counter is necessary to prevent runtime PM callbacks from being invoked) to wait for the .runtime_idle() callback to complete should it be running at that point. A suitable place for doing that is in pci_device_remove() which calls pm_runtime_get_sync() before removing the driver, so it may as well call pm_runtime_barrier() subsequently, which will prevent the race in question from occurring, not just in the rtsx_pcr driver, but in any PCI drivers providing .runtime_idle() callbacks. 2024-05-17 not yet calculated CVE-2024-35809
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix the lifetime of the bo cursor memory The cleanup can be dispatched while the atomic update is still active, which means that the memory acquired in the atomic update needs to not be invalidated by the cleanup. The buffer objects in vmw_plane_state instead of using the builtin map_and_cache were trying to handle the lifetime of the mapped memory themselves, leading to crashes. Use the map_and_cache instead of trying to manage the lifetime of the buffer objects held by the vmw_plane_state. Fixes kernel oops'es in IGT's kms_cursor_legacy forked-bo. 2024-05-17 not yet calculated CVE-2024-35810
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach This is the candidate patch of CVE-2023-47233 : https://nvd.nist.gov/vuln/detail/CVE-2023-47233 In brcm80211 driver,it starts with the following invoking chain to start init a timeout worker: ->brcmf_usb_probe ->brcmf_usb_probe_cb ->brcmf_attach ->brcmf_bus_started ->brcmf_cfg80211_attach ->wl_init_priv ->brcmf_init_escan ->INIT_WORK(&cfg->escan_timeout_work, brcmf_cfg80211_escan_timeout_worker); If we disconnect the USB by hotplug, it will call brcmf_usb_disconnect to make cleanup. The invoking chain is : brcmf_usb_disconnect ->brcmf_usb_disconnect_cb ->brcmf_detach ->brcmf_cfg80211_detach ->kfree(cfg); While the timeout woker may still be running. This will cause a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker. Fix it by deleting the timer and canceling the worker in brcmf_cfg80211_detach. [arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free] 2024-05-17 not yet calculated CVE-2024-35811
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: usb: cdc-wdm: close race between read and workqueue wdm_read() cannot race with itself. However, in service_outstanding_interrupt() it can race with the workqueue, which can be triggered by error handling. Hence we need to make sure that the WDM_RESPONDING flag is not just only set but tested. 2024-05-17 not yet calculated CVE-2024-35812
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: mmc: core: Avoid negative index with array access Commit 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu") assigns prev_idata = idatas[i - 1], but doesn't check that the iterator i is greater than zero. Let's fix this by adding a check. 2024-05-17 not yet calculated CVE-2024-35813
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: swiotlb: Fix double-allocation of slots due to broken alignment handling Commit bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix"), which was a fix for commit 0eee5ae10256 ("swiotlb: fix slot alignment checks"), causes a functional regression with vsock in a virtual machine using bouncing via a restricted DMA SWIOTLB pool. When virtio allocates the virtqueues for the vsock device using dma_alloc_coherent(), the SWIOTLB search can return page-unaligned allocations if 'area->index' was left unaligned by a previous allocation from the buffer: # Final address in brackets is the SWIOTLB address returned to the caller | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800) This ends badly (typically buffer corruption and/or a hang) because swiotlb_alloc() is expecting a page-aligned allocation and so blindly returns a pointer to the 'struct page' corresponding to the allocation, therefore double-allocating the first half (2KiB slot) of the 4KiB page. Fix the problem by treating the allocation alignment separately to any additional alignment requirements from the device, using the maximum of the two as the stride to search the buffer slots and taking care to ensure a minimum of page-alignment for buffers larger than a page. This also resolves swiotlb allocation failures occuring due to the inclusion of ~PAGE_MASK in 'iotlb_align_mask' for large allocations and resulting in alignment requirements exceeding swiotlb_max_mapping_size(). 2024-05-17 not yet calculated CVE-2024-35814
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion The first kiocb_set_cancel_fn() argument may point at a struct kiocb that is not embedded inside struct aio_kiocb. With the current code, depending on the compiler, the req->ki_ctx read happens either before the IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such that it is guaranteed that the IOCB_AIO_RW test happens first. 2024-05-17 not yet calculated CVE-2024-35815
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: firewire: ohci: prevent leak of left-over IRQ on unbind Commit 5a95f1ded28691e6 ("firewire: ohci: use devres for requested IRQ") also removed the call to free_irq() in pci_remove(), leading to a leftover irq of devm_request_irq() at pci_disable_msi() in pci_remove() when unbinding the driver from the device remove_proc_entry: removing non-empty directory 'irq/136', leaking at least 'firewire_ohci' Call Trace: ? remove_proc_entry+0x19c/0x1c0 ? __warn+0x81/0x130 ? remove_proc_entry+0x19c/0x1c0 ? report_bug+0x171/0x1a0 ? console_unlock+0x78/0x120 ? handle_bug+0x3c/0x80 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? remove_proc_entry+0x19c/0x1c0 unregister_irq_proc+0xf4/0x120 free_desc+0x3d/0xe0 ? kfree+0x29f/0x2f0 irq_free_descs+0x47/0x70 msi_domain_free_locked.part.0+0x19d/0x1d0 msi_domain_free_irqs_all_locked+0x81/0xc0 pci_free_msi_irqs+0x12/0x40 pci_disable_msi+0x4c/0x60 pci_remove+0x9d/0xc0 [firewire_ohci 01b483699bebf9cb07a3d69df0aa2bee71db1b26] pci_device_remove+0x37/0xa0 device_release_driver_internal+0x19f/0x200 unbind_store+0xa1/0xb0 remove irq with devm_free_irq() before pci_disable_msi() also remove it in fail_msi: of pci_probe() as this would lead to an identical leak 2024-05-17 not yet calculated CVE-2024-35816
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag Otherwise after the GTT bo is released, the GTT and gart space is freed but amdgpu_ttm_backend_unbind will not clear the gart page table entry and leave valid mapping entry pointing to the stale system page. Then if GPU access the gart address mistakely, it will read undefined value instead page fault, harder to debug and reproduce the real issue. 2024-05-17 not yet calculated CVE-2024-35817
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: LoongArch: Define the __io_aw() hook as mmiowb() Commit fb24ea52f78e0d595852e ("drivers: Remove explicit invocations of mmiowb()") remove all mmiowb() in drivers, but it says: "NOTE: mmiowb() has only ever guaranteed ordering in conjunction with spin_unlock(). However, pairing each mmiowb() removal in this patch with the corresponding call to spin_unlock() is not at all trivial, so there is a small chance that this change may regress any drivers incorrectly relying on mmiowb() to order MMIO writes between CPUs using lock-free synchronisation." The mmio in radeon_ring_commit() is protected by a mutex rather than a spinlock, but in the mutex fastpath it behaves similar to spinlock. We can add mmiowb() calls in the radeon driver but the maintainer says he doesn't like such a workaround, and radeon is not the only example of mutex protected mmio. So we should extend the mmiowb tracking system from spinlock to mutex, and maybe other locking primitives. This is not easy and error prone, so we solve it in the architectural code, by simply defining the __io_aw() hook as mmiowb(). And we no longer need to override queued_spin_unlock() so use the generic definition. Without this, we get such an error when run 'glxgears' on weak ordering architectures such as LoongArch: radeon 0000:04:00.0: ring 0 stalled for more than 10324msec radeon 0000:04:00.0: ring 3 stalled for more than 10240msec radeon 0000:04:00.0: GPU lockup (current fence id 0x000000000001f412 last fence id 0x000000000001f414 on ring 3) radeon 0000:04:00.0: GPU lockup (current fence id 0x000000000000f940 last fence id 0x000000000000f941 on ring 0) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) 2024-05-17 not yet calculated CVE-2024-35818
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: Use raw spinlock for cgr_lock smp_call_function always runs its callback in hard IRQ context, even on PREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock for cgr_lock to ensure we aren't waiting on a sleeping task. Although this bug has existed for a while, it was not apparent until commit ef2a8d5478b9 ("net: dpaa: Adjust queue depth on rate change") which invokes smp_call_function_single via qman_update_cgr_safe every time a link goes up or down. 2024-05-17 not yet calculated CVE-2024-35819
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: io_uring: fix io_queue_proc modifying req->flags With multiple poll entries __io_queue_proc() might be running in parallel with poll handlers and possibly task_work, we should not be carelessly modifying req->flags there. io_poll_double_prepare() handles a similar case with locking but it's much easier to move it into __io_arm_poll_handler(). 2024-05-17 not yet calculated CVE-2024-35820
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: ubifs: Set page uptodate in the correct place Page cache reads are lockless, so setting the freshly allocated page uptodate before we've overwritten it with the data it's supposed to have in it will allow a simultaneous reader to see old data. Move the call to SetPageUptodate into ubifs_write_end(), which is after we copied the new data into the page. 2024-05-17 not yet calculated CVE-2024-35821
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: usb: udc: remove warning when queue disabled ep It is possible trigger below warning message from mass storage function, WARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104 pc : usb_ep_queue+0x7c/0x104 lr : fsg_main_thread+0x494/0x1b3c Root cause is mass storage function try to queue request from main thread, but other thread may already disable ep when function disable. As there is no function failure in the driver, in order to avoid effort to fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug(). 2024-05-17 not yet calculated CVE-2024-35822
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: vt: fix unicode buffer corruption when deleting characters This is the same issue that was fixed for the VGA text buffer in commit 39cdb68c64d8 ("vt: fix memory overlapping when deleting chars in the buffer"). The cure is also the same i.e. replace memcpy() with memmove() due to the overlaping buffers. 2024-05-17 not yet calculated CVE-2024-35823
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: misc: lis3lv02d_i2c: Fix regulators getting en-/dis-abled twice on suspend/resume When not configured for wakeup lis3lv02d_i2c_suspend() will call lis3lv02d_poweroff() even if the device has already been turned off by the runtime-suspend handler and if configured for wakeup and the device is runtime-suspended at this point then it is not turned back on to serve as a wakeup source. Before commit b1b9f7a49440 ("misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback"), lis3lv02d_poweroff() failed to disable the regulators which as a side effect made calling poweroff() twice ok. Now that poweroff() correctly disables the regulators, doing this twice triggers a WARN() in the regulator core: unbalanced disables for regulator-dummy WARNING: CPU: 1 PID: 92 at drivers/regulator/core.c:2999 _regulator_disable ... Fix lis3lv02d_i2c_suspend() to not call poweroff() a second time if already runtime-suspended and add a poweron() call when necessary to make wakeup work. lis3lv02d_i2c_resume() has similar issues, with an added weirness that it always powers on the device if it is runtime suspended, after which the first runtime-resume will call poweron() again, causing the enabled count for the regulator to increase by 1 every suspend/resume. These unbalanced regulator_enable() calls cause the regulator to never be turned off and trigger the following WARN() on driver unbind: WARNING: CPU: 1 PID: 1724 at drivers/regulator/core.c:2396 _regulator_put Fix this by making lis3lv02d_i2c_resume() mirror the new suspend(). 2024-05-17 not yet calculated CVE-2024-35824
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: usb: gadget: ncm: Fix handling of zero block length packets While connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX set to 65536, it has been observed that we receive short packets, which come at interval of 5-10 seconds sometimes and have block length zero but still contain 1-2 valid datagrams present. According to the NCM spec: "If wBlockLength = 0x0000, the block is terminated by a short packet. In this case, the USB transfer must still be shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If exactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent, and the size is a multiple of wMaxPacketSize for the given pipe, then no ZLP shall be sent. wBlockLength= 0x0000 must be used with extreme care, because of the possibility that the host and device may get out of sync, and because of test issues. wBlockLength = 0x0000 allows the sender to reduce latency by starting to send a very large NTB, and then shortening it when the sender discovers that there's not sufficient data to justify sending a large NTB" However, there is a potential issue with the current implementation, as it checks for the occurrence of multiple NTBs in a single giveback by verifying if the leftover bytes to be processed is zero or not. If the block length reads zero, we would process the same NTB infintely because the leftover bytes is never zero and it leads to a crash. Fix this by bailing out if block length reads zero. 2024-05-17 not yet calculated CVE-2024-35825
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: block: Fix page refcounts for unaligned buffers in __bio_release_pages() Fix an incorrect number of pages being released for buffers that do not start at the beginning of a page. 2024-05-17 not yet calculated CVE-2024-35826
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: io_uring/net: fix overflow check in io_recvmsg_mshot_prep() The "controllen" variable is type size_t (unsigned long). Casting it to int could lead to an integer underflow. The check_add_overflow() function considers the type of the destination which is type int. If we add two positive values and the result cannot fit in an integer then that's counted as an overflow. However, if we cast "controllen" to an int and it turns negative, then negative values *can* fit into an int type so there is no overflow. Good: 100 + (unsigned long)-4 = 96 <-- overflow Bad: 100 + (int)-4 = 96 <-- no overflow I deleted the cast of the sizeof() as well. That's not a bug but the cast is unnecessary. 2024-05-17 not yet calculated CVE-2024-35827
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer() In the for statement of lbs_allocate_cmd_buffer(), if the allocation of cmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf needs to be freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer(). 2024-05-17 not yet calculated CVE-2024-35828
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: drm/lima: fix a memleak in lima_heap_alloc When lima_vm_map_bo fails, the resources need to be deallocated, or there will be memleaks. 2024-05-17 not yet calculated CVE-2024-35829
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: media: tc358743: register v4l2 async device only after successful setup Ensure the device has been setup correctly before registering the v4l2 async device, thus allowing userspace to access. 2024-05-17 not yet calculated CVE-2024-35830
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: io_uring: Fix release of pinned pages when __io_uaddr_map fails Looking at the error path of __io_uaddr_map, if we fail after pinning the pages for any reasons, ret will be set to -EINVAL and the error handler won't properly release the pinned pages. I didn't manage to trigger it without forcing a failure, but it can happen in real life when memory is heavily fragmented. 2024-05-17 not yet calculated CVE-2024-35831
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: bcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit bch_fs::snapshots is allocated by kvzalloc in __snapshot_t_mut. It should be freed by kvfree not kfree. Or umount will triger: [ 406.829178 ] BUG: unable to handle page fault for address: ffffe7b487148008 [ 406.830676 ] #PF: supervisor read access in kernel mode [ 406.831643 ] #PF: error_code(0x0000) - not-present page [ 406.832487 ] PGD 0 P4D 0 [ 406.832898 ] Oops: 0000 [#1] PREEMPT SMP PTI [ 406.833512 ] CPU: 2 PID: 1754 Comm: umount Kdump: loaded Tainted: G OE 6.7.0-rc7-custom+ #90 [ 406.834746 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 [ 406.835796 ] RIP: 0010:kfree+0x62/0x140 [ 406.836197 ] Code: 80 48 01 d8 0f 82 e9 00 00 00 48 c7 c2 00 00 00 80 48 2b 15 78 9f 1f 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 56 9f 1f 01 <48> 8b 50 08 48 89 c7 f6 c2 01 0f 85 b0 00 00 00 66 90 48 8b 07 f6 [ 406.837810 ] RSP: 0018:ffffb9d641607e48 EFLAGS: 00010286 [ 406.838213 ] RAX: ffffe7b487148000 RBX: ffffb9d645200000 RCX: ffffb9d641607dc4 [ 406.838738 ] RDX: 000065bb00000000 RSI: ffffffffc0d88b84 RDI: ffffb9d645200000 [ 406.839217 ] RBP: ffff9a4625d00068 R08: 0000000000000001 R09: 0000000000000001 [ 406.839650 ] R10: 0000000000000001 R11: 000000000000001f R12: ffff9a4625d4da80 [ 406.840055 ] R13: ffff9a4625d00000 R14: ffffffffc0e2eb20 R15: 0000000000000000 [ 406.840451 ] FS: 00007f0a264ffb80(0000) GS:ffff9a4e2d500000(0000) knlGS:0000000000000000 [ 406.840851 ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 406.841125 ] CR2: ffffe7b487148008 CR3: 000000018c4d2000 CR4: 00000000000006f0 [ 406.841464 ] Call Trace: [ 406.841583 ] <TASK> [ 406.841682 ] ? __die+0x1f/0x70 [ 406.841828 ] ? page_fault_oops+0x159/0x470 [ 406.842014 ] ? fixup_exception+0x22/0x310 [ 406.842198 ] ? exc_page_fault+0x1ed/0x200 [ 406.842382 ] ? asm_exc_page_fault+0x22/0x30 [ 406.842574 ] ? bch2_fs_release+0x54/0x280 [bcachefs] [ 406.842842 ] ? kfree+0x62/0x140 [ 406.842988 ] ? kfree+0x104/0x140 [ 406.843138 ] bch2_fs_release+0x54/0x280 [bcachefs] [ 406.843390 ] kobject_put+0xb7/0x170 [ 406.843552 ] deactivate_locked_super+0x2f/0xa0 [ 406.843756 ] cleanup_mnt+0xba/0x150 [ 406.843917 ] task_work_run+0x59/0xa0 [ 406.844083 ] exit_to_user_mode_prepare+0x197/0x1a0 [ 406.844302 ] syscall_exit_to_user_mode+0x16/0x40 [ 406.844510 ] do_syscall_64+0x4e/0xf0 [ 406.844675 ] entry_SYSCALL_64_after_hwframe+0x6e/0x76 [ 406.844907 ] RIP: 0033:0x7f0a2664e4fb 2024-05-17 not yet calculated CVE-2024-35832
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA This dma_alloc_coherent() is undone neither in the remove function, nor in the error handling path of fsl_qdma_probe(). Switch to the managed version to fix both issues. 2024-05-17 not yet calculated CVE-2024-35833
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: xsk: recycle buffer in case Rx queue was full Add missing xsk_buff_free() call when __xsk_rcv_zc() failed to produce descriptor to XSK Rx queue. 2024-05-17 not yet calculated CVE-2024-35834
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: fix a double-free in arfs_create_groups When `in` allocated by kvzalloc fails, arfs_create_groups will free ft->g and return an error. However, arfs_create_table, the only caller of arfs_create_groups, will hold this error and call to mlx5e_destroy_flow_table, in which the ft->g will be freed again. 2024-05-17 not yet calculated CVE-2024-35835
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: dpll: fix pin dump crash for rebound module When a kernel module is unbound but the pin resources were not entirely freed (other kernel module instance of the same PCI device have had kept the reference to that pin), and kernel module is again bound, the pin properties would not be updated (the properties are only assigned when memory for the pin is allocated), prop pointer still points to the kernel module memory of the kernel module which was deallocated on the unbind. If the pin dump is invoked in this state, the result is a kernel crash. Prevent the crash by storing persistent pin properties in dpll subsystem, copy the content from the kernel module when pin is allocated, instead of using memory of the kernel module. 2024-05-17 not yet calculated CVE-2024-35836
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: clear BM pool before initialization Register value persist after booting the kernel using kexec which results in kernel panic. Thus clear the BM pool registers before initialisation to fix the issue. 2024-05-17 not yet calculated CVE-2024-35837
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential sta-link leak When a station is allocated, links are added but not set to valid yet (e.g. during connection to an AP MLD), we might remove the station without ever marking links valid, and leak them. Fix that. 2024-05-17 not yet calculated CVE-2024-35838
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: replace physindev with physinif in nf_bridge_info An skb can be added to a neigh->arp_queue while waiting for an arp reply. Where original skb's skb->dev can be different to neigh's neigh->dev. For instance in case of bridging dnated skb from one veth to another, the skb would be added to a neigh->arp_queue of the bridge. As skb->dev can be reset back to nf_bridge->physindev and used, and as there is no explicit mechanism that prevents this physindev from been freed under us (for instance neigh_flush_dev doesn't cleanup skbs from different device's neigh queue) we can crash on e.g. this stack: arp_process neigh_update skb = __skb_dequeue(&neigh->arp_queue) neigh_resolve_output(..., skb) ... br_nf_dev_xmit br_nf_pre_routing_finish_bridge_slow skb->dev = nf_bridge->physindev br_handle_frame_finish Let's use plain ifindex instead of net_device link. To peek into the original net_device we will use dev_get_by_index_rcu(). Thus either we get device and are safe to use it or we don't get it and drop skb. 2024-05-17 not yet calculated CVE-2024-35839
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() subflow_finish_connect() uses four fields (backup, join_id, thmac, none) that may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set in mptcp_parse_option() 2024-05-17 not yet calculated CVE-2024-35840
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: net: tls, fix WARNIING in __sk_msg_free A splice with MSG_SPLICE_PAGES will cause tls code to use the tls_sw_sendmsg_splice path in the TLS sendmsg code to move the user provided pages from the msg into the msg_pl. This will loop over the msg until msg_pl is full, checked by sk_msg_full(msg_pl). The user can also set the MORE flag to hint stack to delay sending until receiving more pages and ideally a full buffer. If the user adds more pages to the msg than can fit in the msg_pl scatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and send the buffer anyways. What actually happens though is we abort the msg to msg_pl scatterlist setup and then because we forget to set 'full record' indicating we can no longer consume data without a send we fallthrough to the 'continue' path which will check if msg_data_left(msg) has more bytes to send and then attempts to fit them in the already full msg_pl. Then next iteration of sender doing send will encounter a full msg_pl and throw the warning in the syzbot report. To fix simply check if we have a full_record in splice code path and if not send the msg regardless of MORE flag. 2024-05-17 not yet calculated CVE-2024-35841
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: sof-common: Add NULL check for normal_link string It's not granted that all entries of struct sof_conn_stream declare a `normal_link` (a non-SOF, direct link) string, and this is the case for SoCs that support only SOF paths (hence do not support both direct and SOF usecases). For example, in the case of MT8188 there is no normal_link string in any of the sof_conn_stream entries and there will be more drivers doing that in the future. To avoid possible NULL pointer KPs, add a NULL check for `normal_link`. 2024-05-17 not yet calculated CVE-2024-35842
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Use device rbtree in iopf reporting path The existing I/O page fault handler currently locates the PCI device by calling pci_get_domain_bus_and_slot(). This function searches the list of all PCI devices until the desired device is found. To improve lookup efficiency, replace it with device_rbtree_find() to search the device within the probed device rbtree. The I/O page fault is initiated by the device, which does not have any synchronization mechanism with the software to ensure that the device stays in the probed device tree. Theoretically, a device could be released by the IOMMU subsystem after device_rbtree_find() and before iopf_get_dev_fault_param(), which would cause a use-after-free problem. Add a mutex to synchronize the I/O page fault reporting path and the IOMMU release device path. This lock doesn't introduce any performance overhead, as the conflict between I/O page fault reporting and device releasing is very rare. 2024-05-17 not yet calculated CVE-2024-35843
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix reserve_cblocks counting error when out of space When a file only needs one direct_node, performing the following operations will cause the file to be unrepairable: unisoc # ./f2fs_io compress test.apk unisoc #df -h | grep dm-48 /dev/block/dm-48 112G 112G 1.2M 100% /data unisoc # ./f2fs_io release_cblocks test.apk 924 unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 4.8M 100% /data unisoc # dd if=/dev/random of=file4 bs=1M count=3 3145728 bytes (3.0 M) copied, 0.025 s, 120 M/s unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 1.8M 100% /data unisoc # ./f2fs_io reserve_cblocks test.apk F2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device adb reboot unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 11M 100% /data unisoc # ./f2fs_io reserve_cblocks test.apk 0 This is because the file has only one direct_node. After returning to -ENOSPC, reserved_blocks += ret will not be executed. As a result, the reserved_blocks at this time is still 0, which is not the real number of reserved blocks. Therefore, fsck cannot be set to repair the file. After this patch, the fsck flag will be set to fix this problem. unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 1.8M 100% /data unisoc # ./f2fs_io reserve_cblocks test.apk F2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device adb reboot then fsck will be executed unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 11M 100% /data unisoc # ./f2fs_io reserve_cblocks test.apk 924 2024-05-17 not yet calculated CVE-2024-35844
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: dbg-tlv: ensure NUL termination The iwl_fw_ini_debug_info_tlv is used as a string, so we must ensure the string is terminated correctly before using it. 2024-05-17 not yet calculated CVE-2024-35845
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: mm: zswap: fix shrinker NULL crash with cgroup_disable=memory Christian reports a NULL deref in zswap that he bisected down to the zswap shrinker. The issue also cropped up in the bug trackers of libguestfs [1] and the Red Hat bugzilla [2]. The problem is that when memcg is disabled with the boot time flag, the zswap shrinker might get called with sc->memcg == NULL. This is okay in many places, like the lruvec operations. But it crashes in memcg_page_state() - which is only used due to the non-node accounting of cgroup's the zswap memory to begin with. Nhat spotted that the memcg can be NULL in the memcg-disabled case, and I was then able to reproduce the crash locally as well. [1] https://github.com/libguestfs/libguestfs/issues/139 [2] https://bugzilla.redhat.com/show_bug.cgi?id=2275252 2024-05-17 not yet calculated CVE-2024-35846
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3-its: Prevent double free on error The error handling path in its_vpe_irq_domain_alloc() causes a double free when its_vpe_init() fails after successfully allocating at least one interrupt. This happens because its_vpe_irq_domain_free() frees the interrupts along with the area bitmap and the vprop_page and its_vpe_irq_domain_alloc() subsequently frees the area bitmap and the vprop_page again. Fix this by unconditionally invoking its_vpe_irq_domain_free() which handles all cases correctly and by removing the bitmap/vprop_page freeing from its_vpe_irq_domain_alloc(). [ tglx: Massaged change log ] 2024-05-17 not yet calculated CVE-2024-35847
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device. 2024-05-17 not yet calculated CVE-2024-35848
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix information leak in btrfs_ioctl_logical_to_ino() Syzbot reported the following information leak for in btrfs_ioctl_logical_to_ino(): BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40 instrument_copy_to_user include/linux/instrumented.h:114 [inline] _copy_to_user+0xbc/0x110 lib/usercopy.c:40 copy_to_user include/linux/uaccess.h:191 [inline] btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499 btrfs_ioctl+0x714/0x1260 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: __kmalloc_large_node+0x231/0x370 mm/slub.c:3921 __do_kmalloc_node mm/slub.c:3954 [inline] __kmalloc_node+0xb07/0x1060 mm/slub.c:3973 kmalloc_node include/linux/slab.h:648 [inline] kvmalloc_node+0xc0/0x2d0 mm/util.c:634 kvmalloc include/linux/slab.h:766 [inline] init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779 btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480 btrfs_ioctl+0x714/0x1260 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Bytes 40-65535 of 65536 are uninitialized Memory access of size 65536 starts at ffff888045a40000 This happens, because we're copying a 'struct btrfs_data_container' back to user-space. This btrfs_data_container is allocated in 'init_data_container()' via kvmalloc(), which does not zero-fill the memory. Fix this by using kvzalloc() which zeroes out the memory on allocation. 2024-05-17 not yet calculated CVE-2024-35849
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: qca: fix NULL-deref on non-serdev setup Qualcomm ROME controllers can be registered from the Bluetooth line discipline and in this case the HCI UART serdev pointer is NULL. Add the missing sanity check to prevent a NULL-pointer dereference when setup() is called for a non-serdev controller. 2024-05-17 not yet calculated CVE-2024-35850
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: qca: fix NULL-deref on non-serdev suspend Qualcomm ROME controllers can be registered from the Bluetooth line discipline and in this case the HCI UART serdev pointer is NULL. Add the missing sanity check to prevent a NULL-pointer dereference when wakeup() is called for a non-serdev controller during suspend. Just return true for now to restore the original behaviour and address the crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657 ("Bluetooth: hci_qca: only assign wakeup with serial port support") that causes the crash to happen already at setup() time. 2024-05-17 not yet calculated CVE-2024-35851
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work The rehash delayed work is rescheduled with a delay if the number of credits at end of the work is not negative as supposedly it means that the migration ended. Otherwise, it is rescheduled immediately. After "mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash" the above is no longer accurate as a non-negative number of credits is no longer indicative of the migration being done. It can also happen if the work encountered an error in which case the migration will resume the next time the work is scheduled. The significance of the above is that it is possible for the work to be pending and associated with hints that were allocated when the migration started. This leads to the hints being leaked [1] when the work is canceled while pending as part of ACL region dismantle. Fix by freeing the hints if hints are associated with a work that was canceled while pending. Blame the original commit since the reliance on not having a pending work associated with hints is fragile. [1] unreferenced object 0xffff88810e7c3000 (size 256): comm "kworker/0:16", pid 176, jiffies 4295460353 hex dump (first 32 bytes): 00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a....... 00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@........... backtrace (crc 2544ddb9): [<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0 [<000000004d9a1ad9>] objagg_hints_get+0x42/0x390 [<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400 [<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160 [<00000000e81fd734>] process_one_work+0x59c/0xf20 [<00000000ceee9e81>] worker_thread+0x799/0x12c0 [<00000000bda6fe39>] kthread+0x246/0x300 [<0000000070056d23>] ret_from_fork+0x34/0x70 [<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30 2024-05-17 not yet calculated CVE-2024-35852
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix memory leak during rehash The rehash delayed work migrates filters from one region to another. This is done by iterating over all chunks (all the filters with the same priority) in the region and in each chunk iterating over all the filters. If the migration fails, the code tries to migrate the filters back to the old region. However, the rollback itself can also fail in which case another migration will be erroneously performed. Besides the fact that this ping pong is not a very good idea, it also creates a problem. Each virtual chunk references two chunks: The currently used one ('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the first holds the chunk we want to migrate filters to and the second holds the chunk we are migrating filters from. The code currently assumes - but does not verify - that the backup chunk does not exist (NULL) if the currently used chunk does not reference the target region. This assumption breaks when we are trying to rollback a rollback, resulting in the backup chunk being overwritten and leaked [1]. Fix by not rolling back a failed rollback and add a warning to avoid future cases. [1] WARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20 Modules linked in: CPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:parman_destroy+0x17/0x20 [...] Call Trace: <TASK> mlxsw_sp_acl_atcam_region_fini+0x19/0x60 mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0 mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470 process_one_work+0x151/0x370 worker_thread+0x2cb/0x3e0 kthread+0xd0/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 </TASK> 2024-05-17 not yet calculated CVE-2024-35853
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash The rehash delayed work migrates filters from one region to another according to the number of available credits. The migrated from region is destroyed at the end of the work if the number of credits is non-negative as the assumption is that this is indicative of migration being complete. This assumption is incorrect as a non-negative number of credits can also be the result of a failed migration. The destruction of a region that still has filters referencing it can result in a use-after-free [1]. Fix by not destroying the region if migration failed. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858 CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70 mlxsw_sp_acl_atcam_entry_del+0x81/0x210 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 174: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc+0x19c/0x360 mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0 mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 Freed by task 7: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x14/0x30 kfree+0xc1/0x290 mlxsw_sp_acl_tcam_region_destroy+0x272/0x310 mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 2024-05-17 not yet calculated CVE-2024-35854
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update The rule activity update delayed work periodically traverses the list of configured rules and queries their activity from the device. As part of this task it accesses the entry pointed by 'ventry->entry', but this entry can be changed concurrently by the rehash delayed work, leading to a use-after-free [1]. Fix by closing the race and perform the activity query under the 'vregion->lock' mutex. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140 Read of size 8 at addr ffff8881054ed808 by task kworker/0:18/181 CPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140 mlxsw_sp_acl_rule_activity_update_work+0x219/0x400 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1039: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc+0x19c/0x360 mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 Freed by task 1039: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x14/0x30 kfree+0xc1/0x290 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 2024-05-17 not yet calculated CVE-2024-35855
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: Fix double free of skb in coredump hci_devcd_append() would free the skb on error so the caller don't have to free it again otherwise it would cause the double free of skb. Reported-by : Dan Carpenter <dan.carpenter@linaro.org> 2024-05-17 not yet calculated CVE-2024-35856
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: icmp: prevent possible NULL dereferences from icmp_build_probe() First problem is a double call to __in_dev_get_rcu(), because the second one could return NULL. if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list) Second problem is a read from dev->ip6_ptr with no NULL check: if (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list)) Use the correct RCU API to fix these. v2: add missing include <net/addrconf.h> 2024-05-17 not yet calculated CVE-2024-35857
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: net: bcmasp: fix memory leak when bringing down interface When bringing down the TX rings we flush the rings but forget to reclaimed the flushed packets. This leads to a memory leak since we do not free the dma mapped buffers. This also leads to tx control block corruption when bringing down the interface for power management. 2024-05-17 not yet calculated CVE-2024-35858
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux--Linux
 		 In the Linux kernel, the following vulnerability has been resolved: block: fix module reference leakage from bdev_open_by_dev error path At the time bdev_may_open() is called, module reference is grabbed already, hence module reference should be released if bdev_may_open() failed. This problem is found by code review. 2024-05-17 not yet calculated CVE-2024-35859
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Mozilla--Firefox
 		 A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. 2024-05-14 not yet calculated CVE-2024-4367
security@mozilla.org
security@mozilla.org
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 Multiple WebRTC threads could have claimed a newly connected audio input leading to use-after-free. This vulnerability affects Firefox < 126. 2024-05-14 not yet calculated CVE-2024-4764
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 Web application manifests were stored by using an insecure MD5 hash which allowed for a hash collision to overwrite another application's manifest. This could have been exploited to run arbitrary code in another application's context. *This issue only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 126. 2024-05-14 not yet calculated CVE-2024-4765
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 Different techniques existed to obscure the fullscreen notification in Firefox for Android. These could have lead to potential user confusion and spoofing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 126. 2024-05-14 not yet calculated CVE-2024-4766
security@mozilla.org
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. 2024-05-14 not yet calculated CVE-2024-4767
security@mozilla.org
security@mozilla.org
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. 2024-05-14 not yet calculated CVE-2024-4768
security@mozilla.org
security@mozilla.org
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. 2024-05-14 not yet calculated CVE-2024-4769
security@mozilla.org
security@mozilla.org
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. 2024-05-14 not yet calculated CVE-2024-4770
security@mozilla.org
security@mozilla.org
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 A memory allocation check was missing which would lead to a use-after-free if the allocation failed. This could have triggered a crash or potentially be leveraged to achieve code execution. This vulnerability affects Firefox < 126. 2024-05-14 not yet calculated CVE-2024-4771
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 An HTTP digest authentication nonce value was generated using `rand()` which could lead to predictable values. This vulnerability affects Firefox < 126. 2024-05-14 not yet calculated CVE-2024-4772
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 When a network error occurred during page load, the prior content could have remained in view with a blank URL bar. This could have been used to obfuscate a spoofed web site. This vulnerability affects Firefox < 126. 2024-05-14 not yet calculated CVE-2024-4773
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 The `ShmemCharMapHashEntry()` code was susceptible to potentially undefined behavior by bypassing the move semantics for one of its data members. This vulnerability affects Firefox < 126. 2024-05-14 not yet calculated CVE-2024-4774
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 An iterator stop condition was missing when handling WASM code in the built-in profiler, potentially leading to invalid memory access and undefined behavior. *Note:* This issue only affects the application when the profiler is running. This vulnerability affects Firefox < 126. 2024-05-14 not yet calculated CVE-2024-4775
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 A file dialog shown while in full-screen mode could have resulted in the window remaining disabled. This vulnerability affects Firefox < 126. 2024-05-14 not yet calculated CVE-2024-4776
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. 2024-05-14 not yet calculated CVE-2024-4777
security@mozilla.org
security@mozilla.org
security@mozilla.org
security@mozilla.org
Mozilla--Firefox
 		 Memory safety bugs present in Firefox 125. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 126. 2024-05-14 not yet calculated CVE-2024-4778
security@mozilla.org
security@mozilla.org
Mozilla--Focus for iOS
 		 The file scheme of URLs would be hidden, resulting in potential spoofing of a website's address in the location bar This vulnerability affects Focus for iOS < 126. 2024-05-17 not yet calculated CVE-2024-5022
security@mozilla.org
security@mozilla.org
NEC Platforms, Ltd--ITK-6DGS-1(BK) TEL
 		 NEC Platforms DT900 and DT900S Series 5.0.0.0 - v5.3.4.4, v5.4.0.0 - v5.6.0.20 allows an attacker to access a non-documented the system settings to change settings via local network with unauthenticated user. 2024-05-14 not yet calculated CVE-2024-3016
psirt-info@cyber.jp.nec.com
Netflix--ConsoleMe
 		 Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Netflix ConsoleMe allows Command Injection.This issue affects ConsoleMe: before 1.4.0. 2024-05-16 not yet calculated CVE-2024-5023
security-report@netflix.com
OpenSSL--OpenSSL
 		 Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue. 2024-05-16 not yet calculated CVE-2024-4603
openssl-security@openssl.org
openssl-security@openssl.org
openssl-security@openssl.org
openssl-security@openssl.org
openssl-security@openssl.org
Puneeth Reddy--Online Shopping System Advanced
 		 Open-source project Online Shopping System Advanced is vulnerable to Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser.  2024-05-14 not yet calculated CVE-2024-3579
cvd@cert.pl
cvd@cert.pl
Rockwell Automation--FactoryTalk Remote Access
 		 An unquoted executable path exists in the Rockwell Automation FactoryTalk® Remote Accessâ„¢ possibly resulting in remote code execution if exploited. While running the FTRA installer package, the executable path is not properly quoted, which could allow a threat actor to enter a malicious executable and run it as a System user. A threat actor needs admin privileges to exploit this vulnerability. 2024-05-16 not yet calculated CVE-2024-3640
PSIRT@rockwellautomation.com
Rockwell Automation--FactoryTalk View SE
 		 A vulnerability exists in the Rockwell Automation FactoryTalk® View SE Datalog function that could allow a threat actor to inject a malicious SQL statement if the SQL database has no authentication in place or if legitimate credentials were stolen. If exploited, the attack could result in information exposure, revealing sensitive information. Additionally, a threat actor could potentially modify and delete the data in a remote database. An attack would only affect the HMI design time, not runtime. 2024-05-16 not yet calculated CVE-2024-4609
PSIRT@rockwellautomation.com
The Document Foundation--LibreOffice
 		 Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted. 2024-05-14 not yet calculated CVE-2024-3044
security@documentfoundation.org
Unknown--Add Custom CSS and JS
 		 The Add Custom CSS and JS WordPress plugin through 1.20 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in as author and above add Stored XSS payloads via a CSRF attack 2024-05-14 not yet calculated CVE-2024-3903
contact@wpscan.com
Unknown--Base64 Encoder/Decoder
 		 The Base64 Encoder/Decoder WordPress plugin through 0.9.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin 2024-05-15 not yet calculated CVE-2024-3822
contact@wpscan.com
Unknown--Base64 Encoder/Decoder
 		 The Base64 Encoder/Decoder WordPress plugin through 0.9.2 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack 2024-05-15 not yet calculated CVE-2024-3823
contact@wpscan.com
Unknown--Base64 Encoder/Decoder
 		 The Base64 Encoder/Decoder WordPress plugin through 0.9.2 does not have CSRF check in place when resetting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack 2024-05-15 not yet calculated CVE-2024-3824
contact@wpscan.com
Unknown--HL Twitter
 		 The HL Twitter WordPress plugin through 2014.1.18 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack 2024-05-15 not yet calculated CVE-2024-3629
contact@wpscan.com
Unknown--HL Twitter
 		 The HL Twitter WordPress plugin through 2014.1.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) 2024-05-15 not yet calculated CVE-2024-3630
contact@wpscan.com
Unknown--HL Twitter
 		 The HL Twitter WordPress plugin through 2014.1.18 does not have CSRF check when unlinking twitter accounts, which could allow attackers to make logged in admins perform such actions via a CSRF attack 2024-05-15 not yet calculated CVE-2024-3631
contact@wpscan.com
Unknown--LetterPress 
 		 The LetterPress WordPress plugin through 1.2.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, such as delete arbitrary subscribers 2024-05-14 not yet calculated CVE-2024-3590
contact@wpscan.com
Unknown--Newsletter Popup
 		 The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins 2024-05-16 not yet calculated CVE-2024-3641
contact@wpscan.com
Unknown--Newsletter Popup
 		 The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack 2024-05-16 not yet calculated CVE-2024-3642
contact@wpscan.com
Unknown--Newsletter Popup
 		 The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting list, which could allow attackers to make logged in admins perform such action via a CSRF attack 2024-05-16 not yet calculated CVE-2024-3643
contact@wpscan.com
Unknown--Newsletter Popup
 		 The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) 2024-05-16 not yet calculated CVE-2024-3644
contact@wpscan.com
Unknown--NextGEN Gallery 
 		 The NextGEN Gallery WordPress plugin before 3.59.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed 2024-05-17 not yet calculated CVE-2024-2744
contact@wpscan.com
Unknown--Popup4Phone
 		 The Popup4Phone WordPress plugin through 1.3.2 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins. 2024-05-17 not yet calculated CVE-2024-3231
contact@wpscan.com
Unknown--Popup4Phone
 		 The Popup4Phone WordPress plugin through 1.3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) 2024-05-17 not yet calculated CVE-2024-3580
contact@wpscan.com
Unknown--Post Grid Gutenberg Blocks and WordPress Blog Plugin 
 		 The Post Grid Gutenberg Blocks and WordPress Blog Plugin WordPress plugin before 4.0.2 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks 2024-05-14 not yet calculated CVE-2024-3239
contact@wpscan.com
Unknown--SP Project & Document Manager
 		 The SP Project & Document Manager WordPress plugin through 4.71 is missing validation in its upload function, allowing a user to manipulate the `user_id` to make it appear that a file was uploaded by another user 2024-05-15 not yet calculated CVE-2024-3748
contact@wpscan.com
Unknown--SP Project & Document Manager
 		 The SP Project & Document Manager WordPress plugin through 4.71 lacks proper access controllers and allows a logged in user to view and download files belonging to another user 2024-05-15 not yet calculated CVE-2024-3749
contact@wpscan.com
Unknown--Save as PDF Plugin by Pdfcrowd
 		 The Save as PDF Plugin by Pdfcrowd WordPress plugin before 3.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) 2024-05-14 not yet calculated CVE-2023-5971
contact@wpscan.com
Unknown--Ultimate Blocks 
 		 The Ultimate Blocks WordPress plugin before 3.1.7 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks 2024-05-14 not yet calculated CVE-2024-3241
contact@wpscan.com
Unknown--UnGallery
 		 The UnGallery WordPress plugin through 2.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack 2024-05-14 not yet calculated CVE-2024-3582
contact@wpscan.com
Unknown--VikBooking Hotel Booking Engine & PMS
 		 The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8 allows direct access to menus, allowing an authenticated user with subscriber privileges or above, to bypass authorization and access settings of the VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8's they shouldn't be allowed to. 2024-05-14 not yet calculated CVE-2024-2441
contact@wpscan.com
Unknown--VikBooking Hotel Booking Engine & PMS
 		 The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8's access control mechanism fails to properly restrict access to its settings, permitting any users that can access a menu to manipulate requests and perform unauthorized actions such as editing, renaming or deleting (categories for example) despite initial settings prohibiting such access. This vulnerability resembles broken access control, enabling unauthorized users to modify critical VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8 configurations. 2024-05-14 not yet calculated CVE-2024-2749
contact@wpscan.com
Unknown--WP Prayer
 		 The WP Prayer WordPress plugin through 2.0.9 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack 2024-05-15 not yet calculated CVE-2024-3405
contact@wpscan.com
Unknown--WP Prayer
 		 The WP Prayer WordPress plugin through 2.0.9 does not have CSRF check in place when updating its email settings, which could allow attackers to make a logged in admin change them via a CSRF attack 2024-05-15 not yet calculated CVE-2024-3406
contact@wpscan.com
Unknown--WP Prayer
 		 The WP Prayer WordPress plugin through 2.0.9 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks 2024-05-15 not yet calculated CVE-2024-3407
contact@wpscan.com
Unknown--WP Shortcodes Plugin Shortcodes Ultimate
 		 The WP Shortcodes Plugin - Shortcodes Ultimate WordPress plugin before 7.1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin 2024-05-15 not yet calculated CVE-2024-3548
contact@wpscan.com
Unknown--month name translation benaceur
 		 The month name translation benaceur WordPress plugin before 2.3.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) 2024-05-15 not yet calculated CVE-2024-3634
contact@wpscan.com
Unknown--reCAPTCHA Jetpack
 		 The reCAPTCHA Jetpack WordPress plugin through 0.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack 2024-05-14 not yet calculated CVE-2024-3940
contact@wpscan.com
Unknown--reCAPTCHA Jetpack
 		 The reCAPTCHA Jetpack WordPress plugin through 0.2.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack. 2024-05-14 not yet calculated CVE-2024-3941
contact@wpscan.com
Unknown--socialdriver-framework
 		 The socialdriver-framework WordPress plugin before 2024.0.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. 2024-05-17 not yet calculated CVE-2024-2697
contact@wpscan.com
Veeam--Service Provider Console
 		 Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine. 2024-05-14 not yet calculated CVE-2024-29212
support@hackerone.com
Xen--Xen
 		 Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further involves a certain amount of translation of the values. Unfortunately internal sanity checking of these translated values assumes high halves of registers to always be clear when invoking a hypercall. When this is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash. 2024-05-16 not yet calculated CVE-2023-46842
security@xen.org
Xen--Xen
 		 Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html 2024-05-16 not yet calculated CVE-2024-31142
security@xen.org
Xpdf--Xpdf
 		 Out-of-bounds array write in Xpdf 4.05 and earlier, due to missing object type check in AcroForm field reference. 2024-05-15 not yet calculated CVE-2024-4976
xpdf@xpdfreader.com
alpitronic--Hypercharger EV Charger
 		 If misconfigured, alpitronic Hypercharger EV charging devices can expose a web interface protected by authentication. If the default credentials are not changed, an attacker can use public knowledge to access the device as an administrator. 2024-05-15 not yet calculated CVE-2024-4622
ics-cert@hq.dhs.gov
berriai--berriai/litellm
 		 A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the `eval` function unsafely in the `litellm.get_secret()` method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the `eval` function without any sanitization. Attackers can exploit this vulnerability by injecting malicious values into environment variables through the `/config/update` endpoint, which allows for the update of settings in `proxy_server_config.yaml`. 2024-05-18 not yet calculated CVE-2024-4264
security@huntr.dev
gaizhenbiao--gaizhenbiao/chuanhuchatgpt
 		 A Local File Inclusion (LFI) vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically within the functionality for uploading chat history. The vulnerability arises due to improper input validation when handling file paths during the chat history upload process. An attacker can exploit this vulnerability by intercepting requests and manipulating the 'name' parameter to specify arbitrary file paths. This allows the attacker to read sensitive files on the server, leading to information leakage, including API keys and private information. The issue affects version 20240310 of the application. 2024-05-16 not yet calculated CVE-2024-4321
security@huntr.dev
imartinez--imartinez/privategpt
 		 imartinez/privategpt version 0.2.0 is vulnerable to a local file inclusion vulnerability that allows attackers to read arbitrary files from the filesystem. By manipulating file upload functionality to ingest arbitrary local files, attackers can exploit the 'Search in Docs' feature or query the AI to retrieve or disclose the contents of any file on the system. This vulnerability could lead to various impacts, including but not limited to remote code execution by obtaining private SSH keys, unauthorized access to private files, source code disclosure facilitating further attacks, and exposure of configuration files. 2024-05-16 not yet calculated CVE-2024-3403
security@huntr.dev
imartinez--imartinez/privategpt
 		 A stored Cross-Site Scripting (XSS) vulnerability exists in the 'imartinez/privategpt' repository due to improper validation of file uploads. Attackers can exploit this vulnerability by uploading malicious HTML files, such as those containing JavaScript payloads, which are then executed in the context of the victim's session when accessed. This could lead to the execution of arbitrary JavaScript code in the context of the user's browser session, potentially resulting in phishing attacks or other malicious actions. The vulnerability affects the latest version of the repository. 2024-05-16 not yet calculated CVE-2024-3851
security@huntr.dev
mlflow--mlflow/mlflow
 		 A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal. 2024-05-16 not yet calculated CVE-2024-3848
security@huntr.dev
security@huntr.dev
mlflow--mlflow/mlflow
 		 A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT permissions, allowing them to perform unauthorized deletions of artifacts. The vulnerability specifically affects the handling of artifact deletions within the application, as demonstrated by the ability of a low privilege user to delete a directory inside an artifact using a DELETE request, despite the official documentation stating that users with EDIT permission can only read and update artifacts, not delete them. 2024-05-16 not yet calculated CVE-2024-4263
security@huntr.dev
security@huntr.dev
n/a--n/a
 		 Extreme Networks EXOS before v.22.7 and before v.30.2 was discovered to contain an issue in its Web GUI which fails to restrict URL access, allowing attackers to access sensitive information or escalate privileges. 2024-05-14 not yet calculated CVE-2020-18305
cve@mitre.org
n/a--n/a
 		 The T-Soft E-Commerce 4 web application is susceptible to SQL injection (SQLi) attacks when authenticated as an admin or privileged user. This vulnerability allows attackers to access and manipulate the database through crafted requests. By exploiting this flaw, attackers can bypass authentication mechanisms, view sensitive information stored in the database, and potentially exfiltrate data. 2024-05-14 not yet calculated CVE-2022-28132
cve@mitre.org
n/a--n/a
 		 An issue was discovered on certain Nuki Home Solutions devices. There is a buffer overflow over the encrypted token parsing logic in the HTTP service that allows remote code execution. This affects Nuki Bridge v1 before 1.22.0 and v2 before 2.13.2. 2024-05-14 not yet calculated CVE-2022-32502
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered on certain Nuki Home Solutions devices. An attacker with physical access to this JTAG port may be able to connect to the device and bypass both hardware and software security protections. This affects Nuki Keypad before 1.9.2 and Nuki Fob before 1.8.1. 2024-05-14 not yet calculated CVE-2022-32503
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered on certain Nuki Home Solutions devices. The code used to parse the JSON objects received from the WebSocket service provided by the device leads to a stack buffer overflow. An attacker would be able to exploit this to gain arbitrary code execution on a KeyTurner device. This affects Nuki Smart Lock 3.0 before 3.3.5 and 2.0 before 2.12.4, as well as Nuki Bridge v1 before 1.22.0 and v2 before 2.13.2. 2024-05-14 not yet calculated CVE-2022-32504
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered on certain Nuki Home Solutions devices. It is possible to send multiple BLE malformed packets to block some of the functionality and reboot the device. This affects Nuki Smart Lock 3.0 before 3.3.5 and Nuki Smart Lock 2.0 before 2.12.4. 2024-05-14 not yet calculated CVE-2022-32505
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered on certain Nuki Home Solutions devices. An attacker with physical access to the circuit board could use the SWD debug features to control the execution of code on the processor and debug the firmware, as well as read or alter the content of the internal and external flash memory. This affects Nuki Smart Lock 3.0 before 3.3.5, Nuki Smart Lock 2.0 before 2.12.4, as well as Nuki Bridge v1 before 1.22.0 and v2 before 2.13.2. 2024-05-14 not yet calculated CVE-2022-32506
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered on certain Nuki Home Solutions devices. Some BLE commands, which should have been designed to be only called from privileged accounts, could also be called from unprivileged accounts. This demonstrates that no access controls were implemented for the different BLE commands across the different accounts. This affects Nuki Smart Lock 3.0 before 3.3.5 and Nuki Smart Lock 2.0 before 2.12.4. 2024-05-14 not yet calculated CVE-2022-32507
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered on certain Nuki Home Solutions devices. By sending a malformed HTTP verb, it is possible to force a reboot of the device. This affects Nuki Bridge v1 before 1.22.0 and v2 before 2.13.2. 2024-05-14 not yet calculated CVE-2022-32508
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered on certain Nuki Home Solutions devices. Lack of certificate validation on HTTP communications allows attackers to intercept and tamper data. This affects Nuki Smart Lock 3.0 before 3.3.5, Nuki Bridge v1 before 1.22.0 and Nuki Bridge v2 before 2.13.2. 2024-05-14 not yet calculated CVE-2022-32509
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered on certain Nuki Home Solutions devices. The HTTP API exposed by a Bridge used an unencrypted channel to provide an administrative interface. A token can be easily eavesdropped by a malicious actor to impersonate a legitimate user and gain access to the full set of API endpoints. This affects Nuki Bridge v1 before 1.22.0 and v2 before 2.13.2. 2024-05-14 not yet calculated CVE-2022-32510
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 Cross Site Scripting vulnerability in SourceCodester Simple Customer Relationship Management System v1.0 allows attacker to execute arbitary code via the company or query parameter(s). 2024-05-14 not yet calculated CVE-2023-24203
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 SQL injection vulnerability in SourceCodester Simple Customer Relationship Management System v1.0 allows attacker to execute arbitrary code via the name parameter in get-quote.php. 2024-05-14 not yet calculated CVE-2023-24204
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 Sangoma FreePBX 1805 through 2203 on Linux contains hardcoded credentials for the Asterisk REST Interface (ARI), which allows remote attackers to reconfigure Asterisk and make external and internal calls via HTTP and WebSocket requests sent to the API. 2024-05-14 not yet calculated CVE-2023-26566
cve@mitre.org
n/a--n/a
 		 phpok 6.4.003 is vulnerable to SQL injection in the function index_f() in phpok64/framework/api/call_control.php. 2024-05-14 not yet calculated CVE-2023-29881
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 Stakater Forecastle 1.0.139 and before allows %5C../ directory traversal in the website component. 2024-05-15 not yet calculated CVE-2023-40297
cve@mitre.org
n/a--n/a
 		 extcap/nrf_sniffer_ble.py, extcap/nrf_sniffer_ble.sh, extcap/SnifferAPI/*.py in Nordic Semiconductor nRF Sniffer for Bluetooth LE 3.0.0, 3.1.0, 4.0.0, 4.1.0, and 4.1.1 have set incorrect file permission, which allows attackers to do code execution via modified bash and python scripts. 2024-05-14 not yet calculated CVE-2023-46870
cve@mitre.org
n/a--n/a
 		 Shrubbery tac_plus 2.x, 3.x. and 4.x through F4.0.4.28 allows unauthenticated Remote Command Execution. The product allows users to configure authorization checks as shell commands through the tac_plus.cfg configuration file. These are executed when a client sends an authorization request with a username that has pre-authorization directives configured. However, it is possible to inject additional commands into these checks because strings from TACACS+ packets are used as command-line arguments. If the installation lacks a a pre-shared secret (there is no pre-shared secret by default), then the injection can be triggered without authentication. (The attacker needs to know a username configured to use a pre-authorization command.) NOTE: this is related to CVE-2023-45239 but the issue is in the original Shrubbery product, not Meta's fork. 2024-05-16 not yet calculated CVE-2023-48643
cve@mitre.org
n/a--n/a
 		 The IEEE 802.11 standard sometimes enables an adversary to trick a victim into connecting to an unintended or untrusted network with Home WEP, Home WPA3 SAE-loop. Enterprise 802.1X/EAP, Mesh AMPE, or FILS, aka an "SSID Confusion" issue. This occurs because the SSID is not always used to derive the pairwise master key or session keys, and because there is not a protected exchange of an SSID during a 4-way handshake. 2024-05-17 not yet calculated CVE-2023-52424
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue in Panoramic Corporation Digital Imaging Software v.9.1.2.7600 allows a local attacker to escalate privileges via the ccsservice.exe component. 2024-05-14 not yet calculated CVE-2024-22774
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 Cross Site Scripting (XSS) vulnerability in CrushFTP v.10.6.0 and v.10.5.5 allows an attacker to execute arbitrary code via a crafted payload. 2024-05-14 not yet calculated CVE-2024-22910
cve@mitre.org
n/a--n/a
 		 Gnuboard g6 / https://github.com/gnuboard/g6 commit c2cc1f5069e00491ea48618d957332d90f6d40e4 is vulnerable to Cross Site Scripting (XSS) via board.py. 2024-05-14 not yet calculated CVE-2024-24157
cve@mitre.org
n/a--n/a
 		 A memory corruption vulnerability in StorageSecurityCommandDxe in Insyde InsydeH2O before kernel 5.2: IB19130163 in 05.29.07, kernel 5.3: IB19130163 in 05.38.07, kernel 5.4: IB19130163 in 05.46.07, kernel 5.5: IB19130163 in 05.54.07, and kernel 5.6: IB19130163 in 05.61.07 could lead to escalating privileges in SMM. 2024-05-15 not yet calculated CVE-2024-25078
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 A memory corruption vulnerability in HddPassword in Insyde InsydeH2O kernel 5.2 before 05.29.09, kernel 5.3 before 05.38.09, kernel 5.4 before 05.46.09, kernel 5.5 before 05.54.09, and kernel 5.6 before 05.61.09 could lead to escalating privileges in SMM. 2024-05-15 not yet calculated CVE-2024-25079
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 Oxygen XML Web Author v26.0.0 and older and Oxygen Content Fusion v6.1 and older are vulnerable to Cross-Site Scripting (XSS) for malicious URLs. 2024-05-14 not yet calculated CVE-2024-25662
cve@mitre.org
n/a--n/a
 		 In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES. 2024-05-17 not yet calculated CVE-2024-25742
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES. 2024-05-15 not yet calculated CVE-2024-25743
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario. 2024-05-14 not yet calculated CVE-2024-26306
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 Cross Site Scripting vulnerability in Evertz microsystems MViP-II Firmware 8.6.5, XPS-EDGE-* Build 1467, evEDGE-EO-* Build 0029, MMA10G-* Build 0498, 570IPG-X19-10G Build 0691 allows a remote attacker to execute arbitrary code via a crafted payload to the login parameters. 2024-05-14 not yet calculated CVE-2024-26367
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 SQL Injection vulnerability in School Task Manager v.1.0 allows a remote attacker to obtain sensitive information via a crafted payload to the delete-task.php component. 2024-05-14 not yet calculated CVE-2024-26517
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2. 2024-05-14 not yet calculated CVE-2024-27280
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1. 2024-05-14 not yet calculated CVE-2024-27281
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1. 2024-05-14 not yet calculated CVE-2024-27282
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 A memory corruption vulnerability in SdHost and SdMmcDevice in Insyde InsydeH2O kernel 5.2 before 05.29.09, kernel 5.3 before 05.38.09, kernel 5.4 before 05.46.09, kernel 5.5 before 05.54.09, and kernel 5.6 before 05.61.09 could lead to escalating privileges in SMM. 2024-05-15 not yet calculated CVE-2024-27353
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 A stored cross-site scripting (XSS) vulnerability in the Filter function of Eramba Version 3.22.3 Community Edition allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the filter name field. This vulnerability has been fixed in version 3.23.0. 2024-05-15 not yet calculated CVE-2024-27593
cve@mitre.org
n/a--n/a
 		 Kiteworks Totemomail through 7.0.0 allows /responsiveUI/EnvelopeOpenServlet envelopeRecipient reflected XSS. 2024-05-18 not yet calculated CVE-2024-28063
cve@mitre.org
n/a--n/a
 		 Kiteworks Totemomail 7.x and 8.x before 8.3.0 allows /responsiveUI/EnvelopeOpenServlet messageId directory traversal for unauthenticated file read and delete operations (with displayLoginChunkedImages) and write operations (with storeLoginChunkedImages). 2024-05-18 not yet calculated CVE-2024-28064
cve@mitre.org
n/a--n/a
 		 In Bonitasoft runtime Community edition, the lack of dynamic permissions causes IDOR vulnerability. Dynamic permissions existed only in Subscription edition and have now been restored in Community edition, where they are not custmizable. 2024-05-15 not yet calculated CVE-2024-28087
cve@mitre.org
n/a--n/a
 		 Sourcecodester School Task Manager 1.0 is vulnerable to Cross Site Scripting (XSS) via add-task.php?task_name=. 2024-05-14 not yet calculated CVE-2024-28276
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 In Sourcecodester School Task Manager v1.0, a vulnerability was identified within the subject_name= parameter, enabling Stored Cross-Site Scripting (XSS) attacks. This vulnerability allows attackers to manipulate the subject's name, potentially leading to the execution of malicious JavaScript payloads. 2024-05-14 not yet calculated CVE-2024-28277
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 Code-projects Computer Book Store 1.0 is vulnerable to SQL Injection via book.php?bookisbn=. 2024-05-14 not yet calculated CVE-2024-28279
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 A Fault Injection vulnerability in the SymmetricDecrypt function in cryptopp/elgamal.h of Cryptopp Crypto++ 8.9, allows an attacker to co-reside in the same system with a victim process to disclose information and escalate privileges. 2024-05-14 not yet calculated CVE-2024-28285
cve@mitre.org
n/a--n/a
 		 HDF5 through 1.14.3 contains a heap buffer overflow in H5HG_read, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. 2024-05-14 not yet calculated CVE-2024-29157
cve@mitre.org
n/a--n/a
 		 HDF5 through 1.14.3 contains a stack buffer overflow in H5FL_arr_malloc, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. 2024-05-14 not yet calculated CVE-2024-29158
cve@mitre.org
n/a--n/a
 		 HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_scaleoffset, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. 2024-05-14 not yet calculated CVE-2024-29159
cve@mitre.org
n/a--n/a
 		 HDF5 through 1.14.3 contains a heap buffer overflow in H5HG__cache_heap_deserialize, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. 2024-05-14 not yet calculated CVE-2024-29160
cve@mitre.org
n/a--n/a
 		 HDF5 through 1.14.3 contains a heap buffer overflow in H5A__attr_release_table, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. 2024-05-14 not yet calculated CVE-2024-29161
cve@mitre.org
n/a--n/a
 		 HDF5 through 1.13.3 and/or 1.14.2 contains a stack buffer overflow in H5HG_read, resulting in denial of service or potential code execution. 2024-05-14 not yet calculated CVE-2024-29162
cve@mitre.org
n/a--n/a
 		 HDF5 through 1.14.3 contains a heap buffer overflow in H5T__bit_find, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. 2024-05-14 not yet calculated CVE-2024-29163
cve@mitre.org
n/a--n/a
 		 HDF5 through 1.14.3 contains a stack buffer overflow in H5R__decode_heap, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. 2024-05-14 not yet calculated CVE-2024-29164
cve@mitre.org
n/a--n/a
 		 HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_fletcher32, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. 2024-05-14 not yet calculated CVE-2024-29165
cve@mitre.org
n/a--n/a
 		 HDF5 through 1.14.3 contains a buffer overflow in H5O__linfo_decode, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. 2024-05-14 not yet calculated CVE-2024-29166
cve@mitre.org
n/a--n/a
 		 An issue in briscKernelDriver.sys in BlueRiSC WindowsSCOPE Cyber Forensics before 3.3 allows a local attacker to execute arbitrary code within the driver and create a local denial-of-service condition due to an improper DACL being applied to the device the driver creates. 2024-05-14 not yet calculated CVE-2024-29513
cve@mitre.org
n/a--n/a
 		 An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters. 2024-05-14 not yet calculated CVE-2024-29857
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing. 2024-05-14 not yet calculated CVE-2024-30171
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key. 2024-05-14 not yet calculated CVE-2024-30172
cve@mitre.org
n/a--n/a
 		 SQL Injection vulnerability in Cloud based customer service management platform v.1.0.0 allows a local attacker to execute arbitrary code via a crafted payload to Login.asp component. 2024-05-14 not yet calculated CVE-2024-30801
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue in Vehicle Management System 7.31.0.3_20230412 allows an attacker to escalate privileges via the login.html component. 2024-05-14 not yet calculated CVE-2024-30802
cve@mitre.org
n/a--n/a
 		 An issue in Reportico Web before v.8.1.0 allows a local attacker to execute arbitrary code and obtain sensitive information via the sessionid function. 2024-05-14 not yet calculated CVE-2024-31556
cve@mitre.org
n/a--n/a
 		 Insecure Permission vulnerability in TotalAV v.6.0.740 allows a local attacker to escalate privileges via a crafted file 2024-05-14 not yet calculated CVE-2024-31771
cve@mitre.org
n/a--n/a
 		 Buffer Overflow vulnerability in emp-ot v.0.2.4 allows a remote attacker to execute arbitrary code via the FerretCOT<T>::read_pre_data128_from_file function. 2024-05-14 not yet calculated CVE-2024-31803
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a hardcoded password for root at /etc/shadow.sample. 2024-05-14 not yet calculated CVE-2024-31810
cve@mitre.org
n/a--n/a
 		 The com.solarized.firedown (aka Solarized FireDown Browser & Downloader) application 1.0.76 for Android allows a remote attacker to execute arbitrary JavaScript code via a crafted intent. com.solarized.firedown.IntentActivity uses a WebView component to display web content and doesn't adequately sanitize the URI or any extra data passed in the intent by any installed application (with no permissions). 2024-05-17 not yet calculated CVE-2024-31974
cve@mitre.org
n/a--n/a
 		 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the "mtu" parameters in the "cstecgi.cgi" binary. 2024-05-14 not yet calculated CVE-2024-32349
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the "ipsecPsk" parameter in the "cstecgi.cgi" binary. 2024-05-14 not yet calculated CVE-2024-32350
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the "mru" parameter in the "cstecgi.cgi" binary. 2024-05-14 not yet calculated CVE-2024-32351
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the "ipsecL2tpEnable" parameter in the "cstecgi.cgi" binary. 2024-05-14 not yet calculated CVE-2024-32352
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'port' parameter in the setSSServer function at /cgi-bin/cstecgi.cgi. 2024-05-14 not yet calculated CVE-2024-32353
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'timeout' parameter in the setSSServer function at /cgi-bin/cstecgi.cgi. 2024-05-14 not yet calculated CVE-2024-32354
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'password' parameter in the setSSServer function. 2024-05-14 not yet calculated CVE-2024-32355
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 has a heap-based buffer over-read in H5VM_memcpyvv in H5VM.c (called from H5D__compact_readvv in H5Dcompact.c). 2024-05-14 not yet calculated CVE-2024-32605
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 may attempt to dereference uninitialized values in h5tools_str_sprint in tools/lib/h5tools_str.c (called from h5tools_dump_simple_data in tools/lib/h5tools_dump.c). 2024-05-14 not yet calculated CVE-2024-32606
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 has a SEGV in H5A__close in H5Aint.c, resulting in the corruption of the instruction pointer. 2024-05-14 not yet calculated CVE-2024-32607
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 allows stack consumption in the function H5E_printf_stack in H5Eint.c. 2024-05-14 not yet calculated CVE-2024-32609
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 has a SEGV in H5T_close_real in H5T.c, resulting in a corrupted instruction pointer. 2024-05-14 not yet calculated CVE-2024-32610
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 may use an uninitialized value in H5A__attr_release_table in H5Aint.c. 2024-05-14 not yet calculated CVE-2024-32611
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5HL__fl_deserialize in H5HLcache.c, resulting in the corruption of the instruction pointer, a different vulnerability than CVE-2024-32613. 2024-05-14 not yet calculated CVE-2024-32612
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 contains a heap-based buffer over-read in the function H5HL__fl_deserialize in H5HLcache.c, a different vulnerability than CVE-2024-32612. 2024-05-14 not yet calculated CVE-2024-32613
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 has a SEGV in H5VM_memcpyvv in H5VM.c. 2024-05-14 not yet calculated CVE-2024-32614
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5Z__nbit_decompress_one_byte in H5Znbit.c, caused by the earlier use of an initialized pointer. 2024-05-14 not yet calculated CVE-2024-32615
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5O__dtype_encode_helper in H5Odtype.c. 2024-05-14 not yet calculated CVE-2024-32616
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 contains a heap-based buffer over-read caused by the unsafe use of strdup in H5MM_xstrdup in H5MM.c (called from H5G__ent_to_link in H5Glink.c). 2024-05-14 not yet calculated CVE-2024-32617
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T__get_native_type in H5Tnative.c, resulting in the corruption of the instruction pointer. 2024-05-14 not yet calculated CVE-2024-32618
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T_copy_reopen in H5T.c, resulting in the corruption of the instruction pointer. 2024-05-14 not yet calculated CVE-2024-32619
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5F_addr_decode_len in H5Fint.c, resulting in the corruption of the instruction pointer. 2024-05-14 not yet calculated CVE-2024-32620
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5HG_read in H5HG.c (called from H5VL__native_blob_get in H5VLnative_blob.c), resulting in the corruption of the instruction pointer. 2024-05-14 not yet calculated CVE-2024-32621
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 contains a out-of-bounds read operation in H5FL_arr_malloc in H5FL.c (called from H5S_set_extent_simple in H5S.c). 2024-05-14 not yet calculated CVE-2024-32622
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5VM_array_fill in H5VM.c (called from H5S_select_elements in H5Spoint.c). 2024-05-14 not yet calculated CVE-2024-32623
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T__ref_mem_setnull in H5Tref.c (called from H5T__conv_ref in H5Tconv.c), resulting in the corruption of the instruction pointer. 2024-05-14 not yet calculated CVE-2024-32624
cve@mitre.org
n/a--n/a
 		 An issue in Open-Source Technology Committee SRS real-time video server RS/4.0.268(Leo) and SRS/4.0.195(Leo) allows a remote attacker to execute arbitrary code via a crafted request. 2024-05-14 not yet calculated CVE-2024-33250
cve@mitre.org
n/a--n/a
 		 QuickJS commit 3b45d15 was discovered to contain an Assertion Failure via JS_FreeRuntime(JSRuntime *) at quickjs.c. 2024-05-14 not yet calculated CVE-2024-33263
cve@mitre.org
n/a--n/a
 		 Cross Site Scripting vulnerability in TOTOLINK X2000R before v1.0.0-B20231213.1013 allows a remote attacker to execute arbitrary code via the Guest Access Control parameter in the Wireless Page. 2024-05-14 not yet calculated CVE-2024-33433
cve@mitre.org
n/a--n/a
 		 Buffer Overflow vulnerability in esp-idf v.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the Bluetooth stack component. 2024-05-14 not yet calculated CVE-2024-33454
cve@mitre.org
n/a--n/a
 		 SQL Injection vulnerability in CASAP Automated Enrollment System using PHP/MySQLi with Source Code V1.0 allows a remote attacker to obtain sensitive information via a crafted payload to the login.php component 2024-05-14 not yet calculated CVE-2024-33485
cve@mitre.org
n/a--n/a
 		 A buffer overflow vulnerability in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 via goform/formWPS, allows remote authenticated users to trigger a denial of service (DoS) through the parameter "webpage." 2024-05-14 not yet calculated CVE-2024-33771
cve@mitre.org
n/a--n/a
 		 A buffer overflow vulnerability in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 via formTcpipSetup allows remote authenticated users to trigger a denial of service (DoS) through the parameter "curTime." 2024-05-14 not yet calculated CVE-2024-33772
cve@mitre.org
n/a--n/a
 		 A buffer overflow vulnerability in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 via formWlanGuestSetup allows remote authenticated users to trigger a denial of service (DoS) through the parameter "webpage." 2024-05-14 not yet calculated CVE-2024-33773
cve@mitre.org
n/a--n/a
 		 A buffer overflow vulnerability in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 via formWlanSetup_Wizard allows remote authenticated users to trigger a denial of service (DoS) through the parameter "webpage." 2024-05-14 not yet calculated CVE-2024-33774
cve@mitre.org
n/a--n/a
 		 Globitel KSA SpeechLog v8.1 was discovered to contain an Insecure Direct Object Reference (IDOR) via the userID parameter. 2024-05-14 not yet calculated CVE-2024-33818
cve@mitre.org
n/a--n/a
 		 Globitel KSA SpeechLog v8.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Save Query function. 2024-05-14 not yet calculated CVE-2024-33819
cve@mitre.org
n/a--n/a
 		 An issue was discovered in linqi before 1.4.0.1 on Windows. There is /api/Cdn/GetFile local file inclusion. 2024-05-14 not yet calculated CVE-2024-33863
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered in linqi before 1.4.0.1 on Windows. There is SSRF via Document template generation; i.e., via remote images in process creation, file inclusion, and PDF document generation via malicious JavaScript. 2024-05-14 not yet calculated CVE-2024-33864
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered in linqi before 1.4.0.1 on Windows. There is an NTLM hash leak via the /api/Cdn/GetFile and /api/DocumentTemplate/{GUID] endpoints. 2024-05-14 not yet calculated CVE-2024-33865
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered in linqi before 1.4.0.1 on Windows. There is /api/DocumentTemplate/{GUID] XSS. 2024-05-14 not yet calculated CVE-2024-33866
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered in linqi before 1.4.0.1 on Windows. There is a hardcoded password salt. 2024-05-14 not yet calculated CVE-2024-33867
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 An issue was discovered in linqi before 1.4.0.1 on Windows. There is LDAP injection. 2024-05-14 not yet calculated CVE-2024-33868
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5D__scatter_mem in H5Dscatgath.c. 2024-05-14 not yet calculated CVE-2024-33873
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 has a heap buffer overflow in H5O__mtime_new_encode in H5Omtime.c. 2024-05-14 not yet calculated CVE-2024-33874
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5O__layout_encode in H5Olayout.c, resulting in the corruption of the instruction pointer. 2024-05-14 not yet calculated CVE-2024-33875
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 has a heap buffer overflow in H5S__point_deserialize in H5Spoint.c. 2024-05-14 not yet calculated CVE-2024-33876
cve@mitre.org
n/a--n/a
 		 HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5T__conv_struct_opt in H5Tconv.c. 2024-05-14 not yet calculated CVE-2024-33877
cve@mitre.org
n/a--n/a
 		 The WebTop package for NethServer 7 and 8 allows stored XSS (for example, via the Subject field if an e-mail message). 2024-05-17 not yet calculated CVE-2024-34058
cve@mitre.org
n/a--n/a
 		 htmly v2.9.6 was discovered to contain an arbitrary file deletion vulnerability via the delete_post() function at admin.php. This vulnerability allows attackers to delete arbitrary files via a crafted request. 2024-05-14 not yet calculated CVE-2024-34191
cve@mitre.org
n/a--n/a
 		 Totolink AC1200 Wireless Dual Band Gigabit Router A3002RU_V3 Firmware V3.0.0-B20230809.1615 is vulnerable to Buffer Overflow. The "boa" program allows attackers to modify the value of the "vwlan_idx" field via "formMultiAP". This can lead to a stack overflow through the "formWlEncrypt" CGI function by constructing malicious HTTP requests and passing a WLAN SSID value exceeding the expected length, potentially resulting in command execution or denial of service attacks. 2024-05-14 not yet calculated CVE-2024-34196
cve@mitre.org
n/a--n/a
 		 TinyWeb 1.94 and below allows unauthenticated remote attackers to cause a denial of service (Buffer Overflow) when sending excessively large elements in the request line. 2024-05-14 not yet calculated CVE-2024-34199
cve@mitre.org
n/a--n/a
 		 TOTOLINK CPE CP450 v4.1.0cu.747_B20191224 was discovered to contain a stack buffer overflow vulnerability in the setIpQosRules function. 2024-05-14 not yet calculated CVE-2024-34200
cve@mitre.org
n/a--n/a
 		 TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to contain a stack buffer overflow vulnerability in the getSaveConfig function. 2024-05-14 not yet calculated CVE-2024-34201
cve@mitre.org
n/a--n/a
 		 TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to contain a stack buffer overflow vulnerability in the setMacFilterRules function. 2024-05-14 not yet calculated CVE-2024-34202
cve@mitre.org
n/a--n/a
 		 TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to contain a stack buffer overflow vulnerability in the setLanguageCfg function. 2024-05-14 not yet calculated CVE-2024-34203
cve@mitre.org
n/a--n/a
 		 TOTOLINK outdoor CPE CP450 v4.1.0cu.747_B20191224 was discovered to contain a command injection vulnerability in the setUpgradeFW function via the FileName parameter. 2024-05-14 not yet calculated CVE-2024-34204
cve@mitre.org
n/a--n/a
 		 TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to contain a command injection vulnerability in the download_firmware function. 2024-05-14 not yet calculated CVE-2024-34205
cve@mitre.org
n/a--n/a
 		 TOTOLINK outdoor CPE CP450 v4.1.0cu.747_B20191224 was discovered to contain a command injection vulnerability in the setWebWlanIdx function via the webWlanIdx parameter. 2024-05-14 not yet calculated CVE-2024-34206
cve@mitre.org
n/a--n/a
 		 TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to contain a stack buffer overflow vulnerability in the setStaticDhcpConfig function. 2024-05-14 not yet calculated CVE-2024-34207
cve@mitre.org
n/a--n/a
 		 TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to contain a stack buffer overflow vulnerability in the setIpPortFilterRules function. 2024-05-14 not yet calculated CVE-2024-34209
cve@mitre.org
n/a--n/a
 		 TOTOLINK outdoor CPE CP450 v4.1.0cu.747_B20191224 was discovered to contain a command injection vulnerability in the CloudACMunualUpdate function via the FileName parameter. 2024-05-14 not yet calculated CVE-2024-34210
cve@mitre.org
n/a--n/a
 		 TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to contain a hardcoded password vulnerability in /etc/shadow.sample, which allows attackers to log in as root. 2024-05-14 not yet calculated CVE-2024-34211
cve@mitre.org
n/a--n/a
 		 TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to contain a stack buffer overflow vulnerability in the CloudACMunualUpdate function. 2024-05-14 not yet calculated CVE-2024-34212
cve@mitre.org
n/a--n/a
 		 TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to contain a stack buffer overflow vulnerability in the SetPortForwardRules function. 2024-05-14 not yet calculated CVE-2024-34213
cve@mitre.org
n/a--n/a
 		 TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to contain a stack buffer overflow vulnerability in the setUrlFilterRules function. 2024-05-14 not yet calculated CVE-2024-34215
cve@mitre.org
n/a--n/a
 		 TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to contain a stack buffer overflow vulnerability in the addWlProfileClientMode function. 2024-05-14 not yet calculated CVE-2024-34217
cve@mitre.org
n/a--n/a
 		 TOTOLINK outdoor CPE CP450 v4.1.0cu.747_B20191224 was discovered to contain a command injection vulnerability in the NTPSyncWithHost function via the hostTime parameter. 2024-05-14 not yet calculated CVE-2024-34218
cve@mitre.org
n/a--n/a
 		 TOTOLINK CP450 V4.1.0cu.747_B20191224 was discovered to contain a vulnerability in the SetTelnetCfg function, which allows attackers to log in through telnet. 2024-05-14 not yet calculated CVE-2024-34219
cve@mitre.org
n/a--n/a
 		 Sourcecodester Human Resource Management System 1.0 is vulnerable to SQL Injection via the 'leave' parameter. 2024-05-14 not yet calculated CVE-2024-34220
cve@mitre.org
n/a--n/a
 		 Sourcecodester Human Resource Management System 1.0 is vulnerable to Insecure Permissions resulting in privilege escalation. 2024-05-14 not yet calculated CVE-2024-34221
cve@mitre.org
n/a--n/a
 		 Sourcecodester Human Resource Management System 1.0 is vulnerable to SQL Injection via the searccountry parameter. 2024-05-14 not yet calculated CVE-2024-34222
cve@mitre.org
n/a--n/a
 		 Insecure permission vulnerability in /hrm/leaverequest.php in SourceCodester Human Resource Management System 1.0 allow attackers to approve or reject leave ticket. 2024-05-14 not yet calculated CVE-2024-34223
cve@mitre.org
n/a--n/a
 		 Cross Site Scripting vulnerability in /php-lms/classes/Users.php?f=save in Computer Laboratory Management System using PHP and MySQL 1.0 allow remote attackers to inject arbitrary web script or HTML via the firstname, middlename, lastname parameters. 2024-05-14 not yet calculated CVE-2024-34224
cve@mitre.org
n/a--n/a
 		 Cross Site Scripting vulnerability in php-lms/admin/?page=system_info in Computer Laboratory Management System using PHP and MySQL 1.0 allow remote attackers to inject arbitrary web script or HTML via the name, shortname parameters. 2024-05-14 not yet calculated CVE-2024-34225
cve@mitre.org
n/a--n/a
 		 SQL injection vulnerability in /php-sqlite-vms/?page=manage_visitor&id=1 in SourceCodester Visitor Management System 1.0 allow attackers to execute arbitrary SQL commands via the id parameters. 2024-05-14 not yet calculated CVE-2024-34226
cve@mitre.org
n/a--n/a
 		 A cross-site scripting (XSS) vulnerability in Sourcecodester Laboratory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the System Information parameter. 2024-05-14 not yet calculated CVE-2024-34230
cve@mitre.org
n/a--n/a
 		 A cross-site scripting (XSS) vulnerability in Sourcecodester Laboratory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the System Short Name parameter. 2024-05-14 not yet calculated CVE-2024-34231
cve@mitre.org
n/a--n/a
 		 A cross-site scripting (XSS) vulnerability in Rocketsoft Rocket LMS 1.9 allows an administrator to store a JavaScript payload using the admin web interface when creating new courses and new course notifications. 2024-05-17 not yet calculated CVE-2024-34241
cve@mitre.org
n/a--n/a
 		 Konga v0.14.9 is vulnerable to Cross Site Scripting (XSS) via the username parameter. 2024-05-14 not yet calculated CVE-2024-34243
cve@mitre.org
n/a--n/a
 		 An arbitrary file read vulnerability in DedeCMS v5.7.114 allows authenticated attackers to read arbitrary files by specifying any path in makehtml_js_action.php. 2024-05-14 not yet calculated CVE-2024-34245
cve@mitre.org
n/a--n/a
 		 OFCMS V1.1.2 is vulnerable to SQL Injection via the new table function. 2024-05-14 not yet calculated CVE-2024-34256
cve@mitre.org
n/a--n/a
 		 njwt up to v0.4.0 was discovered to contain a prototype pollution in the Parser.prototype.parse method. 2024-05-16 not yet calculated CVE-2024-34273
cve@mitre.org
n/a--n/a
 		 TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the password parameter in the function urldecode. 2024-05-14 not yet calculated CVE-2024-34308
cve@mitre.org
n/a--n/a
 		 Jin Fang Times Content Management System v3.2.3 was discovered to contain a SQL injection vulnerability via the id parameter. 2024-05-14 not yet calculated CVE-2024-34310
cve@mitre.org
n/a--n/a
 		 A Blind command injection vulnerability in Tenda O3V2 V1.0.0.12 and earlier allows remote attackers to execute operating system commands via dest parameter in /goform/getTraceroute 2024-05-14 not yet calculated CVE-2024-34338
cve@mitre.org
n/a--n/a
 		 An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c. 2024-05-14 not yet calculated CVE-2024-34459
cve@mitre.org
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 Sunhillo SureLine through 8.10.0 on RICI 5000 devices allows cgi/usrPasswd.cgi userid_change XSS within the Forgot Password feature. 2024-05-16 not yet calculated CVE-2024-34582
cve@mitre.org
n/a--n/a
 		 WWBN AVideo 12.4 is vulnerable to Cross Site Scripting (XSS). 2024-05-14 not yet calculated CVE-2024-34899
cve@mitre.org
n/a--n/a
 		 FlyFish v3.0.0 was discovered to contain a buffer overflow via the password parameter on the login page. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2024-05-16 not yet calculated CVE-2024-34905
cve@mitre.org
n/a--n/a
 		 An arbitrary file upload vulnerability in dootask v0.30.13 allows attackers to execute arbitrary code via uploading a crafted PDF file. 2024-05-15 not yet calculated CVE-2024-34906
cve@mitre.org
n/a--n/a
 		 An arbitrary file upload vulnerability in KYKMS v1.0.1 and below allows attackers to execute arbitrary code via uploading a crafted PDF file. 2024-05-15 not yet calculated CVE-2024-34909
cve@mitre.org
n/a--n/a
 		 An arbitrary file upload vulnerability in r-pan-scaffolding v5.0 and below allows attackers to execute arbitrary code via uploading a crafted PDF file. 2024-05-15 not yet calculated CVE-2024-34913
cve@mitre.org
n/a--n/a
 		 php-censor v2.1.4 and fixed in v.2.1.5 was discovered to utilize a weak hashing algorithm for its remember_key value. This allows attackers to bruteforce to bruteforce the remember_key value to gain access to accounts that have checked "remember me" when logging in. 2024-05-14 not yet calculated CVE-2024-34914
cve@mitre.org
n/a--n/a
 		 An arbitrary file upload vulnerability in the component \modstudent\controller.php of Pisay Online E-Learning System using PHP/MySQL v1.0 allows attackers to execute arbitrary code via uploading a crafted file. 2024-05-17 not yet calculated CVE-2024-34919
cve@mitre.org
n/a--n/a
 		 TOTOLINK X5000R v9.1.0cu.2350_B20230313 was discovered to contain a command injection via the disconnectVPN function. 2024-05-14 not yet calculated CVE-2024-34921
cve@mitre.org
n/a--n/a
 		 Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the funcpara1 parameter at ip/goform/exeCommand. 2024-05-14 not yet calculated CVE-2024-34942
cve@mitre.org
n/a--n/a
 		 Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the page parameter at ip/goform/NatStaticSetting. 2024-05-14 not yet calculated CVE-2024-34943
cve@mitre.org
n/a--n/a
 		 Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the list1 parameter at ip/goform/DhcpListClient. 2024-05-14 not yet calculated CVE-2024-34944
cve@mitre.org
n/a--n/a
 		 Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the PPW parameter at ip/goform/WizardHandle. 2024-05-14 not yet calculated CVE-2024-34945
cve@mitre.org
n/a--n/a
 		 Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the page parameter at ip/goform/DhcpListClient. 2024-05-14 not yet calculated CVE-2024-34946
cve@mitre.org
n/a--n/a
 		 D-Link DIR-822+ v1.0.5 was discovered to contain a stack-based buffer overflow vulnerability in the SetNetworkTomographySettings module. 2024-05-14 not yet calculated CVE-2024-34950
cve@mitre.org
n/a--n/a
 		 Code-projects Budget Management 1.0 is vulnerable to Cross Site Scripting (XSS) via the budget parameter. 2024-05-15 not yet calculated CVE-2024-34954
cve@mitre.org
n/a--n/a
 		 Code-projects Budget Management 1.0 is vulnerable to SQL Injection via the delete parameter. 2024-05-15 not yet calculated CVE-2024-34955
cve@mitre.org
n/a--n/a
 		 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component admin/sysImages_deal.php?mudi=infoSet. 2024-05-16 not yet calculated CVE-2024-34957
cve@mitre.org
n/a--n/a
 		 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component admin/banner_deal.php?mudi=add 2024-05-16 not yet calculated CVE-2024-34958
cve@mitre.org
n/a--n/a
 		 DedeCMS V5.7.113 is vulnerable to Cross Site Scripting (XSS) via sys_data_replace.php. 2024-05-17 not yet calculated CVE-2024-34959
cve@mitre.org
n/a--n/a
 		 Tenda AC18 v15.03.05.19 is vulnerable to Buffer Overflow in the formSetPPTPServer function via the endIp parameter. 2024-05-14 not yet calculated CVE-2024-34974
cve@mitre.org
n/a--n/a
 		 An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file. 2024-05-17 not yet calculated CVE-2024-34982
cve@mitre.org
n/a--n/a
 		 joblib v1.4.2 was discovered to contain a deserialization vulnerability via the component joblib.numpy_pickle::NumpyArrayWrapper().read_array(). 2024-05-17 not yet calculated CVE-2024-34997
cve@mitre.org
n/a--n/a
 		 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/share_switch.php?mudi=switch&dataType=&fieldName=state&fieldName2=state&tabName=banner&dataID=6. 2024-05-14 not yet calculated CVE-2024-35009
cve@mitre.org
n/a--n/a
 		 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/banner_deal.php?mudi=del&dataType=&dataTypeCN=%E5%9B%BE%E7%89%87%E5%B9%BF%E5%91%8A&theme=cs&dataID=6. 2024-05-14 not yet calculated CVE-2024-35010
cve@mitre.org
n/a--n/a
 		 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/infoType_deal.php?mudi=rev&nohrefStr=close. 2024-05-14 not yet calculated CVE-2024-35011
cve@mitre.org
n/a--n/a
 		 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/infoType_deal.php?mudi=add&nohrefStr=close. 2024-05-14 not yet calculated CVE-2024-35012
cve@mitre.org
n/a--n/a
 		 idccms V1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via admin/tplSys_deal.php?mudi=area. 2024-05-16 not yet calculated CVE-2024-35039
cve@mitre.org
n/a--n/a
 		 An issue in SurveyKing v1.3.1 allows attackers to execute a session replay attack after a user changes their password. 2024-05-14 not yet calculated CVE-2024-35048
cve@mitre.org
n/a--n/a
 		 SurveyKing v1.3.1 was discovered to keep users' sessions active after logout. Related to an incomplete fix for CVE-2022-25590. 2024-05-14 not yet calculated CVE-2024-35049
cve@mitre.org
n/a--n/a
 		 An issue in SurveyKing v1.3.1 allows attackers to escalate privileges via re-using the session ID of a user that was deleted by an Admin. 2024-05-14 not yet calculated CVE-2024-35050
cve@mitre.org
n/a--n/a
 		 TOTOLINK LR350 V9.3.5u.6698_B20230810 was discovered to contain a stack overflow via the password parameter in the function loginAuth. 2024-05-14 not yet calculated CVE-2024-35099
cve@mitre.org
n/a--n/a
 		 Insecure Permissions vulnerability in VITEC AvediaServer (Model avsrv-m8105) 8.6.2-1 allows a remote attacker to escalate privileges via a crafted script. 2024-05-15 not yet calculated CVE-2024-35102
cve@mitre.org
n/a--n/a
 		 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/homePro_deal.php?mudi=del&dataType=&dataTypeCN. 2024-05-15 not yet calculated CVE-2024-35108
cve@mitre.org
n/a--n/a
 		 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /homePro_deal.php?mudi=add&nohrefStr=close. 2024-05-15 not yet calculated CVE-2024-35109
cve@mitre.org
n/a--n/a
 		 A reflected XSS vulnerability has been found in YzmCMS 7.1. The vulnerability exists in yzmphp/core/class/application.class.php: when logged-in users access a malicious link, their cookies can be captured by an attacker. 2024-05-17 not yet calculated CVE-2024-35110
cve@mitre.org
n/a--n/a
 		 Veritas System Recovery before 23.2_Hotfix has incorrect permissions for the Veritas System Recovery folder, and thus low-privileged users can conduct attacks. 2024-05-14 not yet calculated CVE-2024-35204
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 The WPS Office (aka cn.wps.moffice_eng) application before 17.0.0 for Android fails to properly sanitize file names before processing them through external application interactions, leading to a form of path traversal. This potentially enables any application to dispatch a crafted library file, aiming to overwrite an existing native library utilized by WPS Office. Successful exploitation could result in the execution of arbitrary commands under the guise of WPS Office's application ID. 2024-05-14 not yet calculated CVE-2024-35205
cve@mitre.org
n/a--n/a
 		 In Tor Arti before 1.2.3, STUB circuits incorrectly have a length of 2 (with lite vanguards), aka TROVE-2024-003. 2024-05-17 not yet calculated CVE-2024-35312
cve@mitre.org
n/a--n/a
 		 In Tor Arti before 1.2.3, circuits sometimes incorrectly have a length of 3 (with full vanguards), aka TROVE-2024-004. 2024-05-17 not yet calculated CVE-2024-35313
cve@mitre.org
n/a--n/a
 		 question_image.ts in SurveyJS Form Library before 1.10.4 allows contentMode=youtube XSS via the imageLink property. 2024-05-18 not yet calculated CVE-2024-36043
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values. 2024-05-18 not yet calculated CVE-2024-36048
cve@mitre.org
cve@mitre.org
n/a--n/a
 		 Nix through 2.22.1 mishandles certain usage of hash caches, which makes it easier for attackers to replace current source code with attacker-controlled source code by luring a maintainer into accepting a malicious pull request. 2024-05-18 not yet calculated CVE-2024-36050
cve@mitre.org
cve@mitre.org
parisneo--parisneo/lollms-webui
 		 A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing JavaScript code, which is executed when the file is accessed. This vulnerability is remotely exploitable via Cross-Site Request Forgery (CSRF), allowing attackers to perform actions on behalf of authenticated users and potentially leading to unauthorized access to sensitive information within the Lollms-webui application. 2024-05-14 not yet calculated CVE-2024-2299
security@huntr.dev
parisneo--parisneo/lollms-webui
 		 A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises due to insufficient sanitization of user-supplied input in the configuration settings, specifically within the 'extensions' parameter. Attackers can exploit this by crafting a payload that includes relative path traversal sequences ('../../../'), enabling them to navigate to arbitrary directories. This flaw subsequently allows the server to load and execute a malicious '__init__.py' file, leading to remote code execution. The issue affects the latest version of parisneo/lollms-webui. 2024-05-16 not yet calculated CVE-2024-2358
security@huntr.dev
parisneo--parisneo/lollms-webui
 		 A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the `install_model()` function within `lollms_core/lollms/binding.py`, where the application fails to properly sanitize the `file://` protocol and other inputs, leading to arbitrary read and upload capabilities. Attackers can exploit this vulnerability by manipulating the `path` and `variant_name` parameters to achieve path traversal, allowing for the reading of arbitrary files and uploading files to arbitrary locations on the server. This vulnerability affects the latest version of parisneo/lollms-webui. 2024-05-16 not yet calculated CVE-2024-2361
security@huntr.dev
parisneo--parisneo/lollms-webui
 		 A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability arises due to insufficient path sanitization, allowing an attacker to exploit path traversal to navigate to arbitrary directories. By manipulating the binding_path to point to a controlled directory and uploading a malicious __init__.py file, an attacker can execute arbitrary code on the server. 2024-05-16 not yet calculated CVE-2024-2366
security@huntr.dev
parisneo--parisneo/lollms-webui
 		 A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifically within the 'lollms_xtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The affected function utilizes 'subprocess.Popen' to execute a command constructed with a Python f-string, without adequately sanitizing the 'xtts_base_url' input. This flaw allows attackers to execute arbitrary commands remotely by manipulating the 'xtts_base_url' parameter. The vulnerability affects versions up to and including the latest version before 9.5. Successful exploitation could lead to arbitrary remote code execution (RCE) on the system where the application is deployed. 2024-05-16 not yet calculated CVE-2024-3126
security@huntr.dev
security@huntr.dev
parisneo--parisneo/lollms-webui
 		 A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' parameter in the 'apply_settings' function, allowing an attacker to manipulate the application's configuration by sending specially crafted JSON payloads. This could lead to remote code execution (RCE) by bypassing existing patches designed to mitigate such vulnerabilities. 2024-05-16 not yet calculated CVE-2024-3435
security@huntr.dev
security@huntr.dev
parisneo--parisneo/lollms-webui
 		 A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `/list_personalities` endpoint. By manipulating the `category` parameter, an attacker can traverse the directory structure and list any directory on the system. This issue affects the latest version of the application. The vulnerability is due to improper handling of user-supplied input in the `list_personalities` function, where the `category` parameter can be controlled to specify arbitrary directories for listing. Successful exploitation of this vulnerability could allow an attacker to list all folders in the drive on the system, potentially leading to information disclosure. 2024-05-16 not yet calculated CVE-2024-4322
security@huntr.dev
parisneo--parisneo/lollms-webui
 		 A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the `/apply_settings` and `/execute_code` endpoints. Attackers can bypass protections by setting the host to localhost, enabling code execution, and disabling code validation through the `/apply_settings` endpoint. Subsequently, arbitrary commands can be executed remotely via the `/execute_code` endpoint, exploiting the delay in settings enforcement. This issue was addressed in version 9.5. 2024-05-16 not yet calculated CVE-2024-4326
security@huntr.dev
security@huntr.dev
parisneo--parisneo/lollms
 		 A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed. 2024-05-16 not yet calculated CVE-2024-4078
security@huntr.dev
security@huntr.dev
run-llama--run-llama/llama_index
 		 A command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the RunGpt framework from JinaAI to connect to Language Learning Models (LLMs). The vulnerability arises from the improper use of the eval function, allowing a malicious or compromised LLM hosting provider to execute arbitrary commands on the client's machine. This issue was fixed in version 0.10.13. The exploitation of this vulnerability could lead to a hosting provider gaining full control over client machines. 2024-05-16 not yet calculated CVE-2024-4181
security@huntr.dev
security@huntr.dev
wandb--wandb/wandb
 		 A Server-Side Request Forgery (SSRF) vulnerability exists in the wandb/wandb repository due to improper handling of HTTP 302 redirects. This issue allows team members with access to the 'User settings -> Webhooks' function to exploit this vulnerability to access internal HTTP(s) servers. In severe cases, such as on AWS instances, this could potentially be abused to achieve remote code execution on the victim's machine. The vulnerability is present in the latest version of the repository. 2024-05-16 not yet calculated CVE-2024-4642
security@huntr.dev

Back to top

CISA Adds Two Known Exploited Vulnerabilities to Catalog

✇US-CERT Current Activity
CISA

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2024-4947 Google Chromium V8 Type Confusion Vulnerability
  • CVE-2023-43208 NextGen Healthcare Mirth Connect Deserialization of Untrusted Data Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Siemens Solid Edge

✇US-CERT Current Activity
CISA

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 7.8
  • ATTENTION: Low Attack Complexity
  • Vendor: Siemens
  • Equipment: Solid Edge
  • Vulnerabilities: Heap-based Buffer Overflow, Out-of-bounds Read, Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

  • Solid Edge: All versions prior to V224.0 Update 5 (CVE-2024-33489, CVE-2024-33490, CVE-2024-33491, CVE-2024-33492, CVE-2024-33493)
  • Solid Edge: All versions prior to V224.0 Update 2 (CVE-2024-34771, CVE-2024-34773)
  • Solid Edge: All versions prior to V224.0 Update 4 (CVE-2024-34772)

3.2 Vulnerability Overview

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

The affected application is vulnerable to heap-based buffer overflow while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-33489 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-33490 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-33491 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-33492 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.5 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-33493 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.6 HEAP-BASED BUFFER OVERFLOW CWE-122

The affected application is vulnerable to heap-based buffer overflow while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-34771 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.7 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-34772 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.8 STACK-BASED BUFFER OVERFLOW CWE-121

The affected applications contain a stack overflow vulnerability while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-34773 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Solid Edge: Do not open untrusted PAR files in Solid Edge
  • For CVE-2024-33489, CVE-2024-33490, CVE-2024-33491, CVE-2024-33492, CVE-2024-33493: Update to V224.0 Update 5 or later version.
  • For CVE-2024-34771, CVE-2024-34773: Update to V224.0 Update 2 or later version.
  • For CVE-2024-34772: Update to V224.0 Update 4 or later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-589937 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • May 16, 2024: Initial Publication

Siemens Desigo Fire Safety UL and Cerberus PRO UL Fire Protection Systems

✇US-CERT Current Activity
CISA

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 10.0
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: Cerberus PRO UL and Desigo Fire Safety UL
  • Vulnerabilities: Classic Buffer Overflow, Out-of-bounds Read, Improper Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of the vulnerabilities could allow an unauthenticated attacker, who gained access to the fire protection system network, to execute arbitrary code on the affected products (CVE-2024-22039) or create a denial-of-service condition (CVE-2024-22040, CVE-2024-22041).

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

  • Siemens Cerberus PRO UL Compact Panel FC922/924: All versions prior to MP4
  • Siemens Cerberus PRO UL Engineering Tool: All versions prior to MP4
  • Siemens Cerberus PRO UL X300 Cloud Distribution: All versions prior to V4.3.0001
  • Siemens Desigo Fire Safety UL Compact Panel FC2025/2050: All versions prior to MP4
  • Siemens Desigo Fire Safety UL Engineering Tool: All versions prior to MP4
  • Siemens Desigo Fire Safety UL X300 Cloud Distribution: All versions prior to V4.3.0001

3.2 Vulnerability Overview

3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW') CWE-120

The network communication library in affected systems does not validate the length of certain X.509 certificate attributes which might result in a stack-based buffer overflow. This could allow an unauthenticated remote attacker to execute code on the underlying operating system with root privileges. For Cerberus PRO UL Engineering Tool and Desigo Fire Safety UL Engineering Tool, successful exploitation requires an on-path attacker that intercepts the communication of the engineering tool in the fire system network; code execution might be possible on the underlying operating system with the privileges of the engineering tool user account.

CVE-2024-22039 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has been calculated for CVE-2024-22039. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 OUT-OF-BOUNDS READ CWE-125

The network communication library in affected systems insufficiently validates HMAC values which might result in a buffer overread. This could allow an unauthenticated remote attacker to crash the network service. For Cerberus PRO UL Engineering Tool and Desigo Fire Safety UL Engineering Tool, successful exploitation requires an on-path attacker that intercepts the communication of the engineering tool in the fire system network; possible impact is limited to the tool, not the underlying operating system.

CVE-2024-22040 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has been calculated for CVE-2024-22040. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/V:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.3 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

The network communication library in affected systems improperly handles memory buffers when parsing X.509 certificates. This could allow an unauthenticated remote attacker to crash the network service. For Cerberus PRO UL Engineering Tool and Desigo Fire Safety UL Engineering Tool, successful exploitation requires an on-path attacker that intercepts the communication of the engineering tool in the fire system network; possible impact is limited to the tool, not the underlying operating system.

CVE-2024-22041 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has been calculated for CVE-2024-22041. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Emergency Services
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Cerberus PRO UL Compact Panel FC922/924, Cerberus PRO UL Engineering Tool, Desigo Fire Safety UL Compact Panel FC2025/2050, Desigo Fire Safety UL Engineering Tool: Update to MP4 or later version
  • Cerberus PRO UL X300 Cloud Distribution, Desigo Fire Safety UL X300 Cloud Distribution: Update to V4.3.0001 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-953710 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 16, 2024: Initial Publication

CISA Releases Seventeen Industrial Control Systems Advisories

✇US-CERT Current Activity
CISA

CISA released seventeen Industrial Control Systems (ICS) advisories on May 16, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Siemens Parasolid

✇US-CERT Current Activity
CISA

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 7.3
  • ATTENTION: Low Attack Complexity
  • Vendor: Siemens
  • Equipment: Parasolid
  • Vulnerabilities: Out-of-bounds Read, NULL Pointer Dereference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process and crash the application causing a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens Parasolid, a design and simulation product, are affected:

  • Siemens Parasolid V35.1: Versions prior to V35.1.256
  • Siemens Parasolid V36.0: Versions prior to V36.0.208
  • Siemens Parasolid V36.1: Versions prior to V36.1.173

3.2 Vulnerability Overview

3.2.1 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read past the unmapped memory region while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-32635 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32635. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-32636 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32636. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 NULL POINTER DEREFERENCE CWE-476

The affected applications contain a null pointer dereference vulnerability while parsing specially crafted X_T files. An attacker could leverage this vulnerability to crash the application causing a denial-of-service condition.

CVE-2024-32637 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-32637. A base score of 4.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends users to update to the latest version:

  • Parasolid V35.1: Update to V35.1.256 or later version
  • Parasolid V36.0: Update to V36.0.208 or later version
  • Parasolid V36.1: Update to V36.1.173 or later version

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • All affected products: Do not open untrusted X_T files in Parasolid

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-046364 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • May 16, 2024: Initial Publication

Siemens Polarion ALM

✇US-CERT Current Activity
CISA

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 7.1
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: Polarion ALM
  • Vulnerability: Improper Access Control

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated user to query items beyond the user's allowed projects.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens Polarion ALM, an application lifecycle management software, are affected:

  • Polarion ALM: All versions prior to V2404.0

3.2 Vulnerability Overview

3.2.1 IMPROPER ACCESS CONTROL CWE-284

The Apache Lucene based query engine in the affected application lacks proper access controls. This could allow an authenticated user to query items beyond the user's allowed projects.

CVE-2024-33647 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-33647. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Luis Manuel Alvarez Tapia from BorgWarner Luxembourg Automotive Systems SARL reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-925850 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 16, 2024: Initial Publication

Siemens SIMATIC RTLS Locating Manager

✇US-CERT Current Activity
CISA

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 10.0
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: SIMATIC RTLS Locating Manager
  • Vulnerabilities: Improper Input Validation, Improper Check for Unusual or Exceptional Conditions, Uncontrolled Resource Consumption, Excessive Iteration, Allocation of Resources Without Limits or Throttling, Heap-based Buffer Overflow, External Control of File Name or Path, Missing Encryption of Sensitive Data, Download of Code Without Integrity Check, Use of Hard-coded Cryptographic Key, Incorrect Permission Assignment for Critical Resource, Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, Insufficiently Protected Credentials, Hidden Functionality

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition, extract sensitive information from memory, trick a user in to installing malicious code, compromise confidentiality, integrity, and availability of communications, extract credentials to escalate access rights, and escalate privileges from the Administrators group.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SIMATIC RTLS Locating Manager, a configuration, operation, and maintenance tool, are affected:

  • Siemens SIMATIC RTLS Locating Manager (6GT2780-0DA00): Versions prior to V3.0.1.1
  • Siemens SIMATIC RTLS Locating Manager (6GT2780-0DA10): Versions prior to V3.0.1.1
  • Siemens SIMATIC RTLS Locating Manager (6GT2780-0DA20): Versions prior to V3.0.1.1
  • Siemens SIMATIC RTLS Locating Manager (6GT2780-0DA30): Versions prior to V3.0.1.1
  • Siemens SIMATIC RTLS Locating Manager (6GT2780-1EA10): Versions prior to V3.0.1.1
  • Siemens SIMATIC RTLS Locating Manager (6GT2780-1EA20): Versions prior to V3.0.1.1
  • Siemens SIMATIC RTLS Locating Manager (6GT2780-1EA30): Versions prior to V3.0.1.1

3.2 Vulnerability Overview

3.2.1 IMPROPER INPUT VALIDATION CWE-20

The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially impacted. As a workaround the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000

CVE-2023-4807 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

A bug has been identified in the processing of key and initialization vector (IV) lengths. This can lead to potential truncation or overruns during the initialization of some symmetric ciphers. A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore, it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. OpenSSL 3.1 and 3.0 are vulnerable to this issue.

CVE-2023-5363 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 IMPROPER CHECK FOR UNUSUAL OR EXCEPTIONAL CONDITIONS CWE-754

Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a denial of service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks and is vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a denial-of-service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application.

CVE-2023-5678 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.4 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.

CVE-2023-29409 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.5 EXCESSIVE ITERATION CWE-834

PC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser. The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with a parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK variants have an encoding quirk whereby an infinite number of 0's can be added at the start of an integer. gRPC's hpack parser needed to read all of them before concluding a parse. - gRPC's metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering.

CVE-2023-33953 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.6 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

CVE-2023-38039 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.7 HEAP-BASED BUFFER OVERFLOW CWE-122

This flaw makes curl overflow a heap-based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes. If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.

CVE-2023-38545 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.8 EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73

This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates an easy handle called curl_easy_duphandle. If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.

CVE-2023-38546 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

3.2.9 IMPROPER INPUT VALIDATION CWE-20

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example, a cookie could be set with domain=co.UK when the URL used a lower-case hostname curl.co.uk, even though co.uk is listed as a PSL domain.

CVE-2023-46218 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

3.2.10 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.

CVE-2023-46219 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

3.2.11 DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK CWE-494

Affected SIMATIC RTLS Locating Manager Clients do not properly check the integrity of update files. This could allow an unauthenticated remote attacker to alter update files in transit and trick an authorized user into installing malicious code. A successful exploit requires the attacker to be able to modify the communication between server and client on the network.

CVE-2024-30206 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-30206. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.12 USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321

The affected systems use symmetric cryptography with a hard-coded key to protect the communication between client and server. This could allow an unauthenticated remote attacker to compromise confidentiality and integrity of the communication and, subsequently, availability of the system. A successful exploit requires the attacker to gain knowledge of the hard-coded key and to be able to intercept the communication between client and server on the network.

CVE-2024-30207 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-30207. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.13 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

The "DBTest" tool of SIMATIC RTLS Locating Manager does not properly enforce access restriction. This could allow an authenticated local attacker to extract sensitive information from memory.

CVE-2024-30208 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-30208. A base score of 5.2 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H).

3.2.14 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Affected systems transmit client-side resources without proper cryptographic protection. This could allow an attacker to eavesdrop on and modify resources in transit. A successful exploit requires an attacker to be in the network path between the RTLS Locating Manager server and a client (MitM).

CVE-2024-30209 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-30209. A base score of 9.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.15 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

Affected components do not properly authenticate heartbeat messages. This could allow an unauthenticated remote attacker to affected the availability of secondary RTLS systems configured using a TeeRevProxy service and potentially cause loss of data generated during the time the attack is ongoing.

CVE-2024-33494 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-33494. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N).

3.2.16 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

The affected application does not properly limit the size of specific logs. This could allow an unauthenticated remote attacker to exhaust system resources by creating a great number of log entries which could potentially lead to a denial-of-service condition. A successful exploitation requires the attacker to have access to specific SIMATIC RTLS Locating Manager Clients in the deployment.

CVE-2024-33495 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-33495. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.17 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

Affected SIMATIC RTLS Locating Manager Report Clients do not properly protect credentials that are used to authenticate to the server. This could allow an authenticated local attacker to extract the credentials and use them to escalate their access rights from the Manager to the System administrator role.

CVE-2024-33496 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-33496. A base score of 4.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L).

3.2.18 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

Affected SIMATIC RTLS Locating Manager Track Viewer Client do not properly protect credentials that are used to authenticate to the server. This could allow an authenticated local attacker to extract the credentials and use them to escalate their access rights from the Manager to the System administrator role.

CVE-2024-33497 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-33497. A base score of 4.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L).

3.2.19 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Affected applications do not properly release memory that is allocated when handling specifically crafted incoming packets. This could allow an unauthenticated remote attacker to cause a denial-of-service condition by crashing the service when it runs out of memory. The service is restarted automatically after a short time.

CVE-2024-33498 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-33498. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.20 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

The affected application assigns incorrect permissions to a user management component. This could allow a privileged attacker to escalate their privileges from the Administrators group to the System administrator group.

CVE-2024-33499 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-33499. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.21 HIDDEN FUNCTIONALITY CWE-912

Affected application contains a hidden configuration item to enable debug functionality. This could allow an authenticated local attacker to gain insight into the internal configuration of the deployment.

CVE-2024-33583 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-33583. A base score of 4.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends updating affected products to V3.0.1.1 or later version. Update is available from Siemens Online Software Delivery (OSD).

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Install required RTLS Locating Manager components on a single host computer where possible and ensure only trusted persons have access to the system
  • Secure the Windows Server, where the RTLS Locating Manager is installed on, with a firewall and make sure no ports are accessible from untrusted networks
  • Apply security hardening of the Windows Server, where the RTLS Locating Manager is installed on, in accordance with your corporate security policies or up-to-date hardening guidelines

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-093430 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 16, 2024: Initial Publication

Siemens RUGGEDCOM CROSSBOW

✇US-CERT Current Activity
CISA

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 9.8
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: RUGGEDCOM CROSSBOW
  • Vulnerabilities: Missing Authorization, Improper Neutralization of Special Elements used in an SQL Command, Missing Authentication for Critical Function, External Control of File Name or Path, Improper Limitation of a Pathname to a Restricted Directory, Exposure of Sensitive Information to an Unauthorized Actor

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary database queries or upload of arbitrary files to the application's file system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

  • RUGGEDCOM CROSSBOW: Versions prior to V5.5

3.2 Vulnerability Overview

3.2.1 MISSING AUTHORIZATION CWE-862

The affected systems allow the upload of arbitrary files of any unauthenticated user. An attacker could leverage this vulnerability and achieve arbitrary code execution with system privileges.

CVE-2024-27939 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89

The affected systems allow any authenticated user to send arbitrary SQL commands to the SQL server. An attacker could use this vulnerability to compromise the whole database.

CVE-2024-27940 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89

The affected client systems do not properly sanitize input data before sending it to the SQL server. An attacker could use this vulnerability to compromise the whole database.

CVE-2024-27941 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected systems allow any unauthenticated client to disconnect any active user from the server. An attacker could use this vulnerability to prevent any user to perform actions in the system, causing a denial of service situation.

CVE-2024-27942 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.5 EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73

The affected systems allow a privileged user to upload generic files to the root installation directory of the system. By replacing specific files, an attacker could tamper specific files or even achieve remote code execution.

CVE-2024-27943 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.6 EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73

The affected systems allow a privileged user to upload firmware files to the root installation directory of the system. By replacing specific files, an attacker could tamper specific files or even achieve remote code execution.

CVE-2024-27944 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.7 EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73

The bulk import feature of the affected systems allow a privileged user to upload files to the root installation directory of the system. By replacing specific files, an attacker could tamper specific files or even achieve remote code execution.

CVE-2024-27945 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.8 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

Downloading files overwrites files with the same name in the installation directory of the affected systems. The filename for the target file can be specified, thus arbitrary files can be overwritten by an attacker with the required privileges.

CVE-2024-27946 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).

3.2.9 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

The affected systems could allow log messages to be forwarded to a specific client under certain circumstances. An attacker could leverage this vulnerability to forward log messages to a specific compromised client.

CVE-2024-27947 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-916916 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 16, 2024: Initial Publication

Siemens Industrial Products

✇US-CERT Current Activity
CISA

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.2
  • ATTENTION: Low Attack Complexity
  • Vendor: Siemens
  • Equipment: S7-PCT, SCT, SIMATIC, SINAMICS, SINUMERIK, and TIA Portal Products
  • Vulnerability: Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a Blue Screen of Death (BSOD) crash of the underlying Windows kernel, leading to denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens are affected:

  • Siemens S7-PCT: All versions
  • Siemens Security Configuration Tool (SCT): All versions
  • Siemens SIMATIC Automation Tool: All versions
  • Siemens SIMATIC BATCH V9.1: All versions prior to V9.1.2.5
  • Siemens SIMATIC NET PC Software: All versions
  • Siemens SIMATIC PCS 7 V9.1: All versions
  • Siemens SIMATIC PDM V9.2: All versions prior to V9.2 SP2 Upd3
  • Siemens SIMATIC Route Control V9.1: All versions prior to V9.1.2.5
  • Siemens SIMATIC STEP 7 V5: All versions
  • Siemens SIMATIC WinCC OA V3.17: All versions
  • Siemens SIMATIC WinCC OA V3.18: All versions prior to V3.18 P025
  • Siemens SIMATIC WinCC OA V3.19: All versions prior to V3.19 P010
  • Siemens SIMATIC WinCC Runtime Advanced: All versions
  • Siemens SIMATIC WinCC Runtime Professional V16: All versions
  • Siemens SIMATIC WinCC Runtime Professional V17: All versions
  • Siemens SIMATIC WinCC Runtime Professional V18: All versions
  • Siemens SIMATIC WinCC Runtime Professional V19: All versions
  • Siemens SIMATIC WinCC Unified PC Runtime: All versions
  • Siemens SIMATIC WinCC V7.4: All versions
  • Siemens SIMATIC WinCC V7.5: All versions
  • Siemens SIMATIC WinCC V8.0: All versions
  • Siemens SINAMICS Startdrive: All versions prior to V19 SP1
  • Siemens SINUMERIK ONE virtual: All versions prior to V6.23
  • Siemens SINUMERIK PLC Programming Tool: All versions
  • Siemens TIA Portal Cloud Connector: All versions prior to V2.0
  • Siemens Totally Integrated Automation Portal (TIA Portal) V15.1: All versions
  • Siemens Totally Integrated Automation Portal (TIA Portal) V16: All versions
  • Siemens Totally Integrated Automation Portal (TIA Portal) V17: All versions
  • Siemens Totally Integrated Automation Portal (TIA Portal) V18: All versions
  • Siemens Totally Integrated Automation Portal (TIA Portal) V19: All versions prior to V19 Update 2

3.2 Vulnerability Overview

3.2.1 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read vulnerability. This could allow an attacker to cause a Blue Screen of Death (BSOD) crash of the underlying Windows kernel.

CVE-2023-46280 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has been calculated for CVE-2023-46280. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Jongseong Kim, Byunghyun Kang, Sangjun Park, Yunjin Park, Kwon Yul, and Seungchan Kim from Team today-0day reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • SIMATIC BATCH V9.1: Update to V9.1.2.5 or later version
  • SIMATIC PDM V9.2: Update to V9.2 SP2 Upd3 or later version
  • SIMATIC Route Control V9.1: Update to V9.1.2.5 or later version
  • SIMATIC WinCC OA V3.18: Update to V3.18 P025 or later version
  • SIMATIC WinCC OA V3.19: Update to V3.19 P010 or later version
  • SINAMICS Startdrive: Update to V19 SP1 or later version
  • SINUMERIK ONE virtual: Update to V6.23 or later version
  • TIA Portal Cloud Connector: Update to V2.0 or later version
  • Totally Integrated Automation Portal (TIA Portal) V19: Update to V19 Update 2 or later version
  • Security Configuration Tool (SCT), SIMATIC WinCC OA V3.17, SIMATIC WinCC V7.4, Totally Integrated Automation Portal (TIA Portal) V15.1, Totally Integrated Automation Portal (TIA Portal) V16: Currently no fix is planned
  • S7-PCT, SIMATIC Automation Tool, SIMATIC NET PC Software, SIMATIC PCS 7 V9.1, SIMATIC STEP 7 V5, SIMATIC WinCC Runtime Advanced, SIMATIC WinCC Runtime Professional V16, SIMATIC WinCC Runtime Professional V17, SIMATIC WinCC Runtime Professional V18, SIMATIC WinCC Runtime Professional V19, SIMATIC WinCC Unified PC Runtime, SIMATIC WinCC V7.5, SIMATIC WinCC V8.0, SINUMERIK PLC Programming Tool, Totally Integrated Automation Portal (TIA Portal) V17, Totally Integrated Automation Portal (TIA Portal) V18: Currently no fix is available

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-962515 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • May 16, 2024: Initial Publication

CISA Adds Three Known Exploited Vulnerabilities to Catalog

✇US-CERT Current Activity
CISA

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2014-100005 D-Link DIR-600 Router Cross-Site Request Forgery (CSRF) Vulnerability
  • CVE-2021-40655 D-Link DIR-605 Router Information Disclosure Vulnerability
  • CVE-2024-4761 Google Chromium V8 Out-of-Bounds Memory Write Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Siemens SICAM Products

✇US-CERT Current Activity
CISA

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.6
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: CPC80 Central Processing/Communication, CPCI85 Central Processing/Communication, OPUPI0 AMQP/MQTT, SICORE Base system
  • Vulnerabilities: Improper Null Termination, Command Injection, Cleartext Storage of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process, allow an authenticated privileged remote attacker to execute arbitrary code with root privileges, or lead to a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of multiple Siemens SICAM products are affected:

  • CPC80 Central Processing/Communication: All versions prior to V16.41
  • CPCI85 Central Processing/Communication: All versions prior to V5.30
  • OPUPI0 AMQP/MQTT: All versions prior to V5.30
  • SICORE Base system: All versions prior to V1.3.0

3.2 Vulnerability Overview

3.2.1 IMPROPER NULL TERMINATION CWE-170

The affected device firmwares contain an improper null termination vulnerability while parsing a specific HTTP header. This could allow an attacker to execute code in the context of the current process or lead to denial-of-service condition

CVE-2024-31484 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-31484. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77

The web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges.

CVE-2024-31485 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-31485. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312

The affected devices store MQTT client passwords without sufficient protection on the devices. An attacker with remote shell access or physical access could retrieve the credentials leading to confidentiality loss.

CVE-2024-31486 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-31486. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Steffen Robertz, Gerhard Hechenberger, and Thomas Weber from SEC Consult Vulnerability Lab reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • CPC80 Central Processing/Communication: Update to V16.41 or later version. The firmware CPC80 V16.41 is present within "CP-8000/CP-8021/CP-8022 Package" V16.41
  • CPCI85 Central Processing/Communication: Update to V5.30 or later version. The firmware CPCI85 V5.30 is present within "CP-8031/CP-8050 Package" V5.30
  • OPUPI0 AMQP/MQTT: Update to V5.30 or later version. The firmware OPUPI0 V5.30 is present within "CP-8031/CP-8050 Package" V5.30
  • SICORE Base system: Update to V1.3.0 or later version. The firmware SICORE V1.3.0 is present within "SICAM 8 Software Solution Package" V5.30

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-871704 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 16, 2024: Initial Publication

Adobe Releases Security Updates for Multiple Products

✇US-CERT Current Activity
CISA

Adobe has released security updates to address vulnerabilities in Adobe software. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

Users and administrators are encouraged to review the following Adobe Security Bulletins and apply necessary updates: 

CISA Adds Two Known Exploited Vulnerabilities to Catalog

✇US-CERT Current Activity
CISA

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2024-30051 Microsoft DWM Core Library Privilege Escalation Vulnerability
  • CVE-2024-30040 Microsoft Windows MSHTML Platform Security Feature Bypass Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Johnson Controls Software House C-CURE 9000

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 7.7
  • ATTENTION: Low attack complexity
  • Vendor: Johnson Controls
  • Equipment: Software House C●CURE 9000
  • Vulnerability: Insertion of Sensitive Information into Log File

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow an attacker to access credentials used for access to the application.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports that the following versions of Software House C●CURE 9000, a security management system, are affected:

  • Software House C●CURE 9000: v3.00.2

3.2 Vulnerability Overview

3.2.1 Insertion of Sensitive Information into Log File CWE-532

Under certain circumstances the Microsoft Internet Information Server (IIS) used to host the C●CURE 9000 Web Server will log Microsoft Windows credential details within logs. There is no impact to non-web service interfaces C●CURE 9000 or prior versions.

CVE-2024-0912 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2024-0912. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Johnson Controls, Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Johnson Controls recommends the following:

  • Update Software House C●CURE 9000 to version 3.00.2 CU02 or 3.00.3
  • Change the password for the impacted windows accounts.
  • Delete the api.log log file (or remove instances of passwords from the log file with a text editor) located at "C:\Program Files (x86)\Tyco\victorWebServices\victorWebsite\Logs\archives"

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-04 v1

Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • May 14, 2024: Initial Publication

Apple Releases Security Updates for Multiple Products

✇US-CERT Current Activity
CISA

Apple has released security updates to address vulnerabilities in Safari, iOS, iPadOS, macOS, watchOS, and tvOS. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

Users and administrators are encouraged to review the following advisories and apply necessary updates: 

Rockwell Automation FactoryTalk Remote Access

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 7.0
  • ATTENTION: Low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: Factory Talk Remote Access
  • Vulnerability: Unquoted Search Path or Element

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to enter a malicious executable and run it as a system user, resulting in remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation's FactoryTalk Remote Access are affected:

  • FactoryTalk Remote Access: v13.5.0.174 and prior

3.2 Vulnerability Overview

3.2.1 UNQUOTED SEARCH PATH OR ELEMENT CWE-428

An unquoted executable path exists in the affected products, possibly resulting in remote code execution if exploited. While running the FTRA installer package, the executable path is not properly quoted, which could allow a threat actor to enter a malicious executable and run it as a system user. A threat actor needs admin privileges to exploit this vulnerability.

CVE-2024-3640 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3640. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Commercial Facilities, Critical Manufacturing, Energy, Government Facilities, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends user to upgrade to v13.6.

For additional information, refer to Rockwell Automation's security bulletin.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • May 14, 2024: Initial Publication

Mitsubishi Electric Multiple FA Engineering Software Products

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 6.0
  • ATTENTION: Low attack complexity
  • Vendor: Mitsubishi Electric
  • Equipment: Multiple FA Engineering Software Products
  • Vulnerabilities: Improper Privilege Management, Uncontrolled Resource Consumption, Out-of-bounds Write, Improper Privilege Management

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition and/or to gain Windows system privileges and execute arbitrary commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports the following versions of FA Engineering Software Products are affected:

  • CPU Module Logging Configuration Tool: All versions
  • CSGL (GX Works2 connection configuration): All versions
  • CW Configurator: All versions
  • Data Transfer: All versions
  • Data Transfer Classic: All versions
  • EZSocket (communication middleware product for Mitsubishi Electric partner companies): All versions
  • FR Configurator SW3: All versions
  • FR Configurator2: All versions
  • GENESIS64: All versions
  • GT Designer3 Version1 (GOT1000): All versions
  • GT Designer3 Version1 (GOT2000): All versions
  • GT SoftGOT1000 Version3: All versions
  • GT SoftGOT2000 Version1: All versions
  • GX Developer: All versions
  • GX LogViewer: All versions
  • GX Works2: All versions
  • GX Works3: All versions
  • iQ Works (MELSOFT Navigator): All versions
  • MI Configurator: All versions
  • Mitsubishi Electric Numerical Control Device Communication Software (FCSB1224): All versions
  • MR Configurator (SETUP221): All versions
  • MR Configurator2: All versions
  • MRZJW3-MC2-UTL: All versions
  • MX Component: All versions
  • MX OPC Server DA/UA (Software packaged with MC Works64): All versions
  • PX Developer/Monitor Tool: All versions
  • RT ToolBox3: All versions
  • RT VisualBox: All versions
  • Setting/monitoring tools for the C Controller module (SW4PVC-CCPU): All versions
  • SW0DNC-MNETH-B: All versions
  • SW1DNC-CCBD2-B: All versions
  • SW1DNC-CCIEF-J: All versions
  • SW1DNC-CCIEF-B: All versions
  • SW1DNC-MNETG-B: All versions
  • SW1DNC-QSCCF-B: All versions
  • SW1DND-EMSDK-B All versions

3.2 Vulnerability Overview

3.2.1 Improper Privilege Management CWE-269

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.

CVE-2023-51776 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2023-51776. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.2 Uncontrolled Resource Consumption CWE-400

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.

CVE-2023-51777 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-51777. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.3 Out-of-bounds Write CWE-787

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.

CVE-2023-51778 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-51778. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.4 Uncontrolled Resource Consumption CWE-400

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.

CVE-2024-22102 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22102. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.5 Out-of-bounds Write CWE-787

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.

CVE-2024-22103 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22103. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.6 Out-of-bounds Write CWE-787

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.

CVE-2024-22104 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22104. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.7 Uncontrolled Resource Consumption CWE-400

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.

CVE-2024-22105 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22105. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.8 Improper Privilege Management CWE-269

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition and/or to gain Windows system privileges and execute arbitrary commands.

CVE-2024-22106 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22106. A base score of 4.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.9 Improper Privilege Management CWE-269

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.

CVE-2024-25086 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-25086. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.10 Uncontrolled Resource Consumption CWE-400

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.

CVE-2024-25087 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-25087. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.11 Improper Privilege Management CWE-269

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.

CVE-2024-25088 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-25088. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.12 Improper Privilege Management CWE-269

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.

CVE-2024-26314 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-26314. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Jongseong Kim, Byunghyun Kang, Sangjun Park, Yunjin Park, Kwon Yul, and Seungchan Kim reported these vulnerabilities to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting these vulnerabilities:

  • Restrict physical access to the computer using the product.
  • Install an antivirus software in your computer using the affected product.
  • Don't open untrusted files or click untrusted links.

For additional information see Mitsubishi Electric advisory 2024-001.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

  • May 14, 2024: Initial Publication

SUBNET PowerSYSTEM Center

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.6
  • ATTENTION: Low attack complexity
  • Vendor: Subnet Solutions Inc.
  • Equipment: PowerSYSTEM Center
  • Vulnerabilities: Reliance on Insufficiently Trustworthy Component

2. RISK EVALUATION

Successful exploitation of the vulnerabilities in components used by PowerSYSTEM Center could allow privilege escalation, denial-of-service, or arbitrary code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

SUBNET Solutions reports that the following products use components with vulnerabilities:

  • PowerSYSTEM Center: Update 19 and prior

3.2 Vulnerability Overview

3.2.1 RELIANCE ON INSUFFICIENTLY TRUSTWORTHY COMPONENT CWE-1357

SUBNET Solutions Inc. has identified vulnerabilities in third-party components used in PowerSYSTEM Center.

CVE-2024-28042 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-28042. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

SUBNET Solutions reported these vulnerabilities to CISA.

4. MITIGATIONS

Subnet Solutions has fixed these issues by identifying and replacing out of date libraries used in previous versions of PowerSYSTEM Center. Users are advised to update to version 5.20.x.x or newer. To obtain this software, contact Subnet Solution's Customer Service.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • May 14, 2024: Initial Publication

CISA Releases Four Industrial Control Systems Advisories

✇US-CERT Current Activity
CISA

CISA released four Industrial Control Systems (ICS) advisories on May 14, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

CISA and Partners Release Guidance for Civil Society Organizations on Mitigating Cyber Threats with Limited Resources

✇US-CERT Current Activity
CISA

CISA, in partnership with the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and international partners, released Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society. The joint guidance provides civil society organizations and individuals with recommended actions and mitigations to reduce the risk of cyber intrusions. Additionally, the guide encourages software manufactures to actively implement and publicly commit to Secure by Design practices that are necessary to help protect vulnerable and high-risk communities.

Civil society, comprised of organizations and individuals—such as nonprofit, advocacy, cultural, faith-based, academic, think tanks, journalist, dissident, and diaspora organizations, communities involved in defending human rights and advancing democracy—are considered high-risk communities. Often these organizations and their employees are targeted by state-sponsored threat actors who seek to undermine democratic values and interests.  

CISA and partners encourage civil society organizations and software manufacturers to review and implement the mitigations and practices in the joint guide to mitigate the threat posed by malicious cyber actors to civil society organizations. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage. For more on protecting civil society, visit CISA’s Cybersecurity Resources for High-Risk Communities webpage. 

CISA Adds One Known Exploited Vulnerability to Catalog

✇US-CERT Current Activity
CISA

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2024-4671 Google Chromium in Visuals Use-After-Free Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

#StopRansomware: Black Basta

✇US-CERT Current Activity
CISA

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.

This joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally.

Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instructs them to contact the ransomware group via a .onion URL (reachable through the Tor browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.

Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions. The authoring organizations urge HPH Sector and all critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from Black Basta and other ransomware attacks. Victims of ransomware should report the incident to their local FBI field office or CISA (see the Reporting section for contact information).

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

AA24-131A STIX XML (XML, 237.45 KB )
AA24-131A STIX JSON (JSON, 180.78 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Initial Access

Black Basta affiliates primarily use spearphishing [T1566] to obtain initial access. According to cybersecurity researchers, affiliates have also used Qakbot during initial access.[1]

Starting in February 2024, Black Basta affiliates began exploiting ConnectWise vulnerability CVE-2024-1709 [CWE-288] [T1190]. In some instances, affiliates have been observed abusing valid credentials [T1078].

Discovery and Execution

Black Basta affiliates use tools such as SoftPerfect network scanner (netscan.exe) to conduct network scanning. Cybersecurity researchers have observed affiliates conducting reconnaissance using utilities with innocuous file names such as Intel or Dell, left in the root drive C:\ [T1036].[1]

Lateral Movement

Black Basta affiliates use tools such as BITSAdmin and PsExec, along with Remote Desktop Protocol (RDP), for lateral movement. Some affiliates also use tools like Splashtop, Screen Connect, and Cobalt Strike beacons to assist with remote access and lateral movement.

Privilege Escalation and Lateral Movement

Black Basta affiliates use credential scraping tools like Mimikatz for privilege escalation. According to cybersecurity researchers, Black Basta affiliates have also exploited ZeroLogon (CVE-2020-1472, [CWE-330]), NoPac (CVE-2021-42278 [CWE-20] and CVE-2021-42287 [CWE-269]), and PrintNightmare (CVE-2021-34527, [CWE-269]) vulnerabilities for local and Windows Active Domain privilege escalation [T1068].[1],[2]

Exfiltration and Encryption

Black Basta affiliates use RClone to facilitate data exfiltration prior to encryption. Prior to exfiltration, cybersecurity researchers have observed Black Basta affiliates using PowerShell [T1059.001] to disable antivirus products, and in some instances, deploying a tool called Backstab, designed to disable endpoint detection and response (EDR) tooling [T1562.001].[3] Once antivirus programs are terminated, a ChaCha20 algorithm with an RSA-4096 public key fully encrypts files [T1486]. A .basta or otherwise random file extension is added to file names and a ransom note titled readme.txt is left on the compromised system.[4] To further inhibit system recovery, affiliates use the vssadmin.exe program to delete volume shadow copies [T1490].[5]

Leveraged Tools

See Table 1 for publicly available tools and applications used by Black Basta affiliates. This includes legitimate tools repurposed for their operations.

Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Table 1: Tools Used by Black Basta Affiliates
Tool Name Description
BITSAdmin A command-line utility that manages downloads/uploads between a client and server by using the Background Intelligent Transfer Service (BITS) to perform asynchronous file transfers.
Cobalt Strike A penetration testing tool used by security professions to test the security of networks and systems. Black Basta affiliates have used it to assist with lateral movement and file execution.
Mimikatz A tool that allows users to view and save authentication credentials such as Kerberos tickets. Black Basta affiliates have used it to aid in privilege escalation.
PSExec A tool designed to run programs and execute commands on remote systems.
PowerShell A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
RClone A command line program used to sync files with cloud storage services such as Mega.
SoftPerfect A network scanner (netscan.exe) used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH) and PowerShell. It also scans for remote services, registry, files, and performance counters. 
ScreenConnect Remote support, access, and meeting software that allows users to control devices remotely over the internet.
Splashtop Remote desktop software that allows remote access to devices for support, access, and collaboration.
WinSCP Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Black Basta affiliates have used it to transfer data from a compromised network to actor-controlled accounts.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 2–6 for all referenced threat actor tactics and techniques in this advisory.

Table 2: Black Basta ATT&CK Techniques for Initial Access
Technique Title ID Use
Phishing T1566 Black Basta affiliates have used spearphishing emails to obtain initial access.
Exploit Public-Facing Application T1190 Black Basta affiliates have exploited ConnectWise vulnerability CVE-2024-1709 to obtain initial access.
Table 3: Black Basta ATT&CK Techniques for Privilege Escalation
Technique Title ID Use
Exploitation for Privilege Escalation T1068 Black Basta affiliates have used credential scraping tools like Mimikatz, Zerologon, NoPac and PrintNightmare for privilege escalation.
Table 4: Black Basta ATT&CK Techniques for Defense Evasion
Technique Title ID Use
Masquerading T1036 Black Basta affiliates have conducted reconnaissance using utilities with innocuous file names, such as Intel or Dell, to evade detection.
Impair Defenses: Disable or Modify Tools T1562.001

Black Basta affiliates have deployed a tool called Backstab to disable endpoint detection and response (EDR) tooling.

Black Basta affiliates have used PowerShell to disable antivirus products.
Table 5: Black Basta ATT&CK Techniques for Execution
Technique Title ID Use
Command and Scripting Interpreter: PowerShell T1059.001 Black Basta affiliates have used PowerShell to disable antivirus products.
Table 6: Black Basta ATT&CK Techniques for Impact
Technique Title ID Use
Inhibit System Recovery T1490 Black Basta affiliates have used the vssadmin.exe program to delete shadow copies. 
Data Encrypted for Impact T1486 Black Basta affiliates have used a public key to fully encrypt files. 

 

INDICATORS OF COMPROMISE

See Table 7 for IOCs obtained from FBI investigations.

Table 7: Malicious Files Associated with Black Basta Ransomware
Hash Description
0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298 rclone.exe
d3683beca3a40574e5fd68d30451137e4a8bbaca8c428ebb781d565d6a70385e Winscp.exe
88c8b472108e0d79d16a1634499c1b45048a10a38ee799054414613cc9dccccc DLL
58ddbea084ce18cfb3439219ebcf2fc5c1605d2f6271610b1c7af77b8d0484bd DLL
39939eacfbc20a2607064994497e3e886c90cd97b25926478434f46c95bd8ead DLL
5b2178c7a0fd69ab00cef041f446e04098bbb397946eda3f6755f9d94d53c221 DLL
51eb749d6cbd08baf9d43c2f83abd9d4d86eb5206f62ba43b768251a98ce9d3e DLL
d15bfbc181aac8ce9faa05c2063ef4695c09b718596f43edc81ca02ef03110d1 DLL
5942143614d8ed34567ea472c2b819777edd25c00b3e1b13b1ae98d7f9e28d43 DLL
05ebae760340fe44362ab7c8f70b2d89d6c9ba9b9ee8a9f747b2f19d326c3431 DLL
a7b36482ba5bca7a143a795074c432ed627d6afa5bc64de97fa660faa852f1a6 DLL
86a4dd6be867846b251460d2a0874e6413589878d27f2c4482b54cec134cc737 DLL
07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799 DLL
96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be ELF
1c1b2d7f790750d60a14bd661dae5c5565f00c6ca7d03d062adcecda807e1779 ELF
360c9c8f0a62010d455f35588ef27817ad35c715a5f291e43449ce6cb1986b98 ELF
0554eb2ffa3582b000d558b6950ec60e876f1259c41acff2eac47ab78a53e94a EXE
9a55f55886285eef7ffabdd55c0232d1458175b1d868c03d3e304ce7d98980bc EXE
62e63388953bb30669b403867a3ac2c8130332cf78133f7fd4a7f23cdc939087 EXE
7ad4324ea241782ea859af12094f89f9a182236542627e95b6416c8fb9757c59 EXE
350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd EXE
90ba27750a04d1308115fa6a90f36503398a8f528c974c5adc07ae8a6cd630e7 EXE
fafaff3d665b26b5c057e64b4238980589deb0dff0501497ac50be1bc91b3e08 EXE
acb60f0dd19a9a26aaaefd3326db8c28f546b6b0182ed2dcc23170bcb0af6d8f EXE
d73f6e240766ddd6c3c16eff8db50794ab8ab95c6a616d4ab2bc96780f13464d EXE
f039eaaced72618eaba699d2985f9e10d252ac5fe85d609c217b45bc8c3614f4 EXE
723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224 EXE
ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e EXE
fff35c2da67eef6f1a10c585b427ac32e7f06f4e4460542207abcd62264e435f EXE
df5b004be71717362e6b1ad22072f9ee4113b95b5d78c496a90857977a9fb415 EXE
462bbb8fd7be98129aa73efa91e2d88fa9cafc7b47431b8227d1957f5d0c8ba7 EXE
3c50f6369f0938f42d47db29a1f398e754acb2a8d96fd4b366246ac2ccbe250a EXE
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa EXE
37a5cd265f7f555f2fe320a68d70553b7aa9601981212921d1ac2c114e662004 EXE
3090a37e591554d7406107df87b3dc21bda059df0bc66244e8abef6a5678af35 EXE
17879ed48c2a2e324d4f5175112f51b75f4a8ab100b8833c82e6ddb7cd817f20 EXE
42f05f5d4a2617b7ae0bc601dd6c053bf974f9a337a8fcc51f9338b108811b78 EXE
882019d1024778e13841db975d5e60aaae1482fcf86ba669e819a68ce980d7d3 EXE
e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757 EXE
0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e EXE
69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944 EXE
3337a7a9ccdd06acdd6e3cf4af40d871172d0a0e96fc48787b574ac93689622a EXE
17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90 EXE
b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9 EXE

See Tables 8–11 for IOCs obtained from trusted third-party reporting.

Disclaimer: The authoring organizations recommend network defenders investigate or vet IP addresses prior to taking action, such as blocking, as many cyber actors are known to change IP addresses, sometimes daily, and some IP addresses may host valid domains.

Table 8: Network Indicators
IP Address Description
66.249.66[.]18 0gpw.588027fa.dns.realbumblebee[.]net, dns.trailshop[.]net, dns.artspathgroupe[.]net
66.249.66[.]18 my.2a91c002002.588027fa.dns.realbumblebee[.]net
66.249.66[.]18 fy9.39d9030e5d3a8e2352daae2f4cd3c417b36f64c6644a783b9629147a1.afd8b8a4615358e0313bad8c544a1af0d8efcec0e8056c2c8eee96c7.b06d1825c0247387e38851b06be0272b0bd619b7c9636bc17b09aa70.a46890f27.588027fa.dns.realbumblebee[.]net
95.181.173[.]227 adslsdfdsfmo[.]world
  fy9.36c44903529fa273afff3c9b7ef323432e223d22ae1d625c4a3957d57.015c16eff32356bf566c4fd3590c6ff9b2f6e8c587444ecbfc4bcae7.f71995aff9e6f22f8daffe9d2ad9050abc928b8f93bb0d42682fd3c3.445de2118.588027fa.dns.realbumblebee[.]net
207.126.152[.]242 xkpal.d6597fa.dns.blocktoday.net
nuher.3577125d2a75f6a277fc5714ff536c5c6af5283d928a66daad6825b9a.7aaf8bba88534e88ec89251c57b01b322c7f52c7f1a5338930ae2a50.cbb47411f60fe58f76cf79d300c03bdecfb9e83379f59d80b8494951.e10c20f77.7fcc0eb6.dns.blocktoday[.]net
72.14.196[.]50 .rasapool[.]net, dns.trailshop[.]net
72.14.196[.]192 .rasapool[.]net
72.14.196[.]2 .rasapool[.]net
72.14.196[.]226 .rasapool[.]net
46.161.27[.]151  
207.126.152[.]242 nuher.1d67bbcf4.456d87aa6.2d84dfba.dns.specialdrills[.]com
185.219.221[.]136  
64.176.219[.]106  
5.78.115[.]67 your-server[.]de
207.126.152[.]242 xkpal.1a4a64b6.dns.blocktoday[.]net
46.8.16[.]77  
185.7.214[.]79 VPN Server
185.220.100[.]240 Tor exit
107.189.30[.]69 Tor exit
5.183.130[.]92  
185.220.101[.]149 Tor exit
188.130.218[.]39  
188.130.137[.]181  
46.8.10[.]134  
155.138.246[.]122  
80.239.207[.]200 winklen[.]ch
183.181.86[.]147 Xserver[.]jp
34.149.120[.]3  
104.21.40[.]72  
34.250.161[.]149  
88.198.198[.]90 your-server[.]de; literoved[.]ru
151.101.130[.]159  
35.244.153[.]44  
35.212.86[.]55  
34.251.163[.]236  
34.160.81[.]203  
34.149.36[.]179  
104.21.26[.]145  
83.243.40[.]10  
35.227.194[.]51  
35.190.31[.]54  
34.120.190[.]48  
116.203.186[.]178  
34.160.17[.]71  
Table 9: File Indicators
Filename Hash
C:\Users\Public\Audio\Jun.exe b6a4f4097367d9c124f51154d8750ea036a812d5badde0baf9c5f183bb53dd24
C:\Users\Public\Audio\esx.zip  
C:\Users\Public\Audio\7zG.exe f21240e0bf9f0a391d514e34d4fa24ecb997d939379d2260ebce7c693e55f061
C:\Users\Public\Audio\7z.dll  
C:\Users\Public\db_Usr.sql 8501e14ee6ee142122746333b936c9ab0fc541328f37b5612b6804e6cdc2c2c6
C:\Users\Public\Audio\db_Usr.sql  
C:\Users\Public\Audio\hv2.ps1  
C:\Users\Public\7zG.exe  
C:\Users\Public\7z.dll  
C:\Users\Public\BitLogic.dll  
C:\Users\Public\NetApp.exe 4c897334e6391e7a2fa3cbcbf773d5a4
C:\Users\Public\DataSoft.exe 2642ec377c0cee3235571832cb472870
C:\Users\Public\BitData.exe b3fe23dd4701ed00d79c03043b0b952e
C:\Users\Public\DigitalText.dll  
C:\Users\Public\GeniusMesh.exe  
\Device\Mup\{redacted}\C$\Users\Public\Music\PROCEXP.sys  
\Device\Mup\{redacted}\C$\Users\Public\Music\DumpNParse86.exe  
\Device\Mup\{redacted}\C$\Users\Public\Music\POSTDump.exe  
\Device\Mup\{redacted}\C$\Users\Public\Music\DumpNParse.exe  
C:\Users\Public\socksps.ps1  
C:\Users\Public\Thief.exe 034b5fe047920b2ae9493451623633b14a85176f5eea0c7aadc110ea1730ee79

C:\Users\All Users\{redacted}\GWT.ps1

C:\Program Files\MonitorIT\GWT.ps1

 8C68B2A794BA3D148CAE91BDF9C8D357289752A94118B5558418A36D95A5A45F

Winx86.exe 

Comment: alias for cmd.exe

  
C:\Users\Public\eucr.exe 3c65da7f7bfdaf9acc6445abbedd9c4e927d37bb9e3629f34afc338058680407
C:\Windows\DS_c1.dll 808c96cb90b7de7792a827c6946ff48123802959635a23bf9d98478ae6a259f9
C:\Windows\DS_c1.dll 3a8fc07cadc08eeb8be342452636a754158403c3d4ebff379a4ae66f8298d9a6
C:\Windows\DS_c1.dll 4ac69411ed124da06ad66ee8bfbcea2f593b5b199a2c38496e1ee24f9d04f34a
C:\Windows\DS_c1.dll 819cb9bcf62be7666db5666a693524070b0df589c58309b067191b30480b0c3a
C:\Windows\DS_c1.dll c26a5cb62a78c467cc6b6867c7093fbb7b1a96d92121d4d6c3f0557ef9c881e0
C:\Windows\DS_c1.dll d503090431fdd99c9df3451d9b73c5737c79eda6eb80c148b8dc71e84623401f
*\instructions_read_me.txt  
Table 10: Known Black Basta Cobalt Strike Domains
Domain Date/Time (UTC)/Time (UTC)
trailshop[.]net 5/8/2024 6:37
realbumblebee[.]net 5/8/2024 6:37
recentbee[.]net 5/8/2024 6:37
investrealtydom[.]net 5/8/2024 6:37
webnubee[.]com 5/8/2024 6:37
artspathgroup[.]net 5/8/2024 6:37
buyblocknow[.]com 5/8/2024 6:37
currentbee[.]net 5/8/2024 6:37
modernbeem[.]net 5/8/2024 6:37
startupbusiness24[.]net 5/8/2024 6:37
magentoengineers[.]com 5/8/2024 6:37
childrensdolls[.]com 5/8/2024 6:37
myfinancialexperts[.]com 5/8/2024 6:37
limitedtoday[.]com 5/8/2024 6:37
kekeoamigo[.]com 5/8/2024 6:37
nebraska-lawyers[.]com 5/8/2024 6:37
tomlawcenter[.]com 5/8/2024 6:37
thesmartcloudusa[.]com 5/8/2024 6:37
rasapool[.]net 5/8/2024 6:37
artspathgroupe[.]net 5/8/2024 6:37
specialdrills[.]com 5/8/2024 6:37
thetrailbig[.]net 5/8/2024 6:37
consulheartinc[.]com 3/22/2024 15:35
otxcosmeticscare[.]com 3/15/2024 10:14
otxcarecosmetics[.]com 3/15/2024 10:14
artstrailman[.]com 3/15/2024 10:14
ontexcare[.]com 3/15/2024 10:14
trackgroup[.]net 3/15/2024 10:14
businessprofessionalllc[.]com 3/15/2024 10:14
securecloudmanage[.]com 3/7/2024 10:42
oneblackwood[.]com 3/7/2024 10:42
buygreenstudio[.]com 3/7/2024 10:42
startupbuss[.]com 3/7/2024 10:42
onedogsclub[.]com 3/4/2024 18:26
wipresolutions[.]com 3/4/2024 18:26
recentbeelive[.]com 3/4/2024 18:26
trailcocompany[.]com 3/4/2024 18:26
trailcosolutions[.]com 3/4/2024 18:26
artstrailreviews[.]com 3/4/2024 18:26
usaglobalnews[.]com 2/15/2024 5:56
topglobaltv[.]com 2/15/2024 5:56
startupmartec[.]net 2/15/2024 5:56
technologgies[.]com 1/2/2024 18:16
jenshol[.]com 1/2/2024 18:16
simorten[.]com 1/2/2024 18:16
investmentgblog[.]net 1/2/2024 18:16
protectionek[.]com 1/2/2024 18:16
Table 11: Suspected Black Basta Domains
airbusco[.]net
allcompanycenter[.]com
animalsfast[.]net
audsystemecll[.]net
auuditoe[.]com
bluenetworking[.]net
brendonline[.]com
businesforhome[.]com
caspercan[.]com
clearsystemwo[.]net
cloudworldst[.]net
constrtionfirst[.]com
erihudeg[.]com
garbagemoval[.]com
gartenlofti[.]com
getfnewsolutions[.]com
getfnewssolutions[.]com
investmendvisor[.]net
investmentrealtyhp[.]net
ionoslaba[.]com
jessvisser[.]com
karmafisker[.]com
kolinileas[.]com
maluisepaul[.]com
masterunix[.]net
monitor-websystem[.]net
monitorsystem[.]net
mytrailinvest[.]net
prettyanimals[.]net
reelsysmoona[.]net
seohomee[.]com
septcntr[.]com
softradar[.]net
startupbizaud[.]net
startuptechnologyw[.]net
steamteamdev[.]net
stockinvestlab[.]net
taskthebox[.]net
trailgroupl[.]net
treeauwin[.]net
unitedfrom[.]com
unougn[.]com
wardeli[.]com
welausystem[.]net
wellsystemte[.]net
withclier[.]com

MITIGATIONS

The authoring organizations recommend all critical infrastructure organizations implement the mitigations below to improve your organization’s cybersecurity posture based on Black Basta’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

The authoring organizations also recommend network defenders of HPH Sector and other critical infrastructure organizations to reference CISA’s Mitigation Guide: Healthcare and Public Health (HPH) Sector and HHS’s HPH Cybersecurity Performance Goals, which provide best practices to combat pervasive cyber threats against organizations. Recommendations include the following:

  • Asset Management and Security: Cybersecurity professionals should identify and understand all relationships or interdependencies, functionality of each asset, what it exposes, and what software is running to ensure critical data and systems are protected appropriately. HPH Sector organizations should ensure electronic PHI (ePHI) is protected and compliant with the Health Insurance Portability and Accountability Act (HIPAA). Organizations can complete asset inventories using active scans, passive processes, or a combination of both techniques.
  • Email Security and Phishing Prevention: Organizations should install modern anti-malware software and automatically update signatures where possible. For additional guidance, see CISA’s Enhance Email and Web Security Guide.
    • Check for embedded or spoofed hyperlinks: Validate the URL of the link matches the text of the link itself. This can be achieved by hovering your cursor over the link to view the URL of the website to be accessed.
  • Access Management: Phishing-resistant MFA completes the same process but removes ‘people’ from the equation to help thwart social engineering scams and targeted phishing attacks that may have been successful using traditional MFA. The two main forms of phishing-resistant MFA are FIDO/Web Authentication (WebAuthn) authentication and Public Key Infrastructure (PKI)-based authentication. Prioritize phishing-resistant MFA on accounts with the highest risk, such as privileged administrative accounts on key assets. For additional information on phishing-resistant MFA, see CISA’s Implementing Phishing-Resistant MFA Guide.
  • Vulnerability Management and Assessment: Once vulnerabilities are identified across your environment, evaluate and prioritize to appropriately deal with the posed risks according to your organization’s risk strategy. To assist with prioritization, it is essential to:
    • Map your assets to business-critical functions. For vulnerability remediation, prioritize assets that are most critical for ongoing operations or which, if affected, could impact your organization’s business continuity, sensitive PII (or PHI) security, reputation, or financial position.
    • Use threat intelligence information. For remediation, prioritize vulnerabilities actively exploited by threat actors. To assist, leverage CISA’s KEV Catalog and other threat intelligence feeds.
    • Leverage prioritization methodologies, ratings, and scores. The Common Vulnerability Scoring System (CVSS) assesses the technical severity of vulnerabilities. The Exploit Prediction Scoring System (EPSS) measures the likelihood of exploitation and can help with deciding which vulnerabilities to prioritize. CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC) methodology leverages decision trees to prioritize relevant vulnerabilities into four decisions, Track, Track*, Attend, and Act based on exploitation status, technical impact, mission prevalence, and impacts to safety and public-wellbeing.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 2-6).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES

  1. SentinelOne: Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
  2. Trend Micro: Ransomware Spotlight - Black Basta
  3. Kroll: Black Basta - Technical Analysis
  4. Who Is Black Basta? (blackberry.com)
  5. Palo Alto Networks: Threat Assessment - Black Basta Ransomware

REPORTING

Your organization has no obligation to respond or provide information back to FBI in response to this joint CSA. If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws.

FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

FBI, CISA, and HHS do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or by calling 1-844-Say-CISA [1-844-729-2472]).

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI, CISA, HHS, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, HHS, and MS-ISAC.

VERSION HISTORY

May 10, 2024: Initial version.

CISA and Partners Release Advisory on Black Basta Ransomware

✇US-CERT Current Activity
CISA

Today, CISA, in partnership with the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released joint Cybersecurity Advisory (CSA) #StopRansomware: Black Basta to provide cybersecurity defenders tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) used by known Black Basta ransomware affiliates and identified through FBI investigations and third-party reporting.

Black Basta is a ransomware-as-a-service (RaaS) variant, first identified in April 2022. Black Basta affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia.

CISA and partners encourage organizations to review and implement the mitigations provided in the joint CSA to reduce the likelihood and impact of Black Basta and other ransomware incidents. For more information, see StopRansomware.gov and the #StopRansomware Guide.

Delta Electronics InfraSuite Device Master

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Delta Electronics
  • Equipment: InfraSuite Device Master
  • Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Delta Electronics products are affected:

  • InfraSuite Device Master: Versions 1.0.10 and prior

3.2 Vulnerability Overview

3.2.1 Deserialization of Untrusted Data CWE-502

Delta Electronics InfraSuite Device Master contains a deserialization of untrusted data vulnerability because it runs a version of Apache ActiveMQ (5.15.2) which is vulnerable to CVE-2023-46604.

CVE-2023-46604 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-46604. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

An anonymous researcher working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics states that this issue was fixed by version 1.0.11 released in December 2023. Delta recommends updating to version 1.0.11 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 09, 2024: Initial Publication

Rockwell Automation FactoryTalk Historian SE

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 7.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: FactoryTalk Historian SE
  • Vulnerabilities: Missing Release of Resource after Effective Lifetime, Improper Check or Handling of Exceptional Conditions

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation FactoryTalk Historian SE, a data management application, are affected:

  • FactoryTalk Historian SE: Versions v9.0 and prior

3.2 Vulnerability Overview

3.2.1 MISSING RELEASE OF RESOURCE AFTER EFFECTIVE LIFETIME CWE-772

FactoryTalk Historian SE utilizes the AVEVA PI Server, which contains a vulnerability that could allow an unauthenticated user to cause a partial denial-of-service condition in the PI Message Subsystem of a PI Server by consuming available memory. This vulnerability exists in FactoryTalk Historian SE versions 9.0 and earlier. Exploitation of this vulnerability could cause FactoryTalk Historian SE to become unavailable, requiring a power cycle to recover it.

CVE-2023-31274 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-31274. A base score of 7.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H).

3.2.2 IMPROPER CHECK OR HANDLING OF EXCEPTIONAL CONDITIONS CWE-703

FactoryTalk Historian SE uses the AVEVA PI Server, which contains a vulnerability that could allow an unauthenticated user to remotely crash the PI Message Subsystem of a PI Server, resulting in a denial-of-service condition. This vulnerability exists in FactoryTalk Historian SE versions 9.0 and earlier. Exploitation of this vulnerability could cause FactoryTalk Historian SE to become unavailable, requiring a power cycle to recover it.

CVE-2023-34348 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-34348. A base score of 7.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation has released product updates addressing this vulnerability:

  • FactoryTalk Historian SE: Users using the affected software are encouraged to install FactoryTalk Historian SE version 9.01 or higher as soon as feasible.

For more information, see Rockwell Automation's article.(Login Required)

For more information about the AVEVA PI and AVEVA Edge products, see AVEVA-2024-001 and AVEVA-2024-002

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 09, 2024: Initial Publication

CISA Releases Four Industrial Control Systems Advisories

✇US-CERT Current Activity
CISA

CISA released four Industrial Control Systems (ICS) advisories on May 09, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

alpitronic Hypercharger EV Charger

✇US-CERT Current Activity
CISA

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: alpitronic
  • Equipment: Hypercharger EV charger
  • Vulnerability: Use of Default Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker disabling the device, bypassing payment, or accessing payment data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hypercharger EV charger, a high power charging station, are affected:

  • Hypercharger EV charger: all versions

3.2 Vulnerability Overview

3.2.1 USE OF DEFAULT CREDENTIALS CWE-1392

If misconfigured, the charging devices can expose a web interface protected by authentication. If the default credentials are not changed, an attacker can use public knowledge to access the device as an administrator.

CVE-2024-4622 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).

A CVSS v4 score has been calculated for CVE-2024-4622. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

Hanno Böck reported these vulnerabilities to CISA.

4. MITIGATIONS

alpitronic recommends users change the default credentials for all charging devices.

alpitronic advises that the interface should be connected only to internal segregated and access-controlled networks and not exposed to the public internet/web.

When informed of these vulnerabilities, alpitronic, in conjunction with and/or on behalf of affected clients, disabled the interface on any exposed devices and all clients were contacted directly and reminded that the interface is not intended to be visible on the public Internet and that default passwords should be changed.

alpitronic are also applying mitigations to all devices in the field and to new devices in production. New devices will come with unique passwords. Devices using the default password will be automatically assigned new unique passwords, or at first access if the device has not yet been installed. Devices with the default passwords already changed will not be affected. New passwords can be obtained by scanning the QR-Code inside the charger or in DMS portal hyperdoc. Contact Hypercharger support with any questions about newly assigned passwords.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 9, 2024: Initial Publication
❌