Vulnerability Summary for the Week of March 11, 2024

Released
Mar 18, 2024
Document ID
SB24-078

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


 

High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
academylms -- academy_lms_-_elearning_and_online_course_solution_for_wordpress
 
The Academy LMS - eLearning and online course solution for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.9.19. This is due to plugin allowing arbitrary user meta updates through the saved_user_info() function. This makes it possible for authenticated attackers, with minimal permissions such as students, to elevate their user role to that of an administrator.2024-03-138.8CVE-2024-1505
security@wordfence.com
security@wordfence.com
andrei_ivasiuc -- fontific_|_google_fonts
 
Cross-Site Request Forgery (CSRF) vulnerability in Andrei Ivasiuc Fontific | Google Fonts allows Stored XSS.This issue affects Fontific | Google Fonts: from n/a through 0.1.6.2024-03-167.1CVE-2024-27194
audit@patchstack.com
apache_software_foundation -- apache_pulsar
 
Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials. This issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0. The known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy's logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer's default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to "Cluster" by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren't known to be exposed. 2.10 Pulsar Proxy users should upgrade to at least 2.10.6. 2.11 Pulsar Proxy users should upgrade to at least 2.11.3. 3.0 Pulsar Proxy users should upgrade to at least 3.0.2. 3.1 Pulsar Proxy users should upgrade to at least 3.1.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it's imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses.2024-03-128.2CVE-2022-34321
security@apache.org
security@apache.org
apache_software_foundation -- apache_pulsar
 
Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true". This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Pulsar Function Worker users should upgrade to at least 2.10.6. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3. 3.1 Pulsar Function Worker users should upgrade to at least 3.1.3. 3.2 Pulsar Function Worker users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.2024-03-128.5CVE-2024-27135
security@apache.org
security@apache.org
apache_software_foundation -- apache_pulsar
 
In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren't properly validated, contain special elements like "..", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true". This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Pulsar Function Worker users should upgrade to at least 2.10.6. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3. 3.1 Pulsar Function Worker users should upgrade to at least 3.1.3. 3.2 Pulsar Function Worker users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.2024-03-128.4CVE-2024-27317
security@apache.org
security@apache.org
apache_software_foundation -- apache_pulsar
 
The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true". This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Pulsar Function Worker users should upgrade to at least 2.10.6. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3. 3.1 Pulsar Function Worker users should upgrade to at least 3.1.3. 3.2 Pulsar Function Worker users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. The updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: "additionalEnabledConnectorUrlPatterns" and "additionalEnabledFunctionsUrlPatterns". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.2024-03-128.5CVE-2024-27894
security@apache.org
security@apache.org
arcserve -- unified_data_protection
 
An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin.2024-03-139.8CVE-2024-0799
vulnreport@tenable.com
arcserve -- unified_data_protection
 
A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet.2024-03-138.8CVE-2024-0800
vulnreport@tenable.com
arcserve -- unified_data_protection
 
A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.2024-03-137.5CVE-2024-0801
vulnreport@tenable.com
argoproj -- argo-cd
 
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3 v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.2024-03-139CVE-2024-28175
security-advisories@github.com
security-advisories@github.com
autopolisbg -- bulgarisation_for_woocommerce
 
The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions in all versions up to, and including, 3.0.14. This makes it possible for unauthenticated and authenticated attackers, with subscriber-level access and above, to generate and delete labels.2024-03-137.3CVE-2024-0683
security@wordfence.com
security@wordfence.com
autopolisbg -- bulgarisation_for_woocommerce
 
The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.14. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to generate and delete labels via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.2024-03-127.3CVE-2024-2395
security@wordfence.com
security@wordfence.com
aweber -- aweber_-_free_sign_up_form_and_landing_page_builder_plugin_for_lead_generation_and_email_newsletter_growth
 
The AWeber - Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth plugin for WordPress is vulnerable to SQL Injection via the 'post_id' parameter in all versions up to, and including, 7.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.2024-03-137.2CVE-2024-1793
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
badger_meter -- monitool
 
SQL injection vulnerability in Badger Meter Monitool affecting versions 4.6.3 and earlier. A remote attacker could send a specially crafted SQL query to the server via the j_username parameter and retrieve the information stored in the database.2024-03-129.8CVE-2024-1301
cve-coordination@incibe.es
badger_meter -- monitool
 
Information exposure vulnerability in Badger Meter Monitool affecting versions up to 4.6.3 and earlier. A local attacker could change the application's file parameter to a log file obtaining all sensitive information such as database credentials.2024-03-127.3CVE-2024-1302
cve-coordination@incibe.es
bee -- beepress
 
Cross-Site Request Forgery (CSRF) vulnerability in Bee BeePress allows Stored XSS.This issue affects BeePress: from n/a through 6.9.8.2024-03-167.1CVE-2024-27197
audit@patchstack.com
boldgrid -- weforms_-_easy_drag_&_drop_contact_form_builder_for_wordpress
 
The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Referer' HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-127.2CVE-2024-0386
security@wordfence.com
security@wordfence.com
canon_inc. -- color_imageclass_mf740c_series
 
Buffer overflow in identifier field of WSD probe request process of Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code.*:Satera MF740C Series/Satera MF640C Series/Satera LBP660C Series/Satera LBP620C Series firmware v12.07 and earlier, and Satera MF750C Series/Satera LBP670C Series firmware v03.09 and earlier sold in Japan.Color imageCLASS MF740C Series/Color imageCLASS MF640C Series/Color imageCLASS X MF1127C/Color imageCLASS LBP664Cdw/Color imageCLASS LBP622Cdw/Color imageCLASS X LBP1127C firmware v12.07 and earlier, and Color imageCLASS MF750C Series/Color imageCLASS X MF1333C/Color imageCLASS LBP674Cdw/Color imageCLASS X LBP1333C firmware v03.09 and earlier sold in US.i-SENSYS MF740C Series/i-SENSYS MF640C Series/C1127i Series/i-SENSYS LBP660C Series/i-SENSYS LBP620C Series/C1127P firmware v12.07 and earlier, and i-SENSYS MF750C Series/C1333i Series/i-SENSYS LBP673Cdw/C1333P firmware v03.09 and earlier sold in Europe.   
chatgptnextweb -- nextchat
 
NextChat, also known as ChatGPT-Next-Web, is a cross-platform chat user interface for use with ChatGPT. Versions 2.11.2 and prior are vulnerable to server-side request forgery and cross-site scripting. This vulnerability enables read access to internal HTTP endpoints but also write access using HTTP POST, PUT, and other methods. Attackers can also use this vulnerability to mask their source IP by forwarding malicious traffic intended for other Internet targets through these open proxies. As of time of publication, no patch is available, but other mitigation strategies are available. Users may avoid exposing the application to the public internet or, if exposing the application to the internet, ensure it is an isolated network with no access to any other internal resources.2024-03-129.1CVE-2023-49785
security-advisories@github.com
security-advisories@github.com
cisco -- cisco_ios_xr_software
 
A vulnerability in the Layer 2 Ethernet services of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the line card network processor to reset, resulting in a denial of service (DoS) condition. This vulnerability is due to the incorrect handling of specific Ethernet frames that are received on line cards that have the Layer 2 services feature enabled. An attacker could exploit this vulnerability by sending specific Ethernet frames through an affected device. A successful exploit could allow the attacker to cause the ingress interface network processor to reset, resulting in a loss of traffic over the interfaces that are supported by the network processor. Multiple resets of the network processor would cause the line card to reset, resulting in a DoS condition.2024-03-137.4CVE-2024-20318
ykramarz@cisco.com
cisco -- cisco_ios_xr_software
 
A vulnerability in the SSH client feature of Cisco IOS XR Software for Cisco 8000 Series Routers and Cisco Network Convergence System (NCS) 540 Series and 5700 Series Routers could allow an authenticated, local attacker to elevate privileges on an affected device. This vulnerability is due to insufficient validation of arguments that are included with the SSH client CLI command. An attacker with low-privileged access to an affected device could exploit this vulnerability by issuing a crafted SSH client command to the CLI. A successful exploit could allow the attacker to elevate privileges to root on the affected device.2024-03-137.8CVE-2024-20320
ykramarz@cisco.com
cisco -- cisco_ios_xr_software
 
A vulnerability in the PPP over Ethernet (PPPoE) termination feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, adjacent attacker to crash the ppp_ma process, resulting in a denial of service (DoS) condition. This vulnerability is due to the improper handling of malformed PPPoE packets that are received on a router that is running Broadband Network Gateway (BNG) functionality with PPPoE termination on a Lightspeed-based or Lightspeed-Plus-based line card. An attacker could exploit this vulnerability by sending a crafted PPPoE packet to an affected line card interface that does not terminate PPPoE. A successful exploit could allow the attacker to crash the ppp_ma process, resulting in a DoS condition for PPPoE traffic across the router.2024-03-137.4CVE-2024-20327
ykramarz@cisco.com
cms_made_simple -- cms_made_simple
 
Unrestricted file upload vulnerability in CMS Made Simple, affecting version 2.2.14. This vulnerability allows an authenticated user to bypass the security measures of the upload functionality and potentially create a remote execution of commands via webshell.2024-03-129.8CVE-2024-1527
cve-coordination@incibe.es
cms_made_simple -- cms_made_simple
 
CMS Made Simple version 2.2.14, does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/moduleinterface.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.2024-03-127.4CVE-2024-1528
cve-coordination@incibe.es
cms_made_simple -- cms_made_simple
 
Vulnerability in CMS Made Simple 2.2.14, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/adduser.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially take over their browser session.2024-03-127.4CVE-2024-1529
cve-coordination@incibe.es
codepeople -- calculated_fields_form
 
The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the professional version or higher.2024-03-137.2CVE-2024-2020
security@wordfence.com
security@wordfence.com
concerted_action -- action_network
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Concerted Action Action Network allows Reflected XSS.This issue affects Action Network: from n/a through 1.4.2.2024-03-157.1CVE-2024-25921
audit@patchstack.com
corewcf -- corewcf
 
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. If you have a NetFraming based CoreWCF service, extra system resources could be consumed by connections being left established instead of closing or aborting them. There are two scenarios when this can happen. When a client established a connection to the service and sends no data, the service will wait indefinitely for the client to initiate the NetFraming session handshake. Additionally, once a client has established a session, if the client doesn't send any requests for the period of time configured in the binding ReceiveTimeout, the connection is not properly closed as part of the session being aborted. The bindings affected by this behavior are NetTcpBinding, NetNamedPipeBinding, and UnixDomainSocketBinding. Only NetTcpBinding has the ability to accept non local connections. The currently supported versions of CoreWCF are v1.4.x and v1.5.x. The fix can be found in v1.4.2 and v1.5.3 of the CoreWCF packages. Users are advised to upgrade. There are no workarounds for this issue.2024-03-157.5CVE-2024-28252
security-advisories@github.com
security-advisories@github.com
cyberlord92 -- web_application_firewall_-_website_security
 
The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator.2024-03-139.8CVE-2024-2172
security@wordfence.com
security@wordfence.com
security@wordfence.com
dell -- poweredge_platform
 
Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an Improper SMM communication buffer verification vulnerability. A local low privileged attacker could potentially exploit this vulnerability leading to arbitrary writes to SMRAM.2024-03-137.2CVE-2024-0161
security_alert@emc.com
etoile_web_design -- ultimate_reviews
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Etoile Web Design Ultimate Reviews allows Stored XSS.This issue affects Ultimate Reviews: from n/a through 3.2.8.2024-03-157.1CVE-2024-25597
audit@patchstack.com
faronics -- deep_freeze_server_standard
 
A search path or unquoted item vulnerability in Faronics Deep Freeze Server Standard, which affects versions 8.30.020.4627 and earlier. This vulnerability affects the DFServ.exe file. An attacker with local user privileges could exploit this vulnerability to replace the legitimate DFServ.exe service executable with a malicious file of the same name and located in a directory that has a higher priority than the legitimate directory. Thus, when the service starts, it will run the malicious file instead of the legitimate executable, allowing the attacker to execute arbitrary code, gain unauthorized access to the compromised system or stop the service from running.2024-03-127.8CVE-2024-1618
cve-coordination@incibe.es
fortinet -- forticlient_endpoint_management_serverA improper neutralization of formula elements in a csv file in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.10, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, 6.0.0 through 6.0.8 allows attacker to execute unauthorized code or commands via specially crafted packets.2024-03-128.8CVE-2023-47534
psirt@fortinet.com
fortinet -- forticlient_enterprise_management_serverA improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.2024-03-129.8CVE-2023-48788
psirt@fortinet.com
fortinet -- fortimanagerA improper access control in Fortinet FortiManager version 7.4.0, version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.10, version 6.4.0 through 6.4.13, 6.2 all versions allows attacker to execute unauthorized code or commands via specially crafted HTTP requests.2024-03-129.8CVE-2023-36554
psirt@fortinet.com
fortinet -- fortios
 
An improper authentication vulnerability [CWE-287] in FortiOS versions 7.4.1 and below, versions 7.2.6 and below, and versions 7.0.12 and below when configured with FortiAuthenticator in HA may allow a readonly user to gain read-write access via successive login attempts.2024-03-127.5CVE-2023-46717
psirt@fortinet.com
fortinet -- fortiproxyA out-of-bounds write in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13 allows attacker to execute unauthorized code or commands via specially crafted HTTP requests.2024-03-129.8CVE-2023-42789
psirt@fortinet.com
fortinet -- fortiproxyA stack-based buffer overflow in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13 allows attacker to execute unauthorized code or commands via specially crafted HTTP requests.2024-03-128.1CVE-2023-42790
psirt@fortinet.com
fortra -- filecatalyst
 
A directory traversal within the 'ftpservlet' of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended 'uploadtemp' directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal's DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.2024-03-139.8CVE-2024-25153
df4dee71-de3a-4139-9588-11b62fe6c0ff
df4dee71-de3a-4139-9588-11b62fe6c0ff
freescout-helpdesk -- freescout
 
FreeScout is an open source help desk and shared inbox built with PHP. A vulnerability has been identified in the Free Scout Application, which exposes SMTP server credentials used by an organization in the application to users of the application. This issue arises from the application storing complete stack traces of exceptions in its database. The sensitive information is then inadvertently disclosed to users via the `/conversation/ajax-html/send_log?folder_id=&thread_id={id}` endpoint. The stack trace reveals value of parameters, including the username and password, passed to the `Swift_Transport_Esmtp_Auth_LoginAuthenticator->authenticate()` function. Exploiting this vulnerability allows an attacker to gain unauthorized access to SMTP server credentials. With this sensitive information in hand, the attacker can potentially send unauthorized emails from the compromised SMTP server, posing a severe threat to the confidentiality and integrity of email communications. This could lead to targeted attacks on both the application users and the organization itself, compromising the security of email exchange servers. This issue has been addressed in version 1.8.124. Users are advised to upgrade. Users unable to upgrade should adopt the following measures: 1. Avoid Storing Complete Stack Traces, 2. Implement redaction mechanisms to filter and exclude sensitive information, and 3. Review and enhance the application's logging practices.2024-03-127.1CVE-2024-28186
security-advisories@github.com
security-advisories@github.com
givewp -- give
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GiveWP Give allows Reflected XSS.This issue affects Give: from n/a through 3.3.1.2024-03-157.1CVE-2024-27987
audit@patchstack.com
go-vela -- worker
 
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and - by using common substitution string manipulation - can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the "no commands" option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. **To exploit this** the pipeline author must be supplying the secrets to a plugin that is designed in such a way that will print those parameters in logs. Plugin parameters are not designed for sensitive values and are often intentionally printed throughout execution for informational/debugging purposes. Parameters should therefore be treated as insensitive. While Vela provides secrets masking, secrets exposure is not entirely solved by the masking process. A docker image (plugin) can easily expose secrets if they are not handled properly, or altered in some way. There is a responsibility on the end-user to understand how values injected into a plugin are used. This is a risk that exists for many CICD systems (like GitHub Actions) that handle sensitive runtime variables. Rather, the greater risk is that users who restrict a secret to the "no commands" option and use image restriction can still have their secret value exposed via substitution tinkering, which turns the image and command restrictions into a false sense of security. This issue has been addressed in version 0.23.2. Users are advised to upgrade. Users unable to upgrade should not provide sensitive values to plugins that can potentially expose them, especially in `parameters` that are not intended to be used for sensitive values, ensure plugins (especially those that utilize shared secrets) follow best practices to avoid logging parameters that are expected to be sensitive, minimize secrets with `pull_request` events enabled, as this allows users to change pipeline configurations and pull in secrets to steps not typically part of the CI process, make use of the build approval setting, restricting builds from untrusted users, and limit use of shared secrets, as they are less restrictive to access by nature.2024-03-127.7CVE-2024-28236
security-advisories@github.com
security-advisories@github.com
hammadh -- play.ht_-_make_your_blog_posts_accessible_with_text_to_speech_audio
 
The Play.ht - Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.4 via deserialization of untrusted input from the play_podcast_data post meta. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.2024-03-138.8CVE-2024-1772
security@wordfence.com
security@wordfence.com
hopsoft -- turbo_boost-commands
 
turbo_boost-commands is a set of commands to help you build robust reactive applications with Rails & Hotwire. TurboBoost Commands has existing protections in place to guarantee that only public methods on Command classes can be invoked; however, the existing checks aren't as robust as they should be. It's possible for a sophisticated attacker to invoke more methods than should be permitted depending on the the strictness of authorization checks that individual applications enforce. Being able to call some of these methods can have security implications. Commands verify that the class must be a `Command` and that the method requested is defined as a public method; however, this isn't robust enough to guard against all unwanted code execution. The library should more strictly enforce which methods are considered safe before allowing them to be executed. This issue has been addressed in versions 0.1.3, and 0.2.2. Users are advised to upgrade. Users unable to upgrade should see the repository GHSA for workaround advice.2024-03-148.1CVE-2024-28181
security-advisories@github.com
security-advisories@github.com
ibm -- i
 
Db2 for IBM i 7.2, 7.3, 7.4, and 7.5 infrastructure could allow a local user to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege. IBM X-Force ID: 280203.2024-03-148.4CVE-2024-22346
psirt@us.ibm.com
psirt@us.ibm.com
ibm -- maximo_asset_management
 
IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 284566.2024-03-148.2CVE-2024-27266
psirt@us.ibm.com
psirt@us.ibm.com
intumit -- smartrobot
 
Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.2024-03-139.8CVE-2024-2413
twcert@cert.org.tw
inunosinsi -- soycms
 
SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-117.2CVE-2024-28187
security-advisories@github.com
security-advisories@github.com
jfrog -- artifactory
 
JFrog Artifactory versions below 7.77.7, 7.82.1, are vulnerable to DOM-based cross-site scripting due to improper handling of the import override mechanism.2024-03-138.8CVE-2024-2247
reefs@jfrog.com
joel_starnes -- postmash_-_custom_post_order
 
Cross Site Scripting (XSS) vulnerability in Joel Starnes postMash - custom post order allows Reflected XSS.This issue affects postMash - custom post order: from n/a through 1.2.0.2024-03-157.1CVE-2024-27196
audit@patchstack.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability classified as critical was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. The manipulation of the argument email leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256951. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-157.3CVE-2024-2514
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
manageengine_ -- manageengine_desktop_central
 
Unrestricted file upload vulnerability in ManageEngine Desktop Central affecting version 9, build 90055. This vulnerability could allow a remote attacker to upload a malicious file to the system without any credentials provided.2024-03-119.8CVE-2024-2370
cve-coordination@incibe.es
mattermost -- mattermost
 
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.2024-03-158.8CVE-2024-2450
responsibledisclosure@mattermost.com
microsoft -- azure_data_studio
 
Azure Data Studio Elevation of Privilege Vulnerability2024-03-127.3CVE-2024-26203
secure@microsoft.com
microsoft -- azure_kubernetes_service
 
Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability2024-03-129CVE-2024-21400
secure@microsoft.com
microsoft -- azure_sdk
 
Azure SDK Spoofing Vulnerability2024-03-127.5CVE-2024-21421
secure@microsoft.com
microsoft -- microsoft_365_apps_for_enterprise
 
Microsoft Office Elevation of Privilege Vulnerability2024-03-127.8CVE-2024-26199
secure@microsoft.com
microsoft -- microsoft_authenticator
 
Microsoft Authenticator Elevation of Privilege Vulnerability2024-03-127.1CVE-2024-21390
secure@microsoft.com
microsoft -- microsoft_dynamics_365_(on-premises)_version_9.1

 

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability2024-03-127.6CVE-2024-21419
secure@microsoft.com
microsoft -- microsoft_exchange_server_2019_cumulative_update_14
 
Microsoft Exchange Server Remote Code Execution Vulnerability2024-03-128.8CVE-2024-26198
secure@microsoft.com
microsoft -- microsoft_outlook_for_android
 
Outlook for Android Information Disclosure Vulnerability2024-03-127.5CVE-2024-26204
secure@microsoft.com
microsoft -- microsoft_sharepoint_enterprise_server_2016
 
Microsoft SharePoint Server Remote Code Execution Vulnerability2024-03-127.8CVE-2024-21426
secure@microsoft.com
microsoft -- microsoft_visual_studio_2022_version_17.9
 
.NET and Visual Studio Denial of Service Vulnerability2024-03-127.5CVE-2024-21392
secure@microsoft.com
microsoft -- microsoft_visual_studio_2022_version_17.9
 
Microsoft QUIC Denial of Service Vulnerability2024-03-127.5CVE-2024-26190
secure@microsoft.com
microsoft -- skype_for_consumer
 
Skype for Consumer Remote Code Execution Vulnerability2024-03-128.8CVE-2024-21411
secure@microsoft.com
microsoft -- software_for_open_networking_in_the_cloud_(sonic)
 
Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability2024-03-127.8CVE-2024-21418
secure@microsoft.com
microsoft -- sql_server_backend_for_django
 
Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability2024-03-128.8CVE-2024-26164
secure@microsoft.com
microsoft -- system_center_operations_manager_(scom)_2019
 
Open Management Infrastructure (OMI) Remote Code Execution Vulnerability2024-03-129.8CVE-2024-21334
secure@microsoft.com
microsoft -- system_center_operations_manager_(scom)_2019
 
Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability2024-03-127.8CVE-2024-21330
secure@microsoft.com
microsoft -- visual_studio_code
 
Visual Studio Code Elevation of Privilege Vulnerability2024-03-128.8CVE-2024-26165
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Hyper-V Remote Code Execution Vulnerability2024-03-128.1CVE-2024-21407
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Microsoft ODBC Driver Remote Code Execution Vulnerability2024-03-128.8CVE-2024-21440
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability2024-03-128.8CVE-2024-21441
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability2024-03-128.8CVE-2024-21444
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability2024-03-128.8CVE-2024-21450
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Microsoft ODBC Driver Remote Code Execution Vulnerability2024-03-128.8CVE-2024-21451
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Microsoft ODBC Driver Remote Code Execution Vulnerability2024-03-128.8CVE-2024-26159
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability2024-03-128.8CVE-2024-26161
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Microsoft ODBC Driver Remote Code Execution Vulnerability2024-03-128.8CVE-2024-26162
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability2024-03-128.8CVE-2024-26166
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Kerberos Security Feature Bypass Vulnerability2024-03-127.5CVE-2024-21427
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Update Stack Elevation of Privilege Vulnerability2024-03-127CVE-2024-21432
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Print Spooler Elevation of Privilege Vulnerability2024-03-127CVE-2024-21433
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability2024-03-127.8CVE-2024-21434
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Installer Elevation of Privilege Vulnerability2024-03-127.8CVE-2024-21436
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Graphics Component Elevation of Privilege Vulnerability2024-03-127.8CVE-2024-21437
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Microsoft AllJoyn API Denial of Service Vulnerability2024-03-127.5CVE-2024-21438
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Telephony Server Elevation of Privilege Vulnerability2024-03-127CVE-2024-21439
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Kernel Elevation of Privilege Vulnerability2024-03-127.3CVE-2024-21443
secure@microsoft.com
microsoft -- windows_10_version_1809
 
NTFS Elevation of Privilege Vulnerability2024-03-127.8CVE-2024-21446
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Error Reporting Service Elevation of Privilege Vulnerability2024-03-127.8CVE-2024-26169
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Kernel Elevation of Privilege Vulnerability2024-03-127.8CVE-2024-26173
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Kernel Elevation of Privilege Vulnerability2024-03-127.8CVE-2024-26176
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Kernel Elevation of Privilege Vulnerability2024-03-127.8CVE-2024-26178
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Kernel Elevation of Privilege Vulnerability2024-03-127.8CVE-2024-26182
secure@microsoft.com
microsoft -- windows_11_version_22h2
 
Windows OLE Remote Code Execution Vulnerability2024-03-128.8CVE-2024-21435
secure@microsoft.com
microsoft -- windows_server_2022
 
Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability2024-03-127.8CVE-2024-21431
secure@microsoft.com
microsoft -- windows_server_2022
 
Windows USB Print Driver Elevation of Privilege Vulnerability2024-03-127.8CVE-2024-21442
secure@microsoft.com
microsoft -- windows_server_2022
 
Windows USB Print Driver Elevation of Privilege Vulnerability2024-03-127CVE-2024-21445
secure@microsoft.com
microsoft -- windows_server_2022
 
Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability2024-03-127.8CVE-2024-26170
secure@microsoft.com
mitsubishi_electric_corporation -- melsec-q_series_q03udecpu
 
Incorrect Pointer Scaling vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to read arbitrary information from a target product or execute malicious code on a target product by sending a specially crafted packet.2024-03-159.8CVE-2024-0802
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
mitsubishi_electric_corporation -- melsec-q_series_q03udecpu
 
Integer Overflow or Wraparound vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to execute malicious code on a target product by sending a specially crafted packet.2024-03-159.8CVE-2024-0803
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
mitsubishi_electric_corporation -- melsec-q_series_q03udecpu
 
Incorrect Pointer Scaling vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to execute malicious code on a target product by sending a specially crafted packet.2024-03-159.8CVE-2024-1915
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
mitsubishi_electric_corporation -- melsec-q_series_q03udecpu
 
Integer Overflow or Wraparound vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to execute malicious code on a target product by sending a specially crafted packet.2024-03-159.8CVE-2024-1916
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
mitsubishi_electric_corporation -- melsec-q_series_q03udecpu
 
Integer Overflow or Wraparound vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to execute malicious code on a target product by sending a specially crafted packet.2024-03-159.8CVE-2024-1917
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
mndpsingh287 -- file_manager
 
The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal in versions up to, and including version 7.2.1 (free version) and 8.3.4 (Pro version) via the target parameter in the mk_file_folder_manager_action_callback_shortcode function. This makes it possible for attackers to read the contents of arbitrary files on the server, which can contain sensitive information and to upload files into directories other than the intended directory for file uploads. The free version requires Administrator access for this vulnerability to be exploitable. The Pro version allows a file manager to be embedded via a shortcode and also allows admins to grant file handling privileges to other user levels, which could lead to this vulnerability being exploited by lower-level users.2024-03-139.9CVE-2023-6825
security@wordfence.com
security@wordfence.com
security@wordfence.com
mostafas1990 -- wp_statistics
 
The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL search parameter in all versions up to, and including, 14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-137.2CVE-2024-2194
security@wordfence.com
security@wordfence.com
movistar_ -- router_movistar_4g
 
The primary channel is unprotected on Movistar 4G router affecting E version S_WLD71-T1_v2.0.201820. This device has the 'adb' service open on port 5555 and provides access to a shell with root privileges.2024-03-138.8CVE-2024-2414
cve-coordination@incibe.es
movistar_ -- router_movistar_4g
 
Command injection vulnerability in Movistar 4G router affecting version ES_WLD71-T1_v2.0.201820. This vulnerability allows an authenticated user to execute commands inside the router by making a POST request to the URL '/cgi-bin/gui.cgi'.2024-03-137.8CVE-2024-2415
cve-coordination@incibe.es
n/a -- 4th_generation_intel(r)_xeon(r)_processors_when_using_intel(r)_sgx_or_intel(r)_tdx
 
On-chip debug and test interface with improper access control in some 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.2024-03-147.2CVE-2023-32666
secure@intel.com
n/a -- intel(r)_processors
 
Race condition in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.2024-03-147.2CVE-2023-32282
secure@intel.com
ni -- labview
 
An out of bounds write due to a missing bounds check in LabVIEW may result in remote code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. This vulnerability affects LabVIEW 2024 Q1 and prior versions.2024-03-117.8CVE-2024-23608
security@ni.com
ni -- labview
 
An improper error handling vulnerability in LabVIEW may result in remote code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. This vulnerability affects LabVIEW 2024 Q1 and prior versions.2024-03-117.8CVE-2024-23609
security@ni.com
ni -- labview
 
An out of bounds write due to a missing bounds check in LabVIEW may result in remote code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. This vulnerability affects LabVIEW 2024 Q1 and prior versions.2024-03-117.8CVE-2024-23610
security@ni.com
ni -- labview
 
An out of bounds write due to a missing bounds check in LabVIEW may result in remote code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. This vulnerability affects LabVIEW 2024 Q1 and prior versions.2024-03-117.8CVE-2024-23611
security@ni.com
ni -- labview
 
An improper error handling vulnerability in LabVIEW may result in remote code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. This vulnerability affects LabVIEW 2024 Q1 and prior versions.2024-03-117.8CVE-2024-23612
security@ni.com
open-metadata -- openmetadata
 
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. `CompiledRule::validateExpression` is also called from `PolicyRepository.prepare`. `prepare()` is called from `EntityRepository.prepareInternal()` which, in turn, gets called from `EntityResource.createOrUpdate()`. Note that even though there is an authorization check (`authorizer.authorize()`), it gets called after `prepareInternal()` gets called and therefore after the SpEL expression has been evaluated. In order to reach this method, an attacker can send a PUT request to `/api/v1/policies` which gets handled by `PolicyResource.createOrUpdate()`. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-252`. This issue may lead to Remote Code Execution and has been addressed in version 1.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-159.4CVE-2024-28253
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
open-metadata -- openmetadata
 
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request's path is checked against this list. When the request's path contains any of the excluded endpoints the filter returns without validating the JWT. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses the `SecurityContext.getUserPrincipal()` since it will return `null` and will throw an NPE. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`.2024-03-159.8CVE-2024-28255
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
open-metadata -- openmetadata
 
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `?AlertUtil::validateExpression` method evaluates an SpEL expression using `getValue` which by default uses the `StandardEvaluationContext`, allowing the expression to reach and interact with Java classes such as `java.lang.Runtime`, leading to Remote Code Execution. The `/api/v1/events/subscriptions/validation/condition/<expression>` endpoint passes user-controlled data `AlertUtil::validateExpession` allowing authenticated (non-admin) users to execute arbitrary system commands on the underlaying operating system. In addition, there is a missing authorization check since `Authorizer.authorize()` is never called in the affected path and, therefore, any authenticated non-admin user is able to trigger this endpoint and evaluate arbitrary SpEL expressions leading to arbitrary command execution. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-235`. This issue may lead to Remote Code Execution and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-158.8CVE-2024-28254
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
open-metadata -- openmetadata
 
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. Similarly to the GHSL-2023-250 issue, `AlertUtil::validateExpression` is also called from `EventSubscriptionRepository.prepare()`, which can lead to Remote Code Execution. `prepare()` is called from `EntityRepository.prepareInternal()` which, in turn, gets called from `EntityResource.createOrUpdate()`. Note that, even though there is an authorization check (`authorizer.authorize()`), it gets called after `prepareInternal()` gets called and, therefore, after the SpEL expression has been evaluated. In order to reach this method, an attacker can send a PUT request to `/api/v1/events/subscriptions` which gets handled by `EventSubscriptionResource.createOrUpdateEventSubscription()`. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query. This issue may lead to Remote Code Execution and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-251`.2024-03-158.8CVE-2024-28847
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
open-metadata -- openmetadata
 
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `?CompiledRule::validateExpression` method evaluates an SpEL expression using an `StandardEvaluationContext`, allowing the expression to reach and interact with Java classes such as `java.lang.Runtime`, leading to Remote Code Execution. The `/api/v1/policies/validation/condition/<expression>` endpoint passes user-controlled data `CompiledRule::validateExpession` allowing authenticated (non-admin) users to execute arbitrary system commands on the underlaying operating system. In addition, there is a missing authorization check since `Authorizer.authorize()` is never called in the affected path and therefore any authenticated non-admin user is able to trigger this endpoint and evaluate arbitrary SpEL expressions leading to arbitrary command execution. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-236`. This issue may lead to Remote Code Execution and has been resolved in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-158.8CVE-2024-28848
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
opentext -- netiq_privileged_account_manager
 
Allocation of Resources Without Limits or Throttling vulnerability in OpenText NetIQ Privileged Account Manager on Linux, Windows, 64 bit allows Flooding.This issue affects NetIQ Privileged Account Manager: before 3.7.0.2.2024-03-138.6CVE-2020-11862
security@opentext.com
opentextâ„¢ -- exceed_turbo_x
 
Improper authentication vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.0 and 12.5.1. The vulnerability could allow disclosure of restricted information in unauthenticated RPC. 2024-03-138.6CVE-2023-38534
security@opentext.com
papercut -- papercut_ng,_papercut_mf
 
This allows attackers to use a maliciously formed API request to gain access to an API authorization level with elevated privileges. This applies to a small subset of PaperCut NG/MF API calls.2024-03-148.6CVE-2024-1222
eb41dac7-0af8-4f84-9f6d-0272772514f4
papercut -- papercut_ng,_papercut_mf
 
This vulnerability potentially allows unauthorized write operations which may lead to remote code execution. An attacker must already have authenticated admin access and knowledge of both an internal system identifier and details of another valid user to exploit this.2024-03-147.2CVE-2024-1654
eb41dac7-0af8-4f84-9f6d-0272772514f4
papercut -- papercut_ng,_papercut_mf
 
This vulnerability allows an already authenticated admin user to create a malicious payload that could be leveraged for remote code execution on the server hosting the PaperCut NG/MF application server.2024-03-147.2CVE-2024-1882
eb41dac7-0af8-4f84-9f6d-0272772514f4
payu -- payu_india
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PayU PayU India allows Reflected XSS.This issue affects PayU India: from n/a through 3.8.2.2024-03-157.1CVE-2024-27193
audit@patchstack.com
peering-manager -- peering-manager
 
Peering Manager is a BGP session management tool. There is a Server Side Template Injection vulnerability that leads to Remote Code Execution in Peering Manager <=1.8.2. As a result arbitrary commands can be executed on the operating system that is running Peering Manager. This issue has been addressed in version 1.8.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-128.1CVE-2024-28114
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
pegasystems -- pega_platform
 
Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation.2024-03-147.7CVE-2023-50168
security@pega.com
phlex-ruby -- phlex
 
phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`.2024-03-117.1CVE-2024-28199
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
phoenix_contact -- charx_sec-3000
 
An unauthenticated remote attacker can modify configurations to perform a remote code execution due to a missing authentication for a critical function.2024-03-129.8CVE-2024-25995
info@cert.vde.com
phoenix_contact -- charx_sec-3000
 
An unauthenticated local attacker can perform a privilege escalation due to improper input validation in the OCPP agent service. 2024-03-128.4CVE-2024-25999
info@cert.vde.com
phoenix_contact -- charx_sec-3000
 
An unauthenticated remote attacker can influence the communication due to the lack of encryption of sensitive data via a MITM. Charging is not affected.2024-03-128.7CVE-2024-26288
info@cert.vde.com
phoenix_contact -- charx_sec-3000
 
An unauthenticated remote attacker can perform a command injection in the OCPP Service with limited privileges due to improper input validation.2024-03-127.3CVE-2024-25998
info@cert.vde.com
phoenix_contact -- charx_sec-3000
 
An unauthenticated remote attacker can write memory out of bounds due to improper input validation in the MQTT stack. The brute force attack is not always successful because of memory randomization.2024-03-127.4CVE-2024-26001
info@cert.vde.com
phoenix_contact -- charx_sec-3000
 
An improper input validation in the Qualcom plctool allows a local attacker with low privileges to gain root access by changing the ownership of specific files.2024-03-127.8CVE-2024-26002
info@cert.vde.com
phoenix_contact -- charx_sec-3000
 
An unauthenticated remote attacker can DoS the control agent due to a out-of-bounds read which may prevent or disrupt the charging functionality. 2024-03-127.5CVE-2024-26003
info@cert.vde.com
phoenix_contact -- charx_sec-3000
 
An unauthenticated remote attacker can DoS a control agent due to access of a uninitialized pointer which may prevent or disrupt the charging functionality.2024-03-127.5CVE-2024-26004
info@cert.vde.com
pickplugins -- post_grid,_form_maker,_popup_maker,_woocommerce_blocks,_post_blocks,_post_carousel_-_combo_blocks
 
The Post Grid Combo - 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.68 via the 'get_posts' REST API Endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including full draft posts and password protected posts, as well as the password for password-protected posts.2024-03-127.5CVE-2023-7072
security@wordfence.com
security@wordfence.com
security@wordfence.com
pixelemu -- terraclassifieds
 
Cross-Site Request Forgery (CSRF) vulnerability in Pixelemu TerraClassifieds.This issue affects TerraClassifieds: from n/a through 2.0.3.2024-03-168.8CVE-2023-51474
audit@patchstack.com
plv8 -- plv8
 
A user who can create objects in a database with plv8 3.2.1 installed is able to cause deferred triggers to execute as the Superuser during autovacuum.2024-03-147.2CVE-2024-1713
cve-coordination@google.com
projectdiscovery -- nuclei
 
projectdiscovery/nuclei is a fast and customisable vulnerability scanner based on simple YAML based DSL. A significant security oversight was identified in Nuclei v3, involving the execution of unsigned code templates through workflows. This vulnerability specifically affects users utilizing custom workflows, potentially allowing the execution of malicious code on the user's system. This advisory outlines the impacted users, provides details on the security patch, and suggests mitigation strategies. The vulnerability is addressed in Nuclei v3.2.0. Users are strongly recommended to update to this version to mitigate the security risk. Users should refrain from using custom workflows if unable to upgrade immediately. Only trusted, verified workflows should be executed.2024-03-157.4CVE-2024-27920
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
pterodactyl -- wings
 
Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is exactly unknown, but reading files outside of a server's base directory (sandbox root) is possible. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Details on the exploitation of this vulnerability are embargoed until March 27th, 2024 at 18:00 UTC. In order to mitigate this vulnerability, a full rewrite of the entire server filesystem was necessary. Because of this, the size of the patch is massive, however effort was made to reduce the amount of breaking changes. Users are advised to update to version 1.11.9. There are no known workarounds for this vulnerability.2024-03-139.9CVE-2024-27102
security-advisories@github.com
security-advisories@github.com
realmag777 -- husky_-_products_filter_professional_for_woocommerce
 
The HUSKY - Products Filter for WooCommerce Professional plugin for WordPress is vulnerable to SQL Injection via the 'name' parameter in the woof shortcode in all versions up to, and including, 1.3.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.2024-03-158.8CVE-2024-1795
security@wordfence.com
security@wordfence.com
rejetto_ -- http_file_server_
 
The software does not neutralize or incorrectly neutralizes certain characters before the data is included in outgoing HTTP headers. The inclusion of invalidated data in an HTTP header allows an attacker to specify the full HTTP response represented by the browser. An attacker could control the response and craft attacks such as cross-site scripting and cache poisoning attacks.2024-03-127.5CVE-2024-1226
cve-coordination@incibe.es
renventura -- woocommerce_add_to_cart_custom_redirect
 
The WooCommerce Add to Cart Custom Redirect plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wcr_dismiss_admin_notice' function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with contributor access and above, to update the values of arbitrary site options to 'dismissed'.2024-03-138.1CVE-2024-1862
security@wordfence.com
security@wordfence.com
security@wordfence.com
root3nl -- supportapp
 
Support App is an opensource application specialized in managing Apple devices. It's possible to abuse a vulnerability inside the postinstall installer script to make the installer execute arbitrary code as root. The cause of the vulnerability is the fact that the shebang `#!/bin/zsh` is being used. When the installer is executed it asks for the users password to be executed as root. However, it'll still be using the $HOME of the user and therefore loading the file `$HOME/.zshenv` when the `postinstall` script is executed. An attacker could add malicious code to `$HOME/.zshenv` and it will be executed when the app is installed. An attacker may leverage this vulnerability to escalate privilege on the system. This issue has been addressed in version 2.5.1 Rev 2. All users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-147.3CVE-2024-27301
security-advisories@github.com
security-advisories@github.com
sagemcom -- fast3686_v2_vodafone
 
Insufficient session timeout vulnerability in the FAST3686 V2 Vodafone router from Sagemcom. This vulnerability could allow a local attacker to access the administration panel without requiring login credentials. This vulnerability is possible because the 'Login.asp and logout.asp' files do not handle session details correctly.2024-03-147.7CVE-2024-1623
cve-coordination@incibe.es
sandi_verdev -- watermark_reloaded
 
Cross-Site Request Forgery (CSRF) vulnerability in Sandi Verdev Watermark RELOADED allows Stored XSS.This issue affects Watermark RELOADED: from n/a through 1.3.5.2024-03-167.1CVE-2024-27195
audit@patchstack.com
sandisk -- privateaccess_windows_app
 
A potential DLL hijacking vulnerability in the SanDisk PrivateAccess application for Windows that could lead to arbitrary code execution in the context of the system user. This vulnerability is only exploitable locally if an attacker has access to a copy of the user's vault or has already gained access into a user's system. This attack is limited to the system in context and cannot be propagated. 2024-03-137.9CVE-2024-22167
psirt@wdc.com
santesoft -- sante_fft_imaging
 
In Santesoft Sante FFT Imaging versions 1.4.1 and prior once a user opens a malicious DCM file on affected FFT Imaging installations, a local attacker could perform an out-of-bounds write, which could allow for arbitrary code execution.2024-03-117.8CVE-2024-1696
ics-cert@hq.dhs.gov
sap_se -- sap_netweaver_as_java_(administrator_log_viewer_plug-in)
 
SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files which leads to command injection vulnerability. This would enable the attacker to run commands which can cause high impact on confidentiality, integrity and availability of the application.2024-03-129.1CVE-2024-22127
cna@sap.com
cna@sap.com
scott_reilly -- configure_smtp
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Reilly Configure SMTP allows Reflected XSS.This issue affects Configure SMTP: from n/a through 3.1.2024-03-157.1CVE-2024-27192
audit@patchstack.com
siemens -- cerberus_pro_en_engineering_tool
 
A vulnerability has been identified in Cerberus PRO EN Engineering Tool (All versions < IP8), Cerberus PRO EN Fire Panel FC72x (All versions < IP8), Cerberus PRO EN X200 Cloud Distribution (All versions < V4.0.5016), Cerberus PRO EN X300 Cloud Distribution (All versions < V4.2.5015), Sinteso FS20 EN Engineering Tool (All versions < MP8), Sinteso FS20 EN Fire Panel FC20 (All versions < MP8), Sinteso FS20 EN X200 Cloud Distribution (All versions < V4.0.5016), Sinteso FS20 EN X300 Cloud Distribution (All versions < V4.2.5015), Sinteso Mobile (All versions < V3.0.0). The network communication library in affected systems does not validate the length of certain X.509 certificate attributes which might result in a stack-based buffer overflow. This could allow an unauthenticated remote attacker to execute code on the underlying operating system with root privileges.2024-03-1210CVE-2024-22039
productcert@siemens.com
siemens -- cerberus_pro_en_engineering_tool
 
A vulnerability has been identified in Cerberus PRO EN Engineering Tool (All versions), Cerberus PRO EN Fire Panel FC72x (All versions < IP8 SR4), Cerberus PRO EN X200 Cloud Distribution (All versions < V4.3.5618), Cerberus PRO EN X300 Cloud Distribution (All versions < V4.3.5617), Sinteso FS20 EN Engineering Tool (All versions), Sinteso FS20 EN Fire Panel FC20 (All versions < MP8 SR4), Sinteso FS20 EN X200 Cloud Distribution (All versions < V4.3.5618), Sinteso FS20 EN X300 Cloud Distribution (All versions < V4.3.5617), Sinteso Mobile (All versions). The network communication library in affected systems insufficiently validates HMAC values which might result in a buffer overread. This could allow an unauthenticated remote attacker to crash the network service.2024-03-127.5CVE-2024-22040
productcert@siemens.com
siemens -- cerberus_pro_en_engineering_tool
 
A vulnerability has been identified in Cerberus PRO EN Engineering Tool (All versions), Cerberus PRO EN Fire Panel FC72x (All versions < IP8 SR4), Cerberus PRO EN X200 Cloud Distribution (All versions < V4.3.5618), Cerberus PRO EN X300 Cloud Distribution (All versions < V4.3.5617), Sinteso FS20 EN Engineering Tool (All versions), Sinteso FS20 EN Fire Panel FC20 (All versions < MP8 SR4), Sinteso FS20 EN X200 Cloud Distribution (All versions < V4.3.5618), Sinteso FS20 EN X300 Cloud Distribution (All versions < V4.3.5617), Sinteso Mobile (All versions). The network communication library in affected systems improperly handles memory buffers when parsing X.509 certificates. This could allow an unauthenticated remote attacker to crash the network service.2024-03-127.5CVE-2024-22041
productcert@siemens.com
siemens -- sentron_3kc_atc6_expansion_module_ethernet
 
A vulnerability has been identified in SENTRON 3KC ATC6 Expansion Module Ethernet (3KC9000-8TL75) (All versions). Affected devices expose an unused, unstable http service at port 80/tcp on the Modbus-TCP Ethernet. This could allow an attacker on the same Modbus network to create a denial of service condition that forces the device to reboot.2024-03-127.5CVE-2024-22044
productcert@siemens.com
siemens -- simcenter_femap
 
A vulnerability has been identified in Simcenter Femap (All versions < V2306.0000). The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted Catia MODEL file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-22051)2024-03-127.8CVE-2024-27907
productcert@siemens.com
siemens -- sinema_remote_connect_client
 
A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.1 SP1). The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. This information is also available via the web interface of the product.2024-03-127.6CVE-2024-22045
productcert@siemens.com
siemens -- sinema_remote_connect_server
 
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2). The affected application consists of a web service that lacks proper access control for some of the endpoints. This could lead to unauthorized access to resources and potentially lead to code execution.2024-03-129.8CVE-2022-32257
productcert@siemens.com
smub -- giveaways_and_contests_by_rafflepress_-_get_more_website_traffic,_email_subscribers,_and_social_followers
 
The Giveaways and Contests by RafflePress - Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'parent_url' parameter in all versions up to, and including, 1.12.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-137.2CVE-2024-1935
security@wordfence.com
security@wordfence.com
security@wordfence.com
softing -- edgeconnector
 
The affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker to capture packets to craft their own requests.2024-03-148CVE-2024-0860
ics-cert@hq.dhs.gov
spring -- spring_framework
 
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.2024-03-168.1CVE-2024-22259
security@vmware.com
stimulusreflex -- stimulus_reflex
 
stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: `\"target\":\"[class_name]#[method_name]\",\"args\":[]`. The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments. This is problematic as `reflex.method method_name` can be more methods that those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should: see the backing GHSA advisory for mitigation advice.2024-03-128.8CVE-2024-28121
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
storeapps -- news_announcement_scroll
 
The News Announcement Scroll plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.2024-03-138.8CVE-2023-5663
security@wordfence.com
security@wordfence.com
security@wordfence.com
sygnoos -- social_media_share_buttons
 
The Social Media Share Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.1.0 via deserialization of untrusted input through the attachmentUrl parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.2024-03-168.8CVE-2024-1685
security@wordfence.com
security@wordfence.com
tatvic -- conversios_-_google_analytics_4_(ga4),_meta_pixel_&_more_via_google_tag_manager_for_woocommerce
 
The Conversios - Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'valueData' parameter in all versions up to, and including, 6.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.2024-03-138.8CVE-2024-1203
security@wordfence.com
security@wordfence.com
tenda -- ac18
 
A vulnerability was found in Tenda AC18 15.03.05.05 and classified as critical. Affected by this issue is the function formSetSpeedWan of the file /goform/SetSpeedWan. The manipulation of the argument speed_dir leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256892. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-158.8CVE-2024-2485
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
tenda -- ac18
 
A vulnerability was found in Tenda AC18 15.03.05.05. It has been classified as critical. This affects the function formQuickIndex of the file /goform/QuickIndex. The manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256893 was assigned to this vulnerability.2024-03-158.8CVE-2024-2486
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
tenda -- ac18
 
A vulnerability was found in Tenda AC18 15.03.05.05. It has been declared as critical. This vulnerability affects the function formSetDeviceName of the file /goform/SetOnlineDevName. The manipulation of the argument devName/mac leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-256894 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-158.8CVE-2024-2487
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
tenda -- ac18
 
A vulnerability was found in Tenda AC18 15.03.05.05. It has been rated as critical. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation of the argument startIP leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256895. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-158.8CVE-2024-2488
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
tenda -- ac18
 
A vulnerability classified as critical has been found in Tenda AC18 15.03.05.05. Affected is the function formSetQosBand of the file /goform/SetNetControlList. The manipulation of the argument list leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256896. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-158.8CVE-2024-2489
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
tenda -- ac18
 
A vulnerability classified as critical was found in Tenda AC18 15.03.05.05. Affected by this vulnerability is the function setSchedWifi of the file /goform/openSchedWifi. The manipulation of the argument schedStartTime/schedEndTime leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256897 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-158.8CVE-2024-2490
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
themefusecom -- brizy_-_page_builder
 
The Brizy - Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeImages function in all versions up to, and including, 2.4.40. This makes it possible for authenticated attackers, with contributor access or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.2024-03-138.8CVE-2024-1311
security@wordfence.com
security@wordfence.com
security@wordfence.com
themeum -- tutor_lms_-_elearning_and_online_course_solution
 
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the question_id parameter in all versions up to, and including, 2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber/student access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.2024-03-138.8CVE-2024-1751
security@wordfence.com
security@wordfence.com
security@wordfence.com
tibco_software_inc. -- tibco_ftl_-_enterprise_edition
 
The FTL Server component of TIBCO Software Inc.'s TIBCO FTL - Enterprise Edition contains a vulnerability that allows a low privileged attacker with network access to execute a privilege escalation on the affected ftlserver. Affected releases are TIBCO Software Inc.'s TIBCO FTL - Enterprise Edition: versions 6.10.1 and below.2024-03-128.8CVE-2024-1138
security@tibco.com
tmccombs -- tls-listener
 
tls-listener is a rust lang wrapper around a connection listener to support TLS. With the default configuration of tls-listener, a malicious user can open 6.4 `TcpStream`s a second, sending 0 bytes, and can trigger a DoS. The default configuration options make any public service using `TlsListener::new()` vulnerable to a slow-loris DoS attack. This impacts any publicly accessible service using the default configuration of tls-listener in versions prior to 0.10.0. Users are advised to upgrade. Users unable to upgrade may mitigate this by passing a large value, such as `usize::MAX` as the parameter to `Builder::max_handshakes`.2024-03-157.5CVE-2024-28854
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
totolink -- x6000r
 
A vulnerability, which was classified as critical, has been found in Totolink X6000R 9.4.0cu.852_20230719. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component shttpd. The manipulation of the argument ip leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256313 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-108.8CVE-2024-2353
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
ultimatemember -- ultimate_member_-_user_profile,_registration,_login,_member_directory,_content_restriction_&_membership_plugin
 
The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.2024-03-139.8CVE-2024-1071
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
ultimatemember -- ultimate_member_-_user_profile,_registration,_login,_member_directory,_content_restriction_&_membership_plugin
 
The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-137.2CVE-2024-2123
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
ultimatemember -- ultimate_member_-_user_profile,_registration,_login,_member_directory,_content_restriction_&_membership_plugin
 
In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script tag. 2024-03-137.2CVE-2024-25155
df4dee71-de3a-4139-9588-11b62fe6c0ff
df4dee71-de3a-4139-9588-11b62fe6c0ff
wago -- controller_bacnet/ip
 
An unautheticated remote attacker could send specifically crafted packets to a affected device. If an authenticated user then views that data in a specific page of the web-based management a buffer overflow will be triggered to gain full access of the device.2024-03-138.8CVE-2015-10123
info@cert.vde.com
webtechstreet -- elementor_addon_elements
 
The Elementor Addon Elements plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.12.12 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to include the contents of arbitrary PHP files on the server, which may expose sensitive information.2024-03-138.8CVE-2024-1358
security@wordfence.com
security@wordfence.com
security@wordfence.com
wp_codeus -- advanced_sermons
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Codeus Advanced Sermons allows Reflected XSS.This issue affects Advanced Sermons: from n/a through 3.2.2024-03-137.1CVE-2024-27952
audit@patchstack.com
wpdevteam -- essential_addons_for_elementor_-_best_elementor_templates,_widgets,_kits_&_woocommerce_builders
 
The Essential Addons for Elementor - Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's event calendar widget in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-137.4CVE-2024-1536
security@wordfence.com
security@wordfence.com
wpmudev -- hustle_-_email_marketing,_lead_generation,_optins,_popups
 
The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII.2024-03-138.6CVE-2024-0368
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
wpwax -- logo_showcase_ultimate_-_logo_carousel,_logo_slider_&_logo_grid
 
The Logo Showcase Ultimate - Logo Carousel, Logo Slider & Logo Grid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization via shortcode of untrusted input. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.2024-03-137.5CVE-2024-1951
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
wpwax -- post_grid,_slider_&_carousel_ultimate_-_with_shortcode,_gutenberg_block_&_elementor_widget
 
The Post Grid, Slider & Carousel Ultimate - with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.7 via deserialization of untrusted input in the outpost_shortcode_metabox_markup function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.2024-03-138.8CVE-2024-2006
security@wordfence.com
security@wordfence.com
security@wordfence.com
wpwax -- product_carousel_slider_&_grid_ultimate_for_woocommerce
 
The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input via shortcode. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.2024-03-137.5CVE-2024-1950
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
yooooomi -- your_spotify
 
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.8.0 use a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This vulnerability allows attackers to bypass authentication and authenticate as arbitrary YourSpotify users, including admin users. This issue has been addressed in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-139.1CVE-2024-28194
security-advisories@github.com
yooooomi -- your_spotify
 
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-138.1CVE-2024-28195
security-advisories@github.com
security-advisories@github.com
zephyrproject-rtos -- zephyr
 
Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 127.0.01 or the destination address.2024-03-158.6CVE-2023-7060
vulnerabilities@zephyrproject.org
zephyrproject-rtos -- zephyr
 
Privilege escalation in windows agent plugin in Checkmk before 2.2.0p23, 2.1.0p40 and 2.0.0 (EOL) allows local user to escalate privileges2024-03-118.8CVE-2024-0670
security@checkmk.com
security@checkmk.com
zitadel -- zitadel
 
Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim's account in certain scenarios. A possible victim would need to login through the malicious link for this exploit to work. If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain. Versions 2.46.0, 2.45.1, and 2.44.3 have been patched. Zitadel recommends upgrading to the latest versions available in due course. Note that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty. For self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your Zitadel instance (e.g. within your WAF): `__Secure-zitadel-useragent`.2024-03-117.5CVE-2024-28197
security-advisories@github.com
zoom_video_communications,_inc. -- zoom_rooms_client_for_windows
 
Improper access control in the installer for Zoom Rooms Client for Windows before version 5.17.5 may allow an authenticated user to conduct a denial of service via local access.2024-03-137.2CVE-2024-24693
security@zoom.us

Back to top

 

Medium Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
aio-libs -- aiosmtpd
 
aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue is also existed in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-125.3CVE-2024-27305
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
ameliabooking -- booking_for_appointments_and_events_calendar_-_amelia
 
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the date parameters in all versions up to, and including, 1.0.98 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.2024-03-136.1CVE-2024-1484
security@wordfence.com
security@wordfence.com
apache_software_foundation -- apache_pulsar
 
The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Apache Pulsar users should upgrade to at least 2.10.6. 2.11 Apache Pulsar users should upgrade to at least 2.11.4. 3.0 Apache Pulsar users should upgrade to at least 3.0.3. 3.1 Apache Pulsar users should upgrade to at least 3.1.3. 3.2 Apache Pulsar users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.2024-03-126.4CVE-2024-28098
security@apache.org
security@apache.org
apache_software_foundation -- apache_zookeeper
 
A vulnerability was found in SourceCodester Employee Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /Admin/add-admin.php. The manipulation of the argument avatar leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-256454 is the identifier assigned to this vulnerability.2024-03-124.7CVE-2024-2394
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
argoproj -- argo-cd
 
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. The only restriction which is not enforced is that the manifests come from some approved git/Helm/OCI source. The bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added. The bug has been patched in Argo CD versions 2.10.3, 2.9.8, and 2.8.12. Users are advised to upgrade. Users unable to upgrade may mitigate the risk of branch protection bypass by removing `applications, create` RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version.2024-03-136.4CVE-2023-50726
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
ari_soft -- ari_stream_quiz
 
Cross-Site Request Forgery (CSRF) vulnerability in ARI Soft ARI Stream Quiz.This issue affects ARI Stream Quiz: from n/a through 1.2.32.2024-03-165.4CVE-2023-51487
audit@patchstack.com
artibot -- artibot_free_chat_bot_for_wordpress_websitesThe ArtiBot Free Chat Bot for WordPress WebSites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.2024-03-134.4CVE-2024-0449
security@wordfence.com
security@wordfence.com
artibot -- artibot_free_chat_bot_for_wordpress_websites
 
The ArtiBot Free Chat Bot for WordPress WebSites plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the artibot_update function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update plugin settings.2024-03-135CVE-2024-0447
security@wordfence.com
security@wordfence.com
atlas_gondal -- export_media_urls
 
Cross-Site Request Forgery (CSRF) vulnerability in Atlas Gondal Export Media URLs.This issue affects Export Media URLs: from n/a through 1.0.2024-03-164.3CVE-2023-51510
audit@patchstack.com
automattic,_inc. -- crowdsignal_dashboard_-_polls,_surveys_&_more
 
Cross-Site Request Forgery (CSRF) vulnerability in Automattic, Inc. Crowdsignal Dashboard - Polls, Surveys & more.This issue affects Crowdsignal Dashboard - Polls, Surveys & more: from n/a through 3.0.11.2024-03-165.4CVE-2023-51489
audit@patchstack.com
averta -- depicter_slider
 
Cross-Site Request Forgery (CSRF) vulnerability in Averta Depicter Slider.This issue affects Depicter Slider: from n/a through 2.0.6.2024-03-165.4CVE-2023-51491
audit@patchstack.com
badger_meter -- monitool
 
Incorrectly limiting the path to a restricted directory vulnerability in Badger Meter Monitool that affects versions up to 4.6.3 and earlier. This vulnerability allows an authenticated attacker to retrieve any file from the device using the download-file functionality.2024-03-126.5CVE-2024-1303
cve-coordination@incibe.es
badger_meter -- monitool
 
Cross-site scripting vulnerability in Badger Meter Monitool that affects versions up to 4.6.3 and earlier. This vulnerability allows a remote attacker to send a specially crafted javascript payload to an authenticated user and partially hijack their browser session.2024-03-126.3CVE-2024-1304
cve-coordination@incibe.es
barrykooij -- related_posts_for_wordpress
 
The Related Posts for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the handle_create_link() function. This makes it possible for unauthenticated attackers to add related posts to other posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This ultimately makes it possible for attackers to view draft and password protected posts.2024-03-135.4CVE-2024-0592
security@wordfence.com
security@wordfence.com
security@wordfence.com
basix -- nex-forms_-_ultimate_form_builder
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms - Ultimate Form Builder allows Stored XSS.This issue affects NEX-Forms - Ultimate Form Builder: from n/a through 8.5.5.2024-03-156.5CVE-2024-25593
audit@patchstack.com
bdthemes -- prime_slider_-_addons_for_elementor_(revolution_of_a_slider,_hero_slider,_ecommerce_slider)
 
The Prime Slider - Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_tags' attribute of the Rubix widget in all versions up to, and including, 3.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1507
security@wordfence.com
security@wordfence.com
bdthemes -- prime_slider_-_addons_for_elementor_(revolution_of_a_slider,_hero_slider,_ecommerce_slider)
 
The Prime Slider - Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'settings['title_tags']' attribute of the Mercury widget in all versions up to, and including, 3.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1508
security@wordfence.com
security@wordfence.com
binhnguyenplus -- ladiapp:_landing_page,_popupx,_marketing_automation,_affiliate_marketin-¦The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ladiflow_save_hook() function in versions up to, and including, 4.3. This makes it possible for authenticated attackers with subscriber-level access and above to update the 'ladiflow_hook_configs' option.2024-03-124.3CVE-2023-4626
security@wordfence.com
security@wordfence.com
binhnguyenplus -- ladiapp:_landing_page,_popupx,_marketing_automation,_affiliate_marketing-¦
 
The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_config() function in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to update the 'ladipage_config' option.2024-03-124.3CVE-2023-4627
security@wordfence.com
security@wordfence.com
binhnguyenplus -- ladiapp:_landing_page,_popupx,_marketing_automation,_affiliate_marketing-¦
 
The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the ladiflow_save_hook() function in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to update the 'ladiflow_hook_configs' option via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.2024-03-124.3CVE-2023-4628
security@wordfence.com
security@wordfence.com
binhnguyenplus -- ladiapp:_landing_page,_popupx,_marketing_automation,_affiliate_marketing-¦
 
The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the save_config() function in versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to update the 'ladipage_config' option via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.2024-03-124.3CVE-2023-4629
security@wordfence.com
security@wordfence.com
binhnguyenplus -- ladiapp:_landing_page,_popupx,_marketing_automation,_affiliate_marketing-¦
 
The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the publish_lp() function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to change the LadiPage key (a key fully controlled by the attacker), enabling them to freely create new pages, including web pages that trigger stored XSS2024-03-124.3CVE-2023-4728
security@wordfence.com
security@wordfence.com
binhnguyenplus -- ladiapp:_landing_page,_popupx,_marketing_automation,_affiliate_marketing-¦
 
The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the publish_lp() function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to change the LadiPage key (a key fully controlled by the attacker), enabling them to freely create new pages, including web pages that trigger stored XSS via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.2024-03-124.3CVE-2023-4729
security@wordfence.com
security@wordfence.com
binhnguyenplus -- ladiapp:_landing_page,_popupx,_marketing_automation,_affiliate_marketing-¦
 
The LadiApp plugn for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the init_endpoint() function hooked via 'init' in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to modify a variety of settings, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. An attacker can directly modify the 'ladipage_key' which enables them to create new posts on the website and inject malicious web scripts,2024-03-124.3CVE-2023-4731
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
bitpressadmin -- contact_form_builder_by_bit_form:_create_contact_form,_multi_step_form,_conversational_form
 
The Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form plugin for WordPress is vulnerable to unauthorized modification of data due to a insufficient user validation on the bitforms_update_form_entry AJAX action in all versions up to, and including, 2.10.1. This makes it possible for unauthenticated attackers to modify form submissions.2024-03-135.3CVE-2024-1640
security@wordfence.com
security@wordfence.com
blossomthemes -- blossom_spa
 
The Blossom Spa theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.4 via generated source. This makes it possible for unauthenticated attackers to extract sensitive data including contents of password-protected or scheduled posts.2024-03-125.8CVE-2024-2107
security@wordfence.com
security@wordfence.com
bluecoral -- chat_bubble_-_floating_chat_with_contact_chat_icons,_messages,_telegram,_email,_sms,_call_me_back
 
The Chat Bubble - Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.2024-03-134.4CVE-2024-0898
security@wordfence.com
security@wordfence.com
bobbingwide -- oik
 
The oik plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes such as bw_contact_button and bw_button shortcodes in all versions up to, and including, 4.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-146.4CVE-2024-2256
security@wordfence.com
security@wordfence.com
security@wordfence.com
bradwenqiang -- hr
 
A vulnerability was found in BradWenqiang HR 2.0. It has been rated as critical. Affected by this issue is the function selectAll of the file /bishe/register of the component Background Management. The manipulation of the argument userName leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-256886 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-156.3CVE-2024-2478
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
brainstormforce -- elementor_header_&_footer_builder
 
The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the flyout_layout attribute in all versions up to, and including, 1.6.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1237
security@wordfence.com
security@wordfence.com
security@wordfence.com
britner -- gutenberg_blocks_by_kadence_blocks_-_page_builder_features
 
The Gutenberg Blocks by Kadence Blocks - Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the htmlTag attribute in all versions up to, and including, 3.2.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1541
security@wordfence.com
security@wordfence.com
security@wordfence.com
catchsquare -- wp_social_widget
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS.This issue affects WP Social Widget: from n/a through 2.2.5.2024-03-156.5CVE-2024-27189
audit@patchstack.com
charlestsmith -- word_replacer_pro
 
The Word Replacer Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the word_replacer_ultra() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to update arbitrary content on the affected WordPress site.2024-03-165.3CVE-2024-1733
security@wordfence.com
security@wordfence.com
choijun -- la-studio_element_kit_for_elementor
 
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LinkWrapper attribute found in several widgets in all versions up to, and including, 1.3.7.4 due to insufficient input sanitization and output escaping the user supplied attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-146.4CVE-2024-2249
security@wordfence.com
security@wordfence.com
chrisbadgett -- lifterlms_-_wordpress_lms_plugin_for_elearning
 
The LifterLMS - WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_review' function in all versions up to, and including, 7.5.1. This makes it possible for unauthenticated attackers to publish an unrestricted number of reviews on the site.2024-03-135.3CVE-2024-0377
security@wordfence.com
security@wordfence.com
cisco -- cisco_ios_xr_software
 
A vulnerability in the Secure Copy Protocol (SCP) and SFTP feature of Cisco IOS XR Software could allow an authenticated, local attacker to create or overwrite files in a system directory, which could lead to a denial of service (DoS) condition. The attacker would require valid user credentials to perform this attack. This vulnerability is due to a lack of proper validation of SCP and SFTP CLI input parameters. An attacker could exploit this vulnerability by authenticating to the device and issuing SCP or SFTP CLI commands with specific parameters. A successful exploit could allow the attacker to impact the functionality of the device, which could lead to a DoS condition. The device may need to be manually rebooted to recover. Note: This vulnerability is exploitable only when a local user invokes SCP or SFTP commands at the Cisco IOS XR CLI. A local user with administrative privileges could exploit this vulnerability remotely.2024-03-136.5CVE-2024-20262
ykramarz@cisco.com
cisco -- cisco_ios_xr_software
 
The Video Conferencing with Zoom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zoom_recordings_by_meeting' shortcode in all versions up to, and including, 4.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-126.4CVE-2024-2031
security@wordfence.com
security@wordfence.com
cisco -- cisco_ios_xr_software
 
A vulnerability in the DHCP version 4 (DHCPv4) server feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to trigger a crash of the dhcpd process, resulting in a denial of service (DoS) condition. This vulnerability exists because certain DHCPv4 messages are improperly validated when they are processed by an affected device. An attacker could exploit this vulnerability by sending a malformed DHCPv4 message to an affected device. A successful exploit could allow the attacker to cause a crash of the dhcpd process. While the dhcpd process is restarting, which may take approximately two minutes, DHCPv4 server services are unavailable on the affected device. This could temporarily prevent network access to clients that join the network during that time period and rely on the DHCPv4 server of the affected device. Notes: Only the dhcpd process crashes and eventually restarts automatically. The router does not reload. This vulnerability only applies to DHCPv4. DHCP version 6 (DHCPv6) is not affected.2024-03-135.3CVE-2024-20266
ykramarz@cisco.com
cisco -- cisco_ios_xr_software
 
A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to improper assignment of lookup keys to internal interface contexts. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to access resources behind the affected device that were supposed to be protected by a configured ACL.2024-03-135.8CVE-2024-20315
ykramarz@cisco.com
cisco -- cisco_ios_xr_software
 
A vulnerability in the access control list (ACL) processing on Pseudowire interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to improper assignment of lookup keys to internal interface contexts. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to access resources behind the affected device that were supposed to be protected by a configured ACL.2024-03-135.8CVE-2024-20322
ykramarz@cisco.com
cisco -- cisco_ios_xr_software
 
A vulnerability in the UDP forwarding code of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to bypass configured management plane protection policies and access the Simple Network Management Plane (SNMP) server of an affected device. This vulnerability is due to incorrect UDP forwarding programming when using SNMP with management plane protection. An attacker could exploit this vulnerability by attempting to perform an SNMP operation using broadcast as the destination address that could be processed by an affected device that is configured with an SNMP server. A successful exploit could allow the attacker to communicate to the device on the configured SNMP ports. Although an unauthenticated attacker could send UDP datagrams to the configured SNMP port, only an authenticated user can retrieve or modify data using SNMP requests.2024-03-134.3CVE-2024-20319
ykramarz@cisco.com
citrix -- citrix_sd-wan_standard/premium_editions
 
Server-Side Request Forgery (SSRF) in Citrix SD-WAN Standard/Premium Editions on or after 11.4.0 and before 11.4.4.46 allows an attacker to disclose limited information from the appliance via Access to management IP.2024-03-126.5CVE-2024-2049
secure@citrix.com
ckan -- ckan
 
A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. This has been fixed in the CKAN versions 2.9.11 and 2.10.4. Users are advised to upgrade. Users unable to upgrade should override the `/user/reset` endpoint to filter the `id` parameter in order to exclude newlines.2024-03-134.3CVE-2024-27097
security-advisories@github.com
security-advisories@github.com
cloudflare -- quiche
 
Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client. A remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake. Exploitation was possible for the duration of the connection which could be extended by the attacker.  quiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.2024-03-125.9CVE-2024-1765
cna@cloudflare.com
codename065 -- download_manager
 
The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.2.85 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2023-6954
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
codename065 -- download_manager
 
The Download Manager plugin for WordPress is vulnerable to unauthorized file download of files added via the plugin in all versions up to, and including, 3.2.84. This makes it possible for unauthenticated attackers to download files added with the plugin (even when privately published).2024-03-135.3CVE-2023-6785
security@wordfence.com
security@wordfence.com
codeworkweb -- cww_companion
 
The CWW Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Module2 widget in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-126.4CVE-2024-2130
security@wordfence.com
security@wordfence.com
collizo4sky -- paid_membership_plugin,_ecommerce,_user_registration_form,_login_form,_user_profile_&_restrict_content_-_profilepress
 
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [reg-select-role] shortcode in all versions up to, and including, 4.15.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1409
security@wordfence.com
security@wordfence.com
collizo4sky -- paid_membership_plugin,_ecommerce,_user_registration_form,_login_form,_user_profile_&_restrict_content_-_profilepress
 
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.15.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1535
security@wordfence.com
security@wordfence.com
security@wordfence.com
collizo4sky -- paid_membership_plugin,_ecommerce,_user_registration_form,_login_form,_user_profile_&_restrict_content_-_profilepress
 
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.15.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1806
security@wordfence.com
security@wordfence.com
security@wordfence.com
cool_plugins -- cryptocurrency_widgets_-_price_ticker_&_coins_list
 
Missing Authorization vulnerability in Cool Plugins Cryptocurrency Widgets - Price Ticker & Coins List.This issue affects Cryptocurrency Widgets - Price Ticker & Coins List: from n/a through 2.6.8.2024-03-134.7CVE-2024-27953
audit@patchstack.com
cozmoslabs -- paid_member_subscriptions
 
Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Paid Member Subscriptions.This issue affects Paid Member Subscriptions: from n/a through 2.10.4.2024-03-154.3CVE-2023-51522
audit@patchstack.com
cozyvision1 -- sms_alert_order_notifications_-_woocommerce
 
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.9. This is due to missing or incorrect nonce validation on the processBulkAction function. This makes it possible for unauthenticated attackers to delete pages and posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.2024-03-134.3CVE-2024-1489
security@wordfence.com
security@wordfence.com
crmperks -- database_for_contact_form_7,_wpforms,_elementor_forms
 
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-2030
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
cservit -- affiliate-toolkit – WordPress Affiliate PluginThe affiliate-toolkit - WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_create_list() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating product lists.2024-03-086.3CVE-2024-1851
security@wordfence.com
security@wordfence.com
cyberlord92 -- page_restriction_wordpress_(wp)_-_protect_wp_pages/post
 
The Page Restriction WordPress (WP) - Protect WP Pages/Post plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.3.4. This is due to the plugin not properly restricting access to pages via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected pages. The vendor has decided that they will not implement REST API protection on posts and pages and the restrictions will only apply to the front-end of the site. The vendors solution was to add notices throughout the dashboard and recommends installing the WordPress REST API Authentication plugin for REST API coverage.2024-03-135.3CVE-2024-0681
security@wordfence.com
security@wordfence.com
david_de_boer -- paytium:_mollie_payment_forms_&_donations
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David de Boer Paytium: Mollie payment forms & donations allows Stored XSS.This issue affects Paytium: Mollie payment forms & donations: from n/a through 4.4.2.2024-03-136.5CVE-2024-25099
audit@patchstack.com
dell -- poweredge_bios_intel_16g
 
Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an Improper SMM communication buffer verification vulnerability. A local low privileged attacker could potentially exploit this vulnerability leading to out-of-bound read/writes to SMRAM.2024-03-135.3CVE-2024-0162
security_alert@emc.com
dell -- poweredge_bios_intel_16g
 
Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain a TOCTOU race condition vulnerability. A local low privileged attacker could potentially exploit this vulnerability to gain access to otherwise unauthorized resources.2024-03-135.3CVE-2024-0163
security_alert@emc.com
devitemsllc -- ht_mega_-_absolute_addons_for_elementor
 
The HT Mega - Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on the 'titleTag' user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-126.4CVE-2024-1397
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
devitemsllc -- ht_mega_-_absolute_addons_for_elementor
 
The HT Mega - Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'border_type' attribute of the Post Carousel widget in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-126.4CVE-2024-1421
security@wordfence.com
security@wordfence.com
directus -- directus
 
Directus is a real-time API and App dashboard for managing SQL database content. The authentication API has a `redirect` parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL. There's a redirect that is done after successful login via the Auth API GET request to `directus/auth/login/google?redirect=http://malicious-fishing-site.com`. While credentials don't seem to be passed to the attacker site, the user can be phished into clicking a legitimate directus site and be taken to a malicious site made to look like a an error message "Your password needs to be updated" to phish out the current password. Users who login via OAuth2 into Directus may be at risk. This issue has been addressed in version 10.10.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-125.4CVE-2024-28239
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
discourse -- discourse
 
Discourse is an open source platform for community discussion. In affected versions users that are allowed to invite others can inject arbitrarily large data in parameters used in the invite route. The problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable invites or restrict access to them using the `invite allowed groups` site setting.2024-03-156.5CVE-2024-27085
security-advisories@github.com
security-advisories@github.com
discourse -- discourse
 
Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren't enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource consumption which could render an instance inoperable. A site could be disrupted by either a malicious moderator on the same site or a malicious staff member on another site in the same multisite cluster. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-156.5CVE-2024-27100
security-advisories@github.com
security-advisories@github.com
discourse -- discourse
 
Discourse is an open source platform for community discussion. In affected versions an attacker can learn that a secret subcategory exists under a public category which has no public subcategories. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-155.3CVE-2024-24748
security-advisories@github.com
security-advisories@github.com
discourse -- discourse
 
Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to site as various site settings like `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels` will determine the amount of resources used when creating an upload. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. Users unable to upgrade should reduce `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels` as smaller uploads require less resources to process. Alternatively, `client_max_body_size` can be reduced in Nginx to prevent large uploads from reaching the server.2024-03-155.3CVE-2024-24827
security-advisories@github.com
security-advisories@github.com
discourse -- discourse
 
Discourse is an open source platform for community discussion. In affected versions an attacker can learn that secret categories exist when they have backgrounds set. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. Users unable to upgrade should temporarily remove category backgrounds.2024-03-155.3CVE-2024-28242
security-advisories@github.com
security-advisories@github.com
doofinder -- doofinder_for_woocommerce
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Doofinder Doofinder for WooCommerce allows Stored XSS.This issue affects Doofinder for WooCommerce: from n/a through 2.1.8.2024-03-155.9CVE-2024-25596
audit@patchstack.com
dreamer -- cms
 
A vulnerability, which was classified as problematic, was found in Dreamer CMS 4.1.3. Affected is an unknown function of the file /admin/menu/toEdit. The manipulation of the argument id leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-256314 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-104.3CVE-2024-2354
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
droitthemes -- droit_elementor_addons_-_widgets,_blocks,_templates_library_for_elementor_builder
 
The Droit Elementor Addons - Widgets, Blocks, Templates Library For Elementor Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output escaping on user supplied attributes such as URL. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-135.4CVE-2024-2252
security@wordfence.com
security@wordfence.com
edge22 -- generateblocks
 
The GenerateBlocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.2 via Query Loop. This makes it possible for authenticated attackers, with contributor access and above, to see contents of posts and pages in draft or private status as well as those with scheduled publication dates.2024-03-134.3CVE-2024-1452
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
edge22 -- wp_show_posts
 
The WP Show Posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the wpsp_display function. This makes it possible for authenticated attackers with contributor access and above to view the contents of draft, trash, future, private and pending posts and pages.2024-03-135.3CVE-2024-1479
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
elementinvader -- elementinvader_addons_for_elementor
 
The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button link in the EliSlider in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-166.4CVE-2024-2308
security@wordfence.com
security@wordfence.com
elementor -- elementor_pro
 
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Elementor Pro.This issue affects Elementor Pro: from n/a through 3.19.2.2024-03-166.5CVE-2024-23523
audit@patchstack.com
exafunction -- codeium-chrome
 
codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key.2024-03-116.5CVE-2024-28120
security-advisories@github.com
security-advisories@github.com
expresstech -- quiz_and_survey_master
 
Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master. This issue affects Quiz And Survey Master: from n/a through 8.1.18.2024-03-165.4CVE-2023-51521
audit@patchstack.com
file_manager -- file_manager_pro
 
The File Manager Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tb' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.2024-03-136.1CVE-2023-7015
security@wordfence.com
security@wordfence.com
fluid-cloudnative -- fluid
 
Fluid is an open source Kubernetes-native Distributed Dataset Orchestrator and Accelerator for data-intensive applications. An OS command injection vulnerability within the Fluid project's JuicefsRuntime can potentially allow an authenticated user, who has the authority to create or update the K8s CRD Dataset/JuicefsRuntime, to execute arbitrary OS commands within the juicefs related containers. This could lead to unauthorized access, modification or deletion of data. Users who're using versions < 0.9.3 with JuicefsRuntime should upgrade to v0.9.3.2024-03-154CVE-2023-51699
security-advisories@github.com
security-advisories@github.com
follow-redirects -- follow-redirects
 
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-146.5CVE-2024-28849
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
formfacade -- formfacade
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FormFacade allows Stored XSS.This issue affects FormFacade: from n/a through 1.0.0.2024-03-156.5CVE-2024-25934
audit@patchstack.com
fortinet -- fortimanager
 
A use of externally-controlled format string vulnerability [CWE-134] in Fortinet FortiManager version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.3 and before 7.0.10, Fortinet FortiAnalyzer version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.3 and before 7.0.10, Fortinet FortiAnalyzer-BigData before 7.2.5 and Fortinet FortiPortal version 6.0 all versions and version 5.3 all versions allows a privileged attacker to execute unauthorized code or commands via specially crafted command arguments.2024-03-126.7CVE-2023-41842
psirt@fortinet.com
fortinet -- fortiportal
 
An improper authorization vulnerability [CWE-285] in FortiPortal version 7.2.0, and versions 7.0.6 and below reports may allow a user to download other organizations reports via modification in the request payload.2024-03-124.3CVE-2024-21761
psirt@fortinet.com
fortinet -- fortiproxyAn authorization bypass through user-controlled key vulnerability [CWE-639] in FortiOS version 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.1 through 7.0.13, 6.4.7 through 6.4.14, and FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14 SSL-VPN may allow an authenticated attacker to gain access to another user's bookmark via URL manipulation.2024-03-124.3CVE-2024-23112
psirt@fortinet.com
fortra -- filecatalyst
 
Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.  2024-03-135.3CVE-2024-25154
df4dee71-de3a-4139-9588-11b62fe6c0ff
df4dee71-de3a-4139-9588-11b62fe6c0ff
fortra -- goanywhere_mft
 
A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients.2024-03-146.5CVE-2024-25156
df4dee71-de3a-4139-9588-11b62fe6c0ff
frenify -- categorify_-_wordpress_media_library_category_&_file_manager
 
The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxAddCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to add categories.2024-03-134.3CVE-2024-0385
security@wordfence.com
security@wordfence.com
friendlyelec -- friendlywrt
 
Cryptographic key vulnerability encoded in the FriendlyWrt firmware affecting version 2022-11-16.51b3d35. This vulnerability could allow an attacker to compromise the confidentiality and integrity of encrypted data.2024-03-155.2CVE-2024-2495
cve-coordination@incibe.es
friendsofsymfony1 -- symfony1
 
Symfony1 is a community fork of symfony 1.4 with DIC, form enhancements, latest Swiftmailer, better performance, composer compatible and PHP 8 support. Symfony 1 has a gadget chain due to vulnerable Swift Mailer dependency that would enable an attacker to get remote code execution if a developer unserialize user input in his project. This vulnerability present no direct threat but is a vector that will enable remote code execution if a developper deserialize user untrusted data. Symfony 1 depends on Swift Mailer which is bundled by default in vendor directory in the default installation since 1.3.0. Swift Mailer classes implement some `__destruct()` methods. These methods are called when php destroys the object in memory. However, it is possible to include any object type in `$this->_keys` to make PHP access to another array/object properties than intended by the developer. In particular, it is possible to abuse the array access which is triggered on foreach($this->_keys ...) for any class implementing ArrayAccess interface. This may allow an attacker to execute any PHP command which leads to remote code execution. This issue has been addressed in version 1.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-155CVE-2024-28859
security-advisories@github.com
security-advisories@github.com
gacjie -- server
 
A vulnerability, which was classified as critical, was found in Gacjie Server up to 1.0. This affects the function index of the file /app/admin/controller/Upload.php. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256503.2024-03-125.4CVE-2024-2406
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
geminilabs -- site_reviews
 
The Site Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user display name in all versions up to, and including, 6.11.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-2293
security@wordfence.com
security@wordfence.com
security@wordfence.com
gonahkar -- custom_fields_shortcode
 
The Custom fields shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cf shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied custom post meta values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2023-6809
security@wordfence.com
security@wordfence.com
gpriday -- siteorigin_widgets_bundle
 
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 1.58.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Affected parameters include: $instance['fonts']['title_options']['tag'], $headline_tag, $sub_headline_tag, $feature['icon'].2024-03-136.4CVE-2024-1723
security@wordfence.com
security@wordfence.com
security@wordfence.com
hammadh -- play.ht_-_make_your_blog_posts_accessible_with_text_to_speech_audio
 
The Play.ht - Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with subscriber access or higher, to delete, retrieve, or modify post metadata, retrieve posts contents of protected posts, modify conversion data and delete article audio.2024-03-135.4CVE-2024-0828
security@wordfence.com
security@wordfence.com
hammadh -- play.ht_-_make_your_blog_posts_accessible_with_text_to_speech_audio
 
The Play.ht - Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.4. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.2024-03-134.3CVE-2024-0827
security@wordfence.com
security@wordfence.com
heimavista -- rpage
 
The disabling function of the user registration page for Heimavista Rpage and Epage is not properly implemented, allowing remote attackers to complete user registration on sites where user registration is supposed to be disabled.2024-03-135.3CVE-2024-2412
twcert@cert.org.tw
hiroaki_miyashita -- custom_field_template
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiroaki Miyashita Custom Field Template allows Stored XSS.This issue affects Custom Field Template: from n/a through 2.6.2024-03-156.5CVE-2024-25919
audit@patchstack.com
hitachi -- cosminexus_component_container
 
Insertion of Sensitive Information into Log File vulnerability in Hitachi Cosminexus Component Container allows local users to gain sensitive information.This issue affects Cosminexus Component Container: from 11-30 before 11-30-05, from 11-20 through 11-20-*, from 11-10 through 11-10-*, from 11-00 before 11-00-12, All versions of V8 and V9.2024-03-125.6CVE-2023-6814
hirt@hitachi.co.jp
htplugins -- ht_easy_ga4_-_google_analytics_wordpress_plugin
 
The HT Easy GA4 - Google Analytics WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the login() function in all versions up to, and including, 1.1.5. This makes it possible for unauthenticated attackers to update the email associated through the plugin with GA4.2024-03-135.3CVE-2024-1176
security@wordfence.com
security@wordfence.com
ibm -- host_access_transformation_services
 
IBM Host Access Transformation Services (HATS) 9.6 through 9.6.1.4 and 9.7 through 9.7.0.3 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 210989.2024-03-156.2CVE-2021-38938
psirt@us.ibm.com
psirt@us.ibm.com
ibm -- integration_bus_for_z/os
 
IBM Integration Bus for z/OS 10.1 through 10.1.0.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 284564.2024-03-144.5CVE-2024-27265
psirt@us.ibm.com
psirt@us.ibm.com
ibm -- maximo_application_suite_-_maximo_mobile_for_eam
 
IBM Maximo Application Suite - Maximo Mobile for EAM 8.10 and 8.11 could disclose sensitive information to a local user. IBM X-Force ID: 266875.2024-03-135.1CVE-2023-43043
psirt@us.ibm.com
psirt@us.ibm.com
ibm -- maximo_asset_management
 
IBM Maximo Application Suite 7.6.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 262192.2024-03-136.4CVE-2023-38723
psirt@us.ibm.com
psirt@us.ibm.com
ibm -- secure_proxy
 
IBM Sterling Secure Proxy 6.0.3 and 6.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 270973.2024-03-156.1CVE-2023-47162
psirt@us.ibm.com
psirt@us.ibm.com
ibm -- secure_proxy
 
IBM Sterling Secure Proxy 6.0.3 and 6.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 270974.2024-03-156.1CVE-2023-47699
psirt@us.ibm.com
psirt@us.ibm.com
ibm -- secure_proxy
 
IBM Sterling Secure Proxy 6.0.3 and 6.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 269692.2024-03-155.4CVE-2023-46182
psirt@us.ibm.com
psirt@us.ibm.com
ibm -- secure_proxy
 
IBM Sterling Secure Proxy 6.0.3 and 6.1.0 could allow an attacker to overwrite a log message under specific conditions. IBM X-Force ID: 270598.2024-03-155.9CVE-2023-47147
psirt@us.ibm.com
psirt@us.ibm.com
ibm -- secure_proxy
 
IBM Sterling Secure Proxy 6.0.3 and 6.1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 269683.2024-03-154.3CVE-2023-46179
psirt@us.ibm.com
psirt@us.ibm.com
ibm -- secure_proxy
 
IBM Sterling Secure Proxy 6.0.3 and 6.1.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 269686.2024-03-154CVE-2023-46181
psirt@us.ibm.com
psirt@us.ibm.com
ibm -- sterling_partner_engagement_manager
 
IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 250421.2024-03-135.4CVE-2023-28517
psirt@us.ibm.com
psirt@us.ibm.com
icopydoc -- yml_for_yandex_market
 
The YML for Yandex Market plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the feed_id parameter in all versions up to, and including, 4.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.2024-03-136.1CVE-2024-1365
security@wordfence.com
security@wordfence.com
intoxstudio -- restrict_user_access_-_ultimate_membership_&_content_protection
 
The Restrict User Access - Ultimate Membership & Content Protection plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5 via API. This makes it possible for unauthenticated attackers to obtain the contents of posts and pages via API.2024-03-135.3CVE-2024-0687
security@wordfence.com
security@wordfence.com
joseph_c_dolson -- my_calendar
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joseph C Dolson My Calendar allows Stored XSS.This issue affects My Calendar: from n/a through 3.4.23.2024-03-156.5CVE-2024-25916
audit@patchstack.com
justinbusa -- beaver_builder_-_wordpress_page_builder
 
The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button link parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-0896
security@wordfence.com
security@wordfence.com
security@wordfence.com
justinbusa -- beaver_builder_-_wordpress_page_builder
 
The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image URL parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-0897
security@wordfence.com
security@wordfence.com
justinbusa -- beaver_builder_-_wordpress_page_builder
 
The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the audio widget 'link_url' parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1074
security@wordfence.com
security@wordfence.com
security@wordfence.com
justinbusa -- beaver_builder_-_wordpress_page_builder
 
The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the via the heading tag in all versions up to, and including, 2.7.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1080
security@wordfence.com
security@wordfence.com
justinbusa -- beaver_builder_-_wordpress_page_builder
 
The Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Icon Widget 'fl_builder_data[node_preview][link]' and 'fl_builder_data[settings][link_target]' parameters in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-135.4CVE-2024-0871
security@wordfence.com
security@wordfence.com
justinbusa -- beaver_builder_-_wordpress_page_builder
 
The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to DOM-Based Reflected Cross-Site Scripting via a 'playground.wordpress.net' parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.2024-03-135.4CVE-2024-1038
security@wordfence.com
security@wordfence.com
security@wordfence.com
kbjohnson90 -- user_shortcodes_plus
 
The User Shortcodes Plus plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the user_meta shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve potentially sensitive user meta.2024-03-135.3CVE-2023-6969
security@wordfence.com
security@wordfence.com
korenix -- jeti/o_6550
 
Information exposure vulnerability in Korenix JetI/O 6550 affecting firmware version F208 Build:0817. The SNMP protocol uses plaintext to transfer data, allowing an attacker to intercept traffic and retrieve credentials.2024-03-126.2CVE-2024-2371
cve-coordination@incibe.es
leap13 -- premium_addons_for_elementor
 
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Link Wrapper functionality in all versions up to, and including, 4.10.17 due to insufficient input sanitization and output escaping on user supplied links. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-0326
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
leap13 -- premium_addons_for_elementor
 
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Settings URL of the Banner, Team Members, and Image Scroll widgets in all versions up to, and including, 4.10.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1680
security@wordfence.com
security@wordfence.com
livemesh -- elementor_addons_by_livemesh
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Livemesh Elementor Addons by Livemesh allows Stored XSS.This issue affects Elementor Addons by Livemesh: from n/a through 8.3.5.2024-03-146.5CVE-2024-27986
audit@patchstack.com
livemesh -- livemesh_addons_for_elementor
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Livemesh Livemesh Addons for Elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through 8.3.2024-03-156.5CVE-2024-25598
audit@patchstack.com
livemesh -- wpbakery_page_builder_addons_by_livemesh
 
The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'per_line_mobile' shortcode in all versions up to, and including, 3.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-2079
security@wordfence.com
security@wordfence.com
logitech -- logi_tune
 
Improper Control of Dynamically-Managed Code Resources vulnerability in Logitech Logi Tune on MacOS allows Local Code Inclusion.2024-03-154.4CVE-2024-2537
cve-coordination@logitech.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability, which was classified as critical, was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. This affects an unknown part of the file home.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256953 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-166.3CVE-2024-2516
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0 and classified as critical. This vulnerability affects unknown code of the file book_history.php. The manipulation of the argument del_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-256954 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-166.3CVE-2024-2517
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/bookdate.php. The manipulation of the argument room_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256957 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-166.3CVE-2024-2520
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability classified as critical has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. This affects an unknown part of the file /admin/booktime.php. The manipulation of the argument room_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256959. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-166.3CVE-2024-2522
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability, which was classified as critical, has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. This issue affects some unknown processing of the file /admin/receipt.php. The manipulation of the argument room_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256961 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-166.3CVE-2024-2524
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/rooms.php. The manipulation of the argument room_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256964. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-166.3CVE-2024-2527
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/update-rooms.php. The manipulation of the argument room_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256965 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-166.3CVE-2024-2528
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/rooms.php. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-256966 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-166.3CVE-2024-2529
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability classified as critical has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected is an unknown function of the file /admin/update-rooms.php. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256968. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-166.3CVE-2024-2531
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability classified as critical was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/update-users.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256969 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-166.3CVE-2024-2532
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
mainwp -- mainwp_dashboard_-_wordpress_manager_for_multiple_websites_maintenance
 
The MainWP Dashboard - WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.0.1. This is due to missing or incorrect nonce validation on the 'posting_bulk' function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.2024-03-134.3CVE-2024-1642
security@wordfence.com
security@wordfence.com
security@wordfence.com
mattermost -- mattermost
 
Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server.2024-03-156.1CVE-2024-2445
responsibledisclosure@mattermost.com
mattermost -- mattermost
 
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.2024-03-154.3CVE-2024-2446
responsibledisclosure@mattermost.com
mattermost -- mattermost_mobile
 
A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulation of the argument country leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256919. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-154.7CVE-2024-2497
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
mdp -- rotp
 
The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions. Users should patch to version 6.3.0. Users unable to patch may correct file permissions after installation.2024-03-165.3CVE-2024-28862
security-advisories@github.com
metagauss -- eventprime_-_events_calendar,_bookings_and_tickets
 
The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_attendees_email_by_event_id() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to to retrieve the attendees list for any event.2024-03-135.3CVE-2024-1126
security@wordfence.com
security@wordfence.com
metagauss -- eventprime_-_events_calendar,_bookings_and_tickets
 
The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 3.4.2. This is due to the plugin allowing unauthenticated users to update the status of order payments. This makes it possible for unauthenticated attackers to book events for free.2024-03-135.3CVE-2024-1321
security@wordfence.com
security@wordfence.com
metagauss -- eventprime_-_events_calendar,_bookings_and_tickets
 
The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the booking_export_all() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve all event booking which can contain PII.2024-03-134.3CVE-2024-1127
security@wordfence.com
security@wordfence.com
security@wordfence.com
mha_sistemas -- armhazena
 
A vulnerability classified as critical was found in MHA Sistemas arMHAzena 9.6.0.0. This vulnerability affects unknown code of the component Executa Page. The manipulation of the argument Companhia/Planta/Agente de/Agente até leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256888. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-156.3CVE-2024-2480
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
microsoft -- intune_company_portal_for_android
 
Microsoft Intune Linux Agent Elevation of Privilege Vulnerability2024-03-126.6CVE-2024-26201
secure@microsoft.com
microsoft -- microsoft_edge_(chromium-based)
 
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability2024-03-144.7CVE-2024-26163
secure@microsoft.com
microsoft -- microsoft_teams_for_android
 
Microsoft Teams for Android Information Disclosure Vulnerability2024-03-125CVE-2024-21448
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows USB Hub Driver Remote Code Execution Vulnerability2024-03-126.8CVE-2024-21429
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Hyper-V Denial of Service Vulnerability2024-03-125.5CVE-2024-21408
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability2024-03-125.7CVE-2024-21430
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Kernel Information Disclosure Vulnerability2024-03-125.5CVE-2024-26174
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Kernel Information Disclosure Vulnerability2024-03-125.5CVE-2024-26177
secure@microsoft.com
microsoft -- windows_10_version_1809
 
Windows Kernel Denial of Service Vulnerability2024-03-125.5CVE-2024-26181
secure@microsoft.com
microsoft -- windows_11_version_22h2
 
Windows Compressed Folder Tampering Vulnerability2024-03-126.5CVE-2024-26185
secure@microsoft.com
microsoft -- windows_11_version_22h2
 
Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability2024-03-125.5CVE-2024-26160
secure@microsoft.com
microsoft -- windows_defender_antimalware_platform
 
Microsoft Defender Security Feature Bypass Vulnerability2024-03-125.5CVE-2024-20671
secure@microsoft.com
microsoft -- windows_server_2019
 
Windows Standards-Based Storage Management Service Denial of Service Vulnerability2024-03-126.5CVE-2024-26197
secure@microsoft.com
movistar_ -- router_movistar_4g
 
Cross-Site Request Forgery vulnerability in Movistar's 4G router affecting version ES_WLD71-T1_v2.0.201820. This vulnerability allows an attacker to force an end user to execute unwanted actions in a web application in which they are currently authenticated.2024-03-136.5CVE-2024-2416
cve-coordination@incibe.es
mra13 -- simple_membership
 
The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires social engineering to successfully exploit, and the impact would be very limited due to the attacker requiring a user to login as the user with the injected payload for execution.2024-03-134.7CVE-2024-1985
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
msaari -- relevanssi_-_a_better_search
 
The Relevanssi - A Better Search plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relevanssi_export_log_check() function in all versions up to, and including, 4.22.0. This makes it possible for unauthenticated attackers to export the query log data. The vendor has indicated that they may look into adding a capability check for proper authorization control, however, this vulnerability is theoretically patched as is.2024-03-135.3CVE-2024-1380
security@wordfence.com
security@wordfence.com
n/a -- 1panel
 
A vulnerability, which was classified as critical, has been found in 1Panel up to 1.10.1-lts. Affected by this issue is the function baseApi.UpdateDeviceSwap of the file /api/v1/toolbox/device/update/swap. The manipulation of the argument Path with the input 123123123\nopen -a Calculator leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-256304.2024-03-106.3CVE-2024-2352
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
n/a -- 3rd_and_4th_generation_intel(r)_xeon(r)_processors_when_using_intel(r)_sgx_or_intel(r)_tdx
 
Protection mechanism failure in some 3rd and 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.2024-03-146.1CVE-2023-22655
secure@intel.com
n/a -- intel(r)_atom(r)_processors
 
Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.2024-03-146.5CVE-2023-28746
secure@intel.com
n/a -- intel(r)_csme_installer_software
 
Incorrect default permissions in some Intel(R) CSME installer software before version 2328.5.5.0 may allow an authenticated user to potentially enable escalation of privilege via local access.2024-03-146.7CVE-2023-28389
secure@intel.com
n/a -- intel(r)_csme_installer_software
 
Improper input validation in the Intel(R) CSME installer software before version 2328.5.5.0 may allow an authenticated user to potentially enable escalation of privilege via local access.2024-03-146.7CVE-2023-32633
secure@intel.com
n/a -- intel(r)_processors
 
Protection mechanism failure of bus lock regulator for some Intel(R) Processors may allow an unauthenticated user to potentially enable denial of service via network access.2024-03-146.5CVE-2023-39368
secure@intel.com
n/a -- intel(r)_processors
 
Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.2024-03-145.5CVE-2023-38575
secure@intel.com
n/a -- intel(r)_sps_firmware_versions
 
Uncontrolled resource consumption for some Intel(R) SPS firmware versions may allow a privileged user to potentially enable denial of service via network access.2024-03-146.8CVE-2023-35191
secure@intel.com
n/a -- intel(r)_xeon(r)_d_processors_with_intel(r)_sgx
 
Incorrect calculation in microcode keying mechanism for some Intel(R) Xeon(R) D Processors with Intel(R) SGX may allow a privileged user to potentially enable information disclosure via local access.2024-03-145.3CVE-2023-43490
secure@intel.com
n/a -- libvirt
 
An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to perform a denial of service attack by causing the libvirt daemon to crash.2024-03-115.5CVE-2024-1441
secalert@redhat.com
secalert@redhat.com
n/a -- openstack-designate
 
An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploit this flaw to access sensitive information.2024-03-156.6CVE-2023-6725
secalert@redhat.com
secalert@redhat.com
n/a -- ovn
 
A flaw was found in the Open Virtual Network (OVN). In OVN clusters where BFD is used between hypervisors for high availability, an attacker can inject specially crafted BFD packets from inside unprivileged workloads, including virtual machines or containers, that can trigger a denial of service.2024-03-126.5CVE-2024-2182
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
ndijkstra -- mollie_forms
 
The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to duplicate arbitrary posts and pages.2024-03-114.3CVE-2024-1400
security@wordfence.com
security@wordfence.com
ndijkstra -- mollie_forms
 
The Mollie Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportRegistrations function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to export payment data collected by this plugin.2024-03-114.3CVE-2024-1645
security@wordfence.com
security@wordfence.com
security@wordfence.com
netweblogic -- events_manager_-_calendar,_bookings,_tickets,_and_more!
 
The Events Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.4.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.2024-03-134.4CVE-2024-0614
security@wordfence.com
security@wordfence.com
security@wordfence.com
newsletter2go -- newsletter2go
 
The Newsletter2Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' parameter in all versions up to, and including, 4.0.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-126.4CVE-2024-1328
security@wordfence.com
security@wordfence.com
nik00726 -- team_circle_image_slider_with_lightbox
 
The Team Circle Image Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the circle_thumbnail_slider_with_lightbox_image_management_func() function. This makes it possible for unauthenticated attackers to edit image data which can be used to inject malicious JavaScript, along with deleting images, and uploading malicious files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.2024-03-135.3CVE-2015-10130
security@wordfence.com
security@wordfence.com
nixos -- nix
 
Nix is a package manager for Linux and other Unix systems. A fixed-output derivations on Linux can send file descriptors to files in the Nix store to another program running on the host (or another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows to modify the output of the derivation, after Nix has registered the path as "valid" and immutable in the Nix database. In particular, this allows the output of fixed-output derivations to be modified from their expected content. This issue has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-116.3CVE-2024-27297
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
nmedia -- comments_extra_fields_for_post,pages_and_cpt
 
The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscriber access or higher, to invoke those actions. As a result, they may modify comment form fields and update plugin settings.2024-03-134.3CVE-2024-0829
security@wordfence.com
security@wordfence.com
security@wordfence.com
nmedia -- comments_extra_fields_for_post,pages_and_cpt
 
The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0. This is due to missing or incorrect nonce validation on several ajax actions. This makes it possible for unauthenticated attackers to invoke those actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. As a result, they may modify comment form fields and update plugin settings.2024-03-134.3CVE-2024-0830
security@wordfence.com
security@wordfence.com
security@wordfence.com
openolat -- openolat
 
OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. By manually manipulating http requests when using the draw.io integration it is possible to read arbitrary files as the configured system user and SSRF. The problem is fixed in version 18.1.6 and 18.2.2. It is advised to upgrade to the latest version of 18.1.x or 18.2.x. Users unable to upgrade may work around this issue by disabling the Draw.io module or the entire REST API which will secure the system.2024-03-114.6CVE-2024-28198
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
opentext -- vertica_management_console
 
Certain functionality in OpenText Vertica Management console might be prone to bypass via crafted requests.  The vulnerability would affect one of Vertica's authentication functionalities by allowing specially crafted requests and sequences. This issue impacts the following Vertica Management Console versions: 10.x 11.1.1-24 or lower 12.0.4-18 or lower Please upgrade to one of the following Vertica Management Console versions: 10.x to upgrade to latest versions from below. 11.1.1-25 12.0.4-19 23.x 24.x2024-03-155CVE-2023-7248
security@opentext.com
opentext-- exceed_turbo_x
 
HTML injection in OpenText™ Exceed Turbo X affecting version 12.5.1. The vulnerability could result in Cross site scripting.  2024-03-136.4CVE-2023-38536
security@opentext.com
opentextâ„¢ -- exceed_turbo_x
 
Use of Hard-coded Cryptographic Key vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.1 and 12.5.2. The vulnerability could compromise the cryptographic keys.  2024-03-134.7CVE-2023-38535
security@opentext.com
palantir -- com.palantir.acme.gaia:gaia
 
One of Gotham Gaia services was found to be vulnerable to a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker to bypass CSP and get a persistent cross site scripting payload on the stack.2024-03-126.8CVE-2023-30968
cve-coordination@palantir.com
palo_alto_networks -- globalprotect_app
 
An issue in the Palo Alto Networks GlobalProtect app enables a non-privileged user to disable the GlobalProtect app in configurations that allow a user to disable GlobalProtect with a passcode.2024-03-135.5CVE-2024-2431
psirt@paloaltonetworks.com
palo_alto_networks -- globalprotect_app
 
A privilege escalation (PE) vulnerability in the Palo Alto Networks GlobalProtect app on Windows devices enables a local user to execute programs with elevated privileges. However, execution requires that the local user is able to successfully exploit a race condition.2024-03-134.5CVE-2024-2432
psirt@paloaltonetworks.com
palo_alto_networks -- pan-os
 
An improper authorization vulnerability in Palo Alto Networks Panorama software enables an authenticated read-only administrator to upload files using the web interface and completely fill one of the disk partitions with those uploaded files, which prevents the ability to log into the web interface or to download PAN-OS, WildFire, and content images. This issue affects only the web interface of the management plane; the dataplane is unaffected.2024-03-134.3CVE-2024-2433
psirt@paloaltonetworks.com
papercut -- papercut_ng,_papercut_mf
 
This is a reflected cross site scripting vulnerability in the PaperCut NG/MF application server. An attacker can exploit this weakness by crafting a malicious URL that contains a script. When an unsuspecting user clicks on this malicious link, it could potentially lead to limited loss of confidentiality, integrity or availability.2024-03-146.3CVE-2024-1883
eb41dac7-0af8-4f84-9f6d-0272772514f4
papercut -- papercut_ng,_papercut_mf
 
This is a Server-Side Request Forgery (SSRF) vulnerability in the PaperCut NG/MF server-side module that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.2024-03-146.5CVE-2024-1884
eb41dac7-0af8-4f84-9f6d-0272772514f4
papercut -- papercut_ng,_papercut_mf
 
This vulnerability potentially allows unauthorized enumeration of information from the embedded device APIs. An attacker must already have existing knowledge of some combination of valid usernames, device names and an internal system key. For such an attack to be successful the system must be in a specific runtime state.2024-03-144.8CVE-2024-1223
eb41dac7-0af8-4f84-9f6d-0272772514f4
pawaryogesh1989 -- bulk_edit_post_titles
 
The Bulk Edit Post Titles plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulkUpdatePostTitles function in all versions up to, and including, 5.0.0. This makes it possible for authenticated attackers, with subscriber access and above, to modify the titles of arbitrary posts.2024-03-134.3CVE-2024-0369
security@wordfence.com
security@wordfence.com
peering-manager -- peering-manager
 
Peering Manager is a BGP session management tool. Affected versions of Peering Manager are subject to a potential stored Cross-Site Scripting (XSS) attack in the `name` attribute of AS or Platform. The XSS triggers on a routers detail page. Adversaries are able to execute arbitrary JavaScript code with the permission of a victim. XSS attacks are often used to steal credentials or login tokens of other users. This issue has been addressed in version 1.8.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-126.1CVE-2024-28112
security-advisories@github.com
security-advisories@github.com
phoenix_contact -- charx_sec-3000
 
An unauthenticated remote attacker can upload a arbitrary script file due to improper input validation. The upload destination is fixed and is write only.2024-03-125.3CVE-2024-25994
info@cert.vde.com
phoenix_contact -- charx_sec-3000
 
An unauthenticated remote attacker can perform a remote code execution due to an origin validation error. The access is limited to the service user.2024-03-125.3CVE-2024-25996
info@cert.vde.com
phoenix_contact -- charx_sec-3000
 
An unauthenticated remote attacker can perform a log injection due to improper input validation. Only a certain log file is affected.2024-03-125.3CVE-2024-25997
info@cert.vde.com
phoenix_contact -- charx_sec-3000
 
An unauthenticated remote attacker can read memory out of bounds due to improper input validation in the MQTT stack. The brute force attack is not always successful because of memory randomization. 2024-03-125.9CVE-2024-26000
info@cert.vde.com
phoenix_contact -- charx_sec-3000
 
An unauthenticated remote attacker can gain service level privileges through an incomplete cleanup during service restart after a DoS. 2024-03-124.8CVE-2024-26005
info@cert.vde.com
pinterest -- querybook
 
Querybook is a Big Data Querying UI, combining collocated table metadata and a simple notebook interface. Querybook's datadocs functionality works by using a Websocket Server. The client talks to this WSS whenever updating/deleting/reading any cells as well as for watching the live status of query executions. Currently the CORS setting allows all origins, which could result in cross-site websocket hijacking and allow attackers to read/edit/remove datadocs of the user. This issue has been addressed in version 3.32.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-145.6CVE-2024-28251
security-advisories@github.com
security-advisories@github.com
postalserver -- postal
 
Postal is an open source SMTP server. Postal versions less than 3.0.0 are vulnerable to SMTP Smuggling attacks which may allow incoming e-mails to be spoofed. This, in conjunction with a cooperative outgoing SMTP service, would allow for an incoming e-mail to be received by Postal addressed from a server that a user has 'authorised' to send mail on their behalf but were not the genuine author of the e-mail. Postal is not affected for sending outgoing e-mails as email is re-encoded with `<CR><LF>` line endings when transmitted over SMTP. This issue has been addressed and users should upgrade to Postal v3.0.0 or higher. Once upgraded, Postal will only accept End of DATA sequences which are explicitly `<CR><LF>.<CR><LF>`. If a non-compliant sequence is detected it will be logged to the SMTP server log. There are no workarounds for this issue.2024-03-115.3CVE-2024-27938
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
premium_addons_for_elementor -- premium_addons_pro_for_elementor
 
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's IHover widget link in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1996
security@wordfence.com
security@wordfence.com
premium_addons_for_elementor -- premium_addons_pro_for_elementor
 
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_fbchat_app_id' parameter of the Messenger Chat Widget in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1997
security@wordfence.com
security@wordfence.com
premium_addons_for_elementor -- premium_addons_pro_for_elementor
 
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'navigation_dots' parameter of the Multi Scroll Widget in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-2000
security@wordfence.com
security@wordfence.com
premium_addons_for_elementor -- premium_addons_pro_for_elementor
 
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Global Badge module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-2237
security@wordfence.com
security@wordfence.com
premium_addons_for_elementor -- premium_addons_pro_for_elementor
 
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Mouse Cursor module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-2238
security@wordfence.com
security@wordfence.com
premium_addons_for_elementor -- premium_addons_pro_for_elementor
 
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Premium Magic Scroll module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-2239
security@wordfence.com
security@wordfence.com
premium_addons_for_elementor -- premium_addons_pro_for_elementor
 
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 4.10.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-156.4CVE-2024-2399
security@wordfence.com
security@wordfence.com
security@wordfence.com
qnap -- qtsAn injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later2024-03-086.5CVE-2024-21900
security@qnapsecurity.com.tw
radgeek -- feedwordpress
 
The FeedWordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2022.0222 due to missing validation on the user controlled 'guid' key. This makes it possible for unauthenticated attackers to view draft posts that may contain sensitive information.2024-03-135.3CVE-2024-0839
security@wordfence.com
security@wordfence.com
rayhanduitku -- duitku_payment_gateway
 
The Duitku Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_duitku_response function in all versions up to, and including, 2.11.4. This makes it possible for unauthenticated attackers to change the payment status of orders to failed.2024-03-135.3CVE-2024-0631
security@wordfence.com
security@wordfence.com
realmag777 -- husky_-_products_filter_for_woocommerce_(formerly_woof)
 
Cross-Site Request Forgery (CSRF) vulnerability in realmag777 HUSKY - Products Filter for WooCommerce (formerly WOOF).This issue affects HUSKY - Products Filter for WooCommerce (formerly WOOF): from n/a through 1.3.4.3.2024-03-154.3CVE-2023-50861
audit@patchstack.com
realmag777 -- husky_-_products_filter_professional_for_woocommerce
 
The HUSKY - Products Filter for WooCommerce Professional plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'woof' shortcode in all versions up to, and including, 1.3.5.1 due to insufficient input sanitization and output escaping on user supplied attributes such as 'swoof_slug'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-156.4CVE-2024-1796
security@wordfence.com
security@wordfence.com
rednao -- woocommerce_pdf_invoice_builder
 
Cross-Site Request Forgery (CSRF) vulnerability in RedNao WooCommerce PDF Invoice Builder.This issue affects WooCommerce PDF Invoice Builder: from n/a through 1.2.101.2024-03-165.4CVE-2023-51486
audit@patchstack.com
rejetto_ -- http_file_server_
 
An open redirect vulnerability, the exploitation of which could allow an attacker to create a custom URL and redirect a legitimate page to a malicious site.2024-03-126.5CVE-2024-1227
cve-coordination@incibe.es
rocket_elements -- split_test_for_elementor
 
Cross-Site Request Forgery (CSRF) vulnerability in Rocket Elements Split Test For Elementor.This issue affects Split Test For Elementor: from n/a through 1.6.9.2024-03-164.3CVE-2023-51407
audit@patchstack.com
rogierlankhorst -- burst_statistics_-_privacy-friendly_analytics_for_wordpress
 
The Burst Statistics - Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'burst_total_pageviews_count' custom meta field in all versions up to, and including, 1.5.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that this exploit only functions if the victim has the 'Show Toolbar when viewing site' option enabled in their profile.2024-03-136.4CVE-2024-1894
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
sap_se -- netweaver_(wsrm)
 
Under certain conditions SAP NetWeaver WSRM - version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application.2024-03-125.3CVE-2024-25644
cna@sap.com
cna@sap.com
sap_se -- sap_abap_platform
 
Due to missing authorization check, attacker with business user account in SAP ABAP Platform - version 758, 795, can change the privacy setting of job templates from shared to private. As a result, the selected template would only be accessible to the owner.2024-03-124.3CVE-2024-27900
cna@sap.com
cna@sap.com
sap_se -- sap_fiori_front_end_server
 
SAP Fiori Front End Server - version 605, allows altering of approver details on the read-only field when sending leave request information. This could lead to creation of request with incorrect approver causing low impact on Confidentiality and Integrity with no impact on Availability of the application.2024-03-124.6CVE-2024-22133
cna@sap.com
cna@sap.com
sap_se -- sap_netweaver_(enterprise_portal)
 
Under certain condition SAP NetWeaver (Enterprise Portal) - version 7.50 allows an attacker to access information which would otherwise be restricted causing low impact on confidentiality of the application and with no impact on Integrity and Availability of the application.2024-03-125.3CVE-2024-25645
cna@sap.com
cna@sap.com
sap_se -- sap_netweaver_as_abap_applications_based_on_sapgui_for_html_(webgui)
 
Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a user's browser. There is no impact on the availability of the system2024-03-125.4CVE-2024-27902
cna@sap.com
cna@sap.com
sap_se -- sap_netweaver_process_integration_(support_web_pages)
 
Under certain conditions, Support Web Pages of SAP NetWeaver Process Integration (PI) - versions 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application.2024-03-125.3CVE-2024-28163
cna@sap.com
cna@sap.com
sewpafly -- post_thumbnail_editor
 
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sewpafly Post Thumbnail Editor.This issue affects Post Thumbnail Editor: from n/a through 2.4.8.2024-03-165.3CVE-2024-24845
audit@patchstack.com
shapedplugin -- easy_accordion_-_best_accordion_faq_plugin_for_wordpress
 
The Easy Accordion - Best Accordion FAQ Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'accordion_content_source' attribute in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1363
security@wordfence.com
security@wordfence.com
siemens -- sentron_7km_pac3120_ac/dc
 
A vulnerability has been identified in SENTRON 7KM PAC3120 AC/DC (7KM3120-0BA01-1DA0) (All versions >= V3.2.3 < V3.3.0 only when manufactured between LQN231003... and LQN231215... ( with LQNYYMMDD...)), SENTRON 7KM PAC3120 DC (7KM3120-1BA01-1EA0) (All versions >= V3.2.3 < V3.3.0 only when manufactured between LQN231003... and LQN231215... ( with LQNYYMMDD...)), SENTRON 7KM PAC3220 AC/DC (7KM3220-0BA01-1DA0) (All versions >= V3.2.3 < V3.3.0 only when manufactured between LQN231003... and LQN231215... ( with LQNYYMMDD...)), SENTRON 7KM PAC3220 DC (7KM3220-1BA01-1EA0) (All versions >= V3.2.3 < V3.3.0 only when manufactured between LQN231003... and LQN231215... ( with LQNYYMMDD...)). The read out protection of the internal flash of affected devices was not properly set at the end of the manufacturing process. An attacker with physical access to the device could read out the data.2024-03-124.6CVE-2024-21483
productcert@siemens.com
siemens -- siveillance_control
 
A vulnerability has been identified in Siveillance Control (All versions >= V2.8 < V3.1.1). The affected product does not properly check the list of access groups that are assigned to an individual user. This could enable a locally logged on user to gain write privileges for objects where they only have read privileges.2024-03-125.5CVE-2023-45793
productcert@siemens.com
sirv.com -- sirv
 
Missing Authorization vulnerability in sirv.Com Sirv.This issue affects Sirv: from n/a through 7.1.2.2024-03-155.4CVE-2023-50898
audit@patchstack.com
skyhigh -- skyhigh_client_proxy
 
A malicious insider can bypass the existing policy of Skyhigh Client Proxy without a valid release code.2024-03-145.5CVE-2024-0311
trellixpsirt@trellix.com
skyhigh -- skyhigh_client_proxy
 
A malicious insider can uninstall Skyhigh Client Proxy without a valid uninstall password.2024-03-145.5CVE-2024-0312
trellixpsirt@trellix.com
skyhigh -- skyhigh_client_proxy
 
A malicious insider exploiting this vulnerability can circumvent existing security controls put in place by the organization. On the contrary, if the victim is legitimately using the temporary bypass to reach out to the Internet for retrieving application and system updates, a remote device could target it and undo the bypass, thereby denying the victim access to the update service, causing it to fail.2024-03-145.5CVE-2024-0313
trellixpsirt@trellix.com
snowflakedb -- snowflake-hive-metastore-connector
 
The Snowflake Hive metastore connector provides an easy way to query Hive-managed data via Snowflake. Snowflake Hive MetaStore Connector has addressed a potential elevation of privilege vulnerability in a `helper script` for the Hive MetaStore Connector. A malicious insider without admin privileges could, in theory, use the script to download content from a Microsoft domain to the local system and replace the valid content with malicious code. If the attacker then also had local access to the same system where the maliciously modified script is run, they could attempt to manipulate users into executing the attacker-controlled helper script, potentially gaining elevated privileges to the local system. The vulnerability in the script was patched on February 09, 2024, without a version bump to the Connector. User who use the helper script are strongly advised to use the latest version as soon as possible. Users unable to upgrade should avoid using the helper script.2024-03-154CVE-2024-28851
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
softaculous -- backuply_-_backup,_restore,_migrate_and_clone
 
The Backuply - Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.2.7 via the backup_name parameter in the backuply_download_backup function. This makes it possible for attackers to have an account with only activate_plugins capability to access arbitrary files on the server, which can contain sensitive information. This only impacts sites hosted on Windows servers.2024-03-164.9CVE-2024-2294
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
soundcloud_inc.,_lawrie_malen -- soundcloud_shortcode
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SoundCloud Inc., Lawrie Malen SoundCloud Shortcode allows Stored XSS.This issue affects SoundCloud Shortcode: from n/a through 4.0.1.2024-03-156.5CVE-2024-25936
audit@patchstack.com
sourcecodester -- best_pos_management_system
 
A vulnerability was found in SourceCodester Best POS Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /view_order.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256705 was assigned to this vulnerability.2024-03-136.3CVE-2024-2418
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
sourcecodester -- crud_without_page_reload
 
A vulnerability was found in SourceCodester CRUD without Page Reload 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file add_user.php. The manipulation of the argument city leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256453 was assigned to this vulnerability.2024-03-126.3CVE-2024-2393
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
stylemix -- masterstudy_lms_wordpress_plugin_-_for_online_courses_and_education
 
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 3.2.10. This can allow unauthenticated attackers to extract sensitive data including all registered user's username and email addresses which can be used to help perform future attacks.2024-03-135.3CVE-2024-2106
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
subratamal -- terawallet_-_best_woocommerce_wallet_system_with_cashback_rewards,_partial_payment,_wallet_refunds
 
The TeraWallet - Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the terawallet_export_user_search() function in all versions up to, and including, 1.4.10. This makes it possible for authenticated attackers, with subscriber-level access and above, to export a list of registered users and their emails.2024-03-134.3CVE-2024-1690
security@wordfence.com
security@wordfence.com
surya2developer -- hostel_management_service
 
A vulnerability, which was classified as problematic, has been found in Surya2Developer Hostel Management Service 1.0. This issue affects some unknown processing of the file /change-password.php of the component Password Change Handler. The manipulation of the argument oldpassword leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256889 was assigned to this vulnerability.2024-03-154.3CVE-2024-2483
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
surya2developer -- hostel_management_system
 
A vulnerability, which was classified as critical, was found in Surya2Developer Hostel Management System 1.0. Affected is an unknown function of the file /admin/manage-students.php. The manipulation of the argument del leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-256890 is the identifier assigned to this vulnerability.2024-03-156.5CVE-2024-2481
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
svenl77 -- post_form_-_registration_form_-_profile_form_for_user_profiles_-_frontend_content_forms_for_user_submissions_(ugc)
 
The Post Form - Registration Form - Profile Form for User Profiles - Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buddyforms_new_page function in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber access or higher, to create pages with arbitrary titles. These pages are published.2024-03-134.3CVE-2024-1158
security@wordfence.com
security@wordfence.com
security@wordfence.com
sysbasics -- customize_my_account_for_woocommerce
 
Cross-Site Request Forgery (CSRF) vulnerability in SysBasics Customize My Account for WooCommerce.This issue affects Customize My Account for WooCommerce: from n/a through 1.8.3.2024-03-154.3CVE-2023-51369
audit@patchstack.com
takayukister -- contact_form_7
 
The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'active-tab' parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.2024-03-136.1CVE-2024-2242
security@wordfence.com
security@wordfence.com
techfyd -- sky_addons_for_elementor_(free_templates_library,_live_copy,_animations,_post_grid,_post_carousel,_particles,_sliders,_chart,_blogs)
 
The Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wrapper link URL value in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-2286
security@wordfence.com
security@wordfence.com
techjewel -- contact_form_plugin_by_fluent_forms_for_quiz,_survey,_and_drag_&_drop_wp_form_builder
 
The Fluent Forms plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.9 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploitation level depends on who is granted the right to create forms by an administrator. This level can be as low as contributor, but by default is admin.2024-03-134.9CVE-2023-6957
security@wordfence.com
security@wordfence.com
thedark -- auto_affiliate_links
 
The Auto Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the aalAddLink function in all versions up to, and including, 6.4.3. This makes it possible for authenticated attackers, with subscriber access or higher, to add arbitrary links to posts.2024-03-134.3CVE-2024-1843
security@wordfence.com
security@wordfence.com
security@wordfence.com
themefusecom -- brizy_-_page_builder
 
The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown URL parameter in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1291
security@wordfence.com
security@wordfence.com
themefusecom -- brizy_-_page_builder
 
The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the embedded media custom block in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1293
security@wordfence.com
security@wordfence.com
themefusecom -- brizy_-_page_builder
 
The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block upload in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1296
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
themefusion -- avada_|_website_builder_for_wordpress_&_woocommerce
 
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 7.11.5 via the form entries page. This makes it possible for authenticated attackers, with contributor access and above, to view the contents of all form submissions, including fields that are obfuscated (such as the contact form's "password" field).2024-03-136.5CVE-2024-1668
security@wordfence.com
security@wordfence.com
themegrill -- maintenance_page
 
The Maintenance Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the subscribe_download function hooked via AJAX action in all versions up to, and including, 1.0.8. This makes it possible for authenticated attackers, with subscriber access or higher, to download a csv containing subscriber emails.2024-03-135.3CVE-2024-1370
security@wordfence.com
security@wordfence.com
themegrill -- maintenance_page
 
The Maintenance Page plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 1.0.8 via the REST API. This makes it possible for unauthenticated attackers to view post titles and content when the site is in maintenance mode.2024-03-135.3CVE-2024-1462
security@wordfence.com
security@wordfence.com
themeisle -- orbit_fox_by_themeisle
 
The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form widget addr2_width attribute in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1497
security@wordfence.com
security@wordfence.com
security@wordfence.com
themeisle -- orbit_fox_by_themeisle
 
The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Table widget in the $settings['title_tags'] parameter in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1499
security@wordfence.com
security@wordfence.com
security@wordfence.com
themeisle -- orbit_fox_by_themeisle
 
The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Registration Form widget in all versions up to, and including, 2.10.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-2126
security@wordfence.com
security@wordfence.com
themencode_llc -- tnc_pdf_viewer
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNcode LLC TNC PDF viewer allows Stored XSS.This issue affects TNC PDF viewer: from n/a through 2.8.0.2024-03-136.5CVE-2024-25097
audit@patchstack.com
themisle -- otter_blocks_pro_-_gutenberg_blocks,_page_builder_for_gutenberg_editor_&_fse
 
The Otter Blocks - Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form file field CSS metabox in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1684
security@wordfence.com
security@wordfence.com
themisle -- otter_blocks_pro_-_gutenberg_blocks,_page_builder_for_gutenberg_editor_&_fse
 
The Otter Blocks - Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file upload form, which allows SVG uploads, in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that the patch in 2.6.4 allows SVG uploads but the uploaded SVG files are sanitized.2024-03-136.1CVE-2024-1691
security@wordfence.com
security@wordfence.com
tibco_software_inc. -- tibco_activespaces_-_enterprise_edition
 
The Proxy and Client components of TIBCO Software Inc.'s TIBCO ActiveSpaces - Enterprise Edition contain a vulnerability that theoretically allows an Active Spaces client to passively observe data traffic to other clients. Affected releases are TIBCO Software Inc.'s TIBCO ActiveSpaces - Enterprise Edition: versions 4.4.0 through 4.9.0.2024-03-124.3CVE-2024-1137
security@tibco.com
timstrifler -- exclusive_addons_for_elementor
 
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1234
security@wordfence.com
security@wordfence.com
timstrifler -- exclusive_addons_for_elementor
 
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Timer widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1413
security@wordfence.com
security@wordfence.com
timstrifler -- exclusive_addons_for_elementor
 
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1414
security@wordfence.com
security@wordfence.com
timstrifler -- exclusive_addons_for_elementor
 
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Covid-19 Stats Widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-2028
security@wordfence.com
security@wordfence.com
turtlepod -- f(x)_private_site
 
The f(x) Private Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.1 via the API. This makes it possible for unauthenticated attackers to obtain page and post contents of a site protected with this plugin.2024-03-125.3CVE-2024-0906
security@wordfence.com
security@wordfence.com
vantage6 -- vantage6
 
vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. Much like GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes `/recover/lost` and `/2fa/lost`. These routes send emails to users if they have lost their password or MFA token. This issue has been addressed in commit `aecfd6d0e` and is expected to ship in subsequent releases. Users are advised to upgrade as soon as a new release is available. There are no known workarounds for this vulnerability.2024-03-145.3CVE-2024-24770
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
vantage6 -- vantage6
 
vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server. The impact is limited because v6 does not use session cookies. This issue has been addressed in commit `70bb4e1d8` and is expected to ship in subsequent releases. Users are advised to upgrade as soon as a new release is available. There are no known workarounds for this vulnerability.2024-03-144.2CVE-2024-23823
security-advisories@github.com
security-advisories@github.com
vantage6 -- vantage6-ui
 
vantage6-UI is the official user interface for the vantage6 server. In affected versions a number of security headers are not set. This issue has been addressed in commit `68dfa6614` which is expected to be included in future releases. Users are advised to upgrade when a new release is made. While an upgrade path is not available users may modify the docker image build to insert the headers into nginx.2024-03-145.4CVE-2024-24562
security-advisories@github.com
security-advisories@github.com
visualcomposer -- visual_composer_website_builder,_landing_page_builder,_custom_theme_builder,_maintenance_mode_&_coming_soon_pages
 
The Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom fields in all versions up to, and including, 45.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2023-6880
security@wordfence.com
security@wordfence.com
wago -- controller_bacnet/ip
 
An unauthenticated remote attacker can use an XSS attack due to improper neutralization of input during web page generation. User interaction is required. This leads to a limited impact of confidentiality and integrity but no impact of availability.2024-03-135.4CVE-2018-25090
info@cert.vde.com
wbw -- product_table_by_wbw
 
Cross Site Request Forgery (CSRF) vulnerability in WBW Product Table by WBW.This issue affects Product Table by WBW: from n/a through 1.8.6.2024-03-164.3CVE-2023-51512
audit@patchstack.com
webtechstreet -- elementor_addon_elementsThe Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'icon_align' attribute of the Content Switcher widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1393
security@wordfence.com
security@wordfence.com
security@wordfence.com
webtechstreet -- elementor_addon_elements
 
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eae_custom_overlay_switcher' attribute of the Thumbnail Slider widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1391
security@wordfence.com
security@wordfence.com
security@wordfence.com
webtechstreet -- elementor_addon_elements
 
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button1_icon' attribute of the Dual Button widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1392
security@wordfence.com
security@wordfence.com
security@wordfence.com
webtechstreet -- elementor_addon_elements
 
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the modal popup widget's effect setting in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1422
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
wokamoto -- simple_tweet
 
The Simple Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Tweet this text value in all versions up to, and including, 1.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-0700
security@wordfence.com
security@wordfence.com
security@wordfence.com
wpchill -- simple_restrict
 
The Simple Restrict plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.6 via the REST API. This makes it possible for authenticated attackers to bypass the plugin's restrictions to extract post titles and content2024-03-135.3CVE-2024-1083
security@wordfence.com
security@wordfence.com
wpdatatables -- wpdatatables_-_wordpress_data_table,_dynamic_tables_&_table_charts_plugin
 
The wpDataTables - WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'A' parameter in all versions up to, and including, 3.4.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.2024-03-136.1CVE-2024-0591
security@wordfence.com
security@wordfence.com
security@wordfence.com
security@wordfence.com
wpdevteam -- essential_addons_for_elementor_-_best_elementor_templates,_widgets,_kits_&_woocommerce_builders
 
The Essential Addons for Elementor - Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Data Table widget in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1537
security@wordfence.com
security@wordfence.com
wpdevteam -- essential_blocks_-_page_builder_gutenberg_blocks,_patterns_&_templates
 
The Essential Blocks - Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blockId parameter in all versions up to, and including, 4.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1854
security@wordfence.com
security@wordfence.com
wpeventmanager -- wp_event_manager_-_events_calendar,_registrations,_sell_tickets_with_woocommerce
 
The WP Event Manager - Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the plugin parameter in all versions up to, and including, 3.1.41 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.2024-03-136.1CVE-2024-0976
security@wordfence.com
security@wordfence.com
security@wordfence.com
wpgmaps -- wp_go_maps_(formerly_wp_google_maps)The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpgmza' shortcode in all versions up to, and including, 9.0.32 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1582
security@wordfence.com
security@wordfence.com
wpgmaps -- wp_go_maps_(formerly_wp_google_maps)
 
The WP Go Maps for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 9.0.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.2024-03-134.4CVE-2023-4839
security@wordfence.com
security@wordfence.com
wpmu_dev -- broken_link_checker
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV Broken Link Checker allows Stored XSS.This issue affects Broken Link Checker: from n/a through 2.2.3.2024-03-155.9CVE-2024-25592
audit@patchstack.com
wpswings -- ultimate_gift_cards_for_woocommerce_-_create,_redeem_&_manage_digital_gift_certificates_with_personalized_templates
 
The Ultimate Gift Cards for WooCommerce - Create, Redeem & Manage Digital Gift Certificates with Personalized Templates plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.6 via the wps_wgm_preview_email_template(). This makes it possible for unauthenticated attackers to read password protected and draft posts that may contain sensitive data.2024-03-165.3CVE-2024-1857
security@wordfence.com
security@wordfence.com
wpvividplugins -- wpvivid_backup_for_mainwp
 
The WPvivid Backup for MainWP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 0.9.32 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.2024-03-136.1CVE-2024-1383
security@wordfence.com
security@wordfence.com
security@wordfence.com
wpwax -- legal_pages
 
Cross-Site Request Forgery (CSRF), Incorrect Authorization vulnerability in wpWax Legal Pages.This issue affects Legal Pages: from n/a through 1.3.7.2024-03-154.3CVE-2023-50886
audit@patchstack.com
xpeedstudio -- elementskit_elementor_addons
 
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blog post read more button in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-166.4CVE-2024-1239
security@wordfence.com
security@wordfence.com
xpeedstudio -- elementskit_elementor_addons
 
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Accordion widget in all versions up to, and including, 3.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-166.4CVE-2024-2042
security@wordfence.com
security@wordfence.com
security@wordfence.com
xpeedstudio -- elementskit_elementor_addons
 
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the progress bar element attributes in all versions up to, and including, 3.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This primarily affects multi-site installations and installations where unfiltered_html has been disabled.2024-03-165.5CVE-2023-6525
security@wordfence.com
security@wordfence.com
security@wordfence.com
xpeedstudio -- metform_elementor_contact_form_builder
 
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2024-03-136.4CVE-2024-1585
security@wordfence.com
security@wordfence.com
security@wordfence.com
xpeedstudio -- wp_social_login_and_register_social_counter
 
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp_social/v1/ REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to enable and disable certain providers for the social share and login features.2024-03-136.5CVE-2024-1763
security@wordfence.com
security@wordfence.com
yonifre -- maspik_-_spam_blacklist
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yonifre Maspik - Spam Blacklist allows Stored XSS.This issue affects Maspik - Spam Blacklist: from n/a through 0.10.6.2024-03-135.9CVE-2024-25101
audit@patchstack.com
yooooomi -- your_spotify
 
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version <1.8.0 allows users to create a public token in the settings, which can be used to provide guest-level access to the information of that specific user in YourSpotify. The /me API endpoint discloses Spotify API access and refresh tokens to guest users. Attackers with access to a public token for guest access to YourSpotify can therefore obtain access to Spotify API tokens of YourSpotify users. As a consequence, attackers may extract profile information, information about listening habits, playlists and other information from the corresponding Spotify profile. In addition, the attacker can pause and resume playback in the Spotify app at will. This issue has been resolved in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this issue.2024-03-136.5CVE-2024-28193
security-advisories@github.com
yooooomi -- your_spotify
 
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version < 1.9.0 does not prevent other pages from displaying it in an iframe and is thus vulnerable to clickjacking. Clickjacking can be used to trick an existing user of YourSpotify to trigger actions, such as allowing signup of other users or deleting the current user account. Clickjacking works by opening the target application in an invisible iframe on an attacker-controlled site and luring a victim to visit the attacker page and interacting with it. By positioning elements over the invisible iframe, a victim can be tricked into triggering malicious or destructive actions in the invisible iframe, while they think they interact with a totally different site altogether. When a victim visits an attacker-controlled site while they are logged into YourSpotify, they can be tricked into performing actions on their YourSpotify instance without their knowledge. These actions include allowing signup of other users or deleting the current user account, resulting in a high impact to the integrity of YourSpotify. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-136.5CVE-2024-28196
security-advisories@github.com
yooooomi -- your_spotify
 
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version <1.8.0 is vulnerable to NoSQL injection in the public access token processing logic. Attackers can fully bypass the public token authentication mechanism, regardless if a public token has been generated before or not, without any user interaction or prerequisite knowledge. This vulnerability allows an attacker to fully bypass the public token authentication mechanism, regardless if a public token has been generated before or not, without any user interaction or prerequisite knowledge. This issue has been addressed in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-135.3CVE-2024-28192
security-advisories@github.com
zemana -- antilogger
 
Zemana AntiLogger v2.74.204.664 is vulnerable to a Memory Information Leak vulnerability by triggering the 0x80002020 IOCTL code of the zam64.sys and zamguard64.sys drivers2024-03-155.5CVE-2024-2180
help@fluidattacks.com
help@fluidattacks.com
zemana -- antilogger
 
Zemana AntiLogger v2.74.204.664 is vulnerable to a Denial of Service (DoS) vulnerability by triggering the 0x80002004 and 0x80002010 IOCTL codes of the zam64.sys and zamguard64.sys drivers.2024-03-155.5CVE-2024-2204
help@fluidattacks.com
help@fluidattacks.com
zemena -- antilogger
 
Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability by triggering the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers.2024-03-145.5CVE-2024-1853
help@fluidattacks.com
help@fluidattacks.com
zoom_video_communications,_inc. -- zoom_rooms_client_for_windows
 
Race condition in the installer for Zoom Rooms Client for Windows before version 5.17.5 may allow an authenticated user to conduct a denial of service via local access.2024-03-135.3CVE-2024-24692
security@zoom.us

Back to top

 

Low Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
bpftrace -- bpftrace
 
If kernel headers need to be extracted, bpftrace will attempt to load them from a temporary directory. An unprivileged attacker could use this to force bcc to load compromised linux headers. Linux distributions which provide kernel headers by default are not affected by default.2024-03-102.8CVE-2024-2313
security@ubuntu.com
security@ubuntu.com
cloudflare -- quiche
 
Cloudflare quiche was discovered to be vulnerable to unbounded storage of information related to connection ID retirement, which could lead to excessive resource consumption. Each QUIC connection possesses a set of connection Identifiers (IDs); see RFC 9000 Section 5.1 https://datatracker.ietf.org/doc/html/rfc9000#section-5.1 . Endpoints declare the number of active connection IDs they are willing to support using the active_connection_id_limit transport parameter. The peer can create new IDs using a NEW_CONNECTION_ID frame but must stay within the active ID limit. This is done by retirement of old IDs, the endpoint sends NEW_CONNECTION_ID includes a value in the retire_prior_to field, which elicits a RETIRE_CONNECTION_ID frame as confirmation. An unauthenticated remote attacker can exploit the vulnerability by sending NEW_CONNECTION_ID frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that RETIRE_CONNECTION_ID frames can only be sent at a slower rate than they are received, leading to storage of information related to connection IDs in an unbounded queue. Quiche versions 0.19.2 and 0.20.1 are the earliest to address this problem. There is no workaround for affected versions.2024-03-123.7CVE-2024-1410
cna@cloudflare.com
collaboraonline -- online
 
Collabora Online is a collaborative online office suite based on LibreOffice technology. Each document in Collabora Online is opened by a separate "Kit" instance in a different "jail" with a unique directory "jailID" name. For security reasons, this directory name is randomly generated and should not be given out to the client. In affected versions of Collabora Online it is possible to use the CELL() function, with the "filename" argument, in the spreadsheet component to get a path which includes this JailID. The impact of this vulnerability in its own is low because it requires to be chained with another vulnerability. Users should upgrade to Collabora Online 23.05.9; Collabora Online 22.05.22; Collabora Online 21.11.10 or higher. There are no known workarounds for this vulnerability.2024-03-112.6CVE-2024-25114
security-advisories@github.com
security-advisories@github.com
dell -- poweredge_platform
 
Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an improper parameter initialization vulnerability. A local low privileged attacker could potentially exploit this vulnerability to read the contents of non-SMM stack memory.2024-03-133.8CVE-2024-0154
security_alert@emc.com
dell -- poweredge_platform
 
Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an improper parameter initialization vulnerability. A local low privileged attacker could potentially exploit this vulnerability to read the contents of non-SMM stack memory.2024-03-133.8CVE-2024-0173
security_alert@emc.com
directus -- directus
 
Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user. This issue has been addressed in version 10.10.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-122.3CVE-2024-28238
security-advisories@github.com
discourse -- discourse
 
A vulnerability has been found in Surya2Developer Hostel Management Service 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /check_availability.php of the component HTTP POST Request Handler. The manipulation of the argument oldpassword leads to observable response discrepancy. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256891.2024-03-153.7CVE-2024-2482
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
ibm -- maximo_application_suite
 
IBM Maximo Application Suite 8.10, 8.11 and IBM Maximo Asset Management 7.6.1.3 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 255075.2024-03-133.7CVE-2023-32335
psirt@us.ibm.com
psirt@us.ibm.com
psirt@us.ibm.com
iovisor -- bpf_compiler_collection
 
If kernel headers need to be extracted, bcc will attempt to load them from a temporary directory. An unprivileged attacker could use this to force bcc to load compromised linux headers. Linux distributions which provide kernel headers by default are not affected by default.2024-03-102.8CVE-2024-2314
security@ubuntu.com
security@ubuntu.com
keerti1924 -- secret-coder-php-project
 
A vulnerability has been found in keerti1924 Secret-Coder-PHP-Project 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /secret_coder.sql. The manipulation leads to inclusion of sensitive information in source code. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256315. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-103.7CVE-2024-2355
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability, which was classified as problematic, has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected by this issue is some unknown functionality of the file home.php. The manipulation of the argument id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256952. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-163.5CVE-2024-2515
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0 and classified as problematic. This issue affects some unknown processing of the file book_history.php. The manipulation of the argument id leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256955. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-163.5CVE-2024-2518
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been classified as problematic. Affected is an unknown function of the file navbar.php. The manipulation of the argument id leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256956. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-163.5CVE-2024-2519
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/bookdate.php. The manipulation of the argument id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-256958 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-163.5CVE-2024-2521
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability classified as problematic was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. This vulnerability affects unknown code of the file /admin/booktime.php. The manipulation of the argument id leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256960. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-163.5CVE-2024-2523
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability, which was classified as problematic, was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected is an unknown function of the file /admin/receipt.php. The manipulation of the argument id leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-256962 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-163.5CVE-2024-2525
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/rooms.php. The manipulation of the argument id leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256963. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-163.5CVE-2024-2526
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/update-rooms.php. The manipulation of the argument id leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256967. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-163.5CVE-2024-2530
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
magesh-k21 -- online-college-event-hall-reservation-system
 
A vulnerability, which was classified as problematic, has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected by this issue is some unknown functionality of the file /admin/update-users.php. The manipulation of the argument id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-256970 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-163.5CVE-2024-2533
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
mattermost -- mattermost
 
Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.2024-03-153.1CVE-2024-28053
responsibledisclosure@mattermost.com
mattermost -- mattermost_mobile
 
Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a very large code block and crash the mobile app.2024-03-153.5CVE-2024-24975
responsibledisclosure@mattermost.com
mha_sistemas -- armhazena
 
A vulnerability classified as problematic has been found in MHA Sistemas arMHAzena 9.6.0.0. This affects an unknown part of the component Cadastro Page. The manipulation of the argument Query leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256887. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-153.5CVE-2024-2479
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
microsoft -- microsoft_edge_for_android
 
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability2024-03-143.9CVE-2024-26246
secure@microsoft.com
n/a -- eve-ng
 
A vulnerability was found in EVE-NG 5.0.1-13 and classified as problematic. Affected by this issue is some unknown functionality of the component Lab Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-256442 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.2024-03-122.4CVE-2024-2391
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
n/a -- intel(r)_local_manageability_service_software
 
Insertion of sensitive information into log file for some Intel(R) Local Manageability Service software before version 2316.5.1.2 may allow an authenticated user to potentially enable information disclosure via local access.2024-03-143.3CVE-2023-27502
secure@intel.com
n/a -- musicshelf
 
A vulnerability classified as problematic has been found in Musicshelf 1.0/1.1 on Android. Affected is an unknown function of the file androidmanifest.xml of the component Backup Handler. The manipulation leads to exposure of backup file to an unauthorized control sphere. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256320.2024-03-101.8CVE-2024-2364
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
n/a -- musicshelf
 
A vulnerability classified as problematic was found in Musicshelf 1.0/1.1 on Android. Affected by this vulnerability is an unknown functionality of the file io\fabric\sdk\android\services\network\PinningTrustManager.java of the component SHA-1 Handler. The manipulation leads to password hash with insufficient computational effort. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-256321 was assigned to this vulnerability.2024-03-111.6CVE-2024-2365
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
n/a -- quarkus
 
A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk.2024-03-133.5CVE-2024-1979
secalert@redhat.com
secalert@redhat.com
secalert@redhat.com
papercut -- papercut_ng,_papercut_mf
 
This vulnerability potentially allows files on a PaperCut NG/MF server to be exposed using a specifically formed payload against the impacted API endpoint. The attacker must carry out some reconnaissance to gain knowledge of a system token. This CVE only affects Linux and macOS PaperCut NG/MF servers.2024-03-143.1CVE-2024-1221
eb41dac7-0af8-4f84-9f6d-0272772514f4
peering-manager -- peering-manager
 
Peering Manager is a BGP session management tool. In Peering Manager <=1.8.2, it is possible to redirect users to an arbitrary page using a crafted url. As a result users can be redirected to an unexpected location. This issue has been addressed in version 1.8.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.2024-03-123.5CVE-2024-28113
security-advisories@github.com
security-advisories@github.com

Back to top

 

Severity Not Yet Assigned

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
N/A -- N/A
 
In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: Fix memory leak in amd_sfh_work Kmemleak tool detected a memory leak in the amd_sfh driver. ==================== unreferenced object 0xffff88810228ada0 (size 32): comm "insmod", pid 3968, jiffies 4295056001 (age 775.792s) hex dump (first 32 bytes): 00 20 73 1f 81 88 ff ff 00 01 00 00 00 00 ad de . s............. 22 01 00 00 00 00 ad de 01 00 02 00 00 00 00 00 "............... backtrace: [<000000007b4c8799>] kmem_cache_alloc_trace+0x163/0x4f0 [<0000000005326893>] amd_sfh_get_report+0xa4/0x1d0 [amd_sfh] [<000000002a9e5ec4>] amdtp_hid_request+0x62/0x80 [amd_sfh] [<00000000b8a95807>] sensor_hub_get_feature+0x145/0x270 [hid_sensor_hub] [<00000000fda054ee>] hid_sensor_parse_common_attributes+0x215/0x460 [hid_sensor_iio_common] [<0000000021279ecf>] hid_accel_3d_probe+0xff/0x4a0 [hid_sensor_accel_3d] [<00000000915760ce>] platform_probe+0x6a/0xd0 [<0000000060258a1f>] really_probe+0x192/0x620 [<00000000fa812f2d>] driver_probe_device+0x14a/0x1d0 [<000000005e79f7fd>] __device_attach_driver+0xbd/0x110 [<0000000070d15018>] bus_for_each_drv+0xfd/0x160 [<0000000013a3c312>] __device_attach+0x18b/0x220 [<000000008c7b4afc>] device_initial_probe+0x13/0x20 [<00000000e6e99665>] bus_probe_device+0xfe/0x120 [<00000000833fa90b>] device_add+0x6a6/0xe00 [<00000000fa901078>] platform_device_add+0x180/0x380 ==================== The fix is to freeing request_list entry once the processed entry is removed from the request_list.2024-03-15not yet calculatedCVE-2021-47133
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A -- N/A
 
GV-ASManager V6.0.1.0 contains a Local File Inclusion vulnerability in GeoWebServer via Path.2024-03-11not yet calculatedCVE-2022-46070
cve@mitre.org
N/A -- N/A
 
Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.1 allows an attacker to obtain sensitive information via the invoice ID parameter.2024-03-13not yet calculatedCVE-2023-36238
cve@mitre.org
N/A -- N/A
 
SQL Injection vulnerability in Student Enrollment In PHP 1.0 allows attackers to run arbitrary code via the Student Search function.2024-03-13not yet calculatedCVE-2023-41504
cve@mitre.org
N/A -- N/A
 
An arbitrary file upload vulnerability in the Add Student's Profile Picture function of Student Enrollment In PHP v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.2024-03-13not yet calculatedCVE-2023-41505
cve@mitre.org
N/A -- N/A
 
There is a PHP file inclusion vulnerability in the template configuration of eyoucms v1.6.4, allowing attackers to execute code or system commands through a carefully crafted malicious payload.2024-03-14not yet calculatedCVE-2023-42286
cve@mitre.org
N/A -- N/A
 
Cross Site Scripting (XSS) vulnerability in Code-Projects Exam Form Submission 1.0 allows attackers to run arbitrary code via "Subject Name" and "Subject Code" section.2024-03-12not yet calculatedCVE-2023-42307
cve@mitre.org
N/A -- N/A
 
Cross Site Scripting (XSS) vulnerability in Manage Fastrack Subjects in Code-Projects Exam Form Submission 1.0 allows attackers to run arbitrary code via the "Subject Name" and "Subject Code" Section.2024-03-12not yet calculatedCVE-2023-42308
cve@mitre.org
N/A -- N/A
 
Null Pointer Dereference in mask_cidr6 component at cidr.c in Tcpreplay 4.4.4 allows attackers to crash the application via crafted tcprewrite command.2024-03-12not yet calculatedCVE-2023-43279
cve@mitre.org
N/A -- N/A
 
Cross Site Scripting vulnerability in My Food Recipe Using PHP with Source Code v.1.0 allows a local attacker to execute arbitrary code via a crafted payload to the Recipe Name, Procedure, and ingredients parameters.2024-03-12not yet calculatedCVE-2023-43292
cve@mitre.org
N/A -- N/A
 
Reflected cross-site scripting (XSS) vulnerability in Racktables v0.22.0 and before, allows local attackers to execute arbitrary code and obtain sensitive information via the search component in index.php.2024-03-12not yet calculatedCVE-2023-49453
cve@mitre.org
N/A -- N/A
 
An issue in NETGEAR-DGND4000 v.1.1.00.15_1.00.15 allows a remote attacker to escalate privileges via the next_file parameter to the /setup.cgi component.2024-03-14not yet calculatedCVE-2023-50677
cve@mitre.org
N/A -- N/A
 
djangorestframework-simplejwt version 5.3.1 and before is vulnerable to information disclosure. A user can access web application resources even after their account has been disabled due to missing user validation checks via the for_user method.2024-03-16not yet calculatedCVE-2024-22513
cve@mitre.org
N/A -- N/A
 
SQL Injection vulnerability in Code-projects.org Scholars Tracking System 1.0 allows attackers to run arbitrary code via login.php.2024-03-12not yet calculatedCVE-2024-24092
cve@mitre.org
N/A -- N/A
 
SQL Injection vulnerability in Code-projects Scholars Tracking System 1.0 allows attackers to run arbitrary code via Personal Information Update information.2024-03-12not yet calculatedCVE-2024-24093
cve@mitre.org
N/A -- N/A
 
Cross Site Scripting (XSS) vulnerability in Code-projects Scholars Tracking System 1.0 allows attackers to run arbitrary code via the News Feed.2024-03-12not yet calculatedCVE-2024-24097
cve@mitre.org
N/A -- N/A
 
Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection under Eligibility Information Update.2024-03-12not yet calculatedCVE-2024-24101
cve@mitre.org
N/A -- N/A
 
SQL Injection vulnerability in Code-projects Computer Science Time Table System 1.0 allows attackers to run arbitrary code via adminFormvalidation.php.2024-03-13not yet calculatedCVE-2024-24105
cve@mitre.org
N/A -- N/A
 
Cross Site Scripting (XSS) vulnerability in Gnuboard g6 before Github commit 58c737a263ac0c523592fd87ff71b9e3c07d7cf5, allows remote attackers execute arbitrary code via the wr_content parameter.2024-03-16not yet calculatedCVE-2024-24156
cve@mitre.org
N/A -- N/A
 
In TP-Link Omada er605 1.0.1 through (v2.6) 2.2.3, a cloud-brd binary is susceptible to an integer overflow that leads to a heap-based buffer overflow. After heap shaping, an attacker can achieve code execution in the context of the cloud-brd binary that runs at the root level. This is fixed in ER605(UN)_v2_2.2.4 Build 020240119.2024-03-14not yet calculatedCVE-2024-25139
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
SQL Injection vulnerability in ABO.CMS version 5.8, allows remote attackers to execute arbitrary code, cause a denial of service (DoS), escalate privileges, and obtain sensitive information via the tb_login parameter in admin login page.2024-03-15not yet calculatedCVE-2024-25227
cve@mitre.org
N/A -- N/A
 
Vinchin Backup and Recovery 7.2 and Earlier is vulnerable to Authenticated Remote Code Execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php.2024-03-14not yet calculatedCVE-2024-25228
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
SQL Injection vulnerability in code-projects Agro-School Management System 1.0 allows attackers to run arbitrary code via the Login page.2024-03-13not yet calculatedCVE-2024-25250
cve@mitre.org
N/A -- N/A
 
SQL injection vulnerability in Employee Management System v.1.0 allows a local attacker to obtain sensitive information via a crafted payload to the txtemail parameter in the login.php.2024-03-12not yet calculatedCVE-2024-25325
cve@mitre.org
N/A -- N/A
 
DIR-822 Rev. B Firmware v2.02KRB09 and DIR-822-CA Rev. B Firmware v2.03WWb01 suffer from a LAN-Side Unauthenticated Remote Code Execution (RCE) vulnerability elevated from HNAP Stack-Based Buffer Overflow.2024-03-12not yet calculatedCVE-2024-25331
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
In Delinea PAM Secret Server 11.4, it is possible for an attacker (with Administrator access to the Secret Server machine) to read the following data from a memory dump: the decrypted master key, database credentials (when SQL Server Authentication is enabled), the encryption key of RabbitMQ queue messages, and session cookies.2024-03-14not yet calculatedCVE-2024-25649
cve@mitre.org
N/A -- N/A
 
Insecure key exchange between Delinea PAM Secret Server 11.4 and the Distributed Engine 8.4.3 allows a PAM administrator to obtain the Symmetric Key (used to encrypt RabbitMQ messages) via crafted payloads to the /pre-authenticate, /authenticate, and /execute-and-respond REST API endpoints. This makes it possible for a PAM administrator to impersonate the Engine and exfiltrate sensitive information from the messages published in the RabbitMQ exchanges, without being audited in the application.2024-03-14not yet calculatedCVE-2024-25650
cve@mitre.org
N/A -- N/A
 
User enumeration can occur in the Authentication REST API in Delinea PAM Secret Server 11.4. This allows a remote attacker to determine whether a user is valid because of a difference in responses from the /oauth2/token endpoint.2024-03-14not yet calculatedCVE-2024-25651
cve@mitre.org
N/A -- N/A
 
In Delinea PAM Secret Server 11.4, it is possible for a user (with access to the Report functionality) to gain unauthorized access to remote sessions created by legitimate users.2024-03-14not yet calculatedCVE-2024-25652
cve@mitre.org
N/A -- N/A
 
Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports via the Report functionality in the Web UI.2024-03-14not yet calculatedCVE-2024-25653
cve@mitre.org
N/A -- N/A
 
Cross Site Scripting (XSS) vulnerability in Sourcecodester Insurance Management System 1.0 allows attackers to run arbitrary code via the Subject and Description fields when submitting a support ticket.2024-03-11not yet calculatedCVE-2024-25854
cve@mitre.org
N/A -- N/A
 
A Cross Site Scripting vulnerability in Healthcare-Chatbot through 9b7058a can occur via a crafted payload to the email1 or pwd1 parameter in login.php.2024-03-15not yet calculatedCVE-2024-26454
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
An issue in radareorg radare2 v.0.9.7 through v.5.8.6 and fixed in v.5.8.8 allows a local attacker to cause a denial of service via the grub_sfs_read_extent function.2024-03-14not yet calculatedCVE-2024-26475
cve@mitre.org
N/A -- N/A
 
Unrestricted File Upload vulnerability in Greek Universities Network Open eClass v.3.15 and earlier allows attackers to run arbitrary code via upload of crafted file to certbadge.php endpoint.2024-03-14not yet calculatedCVE-2024-26503
cve@mitre.org
N/A -- N/A
 
HTML Injection vulnerability in CE Phoenix v1.0.8.20 and before allows a remote attacker to execute arbitrary code, escalate privileges, and obtain sensitive information via a crafted payload to the english.php component.2024-03-12not yet calculatedCVE-2024-26521
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
An issue in mz-automation libiec61850 v.1.5.3 and before, allows a remote attacker to cause a denial of service (DoS) via the mmsServer_handleDeleteNamedVariableListRequest function of src/mms/iso_mms/server/mms_named_variable_list_service.c.2024-03-13not yet calculatedCVE-2024-26529
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
A heap-based buffer overflow in Clmg before 3.3.3 can occur via a crafted file to cimg_library::CImg<unsigned char>::_load_analyze.2024-03-15not yet calculatedCVE-2024-26540
cve@mitre.org
N/A -- N/A
 
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.2024-03-15not yet calculatedCVE-2024-27351
cve@mitre.org
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do title parameter.2024-03-13not yet calculatedCVE-2024-27703
cve@mitre.org
N/A -- N/A
 
An issue in GLPI v.10.0.12 and before allows a remote attacker to execute arbitrary code, escalate privileges, and obtain sensitive information via a crafted script to the title field.2024-03-15not yet calculatedCVE-2024-27756
cve@mitre.org
N/A -- N/A
 
In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution.2024-03-12not yet calculatedCVE-2024-27758
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to access sensitive information and potentially conduct unauthorized actions within the vulnerable component.2024-03-16not yet calculatedCVE-2024-28069
cve@mitre.org
N/A -- N/A
 
A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient input validation. A successful exploit could allow an attacker to access sensitive information and gain unauthorized access.2024-03-16not yet calculatedCVE-2024-28070
cve@mitre.org
N/A -- N/A
 
gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain a out of boundary write vulnerability via swf_get_string at scene_manager/swf_parse.c:3252024-03-15not yet calculatedCVE-2024-28318
cve@mitre.org
N/A -- N/A
 
gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an out of boundary read vulnerability via gf_dash_setup_period media_tools/dash_client.c:63742024-03-15not yet calculatedCVE-2024-28319
cve@mitre.org
N/A -- N/A
 
The bwdates-report-result.php file in Phpgurukul User Registration & Login and User Management System 3.1 contains a potential security vulnerability related to user input validation. The script retrieves user-provided date inputs without proper validation, making it susceptible to SQL injection attacks.2024-03-14not yet calculatedCVE-2024-28323
cve@mitre.org
N/A -- N/A
 
A login bypass in TOTOLINK A8000RU V7.1cu.643_B20200521 allows attackers to login to Administrator accounts via providing a crafted session cookie.2024-03-12not yet calculatedCVE-2024-28338
cve@mitre.org
N/A -- N/A
 
An information leak in the debuginfo.htm component of Netgear CBR40 2.5.0.28, Netgear CBK40 2.5.0.28, and Netgear CBK43 2.5.0.28 allows attackers to obtain sensitive information without any authentication required.2024-03-12not yet calculatedCVE-2024-28339
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
An information leak in the currentsetting.htm component of Netgear CBR40 2.5.0.28, Netgear CBK40 2.5.0.28, and Netgear CBK43 2.5.0.28 allows attackers to obtain sensitive information without any authentication required.2024-03-12not yet calculatedCVE-2024-28340
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the post request parameters usapps.config.smb_admin_name in the apply.cgi interface, thereby gaining root shell privileges.2024-03-15not yet calculatedCVE-2024-28353
cve@mitre.org
N/A -- N/A
 
There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the post request parameters usapps.@smb[%d].username in the apply.cgi interface, thereby gaining root shell privileges.2024-03-15not yet calculatedCVE-2024-28354
cve@mitre.org
N/A -- N/A
 
Tenda AX12 v1.0 v22.03.01.16 was discovered to contain a stack overflow via the ssid parameter in the sub_431CF0 function.2024-03-14not yet calculatedCVE-2024-28383
cve@mitre.org
N/A -- N/A
 
SQL injection vulnerability in SunnyToo stproductcomments module for PrestaShop v.1.0.5 and before, allows a remote attacker to escalate privileges and obtain sensitive information via the StProductCommentClass::getListcomments method.2024-03-14not yet calculatedCVE-2024-28388
cve@mitre.org
N/A -- N/A
 
An issue in Advanced Plugins ultimateimagetool module for PrestaShop before v.2.2.01, allows a remote attacker to escalate privileges and obtain sensitive information via Improper Access Control.2024-03-14not yet calculatedCVE-2024-28390
cve@mitre.org
N/A -- N/A
 
SQL injection vulnerability in FME Modules quickproducttable module for PrestaShop v.1.2.1 and before, allows a remote attacker to escalate privileges and obtain information via the readCsv(), displayAjaxProductChangeAttr, displayAjaxProductAddToCart, getSearchProducts, and displayAjaxProductSku methods.2024-03-14not yet calculatedCVE-2024-28391
cve@mitre.org
N/A -- N/A
 
TOTOLINK X2000R before v1.0.0-B20231213.1013 contains a Store Cross-site scripting (XSS) vulnerability in Root Access Control under the Wireless Page.2024-03-15not yet calculatedCVE-2024-28401
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
TOTOLINK X2000R before V1.0.0-B20231213.1013 is vulnerable to Cross Site Scripting (XSS) via the VPN Page.2024-03-15not yet calculatedCVE-2024-28403
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
TOTOLINK X2000R before V1.0.0-B20231213.1013 contains a Stored Cross-site scripting (XSS) vulnerability in MAC Filtering under the Firewall Page.2024-03-15not yet calculatedCVE-2024-28404
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
Webedition CMS 9.2.2.0 has a Stored XSS vulnerability via /webEdition/we_cmd.php.2024-03-14not yet calculatedCVE-2024-28417
cve@mitre.org
N/A -- N/A
 
Webedition CMS 9.2.2.0 has a File upload vulnerability via /webEdition/we_cmd.php2024-03-14not yet calculatedCVE-2024-28418
cve@mitre.org
N/A -- N/A
 
Airflow-Diagrams v2.1.0 was discovered to contain an arbitrary file upload vulnerability in the unsafe_load function at cli.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted YML file.2024-03-14not yet calculatedCVE-2024-28423
cve@mitre.org
N/A -- N/A
 
zenml v0.55.4 was discovered to contain an arbitrary file upload vulnerability in the load function at /materializers/cloudpickle_materializer.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted file.2024-03-14not yet calculatedCVE-2024-28424
cve@mitre.org
N/A -- N/A
 
greykite v1.0.0 was discovered to contain an arbitrary file upload vulnerability in the load_obj function at /templates/pickle_utils.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted file.2024-03-14not yet calculatedCVE-2024-28425
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/archives_do.php2024-03-13not yet calculatedCVE-2024-28429
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/catalog_edit.php.2024-03-13not yet calculatedCVE-2024-28430
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/catalog_del.php.2024-03-13not yet calculatedCVE-2024-28431
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/article_edit.php.2024-03-13not yet calculatedCVE-2024-28432
cve@mitre.org
N/A -- N/A
 
Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the mitInterface parameter of fromAddressNat function.2024-03-12not yet calculatedCVE-2024-28535
cve@mitre.org
N/A -- N/A
 
Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the entrys parameter fromAddressNat function.2024-03-12not yet calculatedCVE-2024-28553
cve@mitre.org
N/A -- N/A
 
RiteCMS v3.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component main_menu/edit_section.2024-03-13not yet calculatedCVE-2024-28623
cve@mitre.org
N/A -- N/A
 
Buffer Overflow vulnerability in TOTOLink X5000R V9.1.0u.6118-B20201102 and A7000R V9.1.0u.6115-B20201022, allow remote attackers to execute arbitrary code and cause a denial of service (DoS) via the IP field.2024-03-16not yet calculatedCVE-2024-28639
cve@mitre.org
N/A -- N/A
 
Buffer Overflow vulnerability in TOTOLink X5000R V9.1.0u.6118-B20201102 and A7000R V9.1.0u.6115-B20201022 allows a remote attacker to cause a denial of service (D0S) via the command field.2024-03-16not yet calculatedCVE-2024-28640
cve@mitre.org
N/A -- N/A
 
A Cross Site Scripting vulnerability exists in Piwigo before 14.3.0 script because of missing sanitization in create_tag in admin/include/functions.php.2024-03-13not yet calculatedCVE-2024-28662
cve@mitre.org
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/article_add.php2024-03-13not yet calculatedCVE-2024-28665
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/media_add.php2024-03-13not yet calculatedCVE-2024-28666
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/templets_one_edit.php2024-03-13not yet calculatedCVE-2024-28667
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/mychannel_add.php2024-03-13not yet calculatedCVE-2024-28668
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/freelist_edit.php.2024-03-13not yet calculatedCVE-2024-28669
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/freelist_main.php.2024-03-13not yet calculatedCVE-2024-28670
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/stepselect_main.php.2024-03-13not yet calculatedCVE-2024-28671
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/media_edit.php.2024-03-13not yet calculatedCVE-2024-28672
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/mychannel_edit.php.2024-03-13not yet calculatedCVE-2024-28673
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/diy_edit.php2024-03-13not yet calculatedCVE-2024-28675
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a cross-site scripting (XSS) vulnerability via /dede/article_edit.php.2024-03-13not yet calculatedCVE-2024-28676
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/article_keywords_main.php.2024-03-13not yet calculatedCVE-2024-28677
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/article_description_main.php2024-03-13not yet calculatedCVE-2024-28678
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a cross-site scripting (XSS) vulnerability via Photo Collection.2024-03-13not yet calculatedCVE-2024-28679
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/diy_add.php.2024-03-13not yet calculatedCVE-2024-28680
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/plus_edit.php.2024-03-13not yet calculatedCVE-2024-28681
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/sys_cache_up.php.2024-03-13not yet calculatedCVE-2024-28682
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a cross-site scripting (XSS) vulnerability via create file.2024-03-13not yet calculatedCVE-2024-28683
cve@mitre.org
N/A -- N/A
 
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/module_main.php2024-03-13not yet calculatedCVE-2024-28684
cve@mitre.org
N/A -- N/A
 
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access.  Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability2024-03-14not yet calculatedCVE-2024-28746
security@apache.org
security@apache.org
N/A -- N/A
 
A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.2024-03-15not yet calculatedCVE-2024-28752
security@apache.org
N/A -- N/A
 
libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).2024-03-10not yet calculatedCVE-2024-28757
cve@mitre.org
cve@mitre.org
N/A -- N/A
 
Student Information Chatbot a0196ab allows SQL injection via the username to the login function in index.php.2024-03-11not yet calculatedCVE-2024-28816
cve@mitre.org
N/A -- N/A
 
Amazon AWS aws-js-s3-explorer (aka AWS JavaScript S3 Explorer) 1.0.0 allows XSS via a crafted S3 bucket name to index.html.2024-03-11not yet calculatedCVE-2024-28823
cve@mitre.org
cve@mitre.org
amd -- cpu
 
A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.2024-03-15not yet calculatedCVE-2024-2193
cret@cert.org
cret@cert.org
cret@cert.org
cret@cert.org
cret@cert.org
cret@cert.org
cret@cert.org
cret@cert.org
apache_software_foundation -- apache_doris
 
The authentication method in Apache Doris versions before 2.0.0 was vulnerable to timing attacks. Users are recommended to upgrade to version 2.0.0 + or 1.2.8, which fixes this issue.2024-03-12not yet calculatedCVE-2023-41313
security@apache.org
apache_software_foundation -- apache_tomcat
 
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.2024-03-13not yet calculatedCVE-2024-23672
security@apache.org
apache_software_foundation -- apache_tomcat
 
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.2024-03-13not yet calculatedCVE-2024-24549
security@apache.org
apache_software_foundation -- apache_zookeeper
 
Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.2024-03-15not yet calculatedCVE-2024-23944
security@apache.org
apple -- garageband
 
A use-after-free issue was addressed with improved memory management. This issue is fixed in GarageBand 10.4.11. Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution.2024-03-12not yet calculatedCVE-2024-23300
product-security@apple.com
product-security@apple.com
apple -- itunes_for_windows
 
A logic issue was addressed with improved checks. This issue is fixed in iTunes 12.13.1 for Windows. A local attacker may be able to elevate their privileges.2024-03-14not yet calculatedCVE-2023-42938
product-security@apple.com
product-security@apple.com
apple -- xcode
 
A logic issue was addressed with improved state management.2024-03-15not yet calculatedCVE-2024-23298
product-security@apple.com
devolutions -- remote_desktop_manager
 
Improper cleanup in temporary file handling component in Devolutions Remote Desktop Manager 2024.1.12 and earlier on Windows allows an attacker that compromised a user endpoint, under specific circumstances, to access sensitive information via residual files in the temporary directory.2024-03-13not yet calculatedCVE-2024-2403
security@devolutions.net
google -- android
 
In attp_build_value_cmd of att_protocol.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-0039
security@android.com
security@android.com
security@android.com
security@android.com
google -- android
 
In createSessionInternal of PackageInstallerService.java, there is a possible run-as any app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-0044
security@android.com
security@android.com
security@android.com
security@android.com
google -- android
 
In smp_proc_sec_req of smp_act.cc, there is a possible out of bounds read due to improper input validation. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-0045
security@android.com
security@android.com
google -- android
 
In installExistingPackageAsUser of InstallPackageHelper.java, there is a possible carrier restriction bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-0046
security@android.com
security@android.com
google -- android
 
In writeUserLP of UserManagerService.java, device policies are serialized with an incorrect tag due to a logic error in the code. This could lead to local denial of service when policies are deserialized on reboot with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-0047
security@android.com
security@android.com
security@android.com
security@android.com
google -- android
 
In Session of AccountManagerService.java, there is a possible method to retain foreground service privileges due to incorrect handling of null responses. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-0048
security@android.com
security@android.com
google -- android
 
In multiple locations, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-0049
security@android.com
security@android.com
google -- android
 
In getConfig of SoftVideoDecoderOMXComponent.cpp, there is a possible out of bounds write due to a missing validation check. This could lead to a local non-security issue with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-0050
security@android.com
security@android.com
google -- android
 
In onQueueFilled of SoftMPEG4.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-0051
security@android.com
security@android.com
google -- android
 
In multiple functions of healthconnect, there is a possible leakage of exercise route data due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-0052
security@android.com
security@android.com
google -- android
 
In getCustomPrinterIcon of PrintManagerService.java, there is a possible way to view other user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-0053
security@android.com
security@android.com
google -- android
 
there is a possible Authentication Bypass due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-22005
dsap-vuln-management@google.com
google -- android
 
OOB read in the TMU plugin that allows for memory disclosure in the power management subsystem of the device.2024-03-11not yet calculatedCVE-2024-22006
dsap-vuln-management@google.com
google -- android
 
In constraint_check of fvp.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-22007
dsap-vuln-management@google.com
google -- android
 
In config_gov_time_windows of tmu.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-22008
dsap-vuln-management@google.com
google -- android
 
In init_data of , there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-22009
dsap-vuln-management@google.com
google -- android
 
In dvfs_plugin_caller of fvp.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-22010
dsap-vuln-management@google.com
google -- android
 
In ss_ProcessRejectComponent of ss_MmConManagement.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-22011
dsap-vuln-management@google.com
google -- android
 
In access_secure_service_from_temp_bond of btm_sec.cc, there is a possible way to achieve keystroke injection due to improper input validation. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-23717
security@android.com
security@android.com
google -- android
 
In dumpBatteryDefend of dump_power.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-25984
dsap-vuln-management@google.com
google -- android
 
In bigo_unlocked_ioctl of bigo.c, there is a possible UAF due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-25985
dsap-vuln-management@google.com
google -- android
 
In ppmp_unprotect_buf of drm_fw.c, there is a possible compromise of protected memory due to a logic error in the code. This could lead to local escalation of privilege to TEE with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-25986
dsap-vuln-management@google.com
google -- android
 
In pt_sysctl_command of pt.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-25987
dsap-vuln-management@google.com
google -- android
 
In SAEMM_DiscloseGuti of SAEMM_RadioMessageCodec.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-25988
dsap-vuln-management@google.com
google -- android
 
In gpu_slc_liveness_update of pixel_gpu_slc.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-25989
dsap-vuln-management@google.com
google -- android
 
In pktproc_perftest_gen_rx_packet_sktbuf_mode of link_rx_pktproc.c, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-25990
dsap-vuln-management@google.com
google -- android
 
In acpm_tmu_ipc_handler of tmu_plugin.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-25991
dsap-vuln-management@google.com
google -- android
 
In tmu_tz_control of tmu.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-25992
dsap-vuln-management@google.com
google -- android
 
In tmu_reset_tmu_trip_counter of , there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-25993
dsap-vuln-management@google.com
google -- android
 
In tmu_set_gov_active of tmu.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27204
dsap-vuln-management@google.com
google -- android
 
there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27205
dsap-vuln-management@google.com
google -- android
 
there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27206
dsap-vuln-management@google.com
google -- android
 
Exported broadcast receivers allowing malicious apps to bypass broadcast protection.2024-03-11not yet calculatedCVE-2024-27207
dsap-vuln-management@google.com
google -- android
 
there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27208
dsap-vuln-management@google.com
google -- android
 
there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27209
dsap-vuln-management@google.com
google -- android
 
In policy_check of fvp.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27210
dsap-vuln-management@google.com
google -- android
 
In AtiHandleAPOMsgType of ati_Main.c, there is a possible OOB write due to a missing null check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27211
dsap-vuln-management@google.com
google -- android
 
In init_data of , there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27212
dsap-vuln-management@google.com
google -- android
 
In BroadcastSystemMessage of servicemgr.cpp, there is a possible Remote Code Execution due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27213
dsap-vuln-management@google.com
google -- android
 
In update_freq_data of , there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27218
dsap-vuln-management@google.com
google -- android
 
In tmu_set_pi of tmu.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27219
dsap-vuln-management@google.com
google -- android
 
In lpm_req_handler of , there is a possible out of bounds memory access due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27220
dsap-vuln-management@google.com
google -- android
 
In update_policy_data of , there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27221
dsap-vuln-management@google.com
google -- android
 
In onSkipButtonClick of FaceEnrollFoldPage.java, there is a possible way to access the file the app cannot access due to Intent Redirect GRANT_URI_PERMISSIONS Attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27222
dsap-vuln-management@google.com
google -- android
 
In EUTRAN_LCS_DecodeFacilityInformationElement of LPP_LcsManagement.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure after authenticating the cell connection with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27223
dsap-vuln-management@google.com
google -- android
 
In strncpy of strncpy.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27224
dsap-vuln-management@google.com
google -- android
 
In sendHciCommand of bluetooth_hci.cc, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27225
dsap-vuln-management@google.com
google -- android
 
In tmu_config_gov_params of , there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27226
dsap-vuln-management@google.com
google -- android
 
A malicious DNS response can trigger a number of OOB reads, writes, and other memory issues2024-03-11not yet calculatedCVE-2024-27227
dsap-vuln-management@google.com
google -- android
 
there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27228
dsap-vuln-management@google.com
google -- android
 
In ss_SendCallBarringPwdRequiredIndMsg of ss_CallBarring.c, there is a possible null pointer deref due to a missing null check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27229
dsap-vuln-management@google.com
google -- android
 
In ProtocolPsKeepAliveStatusAdapter::getCode() of protocolpsadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27230
dsap-vuln-management@google.com
google -- android
 
In ppcfw_init_secpolicy of ppcfw.c, there is a possible permission bypass due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27233
dsap-vuln-management@google.com
google -- android
 
In fvp_set_target of fvp.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27234
dsap-vuln-management@google.com
google -- android
 
In plugin_extern_func of , there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27235
dsap-vuln-management@google.com
google -- android
 
In aoc_unlocked_ioctl of aoc.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27236
dsap-vuln-management@google.com
google -- android
 
In wipe_ns_memory of nsmemwipe.c, there is a possible incorrect size calculation due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.2024-03-11not yet calculatedCVE-2024-27237
dsap-vuln-management@google.com
google -- chrome
 
Use after free in Performance Manager in Google Chrome prior to 122.0.6261.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)2024-03-13not yet calculatedCVE-2024-2400
chrome-cve-admin@google.com
chrome-cve-admin@google.com
chrome-cve-admin@google.com
chrome-cve-admin@google.com
hp_inc. -- hp_pc_bios
 
A potential security vulnerability has been reported in the system BIOS of certain HP PC products, which might allow memory tampering. HP is releasing mitigation for the potential vulnerability.2024-03-12not yet calculatedCVE-2023-5410
hp-security-alert@hp.com
implem_inc. -- pleasanter_
 
Pleasanter 1.3.49.0 and earlier contains a cross-site scripting vulnerability. If an attacker tricks the user to access the product with a specially crafted URL and perform a specific operation, an arbitrary script may be executed on the web browser of the user.2024-03-12not yet calculatedCVE-2024-21584
vultures@jpcert.or.jp
vultures@jpcert.or.jp
linux -- linux

 

In the Linux kernel, the following vulnerability has been resolved: btrfs: scrub: avoid use-after-free when chunk length is not 64K aligned [BUG] There is a bug report that, on a ext4-converted btrfs, scrub leads to various problems, including: - "unable to find chunk map" errors BTRFS info (device vdb): scrub: started on devid 1 BTRFS critical (device vdb): unable to find chunk map for logical 2214744064 length 4096 BTRFS critical (device vdb): unable to find chunk map for logical 2214744064 length 45056 This would lead to unrepariable errors. - Use-after-free KASAN reports: ================================================================== BUG: KASAN: slab-use-after-free in __blk_rq_map_sg+0x18f/0x7c0 Read of size 8 at addr ffff8881013c9040 by task btrfs/909 CPU: 0 PID: 909 Comm: btrfs Not tainted 6.7.0-x64v3-dbg #11 c50636e9419a8354555555245df535e380563b2b Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 2023.11-2 12/24/2023 Call Trace: <TASK> dump_stack_lvl+0x43/0x60 print_report+0xcf/0x640 kasan_report+0xa6/0xd0 __blk_rq_map_sg+0x18f/0x7c0 virtblk_prep_rq.isra.0+0x215/0x6a0 [virtio_blk 19a65eeee9ae6fcf02edfad39bb9ddee07dcdaff] virtio_queue_rqs+0xc4/0x310 [virtio_blk 19a65eeee9ae6fcf02edfad39bb9ddee07dcdaff] blk_mq_flush_plug_list.part.0+0x780/0x860 __blk_flush_plug+0x1ba/0x220 blk_finish_plug+0x3b/0x60 submit_initial_group_read+0x10a/0x290 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] flush_scrub_stripes+0x38e/0x430 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] scrub_stripe+0x82a/0xae0 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] scrub_chunk+0x178/0x200 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] scrub_enumerate_chunks+0x4bc/0xa30 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] btrfs_scrub_dev+0x398/0x810 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] btrfs_ioctl+0x4b9/0x3020 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] __x64_sys_ioctl+0xbd/0x100 do_syscall_64+0x5d/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7f47e5e0952b - Crash, mostly due to above use-after-free [CAUSE] The converted fs has the following data chunk layout: item 2 key (FIRST_CHUNK_TREE CHUNK_ITEM 2214658048) itemoff 16025 itemsize 80 length 86016 owner 2 stripe_len 65536 type DATA|single For above logical bytenr 2214744064, it's at the chunk end (2214658048 + 86016 = 2214744064). This means btrfs_submit_bio() would split the bio, and trigger endio function for both of the two halves. However scrub_submit_initial_read() would only expect the endio function to be called once, not any more. This means the first endio function would already free the bbio::bio, leaving the bvec freed, thus the 2nd endio call would lead to use-after-free. [FIX] - Make sure scrub_read_endio() only updates bits in its range Since we may read less than 64K at the end of the chunk, we should not touch the bits beyond chunk boundary. - Make sure scrub_submit_initial_read() only to read the chunk range This is done by calculating the real number of sectors we need to read, and add sector-by-sector to the bio. Thankfully the scrub read repair path won't need extra fixes: - scrub_stripe_submit_repair_read() With above fixes, we won't update error bit for range beyond chunk, thus scrub_stripe_submit_repair_read() should never submit any read beyond the chunk.2024-03-11not yet calculatedCVE-2024-26616
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: neighbour: allow NUD_NOARP entries to be forced GCed IFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. It's possible to fill up the neighbour table with enough entries that it will overflow for valid connections after that. This behaviour is more prevalent after commit 58956317c8de ("neighbor: Improve garbage collection") is applied, as it prevents removal from entries that are not NUD_FAILED, unless they are more than 5s old.2024-03-15not yet calculatedCVE-2021-47109
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Disable kvmclock on all CPUs on shutdown Currenly, we disable kvmclock from machine_shutdown() hook and this only happens for boot CPU. We need to disable it for all CPUs to guard against memory corruption e.g. on restore from hibernate. Note, writing '0' to kvmclock MSR doesn't clear memory location, it just prevents hypervisor from updating the location so for the short while after write and while CPU is still alive, the clock remains usable and correct so we don't need to switch to some other clocksource.2024-03-15not yet calculatedCVE-2021-47110
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: xen-netback: take a reference to the RX task thread Do this in order to prevent the task from being freed if the thread returns (which can be triggered by the frontend) before the call to kthread_stop done as part of the backend tear down. Not taking the reference will lead to a use-after-free in that scenario. Such reference was taken before but dropped as part of the rework done in 2ac061ce97f4. Reintroduce the reference taking and add a comment this time explaining why it's needed. This is XSA-374 / CVE-2021-28691.2024-03-15not yet calculatedCVE-2021-47111
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Teardown PV features on boot CPU as well Various PV features (Async PF, PV EOI, steal time) work through memory shared with hypervisor and when we restore from hibernation we must properly teardown all these features to make sure hypervisor doesn't write to stale locations after we jump to the previously hibernated kernel (which can try to place anything there). For secondary CPUs the job is already done by kvm_cpu_down_prepare(), register syscore ops to do the same for boot CPU.2024-03-15not yet calculatedCVE-2021-47112
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: btrfs: abort in rename_exchange if we fail to insert the second ref Error injection stress uncovered a problem where we'd leave a dangling inode ref if we failed during a rename_exchange. This happens because we insert the inode ref for one side of the rename, and then for the other side. If this second inode ref insert fails we'll leave the first one dangling and leave a corrupt file system behind. Fix this by aborting if we did the insert for the first inode ref.2024-03-15not yet calculatedCVE-2021-47113
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix data corruption by fallocate When fallocate punches holes out of inode size, if original isize is in the middle of last cluster, then the part from isize to the end of the cluster will be zeroed with buffer write, at that time isize is not yet updated to match the new size, if writeback is kicked in, it will invoke ocfs2_writepage()->block_write_full_page() where the pages out of inode size will be dropped. That will cause file corruption. Fix this by zero out eof blocks when extending the inode size. Running the following command with qemu-image 4.2.1 can get a corrupted coverted image file easily. qemu-img convert -p -t none -T none -f qcow2 $qcow_image \ -O qcow2 -o compat=1.1 $qcow_image.conv The usage of fallocate in qemu is like this, it first punches holes out of inode size, then extend the inode size. fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0 fallocate(11, 0, 2276196352, 65536) = 0 v1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html v2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/2024-03-15not yet calculatedCVE-2021-47114
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_mb_init_backend on error path. Fix a memory leak discovered by syzbot when a file system is corrupted with an illegally large s_log_groups_per_flex.2024-03-15not yet calculatedCVE-2021-47116
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed We got follow bug_on when run fsstress with injecting IO fault: [130747.323114] kernel BUG at fs/ext4/extents_status.c:762! [130747.323117] Internal error: Oops - BUG: 0 [#1] SMP ...... [130747.334329] Call trace: [130747.334553] ext4_es_cache_extent+0x150/0x168 [ext4] [130747.334975] ext4_cache_extents+0x64/0xe8 [ext4] [130747.335368] ext4_find_extent+0x300/0x330 [ext4] [130747.335759] ext4_ext_map_blocks+0x74/0x1178 [ext4] [130747.336179] ext4_map_blocks+0x2f4/0x5f0 [ext4] [130747.336567] ext4_mpage_readpages+0x4a8/0x7a8 [ext4] [130747.336995] ext4_readpage+0x54/0x100 [ext4] [130747.337359] generic_file_buffered_read+0x410/0xae8 [130747.337767] generic_file_read_iter+0x114/0x190 [130747.338152] ext4_file_read_iter+0x5c/0x140 [ext4] [130747.338556] __vfs_read+0x11c/0x188 [130747.338851] vfs_read+0x94/0x150 [130747.339110] ksys_read+0x74/0xf0 This patch's modification is according to Jan Kara's suggestion in: https://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/ "I see. Now I understand your patch. Honestly, seeing how fragile is trying to fix extent tree after split has failed in the middle, I would probably go even further and make sure we fix the tree properly in case of ENOSPC and EDQUOT (those are easily user triggerable). Anything else indicates a HW problem or fs corruption so I'd rather leave the extent tree as is and don't try to fix it (which also means we will not create overlapping extents)."2024-03-15not yet calculatedCVE-2021-47117
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: pid: take a reference when initializing `cad_pid` During boot, kernel_init_freeable() initializes `cad_pid` to the init task's struct pid. Later on, we may change `cad_pid` via a sysctl, and when this happens proc_do_cad_pid() will increment the refcount on the new pid via get_pid(), and will decrement the refcount on the old pid via put_pid(). As we never called get_pid() when we initialized `cad_pid`, we decrement a reference we never incremented, can therefore free the init task's struct pid early. As there can be dangling references to the struct pid, we can later encounter a use-after-free (e.g. when delivering signals). This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to have been around since the conversion of `cad_pid` to struct pid in commit 9ec52099e4b8 ("[PATCH] replace cad_pid by a struct pid") from the pre-KASAN stone age of v2.6.19. Fix this by getting a reference to the init task's struct pid when we assign it to `cad_pid`. Full KASAN splat below. ================================================================== BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline] BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273 CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1 Hardware name: linux,dummy-virt (DT) Call trace: ns_of_pid include/linux/pid.h:153 [inline] task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 do_notify_parent+0x308/0xe60 kernel/signal.c:1950 exit_notify kernel/exit.c:682 [inline] do_exit+0x2334/0x2bd0 kernel/exit.c:845 do_group_exit+0x108/0x2c8 kernel/exit.c:922 get_signal+0x4e4/0x2a88 kernel/signal.c:2781 do_signal arch/arm64/kernel/signal.c:882 [inline] do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936 work_pending+0xc/0x2dc Allocated by task 0: slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516 slab_alloc_node mm/slub.c:2907 [inline] slab_alloc mm/slub.c:2915 [inline] kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920 alloc_pid+0xdc/0xc00 kernel/pid.c:180 copy_process+0x2794/0x5e18 kernel/fork.c:2129 kernel_clone+0x194/0x13c8 kernel/fork.c:2500 kernel_thread+0xd4/0x110 kernel/fork.c:2552 rest_init+0x44/0x4a0 init/main.c:687 arch_call_rest_init+0x1c/0x28 start_kernel+0x520/0x554 init/main.c:1064 0x0 Freed by task 270: slab_free_hook mm/slub.c:1562 [inline] slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600 slab_free mm/slub.c:3161 [inline] kmem_cache_free+0x224/0x8e0 mm/slub.c:3177 put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114 put_pid+0x30/0x48 kernel/pid.c:109 proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401 proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591 proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617 call_write_iter include/linux/fs.h:1977 [inline] new_sync_write+0x3ac/0x510 fs/read_write.c:518 vfs_write fs/read_write.c:605 [inline] vfs_write+0x9c4/0x1018 fs/read_write.c:585 ksys_write+0x124/0x240 fs/read_write.c:658 __do_sys_write fs/read_write.c:670 [inline] __se_sys_write fs/read_write.c:667 [inline] __arm64_sys_write+0x78/0xb0 fs/read_write.c:667 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129 do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168 el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416 el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432 el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701 The buggy address belongs to the object at ffff23794dda0000 which belongs to the cache pid of size 224 The buggy address is located 4 bytes inside of 224-byte region [ff ---truncated---2024-03-15not yet calculatedCVE-2021-47118
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_fill_super Buffer head references must be released before calling kill_bdev(); otherwise the buffer head (and its page referenced by b_data) will not be freed by kill_bdev, and subsequently that bh will be leaked. If blocksizes differ, sb_set_blocksize() will kill current buffers and page cache by using kill_bdev(). And then super block will be reread again but using correct blocksize this time. sb_set_blocksize() didn't fully free superblock page and buffer head, and being busy, they were not freed and instead leaked. This can easily be reproduced by calling an infinite loop of: systemctl start <ext4_on_lvm>.mount, and systemctl stop <ext4_on_lvm>.mount ... since systemd creates a cgroup for each slice which it mounts, and the bh leak get amplified by a dying memory cgroup that also never gets freed, and memory consumption is much more easily noticed.2024-03-15not yet calculatedCVE-2021-47119
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: HID: magicmouse: fix NULL-deref on disconnect Commit 9d7b18668956 ("HID: magicmouse: add support for Apple Magic Trackpad 2") added a sanity check for an Apple trackpad but returned success instead of -ENODEV when the check failed. This means that the remove callback will dereference the never-initialised driver data pointer when the driver is later unbound (e.g. on USB disconnect).2024-03-15not yet calculatedCVE-2021-47120
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: net: caif: fix memory leak in cfusbl_device_notify In case of caif_enroll_dev() fail, allocated link_support won't be assigned to the corresponding structure. So simply free allocated pointer in case of error.2024-03-15not yet calculatedCVE-2021-47121
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: net: caif: fix memory leak in caif_device_notify In case of caif_enroll_dev() fail, allocated link_support won't be assigned to the corresponding structure. So simply free allocated pointer in case of error2024-03-15not yet calculatedCVE-2021-47122
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix ltout double free on completion race Always remove linked timeout on io_link_timeout_fn() from the master request link list, otherwise we may get use-after-free when first io_link_timeout_fn() puts linked timeout in the fail path, and then will be found and put on master's free.2024-03-15not yet calculatedCVE-2021-47123
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix link timeout refs WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28 RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] io_put_req fs/io_uring.c:2140 [inline] io_queue_linked_timeout fs/io_uring.c:6300 [inline] __io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354 io_submit_sqe fs/io_uring.c:6534 [inline] io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660 __do_sys_io_uring_enter fs/io_uring.c:9240 [inline] __se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182 io_link_timeout_fn() should put only one reference of the linked timeout request, however in case of racing with the master request's completion first io_req_complete() puts one and then io_put_req_deferred() is called.2024-03-15not yet calculatedCVE-2021-47124
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: sch_htb: fix refcount leak in htb_parent_to_leaf_offload The commit ae81feb7338c ("sch_htb: fix null pointer dereference on a null new_q") fixes a NULL pointer dereference bug, but it is not correct. Because htb_graft_helper properly handles the case when new_q is NULL, and after the previous patch by skipping this call which creates an inconsistency : dev_queue->qdisc will still point to the old qdisc, but cl->parent->leaf.q will point to the new one (which will be noop_qdisc, because new_q was NULL). The code is based on an assumption that these two pointers are the same, so it can lead to refcount leaks. The correct fix is to add a NULL pointer check to protect qdisc_refcount_inc inside htb_parent_to_leaf_offload.2024-03-15not yet calculatedCVE-2021-47125
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions Reported by syzbot: HEAD commit: 90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm.. git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master dashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7 compiler: Debian clang version 11.0.1-2 ================================================================== BUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline] BUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732 Read of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760 CPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x202/0x31e lib/dump_stack.c:120 print_address_description+0x5f/0x3b0 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report+0x15c/0x200 mm/kasan/report.c:416 fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline] fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732 fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536 fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174 rcu_do_batch kernel/rcu/tree.c:2559 [inline] rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794 __do_softirq+0x372/0x7a6 kernel/softirq.c:345 invoke_softirq kernel/softirq.c:221 [inline] __irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422 irq_exit_rcu+0x5/0x20 kernel/softirq.c:434 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100 </IRQ> asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632 RIP: 0010:lock_acquire+0x1f6/0x720 kernel/locking/lockdep.c:5515 Code: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d RSP: 0018:ffffc90009e06560 EFLAGS: 00000206 RAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1 R10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4 rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267 rcu_read_lock include/linux/rcupdate.h:656 [inline] ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231 ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212 ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379 ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982 ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238 ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638 ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848 ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900 ext4_append+0x1a4/0x360 fs/ext4/namei.c:67 ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768 ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814 vfs_mkdir+0x45b/0x640 fs/namei.c:3819 ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline] ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146 ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193 ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788 ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355 ovl_get_workdir fs/overlayfs/super.c:1492 [inline] ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035 mount_nodev+0x52/0xe0 fs/super.c:1413 legacy_get_tree+0xea/0x180 fs/fs_context.c:592 vfs_get_tree+0x86/0x270 fs/super.c:1497 do_new_mount fs/namespace.c:2903 [inline] path_mount+0x196f/0x2be0 fs/namespace.c:3233 do_mount fs/namespace.c:3246 [inline] __do_sys_mount fs/namespace.c:3454 [inline] __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4665f9 Code: ff ff c3 66 2e 0f 1f 84 ---truncated---2024-03-15not yet calculatedCVE-2021-47126
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: ice: track AF_XDP ZC enabled queues in bitmap Commit c7a219048e45 ("ice: Remove xsk_buff_pool from VSI structure") silently introduced a regression and broke the Tx side of AF_XDP in copy mode. xsk_pool on ice_ring is set only based on the existence of the XDP prog on the VSI which in turn picks ice_clean_tx_irq_zc to be executed. That is not something that should happen for copy mode as it should use the regular data path ice_clean_tx_irq. This results in a following splat when xdpsock is run in txonly or l2fwd scenarios in copy mode: <snip> [ 106.050195] BUG: kernel NULL pointer dereference, address: 0000000000000030 [ 106.057269] #PF: supervisor read access in kernel mode [ 106.062493] #PF: error_code(0x0000) - not-present page [ 106.067709] PGD 0 P4D 0 [ 106.070293] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 106.074721] CPU: 61 PID: 0 Comm: swapper/61 Not tainted 5.12.0-rc2+ #45 [ 106.081436] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [ 106.092027] RIP: 0010:xp_raw_get_dma+0x36/0x50 [ 106.096551] Code: 74 14 48 b8 ff ff ff ff ff ff 00 00 48 21 f0 48 c1 ee 30 48 01 c6 48 8b 87 90 00 00 00 48 89 f2 81 e6 ff 0f 00 00 48 c1 ea 0c <48> 8b 04 d0 48 83 e0 fe 48 01 f0 c3 66 66 2e 0f 1f 84 00 00 00 00 [ 106.115588] RSP: 0018:ffffc9000d694e50 EFLAGS: 00010206 [ 106.120893] RAX: 0000000000000000 RBX: ffff88984b8c8a00 RCX: ffff889852581800 [ 106.128137] RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff88984cd8b800 [ 106.135383] RBP: ffff888123b50001 R08: ffff889896800000 R09: 0000000000000800 [ 106.142628] R10: 0000000000000000 R11: ffffffff826060c0 R12: 00000000000000ff [ 106.149872] R13: 0000000000000000 R14: 0000000000000040 R15: ffff888123b50018 [ 106.157117] FS: 0000000000000000(0000) GS:ffff8897e0f40000(0000) knlGS:0000000000000000 [ 106.165332] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 106.171163] CR2: 0000000000000030 CR3: 000000000560a004 CR4: 00000000007706e0 [ 106.178408] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 106.185653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 106.192898] PKRU: 55555554 [ 106.195653] Call Trace: [ 106.198143] <IRQ> [ 106.200196] ice_clean_tx_irq_zc+0x183/0x2a0 [ice] [ 106.205087] ice_napi_poll+0x3e/0x590 [ice] [ 106.209356] __napi_poll+0x2a/0x160 [ 106.212911] net_rx_action+0xd6/0x200 [ 106.216634] __do_softirq+0xbf/0x29b [ 106.220274] irq_exit_rcu+0x88/0xc0 [ 106.223819] common_interrupt+0x7b/0xa0 [ 106.227719] </IRQ> [ 106.229857] asm_common_interrupt+0x1e/0x40 </snip> Fix this by introducing the bitmap of queues that are zero-copy enabled, where each bit, corresponding to a queue id that xsk pool is being configured on, will be set/cleared within ice_xsk_pool_{en,dis}able and checked within ice_xsk_pool(). The latter is a function used for deciding which napi poll routine is executed. Idea is being taken from our other drivers such as i40e and ixgbe.2024-03-15not yet calculatedCVE-2021-47127
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks Commit 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") added an implementation of the locked_down LSM hook to SELinux, with the aim to restrict which domains are allowed to perform operations that would breach lockdown. This is indirectly also getting audit subsystem involved to report events. The latter is problematic, as reported by Ondrej and Serhei, since it can bring down the whole system via audit: 1) The audit events that are triggered due to calls to security_locked_down() can OOM kill a machine, see below details [0]. 2) It also seems to be causing a deadlock via avc_has_perm()/slow_avc_audit() when trying to wake up kauditd, for example, when using trace_sched_switch() tracepoint, see details in [1]. Triggering this was not via some hypothetical corner case, but with existing tools like runqlat & runqslower from bcc, for example, which make use of this tracepoint. Rough call sequence goes like: rq_lock(rq) -> -------------------------+ trace_sched_switch() -> | bpf_prog_xyz() -> +-> deadlock selinux_lockdown() -> | audit_log_end() -> | wake_up_interruptible() -> | try_to_wake_up() -> | rq_lock(rq) --------------+ What's worse is that the intention of 59438b46471a to further restrict lockdown settings for specific applications in respect to the global lockdown policy is completely broken for BPF. The SELinux policy rule for the current lockdown check looks something like this: allow <who> <who> : lockdown { <reason> }; However, this doesn't match with the 'current' task where the security_locked_down() is executed, example: httpd does a syscall. There is a tracing program attached to the syscall which triggers a BPF program to run, which ends up doing a bpf_probe_read_kernel{,_str}() helper call. The selinux_lockdown() hook does the permission check against 'current', that is, httpd in this example. httpd has literally zero relation to this tracing program, and it would be nonsensical having to write an SELinux policy rule against httpd to let the tracing helper pass. The policy in this case needs to be against the entity that is installing the BPF program. For example, if bpftrace would generate a histogram of syscall counts by user space application: bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }' bpftrace would then go and generate a BPF program from this internally. One way of doing it [for the sake of the example] could be to call bpf_get_current_task() helper and then access current->comm via one of bpf_probe_read_kernel{,_str}() helpers. So the program itself has nothing to do with httpd or any other random app doing a syscall here. The BPF program _explicitly initiated_ the lockdown check. The allow/deny policy belongs in the context of bpftrace: meaning, you want to grant bpftrace access to use these helpers, but other tracers on the system like my_random_tracer _not_. Therefore fix all three issues at the same time by taking a completely different approach for the security_locked_down() hook, that is, move the check into the program verification phase where we actually retrieve the BPF func proto. This also reliably gets the task (current) that is trying to install the BPF tracing program, e.g. bpftrace/bcc/perf/systemtap/etc, and it also fixes the OOM since we're moving this out of the BPF helper's fast-path which can be called several millions of times per second. The check is then also in line with other security_locked_down() hooks in the system where the enforcement is performed at open/load time, for example, open_kcore() for /proc/kcore access or module_sig_check() for module signatures just to pick f ---truncated---2024-03-15not yet calculatedCVE-2021-47128
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: skip expectations for confirmed conntrack nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed conntrack entry. However, nf_ct_ext_add() can only be called for !nf_ct_is_confirmed(). [ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack] [ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack] [ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00 [ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202 [ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887 [ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440 [ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447 [ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440 [ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20 [ 1825.352240] FS: 00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000 [ 1825.352343] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0 [ 1825.352508] Call Trace: [ 1825.352544] nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack] [ 1825.352641] nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct] [ 1825.352716] nft_do_chain+0x232/0x850 [nf_tables] Add the ct helper extension only for unconfirmed conntrack. Skip rule evaluation if the ct helper extension does not exist. Thus, you can only create expectations from the first packet. It should be possible to remove this limitation by adding a new action to attach a generic ct helper to the first packet. Then, use this ct helper extension from follow up packets to create the ct expectation. While at it, add a missing check to skip the template conntrack too and remove check for IPCT_UNTRACK which is implicit to !ct.2024-03-15not yet calculatedCVE-2021-47129
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: nvmet: fix freeing unallocated p2pmem In case p2p device was found but the p2p pool is empty, the nvme target is still trying to free the sgl from the p2p pool instead of the regular sgl pool and causing a crash (BUG() is called). Instead, assign the p2p_dev for the request only if it was allocated from p2p pool. This is the crash that was caused: [Sun May 30 19:13:53 2021] ------------[ cut here ]------------ [Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518! [Sun May 30 19:13:53 2021] invalid opcode: 0000 [#1] SMP PTI ... [Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518! ... [Sun May 30 19:13:53 2021] RIP: 0010:gen_pool_free_owner+0xa8/0xb0 ... [Sun May 30 19:13:53 2021] Call Trace: [Sun May 30 19:13:53 2021] ------------[ cut here ]------------ [Sun May 30 19:13:53 2021] pci_free_p2pmem+0x2b/0x70 [Sun May 30 19:13:53 2021] pci_p2pmem_free_sgl+0x4f/0x80 [Sun May 30 19:13:53 2021] nvmet_req_free_sgls+0x1e/0x80 [nvmet] [Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518! [Sun May 30 19:13:53 2021] nvmet_rdma_release_rsp+0x4e/0x1f0 [nvmet_rdma] [Sun May 30 19:13:53 2021] nvmet_rdma_send_done+0x1c/0x60 [nvmet_rdma]2024-03-15not yet calculatedCVE-2021-47130
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: net/tls: Fix use-after-free after the TLS device goes down and up When a netdev with active TLS offload goes down, tls_device_down is called to stop the offload and tear down the TLS context. However, the socket stays alive, and it still points to the TLS context, which is now deallocated. If a netdev goes up, while the connection is still active, and the data flow resumes after a number of TCP retransmissions, it will lead to a use-after-free of the TLS context. This commit addresses this bug by keeping the context alive until its normal destruction, and implements the necessary fallbacks, so that the connection can resume in software (non-offloaded) kTLS mode. On the TX side tls_sw_fallback is used to encrypt all packets. The RX side already has all the necessary fallbacks, because receiving non-decrypted packets is supported. The thing needed on the RX side is to block resync requests, which are normally produced after receiving non-decrypted packets. The necessary synchronization is implemented for a graceful teardown: first the fallbacks are deployed, then the driver resources are released (it used to be possible to have a tls_dev_resync after tls_dev_del). A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback mode. It's used to skip the RX resync logic completely, as it becomes useless, and some objects may be released (for example, resync_async, which is allocated and freed by the driver).2024-03-15not yet calculatedCVE-2021-47131
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix sk_forward_memory corruption on retransmission MPTCP sk_forward_memory handling is a bit special, as such field is protected by the msk socket spin_lock, instead of the plain socket lock. Currently we have a code path updating such field without handling the relevant lock: __mptcp_retrans() -> __mptcp_clean_una_wakeup() Several helpers in __mptcp_clean_una_wakeup() will update sk_forward_alloc, possibly causing such field corruption, as reported by Matthieu. Address the issue providing and using a new variant of blamed function which explicitly acquires the msk spin lock.2024-03-15not yet calculatedCVE-2021-47132
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: efi/fdt: fix panic when no valid fdt found setup_arch() would invoke efi_init()->efi_get_fdt_params(). If no valid fdt found then initial_boot_params will be null. So we should stop further fdt processing here. I encountered this issue on risc-v.2024-03-15not yet calculatedCVE-2021-47134
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: fix possible AOOB issue in mt7921_mcu_tx_rate_report Fix possible array out of bound access in mt7921_mcu_tx_rate_report. Remove unnecessary varibable in mt7921_mcu_tx_rate_report2024-03-15not yet calculatedCVE-2021-47135
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: drm: Don't unref the same fb many times by mistake due to deadlock handling If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl() we proceed to unref the fb and then retry the whole thing from the top. But we forget to reset the fb pointer back to NULL, and so if we then get another error during the retry, before the fb lookup, we proceed the unref the same fb again without having gotten another reference. The end result is that the fb will (eventually) end up being freed while it's still in use. Reset fb to NULL once we've unreffed it to avoid doing it again until we've done another fb lookup. This turned out to be pretty easy to hit on a DG2 when doing async flips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I saw that drm_closefb() simply got stuck in a busy loop while walking the framebuffer list. Fortunately I was able to convince it to oops instead, and from there it was easier to track down the culprit.2024-03-11not yet calculatedCVE-2023-52486
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix peer flow lists handling The cited change refactored mlx5e_tc_del_fdb_peer_flow() to only clear DUP flag when list of peer flows has become empty. However, if any concurrent user holds a reference to a peer flow (for example, the neighbor update workqueue task is updating peer flow's parent encap entry concurrently), then the flow will not be removed from the peer list and, consecutively, DUP flag will remain set. Since mlx5e_tc_del_fdb_peers_flow() calls mlx5e_tc_del_fdb_peer_flow() for every possible peer index the algorithm will try to remove the flow from eswitch instances that it has never peered with causing either NULL pointer dereference when trying to remove the flow peer list head of peer_index that was never initialized or a warning if the list debug config is enabled[0]. Fix the issue by always removing the peer flow from the list even when not releasing the last reference to it. [0]: [ 3102.985806] ------------[ cut here ]------------ [ 3102.986223] list_del corruption, ffff888139110698->next is NULL [ 3102.986757] WARNING: CPU: 2 PID: 22109 at lib/list_debug.c:53 __list_del_entry_valid_or_report+0x4f/0xc0 [ 3102.987561] Modules linked in: act_ct nf_flow_table bonding act_tunnel_key act_mirred act_skbedit vxlan cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa openvswitch nsh xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcg ss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core [last unloaded: bonding] [ 3102.991113] CPU: 2 PID: 22109 Comm: revalidator28 Not tainted 6.6.0-rc6+ #3 [ 3102.991695] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 3102.992605] RIP: 0010:__list_del_entry_valid_or_report+0x4f/0xc0 [ 3102.993122] Code: 39 c2 74 56 48 8b 32 48 39 fe 75 62 48 8b 51 08 48 39 f2 75 73 b8 01 00 00 00 c3 48 89 fe 48 c7 c7 48 fd 0a 82 e8 41 0b ad ff <0f> 0b 31 c0 c3 48 89 fe 48 c7 c7 70 fd 0a 82 e8 2d 0b ad ff 0f 0b [ 3102.994615] RSP: 0018:ffff8881383e7710 EFLAGS: 00010286 [ 3102.995078] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 [ 3102.995670] RDX: 0000000000000001 RSI: ffff88885f89b640 RDI: ffff88885f89b640 [ 3102.997188] DEL flow 00000000be367878 on port 0 [ 3102.998594] RBP: dead000000000122 R08: 0000000000000000 R09: c0000000ffffdfff [ 3102.999604] R10: 0000000000000008 R11: ffff8881383e7598 R12: dead000000000100 [ 3103.000198] R13: 0000000000000002 R14: ffff888139110000 R15: ffff888101901240 [ 3103.000790] FS: 00007f424cde4700(0000) GS:ffff88885f880000(0000) knlGS:0000000000000000 [ 3103.001486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3103.001986] CR2: 00007fd42e8dcb70 CR3: 000000011e68a003 CR4: 0000000000370ea0 [ 3103.002596] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3103.003190] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 3103.003787] Call Trace: [ 3103.004055] <TASK> [ 3103.004297] ? __warn+0x7d/0x130 [ 3103.004623] ? __list_del_entry_valid_or_report+0x4f/0xc0 [ 3103.005094] ? report_bug+0xf1/0x1c0 [ 3103.005439] ? console_unlock+0x4a/0xd0 [ 3103.005806] ? handle_bug+0x3f/0x70 [ 3103.006149] ? exc_invalid_op+0x13/0x60 [ 3103.006531] ? asm_exc_invalid_op+0x16/0x20 [ 3103.007430] ? __list_del_entry_valid_or_report+0x4f/0xc0 [ 3103.007910] mlx5e_tc_del_fdb_peers_flow+0xcf/0x240 [mlx5_core] [ 3103.008463] mlx5e_tc_del_flow+0x46/0x270 [mlx5_core] [ 3103.008944] mlx5e_flow_put+0x26/0x50 [mlx5_core] [ 3103.009401] mlx5e_delete_flower+0x25f/0x380 [mlx5_core] [ 3103.009901] tc_setup_cb_destroy+0xab/0x180 [ 3103.010292] fl_hw_destroy_filter+0x99/0xc0 [cls_flower] [ 3103.010779] __fl_delete+0x2d4/0x2f0 [cls_flower] [ 3103.0 ---truncated---2024-03-11not yet calculatedCVE-2023-52487
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO The SC16IS7XX IC supports a burst mode to access the FIFOs where the initial register address is sent ($00), followed by all the FIFO data without having to resend the register address each time. In this mode, the IC doesn't increment the register address for each R/W byte. The regmap_raw_read() and regmap_raw_write() are functions which can perform IO over multiple registers. They are currently used to read/write from/to the FIFO, and although they operate correctly in this burst mode on the SPI bus, they would corrupt the regmap cache if it was not disabled manually. The reason is that when the R/W size is more than 1 byte, these functions assume that the register address is incremented and handle the cache accordingly. Convert FIFO R/W functions to use the regmap _noinc_ versions in order to remove the manual cache control which was a workaround when using the _raw_ versions. FIFO registers are properly declared as volatile so cache will not be used/updated for FIFO accesses.2024-03-11not yet calculatedCVE-2023-52488
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: mm/sparsemem: fix race in accessing memory_section->usage The below race is observed on a PFN which falls into the device memory region with the system memory configuration where PFN's are such that [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end pfn contains the device memory PFN's as well, the compaction triggered will try on the device memory PFN's too though they end up in NOP(because pfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When from other core, the section mappings are being removed for the ZONE_DEVICE region, that the PFN in question belongs to, on which compaction is currently being operated is resulting into the kernel crash with CONFIG_SPASEMEM_VMEMAP enabled. The crash logs can be seen at [1]. compact_zone() memunmap_pages ------------- --------------- __pageblock_pfn_to_page ...... (a)pfn_valid(): valid_section()//return true (b)__remove_pages()-> sparse_remove_section()-> section_deactivate(): [Free the array ms->usage and set ms->usage = NULL] pfn_section_valid() [Access ms->usage which is NULL] NOTE: From the above it can be said that the race is reduced to between the pfn_valid()/pfn_section_valid() and the section deactivate with SPASEMEM_VMEMAP enabled. The commit b943f045a9af("mm/sparse: fix kernel crash with pfn_section_valid check") tried to address the same problem by clearing the SECTION_HAS_MEM_MAP with the expectation of valid_section() returns false thus ms->usage is not accessed. Fix this issue by the below steps: a) Clear SECTION_HAS_MEM_MAP before freeing the ->usage. b) RCU protected read side critical section will either return NULL when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage. c) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No attempt will be made to access ->usage after this as the SECTION_HAS_MEM_MAP is cleared thus valid_section() return false. Thanks to David/Pavan for their inputs on this patch. [1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/ On Snapdragon SoC, with the mentioned memory configuration of PFN's as [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of issues daily while testing on a device farm. For this particular issue below is the log. Though the below log is not directly pointing to the pfn_section_valid(){ ms->usage;}, when we loaded this dump on T32 lauterbach tool, it is pointing. [ 540.578056] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 540.578068] Mem abort info: [ 540.578070] ESR = 0x0000000096000005 [ 540.578073] EC = 0x25: DABT (current EL), IL = 32 bits [ 540.578077] SET = 0, FnV = 0 [ 540.578080] EA = 0, S1PTW = 0 [ 540.578082] FSC = 0x05: level 1 translation fault [ 540.578085] Data abort info: [ 540.578086] ISV = 0, ISS = 0x00000005 [ 540.578088] CM = 0, WnR = 0 [ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--) [ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c [ 540.579454] lr : compact_zone+0x994/0x1058 [ 540.579460] sp : ffffffc03579b510 [ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c [ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640 [ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000 [ 540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140 [ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff [ 540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001 [ 540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440 [ 540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4 [ 540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000 ---truncated---2024-03-11not yet calculatedCVE-2023-52489
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: mm: migrate: fix getting incorrect page mapping during page migration When running stress-ng testing, we found below kernel crash after a few hours: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 pc : dentry_name+0xd8/0x224 lr : pointer+0x22c/0x370 sp : ffff800025f134c0 ...... Call trace: dentry_name+0xd8/0x224 pointer+0x22c/0x370 vsnprintf+0x1ec/0x730 vscnprintf+0x2c/0x60 vprintk_store+0x70/0x234 vprintk_emit+0xe0/0x24c vprintk_default+0x3c/0x44 vprintk_func+0x84/0x2d0 printk+0x64/0x88 __dump_page+0x52c/0x530 dump_page+0x14/0x20 set_migratetype_isolate+0x110/0x224 start_isolate_page_range+0xc4/0x20c offline_pages+0x124/0x474 memory_block_offline+0x44/0xf4 memory_subsys_offline+0x3c/0x70 device_offline+0xf0/0x120 ...... After analyzing the vmcore, I found this issue is caused by page migration. The scenario is that, one thread is doing page migration, and we will use the target page's ->mapping field to save 'anon_vma' pointer between page unmap and page move, and now the target page is locked and refcount is 1. Currently, there is another stress-ng thread performing memory hotplug, attempting to offline the target page that is being migrated. It discovers that the refcount of this target page is 1, preventing the offline operation, thus proceeding to dump the page. However, page_mapping() of the target page may return an incorrect file mapping to crash the system in dump_mapping(), since the target page->mapping only saves 'anon_vma' pointer without setting PAGE_MAPPING_ANON flag. There are seveval ways to fix this issue: (1) Setting the PAGE_MAPPING_ANON flag for target page's ->mapping when saving 'anon_vma', but this can confuse PageAnon() for PFN walkers, since the target page has not built mappings yet. (2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashing the system, however, there are still some PFN walkers that call page_mapping() without holding the page lock, such as compaction. (3) Using target page->private field to save the 'anon_vma' pointer and 2 bits page state, just as page->mapping records an anonymous page, which can remove the page_mapping() impact for PFN walkers and also seems a simple way. So I choose option 3 to fix this issue, and this can also fix other potential issues for PFN walkers, such as compaction.2024-03-11not yet calculatedCVE-2023-52490
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. In mtk_jpeg_dec_device_run, if error happens in mtk_jpeg_set_dec_dst, it will finally start the worker while mark the job as finished by invoking v4l2_m2m_job_finish. There are two methods to trigger the bug. If we remove the module, it which will call mtk_jpeg_remove to make cleanup. The possible sequence is as follows, which will cause a use-after-free bug. CPU0 CPU1 mtk_jpeg_dec_... | start worker | |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use If we close the file descriptor, which will call mtk_jpeg_release, it will have a similar sequence. Fix this bug by starting timeout worker only if started jpegdec worker successfully. Then v4l2_m2m_job_finish will only be called in either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run.2024-03-11not yet calculatedCVE-2023-52491
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: dmaengine: fix NULL pointer in channel unregistration function __dma_async_device_channel_register() can fail. In case of failure, chan->local is freed (with free_percpu()), and chan->local is nullified. When dma_async_device_unregister() is called (because of managed API or intentionally by DMA controller driver), channels are unconditionally unregistered, leading to this NULL pointer: [ 1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0 [...] [ 1.484499] Call trace: [ 1.486930] device_del+0x40/0x394 [ 1.490314] device_unregister+0x20/0x7c [ 1.494220] __dma_async_device_channel_unregister+0x68/0xc0 Look at dma_async_device_register() function error path, channel device unregistration is done only if chan->local is not NULL. Then add the same condition at the beginning of __dma_async_device_channel_unregister() function, to avoid NULL pointer issue whatever the API used to reach this function.2024-03-11not yet calculatedCVE-2023-52492
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Drop chan lock before queuing buffers Ensure read and write locks for the channel are not taken in succession by dropping the read lock from parse_xfer_event() such that a callback given to client can potentially queue buffers and acquire the write lock in that process. Any queueing of buffers should be done without channel read lock acquired as it can result in multiple locks and a soft lockup. [mani: added fixes tag and cc'ed stable]2024-03-11not yet calculatedCVE-2023-52493
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Add alignment check for event ring read pointer Though we do check the event ring read pointer by "is_valid_ring_ptr" to make sure it is in the buffer range, but there is another risk the pointer may be not aligned. Since we are expecting event ring elements are 128 bits(struct mhi_ring_element) aligned, an unaligned read pointer could lead to multiple issues like DoS or ring buffer memory corruption. So add a alignment check for event ring read pointer.2024-03-11not yet calculatedCVE-2023-52494
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pmic_glink_altmode: fix port sanity check The PMIC GLINK altmode driver currently supports at most two ports. Fix the incomplete port sanity check on notifications to avoid accessing and corrupting memory beyond the port array if we ever get a notification for an unsupported port.2024-03-11not yet calculatedCVE-2023-52495
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: PM: sleep: Fix possible deadlocks in core system-wide PM code It is reported that in low-memory situations the system-wide resume core code deadlocks, because async_schedule_dev() executes its argument function synchronously if it cannot allocate memory (and not only in that case) and that function attempts to acquire a mutex that is already held. Executing the argument function synchronously from within dpm_async_fn() may also be problematic for ordering reasons (it may cause a consumer device's resume callback to be invoked before a requisite supplier device's one, for example). Address this by changing the code in question to use async_schedule_dev_nocall() for scheduling the asynchronous execution of device suspend and resume functions and to directly run them synchronously if async_schedule_dev_nocall() returns false.2024-03-11not yet calculatedCVE-2023-52498
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Check mailbox/SMT channel for consistency On reception of a completion interrupt the shared memory area is accessed to retrieve the message header at first and then, if the message sequence number identifies a transaction which is still pending, the related payload is fetched too. When an SCMI command times out the channel ownership remains with the platform until eventually a late reply is received and, as a consequence, any further transmission attempt remains pending, waiting for the channel to be relinquished by the platform. Once that late reply is received the channel ownership is given back to the agent and any pending request is then allowed to proceed and overwrite the SMT area of the just delivered late reply; then the wait for the reply to the new request starts. It has been observed that the spurious IRQ related to the late reply can be wrongly associated with the freshly enqueued request: when that happens the SCMI stack in-flight lookup procedure is fooled by the fact that the message header now present in the SMT area is related to the new pending transaction, even though the real reply has still to arrive. This race-condition on the A2P channel can be detected by looking at the channel status bits: a genuine reply from the platform will have set the channel free bit before triggering the completion IRQ. Add a consistency check to validate such condition in the A2P ISR.2024-03-13not yet calculatedCVE-2023-52608
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix global oob in ksmbd_nl_policy Similar to a reported issue (check the commit b33fb5b801c6 ("net: qualcomm: rmnet: fix global oob in rmnet_policy"), my local fuzzer finds another global out-of-bounds read for policy ksmbd_nl_policy. See bug trace below: ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Read of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810 CPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G N 6.1.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 validate_nla lib/nlattr.c:386 [inline] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 __nlmsg_parse include/net/netlink.h:748 [inline] genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565 genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdd66a8f359 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003 RBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000 </TASK> The buggy address belongs to the variable: ksmbd_nl_policy+0x100/0xa80 The buggy address belongs to the physical page: page:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9 ^ ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05 ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9 ================================================================== To fix it, add a placeholder named __KSMBD_EVENT_MAX and let KSMBD_EVENT_MAX to be its original value - 1 according to what other netlink families do. Also change two sites that refer the KSMBD_EVENT_MAX to correct value.2024-03-11not yet calculatedCVE-2024-26608
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix a memory corruption iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in bytes, we'll write past the buffer.2024-03-11not yet calculatedCVE-2024-26610
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: xsk: fix usage of multi-buffer BPF helpers for ZC XDP Currently when packet is shrunk via bpf_xdp_adjust_tail() and memory type is set to MEM_TYPE_XSK_BUFF_POOL, null ptr dereference happens: [1136314.192256] BUG: kernel NULL pointer dereference, address: 0000000000000034 [1136314.203943] #PF: supervisor read access in kernel mode [1136314.213768] #PF: error_code(0x0000) - not-present page [1136314.223550] PGD 0 P4D 0 [1136314.230684] Oops: 0000 [#1] PREEMPT SMP NOPTI [1136314.239621] CPU: 8 PID: 54203 Comm: xdpsock Not tainted 6.6.0+ #257 [1136314.250469] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [1136314.265615] RIP: 0010:__xdp_return+0x6c/0x210 [1136314.274653] Code: ad 00 48 8b 47 08 49 89 f8 a8 01 0f 85 9b 01 00 00 0f 1f 44 00 00 f0 41 ff 48 34 75 32 4c 89 c7 e9 79 cd 80 ff 83 fe 03 75 17 <f6> 41 34 01 0f 85 02 01 00 00 48 89 cf e9 22 cc 1e 00 e9 3d d2 86 [1136314.302907] RSP: 0018:ffffc900089f8db0 EFLAGS: 00010246 [1136314.312967] RAX: ffffc9003168aed0 RBX: ffff8881c3300000 RCX: 0000000000000000 [1136314.324953] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffc9003168c000 [1136314.336929] RBP: 0000000000000ae0 R08: 0000000000000002 R09: 0000000000010000 [1136314.348844] R10: ffffc9000e495000 R11: 0000000000000040 R12: 0000000000000001 [1136314.360706] R13: 0000000000000524 R14: ffffc9003168aec0 R15: 0000000000000001 [1136314.373298] FS: 00007f8df8bbcb80(0000) GS:ffff8897e0e00000(0000) knlGS:0000000000000000 [1136314.386105] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1136314.396532] CR2: 0000000000000034 CR3: 00000001aa912002 CR4: 00000000007706f0 [1136314.408377] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [1136314.420173] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [1136314.431890] PKRU: 55555554 [1136314.439143] Call Trace: [1136314.446058] <IRQ> [1136314.452465] ? __die+0x20/0x70 [1136314.459881] ? page_fault_oops+0x15b/0x440 [1136314.468305] ? exc_page_fault+0x6a/0x150 [1136314.476491] ? asm_exc_page_fault+0x22/0x30 [1136314.484927] ? __xdp_return+0x6c/0x210 [1136314.492863] bpf_xdp_adjust_tail+0x155/0x1d0 [1136314.501269] bpf_prog_ccc47ae29d3b6570_xdp_sock_prog+0x15/0x60 [1136314.511263] ice_clean_rx_irq_zc+0x206/0xc60 [ice] [1136314.520222] ? ice_xmit_zc+0x6e/0x150 [ice] [1136314.528506] ice_napi_poll+0x467/0x670 [ice] [1136314.536858] ? ttwu_do_activate.constprop.0+0x8f/0x1a0 [1136314.546010] __napi_poll+0x29/0x1b0 [1136314.553462] net_rx_action+0x133/0x270 [1136314.561619] __do_softirq+0xbe/0x28e [1136314.569303] do_softirq+0x3f/0x60 This comes from __xdp_return() call with xdp_buff argument passed as NULL which is supposed to be consumed by xsk_buff_free() call. To address this properly, in ZC case, a node that represents the frag being removed has to be pulled out of xskb_list. Introduce appropriate xsk helpers to do such node operation and use them accordingly within bpf_xdp_adjust_tail().2024-03-11not yet calculatedCVE-2024-26611
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: netfs, fscache: Prevent Oops in fscache_put_cache() This function dereferences "cache" and then checks if it's IS_ERR_OR_NULL(). Check first, then dereference.2024-03-11not yet calculatedCVE-2024-26612
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: <IRQ> _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) </IRQ> <TASK> __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 </TASK> The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---2024-03-11not yet calculatedCVE-2024-26614
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix illegal rmb_desc access in SMC-D connection dump A crash was found when dumping SMC-D connections. It can be reproduced by following steps: - run nginx/wrk test: smc_run nginx smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL> - continuously dump SMC-D connections in parallel: watch -n 1 'smcss -D' BUG: kernel NULL pointer dereference, address: 0000000000000030 CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G E 6.7.0+ #55 RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag] Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x66/0x150 ? exc_page_fault+0x69/0x140 ? asm_exc_page_fault+0x26/0x30 ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag] ? __kmalloc_node_track_caller+0x35d/0x430 ? __alloc_skb+0x77/0x170 smc_diag_dump_proto+0xd0/0xf0 [smc_diag] smc_diag_dump+0x26/0x60 [smc_diag] netlink_dump+0x19f/0x320 __netlink_dump_start+0x1dc/0x300 smc_diag_handler_dump+0x6a/0x80 [smc_diag] ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag] sock_diag_rcv_msg+0x121/0x140 ? __pfx_sock_diag_rcv_msg+0x10/0x10 netlink_rcv_skb+0x5a/0x110 sock_diag_rcv+0x28/0x40 netlink_unicast+0x22a/0x330 netlink_sendmsg+0x1f8/0x420 __sock_sendmsg+0xb0/0xc0 ____sys_sendmsg+0x24e/0x300 ? copy_msghdr_from_user+0x62/0x80 ___sys_sendmsg+0x7c/0xd0 ? __do_fault+0x34/0x160 ? do_read_fault+0x5f/0x100 ? do_fault+0xb0/0x110 ? __handle_mm_fault+0x2b0/0x6c0 __sys_sendmsg+0x4d/0x80 do_syscall_64+0x69/0x180 entry_SYSCALL_64_after_hwframe+0x6e/0x76 It is possible that the connection is in process of being established when we dump it. Assumed that the connection has been registered in a link group by smc_conn_create() but the rmb_desc has not yet been initialized by smc_buf_create(), thus causing the illegal access to conn->rmb_desc. So fix it by checking before dump.2024-03-11not yet calculatedCVE-2024-26615
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: fs/proc/task_mmu: move mmu notification mechanism inside mm lock Move mmu notification mechanism inside mm lock to prevent race condition in other components which depend on it. The notifier will invalidate memory range. Depending upon the number of iterations, different memory ranges would be invalidated. The following warning would be removed by this patch: WARNING: CPU: 0 PID: 5067 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:734 kvm_mmu_notifier_change_pte+0x860/0x960 arch/x86/kvm/../../../virt/kvm/kvm_main.c:734 There is no behavioural and performance change with this patch when there is no component registered with the mmu notifier. [akpm@linux-foundation.org: narrow the scope of `range', per Sean]2024-03-11not yet calculatedCVE-2024-26617
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: arm64/sme: Always exit sme_alloc() early with existing storage When sme_alloc() is called with existing storage and we are not flushing we will always allocate new storage, both leaking the existing storage and corrupting the state. Fix this by separating the checks for flushing and for existing storage as we do for SVE. Callers that reallocate (eg, due to changing the vector length) should call sme_free() themselves.2024-03-11not yet calculatedCVE-2024-26618
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: riscv: Fix module loading free order Reverse order of kfree calls to resolve use-after-free error.2024-03-11not yet calculatedCVE-2024-26619
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: s390/vfio-ap: always filter entire AP matrix The vfio_ap_mdev_filter_matrix function is called whenever a new adapter or domain is assigned to the mdev. The purpose of the function is to update the guest's AP configuration by filtering the matrix of adapters and domains assigned to the mdev. When an adapter or domain is assigned, only the APQNs associated with the APID of the new adapter or APQI of the new domain are inspected. If an APQN does not reference a queue device bound to the vfio_ap device driver, then it's APID will be filtered from the mdev's matrix when updating the guest's AP configuration. Inspecting only the APID of the new adapter or APQI of the new domain will result in passing AP queues through to a guest that are not bound to the vfio_ap device driver under certain circumstances. Consider the following: guest's AP configuration (all also assigned to the mdev's matrix): 14.0004 14.0005 14.0006 16.0004 16.0005 16.0006 unassign domain 4 unbind queue 16.0005 assign domain 4 When domain 4 is re-assigned, since only domain 4 will be inspected, the APQNs that will be examined will be: 14.0004 16.0004 Since both of those APQNs reference queue devices that are bound to the vfio_ap device driver, nothing will get filtered from the mdev's matrix when updating the guest's AP configuration. Consequently, queue 16.0005 will get passed through despite not being bound to the driver. This violates the linux device model requirement that a guest shall only be given access to devices bound to the device driver facilitating their pass-through. To resolve this problem, every adapter and domain assigned to the mdev will be inspected when filtering the mdev's matrix.2024-03-11not yet calculatedCVE-2024-26620
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix RELEASE_LOCKOWNER The test on so_count in nfsd4_release_lockowner() is nonsense and harmful. Revert to using check_for_locks(), changing that to not sleep. First: harmful. As is documented in the kdoc comment for nfsd4_release_lockowner(), the test on so_count can transiently return a false positive resulting in a return of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is clearly a protocol violation and with the Linux NFS client it can cause incorrect behaviour. If RELEASE_LOCKOWNER is sent while some other thread is still processing a LOCK request which failed because, at the time that request was received, the given owner held a conflicting lock, then the nfsd thread processing that LOCK request can hold a reference (conflock) to the lock owner that causes nfsd4_release_lockowner() to return an incorrect error. The Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it never sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so it knows that the error is impossible. It assumes the lock owner was in fact released so it feels free to use the same lock owner identifier in some later locking request. When it does reuse a lock owner identifier for which a previous RELEASE failed, it will naturally use a lock_seqid of zero. However the server, which didn't release the lock owner, will expect a larger lock_seqid and so will respond with NFS4ERR_BAD_SEQID. So clearly it is harmful to allow a false positive, which testing so_count allows. The test is nonsense because ... well... it doesn't mean anything. so_count is the sum of three different counts. 1/ the set of states listed on so_stateids 2/ the set of active vfs locks owned by any of those states 3/ various transient counts such as for conflicting locks. When it is tested against '2' it is clear that one of these is the transient reference obtained by find_lockowner_str_locked(). It is not clear what the other one is expected to be. In practice, the count is often 2 because there is precisely one state on so_stateids. If there were more, this would fail. In my testing I see two circumstances when RELEASE_LOCKOWNER is called. In one case, CLOSE is called before RELEASE_LOCKOWNER. That results in all the lock states being removed, and so the lockowner being discarded (it is removed when there are no more references which usually happens when the lock state is discarded). When nfsd4_release_lockowner() finds that the lock owner doesn't exist, it returns success. The other case shows an so_count of '2' and precisely one state listed in so_stateid. It appears that the Linux client uses a separate lock owner for each file resulting in one lock state per lock owner, so this test on '2' is safe. For another client it might not be safe. So this patch changes check_for_locks() to use the (newish) find_any_file_locked() so that it doesn't take a reference on the nfs4_file and so never calls nfsd_file_put(), and so never sleeps. With this check is it safe to restore the use of check_for_locks() rather than testing so_count against the mysterious '2'.2024-03-13not yet calculatedCVE-2024-26629
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux -- linux
 
In the Linux kernel, the following vulnerability has been resolved: mm: cachestat: fix folio read-after-free in cache walk In cachestat, we access the folio from the page cache's xarray to compute its page offset, and check for its dirty and writeback flags. However, we do not hold a reference to the folio before performing these actions, which means the folio can concurrently be released and reused as another folio/page/slab. Get around this altogether by just using xarray's existing machinery for the folio page offsets and dirty/writeback states. This changes behavior for tmpfs files to now always report zeroes in their dirty and writeback counters. This is okay as tmpfs doesn't follow conventional writeback cache behavior: its pages get "cleaned" during swapout, after which they're no longer resident etc.2024-03-13not yet calculatedCVE-2024-26630
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
mas -- masmobile_classic_android_app
 
An authorization bypass was discovered in the Carrier MASmobile Classic application through 1.16.18 for Android, MASmobile Classic app through 1.7.24 for iOS, and MAS ASP.Net Services through 1.9. It can be achieved via session ID prediction, allowing remote attackers to retrieve sensitive data including customer data, security system status, and event history. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The affected products cannot simply be updated; they must be removed, but can be replaced by other Carrier software as explained in the Carrier advisory.2024-03-16not yet calculatedCVE-2023-36483
productsecurity@carrier.com
nixos -- nix
 
Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series Ver.3.1.9 and earlier, Ver.3.0.x series Ver.3.0.30 and earlier, Ver.2.11.x series Ver.2.11.59 and earlier, Ver.2.10.x series Ver.2.10.51 and earlier, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with editor or higher privilege who can login to the product may obtain arbitrary files on the server including password files.2024-03-12not yet calculatedCVE-2024-27279
vultures@jpcert.or.jp
vultures@jpcert.or.jp
omron_corporation -- machine_automation_controller_nj_series_
 
Path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an administrative privilege. As for the details of the affected product names/versions, see the information provided by the vendor under [References] section.2024-03-12not yet calculatedCVE-2024-27121
vultures@jpcert.or.jp
vultures@jpcert.or.jp
vultures@jpcert.or.jp
sciener -- gateway_g2
 
Sciener server does not validate connection requests from the GatewayG2, allowing an impersonation attack that provides the attacker the unlockKey field.2024-03-15not yet calculatedCVE-2023-7007
cret@cert.org
sciener -- kontrol_lux
 
The AES key utilized in the pairing process between a lock using Sciener firmware and a wireless keypad is not unique, and can be reused to compromise other locks using the Sciener firmware.2024-03-15not yet calculatedCVE-2023-7003
cret@cert.org
sciener -- kontrol_lux
 
The unlockKey character in a lock using Sciener firmware can be brute forced through repeated challenge requests, compromising the locks integrity.2024-03-15not yet calculatedCVE-2023-7006
cret@cert.org
sciener -- kontrol_lux
 
Some Sciener-based locks support plaintext message processing over Bluetooth Low Energy, allowing unencrypted malicious commands to be passed to the lock. These malicious commands, less then 16 bytes in length, will be processed by the lock as if they were encrypted communications. This can be further exploited by an attacker to compromise the lock's integrity.2024-03-15not yet calculatedCVE-2023-7009
cret@cert.org
sciener -- kontrol_lux
 
Sciener locks' firmware update mechanism do not authenticate or validate firmware updates if passed to the lock through the Bluetooth Low Energy service. A challenge request can be sent to the lock with a command to prepare for an update, rather than an unlock request, allowing an attacker to compromise the device.2024-03-15not yet calculatedCVE-2023-7017
cret@cert.org
sciener -- ttlock_app
 
TTLock App virtual keys and settings are only deleted client side, and if preserved, can access the lock after intended deletion.2024-03-15not yet calculatedCVE-2023-6960
cret@cert.org
sciener -- ttlock_app
 
The TTLock App does not employ proper verification procedures to ensure that it is communicating with the expected device, allowing for connection to a device that spoofs the MAC address of a lock, which compromises the legitimate locks integrity.2024-03-15not yet calculatedCVE-2023-7004
cret@cert.org
sky_co.,ltd. -- skysea_client_view
 
Improper access control vulnerability exists in the specific folder of SKYSEA Client View versions from Ver.16.100 prior to Ver.19.2. If this vulnerability is exploited, an arbitrary file may be placed in the specific folder by a user who can log in to the PC where the product's Windows client is installed. In case the file is a specially crafted DLL file, arbitrary code may be executed with SYSTEM privilege.2024-03-12not yet calculatedCVE-2024-21805
vultures@jpcert.or.jp
vultures@jpcert.or.jp
sky_co.,ltd. -- skysea_client_view
 
Improper access control vulnerability exists in the resident process of SKYSEA Client View versions from Ver.11.220 prior to Ver.19.2. If this vulnerability is exploited, an arbitrary process may be executed with SYSTEM privilege by a user who can log in to the PC where the product's Windows client is installed.2024-03-12not yet calculatedCVE-2024-24964
vultures@jpcert.or.jp
vultures@jpcert.or.jp
sonicwall -- email_security
 
An improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in SonicWall Email Security Appliance could allow a remote attacker with administrative privileges to conduct a directory traversal attack and delete arbitrary files from the appliance file system.2024-03-14not yet calculatedCVE-2024-22398
PSIRT@sonicwall.com
sonicwall -- sonicos
 
An Integer-based buffer overflow vulnerability in the SonicOS via IPSec allows a remote attacker in specific conditions to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a specially crafted IKEv2 payload.2024-03-14not yet calculatedCVE-2024-22396
PSIRT@sonicwall.com
sonicwall -- sonicos
 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in the SonicOS SSLVPN portal allows a remote authenticated attacker as a firewall 'admin' user to store and execute arbitrary JavaScript code.2024-03-14not yet calculatedCVE-2024-22397
PSIRT@sonicwall.com
the_libreswan_project_(www.libreswan.org) -- libreswan
 
The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service.2024-03-11not yet calculatedCVE-2024-2357
d42dc95b-23f1-4e06-9076-20753a0fb0df
toyoko_inn_it_solution_co.,_ltd. -- toyoko_inn_official_app_for_ios
 
The Toyoko Inn official App for iOS versions prior to 1.13.0 and Toyoko Inn official App for Android versions prior 1.3.14 don't properly verify server certificates, which allows a man-in-the-middle attacker to spoof servers and obtain sensitive information via a crafted certificate.2024-03-13not yet calculatedCVE-2024-27440
vultures@jpcert.or.jp
vultures@jpcert.or.jp
vultures@jpcert.or.jp
unknown -- 404_solution
 
The 404 Solution WordPress plugin before 2.35.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins.2024-03-11not yet calculatedCVE-2024-1068
contact@wpscan.com
unknown -- enhanced_text_widget
 
The Enhanced Text Widget WordPress plugin before 1.6.6 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)2024-03-11not yet calculatedCVE-2024-0559
contact@wpscan.com
contact@wpscan.com
unknown -- login_as_user_or_customer
 
The Login as User or Customer WordPress plugin through 3.8 does not prevent users to log in as any other user on the site.2024-03-11not yet calculatedCVE-2023-7247
contact@wpscan.com
contact@wpscan.com
unknown -- paid_memberships_pro
 
The Paid Memberships Pro WordPress plugin before 2.12.9 does not prevent user with at least the contributor role from leaking other users' sensitive metadata.2024-03-11not yet calculatedCVE-2024-1279
contact@wpscan.com
unknown -- photos_and_files_contest_gallery
 
The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks.2024-03-11not yet calculatedCVE-2024-1487
contact@wpscan.com
unknown -- seriously_simple_podcasting
 
The Seriously Simple Podcasting WordPress plugin before 3.0.0 discloses the Podcast owner's email address (which by default is the admin email address) via an unauthenticated crafted request.2024-03-11not yet calculatedCVE-2023-6444
contact@wpscan.com
unknown -- starbox
 
The Starbox WordPress plugin before 3.5.0 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks2024-03-11not yet calculatedCVE-2024-1273
contact@wpscan.com
unknown -- ultimate_posts_widget
 
The Ultimate Posts Widget WordPress plugin before 2.3.1 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)2024-03-11not yet calculatedCVE-2024-0561
contact@wpscan.com
unknown -- user_registration
 
The User Registration WordPress plugin before 2.12 does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts.2024-03-11not yet calculatedCVE-2024-1290
contact@wpscan.com
veribo,_roland_murg -- wp_simple_booking_calendar
 
Cross-Site Request Forgery (CSRF) vulnerability in Veribo, Roland Murg WP Simple Booking Calendar.This issue affects WP Simple Booking Calendar: from n/a through 2.0.8.4.2024-03-15not yet calculatedCVE-2023-51525
audit@patchstack.com

Back to top

Please share your thoughts

We recently updated our anonymous product survey; we’d welcome your feedback.