Latest vulnerabilities [Monday, February 19, 2024 + weekend]

Latest vulnerabilities [Monday, February 19, 2024 + weekend]
{{titre}}

Last update performed on 02/19/2024 at 11:57:07 PM

(6) CRITICAL VULNERABILITIES [9.0, 10.0]

Source : f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Vulnerability ID : CVE-2024-1597

First published on : 19-02-2024 13:15:07
Last modified on : 19-02-2024 13:15:07

Description :
pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.

CVE ID : CVE-2024-1597
Source : f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
CVSS Score : 10.0

References :
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56 | source : f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Vulnerability : CWE-89


Source : wordfence.com

Vulnerability ID : CVE-2024-0610

First published on : 17-02-2024 08:15:07
Last modified on : 17-02-2024 08:15:07

Description :
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'MerchantReference' parameter in all versions up to, and including, 1.6.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE ID : CVE-2024-0610
Source : security@wordfence.com
CVSS Score : 9.8

References :
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3035641%40woo-payment-gateway-for-piraeus-bank&new=3035641%40woo-payment-gateway-for-piraeus-bank&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/f17c4748-2a95-495c-ad3b-86b272855791?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1512

First published on : 17-02-2024 08:15:08
Last modified on : 17-02-2024 08:15:08

Description :
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE ID : CVE-2024-1512
Source : security@wordfence.com
CVSS Score : 9.8

References :
https://plugins.trac.wordpress.org/changeset/3036794/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/models/StmStatistics.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/d6b6d824-51d3-4da9-a39a-b957368df4dc?source=cve | source : security@wordfence.com


Source : github.com

Vulnerability ID : CVE-2023-50257

First published on : 19-02-2024 20:15:45
Last modified on : 19-02-2024 20:15:45

Description :
eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Even with the application of SROS2, due to the issue where the data (`p[UD]`) and `guid` values used to disconnect between nodes are not encrypted, a vulnerability has been discovered where a malicious attacker can forcibly disconnect a Subscriber and can deny a Subscriber attempting to connect. Afterwards, if the attacker sends the packet for disconnecting, which is data (`p[UD]`), to the Global Data Space (`239.255.0.1:7400`) using the said Publisher ID, all the Subscribers (Listeners) connected to the Publisher (Talker) will not receive any data and their connection will be disconnected. Moreover, if this disconnection packet is sent continuously, the Subscribers (Listeners) trying to connect will not be able to do so. Since the initial commit of the `SecurityManager.cpp` code (`init`, `on_process_handshake`) on Nov 8, 2016, the Disconnect Vulnerability in RTPS Packets Used by SROS2 has been present prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7.

CVE ID : CVE-2023-50257
Source : security-advisories@github.com
CVSS Score : 9.6

References :
https://github.com/eProsima/Fast-DDS/commit/072cbc9d6a71d869a5cbed1873c0cdd6cf67cda4 | source : security-advisories@github.com
https://github.com/eProsima/Fast-DDS/commit/e1869863c06db7fbb366ae53760fbe6e754be026 | source : security-advisories@github.com
https://github.com/eProsima/Fast-DDS/commit/f07a0213e655202188840b864be4438ae1067a13 | source : security-advisories@github.com
https://github.com/eProsima/Fast-DDS/commit/f2e5ceae8fbea0a6c9445a366faaca0b98a8ef86 | source : security-advisories@github.com
https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-v5r6-8mvh-cp98 | source : security-advisories@github.com

Vulnerability : CWE-284


Source : rockwellautomation.com

Vulnerability ID : CVE-2024-21915

First published on : 16-02-2024 19:15:08
Last modified on : 16-02-2024 19:26:55

Description :
A privilege escalation vulnerability exists in Rockwell Automation FactoryTalk® Service Platform (FTSP). If exploited, a malicious user with basic user group privileges could potentially sign into the software and receive FTSP Administrator Group privileges. A threat actor could potentially read and modify sensitive data, delete data and render the FTSP system unavailable.

CVE ID : CVE-2024-21915
Source : PSIRT@rockwellautomation.com
CVSS Score : 9.0

References :
https://www.rockwellautomation.com/en-us/support/advisory.SD1662.html | source : PSIRT@rockwellautomation.com

Vulnerability : CWE-732


Source : 57dba5dd-1a03-47f6-8b36-e84e47d335d8

Vulnerability ID : CVE-2023-6260

First published on : 19-02-2024 22:15:48
Last modified on : 19-02-2024 22:15:48

Description :
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Brivo ACS100, ACS300 allows OS Command Injection, Bypassing Physical Security.This issue affects ACS100 (Network Adjacent Access), ACS300 (Physical Access): from 5.2.4 before 6.2.4.3.

CVE ID : CVE-2023-6260
Source : 57dba5dd-1a03-47f6-8b36-e84e47d335d8
CVSS Score : 9.0

References :
https://sra.io/advisories/ | source : 57dba5dd-1a03-47f6-8b36-e84e47d335d8

Vulnerability : CWE-78


(25) HIGH VULNERABILITIES [7.0, 8.9]

Source : oracle.com

Vulnerability ID : CVE-2024-20953

First published on : 17-02-2024 02:15:49
Last modified on : 17-02-2024 02:15:49

Description :
Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Export). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVE ID : CVE-2024-20953
Source : secalert_us@oracle.com
CVSS Score : 8.8

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20927

First published on : 17-02-2024 02:15:47
Last modified on : 17-02-2024 02:15:47

Description :
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 8.6 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N).

CVE ID : CVE-2024-20927
Source : secalert_us@oracle.com
CVSS Score : 8.6

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20909

First published on : 17-02-2024 02:15:45
Last modified on : 17-02-2024 02:15:45

Description :
Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Supported versions that are affected are 20.1-20.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Audit Vault and Database Firewall. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Audit Vault and Database Firewall accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE ID : CVE-2024-20909
Source : secalert_us@oracle.com
CVSS Score : 7.5

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20917

First published on : 17-02-2024 02:15:46
Last modified on : 17-02-2024 02:15:46

Description :
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Log Management). The supported version that is affected is 13.5.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L).

CVE ID : CVE-2024-20917
Source : secalert_us@oracle.com
CVSS Score : 7.5

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20931

First published on : 17-02-2024 02:15:47
Last modified on : 17-02-2024 02:15:47

Description :
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVE ID : CVE-2024-20931
Source : secalert_us@oracle.com
CVSS Score : 7.5

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20956

First published on : 17-02-2024 02:15:49
Last modified on : 17-02-2024 02:15:49

Description :
Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Installation). Supported versions that are affected are Prior to 6.2.4.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Agile Product Lifecycle Management for Process accessible data as well as unauthorized read access to a subset of Oracle Agile Product Lifecycle Management for Process accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

CVE ID : CVE-2024-20956
Source : secalert_us@oracle.com
CVSS Score : 7.3

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Source : github.com

Vulnerability ID : CVE-2024-25626

First published on : 19-02-2024 20:15:45
Last modified on : 19-02-2024 20:15:45

Description :
Yocto Project is an open source collaboration project that helps developers create custom Linux-based systems regardless of the hardware architecture. In Yocto Projects Bitbake before 2.6.2 (before and included Yocto Project 4.3.1), with the Toaster server (included in bitbake) running, missing input validation allows an attacker to perform a remote code execution in the server's shell via a crafted HTTP request. Authentication is not necessary. Toaster server execution has to be specifically run and is not the default for Bitbake command line builds, it is only used for the Toaster web based user interface to Bitbake. The fix has been backported to the bitbake included with Yocto Project 5.0, 3.1.31, 4.0.16, and 4.3.2.

CVE ID : CVE-2024-25626
Source : security-advisories@github.com
CVSS Score : 8.8

References :
https://github.com/yoctoproject/poky/security/advisories/GHSA-75xw-78mm-72r4 | source : security-advisories@github.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2024-25635

First published on : 19-02-2024 20:15:45
Last modified on : 19-02-2024 20:15:45

Description :
alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, organization owners can view the generated API KEY and USERS of other organization owners using the `http://192.168.26.128:8080/admin/api/users/<user_id>` endpoint, which exposes the details of the provided user ID. This may also expose the API KEY in the username of the user. Version 2.0-M4-2402 fixes this issue.

CVE ID : CVE-2024-25635
Source : security-advisories@github.com
CVSS Score : 8.8

References :
https://github.com/alfio-event/alf.io/security/advisories/GHSA-ffr5-g3qg-gp4f | source : security-advisories@github.com

Vulnerability : CWE-612


Vulnerability ID : CVE-2024-25623

First published on : 19-02-2024 16:15:51
Last modified on : 19-02-2024 16:15:51

Description :
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue.

CVE ID : CVE-2024-25623
Source : security-advisories@github.com
CVSS Score : 8.5

References :
https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022 | source : security-advisories@github.com
https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36 | source : security-advisories@github.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2024-25625

First published on : 19-02-2024 16:15:52
Last modified on : 19-02-2024 16:15:52

Description :
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, specifically in the way `$loginUrl` trusts user input. The host header from incoming HTTP requests is used unsafely when generating URLs. An attacker can manipulate the HTTP host header in requests to the /admin/user/invitationlink endpoint, resulting in the generation of URLs with the attacker's domain. In fact, if a host header is injected in the POST request, the $loginURL parameter is constructed with this unvalidated host header. It is then used to send an invitation email to the provided user. This vulnerability can be used to perform phishing attacks by making the URLs in the invitation links emails point to an attacker-controlled domain. Version 1.3.4 contains a patch for the vulnerability. The maintainers recommend validating the host header and ensuring it matches the application's domain. It would also be beneficial to use a default trusted host or hostname if the incoming host header is not recognized or is absent.

CVE ID : CVE-2024-25625
Source : security-advisories@github.com
CVSS Score : 8.1

References :
https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82 | source : security-advisories@github.com
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx | source : security-advisories@github.com

Vulnerability : CWE-74


Vulnerability ID : CVE-2024-25628

First published on : 16-02-2024 21:15:08
Last modified on : 16-02-2024 21:39:50

Description :
Alf.io is a free and open source event attendance management system. In versions prior to 2.0-M4-2402 users can access the admin area even after being invalidated/deleted. This issue has been addressed in version 2.0-M4-2402. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-25628
Source : security-advisories@github.com
CVSS Score : 7.6

References :
https://github.com/alfio-event/alf.io/security/advisories/GHSA-8p6m-mm22-q893 | source : security-advisories@github.com

Vulnerability : CWE-613


Vulnerability ID : CVE-2024-25634

First published on : 19-02-2024 20:15:45
Last modified on : 19-02-2024 20:15:45

Description :
alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, an attacker can access data from other organizers. The attacker can use a specially crafted request to receive the e-mail log sent by other events. Version 2.0-M4-2402 fixes this issue.

CVE ID : CVE-2024-25634
Source : security-advisories@github.com
CVSS Score : 7.2

References :
https://github.com/alfio-event/alf.io/security/advisories/GHSA-5wcv-pjc6-mxvv | source : security-advisories@github.com

Vulnerability : CWE-497


Vulnerability ID : CVE-2024-25636

First published on : 19-02-2024 20:15:46
Last modified on : 19-02-2024 20:15:46

Description :
Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue.

CVE ID : CVE-2024-25636
Source : security-advisories@github.com
CVSS Score : 7.1

References :
https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119 | source : security-advisories@github.com
https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308 | source : security-advisories@github.com
https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143 | source : security-advisories@github.com
https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a | source : security-advisories@github.com
https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32 | source : security-advisories@github.com

Vulnerability : CWE-434


Source : themissinglink.com.au

Vulnerability ID : CVE-2023-6451

First published on : 16-02-2024 04:15:08
Last modified on : 16-02-2024 13:37:51

Description :
Publicly known cryptographic machine key in AlayaCare's Procura Portal before 9.0.1.2 allows attackers to forge their own authentication cookies and bypass the application's authentication mechanisms.

CVE ID : CVE-2023-6451
Source : vdp@themissinglink.com.au
CVSS Score : 8.6

References :
https://www.themissinglink.com.au/security-advisories/cve-2023-6451 | source : vdp@themissinglink.com.au

Vulnerability : CWE-1394


Source : 0fc0942c-577d-436f-ae8e-945763c79b02

Vulnerability ID : CVE-2024-21775

First published on : 16-02-2024 15:15:08
Last modified on : 16-02-2024 19:26:55

Description :
Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to the Authenticated SQL injection in report exporting feature.

CVE ID : CVE-2024-21775
Source : 0fc0942c-577d-436f-ae8e-945763c79b02
CVSS Score : 8.3

References :
https://www.manageengine.com/products/exchange-reports/advisory/CVE-2024-21775.html | source : 0fc0942c-577d-436f-ae8e-945763c79b02


Source : zephyrproject.org

Vulnerability ID : CVE-2024-1638

First published on : 19-02-2024 22:15:48
Last modified on : 19-02-2024 22:15:48

Description :
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characteristic: Attribute read/write permission with LE Secure Connection encryption. If set, requires that LE Secure Connections is used for read/write access, however this is only true when it is combined with other permissions, namely BT_GATT_PERM_READ_ENCRYPT/BT_GATT_PERM_READ_AUTHEN (for read) or BT_GATT_PERM_WRITE_ENCRYPT/BT_GATT_PERM_WRITE_AUTHEN (for write), if these additional permissions are not set (even in secure connections only mode) then the stack does not perform any permission checks on these characteristics and they can be freely written/read.

CVE ID : CVE-2024-1638
Source : vulnerabilities@zephyrproject.org
CVSS Score : 8.2

References :
https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p6f3-f63q-5mc2 | source : vulnerabilities@zephyrproject.org

Vulnerability : CWE-20


Vulnerability ID : CVE-2023-6749

First published on : 18-02-2024 07:15:10
Last modified on : 18-02-2024 07:15:10

Description :
Unchecked length coming from user input in settings shell

CVE ID : CVE-2023-6749
Source : vulnerabilities@zephyrproject.org
CVSS Score : 8.0

References :
https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-757h-rw37-66hw | source : vulnerabilities@zephyrproject.org

Vulnerability : CWE-121


Vulnerability ID : CVE-2023-6249

First published on : 18-02-2024 08:15:07
Last modified on : 18-02-2024 08:15:07

Description :
Signed to unsigned conversion esp32_ipm_send

CVE ID : CVE-2023-6249
Source : vulnerabilities@zephyrproject.org
CVSS Score : 8.0

References :
https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-32f5-3p9h-2rqc | source : vulnerabilities@zephyrproject.org

Vulnerability : CWE-704


Source : apache.org

Vulnerability ID : CVE-2024-25710

First published on : 19-02-2024 09:15:37
Last modified on : 19-02-2024 11:15:09

Description :
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

CVE ID : CVE-2024-25710
Source : security@apache.org
CVSS Score : 8.1

References :
http://www.openwall.com/lists/oss-security/2024/02/19/1 | source : security@apache.org
https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf | source : security@apache.org

Vulnerability : CWE-835


Source : 57dba5dd-1a03-47f6-8b36-e84e47d335d8

Vulnerability ID : CVE-2023-6259

First published on : 19-02-2024 22:15:48
Last modified on : 19-02-2024 22:15:48

Description :
Insufficiently Protected Credentials, : Improper Access Control vulnerability in Brivo ACS100, ACS300 allows Password Recovery Exploitation, Bypassing Physical Security.This issue affects ACS100, ACS300: from 5.2.4 before 6.2.4.3.

CVE ID : CVE-2023-6259
Source : 57dba5dd-1a03-47f6-8b36-e84e47d335d8
CVSS Score : 7.6

References :
https://sra.io/advisories/ | source : 57dba5dd-1a03-47f6-8b36-e84e47d335d8

Vulnerability : CWE-284
Vulnerability : CWE-522


Source : us.ibm.com

Vulnerability ID : CVE-2022-41738

First published on : 17-02-2024 17:15:07
Last modified on : 17-02-2024 17:15:07

Description :
IBM Storage Scale Container Native Storage Access 5.1.2.1 -through 5.1.7.0 could allow an attacker to initiate connections to containers from external networks. IBM X-Force ID: 237812.

CVE ID : CVE-2022-41738
Source : psirt@us.ibm.com
CVSS Score : 7.5

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/237812 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7095312 | source : psirt@us.ibm.com

Vulnerability : CWE-287


Vulnerability ID : CVE-2022-41737

First published on : 17-02-2024 17:15:07
Last modified on : 17-02-2024 17:15:07

Description :
IBM Storage Scale Container Native Storage Access 5.1.2.1 through 5.1.7.0 could allow a local attacker to initiate connections from a container outside the current namespace. IBM X-Force ID: 237811.

CVE ID : CVE-2022-41737
Source : psirt@us.ibm.com
CVSS Score : 7.1

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/237811 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7095312 | source : psirt@us.ibm.com

Vulnerability : CWE-287


Source : puiterwijk.org

Vulnerability ID : CVE-2024-25978

First published on : 19-02-2024 17:15:08
Last modified on : 19-02-2024 17:15:08

Description :
Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.

CVE ID : CVE-2024-25978
Source : patrick@puiterwijk.org
CVSS Score : 7.5

References :
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74641 | source : patrick@puiterwijk.org
https://bugzilla.redhat.com/show_bug.cgi?id=2264074 | source : patrick@puiterwijk.org
https://moodle.org/mod/forum/discuss.php?d=455634 | source : patrick@puiterwijk.org

Vulnerability : CWE-400


Source : redhat.com

Vulnerability ID : CVE-2024-1635

First published on : 19-02-2024 22:15:48
Last modified on : 19-02-2024 22:15:48

Description :
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.

CVE ID : CVE-2024-1635
Source : secalert@redhat.com
CVSS Score : 7.5

References :
https://access.redhat.com/security/cve/CVE-2024-1635 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2264928 | source : secalert@redhat.com

Vulnerability : CWE-400


Source : emc.com

Vulnerability ID : CVE-2024-22426

First published on : 16-02-2024 12:15:08
Last modified on : 16-02-2024 13:37:51

Description :
Dell RecoverPoint for Virtual Machines 5.3.x contains an OS Command injection vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to execute arbitrary operating system commands, which will get executed in the context of the root user, resulting in a complete system compromise.

CVE ID : CVE-2024-22426
Source : security_alert@emc.com
CVSS Score : 7.2

References :
https://www.dell.com/support/kbdoc/en-us/000222133/dsa-2024-092-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-434


(65) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : incibe.es

Vulnerability ID : CVE-2024-1344

First published on : 19-02-2024 12:15:44
Last modified on : 19-02-2024 12:15:44

Description :
Encrypted database credentials in LaborOfficeFree affecting version 19.10. This vulnerability allows an attacker to read and extract the username and password from the database of 'LOF_service.exe' and 'LaborOfficeFree.exe' located in the '%programfiles(x86)%\LaborOfficeFree\' directory. This user can log in remotely and has root-like privileges.

CVE ID : CVE-2024-1344
Source : cve-coordination@incibe.es
CVSS Score : 6.8

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-laborofficefree | source : cve-coordination@incibe.es

Vulnerability : CWE-798


Vulnerability ID : CVE-2024-1345

First published on : 19-02-2024 12:15:44
Last modified on : 19-02-2024 12:15:44

Description :
Weak MySQL database root password in LaborOfficeFree affects version 19.10. This vulnerability allows an attacker to perform a brute force attack and easily discover the root password.

CVE ID : CVE-2024-1345
Source : cve-coordination@incibe.es
CVSS Score : 6.8

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-laborofficefree | source : cve-coordination@incibe.es

Vulnerability : CWE-521


Vulnerability ID : CVE-2024-1346

First published on : 19-02-2024 12:15:45
Last modified on : 19-02-2024 12:15:45

Description :
Weak MySQL database root password in LaborOfficeFree affects version 19.10. This vulnerability allows an attacker to calculate the root password of the MySQL database used by LaborOfficeFree using two constants.

CVE ID : CVE-2024-1346
Source : cve-coordination@incibe.es
CVSS Score : 6.8

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-laborofficefree | source : cve-coordination@incibe.es

Vulnerability : CWE-521


Vulnerability ID : CVE-2024-1343

First published on : 19-02-2024 12:15:44
Last modified on : 19-02-2024 12:15:44

Description :
A weak permission was found in the backup directory in LaborOfficeFree affecting version 19.10. This vulnerability allows any authenticated user to read backup files in the directory '%programfiles(x86)% LaborOfficeFree BackUp'.

CVE ID : CVE-2024-1343
Source : cve-coordination@incibe.es
CVSS Score : 4.7

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-laborofficefree | source : cve-coordination@incibe.es

Vulnerability : CWE-284


Source : emc.com

Vulnerability ID : CVE-2024-22425

First published on : 16-02-2024 12:15:07
Last modified on : 16-02-2024 13:37:51

Description :
Dell RecoverPoint for Virtual Machines 5.3.x contains a brute force/dictionary attack vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to launch a brute force attack or a dictionary attack against the RecoverPoint login form. This allows attackers to brute-force the password of valid users in an automated manner.

CVE ID : CVE-2024-22425
Source : security_alert@emc.com
CVSS Score : 6.5

References :
https://www.dell.com/support/kbdoc/en-us/000222133/dsa-2024-092-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-307


Source : github.com

Vulnerability ID : CVE-2024-24750

First published on : 16-02-2024 22:15:07
Last modified on : 16-02-2024 22:15:07

Description :
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.

CVE ID : CVE-2024-24750
Source : security-advisories@github.com
CVSS Score : 6.5

References :
https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663 | source : security-advisories@github.com
https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw | source : security-advisories@github.com

Vulnerability : CWE-400


Vulnerability ID : CVE-2024-26129

First published on : 19-02-2024 22:15:49
Last modified on : 19-02-2024 22:15:49

Description :
PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4.

CVE ID : CVE-2024-26129
Source : security-advisories@github.com
CVSS Score : 5.8

References :
https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5 | source : security-advisories@github.com
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr | source : security-advisories@github.com
https://owasp.org/www-community/attacks/Full_Path_Disclosure | source : security-advisories@github.com

Vulnerability : CWE-22


Vulnerability ID : CVE-2024-25640

First published on : 19-02-2024 20:15:46
Last modified on : 19-02-2024 20:15:46

Description :
Iris is a web collaborative platform that helps incident responders share technical details during investigations. A stored Cross-Site Scripting (XSS) vulnerability has been identified in iris-web, affecting multiple locations in versions prior to v2.4.0. The vulnerability may allow an attacker to inject malicious scripts into the application, which could then be executed when a user visits the affected locations. This could lead to unauthorized access, data theft, or other related malicious activities. An attacker need to be authenticated on the application to exploit this vulnerability. The issue is fixed in version v2.4.0 of iris-web. No workarounds are available.

CVE ID : CVE-2024-25640
Source : security-advisories@github.com
CVSS Score : 4.6

References :
https://github.com/dfir-iris/iris-web/security/advisories/GHSA-2xq6-qc74-w5vp | source : security-advisories@github.com

Vulnerability : CWE-87


Source : netapp.com

Vulnerability ID : CVE-2024-21983

First published on : 16-02-2024 23:15:07
Last modified on : 16-02-2024 23:15:07

Description :
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8 are susceptible to a Denial of Service (DoS) vulnerability. Successful exploit by an authenticated attacker could lead to an out of memory condition or node reboot.

CVE ID : CVE-2024-21983
Source : security-alert@netapp.com
CVSS Score : 6.5

References :
https://security.netapp.com/advisory/ntap-20240216-0012/ | source : security-alert@netapp.com

Vulnerability : CWE-248


Vulnerability ID : CVE-2024-21984

First published on : 16-02-2024 23:15:08
Last modified on : 16-02-2024 23:15:08

Description :
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8 are susceptible to a difficult to exploit Reflected Cross-Site Scripting (XSS) vulnerability. Successful exploit requires the attacker to know specific information about the target instance and trick a privileged user into clicking a specially crafted link. This could allow the attacker to view or modify configuration settings or add or modify user accounts.

CVE ID : CVE-2024-21984
Source : security-alert@netapp.com
CVSS Score : 5.9

References :
https://security.netapp.com/advisory/ntap-20240216-0013/ | source : security-alert@netapp.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-21987

First published on : 16-02-2024 21:15:08
Last modified on : 16-02-2024 21:39:50

Description :
SnapCenter versions 4.8 prior to 5.0 are susceptible to a vulnerability which could allow an authenticated SnapCenter Server user to modify system logging configuration settings

CVE ID : CVE-2024-21987
Source : security-alert@netapp.com
CVSS Score : 5.4

References :
https://security.netapp.com/advisory/ntap-20240216-0001/ | source : security-alert@netapp.com

Vulnerability : CWE-285


Source : oracle.com

Vulnerability ID : CVE-2024-20903

First published on : 17-02-2024 02:15:45
Last modified on : 17-02-2024 02:15:45

Description :
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.21 and 21.3-21.12. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java VM accessible data. CVSS 3.1 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

CVE ID : CVE-2024-20903
Source : secalert_us@oracle.com
CVSS Score : 6.5

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20929

First published on : 17-02-2024 02:15:47
Last modified on : 17-02-2024 02:15:47

Description :
Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component: DB Privileges). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Object Library. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Object Library accessible data as well as unauthorized read access to a subset of Oracle Application Object Library accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVE ID : CVE-2024-20929
Source : secalert_us@oracle.com
CVSS Score : 6.5

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20960

First published on : 17-02-2024 02:15:50
Last modified on : 17-02-2024 02:15:50

Description :
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: RAPID). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE ID : CVE-2024-20960
Source : secalert_us@oracle.com
CVSS Score : 6.5

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20962

First published on : 17-02-2024 02:15:50
Last modified on : 17-02-2024 02:15:50

Description :
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE ID : CVE-2024-20962
Source : secalert_us@oracle.com
CVSS Score : 6.5

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20907

First published on : 17-02-2024 02:15:45
Last modified on : 17-02-2024 02:15:45

Description :
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: File download). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Web Applications Desktop Integrator, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Web Applications Desktop Integrator accessible data as well as unauthorized read access to a subset of Oracle Web Applications Desktop Integrator accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE ID : CVE-2024-20907
Source : secalert_us@oracle.com
CVSS Score : 6.1

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20933

First published on : 17-02-2024 02:15:47
Last modified on : 17-02-2024 02:15:47

Description :
Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: Engineering Change Order). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Installed Base, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Installed Base accessible data as well as unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE ID : CVE-2024-20933
Source : secalert_us@oracle.com
CVSS Score : 6.1

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20935

First published on : 17-02-2024 02:15:48
Last modified on : 17-02-2024 02:15:48

Description :
Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: Engineering Change Order). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Installed Base, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Installed Base accessible data as well as unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE ID : CVE-2024-20935
Source : secalert_us@oracle.com
CVSS Score : 6.1

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20941

First published on : 17-02-2024 02:15:48
Last modified on : 17-02-2024 02:15:48

Description :
Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: HTML UI). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Installed Base, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Installed Base accessible data as well as unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE ID : CVE-2024-20941
Source : secalert_us@oracle.com
CVSS Score : 6.1

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20949

First published on : 17-02-2024 02:15:49
Last modified on : 17-02-2024 02:15:49

Description :
Vulnerability in the Oracle Customer Interaction History product of Oracle E-Business Suite (component: Outcome-Result). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Customer Interaction History. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Customer Interaction History, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Customer Interaction History accessible data as well as unauthorized read access to a subset of Oracle Customer Interaction History accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE ID : CVE-2024-20949
Source : secalert_us@oracle.com
CVSS Score : 6.1

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20951

First published on : 17-02-2024 02:15:49
Last modified on : 17-02-2024 02:15:49

Description :
Vulnerability in the Oracle Customer Interaction History product of Oracle E-Business Suite (component: Outcome-Result). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Customer Interaction History. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Customer Interaction History, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Customer Interaction History accessible data as well as unauthorized read access to a subset of Oracle Customer Interaction History accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE ID : CVE-2024-20951
Source : secalert_us@oracle.com
CVSS Score : 6.1

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20986

First published on : 17-02-2024 02:15:52
Last modified on : 17-02-2024 02:15:52

Description :
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE ID : CVE-2024-20986
Source : secalert_us@oracle.com
CVSS Score : 6.1

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20919

First published on : 17-02-2024 02:15:46
Last modified on : 17-02-2024 02:15:46

Description :
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE ID : CVE-2024-20919
Source : secalert_us@oracle.com
CVSS Score : 5.9

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20921

First published on : 17-02-2024 02:15:46
Last modified on : 17-02-2024 02:15:46

Description :
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVE ID : CVE-2024-20921
Source : secalert_us@oracle.com
CVSS Score : 5.9

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20913

First published on : 17-02-2024 02:15:46
Last modified on : 17-02-2024 02:15:46

Description :
Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: BI Platform Security). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

CVE ID : CVE-2024-20913
Source : secalert_us@oracle.com
CVSS Score : 5.4

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20943

First published on : 17-02-2024 02:15:48
Last modified on : 17-02-2024 02:15:48

Description :
Vulnerability in the Oracle Knowledge Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Knowledge Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Knowledge Management, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Knowledge Management accessible data as well as unauthorized read access to a subset of Oracle Knowledge Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

CVE ID : CVE-2024-20943
Source : secalert_us@oracle.com
CVSS Score : 5.4

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20947

First published on : 17-02-2024 02:15:49
Last modified on : 17-02-2024 02:15:49

Description :
Vulnerability in the Oracle Common Applications product of Oracle E-Business Suite (component: CRM User Management Framework). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Common Applications. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Common Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Common Applications accessible data as well as unauthorized read access to a subset of Oracle Common Applications accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

CVE ID : CVE-2024-20947
Source : secalert_us@oracle.com
CVSS Score : 5.4

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20958

First published on : 17-02-2024 02:15:49
Last modified on : 17-02-2024 02:15:49

Description :
Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: Engineering Change Order). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Installed Base, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Installed Base accessible data as well as unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

CVE ID : CVE-2024-20958
Source : secalert_us@oracle.com
CVSS Score : 5.4

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20980

First published on : 17-02-2024 02:15:51
Last modified on : 17-02-2024 02:15:51

Description :
Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported versions that are affected are 6.4.0.0.0 and 7.0.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data as well as unauthorized read access to a subset of Oracle BI Publisher accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

CVE ID : CVE-2024-20980
Source : secalert_us@oracle.com
CVSS Score : 5.4

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20915

First published on : 17-02-2024 02:15:46
Last modified on : 17-02-2024 02:15:46

Description :
Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component: Login - SSO). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Object Library. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Application Object Library. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE ID : CVE-2024-20915
Source : secalert_us@oracle.com
CVSS Score : 5.3

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20964

First published on : 17-02-2024 02:15:50
Last modified on : 17-02-2024 02:15:50

Description :
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE ID : CVE-2024-20964
Source : secalert_us@oracle.com
CVSS Score : 5.3

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20966

First published on : 17-02-2024 02:15:50
Last modified on : 17-02-2024 02:15:50

Description :
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE ID : CVE-2024-20966
Source : secalert_us@oracle.com
CVSS Score : 4.9

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20970

First published on : 17-02-2024 02:15:50
Last modified on : 17-02-2024 02:15:50

Description :
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE ID : CVE-2024-20970
Source : secalert_us@oracle.com
CVSS Score : 4.9

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20972

First published on : 17-02-2024 02:15:50
Last modified on : 17-02-2024 02:15:50

Description :
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE ID : CVE-2024-20972
Source : secalert_us@oracle.com
CVSS Score : 4.9

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20974

First published on : 17-02-2024 02:15:51
Last modified on : 17-02-2024 02:15:51

Description :
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE ID : CVE-2024-20974
Source : secalert_us@oracle.com
CVSS Score : 4.9

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20976

First published on : 17-02-2024 02:15:51
Last modified on : 17-02-2024 02:15:51

Description :
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE ID : CVE-2024-20976
Source : secalert_us@oracle.com
CVSS Score : 4.9

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20978

First published on : 17-02-2024 02:15:51
Last modified on : 17-02-2024 02:15:51

Description :
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE ID : CVE-2024-20978
Source : secalert_us@oracle.com
CVSS Score : 4.9

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20982

First published on : 17-02-2024 02:15:51
Last modified on : 17-02-2024 02:15:51

Description :
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE ID : CVE-2024-20982
Source : secalert_us@oracle.com
CVSS Score : 4.9

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20945

First published on : 17-02-2024 02:15:48
Last modified on : 17-02-2024 02:15:48

Description :
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).

CVE ID : CVE-2024-20945
Source : secalert_us@oracle.com
CVSS Score : 4.7

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20968

First published on : 17-02-2024 02:15:50
Last modified on : 17-02-2024 02:15:50

Description :
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE ID : CVE-2024-20968
Source : secalert_us@oracle.com
CVSS Score : 4.4

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20984

First published on : 17-02-2024 02:15:51
Last modified on : 17-02-2024 02:15:51

Description :
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server : Security : Firewall). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE ID : CVE-2024-20984
Source : secalert_us@oracle.com
CVSS Score : 4.4

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2023-21833

First published on : 17-02-2024 02:15:45
Last modified on : 17-02-2024 02:15:45

Description :
Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Object Store). The supported version that is affected is 8.8. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle ZFS Storage Appliance Kit. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle ZFS Storage Appliance Kit accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVE ID : CVE-2023-21833
Source : secalert_us@oracle.com
CVSS Score : 4.3

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20937

First published on : 17-02-2024 02:15:48
Last modified on : 17-02-2024 02:15:48

Description :
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics SEC). Supported versions that are affected are Prior to 9.2.8.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVE ID : CVE-2024-20937
Source : secalert_us@oracle.com
CVSS Score : 4.3

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20939

First published on : 17-02-2024 02:15:48
Last modified on : 17-02-2024 02:15:48

Description :
Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite (component: Admin Console). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle CRM Technical Foundation. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle CRM Technical Foundation. CVSS 3.1 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

CVE ID : CVE-2024-20939
Source : secalert_us@oracle.com
CVSS Score : 4.3

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Source : snyk.io

Vulnerability ID : CVE-2024-21495

First published on : 17-02-2024 05:15:09
Last modified on : 17-02-2024 05:15:09

Description :
Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.

CVE ID : CVE-2024-21495
Source : report@snyk.io
CVSS Score : 6.5

References :
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ | source : report@snyk.io
https://github.com/greenpau/caddy-security/issues/265 | source : report@snyk.io
https://github.com/greenpau/go-authcrunch/commit/ecd3725baf2683eb1519bb3c81ae41085fbf7dc2 | source : report@snyk.io
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6248275 | source : report@snyk.io

Vulnerability : CWE-330


Vulnerability ID : CVE-2024-21496

First published on : 17-02-2024 05:15:09
Last modified on : 17-02-2024 05:15:09

Description :
All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting (XSS) via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS (e.g., [&], [<], [>], ["], [']), it does not account for the attack based on the JavaScript URL scheme (e.g., javascript:alert(document.domain)// payload). Exploiting this vulnerability may not be trivial, but it could lead to the execution of malicious scripts in the context of the target user’s browser, compromising user sessions.

CVE ID : CVE-2024-21496
Source : report@snyk.io
CVSS Score : 6.1

References :
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ | source : report@snyk.io
https://github.com/greenpau/caddy-security/issues/267 | source : report@snyk.io
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249860 | source : report@snyk.io

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-21494

First published on : 17-02-2024 05:15:09
Last modified on : 17-02-2024 05:15:09

Description :
All versions of the package github.com/greenpau/caddy-security are vulnerable to Authentication Bypass by Spoofing via the X-Forwarded-For header due to improper input sanitization. An attacker can spoof an IP address used in the user identity module (/whoami API endpoint). This could lead to unauthorized access if the system trusts this spoofed IP address.

CVE ID : CVE-2024-21494
Source : report@snyk.io
CVSS Score : 5.4

References :
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ | source : report@snyk.io
https://github.com/greenpau/caddy-security/issues/266 | source : report@snyk.io
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249859 | source : report@snyk.io

Vulnerability : CWE-290


Vulnerability ID : CVE-2024-21497

First published on : 17-02-2024 05:15:09
Last modified on : 17-02-2024 05:15:09

Description :
All versions of the package github.com/greenpau/caddy-security are vulnerable to Open Redirect via the redirect_url parameter. An attacker could perform a phishing attack and trick users into visiting a malicious website by crafting a convincing URL with this parameter. To exploit this vulnerability, the user must take an action, such as clicking on a portal button or using the browser’s back button, to trigger the redirection.

CVE ID : CVE-2024-21497
Source : report@snyk.io
CVSS Score : 5.4

References :
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ | source : report@snyk.io
https://github.com/greenpau/caddy-security/issues/268 | source : report@snyk.io
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249861 | source : report@snyk.io

Vulnerability : CWE-601


Vulnerability ID : CVE-2024-21493

First published on : 17-02-2024 05:15:08
Last modified on : 17-02-2024 05:15:08

Description :
All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Validation of Array Index when parsing a Caddyfile. Multiple parsing functions in the affected library do not validate whether their input values are nil before attempting to access elements, which can lead to a panic (index out of range). Panics during the parsing of a configuration file may introduce ambiguity and vulnerabilities, hindering the correct interpretation and configuration of the web server.

CVE ID : CVE-2024-21493
Source : report@snyk.io
CVSS Score : 5.3

References :
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ | source : report@snyk.io
https://github.com/greenpau/caddy-security/issues/263 | source : report@snyk.io
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078 | source : report@snyk.io

Vulnerability : CWE-129


Vulnerability ID : CVE-2024-21498

First published on : 17-02-2024 05:15:10
Last modified on : 17-02-2024 05:15:10

Description :
All versions of the package github.com/greenpau/caddy-security are vulnerable to Server-side Request Forgery (SSRF) via X-Forwarded-Host header manipulation. An attacker can expose sensitive information, interact with internal services, or exploit other vulnerabilities within the network by exploiting this vulnerability.

CVE ID : CVE-2024-21498
Source : report@snyk.io
CVSS Score : 5.3

References :
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ | source : report@snyk.io
https://github.com/greenpau/caddy-security/issues/269 | source : report@snyk.io
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249862 | source : report@snyk.io

Vulnerability : CWE-918


Vulnerability ID : CVE-2024-21492

First published on : 17-02-2024 05:15:08
Last modified on : 17-02-2024 05:15:08

Description :
All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the "Sign Out" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.

CVE ID : CVE-2024-21492
Source : report@snyk.io
CVSS Score : 4.8

References :
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ | source : report@snyk.io
https://github.com/greenpau/caddy-security/issues/272 | source : report@snyk.io
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5920787 | source : report@snyk.io

Vulnerability : CWE-613


Vulnerability ID : CVE-2024-21500

First published on : 17-02-2024 05:15:10
Last modified on : 17-02-2024 05:15:10

Description :
All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Restriction of Excessive Authentication Attempts via the two-factor authentication (2FA). Although the application blocks the user after several failed attempts to provide 2FA codes, attackers can bypass this blocking mechanism by automating the application’s full multistep 2FA process.

CVE ID : CVE-2024-21500
Source : report@snyk.io
CVSS Score : 4.8

References :
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ | source : report@snyk.io
https://github.com/greenpau/caddy-security/issues/271 | source : report@snyk.io
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249864 | source : report@snyk.io

Vulnerability : CWE-307


Vulnerability ID : CVE-2024-21499

First published on : 17-02-2024 05:15:10
Last modified on : 17-02-2024 05:15:10

Description :
All versions of the package github.com/greenpau/caddy-security are vulnerable to HTTP Header Injection via the X-Forwarded-Proto header due to redirecting to the injected protocol.Exploiting this vulnerability could lead to bypass of security mechanisms or confusion in handling TLS.

CVE ID : CVE-2024-21499
Source : report@snyk.io
CVSS Score : 4.3

References :
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ | source : report@snyk.io
https://github.com/greenpau/caddy-security/issues/270 | source : report@snyk.io
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249863 | source : report@snyk.io

Vulnerability : CWE-644


Source : mitre.org

Vulnerability ID : CVE-2024-25083

First published on : 16-02-2024 21:15:08
Last modified on : 16-02-2024 21:39:50

Description :
An issue was discovered in BeyondTrust Privilege Management for Windows before 24.1. When an low-privileged user initiates a repair, there is an attack vector through which the user is able to execute any program with elevated privileges.

CVE ID : CVE-2024-25083
Source : cve@mitre.org
CVSS Score : 6.3

References :
https://www.beyondtrust.com/trust-center/security-advisories/bt24-01 | source : cve@mitre.org


Source : google.com

Vulnerability ID : CVE-2024-1580

First published on : 19-02-2024 11:15:08
Last modified on : 19-02-2024 11:15:08

Description :
An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading past version 1.4.0 of dav1d.

CVE ID : CVE-2024-1580
Source : cve-coordination@google.com
CVSS Score : 5.9

References :
https://code.videolan.org/videolan/dav1d/-/blob/master/NEWS | source : cve-coordination@google.com
https://code.videolan.org/videolan/dav1d/-/releases/1.4.0 | source : cve-coordination@google.com

Vulnerability : CWE-190


Source : redhat.com

Vulnerability ID : CVE-2024-1342

First published on : 16-02-2024 16:15:57
Last modified on : 16-02-2024 19:26:55

Description :
A flaw was found in OpenShift. The existing Cross-Site Request Forgery (CSRF) protections in place do not properly protect GET requests, allowing for the creation of WebSockets via CSRF.

CVE ID : CVE-2024-1342
Source : secalert@redhat.com
CVSS Score : 5.4

References :
https://access.redhat.com/security/cve/CVE-2024-1342 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2259960 | source : secalert@redhat.com

Vulnerability : CWE-352


Source : puiterwijk.org

Vulnerability ID : CVE-2024-25979

First published on : 19-02-2024 17:15:08
Last modified on : 19-02-2024 17:15:08

Description :
The URL parameters accepted by forum search were not limited to the allowed parameters.

CVE ID : CVE-2024-25979
Source : patrick@puiterwijk.org
CVSS Score : 5.3

References :
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69774 | source : patrick@puiterwijk.org
https://bugzilla.redhat.com/show_bug.cgi?id=2264095 | source : patrick@puiterwijk.org
https://moodle.org/mod/forum/discuss.php?d=455635 | source : patrick@puiterwijk.org

Vulnerability : CWE-233


Vulnerability ID : CVE-2024-25980

First published on : 19-02-2024 17:15:09
Last modified on : 19-02-2024 17:15:09

Description :
Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.

CVE ID : CVE-2024-25980
Source : patrick@puiterwijk.org
CVSS Score : 4.3

References :
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80501 | source : patrick@puiterwijk.org
https://bugzilla.redhat.com/show_bug.cgi?id=2264096 | source : patrick@puiterwijk.org
https://moodle.org/mod/forum/discuss.php?d=455636 | source : patrick@puiterwijk.org

Vulnerability : CWE-284


Vulnerability ID : CVE-2024-25981

First published on : 19-02-2024 17:15:09
Last modified on : 19-02-2024 17:15:09

Description :
Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.

CVE ID : CVE-2024-25981
Source : patrick@puiterwijk.org
CVSS Score : 4.3

References :
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80504 | source : patrick@puiterwijk.org
https://bugzilla.redhat.com/show_bug.cgi?id=2264097 | source : patrick@puiterwijk.org
https://moodle.org/mod/forum/discuss.php?d=455637 | source : patrick@puiterwijk.org

Vulnerability : CWE-284


Vulnerability ID : CVE-2024-25982

First published on : 19-02-2024 17:15:09
Last modified on : 19-02-2024 17:15:09

Description :
The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.

CVE ID : CVE-2024-25982
Source : patrick@puiterwijk.org
CVSS Score : 4.3

References :
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-54749 | source : patrick@puiterwijk.org
https://bugzilla.redhat.com/show_bug.cgi?id=2264098 | source : patrick@puiterwijk.org
https://moodle.org/mod/forum/discuss.php?d=455638 | source : patrick@puiterwijk.org

Vulnerability : CWE-352


Source : us.ibm.com

Vulnerability ID : CVE-2024-22335

First published on : 17-02-2024 16:15:47
Last modified on : 17-02-2024 16:15:47

Description :
IBM QRadar Suite 1.10.12.0 through 1.10.17.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 279975.

CVE ID : CVE-2024-22335
Source : psirt@us.ibm.com
CVSS Score : 5.1

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/279975 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7118642 | source : psirt@us.ibm.com

Vulnerability : CWE-532


Vulnerability ID : CVE-2024-22336

First published on : 17-02-2024 16:15:47
Last modified on : 17-02-2024 16:15:47

Description :
IBM QRadar Suite 1.10.12.0 through 1.10.17.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 279976.

CVE ID : CVE-2024-22336
Source : psirt@us.ibm.com
CVSS Score : 5.1

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/279976 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7118642 | source : psirt@us.ibm.com

Vulnerability : CWE-532


Vulnerability ID : CVE-2024-22337

First published on : 17-02-2024 16:15:47
Last modified on : 17-02-2024 16:15:47

Description :
IBM QRadar Suite 1.10.12.0 through 1.10.17.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 279977.

CVE ID : CVE-2024-22337
Source : psirt@us.ibm.com
CVSS Score : 5.1

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/279977 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7118642 | source : psirt@us.ibm.com

Vulnerability : CWE-532


Vulnerability ID : CVE-2023-50951

First published on : 17-02-2024 16:15:46
Last modified on : 17-02-2024 16:15:46

Description :
IBM QRadar Suite 1.10.12.0 through 1.10.17.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 in some circumstances will log some sensitive information about invalid authorization attempts. IBM X-Force ID: 275747.

CVE ID : CVE-2023-50951
Source : psirt@us.ibm.com
CVSS Score : 4.0

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/275747 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7118604 | source : psirt@us.ibm.com

Vulnerability : CWE-532


Source : zephyrproject.org

Vulnerability ID : CVE-2023-5779

First published on : 18-02-2024 08:15:06
Last modified on : 18-02-2024 08:15:06

Description :
can: out of bounds in remove_rx_filter function

CVE ID : CVE-2023-5779
Source : vulnerabilities@zephyrproject.org
CVSS Score : 4.4

References :
https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7cmj-963q-jj47 | source : vulnerabilities@zephyrproject.org

Vulnerability : CWE-787


(11) LOW VULNERABILITIES [0.1, 3.9]

Source : github.com

Vulnerability ID : CVE-2024-24758

First published on : 16-02-2024 22:15:08
Last modified on : 16-02-2024 22:15:08

Description :
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-24758
Source : security-advisories@github.com
CVSS Score : 3.9

References :
https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef | source : security-advisories@github.com
https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3 | source : security-advisories@github.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2024-25627

First published on : 16-02-2024 21:15:08
Last modified on : 16-02-2024 21:39:50

Description :
Alf.io is a free and open source event attendance management system. An administrator on the alf.io application is able to upload HTML files that trigger JavaScript payloads. As such, an attacker gaining administrative access to the alf.io application may be able to persist access by planting an XSS payload. This issue has been addressed in version 2.0-M4-2402. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-25627
Source : security-advisories@github.com
CVSS Score : 3.5

References :
https://github.com/alfio-event/alf.io/security/advisories/GHSA-gpmg-8f92-37cf | source : security-advisories@github.com

Vulnerability : CWE-434
Vulnerability : CWE-79


Source : puiterwijk.org

Vulnerability ID : CVE-2024-25983

First published on : 19-02-2024 17:15:09
Last modified on : 19-02-2024 17:15:09

Description :
Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).

CVE ID : CVE-2024-25983
Source : patrick@puiterwijk.org
CVSS Score : 3.5

References :
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300 | source : patrick@puiterwijk.org
https://bugzilla.redhat.com/show_bug.cgi?id=2264099 | source : patrick@puiterwijk.org
https://moodle.org/mod/forum/discuss.php?d=455641 | source : patrick@puiterwijk.org

Vulnerability : CWE-639


Source : 13061848-ea10-403d-bd75-c83a022c2891

Vulnerability ID : CVE-2024-1591

First published on : 16-02-2024 19:15:08
Last modified on : 16-02-2024 19:26:55

Description :
Prior to version 24.1, a local authenticated attacker can view Sysvol when Privilege Management for Windows is configured to use a GPO policy. This allows them to view the policy and potentially find configuration issues.

CVE ID : CVE-2024-1591
Source : 13061848-ea10-403d-bd75-c83a022c2891
CVSS Score : 3.3

References :
https://www.beyondtrust.com/trust-center/security-advisories/bt24-02 | source : 13061848-ea10-403d-bd75-c83a022c2891

Vulnerability : CWE-200


Source : oracle.com

Vulnerability ID : CVE-2024-20923

First published on : 17-02-2024 02:15:47
Last modified on : 17-02-2024 02:15:47

Description :
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

CVE ID : CVE-2024-20923
Source : secalert_us@oracle.com
CVSS Score : 3.1

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20925

First published on : 17-02-2024 02:15:47
Last modified on : 17-02-2024 02:15:47

Description :
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

CVE ID : CVE-2024-20925
Source : secalert_us@oracle.com
CVSS Score : 3.1

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20905

First published on : 17-02-2024 02:15:45
Last modified on : 17-02-2024 02:15:45

Description :
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure SEC). Supported versions that are affected are Prior to 9.2.8.0. Easily exploitable vulnerability allows high privileged attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

CVE ID : CVE-2024-20905
Source : secalert_us@oracle.com
CVSS Score : 2.7

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Vulnerability ID : CVE-2024-20911

First published on : 17-02-2024 02:15:46
Last modified on : 17-02-2024 02:15:46

Description :
Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Supported versions that are affected are 20.1-20.9. Difficult to exploit vulnerability allows high privileged attacker with network access via Oracle Net to compromise Oracle Audit Vault and Database Firewall. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Audit Vault and Database Firewall, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Audit Vault and Database Firewall accessible data. CVSS 3.1 Base Score 2.6 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N).

CVE ID : CVE-2024-20911
Source : secalert_us@oracle.com
CVSS Score : 2.6

References :
https://www.oracle.com/security-alerts/cpujan2024.html | source : secalert_us@oracle.com


Source : us.ibm.com

Vulnerability ID : CVE-2022-42443

First published on : 17-02-2024 17:15:07
Last modified on : 17-02-2024 17:15:07

Description :
An undisclosed issue in Trusteer iOS SDK for mobile versions prior to 5.7 and Trusteer Android SDK for mobile versions prior to 5.7 may allow uploading of files. IBM X-Force ID: 238535.

CVE ID : CVE-2022-42443
Source : psirt@us.ibm.com
CVSS Score : 2.2

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/238535 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/6967785 | source : psirt@us.ibm.com

Vulnerability : CWE-434


Source : lenovo.com

Vulnerability ID : CVE-2024-23591

First published on : 16-02-2024 17:15:08
Last modified on : 16-02-2024 19:26:55

Description :
ThinkSystem SR670V2 servers manufactured from approximately June 2021 to July 2023 were left in Manufacturing Mode which could allow an attacker with privileged logical access to the host or physical access to server internals to modify or disable Intel Boot Guard firmware integrity, SPS security, and other SPS configuration setting.

CVE ID : CVE-2024-23591
Source : psirt@lenovo.com
CVSS Score : 2.0

References :
https://https://support.lenovo.com/us/en/product_security/LEN-150020 | source : psirt@lenovo.com

Vulnerability : CWE-1269


Source : asrg.io

Vulnerability ID : CVE-2024-1633

First published on : 19-02-2024 17:15:08
Last modified on : 19-02-2024 17:15:08

Description :
During the secure boot, bl2 (the second stage of the bootloader) loops over images defined in the table “bl2_mem_params_descs”. For each image, the bl2 reads the image length and destination from the image’s certificate. Because of the way of reading from the image, which base on 32-bit unsigned integer value, it can result to an integer overflow. An attacker can bypass memory range restriction and write data out of buffer bounds, which could result in bypass of secure boot. Affected git version from c2f286820471ed276c57e603762bd831873e5a17 until (not

CVE ID : CVE-2024-1633
Source : cve@asrg.io
CVSS Score : 2.0

References :
https://asrg.io/security-advisories/CVE-2024-1633/ | source : cve@asrg.io

Vulnerability : CWE-190


(77) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : android.com

Vulnerability ID : CVE-2023-40093

First published on : 16-02-2024 02:15:49
Last modified on : 16-02-2024 13:37:55

Description :
In multiple files, there is a possible way that trimmed content could be included in PDF output due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2023-40093
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/cts/+/a952c93009cc81c41a086d73a4030a83b7683a04 | source : security@android.com
https://android.googlesource.com/platform/external/pdfium/+/03925281cf25fec70318bf2225356d022b12b566 | source : security@android.com
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2023-40122

First published on : 16-02-2024 02:15:50
Last modified on : 16-02-2024 13:37:55

Description :
In applyCustomDescription of SaveUi.java, there is a possible way to view other user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2023-40122
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/base/+/55fc00a0788ea0995fe0851616b9ac21710a2931 | source : security@android.com
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2024-0014

First published on : 16-02-2024 02:15:50
Last modified on : 16-02-2024 13:37:55

Description :
In startInstall of UpdateFetcher.java, there is a possible way to trigger a malicious config update due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0014
Source : security@android.com
CVSS Score : /

References :
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2024-0029

First published on : 16-02-2024 02:15:50
Last modified on : 16-02-2024 13:37:55

Description :
In multiple files, there is a possible way to capture the device screen when disallowed by device policy due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0029
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/base/+/9b10fd9718f4e6f6843adbfc14e46a93aab93aad | source : security@android.com
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2024-0030

First published on : 16-02-2024 02:15:50
Last modified on : 16-02-2024 13:37:55

Description :
In btif_to_bta_response of btif_gatt_util.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0030
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/packages/modules/Bluetooth/+/57b823f4f758e2ef530909da07552b5aa80c6a7d | source : security@android.com
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2024-0031

First published on : 16-02-2024 02:15:50
Last modified on : 16-02-2024 13:37:55

Description :
In attp_build_read_by_type_value_cmd of att_protocol.cc , there is a possible out of bounds write due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0031
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/packages/modules/Bluetooth/+/de53890aaca2ae08b3ee2d6e3fd25f702fdfa661 | source : security@android.com
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2024-0032

First published on : 16-02-2024 02:15:50
Last modified on : 16-02-2024 13:37:55

Description :
In queryChildDocuments of FileSystemProvider.java, there is a possible way to request access to directories that should be hidden due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.

CVE ID : CVE-2024-0032
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/base/+/4af5db76f25348849252e0b8a08f4a517ef842b7 | source : security@android.com
https://android.googlesource.com/platform/packages/providers/DownloadProvider/+/5acd646e0cf63e2c9c0862da7e03531ef0074394 | source : security@android.com
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2024-0033

First published on : 16-02-2024 02:15:50
Last modified on : 16-02-2024 13:37:51

Description :
In multiple functions of ashmem-dev.cpp, there is a possible missing seal due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0033
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/native/+/aa98edf0ce9dde4886979658a459900ca987f193 | source : security@android.com
https://android.googlesource.com/platform/system/core/+/46d46dc46446f14f26fbe8fb102dd36c1dfc1229 | source : security@android.com
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2024-0034

First published on : 16-02-2024 02:15:50
Last modified on : 16-02-2024 13:37:51

Description :
In BackgroundLaunchProcessController, there is a possible way to launch arbitrary activity from the background due to BAL Bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0034
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/base/+/653f7b0d234693309dc86161af01831b64033fe6 | source : security@android.com
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2024-0035

First published on : 16-02-2024 02:15:50
Last modified on : 16-02-2024 13:37:51

Description :
In onNullBinding of TileLifecycleManager.java, there is a possible way to launch an activity from the background due to a missing null check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0035
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/base/+/7b7fff1eb5014d12200a32ff9047da396c7ab6a4 | source : security@android.com
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2024-0036

First published on : 16-02-2024 02:15:51
Last modified on : 16-02-2024 13:37:51

Description :
In startNextMatchingActivity of ActivityTaskManagerService.java, there is a possible way to bypass the restrictions on starting activities from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0036
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/base/+/3eaaa9687e90c65f51762deb343f18bef95d4e8e | source : security@android.com
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2024-0037

First published on : 16-02-2024 02:15:51
Last modified on : 16-02-2024 13:37:51

Description :
In applyCustomDescription of SaveUi.java, there is a possible way to view images belonging to a different user due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0037
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/base/+/55fc00a0788ea0995fe0851616b9ac21710a2931 | source : security@android.com
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2024-0038

First published on : 16-02-2024 02:15:51
Last modified on : 16-02-2024 13:37:51

Description :
In injectInputEventToInputFilter of AccessibilityManagerService.java, there is a possible arbitrary input event injection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0038
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/base/+/3e88d987235f5a2acd50a9b6bad78dbbf39cb079 | source : security@android.com
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2024-0040

First published on : 16-02-2024 02:15:51
Last modified on : 16-02-2024 13:37:51

Description :
In setParameter of MtpPacket.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0040
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/av/+/2ca6c27dc0336fd98f47cfb96dc514efa98e8864 | source : security@android.com
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2024-0041

First published on : 16-02-2024 02:15:51
Last modified on : 16-02-2024 13:37:51

Description :
In removePersistentDot of SystemStatusAnimationSchedulerImpl.kt, there is a possible race condition due to a logic error in the code. This could lead to local escalation of privilege that fails to remove the persistent dot with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0041
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/base/+/d6f7188773409c8f5ad5fc7d3eea5b1751439e26 | source : security@android.com
https://source.android.com/security/bulletin/2024-02-01 | source : security@android.com


Vulnerability ID : CVE-2023-21165

First published on : 16-02-2024 19:15:08
Last modified on : 16-02-2024 20:15:47

Description :
In DevmemIntUnmapPMR of devicemem_server.c, there is a possible arbitrary code execution due to a use after free. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2023-21165
Source : security@android.com
CVSS Score : /

References :
https://source.android.com/security/bulletin/2024-01-01 | source : security@android.com


Vulnerability ID : CVE-2023-40085

First published on : 16-02-2024 19:15:08
Last modified on : 16-02-2024 19:26:55

Description :
In convertSubgraphFromHAL of ShimConverter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2023-40085
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/packages/modules/NeuralNetworks/+/ed6ee1f7eca7b33160e36ac6d730a9ef395ca4f1 | source : security@android.com
https://source.android.com/security/bulletin/2024-01-01 | source : security@android.com


Vulnerability ID : CVE-2024-0015

First published on : 16-02-2024 19:15:08
Last modified on : 16-02-2024 19:26:55

Description :
In convertToComponentName of DreamService.java, there is a possible way to launch arbitrary protected activities due to intent redirection. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0015
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/base/+/2ce1b7fd37273ea19fbbb6daeeaa6212357b9a70 | source : security@android.com
https://source.android.com/security/bulletin/2024-01-01 | source : security@android.com


Vulnerability ID : CVE-2024-0016

First published on : 16-02-2024 20:15:47
Last modified on : 16-02-2024 21:39:50

Description :
In multiple locations, there is a possible out of bounds read due to a missing bounds check. This could lead to paired device information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0016
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/packages/modules/Bluetooth/+/1d7ba7c8a205522f384e8d5c7c9f26a421cab5f1 | source : security@android.com
https://source.android.com/security/bulletin/2024-01-01 | source : security@android.com


Vulnerability ID : CVE-2024-0017

First published on : 16-02-2024 20:15:47
Last modified on : 16-02-2024 21:39:50

Description :
In shouldUseNoOpLocation of CameraActivity.java, there is a possible confused deputy due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.

CVE ID : CVE-2024-0017
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/packages/apps/Camera2/+/5c4c4b35754eef319dcd69c422f0b1ac0c823f6e | source : security@android.com
https://source.android.com/security/bulletin/2024-01-01 | source : security@android.com


Vulnerability ID : CVE-2024-0018

First published on : 16-02-2024 20:15:47
Last modified on : 16-02-2024 21:39:50

Description :
In convertYUV420Planar16ToY410 of ColorConverter.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0018
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/av/+/bf6406041919f67219fd1829438dda28845d4c23 | source : security@android.com
https://source.android.com/security/bulletin/2024-01-01 | source : security@android.com


Vulnerability ID : CVE-2024-0019

First published on : 16-02-2024 20:15:47
Last modified on : 16-02-2024 21:39:50

Description :
In setListening of AppOpsControllerImpl.java, there is a possible way to hide the microphone privacy indicator when restarting systemUI due to a missing check for active recordings. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation.

CVE ID : CVE-2024-0019
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/base/+/707fc94ec3df4cf6b985e6d06c2588690d1a025a | source : security@android.com
https://source.android.com/security/bulletin/2024-01-01 | source : security@android.com


Vulnerability ID : CVE-2024-0020

First published on : 16-02-2024 20:15:47
Last modified on : 16-02-2024 21:39:50

Description :
In onActivityResult of NotificationSoundPreference.java, there is a possible way to hear audio files belonging to a different user due to a confused deputy. This could lead to local information disclosure across users of a device with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0020
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/packages/apps/Settings/+/87f791f2351e366f842a0fd6fcb744069160d9a1 | source : security@android.com
https://source.android.com/security/bulletin/2024-01-01 | source : security@android.com


Vulnerability ID : CVE-2024-0021

First published on : 16-02-2024 20:15:47
Last modified on : 16-02-2024 21:39:50

Description :
In onCreate of NotificationAccessConfirmationActivity.java, there is a possible way for an app in the work profile to enable notification listener services due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CVE ID : CVE-2024-0021
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/packages/apps/Settings/+/53ea491d276f9a7c586c7983c08105a9bb7051f1 | source : security@android.com
https://source.android.com/security/bulletin/2024-01-01 | source : security@android.com


Vulnerability ID : CVE-2024-0023

First published on : 16-02-2024 20:15:47
Last modified on : 16-02-2024 21:39:50

Description :
In ConvertRGBToPlanarYUV of Codec2BufferUtils.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE ID : CVE-2024-0023
Source : security@android.com
CVSS Score : /

References :
https://android.googlesource.com/platform/frameworks/av/+/30b1b34cfd5abfcfee759e7d13167d368ac6c268 | source : security@android.com
https://source.android.com/security/bulletin/2024-01-01 | source : security@android.com


Source : mitre.org

Vulnerability ID : CVE-2024-25413

First published on : 16-02-2024 02:15:51
Last modified on : 16-02-2024 13:37:51

Description :
A XSLT Server Side injection vulnerability in the Import Jobs function of FireBear Improved Import And Export v3.8.6 allows attackers to execute arbitrary commands via a crafted XSLT file.

CVE ID : CVE-2024-25413
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/capture0x/Magento-ver.-2.4.6 | source : cve@mitre.org
https://packetstormsecurity.com/files/175801/FireBear-Improved-Import-And-Export-3.8.6-XSLT-Server-Side-Injection.html | source : cve@mitre.org


Vulnerability ID : CVE-2024-25414

First published on : 16-02-2024 02:15:51
Last modified on : 16-02-2024 13:37:51

Description :
An arbitrary file upload vulnerability in /admin/upgrade of CSZ CMS v1.3.0 allows attackers to execute arbitrary code via uploading a crafted Zip file.

CVE ID : CVE-2024-25414
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/capture0x/CSZ_CMS | source : cve@mitre.org
https://packetstormsecurity.com/files/175889/CSZ-CMS-1.3.0-Shell-Upload.html | source : cve@mitre.org


Vulnerability ID : CVE-2024-25415

First published on : 16-02-2024 02:15:51
Last modified on : 16-02-2024 13:37:51

Description :
A remote code execution (RCE) vulnerability in /admin/define_language.php of CE Phoenix v1.0.8.20 allows attackers to execute arbitrary PHP code via injecting a crafted payload into the file english.php.

CVE ID : CVE-2024-25415
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/capture0x/Phoenix | source : cve@mitre.org
https://packetstormsecurity.com/files/175913/CE-Phoenix-1.0.8.20-Remote-Command-Execution.html | source : cve@mitre.org
https://vulners.com/zdt/1337DAY-ID-39172 | source : cve@mitre.org


Vulnerability ID : CVE-2023-49508

First published on : 16-02-2024 08:15:39
Last modified on : 16-02-2024 13:37:51

Description :
Directory Traversal vulnerability in YetiForceCompany YetiForceCRM versions 6.4.0 and before allows a remote authenticated attacker to obtain sensitive information via the license parameter in the LibraryLicense.php component.

CVE ID : CVE-2023-49508
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/YetiForceCompany/YetiForceCRM/commit/ba3a348aa6ecdf0a1d8b289cbb679bebcda7a132 | source : cve@mitre.org
https://github.com/c4v4r0n/Research/tree/main/CVE-2023-49508 | source : cve@mitre.org
https://huntr.com/bounties/29ed641d-eb03-4532-aed4-f96e11f78983/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-51931

First published on : 16-02-2024 09:15:08
Last modified on : 16-02-2024 13:37:51

Description :
An issue in alanclarke URLite v.3.1.0 allows an attacker to cause a denial of service (DoS) via a crafted payload to the parsing function.

CVE ID : CVE-2023-51931
Source : cve@mitre.org
CVSS Score : /

References :
https://gist.github.com/6en6ar/c792d8337b63f095cbda907e834cb4ba | source : cve@mitre.org
https://github.com/alanclarke/urlite/issues/61 | source : cve@mitre.org


Vulnerability ID : CVE-2024-22854

First published on : 16-02-2024 09:15:08
Last modified on : 16-02-2024 13:37:51

Description :
DOM-based HTML injection vulnerability in the main page of Darktrace Threat Visualizer version 6.1.27 (bundle version 61050) and before has been identified. A URL, crafted by a remote attacker and visited by an authenticated user, allows open redirect and potential credential stealing using an injected HTML form.

CVE ID : CVE-2024-22854
Source : cve@mitre.org
CVSS Score : /

References :
https://tomekwasiak.pl/cve-2024-22854/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-24377

First published on : 16-02-2024 09:15:08
Last modified on : 16-02-2024 13:37:51

Description :
An issue in idocv v.14.1.3_20231228 allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted script.

CVE ID : CVE-2024-24377
Source : cve@mitre.org
CVSS Score : /

References :
https://zhuabapa.top/2024/01/18/idocv_20231228_rce/#more | source : cve@mitre.org


Vulnerability ID : CVE-2024-25466

First published on : 16-02-2024 09:15:08
Last modified on : 16-02-2024 13:37:51

Description :
Directory Traversal vulnerability in React Native Document Picker before v.9.1.1 and fixed in v.9.1.1 allows a local attacker to execute arbitrary code via a crafted script to the Android library component.

CVE ID : CVE-2024-25466
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/FixedOctocat/CVE-2024-25466/tree/main | source : cve@mitre.org
https://github.com/rnmods/react-native-document-picker/blob/0be5a70c3b456e35c2454aaf4dc8c2d40eb2ab47/android/src/main/java/com/reactnativedocumentpicker/RNDocumentPickerModule.java | source : cve@mitre.org


Vulnerability ID : CVE-2023-45860

First published on : 16-02-2024 10:15:08
Last modified on : 16-02-2024 13:37:51

Description :
In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member's filesystem.

CVE ID : CVE-2023-45860
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/hazelcast/hazelcast/pull/25348 | source : cve@mitre.org
https://github.com/hazelcast/hazelcast/security/advisories/GHSA-8h4x-xvjp-vf99 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25320

First published on : 16-02-2024 15:15:08
Last modified on : 16-02-2024 19:26:55

Description :
Tongda OA v2017 and up to v11.9 was discovered to contain a SQL injection vulnerability via the $AFF_ID parameter at /affair/delete.php.

CVE ID : CVE-2024-25320
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/cqliuke/cve/blob/main/sql.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-45918

First published on : 16-02-2024 22:15:07
Last modified on : 16-02-2024 22:15:07

Description :
ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.

CVE ID : CVE-2023-45918
Source : cve@mitre.org
CVSS Score : /

References :
https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html | source : cve@mitre.org


Vulnerability ID : CVE-2023-31728

First published on : 17-02-2024 04:15:07
Last modified on : 17-02-2024 04:15:07

Description :
Teltonika RUT240 devices with firmware before 07.04.2, when bridge mode is used, sometimes make SSH and HTTP services available on the IPv6 WAN interface even though the UI shows that they are only available on the LAN interface.

CVE ID : CVE-2023-31728
Source : cve@mitre.org
CVSS Score : /

References :
https://research.exoticsilicon.com/articles/lte_ethernet_bridge_bug_followup | source : cve@mitre.org
https://research.exoticsilicon.com/news | source : cve@mitre.org


Vulnerability ID : CVE-2024-22727

First published on : 17-02-2024 04:15:07
Last modified on : 17-02-2024 04:15:07

Description :
Teltonika TRB1-series devices with firmware before TRB1_R_00.07.05.2 allow attackers to exploit a firmware vulnerability via Ethernet LAN or USB.

CVE ID : CVE-2024-22727
Source : cve@mitre.org
CVSS Score : /

References :
https://teltonika-networks.com/newsroom/critical-security-update-for-trb1-series-gateways | source : cve@mitre.org


Vulnerability ID : CVE-2024-25297

First published on : 17-02-2024 06:15:53
Last modified on : 17-02-2024 06:15:53

Description :
Cross Site Scripting (XSS) vulnerability in Bludit CMS version 3.15, allows remote attackers to execute arbitrary code and obtain sensitive information via edit-content.php.

CVE ID : CVE-2024-25297
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/CpyRe/I-Find-CVE-2024/blob/main/BLUDIT%20Stored%20XSS.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-25298

First published on : 17-02-2024 06:15:54
Last modified on : 17-02-2024 06:15:54

Description :
An issue was discovered in REDAXO version 5.15.1, allows attackers to execute arbitrary code and obtain sensitive information via modules.modules.php.

CVE ID : CVE-2024-25298
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/CpyRe/I-Find-CVE-2024/blob/main/REDAXO%20RCE.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-25468

First published on : 17-02-2024 06:15:54
Last modified on : 17-02-2024 06:15:54

Description :
An issue in TOTOLINK X5000R V.9.1.0u.6369_B20230113 allows a remote attacker to cause a denial of service via the host_time parameter of the NTPSyncWithHost component.

CVE ID : CVE-2024-25468
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/thKim0/totolink | source : cve@mitre.org


Vulnerability ID : CVE-2022-48624

First published on : 19-02-2024 01:15:48
Last modified on : 19-02-2024 01:15:48

Description :
close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE.

CVE ID : CVE-2022-48624
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144 | source : cve@mitre.org
https://github.com/gwsw/less/compare/v605...v606 | source : cve@mitre.org
https://greenwoodsoftware.com/less/ | source : cve@mitre.org


Vulnerability ID : CVE-2020-36774

First published on : 19-02-2024 02:15:47
Last modified on : 19-02-2024 02:15:47

Description :
plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 3.39.x before 3.40.0 mishandles widget rebuilding for GladeGtkBox, leading to a denial of service (application crash).

CVE ID : CVE-2020-36774
Source : cve@mitre.org
CVSS Score : /

References :
https://gitlab.gnome.org/GNOME/glade/-/commit/7acdd3c6f6934f47b8974ebc2190a59ea5d2ed17 | source : cve@mitre.org
https://gitlab.gnome.org/GNOME/glade/-/issues/479 | source : cve@mitre.org


Vulnerability ID : CVE-2024-26318

First published on : 19-02-2024 04:15:07
Last modified on : 19-02-2024 04:15:07

Description :
Serenity before 6.8.0 allows XSS via an email link because LoginPage.tsx permits return URLs that do not begin with a / character.

CVE ID : CVE-2024-26318
Source : cve@mitre.org
CVSS Score : /

References :
https://serenity.is/docs/release-notes/6.8.0 | source : cve@mitre.org


Vulnerability ID : CVE-2024-26327

First published on : 19-02-2024 05:15:22
Last modified on : 19-02-2024 05:15:22

Description :
An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c mishandles the situation where a guest writes NumVFs greater than TotalVFs, leading to a buffer overflow in VF implementations.

CVE ID : CVE-2024-26327
Source : cve@mitre.org
CVSS Score : /

References :
https://lore.kernel.org/all/20240214-reuse-v4-5-89ad093a07f4%40daynix.com/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-26328

First published on : 19-02-2024 05:15:26
Last modified on : 19-02-2024 05:15:26

Description :
An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c does not set NumVFs to PCI_SRIOV_TOTAL_VF, and thus interaction with hw/nvme/ctrl.c is mishandled.

CVE ID : CVE-2024-26328
Source : cve@mitre.org
CVSS Score : /

References :
https://lore.kernel.org/all/20240213055345-mutt-send-email-mst%40kernel.org/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-24722

First published on : 19-02-2024 06:15:07
Last modified on : 19-02-2024 06:15:07

Description :
An unquoted service path vulnerability in the 12d Synergy Server and File Replication Server components may allow an attacker to gain elevated privileges via the 12d Synergy Server and/or 12d Synergy File Replication Server executable service path. This is fixed in 4.3.10.192, 5.1.5.221, and 5.1.6.235.

CVE ID : CVE-2024-24722
Source : cve@mitre.org
CVSS Score : /

References :
https://files.12dsynergy.com/downloads/download.aspx | source : cve@mitre.org
https://help.12dsynergy.com/v1/docs/cve-2024-24722 | source : cve@mitre.org
https://www.12dsynergy.com/security-statement/ | source : cve@mitre.org


Source : wordfence.com

Vulnerability ID : CVE-2024-1444

First published on : 16-02-2024 17:15:08
Last modified on : 16-02-2024 17:15:08

Description :
Rejected reason: Erroneous assignment

CVE ID : CVE-2024-1444
Source : security@wordfence.com
CVSS Score : /

References :


Vulnerability ID : CVE-2024-1515

First published on : 16-02-2024 18:15:07
Last modified on : 16-02-2024 18:15:07

Description :
Rejected reason: Erroneous assignement

CVE ID : CVE-2024-1515
Source : security@wordfence.com
CVSS Score : /

References :


Source : github.com

Vulnerability ID : CVE-2024-25113

First published on : 17-02-2024 22:15:46
Last modified on : 17-02-2024 22:15:46

Description :
Rejected reason: This CVE was misassigned. See CVE-2023-47623 for the canonical reference.

CVE ID : CVE-2024-25113
Source : security-advisories@github.com
CVSS Score : /

References :


Source : huawei.com

Vulnerability ID : CVE-2023-52097

First published on : 18-02-2024 03:15:08
Last modified on : 18-02-2024 03:15:08

Description :
Vulnerability of foreground service restrictions being bypassed in the NMS module.Successful exploitation of this vulnerability may affect service confidentiality.

CVE ID : CVE-2023-52097
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2023-52357

First published on : 18-02-2024 03:15:08
Last modified on : 18-02-2024 03:15:08

Description :
Vulnerability of serialization/deserialization mismatch in the vibration framework.Successful exploitation of this vulnerability may affect availability.

CVE ID : CVE-2023-52357
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52358

First published on : 18-02-2024 03:15:08
Last modified on : 18-02-2024 03:15:08

Description :
Vulnerability of configuration defects in some APIs of the audio module.Successful exploitation of this vulnerability may affect availability.

CVE ID : CVE-2023-52358
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52360

First published on : 18-02-2024 03:15:08
Last modified on : 18-02-2024 03:15:08

Description :
Logic vulnerabilities in the baseband.Successful exploitation of this vulnerability may affect service integrity.

CVE ID : CVE-2023-52360
Source : psirt@huawei.com
CVSS Score : /

References :
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com
https://https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52361

First published on : 18-02-2024 03:15:08
Last modified on : 18-02-2024 03:15:08

Description :
The VerifiedBoot module has a vulnerability that may cause authentication errors.Successful exploitation of this vulnerability may affect integrity.

CVE ID : CVE-2023-52361
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52362

First published on : 18-02-2024 03:15:08
Last modified on : 18-02-2024 03:15:08

Description :
Permission management vulnerability in the lock screen module.Successful exploitation of this vulnerability may affect availability.

CVE ID : CVE-2023-52362
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52363

First published on : 18-02-2024 03:15:08
Last modified on : 18-02-2024 03:15:08

Description :
Vulnerability of defects introduced in the design process in the Control Panel module.Successful exploitation of this vulnerability may cause app processes to be started by mistake.

CVE ID : CVE-2023-52363
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52365

First published on : 18-02-2024 03:15:08
Last modified on : 18-02-2024 03:15:08

Description :
Out-of-bounds read vulnerability in the smart activity recognition module.Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE ID : CVE-2023-52365
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com

Vulnerability : CWE-120


Vulnerability ID : CVE-2023-52387

First published on : 18-02-2024 03:15:08
Last modified on : 18-02-2024 03:15:08

Description :
Resource reuse vulnerability in the GPU module. Successful exploitation of this vulnerability may affect service confidentiality.

CVE ID : CVE-2023-52387
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52366

First published on : 18-02-2024 04:15:07
Last modified on : 18-02-2024 04:15:07

Description :
Out-of-bounds read vulnerability in the smart activity recognition module.Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE ID : CVE-2023-52366
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com

Vulnerability : CWE-120


Vulnerability ID : CVE-2023-52367

First published on : 18-02-2024 04:15:07
Last modified on : 18-02-2024 04:15:07

Description :
Vulnerability of improper access control in the media library module.Successful exploitation of this vulnerability may affect service availability and integrity.

CVE ID : CVE-2023-52367
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52368

First published on : 18-02-2024 04:15:07
Last modified on : 18-02-2024 04:15:07

Description :
Input verification vulnerability in the account module.Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE ID : CVE-2023-52368
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com

Vulnerability : CWE-20


Vulnerability ID : CVE-2023-52369

First published on : 18-02-2024 04:15:07
Last modified on : 18-02-2024 04:15:07

Description :
Stack overflow vulnerability in the NFC module.Successful exploitation of this vulnerability may affect service availability and integrity.

CVE ID : CVE-2023-52369
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52370

First published on : 18-02-2024 04:15:07
Last modified on : 18-02-2024 04:15:07

Description :
Stack overflow vulnerability in the network acceleration module.Successful exploitation of this vulnerability may cause unauthorized file access.

CVE ID : CVE-2023-52370
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com

Vulnerability : CWE-120


Vulnerability ID : CVE-2023-52371

First published on : 18-02-2024 04:15:07
Last modified on : 18-02-2024 04:15:07

Description :
Vulnerability of null references in the motor module.Successful exploitation of this vulnerability may affect availability.

CVE ID : CVE-2023-52371
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com

Vulnerability : CWE-476


Vulnerability ID : CVE-2023-52372

First published on : 18-02-2024 04:15:07
Last modified on : 18-02-2024 04:15:07

Description :
Vulnerability of input parameter verification in the motor module.Successful exploitation of this vulnerability may affect availability.

CVE ID : CVE-2023-52372
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com

Vulnerability : CWE-20


Vulnerability ID : CVE-2023-52373

First published on : 18-02-2024 04:15:08
Last modified on : 18-02-2024 04:15:08

Description :
Vulnerability of permission verification in the content sharing pop-up module.Successful exploitation of this vulnerability may cause unauthorized file sharing.

CVE ID : CVE-2023-52373
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52374

First published on : 18-02-2024 04:15:08
Last modified on : 18-02-2024 04:15:08

Description :
Permission control vulnerability in the package management module.Successful exploitation of this vulnerability may affect service confidentiality.

CVE ID : CVE-2023-52374
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52375

First published on : 18-02-2024 06:15:07
Last modified on : 18-02-2024 06:15:07

Description :
Permission control vulnerability in the WindowManagerServices module.Successful exploitation of this vulnerability may affect availability.

CVE ID : CVE-2023-52375
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52376

First published on : 18-02-2024 06:15:08
Last modified on : 18-02-2024 06:15:08

Description :
Information management vulnerability in the Gallery module.Successful exploitation of this vulnerability may affect service confidentiality.

CVE ID : CVE-2023-52376
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52377

First published on : 18-02-2024 06:15:08
Last modified on : 18-02-2024 06:15:08

Description :
Vulnerability of input data not being verified in the cellular data module.Successful exploitation of this vulnerability may cause out-of-bounds access.

CVE ID : CVE-2023-52377
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com

Vulnerability : CWE-120


Vulnerability ID : CVE-2022-48621

First published on : 18-02-2024 07:15:07
Last modified on : 18-02-2024 07:15:07

Description :
Vulnerability of missing authentication for critical functions in the Wi-Fi module.Successful exploitation of this vulnerability may affect service confidentiality.

CVE ID : CVE-2022-48621
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com

Vulnerability : CWE-306


Vulnerability ID : CVE-2023-52378

First published on : 18-02-2024 07:15:08
Last modified on : 18-02-2024 07:15:08

Description :
Vulnerability of incorrect service logic in the WindowManagerServices module.Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE ID : CVE-2023-52378
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52379

First published on : 18-02-2024 07:15:09
Last modified on : 18-02-2024 07:15:09

Description :
Permission control vulnerability in the calendarProvider module.Successful exploitation of this vulnerability may affect service confidentiality.

CVE ID : CVE-2023-52379
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52380

First published on : 18-02-2024 07:15:09
Last modified on : 18-02-2024 07:15:09

Description :
Vulnerability of improper access control in the email module.Successful exploitation of this vulnerability may affect service confidentiality.

CVE ID : CVE-2023-52380
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com


Vulnerability ID : CVE-2023-52381

First published on : 18-02-2024 07:15:09
Last modified on : 18-02-2024 07:15:09

Description :
Script injection vulnerability in the email module.Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability.

CVE ID : CVE-2023-52381
Source : psirt@huawei.com
CVSS Score : /

References :
https://consumer.huawei.com/en/support/bulletin/2024/2/ | source : psirt@huawei.com
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405 | source : psirt@huawei.com

Vulnerability : CWE-94


Source : apache.org

Vulnerability ID : CVE-2024-26308

First published on : 19-02-2024 09:15:38
Last modified on : 19-02-2024 11:15:09

Description :
Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.

CVE ID : CVE-2024-26308
Source : security@apache.org
CVSS Score : /

References :
http://www.openwall.com/lists/oss-security/2024/02/19/2 | source : security@apache.org
https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg | source : security@apache.org

Vulnerability : CWE-770


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports

Securitricks

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to Securitricks.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.