Latest vulnerabilities [Friday, January 26, 2024]


Last update performed on 01/26/2024 at 11:57:07 PM

(19) CRITICAL VULNERABILITIES [9.0, 10.0]

Source : exodusintel.com

Vulnerability ID : CVE-2024-23613

First published on : 26-01-2024 00:15:08
Last modified on : 26-01-2024 13:51:45

Description :
A buffer overflow vulnerability exists in Symantec Deployment Solution version 7.9 when parsing UpdateComputer tokens. A remote, anonymous attacker can exploit this vulnerability to achieve remote code execution as SYSTEM.

CVE ID : CVE-2024-23613
Source : disclosures@exodusintel.com
CVSS Score : 10.0

References :
https://blog.exodusintel.com/2024/01/25/symantec-deployment-solution-axengine-exe-buffer-overflow-remote-code-execution | source : disclosures@exodusintel.com

Vulnerability : CWE-119


Vulnerability ID : CVE-2024-23614

First published on : 26-01-2024 00:15:08
Last modified on : 26-01-2024 13:51:45

Description :
A buffer overflow vulnerability exists in Symantec Messaging Gateway versions 9.5 and before. A remote, anonymous attacker can exploit this vulnerability to achieve remote code execution as root.

CVE ID : CVE-2024-23614
Source : disclosures@exodusintel.com
CVSS Score : 10.0

References :
https://blog.exodusintel.com/2024/01/25/symantec-messaging-gateway-stack-buffer-overflow-remote-code-execution/ | source : disclosures@exodusintel.com

Vulnerability : CWE-119


Vulnerability ID : CVE-2024-23615

First published on : 26-01-2024 00:15:08
Last modified on : 26-01-2024 13:51:45

Description :
A buffer overflow vulnerability exists in Symantec Messaging Gateway versions 10.5 and before. A remote, anonymous attacker can exploit this vulnerability to achieve remote code execution as root.

CVE ID : CVE-2024-23615
Source : disclosures@exodusintel.com
CVSS Score : 10.0

References :
https://blog.exodusintel.com/2024/01/25/symantec-messaging-gateway-libdec2lha-so-stack-buffer-overflow-remote-code-execution/ | source : disclosures@exodusintel.com

Vulnerability : CWE-119


Vulnerability ID : CVE-2024-23616

First published on : 26-01-2024 00:15:08
Last modified on : 26-01-2024 13:51:45

Description :
A buffer overflow vulnerability exists in Symantec Server Management Suite version 7.9 and before. A remote, anonymous attacker can exploit this vulnerability to achieve remote code execution as SYSTEM.

CVE ID : CVE-2024-23616
Source : disclosures@exodusintel.com
CVSS Score : 10.0

References :
https://blog.exodusintel.com/2024/01/25/symantec-server-management-suite-axengine-exe-buffer-overflow-remote-code-execution/ | source : disclosures@exodusintel.com

Vulnerability : CWE-119


Vulnerability ID : CVE-2024-23621

First published on : 26-01-2024 00:15:09
Last modified on : 26-01-2024 13:51:45

Description :
A buffer overflow exists in IBM Merge Healthcare eFilm Workstation license server. A remote, unauthenticated attacker can exploit this vulnerability to achieve remote code execution.

CVE ID : CVE-2024-23621
Source : disclosures@exodusintel.com
CVSS Score : 10.0

References :
https://blog.exodusintel.com/2024/01/25/ibm-merge-healthcare-efilm-workstation-license-server-buffer-overflow/ | source : disclosures@exodusintel.com

Vulnerability : CWE-131


Vulnerability ID : CVE-2024-23622

First published on : 26-01-2024 00:15:10
Last modified on : 26-01-2024 13:51:45

Description :
A stack-based buffer overflow exists in IBM Merge Healthcare eFilm Workstation license server. A remote, unauthenticated attacker can exploit this vulnerability to achieve remote code execution with SYSTEM privileges.

CVE ID : CVE-2024-23622
Source : disclosures@exodusintel.com
CVSS Score : 10.0

References :
https://blog.exodusintel.com/2024/01/25/ibm-merge-healthcare-efilm-workstation-license-server-copysls_request3-buffer-overflow/ | source : disclosures@exodusintel.com

Vulnerability : CWE-131


Vulnerability ID : CVE-2024-23619

First published on : 26-01-2024 00:15:09
Last modified on : 26-01-2024 13:51:45

Description :
A hardcoded credential vulnerability exists in IBM Merge Healthcare eFilm Workstation. A remote, unauthenticated attacker can exploit this vulnerability to achieve information disclosure or remote code execution.

CVE ID : CVE-2024-23619
Source : disclosures@exodusintel.com
CVSS Score : 9.8

References :
https://blog.exodusintel.com/2024/01/25/ibm-merge-healthcare-efilm-workstation-information-disclosure/ | source : disclosures@exodusintel.com

Vulnerability : CWE-798


Vulnerability ID : CVE-2024-23617

First published on : 26-01-2024 00:15:09
Last modified on : 26-01-2024 13:51:45

Description :
A buffer overflow vulnerability exists in Symantec Data Loss Prevention version 14.0.2 and before. A remote, unauthenticated attacker can exploit this vulnerability by enticing a user to open a crafted document to achieve code execution.

CVE ID : CVE-2024-23617
Source : disclosures@exodusintel.com
CVSS Score : 9.6

References :
https://blog.exodusintel.com/2024/01/25/symantec-data-loss-prevention-wp6sr-dll-stack-buffer-overflow-remote-code-execution/ | source : disclosures@exodusintel.com

Vulnerability : CWE-119


Vulnerability ID : CVE-2024-23618

First published on : 26-01-2024 00:15:09
Last modified on : 26-01-2024 13:51:45

Description :
An arbitrary code execution vulnerability exists in Arris SURFboard SGB6950AC2 devices. An unauthenticated attacker can exploit this vulnerability to achieve code execution as root.

CVE ID : CVE-2024-23618
Source : disclosures@exodusintel.com
CVSS Score : 9.6

References :
https://blog.exodusintel.com/2024/01/25/arris-surfboard-sbg6950ac2-arbitrary-command-execution-vulnerability/ | source : disclosures@exodusintel.com

Vulnerability : CWE-306


Vulnerability ID : CVE-2024-23624

First published on : 26-01-2024 00:15:10
Last modified on : 26-01-2024 13:51:45

Description :
A command injection vulnerability exists in the gena.cgi module of D-Link DAP-1650 devices. An unauthenticated attacker can exploit this vulnerability to gain command execution on the device as root.

CVE ID : CVE-2024-23624
Source : disclosures@exodusintel.com
CVSS Score : 9.6

References :
https://blog.exodusintel.com/2024/01/25/d-link-dap-1650-gena-cgi-subscribe-command-injection-vulnerability/ | source : disclosures@exodusintel.com

Vulnerability : CWE-77


Vulnerability ID : CVE-2024-23625

First published on : 26-01-2024 00:15:10
Last modified on : 26-01-2024 13:51:45

Description :
A command injection vulnerability exists in D-Link DAP-1650 devices when handling UPnP SUBSCRIBE messages. An unauthenticated attacker can exploit this vulnerability to gain command execution on the device as root.

CVE ID : CVE-2024-23625
Source : disclosures@exodusintel.com
CVSS Score : 9.6

References :
https://blog.exodusintel.com/2024/01/25/d-link-dap-1650-subscribe-callback-command-injection-vulnerability/ | source : disclosures@exodusintel.com

Vulnerability : CWE-77


Vulnerability ID : CVE-2024-23629

First published on : 26-01-2024 00:15:11
Last modified on : 26-01-2024 13:51:45

Description :
An authentication bypass vulnerability exists in the web component of the Motorola MR2600. An attacker can exploit this vulnerability to access protected URLs and retrieve sensitive information.

CVE ID : CVE-2024-23629
Source : disclosures@exodusintel.com
CVSS Score : 9.6

References :
https://blog.exodusintel.com/2024/01/25/motorola-mr2600-authentication-bypass-vulnerability/ | source : disclosures@exodusintel.com

Vulnerability : CWE-287


Vulnerability ID : CVE-2024-23626

First published on : 26-01-2024 00:15:10
Last modified on : 26-01-2024 13:51:45

Description :
A command injection vulnerability exists in the 'SaveSysLogParams' parameter of the Motorola MR2600. A remote attacker can exploit this vulnerability to achieve command execution. Authentication is required; however, it can be bypassed.

CVE ID : CVE-2024-23626
Source : disclosures@exodusintel.com
CVSS Score : 9.0

References :
https://blog.exodusintel.com/2024/01/25/motorola-mr2600-savesyslogparams-command-injection-vulnerability/ | source : disclosures@exodusintel.com

Vulnerability : CWE-77


Vulnerability ID : CVE-2024-23627

First published on : 26-01-2024 00:15:11
Last modified on : 26-01-2024 13:51:45

Description :
A command injection vulnerability exists in the 'SaveStaticRouteIPv4Params' parameter of the Motorola MR2600. A remote attacker can exploit this vulnerability to achieve command execution. Authentication is required; however, it can be bypassed.

CVE ID : CVE-2024-23627
Source : disclosures@exodusintel.com
CVSS Score : 9.0

References :
https://blog.exodusintel.com/2024/01/25/motorola-mr2600-savestaticrouteipv4params-command-injection-vulnerability/ | source : disclosures@exodusintel.com

Vulnerability : CWE-77


Vulnerability ID : CVE-2024-23628

First published on : 26-01-2024 00:15:11
Last modified on : 26-01-2024 13:51:45

Description :
A command injection vulnerability exists in the 'SaveStaticRouteIPv6Params' parameter of the Motorola MR2600. A remote attacker can exploit this vulnerability to achieve command execution. Authentication is required; however, it can be bypassed.

CVE ID : CVE-2024-23628
Source : disclosures@exodusintel.com
CVSS Score : 9.0

References :
https://blog.exodusintel.com/2024/01/25/motorola-mr2600-savestaticrouteipv6params-command-injection-vulnerability/ | source : disclosures@exodusintel.com

Vulnerability : CWE-77


Vulnerability ID : CVE-2024-23630

First published on : 26-01-2024 00:15:12
Last modified on : 26-01-2024 13:51:45

Description :
An arbitrary firmware upload vulnerability exists in the Motorola MR2600. An attacker can exploit this vulnerability to achieve code execution on the device. Authentication is required; however, it can be bypassed.

CVE ID : CVE-2024-23630
Source : disclosures@exodusintel.com
CVSS Score : 9.0

References :
https://blog.exodusintel.com/2024/01/25/motorola-mr2600-arbitrary-firmware-upload-vulnerability/ | source : disclosures@exodusintel.com

Vulnerability : CWE-434


Source : gitlab.com

Vulnerability ID : CVE-2024-0402

First published on : 26-01-2024 01:15:08
Last modified on : 26-01-2024 13:51:45

Description :
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.

CVE ID : CVE-2024-0402
Source : cve@gitlab.com
CVSS Score : 9.9

References :
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/ | source : cve@gitlab.com
https://gitlab.com/gitlab-org/gitlab/-/issues/437819 | source : cve@gitlab.com

Vulnerability : CWE-22


Source : cisco.com

Vulnerability ID : CVE-2024-20253

First published on : 26-01-2024 18:15:10
Last modified on : 26-01-2024 18:29:26

Description :
A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to the improper processing of user-provided data that is being read into memory. An attacker could exploit this vulnerability by sending a crafted message to a listening port of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user. With access to the underlying operating system, the attacker could also establish root access on the affected device.

CVE ID : CVE-2024-20253
Source : ykramarz@cisco.com
CVSS Score : 9.9

References :
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-rce-bWNzQcUm | source : ykramarz@cisco.com


Source : microsoft.com

Vulnerability ID : CVE-2024-21326

First published on : 26-01-2024 01:15:10
Last modified on : 26-01-2024 13:51:45

Description :
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE ID : CVE-2024-21326
Source : secure@microsoft.com
CVSS Score : 9.6

References :
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21326 | source : secure@microsoft.com


(47) HIGH VULNERABILITIES [7.0, 8.9]

Source : exodusintel.com

Vulnerability ID : CVE-2024-23620

First published on : 26-01-2024 00:15:09
Last modified on : 26-01-2024 13:51:45

Description :
An improper privilege management vulnerability exists in IBM Merge Healthcare eFilm Workstation. A local, authenticated attacker can exploit this vulnerability to escalate privileges to SYSTEM.

CVE ID : CVE-2024-23620
Source : disclosures@exodusintel.com
CVSS Score : 8.8

References :
https://blog.exodusintel.com/2024/01/25/ibm-merge-healthcare-efilm-workstation-system-privilege-escalation/ | source : disclosures@exodusintel.com

Vulnerability : CWE-269


Source : microsoft.com

Vulnerability ID : CVE-2024-21385

First published on : 26-01-2024 01:15:10
Last modified on : 26-01-2024 13:51:45

Description :
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE ID : CVE-2024-21385
Source : secure@microsoft.com
CVSS Score : 8.3

References :
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21385 | source : secure@microsoft.com


Source : netapp.com

Vulnerability ID : CVE-2024-21985

First published on : 26-01-2024 16:15:22
Last modified on : 26-01-2024 16:33:07

Description :
ONTAP 9 versions prior to 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10 and 9.13.1P4 are susceptible to a vulnerability which could allow an authenticated user with multiple remote accounts with differing roles to perform actions via REST API beyond their intended privilege. Possible actions include viewing limited configuration details and metrics or modifying limited settings, some of which could result in a Denial of Service (DoS).

CVE ID : CVE-2024-21985
Source : security-alert@netapp.com
CVSS Score : 7.6

References :
https://security.netapp.com/advisory/ntap-20240126-0001/ | source : security-alert@netapp.com

Vulnerability : CWE-269


Source : usom.gov.tr

Vulnerability ID : CVE-2023-6919

First published on : 26-01-2024 08:15:42
Last modified on : 26-01-2024 13:51:45

Description :
Path Traversal: '/../filedir' vulnerability in Biges Safe Life Technologies Electronics Inc. VGuard allows Absolute Path Traversal. This issue affects VGuard: before V500.0003.R008.4011.C0012.B351.C.

CVE ID : CVE-2023-6919
Source : iletisim@usom.gov.tr
CVSS Score : 7.5

References :
https://www.usom.gov.tr/bildirim/tr-24-0054 | source : iletisim@usom.gov.tr

Vulnerability : CWE-25


Source : vuldb.com

Vulnerability ID : CVE-2024-0945

First published on : 26-01-2024 21:15:08
Last modified on : 26-01-2024 21:15:08

Description :
A vulnerability classified as critical has been found in 60IndexPage up to 1.8.5. This affects an unknown part of the file /include/file.php of the component Parameter Handler. The manipulation of the argument url leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252189 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0945
Source : cna@vuldb.com
CVSS Score : 7.3

References :
https://note.zhaoj.in/share/7F54gy22y7uJ | source : cna@vuldb.com
https://vuldb.com/?ctiid.252189 | source : cna@vuldb.com
https://vuldb.com/?id.252189 | source : cna@vuldb.com

Vulnerability : CWE-918


Vulnerability ID : CVE-2024-0946

First published on : 26-01-2024 21:15:08
Last modified on : 26-01-2024 21:15:08

Description :
A vulnerability classified as critical was found in 60IndexPage up to 1.8.5. This vulnerability affects unknown code of the file /apply/index.php of the component Parameter Handler. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-252190 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0946
Source : cna@vuldb.com
CVSS Score : 7.3

References :
https://note.zhaoj.in/share/iNSyaClT0hGi | source : cna@vuldb.com
https://vuldb.com/?ctiid.252190 | source : cna@vuldb.com
https://vuldb.com/?id.252190 | source : cna@vuldb.com

Vulnerability : CWE-918


Source : incibe.es

Vulnerability ID : CVE-2024-23856

First published on : 26-01-2024 09:15:08
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itemlist.php, in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23856
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23857

First published on : 26-01-2024 09:15:08
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grnlinecreate.php, in the batchno parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23857
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23858

First published on : 26-01-2024 09:15:09
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuancelinecreate.php, in the batchno parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23858
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23859

First published on : 26-01-2024 09:15:09
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructurelinecreate.php, in the flatamount parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23859
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23860

First published on : 26-01-2024 09:15:09
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/currencylist.php, in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23860
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23861

First published on : 26-01-2024 09:15:09
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/unitofmeasurementcreate.php, in the unitofmeasurementid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23861
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23862

First published on : 26-01-2024 09:15:09
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grndisplay.php, in the grnno parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23862
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23863

First published on : 26-01-2024 10:15:07
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructuredisplay.php, in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23863
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23864

First published on : 26-01-2024 10:15:07
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/countrylist.php, in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23864
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23865

First published on : 26-01-2024 10:15:08
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructurelist.php, in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23865
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23866

First published on : 26-01-2024 10:15:08
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/countrycreate.php, in the countryid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23866
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23867

First published on : 26-01-2024 10:15:08
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/statecreate.php, in the stateid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23867
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23868

First published on : 26-01-2024 10:15:08
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grnlist.php, in the deleted parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23868
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23869

First published on : 26-01-2024 10:15:09
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuanceprint.php, in the issuanceno parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23869
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23870

First published on : 26-01-2024 10:15:09
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuancelist.php, in the delete parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23870
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23871

First published on : 26-01-2024 10:15:09
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/unitofmeasurementmodify.php, in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23871
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23872

First published on : 26-01-2024 10:15:09
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/locationmodify.php, in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23872
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23873

First published on : 26-01-2024 10:15:09
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/currencymodify.php, in the currencyid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23873
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23874

First published on : 26-01-2024 10:15:10
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/companymodify.php, in the address1 parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23874
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23875

First published on : 26-01-2024 10:15:10
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuancedisplay.php, in the issuanceno parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23875
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23876

First published on : 26-01-2024 10:15:10
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructurecreate.php, in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23876
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23877

First published on : 26-01-2024 10:15:10
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/currencycreate.php, in the currencyid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23877
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23878

First published on : 26-01-2024 10:15:10
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grnprint.php, in the grnno parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23878
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23879

First published on : 26-01-2024 10:15:10
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/statemodify.php, in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23879
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23880

First published on : 26-01-2024 10:15:11
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxcodelist.php, in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23880
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23881

First published on : 26-01-2024 10:15:11
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/statelist.php, in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23881
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23882

First published on : 26-01-2024 10:15:11
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxcodecreate.php, in the taxcodeid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23882
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23883

First published on : 26-01-2024 10:15:11
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructuremodify.php, in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23883
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23884

First published on : 26-01-2024 10:15:11
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grnmodify.php, in the grndate parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23884
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23885

First published on : 26-01-2024 10:15:12
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/countrymodify.php, in the countryid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23885
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23886

First published on : 26-01-2024 10:15:12
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itemmodify.php, in the bincardinfo parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23886
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23887

First published on : 26-01-2024 10:15:12
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grncreate.php, in the grndate parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23887
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23888

First published on : 26-01-2024 10:15:12
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stocktransactionslist.php, in the itemidy parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23888
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23889

First published on : 26-01-2024 10:15:12
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itemgroupcreate.php, in the itemgroupid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23889
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23890

First published on : 26-01-2024 11:15:08
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itempopup.php, in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23890
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23891

First published on : 26-01-2024 11:15:08
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itemcreate.php, in the itemid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23891
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23892

First published on : 26-01-2024 11:15:08
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/costcentercreate.php, in the costcenterid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23892
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23893

First published on : 26-01-2024 11:15:09
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/costcentermodify.php, in the costcenterid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23893
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23894

First published on : 26-01-2024 11:15:09
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuancecreate.php, in the issuancedate parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23894
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23896

First published on : 26-01-2024 11:15:09
Last modified on : 26-01-2024 13:51:15

Description :
A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stock.php, in the batchno parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

CVE ID : CVE-2024-23896
Source : cve-coordination@incibe.es
CVSS Score : 7.1

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Source : redhat.com

Vulnerability ID : CVE-2023-6291

First published on : 26-01-2024 15:15:08
Last modified on : 26-01-2024 16:33:07

Description :
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

CVE ID : CVE-2023-6291
Source : secalert@redhat.com
CVSS Score : 7.1

References :
https://access.redhat.com/errata/RHSA-2023:7854 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7855 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7856 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7857 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7858 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7860 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7861 | source : secalert@redhat.com
https://access.redhat.com/security/cve/CVE-2023-6291 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2251407 | source : secalert@redhat.com

Vulnerability : CWE-20


(31) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : gitlab.com

Vulnerability ID : CVE-2023-6159

First published on : 26-01-2024 02:15:07
Last modified on : 26-01-2024 13:51:45

Description :
An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input.

CVE ID : CVE-2023-6159
Source : cve@gitlab.com
CVSS Score : 6.5

References :
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/ | source : cve@gitlab.com
https://gitlab.com/gitlab-org/gitlab/-/issues/431924 | source : cve@gitlab.com
https://hackerone.com/reports/2251278 | source : cve@gitlab.com

Vulnerability : CWE-1333


Vulnerability ID : CVE-2023-5933

First published on : 26-01-2024 01:15:08
Last modified on : 26-01-2024 13:51:45

Description :
An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests.

CVE ID : CVE-2023-5933
Source : cve@gitlab.com
CVSS Score : 6.4

References :
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/ | source : cve@gitlab.com
https://gitlab.com/gitlab-org/gitlab/-/issues/430236 | source : cve@gitlab.com
https://hackerone.com/reports/2225710 | source : cve@gitlab.com

Vulnerability : CWE-80


Vulnerability ID : CVE-2023-5612

First published on : 26-01-2024 02:15:07
Last modified on : 26-01-2024 13:51:45

Description :
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled.

CVE ID : CVE-2023-5612
Source : cve@gitlab.com
CVSS Score : 5.3

References :
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/ | source : cve@gitlab.com
https://gitlab.com/gitlab-org/gitlab/-/issues/428441 | source : cve@gitlab.com
https://hackerone.com/reports/2208790 | source : cve@gitlab.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2024-0456

First published on : 26-01-2024 01:15:09
Last modified on : 26-01-2024 13:51:45

Description :
An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project.

CVE ID : CVE-2024-0456
Source : cve@gitlab.com
CVSS Score : 4.3

References :
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/ | source : cve@gitlab.com
https://gitlab.com/gitlab-org/gitlab/-/issues/430726 | source : cve@gitlab.com

Vulnerability : CWE-285


Source : vuldb.com

Vulnerability ID : CVE-2024-0919

First published on : 26-01-2024 09:15:08
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability was found in TRENDnet TEW-815DAP 1.0.2.0. It has been classified as critical. This affects the function do_setNTP of the component POST Request Handler. The manipulation of the argument NtpDstStart/NtpDstEnd leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252123. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0919
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://vuldb.com/?ctiid.252123 | source : cna@vuldb.com
https://vuldb.com/?id.252123 | source : cna@vuldb.com
https://warp-desk-89d.notion.site/TEW-815DAP-94a631c20dee4f399268dbcc880f1f4c?pvs=4 | source : cna@vuldb.com

Vulnerability : CWE-77


Vulnerability ID : CVE-2024-0933

First published on : 26-01-2024 17:15:11
Last modified on : 26-01-2024 18:29:26

Description :
A vulnerability was found in Niushop B2B2C V5 and classified as critical. Affected by this issue is some unknown functionality of the file \app\model\Upload.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252140. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0933
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://docs.qq.com/doc/DYnNWeHdTVXZqZURH | source : cna@vuldb.com
https://vuldb.com/?ctiid.252140 | source : cna@vuldb.com
https://vuldb.com/?id.252140 | source : cna@vuldb.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2024-0936

First published on : 26-01-2024 17:15:11
Last modified on : 26-01-2024 18:29:26

Description :
A vulnerability classified as critical was found in van_der_Schaar LAB TemporAI 0.0.3. Affected by this vulnerability is the function load_from_file of the component PKL File Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252181 was assigned to this vulnerability. NOTE: The vendor was contacted early and confirmed immediately the existence of the issue. A patch is planned to be released in February 2024.

CVE ID : CVE-2024-0936
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/bayuncao/vul-cve-5 | source : cna@vuldb.com
https://github.com/bayuncao/vul-cve-5/blob/main/poc.py | source : cna@vuldb.com
https://vuldb.com/?ctiid.252181 | source : cna@vuldb.com
https://vuldb.com/?id.252181 | source : cna@vuldb.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2024-0937

First published on : 26-01-2024 18:15:10
Last modified on : 26-01-2024 18:29:26

Description :
A vulnerability, which was classified as critical, has been found in van_der_Schaar LAB synthcity 0.2.9. Affected by this issue is the function load_from_file of the component PKL File Handler. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252182 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early and confirmed immediately the existence of the issue. A patch is planned to be released in February 2024.

CVE ID : CVE-2024-0937
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/bayuncao/vul-cve-6 | source : cna@vuldb.com
https://github.com/bayuncao/vul-cve-6/blob/main/poc.py | source : cna@vuldb.com
https://vuldb.com/?ctiid.252182 | source : cna@vuldb.com
https://vuldb.com/?id.252182 | source : cna@vuldb.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2024-0939

First published on : 26-01-2024 19:15:08
Last modified on : 26-01-2024 19:15:08

Description :
A vulnerability has been found in Beijing Baichuo Smart S210 Management Platform up to 20240117 and classified as critical. This vulnerability affects unknown code of the file /Tool/uploadfile.php. The manipulation of the argument file_upload leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252184. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0939
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/Yu1e/vuls/blob/main/an%20arbitrary%20file%20upload%20vulnerability%20in%20BaiZhuo%20Networks%20Smart%20S210%20multi-service%20security%20gateway%20intelligent%20management%20platform.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252184 | source : cna@vuldb.com
https://vuldb.com/?id.252184 | source : cna@vuldb.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2024-0938

First published on : 26-01-2024 18:15:10
Last modified on : 26-01-2024 18:29:26

Description :
A vulnerability, which was classified as critical, was found in Tongda OA 2017 up to 11.9. This affects an unknown part of the file /general/email/inbox/delete_webmail.php. The manipulation of the argument WEBBODY_ID_STR leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-252183. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0938
Source : cna@vuldb.com
CVSS Score : 5.5

References :
https://github.com/Yu1e/vuls/blob/main/SQL%20injection%20vulnerability%20exists%20in%20Tongda%20OA.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252183 | source : cna@vuldb.com
https://vuldb.com/?id.252183 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2024-0941

First published on : 26-01-2024 19:15:08
Last modified on : 26-01-2024 19:15:08

Description :
A vulnerability was found in Novel-Plus 4.3.0-RC1 and classified as critical. This issue affects some unknown processing of the file /novel/bookComment/list. The manipulation of the argument sort leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-252185 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0941
Source : cna@vuldb.com
CVSS Score : 5.5

References :
https://github.com/red0-ha1yu/warehouse/blob/main/novel-plus_sqlinject2.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252185 | source : cna@vuldb.com
https://vuldb.com/?id.252185 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2024-0918

First published on : 26-01-2024 09:15:07
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability was found in TRENDnet TEW-800MB 1.0.1.0 and classified as critical. Affected by this issue is some unknown functionality of the component POST Request Handler. The manipulation of the argument DeviceURL leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252122 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0918
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://vuldb.com/?ctiid.252122 | source : cna@vuldb.com
https://vuldb.com/?id.252122 | source : cna@vuldb.com
https://warp-desk-89d.notion.site/TEW-800MB-1f9576ce12234b72b08b9c7f4c7d32a6?pvs=4 | source : cna@vuldb.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2024-0920

First published on : 26-01-2024 09:15:08
Last modified on : 26-01-2024 13:51:45

Description :
A vulnerability was found in TRENDnet TEW-822DRE 1.03B02. It has been declared as critical. This vulnerability affects unknown code of the file /admin_ping.htm of the component POST Request Handler. The manipulation of the argument ipv4_ping/ipv6_ping leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252124. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0920
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://vuldb.com/?ctiid.252124 | source : cna@vuldb.com
https://vuldb.com/?id.252124 | source : cna@vuldb.com
https://warp-desk-89d.notion.site/TEW-822DRE-5289eb95796749c2878843519ab451d8?pvs=4 | source : cna@vuldb.com

Vulnerability : CWE-77


Vulnerability ID : CVE-2024-0921

First published on : 26-01-2024 14:15:50
Last modified on : 26-01-2024 16:33:07

Description :
A vulnerability has been found in D-Link DIR-816 A2 1.10CNB04 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /goform/setDeviceSettings of the component Web Interface. The manipulation of the argument statuscheckpppoeuser leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252139.

CVE ID : CVE-2024-0921
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://github.com/xiyuanhuaigu/cve/blob/main/rce.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252139 | source : cna@vuldb.com
https://vuldb.com/?id.252139 | source : cna@vuldb.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2024-0922

First published on : 26-01-2024 14:15:50
Last modified on : 26-01-2024 16:33:07

Description :
A vulnerability classified as critical was found in Tenda AC10U 15.03.06.49_multi_TDE01. Affected by this vulnerability is the function formQuickIndex. The manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252127. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0922
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://github.com/yaoyue123/iot/blob/main/Tenda/AC10U/formQuickIndex.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252127 | source : cna@vuldb.com
https://vuldb.com/?id.252127 | source : cna@vuldb.com

Vulnerability : CWE-121


Vulnerability ID : CVE-2024-0923

First published on : 26-01-2024 14:15:50
Last modified on : 26-01-2024 16:33:07

Description :
A vulnerability, which was classified as critical, has been found in Tenda AC10U 15.03.06.49_multi_TDE01. Affected by this issue is the function formSetDeviceName. The manipulation of the argument devName leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252128. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0923
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://github.com/yaoyue123/iot/blob/main/Tenda/AC10U/formSetDeviceName.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252128 | source : cna@vuldb.com
https://vuldb.com/?id.252128 | source : cna@vuldb.com

Vulnerability : CWE-121


Vulnerability ID : CVE-2024-0924

First published on : 26-01-2024 15:15:08
Last modified on : 26-01-2024 16:33:07

Description :
A vulnerability, which was classified as critical, was found in Tenda AC10U 15.03.06.49_multi_TDE01. This affects the function formSetPPTPServer. The manipulation of the argument startIp leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252129 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0924
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://github.com/yaoyue123/iot/blob/main/Tenda/AC10U/formSetPPTPServer.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252129 | source : cna@vuldb.com
https://vuldb.com/?id.252129 | source : cna@vuldb.com

Vulnerability : CWE-121


Vulnerability ID : CVE-2024-0925

First published on : 26-01-2024 15:15:08
Last modified on : 26-01-2024 16:33:07

Description :
A vulnerability has been found in Tenda AC10U 15.03.06.49_multi_TDE01 and classified as critical. This vulnerability affects the function formSetVirtualSer. The manipulation of the argument list leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-252130 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0925
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://github.com/yaoyue123/iot/blob/main/Tenda/AC10U/formSetVirtualSer.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252130 | source : cna@vuldb.com
https://vuldb.com/?id.252130 | source : cna@vuldb.com

Vulnerability : CWE-121


Vulnerability ID : CVE-2024-0926

First published on : 26-01-2024 15:15:08
Last modified on : 26-01-2024 16:33:07

Description :
A vulnerability was found in Tenda AC10U 15.03.06.49_multi_TDE01 and classified as critical. This issue affects the function formWifiWpsOOB. The manipulation of the argument index leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252131. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0926
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://github.com/yaoyue123/iot/blob/main/Tenda/AC10U/formWifiWpsOOB.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252131 | source : cna@vuldb.com
https://vuldb.com/?id.252131 | source : cna@vuldb.com

Vulnerability : CWE-121


Vulnerability ID : CVE-2024-0927

First published on : 26-01-2024 15:15:09
Last modified on : 26-01-2024 16:33:07

Description :
A vulnerability was found in Tenda AC10U 15.03.06.49_multi_TDE01. It has been classified as critical. Affected is the function fromAddressNat. The manipulation of the argument entrys/mitInterface/page leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252132. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0927
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://github.com/yaoyue123/iot/blob/main/Tenda/AC10U/fromAddressNat_1.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252132 | source : cna@vuldb.com
https://vuldb.com/?id.252132 | source : cna@vuldb.com

Vulnerability : CWE-121


Vulnerability ID : CVE-2024-0928

First published on : 26-01-2024 16:15:21
Last modified on : 26-01-2024 16:33:07

Description :
A vulnerability was found in Tenda AC10U 15.03.06.49_multi_TDE01. It has been declared as critical. Affected by this vulnerability is the function fromDhcpListClient. The manipulation of the argument page/listN leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252133 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0928
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://github.com/yaoyue123/iot/blob/main/Tenda/AC10U/fromDhcpListClient_1.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252133 | source : cna@vuldb.com
https://vuldb.com/?id.252133 | source : cna@vuldb.com

Vulnerability : CWE-121


Vulnerability ID : CVE-2024-0929

First published on : 26-01-2024 16:15:22
Last modified on : 26-01-2024 16:33:07

Description :
A vulnerability was found in Tenda AC10U 15.03.06.49_multi_TDE01. It has been rated as critical. Affected by this issue is the function fromNatStaticSetting. The manipulation of the argument page leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252134 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0929
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://github.com/yaoyue123/iot/blob/main/Tenda/AC10U/fromNatStaticSetting.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252134 | source : cna@vuldb.com
https://vuldb.com/?id.252134 | source : cna@vuldb.com

Vulnerability : CWE-121


Vulnerability ID : CVE-2024-0930

First published on : 26-01-2024 16:15:22
Last modified on : 26-01-2024 16:33:07

Description :
A vulnerability classified as critical has been found in Tenda AC10U 15.03.06.49_multi_TDE01. This affects the function fromSetWirelessRepeat. The manipulation of the argument wpapsk_crypto leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252135. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0930
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://github.com/yaoyue123/iot/blob/main/Tenda/AC10U/fromSetWirelessRepeat.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252135 | source : cna@vuldb.com
https://vuldb.com/?id.252135 | source : cna@vuldb.com

Vulnerability : CWE-121


Vulnerability ID : CVE-2024-0931

First published on : 26-01-2024 17:15:10
Last modified on : 26-01-2024 18:29:26

Description :
A vulnerability classified as critical was found in Tenda AC10U 15.03.06.49_multi_TDE01. This vulnerability affects the function saveParentControlInfo. The manipulation of the argument deviceId/time/urls leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252136. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0931
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://github.com/yaoyue123/iot/blob/main/Tenda/AC10U/saveParentControlInfo_1.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252136 | source : cna@vuldb.com
https://vuldb.com/?id.252136 | source : cna@vuldb.com

Vulnerability : CWE-121


Vulnerability ID : CVE-2024-0932

First published on : 26-01-2024 17:15:11
Last modified on : 26-01-2024 18:29:26

Description :
A vulnerability, which was classified as critical, has been found in Tenda AC10U 15.03.06.49_multi_TDE01. This issue affects the function setSmartPowerManagement. The manipulation of the argument time leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252137 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0932
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://github.com/yaoyue123/iot/blob/main/Tenda/AC10U/setSmartPowerManagement.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252137 | source : cna@vuldb.com
https://vuldb.com/?id.252137 | source : cna@vuldb.com

Vulnerability : CWE-121


Source : cisco.com

Vulnerability ID : CVE-2024-20263

First published on : 26-01-2024 18:15:11
Last modified on : 26-01-2024 18:29:26

Description :
A vulnerability with the access control list (ACL) management within a stacked switch configuration of Cisco Business 250 Series Smart Switches and Business 350 Series Managed Switches could allow an unauthenticated, remote attacker to bypass protection offered by a configured ACL on an affected device. This vulnerability is due to incorrect processing of ACLs on a stacked configuration when either the primary or backup switches experience a full stack reload or power cycle. An attacker could exploit this vulnerability by sending crafted traffic through an affected device. A successful exploit could allow the attacker to bypass configured ACLs, causing traffic to be dropped or forwarded in an unexpected manner. The attacker does not have control over the conditions that result in the device being in the vulnerable state. Note: In the vulnerable state, the ACL would be correctly applied on the primary devices but could be incorrectly applied to the backup devices.

CVE ID : CVE-2024-20263
Source : ykramarz@cisco.com
CVSS Score : 5.8

References :
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-bus-acl-bypass-5zn9hNJk | source : ykramarz@cisco.com


Vulnerability ID : CVE-2024-20305

First published on : 26-01-2024 18:15:11
Last modified on : 26-01-2024 18:29:26

Description :
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

CVE ID : CVE-2024-20305
Source : ykramarz@cisco.com
CVSS Score : 4.8

References :
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuc-xss-9TFuu5MS | source : ykramarz@cisco.com


Source : flexerasoftware.com

Vulnerability ID : CVE-2023-29081

First published on : 26-01-2024 20:15:54
Last modified on : 26-01-2024 20:15:54

Description :
A vulnerability has been reported in Suite Setups built with versions prior to InstallShield 2023 R2. This vulnerability may allow locally authenticated users to cause a Denial of Service (DoS) condition when handling move operations on local, temporary folders.

CVE ID : CVE-2023-29081
Source : PSIRT-CNA@flexerasoftware.com
CVSS Score : 5.5

References :
https://community.flexera.com/t5/InstallShield-Knowledge-Base/CVE-2023-29081-InstallShield-Symlink-Vulnerability-Affecting/ta-p/305052 | source : PSIRT-CNA@flexerasoftware.com

Vulnerability : CWE-276


Source : microsoft.com

Vulnerability ID : CVE-2024-21387

First published on : 26-01-2024 01:15:10
Last modified on : 26-01-2024 13:51:45

Description :
Microsoft Edge for Android Spoofing Vulnerability

CVE ID : CVE-2024-21387
Source : secure@microsoft.com
CVSS Score : 5.3

References :
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21387 | source : secure@microsoft.com


Vulnerability ID : CVE-2024-21382

First published on : 26-01-2024 01:15:10
Last modified on : 26-01-2024 13:51:45

Description :
Microsoft Edge for Android Information Disclosure Vulnerability

CVE ID : CVE-2024-21382
Source : secure@microsoft.com
CVSS Score : 4.3

References :
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21382 | source : secure@microsoft.com


Source : github.com

Vulnerability ID : CVE-2024-23820

First published on : 26-01-2024 17:15:13
Last modified on : 26-01-2024 18:29:26

Description :
OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to `ListObjects` may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an `out of memory` error and terminate. Version 1.4.3 contains a patch for this issue.

CVE ID : CVE-2024-23820
Source : security-advisories@github.com
CVSS Score : 5.3

References :
https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39 | source : security-advisories@github.com
https://github.com/openfga/openfga/releases/tag/v1.4.3 | source : security-advisories@github.com
https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87 | source : security-advisories@github.com

Vulnerability : CWE-770


(6) LOW VULNERABILITIES [0.1, 3.9]

Source : vuldb.com

Vulnerability ID : CVE-2024-0942

First published on : 26-01-2024 20:15:54
Last modified on : 26-01-2024 20:15:54

Description :
A vulnerability was found in Totolink N200RE V5 9.3.5u.6255_B20211224. It has been classified as problematic. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. VDB-252186 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0942
Source : cna@vuldb.com
CVSS Score : 3.7

References :
https://drive.google.com/file/d/1oWAGbmDtHDIUN1WSRAh4ZnuzHOuvTU4T/view?usp=sharing | source : cna@vuldb.com
https://vuldb.com/?ctiid.252186 | source : cna@vuldb.com
https://vuldb.com/?id.252186 | source : cna@vuldb.com
https://youtu.be/b0tU2CiLbnU | source : cna@vuldb.com

Vulnerability : CWE-613


Vulnerability ID : CVE-2024-0943

First published on : 26-01-2024 20:15:54
Last modified on : 26-01-2024 20:15:54

Description :
A vulnerability was found in Totolink N350RT 9.3.5u.6255. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252187. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0943
Source : cna@vuldb.com
CVSS Score : 3.7

References :
https://drive.google.com/file/d/1OBs4kc1KvbqrMhQHs54WtwxxxiBoI0hL/view?usp=sharing | source : cna@vuldb.com
https://vuldb.com/?ctiid.252187 | source : cna@vuldb.com
https://vuldb.com/?id.252187 | source : cna@vuldb.com

Vulnerability : CWE-613


Vulnerability ID : CVE-2024-0944

First published on : 26-01-2024 20:15:54
Last modified on : 26-01-2024 20:15:54

Description :
A vulnerability was found in Totolink T8 4.1.5cu.833_20220905. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252188. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0944
Source : cna@vuldb.com
CVSS Score : 3.7

References :
https://drive.google.com/file/d/1YPisSnxM5CwSLKFgs9w5k5MtNUgiijVo/view?usp=sharing | source : cna@vuldb.com
https://vuldb.com/?ctiid.252188 | source : cna@vuldb.com
https://vuldb.com/?id.252188 | source : cna@vuldb.com

Vulnerability : CWE-613


Vulnerability ID : CVE-2024-0948

First published on : 26-01-2024 22:15:11
Last modified on : 26-01-2024 22:15:11

Description :
A vulnerability, which was classified as problematic, has been found in NetBox up to 3.7.0. This issue affects some unknown processing of the file /core/config-revisions of the component Home Page Configuration. The manipulation with the input <<h1 onload=alert(1)>>test</h1> leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252191. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-0948
Source : cna@vuldb.com
CVSS Score : 2.4

References :
https://drive.google.com/file/d/1tcgyzu9Fh3AMG0INR0EdOR7ZjWmBK0ZR/view?usp=sharing | source : cna@vuldb.com
https://vuldb.com/?ctiid.252191 | source : cna@vuldb.com
https://vuldb.com/?id.252191 | source : cna@vuldb.com

Vulnerability : CWE-79


Source : microsoft.com

Vulnerability ID : CVE-2024-21383

First published on : 26-01-2024 01:15:10
Last modified on : 26-01-2024 13:51:45

Description :
Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE ID : CVE-2024-21383
Source : secure@microsoft.com
CVSS Score : 3.3

References :
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21383 | source : secure@microsoft.com


Vulnerability ID : CVE-2024-21336

First published on : 26-01-2024 18:15:12
Last modified on : 26-01-2024 18:29:26

Description :
Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE ID : CVE-2024-21336
Source : secure@microsoft.com
CVSS Score : 2.5

References :
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21336 | source : secure@microsoft.com


(20) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : mitre.org

Vulnerability ID : CVE-2023-38317

First published on : 26-01-2024 05:15:11
Last modified on : 26-01-2024 13:51:45

Description :
An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the network interface name entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.

CVE ID : CVE-2023-38317
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/openNDS/openNDS/blob/master/ChangeLog | source : cve@mitre.org
https://github.com/openNDS/openNDS/releases/tag/v10.1.3 | source : cve@mitre.org
https://openwrt.org/docs/guide-user/services/captive-portal/opennds | source : cve@mitre.org
https://www.forescout.com/resources/sierra21-vulnerabilities | source : cve@mitre.org


Vulnerability ID : CVE-2023-38318

First published on : 26-01-2024 05:15:11
Last modified on : 26-01-2024 13:51:45

Description :
An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the gateway FQDN entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.

CVE ID : CVE-2023-38318
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/openNDS/openNDS/blob/master/ChangeLog | source : cve@mitre.org
https://github.com/openNDS/openNDS/releases/tag/v10.1.3 | source : cve@mitre.org
https://openwrt.org/docs/guide-user/services/captive-portal/opennds | source : cve@mitre.org
https://www.forescout.com/resources/sierra21-vulnerabilities | source : cve@mitre.org


Vulnerability ID : CVE-2023-38319

First published on : 26-01-2024 05:15:12
Last modified on : 26-01-2024 13:51:45

Description :
An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the FAS key entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.

CVE ID : CVE-2023-38319
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/openNDS/openNDS/blob/master/ChangeLog | source : cve@mitre.org
https://github.com/openNDS/openNDS/releases/tag/v10.1.3 | source : cve@mitre.org
https://openwrt.org/docs/guide-user/services/captive-portal/opennds | source : cve@mitre.org
https://www.forescout.com/resources/sierra21-vulnerabilities | source : cve@mitre.org


Vulnerability ID : CVE-2023-38323

First published on : 26-01-2024 05:15:12
Last modified on : 26-01-2024 13:51:45

Description :
An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the status path script entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.

CVE ID : CVE-2023-38323
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/openNDS/openNDS/blob/master/ChangeLog | source : cve@mitre.org
https://github.com/openNDS/openNDS/releases/tag/v10.1.3 | source : cve@mitre.org
https://openwrt.org/docs/guide-user/services/captive-portal/opennds | source : cve@mitre.org
https://www.forescout.com/resources/sierra21-vulnerabilities | source : cve@mitre.org


Vulnerability ID : CVE-2023-48126

First published on : 26-01-2024 07:15:56
Last modified on : 26-01-2024 13:51:45

Description :
An issue in Luxe Beauty Clinic mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE ID : CVE-2023-48126
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/Luxe%20Beauty%20Clinic.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-48127

First published on : 26-01-2024 07:15:56
Last modified on : 26-01-2024 13:51:45

Description :
An issue in myGAKUYA mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE ID : CVE-2023-48127
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/myGAKUYA.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-48128

First published on : 26-01-2024 07:15:57
Last modified on : 26-01-2024 13:51:45

Description :
An issue in UNITED BOXING GYM mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE ID : CVE-2023-48128
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/UNITED%20BOXING%20GYM.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-48130

First published on : 26-01-2024 07:15:57
Last modified on : 26-01-2024 13:51:45

Description :
An issue in GINZA CAFE mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE ID : CVE-2023-48130
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/GINZA%20CAFE.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-48131

First published on : 26-01-2024 07:15:57
Last modified on : 26-01-2024 13:51:45

Description :
An issue in CHIGASAKI BAKERY mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE ID : CVE-2023-48131
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/CHIGASAKI%20BAKERY.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-48132

First published on : 26-01-2024 07:15:58
Last modified on : 26-01-2024 13:51:45

Description :
An issue in kosei entertainment esportsstudioLegends mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE ID : CVE-2023-48132
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/esportsstudioLegends.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-48133

First published on : 26-01-2024 07:15:58
Last modified on : 26-01-2024 13:51:45

Description :
An issue in angel coffee mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE ID : CVE-2023-48133
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/angel%20coffee.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-48135

First published on : 26-01-2024 07:15:58
Last modified on : 26-01-2024 13:51:45

Description :
An issue in mimasaka_farm mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE ID : CVE-2023-48135
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/mimasaka_farm.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-48129

First published on : 26-01-2024 08:15:42
Last modified on : 26-01-2024 13:51:45

Description :
An issue in kimono-oldnew mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE ID : CVE-2023-48129
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/kimono-oldnew.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-22545

First published on : 26-01-2024 08:15:42
Last modified on : 26-01-2024 13:51:45

Description :
TRENDnet TEW-824DRU version 1.04b01 is vulnerable to Command Injection via the system.ntp.server in the sub_420AE0() function.

CVE ID : CVE-2024-22545
Source : cve@mitre.org
CVSS Score : /

References :
https://warp-desk-89d.notion.site/TEW-824DRU-e7228d462ce24fa1a9fecb0bee57caad | source : cve@mitre.org


Vulnerability ID : CVE-2022-48622

First published on : 26-01-2024 09:15:07
Last modified on : 26-01-2024 13:51:45

Description :
In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.

CVE ID : CVE-2022-48622
Source : cve@mitre.org
CVSS Score : /

References :
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/202 | source : cve@mitre.org


Vulnerability ID : CVE-2024-22550

First published on : 26-01-2024 15:15:09
Last modified on : 26-01-2024 16:33:07

Description :
An arbitrary file upload vulnerability in the component /alsdemo/ss/mediam.cgi of ShopSite v14.0 allows attackers to execute arbitrary code via uploading a crafted SVG file.

CVE ID : CVE-2024-22550
Source : cve@mitre.org
CVSS Score : /

References :
https://packetstormsecurity.com/files/176312/ShopSite-14.0-Cross-Site-Scripting.html | source : cve@mitre.org


Vulnerability ID : CVE-2024-22551

First published on : 26-01-2024 15:15:09
Last modified on : 26-01-2024 16:33:07

Description :
WhatACart v2.0.7 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /site/default/search.

CVE ID : CVE-2024-22551
Source : cve@mitre.org
CVSS Score : /

References :
https://packetstormsecurity.com/files/176314/WhatACart-2.0.7-Cross-Site-Scripting.html | source : cve@mitre.org


Source : jpcert.or.jp

Vulnerability ID : CVE-2024-23388

First published on : 26-01-2024 07:15:59
Last modified on : 26-01-2024 13:51:45

Description :
Improper authorization in handler for custom URL scheme issue in "Mercari" App for Android prior to version 5.78.0 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.

CVE ID : CVE-2024-23388
Source : vultures@jpcert.or.jp
CVSS Score : /

References :
https://jvn.jp/en/jp/JVN70818619/ | source : vultures@jpcert.or.jp


Source : openssl.org

Vulnerability ID : CVE-2024-0727

First published on : 26-01-2024 09:15:07
Last modified on : 26-01-2024 13:51:45

Description :
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack.
Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However, since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

CVE ID : CVE-2024-0727
Source : openssl-security@openssl.org
CVSS Score : /

References :
https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2 | source : openssl-security@openssl.org
https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a | source : openssl-security@openssl.org
https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c | source : openssl-security@openssl.org
https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8 | source : openssl-security@openssl.org
https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539 | source : openssl-security@openssl.org
https://www.openssl.org/news/secadv/20240125.txt | source : openssl-security@openssl.org


Source : wordfence.com

Vulnerability ID : CVE-2023-6470

First published on : 26-01-2024 21:15:08
Last modified on : 26-01-2024 21:15:08

Description :
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.

CVE ID : CVE-2023-6470
Source : security@wordfence.com
CVSS Score : /

References :


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports