π¨ CVE-2024-10409
A vulnerability was found in code-projects Blood Bank Management 1.0 and classified as critical. This issue affects some unknown processing of the file /file/accept.php. The manipulation of the argument reqid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
A vulnerability was found in code-projects Blood Bank Management 1.0 and classified as critical. This issue affects some unknown processing of the file /file/accept.php. The manipulation of the argument reqid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
π¨ CVE-2022-23397
The Cedar Gate EZ-NET portal 6.5.5 6.8.0 Internet portal has a call to display messages to users which does not properly sanitize data sent in through a URL parameter. This leads to a Reflected Cross-Site Scripting vulnerability. NOTE: the vendor disputes this because the ado.im reference has "no clear steps of reproduction."
π@cveNotify
The Cedar Gate EZ-NET portal 6.5.5 6.8.0 Internet portal has a call to display messages to users which does not properly sanitize data sent in through a URL parameter. This leads to a Reflected Cross-Site Scripting vulnerability. NOTE: the vendor disputes this because the ado.im reference has "no clear steps of reproduction."
π@cveNotify
π¨ CVE-2022-20264
In Usage Stats Service, there is a possible way to determine whether an app is installed, without query permissions due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
π@cveNotify
In Usage Stats Service, there is a possible way to determine whether an app is installed, without query permissions due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
π@cveNotify
π¨ CVE-2024-25768
OpenDMARC 1.4.2 contains a null pointer dereference vulnerability in /OpenDMARC/libopendmarc/opendmarc_policy.c.
π@cveNotify
OpenDMARC 1.4.2 contains a null pointer dereference vulnerability in /OpenDMARC/libopendmarc/opendmarc_policy.c.
π@cveNotify
GitHub
OpenDMARC_defects/OpenDMARC_detect_1.md at main Β· LuMingYinDetect/OpenDMARC_defects
Contribute to LuMingYinDetect/OpenDMARC_defects development by creating an account on GitHub.
π¨ CVE-2024-25551
Cross Site Scripting (XSS) vulnerability in sourcecodester Simple Student Attendance System v1.0 allows attackers to execute arbitrary code via crafted GET request to web application URL.
π@cveNotify
Cross Site Scripting (XSS) vulnerability in sourcecodester Simple Student Attendance System v1.0 allows attackers to execute arbitrary code via crafted GET request to web application URL.
π@cveNotify
π¨ CVE-2024-20030
In da, there is a possible information disclosure due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541632; Issue ID: ALPS08541741.
π@cveNotify
In da, there is a possible information disclosure due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541632; Issue ID: ALPS08541741.
π@cveNotify
MediaTek
March 2024
π¨ CVE-2024-25614
There is an arbitrary file deletion vulnerability in the CLI used by ArubaOS. Successful exploitation of this vulnerability results in the ability to delete arbitrary files on the underlying operating system, which could lead to denial-of-service conditions and impact the integrity of the controller.
π@cveNotify
There is an arbitrary file deletion vulnerability in the CLI used by ArubaOS. Successful exploitation of this vulnerability results in the ability to delete arbitrary files on the underlying operating system, which could lead to denial-of-service conditions and impact the integrity of the controller.
π@cveNotify
π¨ CVE-2024-10228
The Vagrant VMWare Utility Windows installer targeted a custom location with a non-protected path that could be modified by an unprivileged user, introducing potential for unauthorized file system writes. This vulnerability, CVE-2024-10228, was fixed in Vagrant VMWare Utility 1.0.23
π@cveNotify
The Vagrant VMWare Utility Windows installer targeted a custom location with a non-protected path that could be modified by an unprivileged user, introducing potential for unauthorized file system writes. This vulnerability, CVE-2024-10228, was fixed in Vagrant VMWare Utility 1.0.23
π@cveNotify
HashiCorp Discuss
HCSEC-2024-25 - Vagrant VMWare Utility installation files vulnerable to modification by unprivileged user
Bulletin ID: HCSEC-2024-25 Affected Products / Versions: Vagrant VMWare utility <= 1.0.22, fixed in 1.0.23 Publication Date: October 29, 2024 Summary The Vagrant VMWare Utility Windows installer targeted a custom location with a non-protected path thatβ¦
π¨ CVE-2024-10487
Out of bounds write in Dawn in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)
π@cveNotify
Out of bounds write in Dawn in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)
π@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 130.0.6723.91/.92 for Windows, Mac and 130.0.6723.91 for Linux which will roll out over the coming da...
π¨ CVE-2024-10488
Use after free in WebRTC in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
π@cveNotify
Use after free in WebRTC in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
π@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 130.0.6723.91/.92 for Windows, Mac and 130.0.6723.91 for Linux which will roll out over the coming da...
π¨ CVE-2024-44080
In Jitsi Meet before 2.0.9779, the functionality to share an image using giphy was implemented in an insecure way, resulting in clients loading GIFs from any arbitrary URL if a message from another participant contains a URL encoded in the expected format.
π@cveNotify
In Jitsi Meet before 2.0.9779, the functionality to share an image using giphy was implemented in an insecure way, resulting in clients loading GIFs from any arbitrary URL if a message from another participant contains a URL encoded in the expected format.
π@cveNotify
GitHub
Comparing jitsi-meet_9672...jitsi-meet_9673 Β· jitsi/jitsi-meet
Jitsi Meet - Secure, Simple and Scalable Video Conferences that you use as a standalone app or embed in your web application. - Comparing jitsi-meet_9672...jitsi-meet_9673 Β· jitsi/jitsi-meet
π¨ CVE-2024-44081
In Jitsi Meet before 2.0.9779, the functionality to share a video file was implemented in an insecure way, resulting in clients loading videos from an arbitrary URL if a message from another participant contains a URL encoded in the expected format.
π@cveNotify
In Jitsi Meet before 2.0.9779, the functionality to share a video file was implemented in an insecure way, resulting in clients loading videos from an arbitrary URL if a message from another participant contains a URL encoded in the expected format.
π@cveNotify
GitHub
Comparing jitsi-meet_9672...jitsi-meet_9673 Β· jitsi/jitsi-meet
Jitsi Meet - Secure, Simple and Scalable Video Conferences that you use as a standalone app or embed in your web application. - Comparing jitsi-meet_9672...jitsi-meet_9673 Β· jitsi/jitsi-meet
π¨ CVE-2024-48138
A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template.
π@cveNotify
A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template.
π@cveNotify
GitHub
In PluXml v5.8.16 or lower, after logging in to the backend, there are any file modifications that can cause a Trojan to be writtenβ¦
Software Link :https://github.com/pluxml/PluXml Website : https://pluxml.org/After the installation is complete, log in as admin, open the page Here you can modify the theme code in the theme folde...
π¨ CVE-2024-44229
An information leakage was addressed with additional validation. This issue is fixed in visionOS 2.1, iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1, Safari 18.1. Private browsing may leak some browsing history.
π@cveNotify
An information leakage was addressed with additional validation. This issue is fixed in visionOS 2.1, iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1, Safari 18.1. Private browsing may leak some browsing history.
π@cveNotify
Apple Support
About the security content of iOS 18.1 and iPadOS 18.1 - Apple Support
This document describes the security content of iOS 18.1 and iPadOS 18.1.
π¨ CVE-2024-44244
A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 18.1 and iPadOS 18.1, watchOS 11.1, visionOS 2.1, tvOS 18.1, macOS Sequoia 15.1, Safari 18.1. Processing maliciously crafted web content may lead to an unexpected process crash.
π@cveNotify
A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 18.1 and iPadOS 18.1, watchOS 11.1, visionOS 2.1, tvOS 18.1, macOS Sequoia 15.1, Safari 18.1. Processing maliciously crafted web content may lead to an unexpected process crash.
π@cveNotify
Apple Support
About the security content of iOS 18.1 and iPadOS 18.1 - Apple Support
This document describes the security content of iOS 18.1 and iPadOS 18.1.
π¨ CVE-2024-44259
This issue was addressed through improved state management. This issue is fixed in iOS 17.7.1 and iPadOS 17.7.1, visionOS 2.1, iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1, Safari 18.1. An attacker may be able to misuse a trust relationship to download malicious content.
π@cveNotify
This issue was addressed through improved state management. This issue is fixed in iOS 17.7.1 and iPadOS 17.7.1, visionOS 2.1, iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1, Safari 18.1. An attacker may be able to misuse a trust relationship to download malicious content.
π@cveNotify
Apple Support
About the security content of iOS 18.1 and iPadOS 18.1 - Apple Support
This document describes the security content of iOS 18.1 and iPadOS 18.1.
π¨ CVE-2024-44296
The issue was addressed with improved checks. This issue is fixed in tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, watchOS 11.1, visionOS 2.1, macOS Sequoia 15.1, Safari 18.1. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
π@cveNotify
The issue was addressed with improved checks. This issue is fixed in tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, watchOS 11.1, visionOS 2.1, macOS Sequoia 15.1, Safari 18.1. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
π@cveNotify
Apple Support
About the security content of iOS 18.1 and iPadOS 18.1 - Apple Support
This document describes the security content of iOS 18.1 and iPadOS 18.1.
π¨ CVE-2024-50348
InstantCMS is a free and open source content management system. In photo upload function in the photo album page there is no input validation taking place. Due to this attackers are able to inject the XSS (Cross Site Scripting) payload and execute. This vulnerability is fixed in 2.16.3.
π@cveNotify
InstantCMS is a free and open source content management system. In photo upload function in the photo album page there is no input validation taking place. Due to this attackers are able to inject the XSS (Cross Site Scripting) payload and execute. This vulnerability is fixed in 2.16.3.
π@cveNotify
GitHub
GHSA-f6cf-jg84-fw29 Β· instantsoft/icms2@e02de2f
Self-hosted Site Management System. Contribute to instantsoft/icms2 development by creating an account on GitHub.
π¨ CVE-2024-51378
getresetstatus in dns/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
π@cveNotify
getresetstatus in dns/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
π@cveNotify
cwe.mitre.org
CWE -
CWE-420: Unprotected Alternate Channel (4.18)
CWE-420: Unprotected Alternate Channel (4.18)
Common Weakness Enumeration (CWE) is a list of software weaknesses.
π¨ CVE-2024-51378
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
π@cveNotify
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
π@cveNotify
cwe.mitre.org
CWE -
CWE-420: Unprotected Alternate Channel (4.18)
CWE-420: Unprotected Alternate Channel (4.18)
Common Weakness Enumeration (CWE) is a list of software weaknesses.
π¨ CVE-2024-10500
A vulnerability, which was classified as critical, has been found in ESAFENET CDG 5. Affected by this issue is some unknown functionality of the file /com/esafenet/servlet/policy/HookWhiteListService.java. The manipulation of the argument policyId leads to sql injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
π@cveNotify
A vulnerability, which was classified as critical, has been found in ESAFENET CDG 5. Affected by this issue is some unknown functionality of the file /com/esafenet/servlet/policy/HookWhiteListService.java. The manipulation of the argument policyId leads to sql injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
π@cveNotify
flowus.cn
ESAFENET CDG V5 HookWhiteList AddHookWhiteList interface has an SQL injection vulnerability in the policyId.
officialwebsite:https://www.esafenet.comproduct:https://www.esafenet.com/dzwdaqglxtAffectedversion:V5VulnerabilityPOCPla