Month: March 2024

alerts

Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094

Post author By admin
Post date March 29, 2024

CISA and the open source community are responding to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1. This activity was assigned CVE-2024-3094. XZ Utils is data compression software and may be present in Linux distributions. The malicious code may allow unauthorized access to affected systems.

CISA recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable—hunt for any malicious activity and report any positive findings to CISA.

See the following advisory for more information:

Red Hat: Urgent security alert for Fedora 41 and Rawhide users

alerts

Apple Released Security Updates for Safari and macOS

Post author By admin
Post date March 27, 2024

Apple released security updates to address a vulnerability (CVE-2024-1580) in Safari and macOS. A cyber threat actor could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review the following advisories and apply the necessary updates:

alerts

Vulnerability Summary for the Week of March 18, 2024

Post author By admin
Post date March 26, 2024

High Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
N/A — N/A	Directory Traversal vulnerability in Devan-Kerman ARRP v.0.8.1 and before allows a remote attacker to execute arbitrary code via the dumpDirect in RuntimeResourcePackImpl component.	2024-03-19	8.8	CVE-2024-24042 cve@mitre.org cve@mitre.org
N/A — N/A	danielmiessler fabric through 1.3.0 allows installer/client/gui/static/js/index.js XSS because of innerHTML mishandling, such as in htmlToPlainText.	2024-03-18	7.4	CVE-2024-29154 cve@mitre.org
aam — advanced_access_manager	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in AAM Advanced Access Manager allows Reflected XSS.This issue affects Advanced Access Manager: from n/a through 6.9.20.	2024-03-19	7.1	CVE-2024-29127 audit@patchstack.com
abast — scan_visio_edocument_suite_web_viewer	A SQL Injection has been found on SCAN_VISIO eDocument Suite Web Viewer of Abast. This vulnerability allows an unauthenticated user to retrieve, update and delete all the information of database. This vulnerability was found on login page via “user” parameter.	2024-03-21	9.8	CVE-2024-29732 cve-coordination@incibe.es
acryldata — datahub-helm	datahub-helm provides the Kubernetes Helm charts for deploying Datahub and its dependencies on a Kubernetes cluster. Starting in version 0.1.143 and prior to version 0.2.182, due to configuration issues in the helm chart, if there was a successful initial deployment during a limited window of time, personal access tokens were possibly created with a default secret key. Since the secret key is a static, publicly available value, someone could inspect the algorithm used to generate personal access tokens and generate their own for an instance. Deploying with Metadata Service Authentication enabled would have been difficult during window of releases. If someone circumvented the helm settings and manually set Metadata Service Authentication to be enabled using environment variables directly, this would skip over the autogeneration logic for the Kubernetes Secrets and DataHub GMS would default to the signing key specified statically in the application.yml. Most deployments probably did not attempt to circumvent the helm settings to enable Metadata Service Authentication during this time, so impact is most likely limited. Any deployments with Metadata Service Authentication enabled should ensure that their secret values are properly randomized. Version 0.2.182 contains a patch for this issue. As a workaround, one may reset the token signing key to be a random value, which will invalidate active personal access tokens.	2024-03-20	9.1	CVE-2024-29037 security-advisories@github.com security-advisories@github.com
adobe — animate	Animate versions 24.0, 23.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.	2024-03-18	7.8	CVE-2024-20761 psirt@adobe.com
adobe — bridge	Bridge versions 13.0.5, 14.0.1 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.	2024-03-18	7.8	CVE-2024-20752 psirt@adobe.com
adobe — bridge	Bridge versions 13.0.5, 14.0.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.	2024-03-18	7.8	CVE-2024-20755 psirt@adobe.com
adobe — bridge	Bridge versions 13.0.5, 14.0.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.	2024-03-18	7.8	CVE-2024-20756 psirt@adobe.com
adobe — coldfusion	ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write. Exploitation of this issue does not require user interaction.	2024-03-18	8.2	CVE-2024-20767 psirt@adobe.com
adobe — lightroom_desktop	Lightroom Desktop versions 7.1.2 and earlier are affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue requires user interaction in that a victim must open a malicious file.	2024-03-18	7.5	CVE-2024-20754 psirt@adobe.com
adobe — premiere_pro	Premiere Pro versions 24.1, 23.6.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.	2024-03-18	7.8	CVE-2024-20745 psirt@adobe.com
adobe — premiere_pro	Premiere Pro versions 24.1, 23.6.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.	2024-03-18	7.8	CVE-2024-20746 psirt@adobe.com
amssplus — amss++	Vulnerability in AMSS++ version 4.31 that allows SQL injection through /amssplus/modules/book/main/select_send.php, in the ‘sd_index’ parameter. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the DB.	2024-03-18	8.2	CVE-2024-2584 cve-coordination@incibe.es
amssplus — amss++	File upload restriction evasion vulnerability in AMSS++ version 4.31. This vulnerability could allow an authenticated user to potentially obtain RCE through webshell, compromising the entire infrastructure.	2024-03-18	9.9	CVE-2024-2599 cve-coordination@incibe.es
amssplus — amss++	Vulnerability in AMSS++ version 4.31 that allows SQL injection through /amssplus/modules/book/main/select_send_2.php, in the ‘sd_index’ parameter. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the DB.	2024-03-18	8.2	CVE-2024-2585 cve-coordination@incibe.es
amssplus — amss++	Vulnerability in AMSS++ version 4.31 that allows SQL injection through /amssplus/index.php, in the ‘username’ parameter. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the DB.	2024-03-18	8.2	CVE-2024-2586 cve-coordination@incibe.es
amssplus — amss++	Vulnerability in AMSS++ version 4.31 that allows SQL injection through /amssplus/modules/book/main/bookdetail_khet_person.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the DB.	2024-03-18	8.2	CVE-2024-2587 cve-coordination@incibe.es
amssplus — amss++	Vulnerability in AMSS++ version 4.31 that allows SQL injection through /amssplus/admin/index.php, in the ‘id’ parameter. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the DB.	2024-03-18	8.2	CVE-2024-2588 cve-coordination@incibe.es
amssplus — amss++	Vulnerability in AMSS++ version 4.31 that allows SQL injection through /amssplus/modules/book/main/bookdetail_school_person.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the DB.	2024-03-18	8.2	CVE-2024-2589 cve-coordination@incibe.es
amssplus — amss++	Vulnerability in AMSS++ version 4.31 that allows SQL injection through /amssplus/modules/mail/main/select_send.php, in the ‘sd_index’ parameter. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the DB.	2024-03-18	8.2	CVE-2024-2590 cve-coordination@incibe.es
amssplus — amss++	Vulnerability in AMSS++ version 4.31 that allows SQL injection through /amssplus/modules/book/main/bookdetail_group.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the DB.	2024-03-18	8.2	CVE-2024-2591 cve-coordination@incibe.es
amssplus — amss++	Vulnerability in AMSS++ version 4.31 that allows SQL injection through /amssplus/modules/person/pic_show.php, in the ‘person_id’ parameter. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the DB.	2024-03-18	8.2	CVE-2024-2592 cve-coordination@incibe.es
amssplus — amss++	Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /amssplus/modules/book/main/bookdetail_group.php, in the ‘b_id’ parameter. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.	2024-03-18	7.1	CVE-2024-2593 cve-coordination@incibe.es
amssplus — amss++	Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /amssplus/admin/index.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.	2024-03-18	7.1	CVE-2024-2594 cve-coordination@incibe.es
amssplus — amss++	Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /amssplus/modules/book/main/bookdetail_khet_person.php, in the ‘b_id’ parameter. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.	2024-03-18	7.1	CVE-2024-2595 cve-coordination@incibe.es
amssplus — amss++	Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /amssplus/modules/mail/main/select_send.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.	2024-03-18	7.1	CVE-2024-2596 cve-coordination@incibe.es
amssplus — amss++	Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /amssplus/modules/book/main/bookdetail_school_person.php, in the ‘b_id’ parameter. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.	2024-03-18	7.1	CVE-2024-2597 cve-coordination@incibe.es
amssplus — amss++	Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /amssplus/modules/book/main/select_send_2.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.	2024-03-18	7.1	CVE-2024-2598 cve-coordination@incibe.es
apollographql — router	The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router evaluate the `limits.http_max_request_bytes` configuration option after the entirety of the compressed payload is decompressed. If affected versions of the Router receive highly compressed payloads, this could result in significant memory consumption while the compressed payload is expanded. Router version 1.40.2 has a fix for the vulnerability. Those who are unable to upgrade may be able to implement mitigations at proxies or load balancers positioned in front of their Router fleet (e.g. Nginx, HAProxy, or cloud-native WAF services) by creating limits on HTTP body upload size.	2024-03-21	7.5	CVE-2024-28101 security-advisories@github.com security-advisories@github.com
argoproj — argo_cd	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application’s brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.	2024-03-18	9.8	CVE-2024-21652 security-advisories@github.com
argoproj — argo_cd	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment. The vulnerability is rooted in the application’s code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes. This is a Denial of Service (DoS) vulnerability. Any attacker can crash the application continuously, making it impossible for legitimate users to access the service. The issue is exacerbated because it does not require authentication, widening the pool of potential attackers. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.	2024-03-18	7.5	CVE-2024-21661 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
argoproj — argo_cd	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application’s weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a patch for CVE-2020-8827 intended to protect against brute-force attacks. The application’s brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account’s failed attempts and effectively resetting the rate limit for that account. This is a severe vulnerability that enables attackers to perform brute force attacks at an accelerated rate, especially targeting the default admin account. Users should upgrade to version 2.8.13, 2.9.9, or 2.10.4 to receive a patch.	2024-03-18	7.5	CVE-2024-21662 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
astropy — astropy	Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.	2024-03-18	8.4	CVE-2023-41334 security-advisories@github.com security-advisories@github.com security-advisories@github.com
cegid — meta4_hr	An Unrestricted Upload of File vulnerability has been found on Cegid Meta4 HR, that allows an attacker to upload malicios files to the server via ‘/config/espanol/update_password.jsp’ file. Modifying the ‘M4_NEW_PASSWORD’ parameter, an attacker could store a malicious JSP file inside the file directory, to be executed the the file is loaded in the application.	2024-03-19	9	CVE-2024-2636 cve-coordination@incibe.es
cegid — meta4_hr	A Information Exposure Vulnerability has been found on Meta4 HR. This vulnerability allows an attacker to obtain a lot of information about the application such as the variables set in the process, the Tomcat versions, library versions and underlying operation system via HTTP GET ‘/sitetest/english/dumpenv.jsp’.	2024-03-19	7.5	CVE-2024-2632 cve-coordination@incibe.es
cegid — meta4_hr	The configuration pages available are not intended to be placed on an Internet facing web server, as they expose file paths to the client, who can be an attacker. Instead of rewriting these pages to avoid this vulnerability, they will be dismissed from future releases of Cegid Meta4 HR, as they do not offer product functionality	2024-03-19	7.3	CVE-2024-2635 cve-coordination@incibe.es
checkmk_gmbh — checkmk	Least privilege violation in the Checkmk agent plugins mk_oracle, mk_oracle.ps1, and mk_oracle_crs before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges.	2024-03-22	8.2	CVE-2024-0638 security@checkmk.com
checkmk_gmbh — checkmk	Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges.	2024-03-22	8.8	CVE-2024-28824 security@checkmk.com
chirp_systems — chirp_access	Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access.	2024-03-20	9.1	CVE-2024-2197 ics-cert@hq.dhs.gov
ciges — cigesv2	SQL injection vulnerability in the CIGESv2 system, through /ajaxConfigTotem.php, in the ‘id’ parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.	2024-03-22	9.8	CVE-2024-2722 cve-coordination@incibe.es
ciges — cigesv2	SQL injection vulnerability in the CIGESv2 system, through /ajaxSubServicios.php, in the ‘idServicio’ parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.	2024-03-22	9.8	CVE-2024-2723 cve-coordination@incibe.es
ciges — cigesv2	SQL injection vulnerability in the CIGESv2 system, through /ajaxServiciosAtencion.php, in the ‘idServicio’ parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.	2024-03-22	9.8	CVE-2024-2724 cve-coordination@incibe.es
ciges — cigesv2	Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application.	2024-03-22	7.5	CVE-2024-2725 cve-coordination@incibe.es
cilium — cilium	Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.13.9 and prior to versions 1.13.13, 1.14.8, and 1.15.2, Cilium’s HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped. This issue has been patched in Cilium 1.15.2, 1.14.8, and 1.13.13. There are no known workarounds for this issue.	2024-03-18	7.2	CVE-2024-28248 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
cimatti_consulting — contact_forms_by_cimatti	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Cimatti Consulting Contact Forms by Cimatti allows Stored XSS.This issue affects Contact Forms by Cimatti: from n/a through 1.7.0.	2024-03-19	7.1	CVE-2024-29117 audit@patchstack.com
codekraft — antispam_for_contact_form_7	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Codekraft AntiSpam for Contact Form 7 allows Reflected XSS.This issue affects AntiSpam for Contact Form 7: from n/a through 0.6.0.	2024-03-17	7.1	CVE-2024-27961 audit@patchstack.com
coder — coder	Coder allows oragnizations to provision remote development environments via Terraform. Prior to versions 2.6.1, 2.7.3, and 2.8.4, a vulnerability in Coder’s OIDC authentication could allow an attacker to bypass the `CODER_OIDC_EMAIL_DOMAIN` verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider. During OIDC registration, the user’s email was improperly validated against the allowed `CODER_OIDC_EMAIL_DOMAIN`s. This could allow a user with a domain that only partially matched an allowed domain to successfully login or register. An attacker could register a domain name that exploited this vulnerability and register on a Coder instance with a public OIDC provider. Coder instances with OIDC enabled and protected by the `CODER_OIDC_EMAIL_DOMAIN` configuration are affected. Coder instances using a private OIDC provider are not affected, as arbitrary users cannot register through a private OIDC provider without first having an account on the provider. Public OIDC providers are impacted. GitHub authentication and external authentication are not impacted. This vulnerability is remedied in versions 2.8.4, 2.7.3, and 2.6.1 All versions prior to these patches are affected by the vulnerability.*It is recommended that customers upgrade their deployments as soon as possible if they are utilizing OIDC authentication with the `CODER_OIDC_EMAIL_DOMAIN` setting.	2024-03-21	8.2	CVE-2024-27918 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
dassault_syst-mes — solidworks_desktop	Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in SOLIDWORKS Desktop on Release SOLIDWORKS 2024. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted CATPART, DWG, DXF, IPT, JT, SAT, SLDDRW, SLDPRT, STL, STP, X_B or X_T file.	2024-03-22	7.8	CVE-2024-1848 3DS.Information-Security@3ds.com
dell — poweredge_platform	Dell PowerEdge Server BIOS contains a heap-based buffer overflow vulnerability. A local high privileged attacker could potentially exploit this vulnerability to write to otherwise unauthorized memory.	2024-03-19	7.2	CVE-2024-22453 security_alert@emc.com
delta_electronics — diaenergie	SQL injection vulnerability exists in GetDIAE_unListParameters.	2024-03-21	8.8	CVE-2024-23494 ics-cert@hq.dhs.gov
delta_electronics — diaenergie	SQL injection vulnerability exists in GetDIAE_slogListParameters.	2024-03-21	8.8	CVE-2024-23975 ics-cert@hq.dhs.gov
delta_electronics — diaenergie	Path traversal attack is possible and write outside of the intended directory and may access sensitive information. If a file name is specified that already exists on the file system, then the original file will be overwritten.	2024-03-21	8.1	CVE-2024-25567 ics-cert@hq.dhs.gov
delta_electronics — diaenergie	SQL injection vulnerability exists in the script DIAE_tagHandler.ashx.	2024-03-21	8.8	CVE-2024-25937 ics-cert@hq.dhs.gov
delta_electronics — diaenergie	Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.	2024-03-21	8.8	CVE-2024-28029 ics-cert@hq.dhs.gov
delta_electronics — diaenergie	SQL injection vulnerability exists in GetDIAE_astListParameters.	2024-03-21	8.8	CVE-2024-28040 ics-cert@hq.dhs.gov
delta_electronics — diaenergie	It is possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten.	2024-03-21	8.1	CVE-2024-28171 ics-cert@hq.dhs.gov
delta_electronics — diaenergie	SQL injection vulnerability exists in the script Handler_CFG.ashx.	2024-03-21	8.8	CVE-2024-28891 ics-cert@hq.dhs.gov
denoland — deno	Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together. Use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs. Version 1.39.1 fixes the bug.	2024-03-21	8.2	CVE-2024-27933 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
denoland — deno	Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of inherently unsafe `const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, resulting in arbitrary code execution. Use of inherently unsafe `const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, which is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable for both `*const c_void` and `ExternalPointer` implementations. Version 1.40.3 fixes this issue.	2024-03-21	8.4	CVE-2024-27934 security-advisories@github.com
denoland — deno	Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41 of the deno_runtime library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41 of the deno_runtime library contains a patch for the issue.	2024-03-21	8.8	CVE-2024-27936 security-advisories@github.com security-advisories@github.com security-advisories@github.com
denoland — deno	Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno’s Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.	2024-03-21	7.2	CVE-2024-27935 security-advisories@github.com security-advisories@github.com security-advisories@github.com
dev_institute — restrict_user_access_-_membership_plugin_with_force	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in DEV Institute Restrict User Access – Membership Plugin with Force allows Reflected XSS.This issue affects Restrict User Access – Membership Plugin with Force: from n/a through 2.5.	2024-03-19	7.1	CVE-2024-29138 audit@patchstack.com
django-wiki — django-wiki	django-wiki is a wiki system for Django. Installations of django-wiki prior to version 0.10.1 are vulnerable to maliciously crafted article content that can cause severe use of server CPU through a regular expression loop. Version 0.10.1 fixes this issue. As a workaround, close off access to create and edit articles by anonymous users.	2024-03-18	7.5	CVE-2024-28865 security-advisories@github.com security-advisories@github.com
dnesscarkey — wp_armour_-_honeypot_anti_spam	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Dnesscarkey WP Armour – Honeypot Anti Spam allows Reflected XSS.This issue affects WP Armour – Honeypot Anti Spam: from n/a through 2.1.13.	2024-03-19	7.1	CVE-2024-29091 audit@patchstack.com
elliot_sowersby,_relywp — coupon_affiliates	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Elliot Sowersby, RelyWP Coupon Affiliates allows Reflected XSS.This issue affects Coupon Affiliates: from n/a through 5.12.7.	2024-03-19	7.1	CVE-2024-29125 audit@patchstack.com
eprosima — fast_dds	eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8, manipulated DATA Submessage can cause a heap overflow error in the Fast-DDS process, causing the process to be terminated remotely. Additionally, the payload_size in the DATA Submessage packet is declared as uint32_t. When a negative number, such as -1, is input into this variable, it results in an Integer Overflow (for example, -1 gets converted to 0xFFFFFFFF). This eventually leads to a heap-buffer-overflow, causing the program to terminate. Versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8 contain a fix for this issue.	2024-03-20	9.6	CVE-2024-28231 security-advisories@github.com security-advisories@github.com
evergreen_content_poster — evergreen_content_poster	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Evergreen Content Poster allows Reflected XSS.This issue affects Evergreen Content Poster: from n/a through 1.4.1.	2024-03-19	7.1	CVE-2024-29099 audit@patchstack.com
firassaidi — woocommerce_license_manager	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Firassaidi WooCommerce License Manager allows Reflected XSS.This issue affects WooCommerce License Manager: from n/a through 5.3.1.	2024-03-19	7.1	CVE-2024-29121 audit@patchstack.com
firebirdsql — firebird	Firebird is a relational database. Versions 4.0.0 through 4.0.3 and version 5.0 beta1 are vulnerable to a server crash when a user uses a specific form of SET BIND statement. Any non-privileged user with minimum access to a server may type a statement with a long `CHAR` length, which causes the server to crash due to stack corruption. Versions 4.0.4.2981 and 5.0.0.117 contain fixes for this issue. No known workarounds are available.	2024-03-20	7.5	CVE-2023-41038 security-advisories@github.com security-advisories@github.com
florian_’fkrauthan’_krauthan — wp_mpdf	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Florian ‘fkrauthan’ Krauthan allows Reflected XSS.This issue affects wp-mpdf: from n/a through 3.7.1.	2024-03-21	7.1	CVE-2024-27962 audit@patchstack.com
franklin_fueling_system — evo_550	Franklin Fueling System EVO 550 and EVO 5000 are vulnerable to a Path Traversal vulnerability that could allow an attacker to access sensitive files on the system.	2024-03-19	7.5	CVE-2024-2442 ics-cert@hq.dhs.gov
frappe — frappe	Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available.	2024-03-21	8.1	CVE-2024-27105 security-advisories@github.com
frappe — frappe	Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn’t have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available.	2024-03-21	7.5	CVE-2024-24813 security-advisories@github.com
freescout-helpdesk — freescout	FreeScout is a self-hosted help desk and shared mailbox. Versions prior to 1.8.128 are vulnerable to OS Command Injection in the /public/tools.php source file. The value of the php_path parameter is being executed as an OS command by the shell_exec function, without validating it. This allows an adversary to execute malicious OS commands on the server. A practical demonstration of the successful command injection attack extracted the /etc/passwd file of the server. This represented the complete compromise of the server hosting the FreeScout application. This attack requires an attacker to know the `App_Key` of the application. This limitation makes the Attack Complexity to be High. If an attacker gets hold of the `App_Key`, the attacker can compromise the Complete server on which the application is deployed. Version 1.8.128 contains a patch for this issue.	2024-03-22	9	CVE-2024-29185 security-advisories@github.com
freescout-helpdesk — freescout	FreeScout is a self-hosted help desk and shared mailbox. A Stored Cross-Site Scripting (XSS) vulnerability has been identified within the Signature Input Field of the FreeScout Application prior to version 1.8.128. Stored XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious scripts that will be executed when other users access the affected page. In this case, the Support Agent User can inject malicious scripts into their signature, which will then be executed when viewed by the Administrator. The application protects users against XSS attacks by enforcing a CSP policy, the CSP Policy is: `script-src ‘self’ ‘nonce-abcd’ `. The CSP policy only allows the inclusion of JS files that are present on the application server and doesn’t allow any inline script or script other than nonce-abcd. The CSP policy was bypassed by uploading a JS file to the server by a POST request to /conversation/upload endpoint. After this, a working XSS payload was crafted by including the uploaded JS file link as the src of the script. This bypassed the CSP policy and XSS attacks became possible. The impact of this vulnerability is severe as it allows an attacker to compromise the FreeScout Application. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. Alternatively, the attacker can elevate the privileges of a low-privileged user to Administrator, further compromising the security of the application. Attackers can steal sensitive information such as login credentials, session tokens, personal identifiable information (PII), and financial data. The vulnerability can also lead to defacement of the Application. Version 1.8.128 contains a patch for this issue.	2024-03-22	8	CVE-2024-29184 security-advisories@github.com
friendsofsymfony1 — symfony1	Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Starting in version 1.1.0 and prior to version 1.5.19, Symfony 1 has a gadget chain due to dangerous deserialization in `sfNamespacedParameterHolder` class that would enable an attacker to get remote code execution if a developer deserializes user input in their project. Version 1.5.19 contains a patch for the issue.	2024-03-22	9.8	CVE-2024-28861 security-advisories@github.com security-advisories@github.com
fujian_kelixin_communication — command_and_dispatch_platform	A vulnerability was found in Fujian Kelixin Communication Command and Dispatch Platform up to 20240313. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file api/client/get_extension_yl.php. The manipulation of the argument imei leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257065 was assigned to this vulnerability.	2024-03-17	7.3	CVE-2024-2566 cna@vuldb.com cna@vuldb.com cna@vuldb.com
geoserver — geoserver	GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A path traversal vulnerability in versions 2.23.4 and prior requires GeoServer Administrator with access to the admin console to misconfigure the Global Settings for log file location to an arbitrary location. The admin console GeoServer Logs page provides a preview of these contents. As this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not received a patch as of time of publication. As a workaround, a system administrator responsible for running GeoServer can use the `GEOSERVER_LOG_FILE` setting to override any configuration option provided by the Global Settings page. The `GEOSERVER_LOG_LOCATION` parameter can be set as system property, environment variables, or servlet context parameters.	2024-03-20	7.2	CVE-2023-41877 security-advisories@github.com security-advisories@github.com
geoserver — geoserver	GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file upload vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with permissions to modify coverage stores through the REST Coverage Store API to upload arbitrary file contents to arbitrary file locations which can lead to remote code execution. Coverage stores that are configured using relative paths use a GeoServer Resource implementation that has validation to prevent path traversal but coverage stores that are configured using absolute paths use a different Resource implementation that does not prevent path traversal. This vulnerability can lead to executing arbitrary code. An administrator with limited privileges could also potentially exploit this to overwrite GeoServer security files and obtain full administrator privileges. Versions 2.23.4 and 2.24.1 contain a fix for this issue.	2024-03-20	7.2	CVE-2023-51444 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
gesundheit_bewegt_gmbh — zippy	Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy.This issue affects Zippy: from n/a through 1.6.9.	2024-03-21	8.8	CVE-2024-27964 audit@patchstack.com
getgrav — grav	Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical security flaw poses severe risks, that can allow attackers to inject arbitrary code on the server, undermine integrity of backup files by overwriting existing files or creating new ones, and exfiltrate sensitive data using CSS exfiltration techniques. Upgrading to patched version 1.7.45 can mitigate the issue.	2024-03-21	8.8	CVE-2024-27921 security-advisories@github.com security-advisories@github.com
getgrav — grav	Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the `frontmatter` feature due to insufficient permission validation and inadequate file name validation. This may lead to remote code execution. Version 1.7.43 fixes this issue.	2024-03-21	8.8	CVE-2024-27923 security-advisories@github.com security-advisories@github.com
getgrav — grav	Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.	2024-03-21	8.8	CVE-2024-28116 security-advisories@github.com security-advisories@github.com
getgrav — grav	Grav is an open-source, flat-file content management system. Prior to version 1.7.45, Grav validates accessible functions through the Utils::isDangerousFunction function, but does not impose restrictions on twig functions like twig_array_map, allowing attackers to bypass the validation and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Upgrading to patched version 1.7.45 can mitigate this issue.	2024-03-21	8.8	CVE-2024-28117 security-advisories@github.com security-advisories@github.com
getgrav — grav	Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from Grav context, an attacker can redefine config variable. As a result, attacker can bypass a previous SSTI mitigation. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a fix for this issue.	2024-03-21	8.8	CVE-2024-28118 security-advisories@github.com security-advisories@github.com
getgrav — grav	Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a patch for this issue.	2024-03-21	8.8	CVE-2024-28119 security-advisories@github.com security-advisories@github.com security-advisories@github.com
github — enterprise_server	An attacker with an Administrator role in GitHub Enterprise Server could gain SSH root access via remote code execution. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.17, 3.9.12, 3.10.9, 3.11.7 and 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program.	2024-03-20	8	CVE-2024-2469 product-cna@github.com product-cna@github.com product-cna@github.com product-cna@github.com product-cna@github.com
github — github_enterprise_server	A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when configuring GeoJSON settings. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.13 and was fixed in versions 3.8.17, 3.9.12, 3.10.9, 3.11.7, and 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program.	2024-03-20	9.1	CVE-2024-2443 product-cna@github.com product-cna@github.com product-cna@github.com product-cna@github.com product-cna@github.com
glpi-project — glpi	GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in version 10.0.13.	2024-03-18	7.7	CVE-2024-27096 security-advisories@github.com security-advisories@github.com security-advisories@github.com
hasthemes — extensions_for_cf7	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in HasThemes Extensions For CF7 allows Stored XSS.This issue affects Extensions For CF7: from n/a through 3.0.6.	2024-03-19	7.1	CVE-2024-29102 audit@patchstack.com
hasthemes — ht_easy_ga4_(_google_analytics_4_)	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in HasThemes HT Easy GA4 ( Google Analytics 4 ) allows Stored XSS.This issue affects HT Easy GA4 ( Google Analytics 4 ): from n/a through 1.1.7.	2024-03-19	7.1	CVE-2024-29094 audit@patchstack.com
i_thirteen_web_solution — email_subscription_popup	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in I Thirteen Web Solution Email Subscription Popup allows Stored XSS.This issue affects Email Subscription Popup: from n/a through 1.2.20.	2024-03-17	7.1	CVE-2024-27960 audit@patchstack.com
ibm — cloud_pak_for_automation	IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354.	2024-03-21	7	CVE-2023-35899 psirt@us.ibm.com psirt@us.ibm.com
iconicwp — woothumbs_for_woocommerce_by_iconic	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in IconicWP WooThumbs for WooCommerce by Iconic allows Reflected XSS.This issue affects WooThumbs for WooCommerce by Iconic: from n/a through 5.5.3.	2024-03-19	7.1	CVE-2024-29116 audit@patchstack.com
israelb1 — management_app_for_woocommerce_-_order_notifications,_order_management,_lead_management,_uptime_monitoring	The Management App for WooCommerce – Order notifications, Order management, Lead management, Uptime Monitoring plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the nouvello_upload_csv_file function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.	2024-03-20	8.8	CVE-2024-1205 security@wordfence.com security@wordfence.com security@wordfence.com
jens-maus — raspberrymatic	RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. RaspberryMatic / OCCU prior to version 3.75.6.20240316 contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java based `HMIPServer.jar` component. RaspberryMatric includes a Java based `HMIPServer`, that can be accessed through URLs starting with `/pages/jpages`. The `FirmwareController` class does however not perform any session id checks, thus this feature can be accessed without a valid session. Due to this issue, attackers can gain remote code execution as root user, allowing a full system compromise. Version 3.75.6.20240316 contains a patch.	2024-03-18	10	CVE-2024-24578 security-advisories@github.com
jhpyle — docassemble	Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.	2024-03-21	7.5	CVE-2024-27292 security-advisories@github.com security-advisories@github.com
jose_mortellaro — specific_content_for_mobile_-_customize_the_mobile_version_without_redirections	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Jose Mortellaro Specific Content For Mobile – Customize the mobile version without redirections allows Reflected XSS.This issue affects Specific Content For Mobile – Customize the mobile version without redirections: from n/a through 0.1.9.5.	2024-03-19	7.1	CVE-2024-29126 audit@patchstack.com
jupyterhub — jupyter-server-proxy	Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue.	2024-03-20	9	CVE-2024-28179 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
jupyterhub — oauthenticator	OAuthenticator provides plugins for JupyterHub to use common OAuth providers, as well as base classes for writing one’s own Authenticators with any OAuth 2.0 provider. `GoogleOAuthenticator.hosted_domain` is used to restrict what Google accounts can be authorized access to a JupyterHub. The restriction is intented to be to Google accounts part of one or more Google organization verified to control specified domain(s). Prior to version 16.3.0, the actual restriction has been to Google accounts with emails ending with the domain. Such accounts could have been created by anyone which at one time was able to read an email associated with the domain. This was described by Dylan Ayrey (@dxa4481) in this [blog post] from 15th December 2023). OAuthenticator 16.3.0 contains a patch for this issue. As a workaround, restrict who can login another way, such as `allowed_users` or `allowed_google_groups`.	2024-03-20	7.5	CVE-2024-29033 security-advisories@github.com security-advisories@github.com security-advisories@github.com
kiloview — ndi	Use of Hard-coded Credentials in Kiloview NDI allows un-authenticated users to bypass authenticationThis issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227 .	2024-03-21	9.8	CVE-2024-2161 vulnerability@ncsc.ch vulnerability@ncsc.ch vulnerability@ncsc.ch vulnerability@ncsc.ch vulnerability@ncsc.ch vulnerability@ncsc.ch
kiloview — ndi	An OS Command Injection vulnerability in Kiloview NDI allows a low-privileged user to execute arbitrary code remotely on the device with high privileges. This issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227 .	2024-03-21	8.8	CVE-2024-2162 vulnerability@ncsc.ch vulnerability@ncsc.ch vulnerability@ncsc.ch vulnerability@ncsc.ch vulnerability@ncsc.ch vulnerability@ncsc.ch
ldapaccountmanager — lam	LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM’s log configuration allows to specify arbitrary paths for log files. Prior to version 8.7, an attacker could exploit this by creating a PHP file and cause LAM to log some PHP code to this file. When the file is then accessed via web the code would be executed. The issue is mitigated by the following: An attacker needs to know LAM’s master configuration password to be able to change the main settings; and the webserver needs write access to a directory that is accessible via web. LAM itself does not provide any such directories. The issue has been fixed in 8.7. As a workaround, limit access to LAM configuration pages to authorized users.	2024-03-18	7.9	CVE-2024-23333 security-advisories@github.com security-advisories@github.com
maciej_bis — permalink_manager_lite	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Maciej Bis Permalink Manager Lite allows Reflected XSS.This issue affects Permalink Manager Lite: from n/a through 2.4.3.	2024-03-19	7.1	CVE-2024-29092 audit@patchstack.com
mark_tilly — mycurator_content_curation	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Mark Tilly MyCurator Content Curation allows Reflected XSS.This issue affects MyCurator Content Curation: from n/a through 3.76.	2024-03-19	7.1	CVE-2024-29139 audit@patchstack.com
mediavine — create_by_mediavine	The Create by Mediavine plugin for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.9.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.	2024-03-20	9.8	CVE-2024-1711 security@wordfence.com security@wordfence.com
meshery — meshery	Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.17 allows a remote attacker to obtain sensitive information via the `order` parameter of `GetMeshSyncResources`. Version 0.7.17 contains a patch for this issue.	2024-03-21	7.5	CVE-2024-29031 security-advisories@github.com security-advisories@github.com security-advisories@github.com
metagauss — eventprime	Missing Authorization vulnerability in Metagauss EventPrime.This issue affects EventPrime: from n/a through 3.3.9.	2024-03-23	8.2	CVE-2024-24832 audit@patchstack.com
metagauss — registrationmagic	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Metagauss RegistrationMagic allows Reflected XSS.This issue affects RegistrationMagic: from n/a through 5.2.5.9.	2024-03-19	7.1	CVE-2024-29113 audit@patchstack.com
microsoft — microsoft_.net_framework_4.8	.NET Framework Information Disclosure Vulnerability	2024-03-23	7.5	CVE-2024-29059 secure@microsoft.com
microsoft — xbox_gaming_services	Xbox Gaming Services Elevation of Privilege Vulnerability	2024-03-21	8.8	CVE-2024-28916 secure@microsoft.com
mndpsingh287 — file_manager	The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the ‘lang’ parameter. This makes it possible for unauthenticated attackers to include local JavaScript files that can be leveraged to achieve RCE via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This issue was partially patched in version 7.2.4, and fully patched in 7.2.5.	2024-03-21	8.8	CVE-2024-1538 security@wordfence.com security@wordfence.com
mobsf — mobile-security-framework-mobsf	Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In version 3.9.5 Beta and prior, MobSF does not perform any input validation when extracting the hostnames in `android:host`, so requests can also be sent to local hostnames. This can lead to server-side request forgery. An attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. Commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77 has a hotfix for this issue.	2024-03-22	7.5	CVE-2024-29190 security-advisories@github.com security-advisories@github.com security-advisories@github.com
n/a — golang-fips/openssl	A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the “return nil, nil, fail(…)” pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.	2024-03-21	7.5	CVE-2024-1394 secalert@redhat.com secalert@redhat.com secalert@redhat.com secalert@redhat.com secalert@redhat.com secalert@redhat.com
n/a — libdwarf	A double-free vulnerability was found in libdwarf. In a multiply-corrupted DWARF object, libdwarf may try to dealloc(free) an allocation twice, potentially causing unpredictable and various results.	2024-03-18	7.5	CVE-2024-2002 secalert@redhat.com secalert@redhat.com secalert@redhat.com
n/a — podman	A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.	2024-03-18	8.6	CVE-2024-1753 secalert@redhat.com secalert@redhat.com secalert@redhat.com secalert@redhat.com
n/a — spring_security	In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.	2024-03-18	8.2	CVE-2024-22257 security@vmware.com
n/a — tourfic	Unrestricted Upload of File with Dangerous Type vulnerability in Tourfic.This issue affects Tourfic: from n/a through 2.11.15.	2024-03-19	9.9	CVE-2024-29135 audit@patchstack.com
n/a — unixodbc	An out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.	2024-03-18	7.1	CVE-2024-1013 secalert@redhat.com secalert@redhat.com secalert@redhat.com
n/a — xnio	A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS).	2024-03-22	7.5	CVE-2023-5685 secalert@redhat.com secalert@redhat.com
netentsec — ns-asg_application_security_gateway	A vulnerability, which was classified as critical, has been found in Netentsec NS-ASG Application Security Gateway 6.3. This issue affects some unknown processing of the file /admin/singlelogin.php. The manipulation of the argument loginId leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257285 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-19	7.3	CVE-2024-2647 cna@vuldb.com cna@vuldb.com cna@vuldb.com
ninjateam — database_for_contact_form_7	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in NinjaTeam Database for Contact Form 7 allows Stored XSS.This issue affects Database for Contact Form 7: from n/a through 3.0.6.	2024-03-19	7.1	CVE-2024-29103 audit@patchstack.com
olive_themes — olive_one_click_demo_import	Missing Authorization vulnerability in Olive Themes Olive One Click Demo Import allows importing settings and data, ultimately leading to XSS.This issue affects Olive One Click Demo Import: from n/a through 1.1.1.	2024-03-20	8.2	CVE-2024-2702 audit@patchstack.com
openeuler — aops_ceres	Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in openEuler aops-ceres on Linux allows Command Injection. This vulnerability is associated with program files ceres/function/util.Py. This issue affects aops-ceres: from 1.3.0 through 1.4.1.	2024-03-23	7.3	CVE-2021-33633 securities@openeuler.org securities@openeuler.org securities@openeuler.org
opentext — arcsight_platform	A potential vulnerability has been identified in OpenText ArcSight Platform. The vulnerability could be remotely exploited.	2024-03-20	9.8	CVE-2024-1811 security@opentext.com
opentext — pvcs_version_manager	Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and download of files.	2024-03-21	9.8	CVE-2024-1147 security@opentext.com
opentext — pvcs_version_manager	Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and uploading of files.	2024-03-21	9.8	CVE-2024-1148 security@opentext.com
optimole — super_page_cache_for_cloudflare	Cross-Site Request Forgery (CSRF) vulnerability in Optimole Super Page Cache for Cloudflare allows Stored XSS.This issue affects Super Page Cache for Cloudflare: from n/a through 4.7.5.	2024-03-21	7.1	CVE-2024-27968 audit@patchstack.com
owncast — owncast	Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.	2024-03-20	8.2	CVE-2024-29026 security-advisories@github.com security-advisories@github.com security-advisories@github.com
panabit — panalog	A vulnerability classified as critical was found in Panabit Panalog 202103080942. This vulnerability affects unknown code of the file /Maintain/sprog_upstatus.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255268. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-21	7.3	CVE-2024-2014 cna@vuldb.com cna@vuldb.com cna@vuldb.com
pandora_fms — pandora_fms	Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Pandora FMS on all allows SQL Injection. This ulnerability allowed SQL injections to be made even if authentication failed.This issue affects Pandora FMS: from 700 through <776.	2024-03-19	7.5	CVE-2023-44091 security@pandorafms.com
pandora_fms — pandora_fms	Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in Pandora FMS on all allows OS Command Injection. This vulnerability allowed to create a reverse shell and execute commands in the OS. This issue affects Pandora FMS: from 700 through <776.	2024-03-19	7.6	CVE-2023-44092 security@pandorafms.com
parse-community — parse_server	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. The patch in versions 6.5.5 and 7.0.0-alpha.29 added string sanitation for Cloud Function name and Cloud Job name. As a workaround, sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.	2024-03-19	9	CVE-2024-29027 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
pauple — table_&_contact_form_7_database_-_tablesome	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Pauple Table & Contact Form 7 Database – Tablesome allows Reflected XSS.This issue affects Table & Contact Form 7 Database – Tablesome: from n/a through 1.0.27.	2024-03-19	7.1	CVE-2024-29110 audit@patchstack.com
pie_register — pie_register	Unrestricted Upload of File with Dangerous Type vulnerability in Pie Register.This issue affects Pie Register: from n/a through 3.8.3.1.	2024-03-17	10	CVE-2024-27957 audit@patchstack.com
post_smtp — post_smtp	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Post SMTP POST SMTP allows Reflected XSS.This issue affects POST SMTP: from n/a through 2.8.6.	2024-03-19	7.1	CVE-2024-29128 audit@patchstack.com
progress_software — loadmaster	An OS command injection vulnerability has been identified in LoadMaster. An authenticated UI user with any permission settings may be able to inject commands into a UI component using a shell command resulting in OS command injection.	2024-03-22	8.4	CVE-2024-2448 security@progress.com security@progress.com
progress_software — loadmaster	A cross-site request forgery vulnerability has been identified in LoadMaster. It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator.	2024-03-22	7.5	CVE-2024-2449 security@progress.com security@progress.com
progress_software_corporation — telerik_report_server	In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.	2024-03-20	9.9	CVE-2024-1800 security@progress.com security@progress.com
progress_software_corporation — telerik_reporting	In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a remote threat actor through an insecure deserialization vulnerability.	2024-03-20	8.5	CVE-2024-1856 security@progress.com security@progress.com
progress_software_corporation — telerik_reporting	In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability.	2024-03-20	7.7	CVE-2024-1801 security@progress.com security@progress.com
python_software_foundation — cpython	An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.	2024-03-19	7.8	CVE-2023-6597 cna@python.org cna@python.org cna@python.org cna@python.org cna@python.org cna@python.org cna@python.org cna@python.org cna@python.org
rubengc — gamipress_-_the_#1_gamification_plugin_to_reward_points_achievements_badges_&_ranks_in_wordpress	The GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to SQL Injection via the ‘achievement_types’ attribute of the gamipress_earnings shortcode in all versions up to, and including, 6.8.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.	2024-03-20	8.8	CVE-2024-1799 security@wordfence.com security@wordfence.com
ruijie — rg-nbs2009g-p	A vulnerability was found in Ruijie RG-NBS2009G-P up to 20240305. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /EXCU_SHELL. The manipulation of the argument Command1 leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257281 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-19	7.3	CVE-2024-2642 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sailpoint — identityiq	This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227.	2024-03-22	10	CVE-2024-2227 psirt@sailpoint.com
sailpoint — identityiq	This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population.	2024-03-22	7.1	CVE-2024-2228 psirt@sailpoint.com
schneider_electric — easergy_t200_(modbus)_models:_t200i_t200e_t200p_t200s_t200h	CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the login form.	2024-03-18	9.8	CVE-2024-2051 cybersecurity@se.com
schneider_electric — easergy_t200_(modbus)_models:_t200i_t200e_t200p_t200s_t200h	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability exists when an attacker injects then executes arbitrary malicious JavaScript code within the context of the product.	2024-03-18	8.2	CVE-2024-2050 cybersecurity@se.com
schneider_electric — easergy_t200_(modbus)_models:_t200i_t200e_t200p_t200s_t200h	CWE-552: Files or Directories Accessible to External Parties vulnerability exists that could allow unauthenticated files and logs exfiltration and download of files when an attacker modifies the URL to download to a different location.	2024-03-18	7.5	CVE-2024-2052 cybersecurity@se.com
schneider_electric — ecostruxure_power_design_-_ecodial	CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution when a malicious project file is loaded into the application by a valid user.	2024-03-18	7.8	CVE-2024-2229 cybersecurity@se.com
scott_paterson — contact_form_7_-_paypal_&_stripe_add-on	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on allows Reflected XSS.This issue affects Contact Form 7 – PayPal & Stripe Add-on: from n/a through 2.0.	2024-03-19	7.1	CVE-2024-29130 audit@patchstack.com
sentrifugo — sentrifugo	SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, ‘business_id’ parameter./sentrifugo/index.php/index/getdepartments/format/html, ‘business_id’ parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.	2024-03-21	9.8	CVE-2024-29870 cve-coordination@incibe.es
sentrifugo — sentrifugo	SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber, ‘id’ parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.	2024-03-21	9.8	CVE-2024-29871 cve-coordination@incibe.es
sentrifugo — sentrifugo	SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/empscreening/add, ‘agencyids’ parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.	2024-03-21	9.8	CVE-2024-29872 cve-coordination@incibe.es
sentrifugo — sentrifugo	SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/businessunits/format/html, ‘bunitname’ parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.	2024-03-21	9.8	CVE-2024-29873 cve-coordination@incibe.es
sentrifugo — sentrifugo	SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/activeuserrptpdf, ‘sort_name’ parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.	2024-03-21	9.8	CVE-2024-29874 cve-coordination@incibe.es
sentrifugo — sentrifugo	SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/exportactiveuserrpt, ‘sort_name’ parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.	2024-03-21	9.8	CVE-2024-29875 cve-coordination@incibe.es
sentrifugo — sentrifugo	SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/activitylogreport, ‘sortby’ parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.	2024-03-21	9.8	CVE-2024-29876 cve-coordination@incibe.es
sentrifugo — sentrifugo	Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/expenses/expensecategories/edit, ‘expense_category_name’ parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.	2024-03-21	7.1	CVE-2024-29877 cve-coordination@incibe.es
sentrifugo — sentrifugo	Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/sitepreference/add, ‘description’ parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.	2024-03-21	7.1	CVE-2024-29878 cve-coordination@incibe.es
sentrifugo — sentrifugo	Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, ‘business_id’ parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.	2024-03-21	7.1	CVE-2024-29879 cve-coordination@incibe.es
social_media_share_buttons_by_sygnoos — social_media_share_buttons	Deserialization of Untrusted Data vulnerability in Social Media Share Buttons By Sygnoos Social Media Share Buttons.This issue affects Social Media Share Buttons: from n/a through 2.1.0.	2024-03-20	8.2	CVE-2024-2721 audit@patchstack.com
sourcecodester — employee_task_management_system	A vulnerability was found in SourceCodester Employee Task Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin-manage-user.php. The manipulation leads to execution after redirect. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257072.	2024-03-18	7.3	CVE-2024-2569 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — employee_task_management_system	A vulnerability was found in SourceCodester Employee Task Management System 1.0. It has been classified as critical. This affects an unknown part of the file /edit-task.php. The manipulation leads to execution after redirect. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257073 was assigned to this vulnerability.	2024-03-18	7.3	CVE-2024-2570 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — employee_task_management_system	A vulnerability was found in SourceCodester Employee Task Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /manage-admin.php. The manipulation leads to execution after redirect. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257074 is the identifier assigned to this vulnerability.	2024-03-18	7.3	CVE-2024-2571 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — employee_task_management_system	A vulnerability was found in SourceCodester Employee Task Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /task-details.php. The manipulation leads to execution after redirect. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257075.	2024-03-18	7.3	CVE-2024-2572 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — employee_task_management_system	A vulnerability classified as critical has been found in SourceCodester Employee Task Management System 1.0. Affected is an unknown function of the file /task-info.php. The manipulation leads to execution after redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257076.	2024-03-18	7.3	CVE-2024-2573 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — employee_task_management_system	A vulnerability classified as critical was found in SourceCodester Employee Task Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit-task.php. The manipulation of the argument task_id leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257077 was assigned to this vulnerability.	2024-03-18	7.3	CVE-2024-2574 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — employee_task_management_system	A vulnerability, which was classified as critical, has been found in SourceCodester Employee Task Management System 1.0. Affected by this issue is some unknown functionality of the file /task-details.php. The manipulation of the argument task_id leads to authorization bypass. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257078 is the identifier assigned to this vulnerability.	2024-03-18	7.3	CVE-2024-2575 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — employee_task_management_system	A vulnerability, which was classified as critical, was found in SourceCodester Employee Task Management System 1.0. This affects an unknown part of the file /update-admin.php. The manipulation of the argument admin_id leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257079.	2024-03-18	7.3	CVE-2024-2576 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — employee_task_management_system	A vulnerability has been found in SourceCodester Employee Task Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /update-employee.php. The manipulation of the argument admin_id leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257080.	2024-03-18	7.3	CVE-2024-2577 cna@vuldb.com cna@vuldb.com cna@vuldb.com
stacklok — minder	Minder is a software supply chain security platform. Prior to version 0.0.33, a Minder user can use the endpoints `GetRepositoryByName`, `DeleteRepositoryByName`, and `GetArtifactByName` to access any repository in the database, irrespective of who owns the repo and any permissions present. The database query checks by repo owner, repo name and provider name (which is always `github`). These query values are not distinct for the particular user – as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo. Version 0.0.33 contains a patch for this issue.	2024-03-21	7.1	CVE-2024-27916 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
svenl77 — buddypress_woocommerce_my_account_integration_create_woocommerce_member_pages	The “BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages” plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.20 via deserialization of untrusted input in the get_simple_request function. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.	2024-03-23	8.8	CVE-2024-2025 security@wordfence.com security@wordfence.com
tenable — nessus_agent	As a part of Tenable’s vulnerability disclosure program, a vulnerability in a Nessus plugin was identified and reported. This vulnerability could allow a malicious actor with sufficient permissions on a scan target to place a binary in a specific filesystem location, and abuse the impacted plugin in order to escalate privileges.	2024-03-18	7.8	CVE-2024-2390 vulnreport@tenable.com
tenda — ac10	A vulnerability was found in Tenda AC10 16.03.10.13 and classified as critical. This issue affects the function fromSetRouteStatic of the file /goform/SetStaticRouteCfg. The manipulation of the argument list leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257081 was assigned to this vulnerability.	2024-03-18	8.8	CVE-2024-2581 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac10u	A vulnerability was found in Tenda AC10U 15.03.06.48. It has been rated as critical. Affected by this issue is the function addWifiMacFilter of the file /goform/addWifiMacFilter. The manipulation of the argument deviceMac leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257462 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-20	8.8	CVE-2024-2711 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac10u	A vulnerability classified as critical has been found in Tenda AC10U 15.03.06.49. Affected is the function formSetDeviceName of the file /goform/SetOnlineDevName. The manipulation of the argument mac leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257454 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-20	8.8	CVE-2024-2703 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac10u	A vulnerability classified as critical was found in Tenda AC10U 15.03.06.49. Affected by this vulnerability is the function formSetFirewallCfg of the file /goform/SetFirewallCfg. The manipulation of the argument firewallEn leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257455. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-20	8.8	CVE-2024-2704 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac10u	A vulnerability, which was classified as critical, has been found in Tenda AC10U 1.0/15.03.06.49. Affected by this issue is the function formSetQosBand of the file /goform/SetNetControlList. The manipulation of the argument list leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257456. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-20	8.8	CVE-2024-2705 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac10u	A vulnerability, which was classified as critical, was found in Tenda AC10U 15.03.06.49. This affects the function formWifiWpsStart of the file /goform/WifiWpsStart. The manipulation of the argument index leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257457 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-20	8.8	CVE-2024-2706 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac10u	A vulnerability was found in Tenda AC10U 15.03.06.49 and classified as critical. This issue affects the function formexeCommand of the file /goform/execCommand. The manipulation of the argument cmdinput leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257459. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-20	8.8	CVE-2024-2708 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac10u	A vulnerability was found in Tenda AC10U 15.03.06.49. It has been classified as critical. Affected is the function fromSetRouteStatic of the file /goform/SetStaticRouteCfg. The manipulation of the argument list leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257460. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-20	8.8	CVE-2024-2709 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac10u	A vulnerability was found in Tenda AC10U 15.03.06.49. It has been declared as critical. Affected by this vulnerability is the function setSchedWifi of the file /goform/openSchedWifi. The manipulation of the argument schedStartTime leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257461 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-20	8.8	CVE-2024-2710 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac10u	A vulnerability, which was classified as critical, has been found in Tenda AC10U 15.03.06.48. Affected by this issue is the function formSetCfm of the file goform/setcfm. The manipulation of the argument funcpara1 leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257600. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-21	8.8	CVE-2024-2763 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac10u	A vulnerability, which was classified as critical, was found in Tenda AC10U 15.03.06.48. This affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation of the argument endIP leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257601 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-21	8.8	CVE-2024-2764 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac15	A vulnerability was found in Tenda AC15 15.03.20_multi. It has been declared as critical. This vulnerability affects the function form_fast_setting_wifi_set of the file /goform/fast_setting_wifi_set. The manipulation of the argument ssid leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257668. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	8.8	CVE-2024-2813 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac15	A vulnerability was found in Tenda AC15 15.03.20_multi. It has been rated as critical. This issue affects the function fromDhcpListClient of the file /goform/DhcpListClient. The manipulation of the argument page leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257669 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	8.8	CVE-2024-2814 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac15	A vulnerability classified as critical has been found in Tenda AC15 15.03.20_multi. Affected is the function R7WebsSecurityHandler of the file /goform/execCommand of the component Cookie Handler. The manipulation of the argument password leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257670 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	8.8	CVE-2024-2815 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac15	A vulnerability was found in Tenda AC15 15.03.05.18/15.03.20_multi. It has been rated as critical. Affected by this issue is the function formSetSpeedWan of the file /goform/SetSpeedWan. The manipulation of the argument speed_dir leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257660. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	8.8	CVE-2024-2805 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac15	A vulnerability classified as critical has been found in Tenda AC15 15.03.05.18/15.03.20_multi. This affects the function addWifiMacFilter of the file /goform/addWifiMacFilter. The manipulation of the argument deviceId/deviceMac leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257661 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	8.8	CVE-2024-2806 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac15	A vulnerability classified as critical was found in Tenda AC15 15.03.05.18/15.03.20_multi. This vulnerability affects the function formExpandDlnaFile of the file /goform/expandDlnaFile. The manipulation of the argument filePath leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257662 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	8.8	CVE-2024-2807 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac15	A vulnerability, which was classified as critical, has been found in Tenda AC15 15.03.05.18/15.03.20_multi. This issue affects the function formQuickIndex of the file /goform/QuickIndex. The manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257663. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	8.8	CVE-2024-2808 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac15	A vulnerability, which was classified as critical, was found in Tenda AC15 15.03.05.18/15.03.20_multi. Affected is the function formSetFirewallCfg of the file /goform/SetFirewallCfg. The manipulation of the argument firewallEn leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257664. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	8.8	CVE-2024-2809 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac15	A vulnerability has been found in Tenda AC15 15.03.05.18/15.03.20_multi and classified as critical. Affected by this vulnerability is the function formWifiWpsOOB of the file /goform/WifiWpsOOB. The manipulation of the argument index leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257665 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	8.8	CVE-2024-2810 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac15	A vulnerability was found in Tenda AC15 15.03.20_multi and classified as critical. Affected by this issue is the function formWifiWpsStart of the file /goform/WifiWpsStart. The manipulation of the argument index leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257666 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	8.8	CVE-2024-2811 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac18	A vulnerability has been found in Tenda AC18 15.13.07.09 and classified as critical. Affected by this vulnerability is the function fromSetWirelessRepeat. The manipulation of the argument wpapsk_crypto5g leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256999. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-17	8.8	CVE-2024-2546 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac18	A vulnerability was found in Tenda AC18 15.03.05.05 and classified as critical. Affected by this issue is the function R7WebsSecurityHandler. The manipulation of the argument password leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257000. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-17	8.8	CVE-2024-2547 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac18	A vulnerability was found in Tenda AC18 15.03.05.05. It has been rated as critical. This issue affects the function formexeCommand of the file /goform/execCommand. The manipulation of the argument cmdinput leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257057 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-17	8.8	CVE-2024-2558 cna@vuldb.com cna@vuldb.com cna@vuldb.com
themefic — tourfic	Deserialization of Untrusted Data vulnerability in Themefic Tourfic.This issue affects Tourfic: from n/a through 2.11.17.	2024-03-19	8.5	CVE-2024-29136 audit@patchstack.com
themefic — tourfic	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Themefic Tourfic allows Reflected XSS.This issue affects Tourfic: from n/a through 2.11.7.	2024-03-19	7.1	CVE-2024-29137 audit@patchstack.com
themeisle — visualizer	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Themeisle Visualizer allows Reflected XSS.This issue affects Visualizer: from n/a through 3.10.5.	2024-03-17	7.1	CVE-2024-27958 audit@patchstack.com
tomphttp — bare-server-node	TOMP Bare Server implements the TompHTTP bare server. A vulnerability in versions prior to 2.0.2 relates to insecure handling of HTTP requests by the @tomphttp/bare-server-node package. This flaw potentially exposes the users of the package to manipulation of their web traffic. The impact may vary depending on the specific usage of the package but it can potentially affect any system where this package is in use. The problem has been patched in version 2.0.2. As of time of publication, no specific workaround strategies have been disclosed.	2024-03-21	9.8	CVE-2024-27922 security-advisories@github.com
typps — calendarista_basic_edition	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Typps Calendarista Basic Edition.This issue affects Calendarista Basic Edition: from n/a through 3.0.2.	2024-03-21	7.1	CVE-2024-27993 audit@patchstack.com
ukrsolution — barcode_scanner_with_inventory_&_order_manager	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager allows Reflected XSS.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.5.3.	2024-03-19	7.1	CVE-2024-27998 audit@patchstack.com
unitronics_ — unistream_unilogic	CWE-287: Improper Authentication may allow Authentication Bypass	2024-03-18	10	CVE-2024-27767 cna@cyber.gov.il
unitronics_ — unistream_unilogic	Unitronics Unistream Unilogic – Versions prior to 1.35.227 – CWE-22: ‘Path Traversal’ may allow RCE	2024-03-18	9.8	CVE-2024-27768 cna@cyber.gov.il cna@cyber.gov.il
unitronics_ — unistream_unilogic	Unitronics Unistream Unilogic – Versions prior to 1.35.227 – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor may allow Taking Ownership Over Devices	2024-03-18	8.8	CVE-2024-27769 cna@cyber.gov.il cna@cyber.gov.il
unitronics_ — unistream_unilogic	Unitronics Unistream Unilogic – Versions prior to 1.35.227 – CWE-23: Relative Path Traversal	2024-03-18	8.8	CVE-2024-27770 cna@cyber.gov.il cna@cyber.gov.il
unitronics_ — unistream_unilogic	Unitronics Unistream Unilogic – Versions prior to 1.35.227 – CWE-22: ‘Path Traversal’ may allow RCE	2024-03-18	8.8	CVE-2024-27771 cna@cyber.gov.il cna@cyber.gov.il
unitronics_ — unistream_unilogic	Unitronics Unistream Unilogic – Versions prior to 1.35.227 – CWE-78: ‘OS Command Injection’ may allow RCE	2024-03-18	8.8	CVE-2024-27772 cna@cyber.gov.il cna@cyber.gov.il
unitronics_ — unistream_unilogic	Unitronics Unistream Unilogic – Versions prior to 1.35.227 – CWE-348: Use of Less Trusted Source may allow RCE	2024-03-18	8.8	CVE-2024-27773 cna@cyber.gov.il cna@cyber.gov.il
unitronics_ — unistream_unilogic	Unitronics Unistream Unilogic – Versions prior to 1.35.227 – CWE-259: Use of Hard-coded Password may allow disclosing Sensitive Information Embedded inside Device’s Firmware	2024-03-18	7.5	CVE-2024-27774 cna@cyber.gov.il cna@cyber.gov.il
valvepress — automatic	Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in ValvePress Automatic allows SQL Injection.This issue affects Automatic: from n/a through 3.92.0.	2024-03-21	9.9	CVE-2024-27956 audit@patchstack.com
wasmi-labs — wasmi	Wasmi is an efficient and lightweight WebAssembly interpreter with a focus on constrained and embedded systems. In the WASMI Interpreter, an Out-of-bounds Buffer Write will arise if the host calls or resumes a Wasm function with more parameters than the default limit (128), as it will surpass the stack value. This doesn’t affect calls from Wasm to Wasm, only from host to Wasm. This vulnerability was patched in version 0.31.1.	2024-03-21	7.3	CVE-2024-28123 security-advisories@github.com security-advisories@github.com security-advisories@github.com
webberzone — better_search_-_relevant_search_results_for_wordpress	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WebberZone Better Search – Relevant search results for WordPress allows Stored XSS.This issue affects Better Search – Relevant search results for WordPress: from n/a through 3.3.0.	2024-03-19	7.1	CVE-2024-29142 audit@patchstack.com
webpack — webpack-dev-middleware	Prior to versions 7.1.0, 6.1.2, and 5.3.4, the webpack-dev-middleware development middleware for devpack does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer’s machine. The middleware can either work with the physical filesystem when reading the files or it can use a virtualized in-memory `memfs` filesystem. If `writeToDisk` configuration option is set to `true`, the physical filesystem is used. The `getFilenameFromUrl` method is used to parse URL and build the local file path. The public path prefix is stripped from the URL, and the `unsecaped` path suffix is appended to the `outputPath`. As the URL is not unescaped and normalized automatically before calling the midlleware, it is possible to use `%2e` and `%2f` sequences to perform path traversal attack. Developers using `webpack-dev-server` or `webpack-dev-middleware` are affected by the issue. When the project is started, an attacker might access any file on the developer’s machine and exfiltrate the content. If the development server is listening on a public IP address (or `0.0.0.0`), an attacker on the local network can access the local files without any interaction from the victim (direct connection to the port). If the server allows access from third-party domains, an attacker can send a malicious link to the victim. When visited, the client side script can connect to the local server and exfiltrate the local files. Starting with fixed versions 7.1.0, 6.1.2, and 5.3.4, the URL is unescaped and normalized before any further processing.	2024-03-21	7.4	CVE-2024-29180 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
wpexpertsio — wc_shop_sync_-_integrate_square_and_woocommerce_for_seamless_shop_management	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Wpexpertsio WC Shop Sync – Integrate Square and WooCommerce for Seamless Shop Management allows Reflected XSS.This issue affects WC Shop Sync – Integrate Square and WooCommerce for Seamless Shop Management: from n/a through 4.2.9.	2024-03-17	7.1	CVE-2024-27959 audit@patchstack.com
wplit_pty_ltd — oxyextras	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPLIT Pty Ltd OxyExtras allows Reflected XSS.This issue affects OxyExtras: from n/a through 1.4.4.	2024-03-19	7.1	CVE-2024-29129 audit@patchstack.com
wpvncom — ux_flat	The UX Flat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘button’ shortcode in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-20	7.4	CVE-2024-2459 security@wordfence.com security@wordfence.com
xpodas — octopod	Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass.This issue affects Octopod: before v1. NOTE: The vendor was contacted and it was learned that the product is not supported.	2024-03-21	9.8	CVE-2024-1202 iletisim@usom.gov.tr
yannick_lefebvre — link_library	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Yannick Lefebvre Link Library allows Reflected XSS.This issue affects Link Library: from n/a through 7.6.	2024-03-19	7.1	CVE-2024-29123 audit@patchstack.com
yith — yith_woocommerce_product_add-ons	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in YITH YITH WooCommerce Product Add-Ons allows Reflected XSS.This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.5.0.	2024-03-21	7.1	CVE-2024-27994 audit@patchstack.com
zitadel — zitadel	ZITADEL, open source authentication management software, uses Go templates to render the login UI. Due to a improper use of the `text/template` instead of the `html/template` package, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15. An attacker could create a malicious link, where he injected code which would be rendered as part of the login screen. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by the Content Security Policy. Versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a patch for this issue. No known workarounds are available.	2024-03-18	8.1	CVE-2024-28855 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com

Medium Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
3uu — shariff_wrapper	The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘shariff’ shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes such as ‘secondarycolor’ and ‘maincolor’. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-21	6.4	CVE-2023-6500 security@wordfence.com security@wordfence.com
3uu — shariff_wrapper	The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘shariff’ shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes like ‘info_text’. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and clicks the information icon.	2024-03-21	6.4	CVE-2024-0966 security@wordfence.com security@wordfence.com security@wordfence.com
3uu — shariff_wrapper	The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘shariff’ shortcode in all versions up to, and including, 4.6.10 due to insufficient input sanitization and output escaping on user supplied attributes such as ‘align’. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-21	6.4	CVE-2024-1450 security@wordfence.com security@wordfence.com security@wordfence.com
N/A — N/A	Directory Traversal vulnerability in Speedy11CZ MCRPX v.1.4.0 and before allows a local attacker to execute arbitrary code via a crafted file.	2024-03-19	5.5	CVE-2024-24043 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	The SolarEdge mySolarEdge application before 2.20.1 for Android has a certificate verification issue that allows a Machine-in-the-middle (MitM) attacker to read and alter all network traffic between the application and the server.	2024-03-21	5.9	CVE-2024-28756 cve@mitre.org cve@mitre.org
aam — advanced_access_manager	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in AAM Advanced Access Manager allows Stored XSS.This issue affects Advanced Access Manager: from n/a through 6.9.20.	2024-03-19	5.9	CVE-2024-29124 audit@patchstack.com
aankit — easy_maintenance_mode	The Easy Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2 via the REST API. This makes it possible for authenticated attackers to obtain post and page content via REST API thus bypassign the protection provided by the plugin.	2024-03-20	5.3	CVE-2024-1477 security@wordfence.com security@wordfence.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-20760 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-20768 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26028 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26030 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26031 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable web pages. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable script. This could result in arbitrary code execution in the context of the victim’s browser. Exploitation of this issue requires user interaction.	2024-03-18	5.4	CVE-2024-26032 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26033 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26034 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26035 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26038 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26040 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26041 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable web pages. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable script. This could result in arbitrary code execution in the context of the victim’s browser.	2024-03-18	5.4	CVE-2024-26042 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26043 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into a webpage. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable script. This could result in arbitrary code execution in the context of the victim’s browser.	2024-03-18	5.4	CVE-2024-26044 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26045 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26052 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26056 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26059 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26061 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26062 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by an Information Exposure vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to gain unauthorized access to sensitive information, potentially bypassing security measures. Exploitation of this issue does not require user interaction.	2024-03-18	5.3	CVE-2024-26063 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into a webpage. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable script. This could result in arbitrary code execution in the context of the victim’s browser. Exploitation of this issue requires user interaction.	2024-03-18	5.4	CVE-2024-26064 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26065 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26067 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26069 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26073 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable web pages. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable script.	2024-03-18	5.4	CVE-2024-26080 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26094 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26096 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim’s browser.	2024-03-18	5.4	CVE-2024-26101 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim’s browser.	2024-03-18	5.4	CVE-2024-26102 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim’s browser.	2024-03-18	5.4	CVE-2024-26103 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim’s browser.	2024-03-18	5.4	CVE-2024-26104 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim’s browser.	2024-03-18	5.4	CVE-2024-26105 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim’s browser.	2024-03-18	5.4	CVE-2024-26106 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim’s browser.	2024-03-18	5.4	CVE-2024-26107 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim’s browser.	2024-03-18	5.4	CVE-2024-26118 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.	2024-03-18	5.3	CVE-2024-26119 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26120 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26124 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	5.4	CVE-2024-26125 psirt@adobe.com
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	4.8	CVE-2024-26050 psirt@adobe.com
adobe — animate	Animate versions 24.0, 23.0.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.	2024-03-18	5.5	CVE-2024-20762 psirt@adobe.com
adobe — animate	Animate versions 24.0, 23.0.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.	2024-03-18	5.5	CVE-2024-20763 psirt@adobe.com
adobe — animate	Animate versions 24.0, 23.0.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.	2024-03-18	5.5	CVE-2024-20764 psirt@adobe.com
adobe — bridge	Bridge versions 13.0.5, 14.0.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.	2024-03-18	5.5	CVE-2024-20757 psirt@adobe.com
advantech — webaccess/scada	There is an SQL injection vulnerability in Advantech WebAccess/SCADA software that allows an authenticated attacker to remotely inject SQL code in the database. Successful exploitation of this vulnerability could allow an attacker to read or modify data on the remote database.	2024-03-21	6.4	CVE-2024-2453 ics-cert@hq.dhs.gov
anshuln90 — animated_headline	The Animated Headline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘animated-headline’ shortcode in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-20	6.4	CVE-2024-2304 security@wordfence.com security@wordfence.com
axis_communications_ab — axis_os	Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs local_list.cgi, create_overlay.cgi and irissetup.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.	2024-03-19	6.5	CVE-2024-0054 product-security@axis.com
axis_communications_ab — axis_os	Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs mediaclip.cgi and playclip.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.	2024-03-19	6.5	CVE-2024-0055 product-security@axis.com
bdtask — wholesale_inventory_management_system	A vulnerability was found in Bdtask Wholesale Inventory Management System up to 20240311. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to session fixiation. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257245 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-19	4.3	CVE-2024-2639 cna@vuldb.com cna@vuldb.com cna@vuldb.com
bdthemes — element_pack_elementor_addons	Missing Authorization vulnerability in BdThemes Element Pack Elementor Addons.This issue affects Element Pack Elementor Addons: from n/a through 5.4.11.	2024-03-23	4.3	CVE-2024-24840 audit@patchstack.com
benjamin_rojas — wp_editor	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Benjamin Rojas WP Editor.This issue affects WP Editor: from n/a through 1.2.7.	2024-03-17	5.3	CVE-2024-25591 audit@patchstack.com
bmc — control-m	Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.	2024-03-18	6.4	CVE-2024-1604 cvd@cert.pl cvd@cert.pl cvd@cert.pl
bmc — control-m	BMC Control-M branches 9.0.20 and 9.0.21 upon user login load all Dynamic Link Libraries (DLL) from a directory that grants Write and Read permissions to all users. Leveraging it leads to loading of a potentially malicious libraries, which will execute with the application’s privileges. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.	2024-03-18	6.6	CVE-2024-1605 cvd@cert.pl cvd@cert.pl cvd@cert.pl
bmc — control-m	Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users for manipulation of generated web pages via injection of HTML code. This might lead to a successful phishing attack for example by tricking users into using a hyperlink pointing to a website controlled by an attacker. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.200.	2024-03-18	4.6	CVE-2024-1606 cvd@cert.pl cvd@cert.pl cvd@cert.pl
brefphp — bref	Bref is an open-source project that helps users go serverless on Amazon Web Services with PHP. When Bref prior to version 2.1.17 is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed. In the parsing process, the `Content-Type` header of each part is read using the `Riverline/multipart-parser` library. The library, in the `StreamedPart::parseHeaderContent` function, performs slow multi-byte string operations on the header value. Precisely, the `mb_convert_encoding` function is used with the first (`$string`) and third (`$from_encoding`) parameters read from the header value. An attacker could send specifically crafted requests which would force the server into performing long operations with a consequent long billed duration. The attack has the following requirements and limitations: The Lambda should use the Event-Driven Function runtime and the `RequestHandlerInterface` handler and should implement at least an endpoint accepting POST requests; the attacker can send requests up to 6MB long (this is enough to cause a billed duration between 400ms and 500ms with the default 1024MB RAM Lambda image of Bref); and if the Lambda uses a PHP runtime <= php-82, the impact is higher as the billed duration in the default 1024MB RAM Lambda image of Bref could be brought to more than 900ms for each request. Notice that the vulnerability applies only to headers read from the request body as the request header has a limitation which allows a total maximum size of ~10KB. Version 2.1.17 contains a fix for this issue.	2024-03-22	5.3	CVE-2024-29186 security-advisories@github.com security-advisories@github.com
calameo — wp_calameo	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Calameo WP Calameo allows Stored XSS.This issue affects WP Calameo: from n/a through 2.1.7.	2024-03-19	6.5	CVE-2024-29098 audit@patchstack.com
campcodes — complete_online_beauty_parlor_management_system	A vulnerability has been found in Campcodes Complete Online Beauty Parlor Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/index.php. The manipulation of the argument username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257602 is the identifier assigned to this vulnerability.	2024-03-21	6.3	CVE-2024-2766 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_beauty_parlor_management_system	A vulnerability was found in Campcodes Complete Online Beauty Parlor Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/forgot-password.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257603.	2024-03-21	6.3	CVE-2024-2767 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_beauty_parlor_management_system	A vulnerability was found in Campcodes Complete Online Beauty Parlor Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/edit-services.php. The manipulation of the argument editid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257604.	2024-03-21	6.3	CVE-2024-2768 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_beauty_parlor_management_system	A vulnerability was found in Campcodes Complete Online Beauty Parlor Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/admin-profile.php. The manipulation of the argument adminname leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257605 was assigned to this vulnerability.	2024-03-21	6.3	CVE-2024-2769 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_beauty_parlor_management_system	A vulnerability was found in Campcodes Complete Online Beauty Parlor Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/contact-us.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257606 is the identifier assigned to this vulnerability.	2024-03-21	6.3	CVE-2024-2770 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_beauty_parlor_management_system	A vulnerability classified as critical was found in Campcodes Online Marriage Registration System 1.0. This vulnerability affects unknown code of the file /user/search.php. The manipulation of the argument searchdata leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257608.	2024-03-21	6.3	CVE-2024-2774 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_beauty_parlor_management_system	A vulnerability, which was classified as critical, was found in Campcodes Online Marriage Registration System 1.0. Affected is an unknown function of the file /admin/search.php. The manipulation of the argument searchdata leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257610 is the identifier assigned to this vulnerability.	2024-03-22	6.3	CVE-2024-2776 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_beauty_parlor_management_system	A vulnerability has been found in Campcodes Online Marriage Registration System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/application-bwdates-reports-details.php. The manipulation of the argument fromdate leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257611.	2024-03-22	6.3	CVE-2024-2777 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_dj_booking_system	A vulnerability, which was classified as critical, has been found in Campcodes Complete Online DJ Booking System 1.0. This issue affects some unknown processing of the file /admin/user-search.php. The manipulation of the argument searchdata leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257465 was assigned to this vulnerability.	2024-03-21	6.3	CVE-2024-2712 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_dj_booking_system	A vulnerability, which was classified as critical, was found in Campcodes Complete Online DJ Booking System 1.0. Affected is an unknown function of the file /admin/booking-search.php. The manipulation of the argument searchdata leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257466 is the identifier assigned to this vulnerability.	2024-03-21	6.3	CVE-2024-2713 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_dj_booking_system	A vulnerability has been found in Campcodes Complete Online DJ Booking System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/booking-bwdates-reports-details.php. The manipulation of the argument fromdate leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257467.	2024-03-20	6.3	CVE-2024-2714 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability has been found in Campcodes Online Job Finder System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/vacancy/controller.php. The manipulation of the argument id/CATEGORY leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257368.	2024-03-20	6.3	CVE-2024-2668 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability was found in Campcodes Online Job Finder System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/employee/controller.php of the component GET Parameter Handler. The manipulation of the argument EMPLOYEEID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257369 was assigned to this vulnerability.	2024-03-20	6.3	CVE-2024-2669 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability was found in Campcodes Online Job Finder System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/vacancy/index.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257370 is the identifier assigned to this vulnerability.	2024-03-20	6.3	CVE-2024-2670 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability was found in Campcodes Online Job Finder System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/user/index.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257371.	2024-03-20	6.3	CVE-2024-2671 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability was found in Campcodes Online Job Finder System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/user/controller.php. The manipulation of the argument UESRID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257372.	2024-03-20	6.3	CVE-2024-2672 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability classified as critical has been found in Campcodes Online Job Finder System 1.0. This affects an unknown part of the file /admin/login.php. The manipulation of the argument user_email leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257373 was assigned to this vulnerability.	2024-03-20	6.3	CVE-2024-2673 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability classified as critical was found in Campcodes Online Job Finder System 1.0. This vulnerability affects unknown code of the file /admin/employee/index.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257374 is the identifier assigned to this vulnerability.	2024-03-20	6.3	CVE-2024-2674 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability, which was classified as critical, has been found in Campcodes Online Job Finder System 1.0. This issue affects some unknown processing of the file /admin/company/index.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257375.	2024-03-20	6.3	CVE-2024-2675 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability, which was classified as critical, was found in Campcodes Online Job Finder System 1.0. Affected is an unknown function of the file /admin/company/controller.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257376.	2024-03-20	6.3	CVE-2024-2676 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability has been found in Campcodes Online Job Finder System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/category/controller.php. The manipulation of the argument CATEGORYID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257377 was assigned to this vulnerability.	2024-03-20	6.3	CVE-2024-2677 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability was found in Campcodes Online Job Finder System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/applicants/controller.php. The manipulation of the argument JOBREGID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257378 is the identifier assigned to this vulnerability.	2024-03-20	6.3	CVE-2024-2678 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability was found in Campcodes Online Job Finder System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/applicants/index.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257387.	2024-03-20	6.3	CVE-2024-2687 cna@vuldb.com cna@vuldb.com cna@vuldb.com
cegid — meta4_hr	A Cross-Site Scripting Vulnerability has been found on Meta4 HR affecting version 819.001.022 and earlier. The endpoint ‘/sitetest/english/dumpenv.jsp’ is vulnerable to XSS attack by ‘lang’ query, i.e. ‘/sitetest/english/dumpenv.jsp?snoop=yes&lang=%27%3Cimg%20src/onerror=alert(1)%3E&params’.	2024-03-19	6.1	CVE-2024-2633 cve-coordination@incibe.es
cegid — meta4_hr	A Cross-Site Scripting Vulnerability has been found on Meta4 HR affecting version 819.001.022 and earlier. The endpoint ‘/sse_generico/generico_login.jsp’ is vulnerable to XSS attack via ‘lang’ query, i.e. ‘/sse_generico/generico_login.jsp?lang=%27%3balert(%27BLEUSS%27)%2f%2f&params=’.	2024-03-19	6.1	CVE-2024-2634 cve-coordination@incibe.es
ciges — cigesv2	Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration.	2024-03-22	6.1	CVE-2024-2726 cve-coordination@incibe.es
ciges — cigesv2	HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message.	2024-03-22	6.1	CVE-2024-2727 cve-coordination@incibe.es
ciges — cigesv2	Information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol.	2024-03-22	4.1	CVE-2024-2728 cve-coordination@incibe.es
cilium — cilium	Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node’s Envoy proxy and pods on other nodes is sent unencrypted and IPsec-eligible traffic between a node’s DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.15.2, 1.14.8, and 1.13.13. There is no known workaround for this issue.	2024-03-18	6.1	CVE-2024-28249 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
cilium — cilium	Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node’s Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node’s DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (`routingMode=native`) and in Cilium 1.14.4 in tunneling mode (`routingMode=tunnel`). Not that in tunneling mode, `encryption.wireguard.encapsulate` must be set to `true`. There is no known workaround for this issue.	2024-03-18	6.1	CVE-2024-28250 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
colorlibplugins — coming_soon_&_maintenance_mode_by_colorlib	The Coming Soon & Maintenance Mode by Colorlib plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.99 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page contents via REST API thus bypassing maintenance mode protection provided by the plugin.	2024-03-20	5.3	CVE-2024-1473 security@wordfence.com security@wordfence.com
cozmoslabs,_sareiodata — passwordless_login	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Cozmoslabs, sareiodata Passwordless Login passwordless-login allows Stored XSS.This issue affects Passwordless Login: from n/a through 1.1.2.	2024-03-19	6.5	CVE-2024-29143 audit@patchstack.com
creativethemeshq — blocksy_companion	The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Newsletter widget in all versions up to, and including, 2.0.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-22	6.5	CVE-2024-2392 security@wordfence.com security@wordfence.com
crisp — crisp	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Crisp allows Stored XSS.This issue affects Crisp: from n/a through 0.44.	2024-03-21	6.5	CVE-2024-27963 audit@patchstack.com
data443 — tracking_code_manager	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Data443 Tracking Code Manager.This issue affects Tracking Code Manager: from n/a through 2.0.16.	2024-03-21	5.9	CVE-2024-2579 audit@patchstack.com
dazzlersoft — coming_soon_under_construction_&_maintenance_mode_by_dazzler	The Coming Soon, Under Construction & Maintenance Mode By Dazzler plugin for WordPress is vulnerable to maintenance mode bypass in all versions up to, and including, 2.1.2. This is due to the plugin relying on the REQUEST_URI to determine if the page being accesses is an admin area. This makes it possible for unauthenticated attackers to bypass maintenance mode and access the site which may be considered confidential when in maintenance mode.	2024-03-20	5.3	CVE-2024-1181 security@wordfence.com security@wordfence.com
delabon — live_sales_notification_for_woocommerce_-_woomotiv	The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.3. This is due to missing or incorrect nonce validation on the ‘ajax_cancel_review’ function. This makes it possible for unauthenticated attackers to reset the site’s review count via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.	2024-03-20	4.3	CVE-2024-1325 security@wordfence.com security@wordfence.com security@wordfence.com
dell — poweredge_platform	Dell PowerEdge Server BIOS contains an Improper SMM communication buffer verification vulnerability. A physical high privileged attacker could potentially exploit this vulnerability leading to arbitrary writes to SMRAM.	2024-03-19	4.4	CVE-2024-25942 security_alert@emc.com
delta_electronics — diaenergie	Improper neutralization of input within the affected product could lead to cross-site scripting.	2024-03-21	4.6	CVE-2024-28045 ics-cert@hq.dhs.gov
denoland — deno	Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier’s hostname is equal to or a child of a token’s hostname, which can cause tokens to be sent to servers they shouldn’t be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue	2024-03-21	4.6	CVE-2024-27932 security-advisories@github.com security-advisories@github.com security-advisories@github.com
devklan — alma_blog	Improper access control vulnerability in Devklan’s Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow an unauthenticated user to access the application’s functionalities without the need for credentials.	2024-03-19	6.5	CVE-2024-1144 cve-coordination@incibe.es
devklan — alma_blog	User enumeration vulnerability in Devklan’s Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow a remote user to retrieve all valid users registered in the application just by looking at the request response.	2024-03-19	5.3	CVE-2024-1145 cve-coordination@incibe.es
devklan — alma_blog	Cross-Site Scripting vulnerability in Devklan’s Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow an attacker to store a malicious JavaScript payload within the application by adding the payload to ‘Community Description’ or ‘Community Rules’.	2024-03-19	5.8	CVE-2024-1146 cve-coordination@incibe.es
diygod — rsshub	RSSHub is an open source RSS feed generator. Starting in version 1.0.0-master.cbbd829 and prior to version 1.0.0-master.d8ca915, ahen the specially crafted image is supplied to the internal media proxy, it proxies the image without handling XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the deliberately constructed URL are affected. This vulnerability was fixed in version 1.0.0-master.d8ca915. No known workarounds are available.	2024-03-21	6.1	CVE-2024-27926 security-advisories@github.com security-advisories@github.com
diygod — rsshub	RSSHub is an open source RSS feed generator. Prior to version 1.0.0-master.a429472, RSSHub allows remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network or conduct Denial-of-Service (DoS) attacks. The attacker can send malicious requests to a RSSHub server, to make the server send HTTP GET requests to arbitrary destinations and see partial responses. This may lead to leak the server IP address, which could be hidden behind a CDN; retrieving information in the internal network, e.g. which addresses/ports are accessible, the titles and meta descriptions of HTML pages; and denial of service amplification. The attacker could request the server to download some large files, or chain several SSRF requests in a single attacker request.	2024-03-21	6.5	CVE-2024-27927 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
espocrm — espocrm	EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in “Password Change” page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2.	2024-03-21	5.9	CVE-2024-24818 security-advisories@github.com security-advisories@github.com
five_star_plugins — five_star_restaurant_menu	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Five Star Plugins Five Star Restaurant Menu allows Stored XSS.This issue affects Five Star Restaurant Menu: from n/a through 2.4.14.	2024-03-19	6.5	CVE-2024-29089 audit@patchstack.com
folio — spring_module_core	A vulnerability was found in Folio Spring Module Core up to 1.1.5. It has been rated as critical. Affected by this issue is the function dropSchema of the file tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java of the component Schema Name Handler. The manipulation leads to sql injection. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is d374a5f77e6b58e36f0e0e4419be18b95edcd7ff. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-257516.	2024-03-21	5.5	CVE-2022-4963 cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com
foliovision:_making_the_web_work_for_you — fv_flowplayer_video_player	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Foliovision: Making the web work for you FV Flowplayer Video Player allows Stored XSS.This issue affects FV Flowplayer Video Player: from n/a through 7.5.41.7212.	2024-03-19	6.5	CVE-2024-29122 audit@patchstack.com
franciscop — translate	Translate is a package that allows users to convert text to different languages on Node.js and the browser. Prior to version 3.0.0, an attacker controlling the second variable of the `translate` function is able to perform a cache poisoning attack. They can change the outcome of translation requests made by subsequent users. The `opt.id` parameter allows the overwriting of the cache key. If an attacker sets the `id` variable to the cache key that would be generated by another user, they can choose the response that user gets served. Version 3.0.0 fixes this issue.	2024-03-22	5.3	CVE-2024-29042 security-advisories@github.com security-advisories@github.com security-advisories@github.com
fujian_kelixin_communication — command_and_dispatch_platform	A vulnerability has been found in Fujian Kelixin Communication Command and Dispatch Platform up to 20240318 and classified as critical. Affected by this vulnerability is an unknown functionality of the file api/client/down_file.php. The manipulation of the argument uuid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257197 was assigned to this vulnerability.	2024-03-19	6.3	CVE-2024-2620 cna@vuldb.com cna@vuldb.com cna@vuldb.com
fujian_kelixin_communication — command_and_dispatch_platform	A vulnerability was found in Fujian Kelixin Communication Command and Dispatch Platform up to 20240318 and classified as critical. Affected by this issue is some unknown functionality of the file api/client/user/pwd_update.php. The manipulation of the argument uuid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257198 is the identifier assigned to this vulnerability.	2024-03-19	6.3	CVE-2024-2621 cna@vuldb.com cna@vuldb.com cna@vuldb.com
fujian_kelixin_communication — command_and_dispatch_platform	A vulnerability was found in Fujian Kelixin Communication Command and Dispatch Platform up to 20240318. It has been classified as critical. This affects an unknown part of the file /api/client/editemedia.php. The manipulation of the argument number/enterprise_uuid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257199.	2024-03-19	6.3	CVE-2024-2622 cna@vuldb.com cna@vuldb.com cna@vuldb.com
funnelkit — automation_by_autonami	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in FunnelKit Automation By Autonami allows Stored XSS.This issue affects Automation By Autonami: from n/a through 2.8.2.	2024-03-21	6.5	CVE-2024-2580 audit@patchstack.com
geoserver — geoserver	GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administrator with permissions to modify stores through the REST Coverage Store or Data Store API to rename arbitrary files and directories with a name that does not end in `.zip`. Store file uploads rename zip files to have a `.zip` extension if it doesn’t already have one before unzipping the file. This is fine for file and url upload methods where the files will be in a specific subdirectory of the data directory but, when using the external upload method, this allows arbitrary files and directories to be renamed. Renaming GeoServer files will most likely result in a denial of service, either completely preventing GeoServer from running or effectively deleting specific resources (such as a workspace, layer or style). In some cases, renaming GeoServer files could revert to the default settings for that file which could be relatively harmless like removing contact information or have more serious consequences like allowing users to make OGC requests that the customized settings would have prevented them from making. The impact of renaming non-GeoServer files depends on the specific environment although some sort of denial of service is a likely outcome. Versions 2.23.5 and 2.24.2 contain a fix for this issue.	2024-03-20	6	CVE-2024-23634 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
geoserver — geoserver	GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in uploaded style/legend resources that will execute in the context of another administrator’s browser when viewed in the REST Resources API. Access to the REST Resources API is limited to full administrators by default and granting non-administrators access to this endpoint should be carefully considered as it may allow access to files containing sensitive information. Versions 2.23.3 and 2.24.0 contain a patch for this issue.	2024-03-20	4.8	CVE-2023-51445 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
geoserver — geoserver	GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in uploaded style/legend resources or in a specially crafted datastore file that will execute in the context of another user’s browser when viewed in the Style Publisher. Access to the Style Publisher is available to all users although data security may limit users’ ability to trigger the XSS. Versions 2.23.3 and 2.24.0 contain a fix for this issue.	2024-03-20	4.8	CVE-2024-23640 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
geoserver — geoserver	GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another user’s browser when viewed in the WMS GetMap SVG Output Format when the Simple SVG renderer is enabled. Access to the WMS SVG Format is available to all users by default although data and service security may limit users’ ability to trigger the XSS. Versions 2.23.4 and 2.24.1 contain a fix for this issue.	2024-03-20	4.8	CVE-2024-23642 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
geoserver — geoserver	GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.2 and 2.24.1 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another administrator’s browser when viewed in the GWC Seed Form. Access to the GWC Seed Form is limited to full administrators by default and granting non-administrators access to this endpoint is not recommended. Versions 2.23.2 and 2.24.1 contain a fix for this issue.	2024-03-20	4.8	CVE-2024-23643 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
geoserver — geoserver	GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.1 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another user’s browser when viewed in the WMS GetMap OpenLayers Output Format. Access to the WMS OpenLayers Format is available to all users by default although data and service security may limit users’ ability to trigger the XSS. Versions 2.23.3 and 2.24.1 contain a patch for this issue.	2024-03-20	4.8	CVE-2024-23818 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
geoserver — geoserver	GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another user’s browser when viewed in the MapML HTML Page. The MapML extension must be installed and access to the MapML HTML Page is available to all users although data security may limit users’ ability to trigger the XSS. Versions 2.23.4 and 2.24.1 contain a patch for this issue.	2024-03-20	4.8	CVE-2024-23819 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
geoserver — geoserver	GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another user’s browser when viewed in the GWC Demos Page. Access to the GWC Demos Page is available to all users although data security may limit users’ ability to trigger the XSS. Versions 2.23.4 and 2.24.1 contain a patch for this issue.	2024-03-20	4.8	CVE-2024-23821 security-advisories@github.com security-advisories@github.com security-advisories@github.com
github — enterprise_server	An Improper Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed an attacker to use the Enterprise Actions GitHub Connect download token to fetch private repository data. An attacker would require an account on the server instance with non-default settings for GitHub Connect. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.16, 3.9.11, 3.10.8, and 3.11.6. This vulnerability was reported via the GitHub Bug Bounty program.	2024-03-21	6.3	CVE-2024-1908 product-cna@github.com product-cna@github.com product-cna@github.com product-cna@github.com
github_ — enterprise_server	A Cross Site Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker to execute unauthorized actions on behalf of an unsuspecting user. A mitigating factor is that user interaction is required. This vulnerability affected GitHub Enterprise Server 3.12.0 and was fixed in versions 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program.	2024-03-21	4.3	CVE-2024-2748 product-cna@github.com
glpi-project — glpi	GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can execute a SSRF based attack using Arbitrary Object Instantiation. This issue has been patched in version 10.0.13.	2024-03-18	6.4	CVE-2024-27098 security-advisories@github.com security-advisories@github.com security-advisories@github.com
glpi-project — glpi	GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can access sensitive fields data from items on which he has read access. This issue has been patched in version 10.0.13.	2024-03-18	6.5	CVE-2024-27930 security-advisories@github.com security-advisories@github.com security-advisories@github.com
glpi-project — glpi	GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email address of all GLPI users. This issue has been patched in version 10.0.13.	2024-03-18	6.5	CVE-2024-27937 security-advisories@github.com security-advisories@github.com security-advisories@github.com
glpi-project — glpi	GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.	2024-03-18	5.3	CVE-2024-27914 security-advisories@github.com security-advisories@github.com security-advisories@github.com
glpi-project — glpi	GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to an XSS attack. This issue has been patched in version 10.0.13.	2024-03-18	4.5	CVE-2024-27104 security-advisories@github.com security-advisories@github.com security-advisories@github.com
godaddy — page_builder_gutenberg_blocks_-_coblocks	The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Icon Widget’s in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping on the link value. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-23	6.4	CVE-2024-1049 security@wordfence.com security@wordfence.com
gpriday — page_builder_by_siteorigin	The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the legacy Image widget in all versions up to, and including, 2.29.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-23	6.4	CVE-2024-2202 security@wordfence.com security@wordfence.com security@wordfence.com
heyewei — jfinalcms	A vulnerability has been found in heyewei JFinalCMS 5.0.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/div_data/delete?divId=9 of the component Custom Data Page. The manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257071.	2024-03-17	4.7	CVE-2024-2568 cna@vuldb.com cna@vuldb.com cna@vuldb.com
ibm — infosphere_information_server	IBM InfoSphere Information Server 11.7 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 280361.	2024-03-21	6.5	CVE-2024-22352 psirt@us.ibm.com psirt@us.ibm.com
ibm — mq	IBM MQ 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.3 LTS and 9.3 CD is vulnerable to a denial-of-service attack due to an error within the MQ clustering logic. IBM X-Force ID: 268066.	2024-03-20	5.3	CVE-2023-45177 psirt@us.ibm.com psirt@us.ibm.com
ibm — security_verify_directory	IBM Security Verify Directory 10.0.0 could disclose sensitive server information that could be used in further attacks against the system. IBM X-Force ID: 228437.	2024-03-22	5.3	CVE-2022-32751 psirt@us.ibm.com psirt@us.ibm.com
ibm — security_verify_directory	IBM Security Verify Directory 10.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 228444.	2024-03-22	4.5	CVE-2022-32753 psirt@us.ibm.com psirt@us.ibm.com
ibm — security_verify_directory	IBM Security Verify Directory 10.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228445.	2024-03-22	4.8	CVE-2022-32754 psirt@us.ibm.com psirt@us.ibm.com
ibm — security_verify_governance	IBM Security Verify Governance 10.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 258375.	2024-03-20	5.9	CVE-2023-35888 psirt@us.ibm.com psirt@us.ibm.com
ibm — storage_protect_plus_server	The private key for the IBM Storage Protect Plus Server 10.1.0 through 10.1.16 certificate can be disclosed, undermining the security of the certificate. IBM X-Force ID: 285205.	2024-03-21	6.2	CVE-2024-27277 psirt@us.ibm.com psirt@us.ibm.com
ibm — storage_protect_plus_server	IBM Storage Protect Plus Server 10.1.0 through 10.1.16 could allow an authenticated user with read-only permissions to add or delete entries from an existing HyperVisor configuration. IBM X-Force ID: 271538.	2024-03-21	4.3	CVE-2023-47715 psirt@us.ibm.com psirt@us.ibm.com
inc2734 — smart_custom_fields	The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 4.2.2. This makes it possible for authenticated attackers, with subscrber-level access and above, to retrieve post content that is password protected and/or private.	2024-03-20	4.3	CVE-2024-1995 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
infosatech — revivepress_-_keep_your_old_content_evergreen	The RevivePress – Keep your Old Content Evergreen plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the import_data and copy_data functions in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with subscriber-level access or higher, to overwrite plugin settings and view them.	2024-03-20	4.3	CVE-2024-1844 security@wordfence.com security@wordfence.com security@wordfence.com
isaacs — node-tar	node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.	2024-03-21	6.5	CVE-2024-28863 security-advisories@github.com security-advisories@github.com
jan-peter_lambeck_&_3uu — shariff_wrapper	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Jan-Peter Lambeck & 3UU Shariff Wrapper allows Stored XSS.This issue affects Shariff Wrapper: from n/a through 4.6.10.	2024-03-19	6.5	CVE-2024-29109 audit@patchstack.com
jean-david_daviet — download_media	Missing Authorization vulnerability in Jean-David Daviet Download Media.This issue affects Download Media: from n/a through 1.4.2.	2024-03-21	4.3	CVE-2024-27190 audit@patchstack.com
jegtheme — jeg_elementor_kit	The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML Tag attributes in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-21	6.4	CVE-2024-1326 security@wordfence.com security@wordfence.com security@wordfence.com
jegtheme — jeg_elementor_kit	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Jegtheme Jeg Elementor Kit allows Stored XSS.This issue affects Jeg Elementor Kit: from n/a through 2.6.2.	2024-03-19	6.5	CVE-2024-29101 audit@patchstack.com
jetbrains — teamcity	In JetBrains TeamCity before 2023.11 users with access to the agent machine might obtain permissions of the user running the agent process	2024-03-21	4.2	CVE-2024-29880 cve@jetbrains.com
jhpyle — docassemble	Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, a user could type HTML into a field, including the field for the user’s name, and then that HTML could be displayed on the screen as HTML. The vulnerability has been patched in version 1.4.97 of the master branch.	2024-03-21	6.1	CVE-2024-27290 security-advisories@github.com security-advisories@github.com
jhpyle — docassemble	Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, it is possible to create a URL that acts as an open redirect. The vulnerability has been patched in version 1.4.97 of the master branch.	2024-03-21	6.1	CVE-2024-27291 security-advisories@github.com security-advisories@github.com
jp2112 — standout_color_boxes_and_buttons	The Standout Color Boxes and Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘color-button’ shortcode in all versions up to, and including, 0.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-20	6.4	CVE-2024-2474 security@wordfence.com security@wordfence.com
kilbot — woocommerce_pos	The WooCommerce POS plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.4.11. This is due to the plugin not properly verifying the authentication and authorization of the current user This makes it possible for authenticated attackers, with customer-level access and above, to view potentially sensitive information about other users by leveraging their order id	2024-03-20	4.3	CVE-2024-2384 security@wordfence.com security@wordfence.com
kishor-23 — food_waste_management_system	A vulnerability was found in kishor-23 Food Waste Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/admin.php. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257056. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-17	5.3	CVE-2024-2557 cna@vuldb.com cna@vuldb.com cna@vuldb.com
lakernote — easyadmin	A vulnerability classified as critical has been found in lakernote EasyAdmin up to 20240315. This affects an unknown part of the file /ureport/designer/saveReportFile. The manipulation of the argument file leads to path traversal: ‘../filedir’. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257715.	2024-03-22	6.3	CVE-2024-2825 cna@vuldb.com cna@vuldb.com cna@vuldb.com
lakernote — easyadmin	A vulnerability classified as problematic was found in lakernote EasyAdmin up to 20240315. This vulnerability affects unknown code of the file /ureport/designer/saveReportFile. The manipulation leads to xml external entity reference. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257716.	2024-03-22	6.3	CVE-2024-2826 cna@vuldb.com cna@vuldb.com cna@vuldb.com
lakernote — easyadmin	A vulnerability, which was classified as critical, has been found in lakernote EasyAdmin up to 20240315. This issue affects some unknown processing of the file /ureport/designer/saveReportFile. The manipulation leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257717 was assigned to this vulnerability.	2024-03-22	6.3	CVE-2024-2827 cna@vuldb.com cna@vuldb.com cna@vuldb.com
lakernote — easyadmin	A vulnerability, which was classified as critical, was found in lakernote EasyAdmin up to 20240315. Affected is the function thumbnail of the file src/main/java/com/laker/admin/module/sys/controller/IndexController.java. The manipulation of the argument url leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 23165d8cb569048c531150f194fea39f8800b8d5. It is recommended to apply a patch to fix this issue. VDB-257718 is the identifier assigned to this vulnerability.	2024-03-22	6.3	CVE-2024-2828 cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com
latchset — jwcrypto	JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.	2024-03-21	6.8	CVE-2024-28102 security-advisories@github.com security-advisories@github.com
leap13 — premium_addons_for_elementor	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Leap13 Premium Addons for Elementor allows Stored XSS.This issue affects Premium Addons for Elementor: from n/a through 4.10.16.	2024-03-19	6.5	CVE-2024-29106 audit@patchstack.com
leevio — happy_addons_for_elementor	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Leevio Happy Addons for Elementor allows Stored XSS.This issue affects Happy Addons for Elementor: from n/a through 3.10.1.	2024-03-19	6.5	CVE-2024-29108 audit@patchstack.com
liquidpoll — liquidpoll_-_polls,_surveys,_nps_and_feedback_reviews	The LiquidPoll – Polls, Surveys, NPS and Feedback Reviews plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.76 via the poller_list shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to extract information from polls that may be private.	2024-03-22	4.3	CVE-2024-2080 security@wordfence.com security@wordfence.com
magenet — website_article_monetization_by_magenet	The Website Article Monetization By MageNet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘abp_auth_key’ parameter in all versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping and a missing authorization check. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-20	6.1	CVE-2024-1379 security@wordfence.com security@wordfence.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability, which was classified as critical, was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. This affects an unknown part of the file /admin/users.php. The manipulation of the argument user_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256971. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-17	6.3	CVE-2024-2534 cna@vuldb.com cna@vuldb.com cna@vuldb.com
matt_manning — mjm_clinic	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Matt Manning MJM Clinic.This issue affects MJM Clinic: from n/a through 1.1.22.	2024-03-19	6.5	CVE-2024-29096 audit@patchstack.com
matt_manning — mjm_clinic	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Matt Manning MJM Clinic allows Stored XSS.This issue affects MJM Clinic: from n/a through 1.1.22.	2024-03-19	5.9	CVE-2024-29140 audit@patchstack.com
matthias-wandel — jhead	A vulnerability was found in Matthias-Wandel jhead 3.08 and classified as critical. This issue affects the function PrintFormatNumber of the file exif.c. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257711.	2024-03-22	6.3	CVE-2024-2824 cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com
mbis — permalink_manager_pro	The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘ajax_save_permalink’ function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts.	2024-03-20	5.4	CVE-2024-2538 security@wordfence.com security@wordfence.com security@wordfence.com
melapress — wp_2fa	Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.This issue affects WP 2FA: from n/a through 2.2.0.	2024-03-21	5.3	CVE-2022-44595 audit@patchstack.com
microsoft — microsoft_edge_(chromium-based)	Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability	2024-03-22	4.7	CVE-2024-26247 secure@microsoft.com
microsoft — microsoft_edge_(chromium-based)	Microsoft Edge (Chromium-based) Spoofing Vulnerability	2024-03-22	4.3	CVE-2024-29057 secure@microsoft.com
microsoft — microsoft_edge_for_android	Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability	2024-03-21	4.3	CVE-2024-26196 secure@microsoft.com
moby — moby	Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby’s networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `–internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well. When containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs. Containers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly. In addition to configuring the Linux kernel’s various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver. When a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container’s network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself. As a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved. Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host’s configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected. Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace’s normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers. Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address. Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container’s network namespace.	2024-03-20	5.9	CVE-2024-29018 security-advisories@github.com security-advisories@github.com
moveaddons — move_addons_for_elementor	The Move Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s infobox and button widget in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-23	6.4	CVE-2024-2131 security@wordfence.com security@wordfence.com
n-media — frontend_file_manager	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in N-Media Frontend File Manager.This issue affects Frontend File Manager: from n/a through 22.7.	2024-03-17	5.3	CVE-2024-25903 audit@patchstack.com
n/a — 74cms	A vulnerability, which was classified as critical, has been found in 74CMS 3.28.0. Affected by this issue is the function sendCompanyLogo of the file /controller/company/Index.php#sendCompanyLogo of the component Company Logo Handler. The manipulation of the argument imgBase64 leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257060.	2024-03-17	6.3	CVE-2024-2561 cna@vuldb.com cna@vuldb.com cna@vuldb.com
n/a — black	Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.	2024-03-19	5.3	CVE-2024-21503 report@snyk.io report@snyk.io report@snyk.io
n/a — dedecms	A vulnerability classified as problematic was found in DedeCMS 5.7. Affected by this vulnerability is an unknown functionality of the file /src/dede/baidunews.php. The manipulation of the argument filename leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257707. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	4.3	CVE-2024-2820 cna@vuldb.com cna@vuldb.com cna@vuldb.com
n/a — dedecms	A vulnerability, which was classified as problematic, has been found in DedeCMS 5.7. Affected by this issue is some unknown functionality of the file /src/dede/friendlink_edit.php. The manipulation of the argument id leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257708. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	4.3	CVE-2024-2821 cna@vuldb.com cna@vuldb.com cna@vuldb.com
n/a — dedecms	A vulnerability, which was classified as problematic, was found in DedeCMS 5.7. This affects an unknown part of the file /src/dede/vote_edit.php. The manipulation of the argument aid leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257709 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	4.3	CVE-2024-2822 cna@vuldb.com cna@vuldb.com cna@vuldb.com
n/a — dedecms	A vulnerability has been found in DedeCMS 5.7 and classified as problematic. This vulnerability affects unknown code of the file /src/dede/mda_main.php. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257710 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	4.3	CVE-2024-2823 cna@vuldb.com cna@vuldb.com cna@vuldb.com
n/a — gnutls	A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.	2024-03-21	5.3	CVE-2024-28834 secalert@redhat.com secalert@redhat.com secalert@redhat.com secalert@redhat.com
n/a — gnutls	A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the “certtool –verify-chain” command.	2024-03-21	5	CVE-2024-28835 secalert@redhat.com secalert@redhat.com secalert@redhat.com
n/a — iperf	A flaw was found in iperf, a utility for testing network performance using TCP, UDP, and SCTP. A malicious or malfunctioning client can send less than the expected amount of data to the iperf server, which can cause the server to hang indefinitely waiting for the remainder or until the connection gets closed. This will prevent other connections to the server, leading to a denial of service.	2024-03-18	5.3	CVE-2023-7250 secalert@redhat.com secalert@redhat.com
n/a — libvirt	A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by causing the libvirt daemon to crash.	2024-03-21	6.2	CVE-2024-2494 secalert@redhat.com secalert@redhat.com secalert@redhat.com
n/a — libvirt	A NULL pointer dereference flaw was found in the udevConnectListAllInterfaces() function in libvirt. This issue can occur when detaching a host interface while at the same time collecting the list of interfaces via virConnectListAllInterfaces API. This flaw could be used to perform a denial of service attack by causing the libvirt daemon to crash.	2024-03-18	5	CVE-2024-2496 secalert@redhat.com secalert@redhat.com
n/a — livewire/livewire	Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 are vulnerable to Cross-site Scripting (XSS) when a page uses [Url] for a property. An attacker can inject HTML code in the context of the user’s browser session by crafting a malicious link and convincing the user to click on it.	2024-03-19	6.1	CVE-2024-21504 report@snyk.io report@snyk.io report@snyk.io report@snyk.io
n/a — osbuild-composer	A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built.	2024-03-19	6.1	CVE-2024-2307 secalert@redhat.com secalert@redhat.com
n/a — zhicms	A vulnerability, which was classified as critical, has been found in ZhiCms 4.0. This issue affects the function getindexdata of the file app/index/controller/mcontroller.php. The manipulation of the argument key leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255269 was assigned to this vulnerability.	2024-03-21	6.3	CVE-2024-2015 cna@vuldb.com cna@vuldb.com cna@vuldb.com
n/a — zhicms	A vulnerability, which was classified as critical, was found in ZhiCms 4.0. Affected is the function index of the file app/manage/controller/setcontroller.php. The manipulation of the argument sitename leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-255270 is the identifier assigned to this vulnerability.	2024-03-21	6.3	CVE-2024-2016 cna@vuldb.com cna@vuldb.com cna@vuldb.com
nasirahmed — advanced_form_integration_-_connect_woocommerce_and_contact_form_7_to_google_sheets_and_other_platforms	The Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms plugin for WordPress is vulnerable to SQL Injection via the ‘integration_id’ parameter in all versions up to, and including, 1.82.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries and subsequently inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.	2024-03-20	6.1	CVE-2024-2387 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
netentsec — ns-asg_application_security_gateway	A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3. It has been rated as critical. Affected by this issue is some unknown functionality of the file /protocol/firewall/addfirewall.php. The manipulation of the argument FireWallTableArray leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257282 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-19	6.3	CVE-2024-2644 cna@vuldb.com cna@vuldb.com cna@vuldb.com
netentsec — ns-asg_application_security_gateway	A vulnerability classified as critical was found in Netentsec NS-ASG Application Security Gateway 6.3. This vulnerability affects unknown code of the file /vpnweb/index.php?para=index. The manipulation of the argument check_VirtualSiteId leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257284. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-19	6.3	CVE-2024-2646 cna@vuldb.com cna@vuldb.com cna@vuldb.com
netentsec — ns-asg_application_security_gateway	A vulnerability has been found in Netentsec NS-ASG Application Security Gateway 6.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /protocol/iscdevicestatus/deleteonlineuser.php. The manipulation of the argument messagecontent leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257287. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-20	6.3	CVE-2024-2649 cna@vuldb.com cna@vuldb.com cna@vuldb.com
netentsec — ns-asg_application_security_gateway	A vulnerability classified as problematic has been found in Netentsec NS-ASG Application Security Gateway 6.3. This affects an unknown part of the file /vpnweb/resetpwd/resetpwd.php. The manipulation of the argument UserId leads to improper neutralization of data within xpath expressions. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257283. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-19	4.3	CVE-2024-2645 cna@vuldb.com cna@vuldb.com cna@vuldb.com
netentsec — ns-asg_application_security_gateway	A vulnerability, which was classified as problematic, was found in Netentsec NS-ASG Application Security Gateway 6.3. Affected is an unknown function of the file /nac/naccheck.php. The manipulation of the argument username leads to improper neutralization of data within xpath expressions. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257286 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-19	4.3	CVE-2024-2648 cna@vuldb.com cna@vuldb.com cna@vuldb.com
octoprint — octoprint	OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which when tested through the “Test” button included in the web interface will execute JavaScript code in the victims browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The vulnerability is patched in version 1.10.0rc3. OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation and what settings they modify based on instructions by strangers.	2024-03-18	4	CVE-2024-28237 security-advisories@github.com security-advisories@github.com
openbmb — xagent	A vulnerability was found in OpenBMB XAgent 1.0.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Privileged Mode. The manipulation leads to sandbox issue. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier VDB-255265 was assigned to this vulnerability.	2024-03-21	5.3	CVE-2024-2007 cna@vuldb.com cna@vuldb.com cna@vuldb.com
opentext — service_management_automation_x_(smax)	Insufficient Granularity of Access Control vulnerability in OpenText™ Service Management Automation X (SMAX), OpenText™ Asset Management X (AMX) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Service Management Automation X (SMAX) versions 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11; and Asset Management X (AMX) versions 2021.08, 2021.11, 2022.05, 2022.11.	2024-03-19	6.5	CVE-2023-32259 security@opentext.com
opentext — service_management_automation_x_(smax)	Misinterpretation of Input vulnerability in OpenText™ Service Management Automation X (SMAX), OpenText™ Asset Management X (AMX), and OpenText™ Hybrid Cloud Management X (HCMX) products. The vulnerability could allow Input data manipulation.This issue affects Service Management Automation X (SMAX) versions: 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11, 2023.05; Asset Management X (AMX) versions: 2021.08, 2021.11, 2022.05, 2022.11, 2023.05; and Hybrid Cloud Management X (HCMX) versions: 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11, 2023.05.	2024-03-19	6.5	CVE-2023-32260 security@opentext.com
openzeppelin — openzeppelin-contracts	OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.	2024-03-21	6.5	CVE-2024-27094 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
osamaesh — wp_visitor_statistics_(real_time_traffic)	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Osamaesh WP Visitor Statistics (Real Time Traffic).This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through 6.9.4.	2024-03-17	5.3	CVE-2024-24867 audit@patchstack.com
pandaxgo — pandax	A vulnerability, which was classified as critical, was found in PandaXGO PandaX up to 20240310. This affects the function InsertRole of the file /apps/system/services/role_menu.go. The manipulation of the argument roleKey leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257061 was assigned to this vulnerability.	2024-03-17	6.3	CVE-2024-2562 cna@vuldb.com cna@vuldb.com cna@vuldb.com
pandaxgo — pandax	A vulnerability was found in PandaXGO PandaX up to 20240310 and classified as critical. This issue affects the function ExportUser of the file /apps/system/api/user.go. The manipulation of the argument filename leads to path traversal: ‘../filedir’. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257063.	2024-03-17	6.3	CVE-2024-2564 cna@vuldb.com cna@vuldb.com cna@vuldb.com
pandaxgo — pandax	A vulnerability was found in PandaXGO PandaX up to 20240310. It has been classified as critical. Affected is an unknown function of the file /apps/system/router/upload.go of the component File Extension Handler. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257064.	2024-03-17	6.3	CVE-2024-2565 cna@vuldb.com cna@vuldb.com cna@vuldb.com
pandaxgo — pandax	A vulnerability has been found in PandaXGO PandaX up to 20240310 and classified as critical. This vulnerability affects the function DeleteImage of the file /apps/system/router/upload.go. The manipulation of the argument fileName with the input ../../../../../../../../../tmp/1.txt leads to path traversal: ‘../filedir’. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257062 is the identifier assigned to this vulnerability.	2024-03-17	5.4	CVE-2024-2563 cna@vuldb.com cna@vuldb.com cna@vuldb.com
pandora_fms — pandora_fms	: Path Traversal vulnerability in Pandora FMS on all allows Path Traversal. This vulnerability allowed changing directories and creating files and downloading them outside the allowed directories. This issue affects Pandora FMS: from 700 through <776.	2024-03-19	6.7	CVE-2023-41793 security@pandorafms.com
pandora_fms — pandora_fms	Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Pandora FMS on all allows CVE-2008-5817. This vulnerability allowed SQL changes to be made to several files in the Grafana module. This issue affects Pandora FMS: from 700 through <776.	2024-03-19	6.8	CVE-2023-44090 security@pandorafms.com
paul_ryley — site_reviews	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Paul Ryley Site Reviews allows Stored XSS.This issue affects Site Reviews: from n/a through 6.11.6.	2024-03-19	5.9	CVE-2024-29095 audit@patchstack.com
pdf_embedder — pdf_embedder	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in PDF Embedder allows Stored XSS.This issue affects PDF Embedder: from n/a through 4.6.4.	2024-03-19	6.5	CVE-2024-29141 audit@patchstack.com
pepro_dev._group — peprodev_ultimate_invoice	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pepro Dev. Group PeproDev Ultimate Invoice.This issue affects PeproDev Ultimate Invoice: from n/a through 1.9.7.	2024-03-17	5.3	CVE-2024-25933 audit@patchstack.com
pickplugins — user_profile	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in PickPlugins User profile allows Stored XSS.This issue affects User profile: from n/a through 2.0.20.	2024-03-19	6.3	CVE-2024-29097 audit@patchstack.com
progress_software — moveit_transfer	In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered. An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.	2024-03-20	4.3	CVE-2024-2291 security@progress.com security@progress.com
python_software_foundation — cpython	An issue was found in the CPython `zipfile` module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.	2024-03-19	6.2	CVE-2024-0450 cna@python.org cna@python.org cna@python.org cna@python.org cna@python.org cna@python.org cna@python.org cna@python.org cna@python.org cna@python.org cna@python.org
qiskit — qiskit-ibm-runtime	Qiskit IBM Runtime is an environment that streamlines quantum computations and provides optimal implementations of the Qiskit quantum computing SDK. Starting in version 0.1.0 and prior to version 0.21.2, deserializing json data using `qiskit_ibm_runtime.RuntimeDecoder` can lead to arbitrary code execution given a correctly formatted input string. Version 0.21.2 contains a fix for this issue.	2024-03-20	5.3	CVE-2024-29032 security-advisories@github.com security-advisories@github.com security-advisories@github.com
railmedia — order_tip_for_woocommerce	The Order Tip for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_tips_to_csv() function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to export the plugin’s order fees.	2024-03-20	5.3	CVE-2024-1119 security@wordfence.com security@wordfence.com security@wordfence.com
realmag777 — bear	Missing Authorization vulnerability in realmag777 BEAR.This issue affects BEAR: from n/a through 1.1.4.	2024-03-23	4.3	CVE-2024-24835 audit@patchstack.com
remyb92 — translate_wordpress_and_go_multilingual_-_weglot	The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s widget/block in all versions up to, and including, 4.2.5 due to insufficient input sanitization and output escaping on user supplied attributes such as ‘className’. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-20	6.4	CVE-2024-2124 security@wordfence.com security@wordfence.com security@wordfence.com
repute_infosystems — armember_-_membership_plugin_content_restriction_member_levels_user_profile_&_user_signup	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Repute Infosystems ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup allows Stored XSS.This issue affects ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup: from n/a through 4.0.23.	2024-03-21	5.9	CVE-2024-27995 audit@patchstack.com
rewardsfuel — contests_by_rewards_fuel	The Contests by Rewards Fuel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘update_rewards_fuel_api_key’ parameter in all versions up to, and including, 2.0.64 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-20	6.4	CVE-2024-1787 security@wordfence.com security@wordfence.com
rewardsfuel — contests_by_rewards_fuel	The Contests by Rewards Fuel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.62. This is due to missing or incorrect nonce validation on the ajax_handler() function. This makes it possible for unauthenticated attackers to update the plugin’s settings and inject malicious JavaScript via a forged request granted they can trick a site’s user with the edit_posts capability into performing an action such as clicking on a link.	2024-03-20	5.4	CVE-2024-1785 security@wordfence.com security@wordfence.com
rubengc — gamipress_-_button	The GamiPress – Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘gamipress_button’ shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-20	6.4	CVE-2024-2460 security@wordfence.com security@wordfence.com
ruijie — rg-nbs2009g-p	A vulnerability was found in Ruijie RG-NBS2009G-P up to 20240305. It has been classified as critical. Affected is an unknown function of the file /system/passwdManage.htm of the component Password Handler. The manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257280. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-19	5.3	CVE-2024-2641 cna@vuldb.com cna@vuldb.com cna@vuldb.com
saleor — storefront	Saleor Storefront is software for building e-commerce experiences. Prior to commit 579241e75a5eb332ccf26e0bcdd54befa33f4783, when any user authenticates in the storefront, anonymous users are able to access their data. The session is leaked through cache and can be accessed by anyone. Users should upgrade to a version that incorporates commit 579241e75a5eb332ccf26e0bcdd54befa33f4783 or later to receive a patch. A possible workaround is to temporarily disable authentication by changing the usage of `createSaleorAuthClient()`.	2024-03-20	4.3	CVE-2024-29036 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
save_as_pdf_plugin_by_pdfcrowd — word_replacer_pro	Missing Authorization vulnerability in Save as PDF plugin by Pdfcrowd Word Replacer Pro.This issue affects Word Replacer Pro: from n/a through 1.0.	2024-03-20	6.5	CVE-2023-52229 audit@patchstack.com
scrollsequence — scrollsequence	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Scrollsequence allows Stored XSS.This issue affects Scrollsequence: from n/a through 1.5.4.	2024-03-19	6.5	CVE-2024-29118 audit@patchstack.com
sjaved — easy_social_feed_-_social_photos_gallery_-_post_feed_-_like_box	The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘efb_likebox’ shortcode in all versions up to, and including, 6.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-21	6.4	CVE-2024-1278 security@wordfence.com security@wordfence.com
sjaved — easy_social_feed_-_social_photos_gallery_-_post_feed_-_like_box	The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.4. This is due to missing or incorrect nonce validation on the esf_insta_save_access_token and efbl_save_facebook_access_token functions. This makes it possible for unauthenticated attackers to connect their facebook and instagram pages to the site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.	2024-03-21	5.4	CVE-2024-1213 security@wordfence.com security@wordfence.com
sjaved — easy_social_feed_-_social_photos_gallery_-_post_feed_-_like_box	The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.4. This is due to missing or incorrect nonce validation on the save_groups_list function. This makes it possible for unauthenticated attackers to disconnect a site’s facebook or instagram page/group connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.	2024-03-21	4.3	CVE-2024-1214 security@wordfence.com security@wordfence.com
sonatype — iq_server	Path Traversal in Sonatype IQ Server from version 143 allows remote authenticated attackers to overwrite or delete files via a specially crafted request. Version 171 fixes this issue.	2024-03-21	5.4	CVE-2024-1142 103e4ec9-0a87-450b-af77-479448ddef11
sourcecodester — complete_e-commerce_site	A vulnerability classified as critical has been found in SourceCodester Complete E-Commerce Site 1.0. Affected is an unknown function of the file /admin/users_photo.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257544.	2024-03-21	4.7	CVE-2024-2754 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — employee_task_management_system	A vulnerability has been found in SourceCodester Employee Task Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file update-employee.php. The manipulation of the argument admin_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257053 was assigned to this vulnerability.	2024-03-17	6.3	CVE-2024-2554 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — employee_task_management_system	A vulnerability was found in SourceCodester Employee Task Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file update-admin.php. The manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257054 is the identifier assigned to this vulnerability.	2024-03-17	6.3	CVE-2024-2555 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — employee_task_management_system	A vulnerability was found in SourceCodester Employee Task Management System 1.0. It has been classified as critical. This affects an unknown part of the file attendance-info.php. The manipulation of the argument user_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257055.	2024-03-17	6.3	CVE-2024-2556 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — file_manager_app	A vulnerability was found in SourceCodester File Manager App 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /endpoint/update-file.php. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257182 is the identifier assigned to this vulnerability.	2024-03-18	6.3	CVE-2024-2604 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — online_discussion_forum_site	A vulnerability was found in SourceCodester Online Discussion Forum Site 1.0. It has been classified as critical. Affected is an unknown function of the file /uupdate.php. The manipulation of the argument ima leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257388.	2024-03-20	6.3	CVE-2024-2690 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — simple_file_manager	A vulnerability classified as critical was found in SourceCodester Simple File Manager 1.0. This vulnerability affects unknown code. The manipulation of the argument photo leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257770 is the identifier assigned to this vulnerability.	2024-03-23	6.3	CVE-2024-2849 cna@vuldb.com cna@vuldb.com cna@vuldb.com
spring — spring	Spring Authorization Server versions 1.0.0 – 1.0.5, 1.1.0 – 1.1.5, 1.2.0 – 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An application is not vulnerable when a Public Client uses PKCE for the Authorization Code Grant.	2024-03-20	6.1	CVE-2024-22258 security@vmware.com
supercleanse — pretty_links_-_affiliate_links_link_branding_link_tracking_&_marketing_plugin	The Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.3. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to change the plugin’s configuration including stripe integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.	2024-03-23	4.3	CVE-2024-2326 security@wordfence.com security@wordfence.com
survey_maker_team — survey_maker	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Survey Maker team Survey Maker allows Stored XSS.This issue affects Survey Maker: from n/a through 4.0.5.	2024-03-19	5.9	CVE-2024-27996 audit@patchstack.com
tenda — ac10u	A vulnerability has been found in Tenda AC10U 15.03.06.49 and classified as critical. This vulnerability affects the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257458 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-20	6.3	CVE-2024-2707 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac15	A vulnerability was found in Tenda AC15 15.03.05.18/15.03.20_multi. It has been classified as critical. This affects the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257667. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	6.3	CVE-2024-2812 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac15	A vulnerability classified as problematic was found in Tenda AC15 15.03.05.18. Affected by this vulnerability is the function fromSysToolReboot of the file /goform/SysToolReboot. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257671. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	4.3	CVE-2024-2816 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac15	A vulnerability, which was classified as problematic, has been found in Tenda AC15 15.03.05.18. Affected by this issue is the function fromSysToolRestoreSet of the file /goform/SysToolRestoreSet. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257672. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-22	4.3	CVE-2024-2817 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac18	A vulnerability classified as problematic has been found in Tenda AC18 15.03.05.05. Affected is the function fromSysToolReboot of the file /goform/SysToolReboot. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257058 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-17	4.3	CVE-2024-2559 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac18	A vulnerability classified as problematic was found in Tenda AC18 15.03.05.05. Affected by this vulnerability is the function fromSysToolRestoreSet of the file /goform/SysToolRestoreSet. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257059. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-17	4.3	CVE-2024-2560 cna@vuldb.com cna@vuldb.com cna@vuldb.com
themefic — tourfic	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Themefic Tourfic allows Stored XSS.This issue affects Tourfic: from n/a through 2.11.8.	2024-03-19	6.5	CVE-2024-29134 audit@patchstack.com
themegrill — colormag	The ColorMag theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user’s Display Name in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authentciated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-22	6.4	CVE-2024-2500 security@wordfence.com security@wordfence.com security@wordfence.com
themelocation — custom_woocommerce_checkout_fields_editor	The Custom WooCommerce Checkout Fields Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the save_wcfe_options function in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-23	6.4	CVE-2024-1697 security@wordfence.com security@wordfence.com security@wordfence.com
themeum — tutor_lms_-_elearning_and_online_course_solution	The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tutor_delete_announcement() function in all versions up to, and including, 2.6.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts.	2024-03-21	5.4	CVE-2024-1502 security@wordfence.com security@wordfence.com
themeum — tutor_lms_-_elearning_and_online_course_solution	The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.1. This is due to missing or incorrect nonce validation on the erase_tutor_data() function. This makes it possible for unauthenticated attackers to deactivate the plugin and erase all data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This requires the “Erase upon uninstallation” option to be enabled.	2024-03-21	4.3	CVE-2024-1503 security@wordfence.com security@wordfence.com
timersys — wp_popups	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Timersys WP Popups allows Stored XSS.This issue affects WP Popups: from n/a through 2.1.5.5.	2024-03-19	5.9	CVE-2024-29105 audit@patchstack.com
tobias_conrad — builder_for_woocommerce_reviews_shortcodes_-_reviewshort	Cross-Site Request Forgery (CSRF) vulnerability in Tobias Conrad Builder for WooCommerce reviews shortcodes – ReviewShort.This issue affects Builder for WooCommerce reviews shortcodes – ReviewShort: from n/a through 1.01.3.	2024-03-19	4.3	CVE-2024-29093 audit@patchstack.com
visualcomposer — visual_composer_website_builder	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Visualcomposer Visual Composer Website Builder allows Stored XSS.This issue affects Visual Composer Website Builder: from n/a through 45.6.0.	2024-03-19	5.9	CVE-2024-27997 audit@patchstack.com
w3_eden_inc — download_manager	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in W3 Eden, Inc. Download Manager allows Stored XSS.This issue affects Download Manager: from n/a through 3.2.84.	2024-03-19	6.5	CVE-2024-29114 audit@patchstack.com
webtoffee — woocommerce_pdf_invoices_packing_slips_delivery_notes_and_shipping_labels	The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Customer Notes field in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected invoice for printing.	2024-03-22	6.1	CVE-2024-0957 security@wordfence.com security@wordfence.com
webvitaly — sitekit	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Webvitaly Sitekit allows Stored XSS.This issue affects Sitekit: from n/a through 1.6.	2024-03-19	6.5	CVE-2024-29111 audit@patchstack.com
wp_marketing_robot — woocommerce_google_feed_manager	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WP Marketing Robot WooCommerce Google Feed Manager allows Stored XSS.This issue affects WooCommerce Google Feed Manager: from n/a through 2.2.0.	2024-03-19	5.9	CVE-2024-29112 audit@patchstack.com
wpbits — wpbits_addons_for_elementor_page_builder	The WPBITS Addons For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s heading widget in all versions up to, and including, 1.3.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-20	6.4	CVE-2024-2129 security@wordfence.com security@wordfence.com
wpcoder — wp_coder	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPCoder WP Coder allows Stored XSS.This issue affects WP Coder: from n/a through 3.5.	2024-03-21	5.9	CVE-2024-2578 audit@patchstack.com
wpdevteam — embedpress_-_embed_pdf_google_docs_vimeo_wistia_embed_youtube_videos_audios_maps_&_embed_any_documents_in_gutenberg_&_elemento	The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the EmbedPress document widget in all versions up to, and including, 3.9.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-23	5.4	CVE-2024-2688 security@wordfence.com security@wordfence.com
wpdevteam — embedpress_-_embed_pdf_google_docs_vimeo_wistia_embed_youtube_videos_audios_maps_&_embed_any_documents_in_gutenberg_&_elementor	The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the EmbedPress widget ’embedpress_pro_twitch_theme ‘ attribute in all versions up to, and including, 3.9.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-23	6.4	CVE-2024-2468 security@wordfence.com security@wordfence.com
wpdevteam — essential_blocks_-_page_builder_gutenberg_blocks-patterns_&_templates	The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s widgets in all versions up to, and including, 4.5.2 due to insufficient input sanitization and output escaping on user supplied attributes such as listStyle. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-20	6.4	CVE-2024-2255 security@wordfence.com security@wordfence.com security@wordfence.com
wpfunnels_team — wpfunnels	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPFunnels Team WPFunnels allows Stored XSS.This issue affects WPFunnels: from n/a through 3.0.6.	2024-03-21	5.9	CVE-2024-27965 audit@patchstack.com
wpvibes — elementor_addon_elements	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPVibes Elementor Addon Elements allows Stored XSS.This issue affects Elementor Addon Elements: from n/a through 1.12.10.	2024-03-19	6.5	CVE-2024-29107 audit@patchstack.com
zaytech — smart_online_order_for_clover	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Zaytech Smart Online Order for Clover allows Stored XSS.This issue affects Smart Online Order for Clover: from n/a through 1.5.5.	2024-03-19	6.5	CVE-2024-29115 audit@patchstack.com
zimma_ltd. — ticket_tailor	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Zimma Ltd. Ticket Tailor allows Stored XSS.This issue affects Ticket Tailor: from n/a through 1.10.	2024-03-19	6.5	CVE-2024-29104 audit@patchstack.com
zulip — zulip	Zulip is an open-source team collaboration. When a user moves a Zulip message, they have the option to move all messages in the topic, move only subsequent messages as well, or move just a single message. If the user chose to just move one message, and was moving it from a public stream to a private stream, Zulip would successfully move the message, — but active users who did not have access to the private stream, but whose client had already received the message, would continue to see the message in the public stream until they reloaded their client. Additionally, Zulip did not remove view permissions on the message from recently-active users, allowing the message to show up in the “All messages” view or in search results, but not in “Inbox” or “Recent conversations” views. While the bug has been present since moving messages between streams was first introduced in version 3.0, this option became much more common starting in Zulip 8.0, when the default option in the picker for moving the very last message in a conversation was changed. This issue is fixed in Zulip Server 8.3. No known workarounds are available.	2024-03-20	6.5	CVE-2024-27286 security-advisories@github.com security-advisories@github.com

Low Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
adobe — adobe_experience_manager	Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.	2024-03-18	3.4	CVE-2024-26051 psirt@adobe.com
campcodes — complete_online_dj_booking_system	A vulnerability was found in Campcodes Complete Online DJ Booking System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/user-search.php. The manipulation of the argument searchdata leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257468.	2024-03-20	3.5	CVE-2024-2715 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_dj_booking_system	A vulnerability was found in Campcodes Complete Online DJ Booking System 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/contactus.php. The manipulation of the argument email leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257469 was assigned to this vulnerability.	2024-03-20	3.5	CVE-2024-2716 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_dj_booking_system	A vulnerability was found in Campcodes Complete Online DJ Booking System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/booking-search.php. The manipulation of the argument searchdata leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257470 is the identifier assigned to this vulnerability.	2024-03-20	3.5	CVE-2024-2717 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_dj_booking_system	A vulnerability was found in Campcodes Complete Online DJ Booking System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/booking-bwdates-reports-details.php. The manipulation of the argument fromdate leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257471.	2024-03-20	3.5	CVE-2024-2718 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_dj_booking_system	A vulnerability classified as problematic has been found in Campcodes Complete Online DJ Booking System 1.0. Affected is an unknown function of the file /admin/admin-profile.php. The manipulation of the argument adminname leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257472.	2024-03-20	3.5	CVE-2024-2719 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — complete_online_dj_booking_system	A vulnerability classified as problematic was found in Campcodes Complete Online DJ Booking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/aboutus.php. The manipulation of the argument pagetitle leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257473 was assigned to this vulnerability.	2024-03-20	3.5	CVE-2024-2720 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability was found in Campcodes Online Job Finder System 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/vacancy/index.php. The manipulation of the argument view leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257379.	2024-03-20	3.5	CVE-2024-2679 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability was found in Campcodes Online Job Finder System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/user/index.php. The manipulation of the argument view leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257380.	2024-03-20	3.5	CVE-2024-2680 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability was found in Campcodes Online Job Finder System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/employee/index.php. The manipulation of the argument view leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257381 was assigned to this vulnerability.	2024-03-20	3.5	CVE-2024-2681 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability classified as problematic has been found in Campcodes Online Job Finder System 1.0. Affected is an unknown function of the file /admin/employee/controller.php. The manipulation of the argument EMPLOYEEID leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257382 is the identifier assigned to this vulnerability.	2024-03-20	3.5	CVE-2024-2682 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability classified as problematic was found in Campcodes Online Job Finder System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/company/index.php. The manipulation of the argument view leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257383.	2024-03-20	3.5	CVE-2024-2683 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability, which was classified as problematic, has been found in Campcodes Online Job Finder System 1.0. Affected by this issue is some unknown functionality of the file /admin/category/index.php. The manipulation of the argument view leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257384.	2024-03-20	3.5	CVE-2024-2684 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability, which was classified as problematic, was found in Campcodes Online Job Finder System 1.0. This affects an unknown part of the file /admin/applicants/index.php. The manipulation of the argument view leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257385 was assigned to this vulnerability.	2024-03-20	3.5	CVE-2024-2685 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_job_finder_system	A vulnerability has been found in Campcodes Online Job Finder System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /admin/applicants/controller.php. The manipulation of the argument JOBREGID leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257386 is the identifier assigned to this vulnerability.	2024-03-20	3.5	CVE-2024-2686 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_marriage_registration_system	A vulnerability classified as problematic has been found in Campcodes Online Marriage Registration System 1.0. This affects an unknown part of the file /user/search.php. The manipulation of the argument searchdata leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257607.	2024-03-21	3.5	CVE-2024-2773 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_marriage_registration_system	A vulnerability, which was classified as problematic, has been found in Campcodes Online Marriage Registration System 1.0. This issue affects some unknown processing of the file /user/user-profile.php. The manipulation of the argument lname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257609 was assigned to this vulnerability.	2024-03-21	3.5	CVE-2024-2775 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_marriage_registration_system	A vulnerability was found in Campcodes Online Marriage Registration System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/search.php. The manipulation of the argument searchdata leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257612.	2024-03-22	3.5	CVE-2024-2778 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_marriage_registration_system	A vulnerability was found in Campcodes Online Marriage Registration System 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/application-bwdates-reports-details.php. The manipulation of the argument fromdate leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257613 was assigned to this vulnerability.	2024-03-22	3.5	CVE-2024-2779 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_marriage_registration_system	A vulnerability was found in Campcodes Online Marriage Registration System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/admin-profile.php. The manipulation of the argument adminname leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257614 is the identifier assigned to this vulnerability.	2024-03-22	3.5	CVE-2024-2780 cna@vuldb.com cna@vuldb.com cna@vuldb.com
campcodes — online_shopping_system	A vulnerability classified as problematic was found in Campcodes Online Shopping System 1.0. This vulnerability affects unknown code of the file /offersmail.php. The manipulation of the argument email leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257752.	2024-03-23	3.5	CVE-2024-2832 cna@vuldb.com cna@vuldb.com cna@vuldb.com
checkmk_gmbh — checkmk	Invocation of the sqlplus command with sensitive information in the command line in the mk_oracle Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows the extraction of this information from the process list.	2024-03-22	3.8	CVE-2024-1742 security@checkmk.com
clickhouse — clickhouse	ClickHouse is an open-source column-oriented database management system. A bug exists in the cloud ClickHouse offering prior to version 24.0.2.54535 and in github.com/clickhouse/clickhouse version 23.1. Query caching bypasses the role based access controls and the policies being enforced on roles. In affected versions, the query cache only respects separate users, however this is not documented and not expected behavior. People relying on ClickHouse roles can have their access control lists bypassed if they are using query caching. Attackers who have control of a role could guess queries and see data they shouldn’t have access to. Version 24.1 of ClickHouse and version 24.0.2.54535 of ClickHouse Cloud contain a patch for this issue. Based on the documentation, role based access control should be enforced regardless if query caching is enabled or not.	2024-03-18	2.4	CVE-2024-22412 security-advisories@github.com security-advisories@github.com security-advisories@github.com
ibm — security_verify_directory	IBM Security Verify Directory 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 228507.	2024-03-22	2.7	CVE-2022-32756 psirt@us.ibm.com psirt@us.ibm.com
ilicmiljan — secure-props	SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. A vulnerability in SecureProps version 1.2.0 and 1.2.1 involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data has been encoded with `NullEncoder` and passed to `TagAwareCipher`, and contains special characters such as `n`. As a result, the decryption process is skipped since the tags are not detected. This causes the encrypted data to be returned in plain format. The vulnerability affects users who implement `TagAwareCipher` with any base cipher that has `NullEncoder` (not default). The patch for the issue has been released. Users are advised to update to version 1.2.2. As a workaround, one may use the default `Base64Encoder` with the base cipher decorated with `TagAwareCipher` to prevent special characters in the encrypted string from interfering with regex tag detection logic. This workaround is safe but may involve double encoding since `TagAwareCipher` uses `NullEncoder` by default.	2024-03-18	2.6	CVE-2024-28864 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
kaspersky — kaspersky_password_manager_for_windows	Kaspersky has fixed a security issue in Kaspersky Password Manager (KPM) for Windows that allowed a local user to recover the auto-filled credentials from a memory dump when the KPM extension for Google Chrome is used. To exploit the issue, an attacker must trick a user into visiting a login form of a website with the saved credentials, and the KPM extension must autofill these credentials. The attacker must then launch a malware module to steal those specific credentials.	2024-03-22	2.2	CVE-2023-23349 vulnerability@kaspersky.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /admin/users.php. The manipulation of the argument id leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256972. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-17	3.5	CVE-2024-2535 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — product_review_rating_system	A vulnerability, which was classified as problematic, was found in SourceCodester Product Review Rating System 1.0. Affected is an unknown function of the component Rate Product Handler. The manipulation of the argument Your Name/Comment leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257052.	2024-03-17	3.5	CVE-2024-2553 cna@vuldb.com cna@vuldb.com cna@vuldb.com
umbraco — umbraco-cms	Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively using external logins.	2024-03-20	3.7	CVE-2024-28868 security-advisories@github.com security-advisories@github.com

Severity Not Yet Assigned

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
N/A — N/A	In the CryptX module before 0.062 for Perl, gcm_decrypt_verify() and chacha20poly1305_decrypt_verify() do not verify the tag.	2024-03-18	not yet calculated	CVE-2018-25099 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	An issue discovered in Axigen Mail Server 10.3.x before 10.3.1.27 and 10.3.2.x before 10.3.3.1 allows unauthenticated attackers to submit a setAdminPassword operation request, subsequently setting a new arbitrary password for the admin account.	2024-03-21	not yet calculated	CVE-2020-26942 cve@mitre.org
N/A — N/A	The Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.	2024-03-18	not yet calculated	CVE-2021-47154 cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	The Net::IPV4Addr module 0.10 for Perl does not properly consider extraneous zero characters in an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.	2024-03-18	not yet calculated	CVE-2021-47155 cve@mitre.org cve@mitre.org
N/A — N/A	The Net::IPAddress::Util module before 5.000 for Perl does not properly consider extraneous zero characters in an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.	2024-03-18	not yet calculated	CVE-2021-47156 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	The Kossy module before 0.60 for Perl allows JSON hijacking because of X-Requested-With mishandling.	2024-03-18	not yet calculated	CVE-2021-47157 cve@mitre.org cve@mitre.org
N/A — N/A	Siklu TG Terragraph devices before approximately 2.1.1 have a hardcoded root password that has been revealed via a brute force attack on an MD5 hash. It can be used for “debug login” by an admin. NOTE: the vulnerability is not fixed by the 2.1.1 firmware; instead, it is fixed in newer hardware, which would typically be used with firmware 2.1.1 or later.	2024-03-18	not yet calculated	CVE-2022-47036 cve@mitre.org
N/A — N/A	Siklu TG Terragraph devices before 2.1.1 allow attackers to discover valid, randomly generated credentials via GetCredentials.	2024-03-18	not yet calculated	CVE-2022-47037 cve@mitre.org
N/A — N/A	SQL injection vulnerability in Vanderbilt REDCap before v.13.8.0 allows a remote attacker to obtain sensitive information via the password reset mechanism in MyCapMobileApp/update.php.	2024-03-21	not yet calculated	CVE-2023-38825 cve@mitre.org cve@mitre.org
N/A — N/A	An issue was discovered in OpenClinic GA 5.247.01. It allows retrieval of patient lists via queries such as findFirstname= to _common/search/searchByAjax/patientslistShow.jsp.	2024-03-19	not yet calculated	CVE-2023-40275 cve@mitre.org cve@mitre.org
N/A — N/A	An issue was discovered in OpenClinic GA 5.247.01. An Unauthenticated File Download vulnerability has been discovered in pharmacy/exportFile.jsp.	2024-03-19	not yet calculated	CVE-2023-40276 cve@mitre.org cve@mitre.org
N/A — N/A	An issue was discovered in OpenClinic GA 5.247.01. A Reflected Cross-Site Scripting (XSS) vulnerability has been discovered in the login.jsp message parameter.	2024-03-19	not yet calculated	CVE-2023-40277 cve@mitre.org cve@mitre.org
N/A — N/A	An issue was discovered in OpenClinic GA 5.247.01. An Information Disclosure vulnerability has been identified in the printAppointmentPdf.jsp component of OpenClinic GA. By changing the AppointmentUid parameter, an attacker can determine whether a specific appointment exists based on the error message.	2024-03-19	not yet calculated	CVE-2023-40278 cve@mitre.org cve@mitre.org
N/A — N/A	An issue was discovered in OpenClinic GA 5.247.01. An attacker can perform a directory path traversal via the Page parameter in a GET request to main.do.	2024-03-19	not yet calculated	CVE-2023-40279 cve@mitre.org cve@mitre.org
N/A — N/A	An issue was discovered in OpenClinic GA 5.247.01. An attacker can perform a directory path traversal via the Page parameter in a GET request to popup.jsp.	2024-03-19	not yet calculated	CVE-2023-40280 cve@mitre.org cve@mitre.org
N/A — N/A	In the Windows installer in Atos Eviden CardOS API before 5.5.5.2811, Local Privilege Escalation can occur.(from a regular user to SYSTEM).	2024-03-22	not yet calculated	CVE-2023-41099 cve@mitre.org
N/A — N/A	A SQL injection vulnerability in tramyardg Autoexpress version 1.3.0, allows remote unauthenticated attackers to execute arbitrary SQL commands via the parameter “id” within the getPhotosByCarId function call in details.php.	2024-03-21	not yet calculated	CVE-2023-48901 cve@mitre.org
N/A — N/A	An issue was discovered in tramyardg autoexpress version 1.3.0, allows unauthenticated remote attackers to escalate privileges, update car data, delete vehicles, and upload car images via authentication bypass in uploadCarImages.php.	2024-03-21	not yet calculated	CVE-2023-48902 cve@mitre.org
N/A — N/A	Stored Cross-Site Scripting (XSS) vulnerability in tramyardg autoexpress 1.3.0, allows remote unauthenticated attackers to inject arbitrary web script or HTML within parameter “imgType” via in uploadCarImages.php.	2024-03-21	not yet calculated	CVE-2023-48903 cve@mitre.org
N/A — N/A	Incorrect access control in Customer Support System v1 allows non-administrator users to access administrative pages and execute actions reserved for administrators.	2024-03-21	not yet calculated	CVE-2023-49978 cve@mitre.org cve@mitre.org
N/A — N/A	A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization.	2024-03-21	not yet calculated	CVE-2023-49979 cve@mitre.org cve@mitre.org
N/A — N/A	A directory listing vulnerability in Best Student Result Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization.	2024-03-21	not yet calculated	CVE-2023-49980 cve@mitre.org cve@mitre.org
N/A — N/A	A directory listing vulnerability in School Fees Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization.	2024-03-21	not yet calculated	CVE-2023-49981 cve@mitre.org cve@mitre.org
N/A — N/A	Broken access control in the component /admin/management/users of School Fees Management System v1.0 allows attackers to escalate privileges and perform Administrative actions, including adding and deleting user accounts.	2024-03-21	not yet calculated	CVE-2023-49982 cve@mitre.org cve@mitre.org
N/A — N/A	A cross-site scripting (XSS) vulnerability in the component /management/class of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.	2024-03-21	not yet calculated	CVE-2023-49983 cve@mitre.org cve@mitre.org
N/A — N/A	A cross-site scripting (XSS) vulnerability in the component /management/settings of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.	2024-03-21	not yet calculated	CVE-2023-49984 cve@mitre.org cve@mitre.org
N/A — N/A	A cross-site scripting (XSS) vulnerability in the component /management/class of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cname parameter.	2024-03-21	not yet calculated	CVE-2023-49985 cve@mitre.org cve@mitre.org
N/A — N/A	An issue discovered in SELESTA Visual Access Manager 4.38.6 allows attackers to modify the “computer” POST parameter related to the ID of a specific reception by POST HTTP request interception. Iterating that parameter, it has been possible to access to the application and take control of many other receptions in addition the assigned one.	2024-03-19	not yet calculated	CVE-2023-50811 cve@mitre.org
N/A — N/A	erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allow attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value in a JOSE header.	2024-03-19	not yet calculated	CVE-2023-50966 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.	2024-03-20	not yet calculated	CVE-2023-50967 cve@mitre.org cve@mitre.org
N/A — N/A	A stack-based buffer overflow vulnerability in gross 0.9.3 through 1.x before 1.0.4 allows remote attackers to trigger a denial of service (grossd daemon crash) or potentially execute arbitrary code in grossd via crafted SMTP transaction parameters that cause an incorrect strncat for a log entry.	2024-03-18	not yet calculated	CVE-2023-52159 cve@mitre.org
N/A — N/A	An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. The SQLite database file has weak permissions.	2024-03-20	not yet calculated	CVE-2024-22077 cve@mitre.org
N/A — N/A	An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Privilege escalation can occur via world writable files. The network configuration script has weak filesystem permissions. This results in write access for all authenticated users and the possibility to escalate from user privileges to administrative privileges.	2024-03-20	not yet calculated	CVE-2024-22078 cve@mitre.org
N/A — N/A	An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Directory traversal can occur via the system logs download mechanism.	2024-03-20	not yet calculated	CVE-2024-22079 cve@mitre.org
N/A — N/A	An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Unauthenticated memory corruption can occur during XML body parsing.	2024-03-20	not yet calculated	CVE-2024-22080 cve@mitre.org
N/A — N/A	An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Unauthenticated memory corruption can occur in the HTTP header parsing mechanism.	2024-03-20	not yet calculated	CVE-2024-22081 cve@mitre.org
N/A — N/A	An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Unauthenticated directory listing can occur: the web interface cay be abused be an attacker get a better understanding of the operating system.	2024-03-20	not yet calculated	CVE-2024-22082 cve@mitre.org
N/A — N/A	An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. A hardcoded backdoor session ID exists that can be used for further access to the device, including reconfiguration tasks.	2024-03-20	not yet calculated	CVE-2024-22083 cve@mitre.org
N/A — N/A	An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Cleartext passwords and hashes are exposed through log files.	2024-03-20	not yet calculated	CVE-2024-22084 cve@mitre.org
N/A — N/A	An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. The shadow file is world readable.	2024-03-20	not yet calculated	CVE-2024-22085 cve@mitre.org
N/A — N/A	An issue was discovered in osCommerce v4, allows local attackers to bypass file upload restrictions and execute arbitrary code via administrator profile photo upload feature.	2024-03-21	not yet calculated	CVE-2024-22724 cve@mitre.org cve@mitre.org
N/A — N/A	A Directory Traversal issue was discovered in process_post on Draytek Vigor3910 4.3.2.5 devices. When sending a certain POST request, it calls the function and exports information.	2024-03-20	not yet calculated	CVE-2024-23721 cve@mitre.org cve@mitre.org
N/A — N/A	ClickUp Desktop before 3.3.77 on macOS and Windows allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode.	2024-03-23	not yet calculated	CVE-2024-23755 cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	Server Side Request Forgery (SSRF) vulnerability in Likeshop before 2.5.7 allows attackers to view sensitive information via the avatar parameter in function UserLogic::updateWechatInfo.	2024-03-21	not yet calculated	CVE-2024-24028 cve@mitre.org
N/A — N/A	Cross Site Scripting (XSS) vulnerability in Sourcecodester Workout Journal App 1.0 allows attackers to run arbitrary code via parameters firstname and lastname in /add-user.php.	2024-03-20	not yet calculated	CVE-2024-24050 cve@mitre.org
N/A — N/A	SQL Injection vulnerability in crmeb_java before v1.3.4 allows attackers to run arbitrary SQL commands via crafted GET request to the component /api/front/spread/people.	2024-03-21	not yet calculated	CVE-2024-24110 cve@mitre.org
N/A — N/A	Komm.One CMS 10.4.2.14 has a Server-Side Template Injection (SSTI) vulnerability via the Velocity template engine. It allows remote attackers to execute arbitrary code via a URL that specifies java.lang.Runtime in conjunction with getRuntime().exec followed by an OS command.	2024-03-18	not yet calculated	CVE-2024-24230 cve@mitre.org
N/A — N/A	An issue in iTop DualSafe Password Manager & Digital Vault before 1.4.24 allows a local attacker to obtain sensitive information via leaked credentials as plaintext in a log file that can be accessed by the local user without knowledge of the master secret.	2024-03-21	not yet calculated	CVE-2024-24272 cve@mitre.org
N/A — N/A	A multiple Cross-site scripting (XSS) vulnerability in the ‘/members/moremember.pl’, and ‘/members/members-home.pl’ endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the ‘Circulation note’ and ‘Patrons Restriction’ components.	2024-03-19	not yet calculated	CVE-2024-24336 cve@mitre.org
N/A — N/A	An issue in Lepton CMS v.7.0.0 allows a local attacker to execute arbitrary code via the upgrade.php file in the languages place.	2024-03-21	not yet calculated	CVE-2024-24520 cve@mitre.org cve@mitre.org
N/A — N/A	FusionPBX before 5.2.0 does not validate a session.	2024-03-18	not yet calculated	CVE-2024-24539 cve@mitre.org cve@mitre.org
N/A — N/A	Gibbon through 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the modules/System%20Admin/import_run.php&type=externalAssessment&step=4 URI.	2024-03-23	not yet calculated	CVE-2024-24725 cve@mitre.org cve@mitre.org
N/A — N/A	Cross Site Scripting vulnerability in eblog v1.0 allows a remote attacker to execute arbitrary code via a crafted script to the argument description parameter when submitting a comment on a post.	2024-03-21	not yet calculated	CVE-2024-25167 cve@mitre.org
N/A — N/A	SQL injection vulnerability in snow snow v.2.0.0 allows a remote attacker to execute arbitrary code via the dataScope parameter of the system/role/list interface.	2024-03-22	not yet calculated	CVE-2024-25168 cve@mitre.org
N/A — N/A	SQL Injection vulnerability in Sourcecodester Employee Management System v1.0 allows attackers to run arbitrary SQL commands via crafted POST request to /emloyee_akpoly/Account/login.php.	2024-03-21	not yet calculated	CVE-2024-25239 cve@mitre.org
N/A — N/A	An SSRF issue in REBUILD v.3.5 allows a remote attacker to obtain sensitive information and execute arbitrary code via the FileDownloader.java, proxyDownload,URL parameters.	2024-03-20	not yet calculated	CVE-2024-25294 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	An issue in zuoxingdong lagom v.0.1.2 allows a local attacker to execute arbitrary code via the pickle_load function of the serialize.py file.	2024-03-21	not yet calculated	CVE-2024-25359 cve@mitre.org
N/A — N/A	Insecure permissions for log files of AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS allow members (with local access to the UMP application server) to access credentials to authenticate to all services, and to decrypt sensitive data stored in the database.	2024-03-18	not yet calculated	CVE-2024-25654 cve@mitre.org
N/A — N/A	Insecure storage of LDAP passwords in the authentication functionality of AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS allows members (with read access to the application database) to decrypt the LDAP passwords of users who successfully authenticate to web management via LDAP.	2024-03-18	not yet calculated	CVE-2024-25655 cve@mitre.org
N/A — N/A	Improper input validation in AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS can result in unauthenticated CPE (Customer Premises Equipment) devices storing arbitrarily large amounts of data during registration. This can potentially lead to DDoS attacks on the application database and, ultimately, affect the entire product.	2024-03-18	not yet calculated	CVE-2024-25656 cve@mitre.org
N/A — N/A	An open redirect in the Login/Logout functionality of web management in AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS could allow attackers to redirect authenticated users to malicious websites.	2024-03-18	not yet calculated	CVE-2024-25657 cve@mitre.org
N/A — N/A	Cross Site Scripting (XSS) vulnerability in Lychee 3.1.6, allows remote attackers to execute arbitrary code and obtain sensitive information via the title parameter when creating an album.	2024-03-22	not yet calculated	CVE-2024-25807 cve@mitre.org
N/A — N/A	Cross-site Request Forgery (CSRF) vulnerability in Lychee version 3.1.6, allows remote attackers to execute arbitrary code via the create new album function.	2024-03-22	not yet calculated	CVE-2024-25808 cve@mitre.org
N/A — N/A	An access control issue in Dreamer CMS v4.0.1 allows attackers to download backup files and leak sensitive information.	2024-03-21	not yet calculated	CVE-2024-25811 cve@mitre.org
N/A — N/A	An issue in the HistoryQosPolicy component of FastDDS v2.12.x, v2.11.x, v2.10.x, and v2.6.x leads to a SIGABRT (signal abort) upon receiving DataWriter’s data.	2024-03-19	not yet calculated	CVE-2024-26369 cve@mitre.org cve@mitre.org
N/A — N/A	Codiad v2.8.4 allows reflected XSS via the components/market/dialog.php type parameter.	2024-03-22	not yet calculated	CVE-2024-26557 cve@mitre.org
N/A — N/A	A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Dotclear version 2.29. The flaw exists within the Search functionality of the Admin Panel.	2024-03-21	not yet calculated	CVE-2024-27626 cve@mitre.org
N/A — N/A	An issue in GLPI v.10.0.12 and before allows a remote attacker to execute arbitrary code, escalate privileges, and obtain sensitive information via a crafted script to the title field.	2024-03-15	not yet calculated	CVE-2024-27756 cve@mitre.org
N/A — N/A	flusity CMS through 2.45 allows tools/addons_model.php Gallery Name XSS. The reporter indicates that this product “ceased its development as of February 2024.”	2024-03-18	not yet calculated	CVE-2024-27757 cve@mitre.org
N/A — N/A	Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use of MIME-tools, has an Interpretation Conflict (relative to some mail user agents) when there are multiple boundary parameters in a MIME email message. Consequently, there can be an incorrect check for banned files or malware.	2024-03-18	not yet calculated	CVE-2024-28054 cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	UBEE DDW365 XCNDDW365 8.14.3105 software on hardware 3.13.1 allows a remote attacker within Wi-Fi proximity to conduct stored XSS attacks via RgFirewallEL.asp, RgDdns.asp, RgTime.asp, RgDiagnostics.asp, or RgParentalBasic.asp. The affected fields are SMTP Server Name, SMTP Username, Host Name, Time Server 1, Time Server 2, Time Server 3, Target, Add Keyword, Add Domain, and Add Allowed Domain.	2024-03-19	not yet calculated	CVE-2024-28092 cve@mitre.org
N/A — N/A	There is stack-based buffer overflow vulnerability in pc_change_act function in Linksys E1000 router firmware version v.2.1.03 and before, leading to remote code execution.	2024-03-19	not yet calculated	CVE-2024-28283 cve@mitre.org
N/A — N/A	In mz-automation libiec61850 v1.4.0, a NULL Pointer Dereference was detected in the mmsServer_handleFileCloseRequest.c function of src/mms/iso_mms/server/mms_file_service.c. The vulnerability manifests as SEGV and causes the application to crash	2024-03-21	not yet calculated	CVE-2024-28286 cve@mitre.org
N/A — N/A	Open Source Medicine Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the date parameter at /admin/reports/index.php.	2024-03-19	not yet calculated	CVE-2024-28303 cve@mitre.org cve@mitre.org
N/A — N/A	gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain a out of boundary write vulnerability via swf_get_string at scene_manager/swf_parse.c:325	2024-03-15	not yet calculated	CVE-2024-28318 cve@mitre.org
N/A — N/A	gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an out of boundary read vulnerability via gf_dash_setup_period media_tools/dash_client.c:6374	2024-03-15	not yet calculated	CVE-2024-28319 cve@mitre.org
N/A — N/A	There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the post request parameters usapps.config.smb_admin_name in the apply.cgi interface, thereby gaining root shell privileges.	2024-03-15	not yet calculated	CVE-2024-28353 cve@mitre.org
N/A — N/A	There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the post request parameters usapps.@smb[%d].username in the apply.cgi interface, thereby gaining root shell privileges.	2024-03-15	not yet calculated	CVE-2024-28354 cve@mitre.org
N/A — N/A	SQL injection vulnerability in KnowBand spinwheel v.3.0.3 and before allows a remote attacker to gain escalated privileges and obtain sensitive information via the SpinWheelFrameSpinWheelModuleFrontController::sendEmail() method.	2024-03-19	not yet calculated	CVE-2024-28389 cve@mitre.org
N/A — N/A	SQL injection vulnerability in pscartabandonmentpro v.2.0.11 and before allows a remote attacker to escalate privileges via the pscartabandonmentproFrontCAPUnsubscribeJobModuleFrontController::setEmailVisualized() method.	2024-03-20	not yet calculated	CVE-2024-28392 cve@mitre.org cve@mitre.org
N/A — N/A	An issue in Advanced Plugins reportsstatistics v1.3.20 and before allows a remote attacker to execute arbitrary code via the Sales Reports, Statistics, Custom Fields & Export module.	2024-03-19	not yet calculated	CVE-2024-28394 cve@mitre.org cve@mitre.org
N/A — N/A	SQL injection vulnerability in Best-Kit bestkit_popup v.1.7.2 and before allows a remote attacker to escalate privileges via the bestkit_popup.php component.	2024-03-20	not yet calculated	CVE-2024-28395 cve@mitre.org cve@mitre.org
N/A — N/A	An issue in MyPrestaModules ordersexport v.6.0.2 and before allows a remote attacker to execute arbitrary code via the download.php component.	2024-03-20	not yet calculated	CVE-2024-28396 cve@mitre.org cve@mitre.org
N/A — N/A	TOTOLINK X2000R before v1.0.0-B20231213.1013 contains a Store Cross-site scripting (XSS) vulnerability in Root Access Control under the Wireless Page.	2024-03-15	not yet calculated	CVE-2024-28401 cve@mitre.org cve@mitre.org
N/A — N/A	TOTOLINK X2000R before V1.0.0-B20231213.1013 is vulnerable to Cross Site Scripting (XSS) via the VPN Page.	2024-03-15	not yet calculated	CVE-2024-28403 cve@mitre.org cve@mitre.org
N/A — N/A	TOTOLINK X2000R before V1.0.0-B20231213.1013 contains a Stored Cross-site scripting (XSS) vulnerability in MAC Filtering under the Firewall Page.	2024-03-15	not yet calculated	CVE-2024-28404 cve@mitre.org cve@mitre.org
N/A — N/A	File Upload vulnerability in magicflue v.7.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the messageid parameter of the mail/mailupdate.jsp endpoint.	2024-03-22	not yet calculated	CVE-2024-28441 cve@mitre.org
N/A — N/A	Shenzhen Libituo Technology Co., Ltd LBT-T300-mini1 v1.2.9 was discovered to contain a buffer overflow via lan_netmask parameter at /apply.cgi.	2024-03-19	not yet calculated	CVE-2024-28446 cve@mitre.org
N/A — N/A	Shenzhen Libituo Technology Co., Ltd LBT-T300-mini1 v1.2.9 was discovered to contain a buffer overflow via lan_ipaddr parameters at /apply.cgi.	2024-03-19	not yet calculated	CVE-2024-28447 cve@mitre.org
N/A — N/A	SQL Injection vulnerability in Netcome NS-ASG Application Security Gateway v.6.3.1 allows a local attacker to execute arbitrary code and obtain sensitive information via a crafted script to the loginid parameter of the /singlelogin.php component.	2024-03-21	not yet calculated	CVE-2024-28521 cve@mitre.org
N/A — N/A	Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the page parameter of fromNatStaticSetting function.	2024-03-18	not yet calculated	CVE-2024-28537 cve@mitre.org
N/A — N/A	Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the firewallEn parameter of formSetFirewallCfg function.	2024-03-18	not yet calculated	CVE-2024-28547 cve@mitre.org
N/A — N/A	Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the filePath parameter of formExpandDlnaFile function.	2024-03-18	not yet calculated	CVE-2024-28550 cve@mitre.org
N/A — N/A	SQL injection vulnerability in Niushop B2B2C v.5.3.3 and before allows an attacker to escalate privileges via the setPrice() function of the Goodsbatchset.php component.	2024-03-22	not yet calculated	CVE-2024-28559 cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	SQL injection vulnerability in Niushop B2B2C v.5.3.3 and before allows an attacker to escalate privileges via the deleteArea() function of the Address.php component.	2024-03-22	not yet calculated	CVE-2024-28560 cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the Imf_2_2::copyIntoFrameBuffer() component when reading images in EXR format.	2024-03-20	not yet calculated	CVE-2024-28562 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the Imf_2_2::DwaCompressor::Classifier::Classifier() function when reading images in EXR format.	2024-03-20	not yet calculated	CVE-2024-28563 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the Imf_2_2::CharPtrIO::readChars() function when reading images in EXR format.	2024-03-20	not yet calculated	CVE-2024-28564 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the psdParser::ReadImageData() function when reading images in PSD format.	2024-03-20	not yet calculated	CVE-2024-28565 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the AssignPixel() function when reading images in TIFF format.	2024-03-20	not yet calculated	CVE-2024-28566 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the FreeImage_CreateICCProfile() function when reading images in TIFF format.	2024-03-20	not yet calculated	CVE-2024-28567 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the read_iptc_profile() function when reading images in TIFF format.	2024-03-20	not yet calculated	CVE-2024-28568 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the Imf_2_2::Xdr::read() function when reading images in EXR format.	2024-03-20	not yet calculated	CVE-2024-28569 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the processMakerNote() function when reading images in JPEG format.	2024-03-20	not yet calculated	CVE-2024-28570 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the fill_input_buffer() function when reading images in JPEG format.	2024-03-20	not yet calculated	CVE-2024-28571 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the FreeImage_SetTagValue() function when reading images in JPEG format.	2024-03-20	not yet calculated	CVE-2024-28572 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the jpeg_read_exif_profile() function when reading images in JPEG format.	2024-03-20	not yet calculated	CVE-2024-28573 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the opj_j2k_copy_default_tcp_and_create_tcd() function when reading images in J2K format.	2024-03-20	not yet calculated	CVE-2024-28574 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the opj_j2k_read_mct() function when reading images in J2K format.	2024-03-20	not yet calculated	CVE-2024-28575 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the opj_j2k_tcp_destroy() function when reading images in J2K format.	2024-03-20	not yet calculated	CVE-2024-28576 cve@mitre.org
N/A — N/A	Null Pointer Dereference vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the jpeg_read_exif_profile_raw() function when reading images in JPEG format.	2024-03-20	not yet calculated	CVE-2024-28577 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the Load() function when reading images in RAS format.	2024-03-20	not yet calculated	CVE-2024-28578 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the FreeImage_Unload() function when reading images in HDR format.	2024-03-20	not yet calculated	CVE-2024-28579 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the ReadData() function when reading images in RAS format.	2024-03-20	not yet calculated	CVE-2024-28580 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the _assignPixel<>() function when reading images in TARGA format.	2024-03-20	not yet calculated	CVE-2024-28581 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the rgbe_RGBEToFloat() function when reading images in HDR format.	2024-03-20	not yet calculated	CVE-2024-28582 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the readLine() function when reading images in XPM format.	2024-03-20	not yet calculated	CVE-2024-28583 cve@mitre.org
N/A — N/A	Null Pointer Dereference vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the J2KImageToFIBITMAP() function when reading images in J2K format.	2024-03-20	not yet calculated	CVE-2024-28584 cve@mitre.org
N/A — N/A	The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor’s Using_Chat page says “If you know some HTML code, you can use it in your text to do things like insert images, play sounds or create different coloured and sized text.” This page also says “Chat is due to be removed from standard Moodle.”	2024-03-22	not yet calculated	CVE-2024-28593 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	SQL Injection vulnerability in Employee Management System v1.0 allows attackers to run arbitrary SQL commands via the admin_id parameter in update-admin.php.	2024-03-19	not yet calculated	CVE-2024-28595 cve@mitre.org
N/A — N/A	Cross Site Scripting (XSS) vulnerability in SurveyJS Survey Creator v.1.9.132 and before, allows attackers to execute arbitrary code and obtain sensitive information via the title parameter in form.	2024-03-21	not yet calculated	CVE-2024-28635 cve@mitre.org cve@mitre.org
N/A — N/A	Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows a remote attacker to execute arbitrary code via the markdown0 function in the /app/public/apidoc/oas3/wrap-components/markdown.jsx endpoint.	2024-03-19	not yet calculated	CVE-2024-28715 cve@mitre.org
N/A — N/A	Cross Site Scripting vulnerability in Unit4 Financials by Coda v.2024Q1 allows a remote attacker to escalate privileges via a crafted script to the cols parameter.	2024-03-19	not yet calculated	CVE-2024-28734 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	An incorrect access control issue in Unit4 Financials by Coda v.2023Q4 allows a remote attacker to escalate privileges via a crafted script to the change password function.	2024-03-20	not yet calculated	CVE-2024-28735 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.	2024-03-21	not yet calculated	CVE-2024-29131 security@apache.org
N/A — N/A	Rocket.Chat.Audit through 5ad78e8 depends on filecachetools, which does not exist in PyPI.	2024-03-18	not yet calculated	CVE-2024-29151 cve@mitre.org
N/A — N/A	In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service’s MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.	2024-03-18	not yet calculated	CVE-2024-29156 cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	Shenzhen Libituo Technology Co., Ltd LBT-T300-mini v1.2.9 was discovered to contain a buffer overflow via the vpn_client_ip parameter at /apply.cgi.	2024-03-21	not yet calculated	CVE-2024-29243 cve@mitre.org
N/A — N/A	Shenzhen Libituo Technology Co., Ltd LBT-T300-mini v1.2.9 was discovered to contain a buffer overflow via the pin_code_3g parameter at /apply.cgi.	2024-03-21	not yet calculated	CVE-2024-29244 cve@mitre.org
N/A — N/A	Reflected Cross-Site Scripting (XSS) vulnerability in VvvebJs before version 1.7.7, allows remote attackers to execute arbitrary code and obtain sensitive information via the action parameter in save.php.	2024-03-22	not yet calculated	CVE-2024-29271 cve@mitre.org cve@mitre.org
N/A — N/A	Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5, allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php.	2024-03-22	not yet calculated	CVE-2024-29272 cve@mitre.org cve@mitre.org
N/A — N/A	There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XSS payload in an SVG document.	2024-03-22	not yet calculated	CVE-2024-29273 cve@mitre.org
N/A — N/A	SQL injection vulnerability in SeaCMS version 12.9, allows remote unauthenticated attackers to execute arbitrary code and obtain sensitive information via the id parameter in class.php.	2024-03-22	not yet calculated	CVE-2024-29275 cve@mitre.org
N/A — N/A	Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via /anchor/admin/categories/delete/2.	2024-03-22	not yet calculated	CVE-2024-29338 cve@mitre.org
N/A — N/A	A command injection vulnerability exists in the cgibin binary in DIR-845L router firmware <= v1.01KRb03.	2024-03-22	not yet calculated	CVE-2024-29366 cve@mitre.org cve@mitre.org
N/A — N/A	A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the “GET /?lang=” URL parameter.	2024-03-21	not yet calculated	CVE-2024-29374 cve@mitre.org
N/A — N/A	DIR-845L router <= v1.01KRb03 has an Unauthenticated remote code execution vulnerability in the cgibin binary via soapcgi_main function.	2024-03-22	not yet calculated	CVE-2024-29385 cve@mitre.org cve@mitre.org
N/A — N/A	There is a Cross-site scripting (XSS) vulnerability in the Wireless settings under the Easy Setup Page of TOTOLINK X2000R before v1.0.0-B20231213.1013.	2024-03-20	not yet calculated	CVE-2024-29419 cve@mitre.org cve@mitre.org
N/A — N/A	A stored cross-site scripting (XSS) vulnerability in OneBlog v2.3.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category List parameter under the Lab module.	2024-03-20	not yet calculated	CVE-2024-29469 cve@mitre.org
N/A — N/A	OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component {{rootpath}}/links.	2024-03-20	not yet calculated	CVE-2024-29470 cve@mitre.org
N/A — N/A	OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Notice Manage module.	2024-03-20	not yet calculated	CVE-2024-29471 cve@mitre.org
N/A — N/A	OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Privilege Management module.	2024-03-20	not yet calculated	CVE-2024-29472 cve@mitre.org
N/A — N/A	OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Role Management module.	2024-03-20	not yet calculated	CVE-2024-29473 cve@mitre.org
N/A — N/A	OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the User Management module.	2024-03-20	not yet calculated	CVE-2024-29474 cve@mitre.org
N/A — N/A	Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via /anchor/admin/users/delete/2.	2024-03-22	not yet calculated	CVE-2024-29499 cve@mitre.org
N/A — N/A	In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.	2024-03-21	not yet calculated	CVE-2024-29858 cve@mitre.org
N/A — N/A	In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.	2024-03-21	not yet calculated	CVE-2024-29859 cve@mitre.org
N/A — N/A	The Kerlink firewall in ChirpStack chirpstack-mqtt-forwarder before 4.2.1 and chirpstack-gateway-bridge before 4.0.11 wrongly accepts certain TCP packets when a connection is not in the ESTABLISHED state.	2024-03-21	not yet calculated	CVE-2024-29862 cve@mitre.org cve@mitre.org
N/A — N/A	Distrobox before 1.7.0.1 allows attackers to execute arbitrary code via command injection into exported executables.	2024-03-21	not yet calculated	CVE-2024-29864 cve@mitre.org cve@mitre.org
N/A — N/A	Logpoint before 7.1.0 allows Self-XSS on the LDAP authentication page via the username to the LDAP login form.	2024-03-22	not yet calculated	CVE-2024-29865 cve@mitre.org
N/A — N/A	Datalust Seq before 2023.4.11151 and 2024 before 2024.1.11146 has Incorrect Access Control because a Project Owner or Organization Owner can escalate to System privileges.	2024-03-21	not yet calculated	CVE-2024-29866 cve@mitre.org cve@mitre.org
N/A — N/A	The dormakaba Saflok system before the November 2023 software update allows an attacker to unlock arbitrary doors at a property via forged keycards, if the attacker has obtained one active or expired keycard for the specific property, aka the “Unsaflok” issue. This occurs, in part, because the key derivation function relies only on a UID. This affects, for example, Saflok MT, and the Confidant, Quantum, RT, and Saffire series.	2024-03-21	not yet calculated	CVE-2024-29916 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects Firefox < 124.0.1.	2024-03-22	not yet calculated	CVE-2024-29943 security@mozilla.org security@mozilla.org
N/A — N/A	An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox. This vulnerability affects Firefox < 124.0.1 and Firefox ESR < 115.9.1.	2024-03-22	not yet calculated	CVE-2024-29944 security@mozilla.org security@mozilla.org security@mozilla.org
a.k.i_software — pmc.exe	Stored cross-site scripting vulnerability exists in CGIs included in A.K.I Software’s PMailServer/PMailServer2 products. If this vulnerability is exploited, an arbitrary script may be executed on a logged-in user’s web browser.	2024-03-18	not yet calculated	CVE-2023-39223 vultures@jpcert.or.jp vultures@jpcert.or.jp
a.k.i_software — pmman.exe_(standard_edition)	Directory traversal vulnerability exists in A.K.I Software’s PMailServer/PMailServer2 products’ CGIs included in Internal Simple Webserver. If this vulnerability is exploited, a remote attacker may access arbitrary files outside DocumentRoot.	2024-03-18	not yet calculated	CVE-2023-40747 vultures@jpcert.or.jp vultures@jpcert.or.jp
a.k.i_software_ — pmc.exe	Insufficient verification vulnerability exists in Broadcast Mail CGI (pmc.exe) included in A.K.I Software’s PMailServer/PMailServer2 products. If this vulnerability is exploited, a user who can upload files through the product may execute an arbitrary executable file with the web server’s execution privilege.	2024-03-18	not yet calculated	CVE-2023-39933 vultures@jpcert.or.jp vultures@jpcert.or.jp
a.k.i_software_ — pmmls.exe	Directory traversal vulnerability exists in Mailing List Search CGI (pmmls.exe) included in A.K.I Software’s PMailServer/PMailServer2 products. If this vulnerability is exploited, a remote attacker may obtain arbitrary files on the server.	2024-03-18	not yet calculated	CVE-2023-40160 vultures@jpcert.or.jp vultures@jpcert.or.jp
abematv,_inc. — ‘abema’_app_for_android	Improper export of Android application components issue exists in ‘ABEMA’ App for Android prior to 10.65.0 allowing another app installed on the user’s device to access an arbitrary URL on ‘ABEMA’ App for Android via Intent. If this vulnerability is exploited, an arbitrary website may be displayed on the app, and as a result, the user may become a victim of a phishing attack.	2024-03-18	not yet calculated	CVE-2024-28745 vultures@jpcert.or.
apache_software_foundation — apache_commons_configuration	Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.	2024-03-21	not yet calculated	CVE-2024-29133 security@apache.org
apache_software_foundation — apache_doris	Possible race condition vulnerability in Apache Doris. Some of code using `chmod()` method. This method run the risk of someone renaming the file out from under user and chmodding the wrong file. This could theoretically happen, but the impact would be minimal. This issue affects Apache Doris: before 1.2.8, before 2.0.4. Users are recommended to upgrade to version 2.0.4, which fixes the issue.	2024-03-21	not yet calculated	CVE-2024-26307 security@apache.org
apache_software_foundation — apache_doris	Download of Code Without Integrity Check vulnerability in Apache Doris. The jdbc driver files used for JDBC catalog is not checked and may resulting in remote command execution. Once the attacker is authorized to create a JDBC catalog, he/she can use arbitrary driver jar file with unchecked code snippet. This code snippet will be run when catalog is initializing without any check. This issue affects Apache Doris: from 1.2.0 through 2.0.4. Users are recommended to upgrade to version 2.0.5 or 2.1.x, which fixes the issue.	2024-03-21	not yet calculated	CVE-2024-27438 security@apache.org
apache_software_foundation — apache_hop_engine	Improper Input Validation vulnerability in Apache Hop Engine.This issue affects Apache Hop Engine: before 2.8.0. Users are recommended to upgrade to version 2.8.0, which fixes the issue. When Hop Server writes links to the PrepareExecutionPipelineServlet page one of the parameters provided to the user was not properly escaped. The variable not properly escaped is the “id”, which is not directly accessible by users creating pipelines making the risk of exploiting this low. This issue only affects users using the Hop Server component and does not directly affect the client.	2024-03-19	not yet calculated	CVE-2024-24683 security@apache.org
apache_software_foundation — apache_wicket	An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.	2024-03-19	not yet calculated	CVE-2024-27439 security@apache.org
artica_tech — artica_proxy	The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the “www-data” user. This issue was demonstrated on version 4.50 of the The Artica-Proxy administrative web application attempts to prevent local file inclusion. These protections can be bypassed and arbitrary file requests supplied by unauthenticated users will be returned according to the privileges of the “www-data” user.	2024-03-21	not yet calculated	CVE-2024-2053 cve@takeonme.org cve@takeonme.org
artica_tech — artica_proxy	The Artica-Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the “www-data” user.	2024-03-21	not yet calculated	CVE-2024-2054 cve@takeonme.org cve@takeonme.org
atlassian — confluence_data_center	This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.3, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version and that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. This vulnerability was reported via our Bug Bounty program.	2024-03-19	not yet calculated	CVE-2024-21677 security@atlassian.com security@atlassian.com
autodesk — dwg_trueview	A maliciously crafted DWG file when parsed through Autodesk DWG TrueView can be used to cause a Stack-based Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.	2024-03-18	not yet calculated	CVE-2024-23138 psirt@autodesk.com
autodesk — fbx_review	An Out-Of-Bounds Write Vulnerability in Autodesk FBX Review version 1.5.3.0 and prior may lead to code execution or information disclosure through maliciously crafted ActionScript Byte Code “ABC” files. ABC files are created by the Flash compiler and contain executable code. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.	2024-03-18	not yet calculated	CVE-2024-23139 psirt@autodesk.com
brother_industries,_ltd — multiple_printers_and_scanners	Improper authentication vulnerability in exists in multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. If this vulnerability is exploited, a network-adjacent user who can access the product may impersonate an administrative user. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].	2024-03-18	not yet calculated	CVE-2024-21824 vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp
brother_industries,_ltd — multiple_printers_and_scanners	Cross-site request forgery vulnerability in multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. allows a remote unauthenticated attacker to perform unintended operations on the affected product. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].	2024-03-18	not yet calculated	CVE-2024-22475 vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp
cdex_psa — cdex	Weak password recovery mechanism in CDeX application allows to retrieve password reset token.This issue affects CDeX application versions through 5.7.1.	2024-03-21	not yet calculated	CVE-2024-2463 cvd@cert.pl cvd@cert.pl cvd@cert.pl
cdex_psa — cdex	This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.This issue affects CDeX application versions through 5.7.1.	2024-03-21	not yet calculated	CVE-2024-2464 cvd@cert.pl cvd@cert.pl cvd@cert.pl
cdex_psa — cdex	Open redirection vulnerability in CDeX application allows to redirect users to arbitrary websites via a specially crafted URL.This issue affects CDeX application versions through 5.7.1.	2024-03-21	not yet calculated	CVE-2024-2465 cvd@cert.pl cvd@cert.pl cvd@cert.pl
claris — filemaker_pro	Claris International has fixed a dylib hijacking vulnerability in the FileMaker Pro.app and Claris Pro.app versions on macOS.	2024-03-19	not yet calculated	CVE-2023-42920 product-security@apple.com
claris — filemaker_server	A privilege escalation issue existed in FileMaker Server, potentially exposing sensitive information to front-end websites when signed in to the Admin Console with an administrator role. This issue has been fixed in FileMaker Server 20.3.1 by reducing the information sent in requests.	2024-03-21	not yet calculated	CVE-2023-42954 product-security@apple.com
david_artiss — code_embed	Uncontrolled Resource Consumption vulnerability in David Artiss Code Embed.This issue affects Code Embed: from n/a through 2.3.6.	2024-03-21	not yet calculated	CVE-2023-49837 audit@patchstack.com
fujifilm_business_inovation_corp. — docuprint_p450_d	Cross-site request forgery vulnerability in FUJIFILM printers which implement CentreWare Internet Services or Internet Services allows a remote unauthenticated attacker to alter user information. In the case the user is an administrator, the settings such as the administrator’s ID, password, etc. may be altered. As for the details of affected product names, model numbers, and versions, refer to the information provided by the vendor listed under [References].	2024-03-18	not yet calculated	CVE-2024-27974 vultures@jpcert.or.jp vultures@jpcert.or.jp
google — chrome	Object lifecycle issue in V8 in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)	2024-03-20	not yet calculated	CVE-2024-2625 chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com
google — chrome	Out of bounds read in Swiftshader in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)	2024-03-20	not yet calculated	CVE-2024-2626 chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com
google — chrome	Use after free in Canvas in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)	2024-03-20	not yet calculated	CVE-2024-2627 chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com
google — chrome	Inappropriate implementation in Downloads in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted URL. (Chromium security severity: Medium)	2024-03-20	not yet calculated	CVE-2024-2628 chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com
google — chrome	Incorrect security UI in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)	2024-03-20	not yet calculated	CVE-2024-2629 chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com
google — chrome	Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)	2024-03-20	not yet calculated	CVE-2024-2630 chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com
google — chrome	Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)	2024-03-20	not yet calculated	CVE-2024-2631 chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com
gradio-app — gradio-app/gradio	To prevent malicious 3rd party websites from making requests to Gradio applications running locally, this PR tightens the CORS rules around Gradio applications. In particular, it checks to see if the host header is localhost (or one of its aliases) and if so, it requires the origin header (if present) to be localhost (or one of its aliases) as well.	2024-03-21	not yet calculated	CVE-2024-1727 security@huntr.dev security@huntr.dev
hp_inc — certain_hp_officejet_pro_printers	Certain HP OfficeJet Pro printers are potentially vulnerable to a Denial of Service when using an improper eSCL URL GET request.	2024-03-22	not yet calculated	CVE-2023-4063 hp-security-alert@hp.com
linux — linux	In the Linux kernel, the following vulnerability has been resolved: binder: fix race between mmput() and do_exit() Task A calls binder_update_page_range() to allocate and insert pages on a remote address space from Task B. For this, Task A pins the remote mm via mmget_not_zero() first. This can race with Task B do_exit() and the final mmput() refcount decrement will come from Task A. Task A \| Task B ——————+—————— mmget_not_zero() \| \| do_exit() \| exit_mm() \| mmput() mmput() \| exit_mmap() \| remove_vma() \| fput() \| In this case, the work of ____fput() from Task B is queued up in Task A as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup work gets executed. However, Task A instead sleep, waiting for a reply from Task B that never comes (it’s dead). This means the binder_deferred_release() is blocked until an unrelated binder event forces Task A to go back to userspace. All the associated death notifications will also be delayed until then. In order to fix this use mmput_async() that will schedule the work in the corresponding mm->async_put_work WQ instead of Task A.	2024-03-18	not yet calculated	CVE-2023-52609 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ct: fix skb leak and crash on ooo frags act_ct adds skb->users before defragmentation. If frags arrive in order, the last frag’s reference is reset in: inet_frag_reasm_prepare skb_morph which is not straightforward. However when frags arrive out of order, nobody unref the last frag, and all frags are leaked. The situation is even worse, as initiating packet capture can lead to a crash[0] when skb has been cloned and shared at the same time. Fix the issue by removing skb_get() before defragmentation. act_ct returns TC_ACT_CONSUMED when defrag failed or in progress. [0]: [ 843.804823] ————[ cut here ]———— [ 843.809659] kernel BUG at net/core/skbuff.c:2091! [ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP [ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2 [ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022 [ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300 [ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89 [ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202 [ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820 [ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00 [ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000 [ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880 [ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900 [ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000 [ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0 [ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 843.894229] PKRU: 55555554 [ 843.898539] Call Trace: [ 843.902772] <IRQ> [ 843.906922] ? __die_body+0x1e/0x60 [ 843.911032] ? die+0x3c/0x60 [ 843.915037] ? do_trap+0xe2/0x110 [ 843.918911] ? pskb_expand_head+0x2ac/0x300 [ 843.922687] ? do_error_trap+0x65/0x80 [ 843.926342] ? pskb_expand_head+0x2ac/0x300 [ 843.929905] ? exc_invalid_op+0x50/0x60 [ 843.933398] ? pskb_expand_head+0x2ac/0x300 [ 843.936835] ? asm_exc_invalid_op+0x1a/0x20 [ 843.940226] ? pskb_expand_head+0x2ac/0x300 [ 843.943580] inet_frag_reasm_prepare+0xd1/0x240 [ 843.946904] ip_defrag+0x5d4/0x870 [ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack] [ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct] [ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred] [ 843.959657] tcf_action_exec+0xa1/0x160 [ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower] [ 843.966010] ? skb_clone+0x53/0xc0 [ 843.969173] tcf_classify+0x24d/0x420 [ 843.972333] tc_run+0x8f/0xf0 [ 843.975465] __netif_receive_skb_core+0x67a/0x1080 [ 843.978634] ? dev_gro_receive+0x249/0x730 [ 843.981759] __netif_receive_skb_list_core+0x12d/0x260 [ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0 [ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core] [ 843.991170] napi_complete_done+0x72/0x1a0 [ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core] [ 843.997501] __napi_poll+0x25/0x1b0 [ 844.000627] net_rx_action+0x256/0x330 [ 844.003705] __do_softirq+0xb3/0x29b [ 844.006718] irq_exit_rcu+0x9e/0xc0 [ 844.009672] common_interrupt+0x86/0xa0 [ 844.012537] </IRQ> [ 844.015285] <TASK> [ 844.017937] asm_common_interrupt+0x26/0x40 [ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20 [ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb —truncated—	2024-03-18	not yet calculated	CVE-2023-52610 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: sdio: Honor the host max_req_size in the RX path Lukas reports skb_over_panic errors on his Banana Pi BPI-CM4 which comes with an Amlogic A311D (G12B) SoC and a RTL8822CS SDIO wifi/Bluetooth combo card. The error he observed is identical to what has been fixed in commit e967229ead0e (“wifi: rtw88: sdio: Check the HISR RX_REQUEST bit in rtw_sdio_rx_isr()”) but that commit didn’t fix Lukas’ problem. Lukas found that disabling or limiting RX aggregation works around the problem for some time (but does not fully fix it). In the following discussion a few key topics have been discussed which have an impact on this problem: – The Amlogic A311D (G12B) SoC has a hardware bug in the SDIO controller which prevents DMA transfers. Instead all transfers need to go through the controller SRAM which limits transfers to 1536 bytes – rtw88 chips don’t split incoming (RX) packets, so if a big packet is received this is forwarded to the host in it’s original form – rtw88 chips can do RX aggregation, meaning more multiple incoming packets can be pulled by the host from the card with one MMC/SDIO transfer. This Depends on settings in the REG_RXDMA_AGG_PG_TH register (BIT_RXDMA_AGG_PG_TH limits the number of packets that will be aggregated, BIT_DMA_AGG_TO_V1 configures a timeout for aggregation and BIT_EN_PRE_CALC makes the chip honor the limits more effectively) Use multiple consecutive reads in rtw_sdio_read_port() and limit the number of bytes which are copied by the host from the card in one MMC/SDIO transfer. This allows receiving a buffer that’s larger than the hosts max_req_size (number of bytes which can be transferred in one MMC/SDIO transfer). As a result of this the skb_over_panic error is gone as the rtw88 driver is now able to receive more than 1536 bytes from the card (either because the incoming packet is larger than that or because multiple packets have been aggregated). In case of an receive errors (-EILSEQ has been observed by Lukas) we need to drain the remaining data from the card’s buffer, otherwise the card will return corrupt data for the next rtw_sdio_read_port() call.	2024-03-18	not yet calculated	CVE-2023-52611 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: crypto: scomp – fix req->dst buffer overflow The req->dst buffer size should be checked before copying from the scomp_scratch->dst to avoid req->dst buffer overflow problem.	2024-03-18	not yet calculated	CVE-2023-52612 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: drivers/thermal/loongson2_thermal: Fix incorrect PTR_ERR() judgment PTR_ERR() returns -ENODEV when thermal-zones are undefined, and we need -ENODEV as the right value for comparison. Otherwise, tz->type is NULL when thermal-zones is undefined, resulting in the following error: [ 12.290030] CPU 1 Unable to handle kernel paging request at virtual address fffffffffffffff1, era == 900000000355f410, ra == 90000000031579b8 [ 12.302877] Oops[#1]: [ 12.305190] CPU: 1 PID: 181 Comm: systemd-udevd Not tainted 6.6.0-rc7+ #5385 [ 12.312304] pc 900000000355f410 ra 90000000031579b8 tp 90000001069e8000 sp 90000001069eba10 [ 12.320739] a0 0000000000000000 a1 fffffffffffffff1 a2 0000000000000014 a3 0000000000000001 [ 12.329173] a4 90000001069eb990 a5 0000000000000001 a6 0000000000001001 a7 900000010003431c [ 12.337606] t0 fffffffffffffff1 t1 54567fd5da9b4fd4 t2 900000010614ec40 t3 00000000000dc901 [ 12.346041] t4 0000000000000000 t5 0000000000000004 t6 900000010614ee20 t7 900000000d00b790 [ 12.354472] t8 00000000000dc901 u0 54567fd5da9b4fd4 s9 900000000402ae10 s0 900000010614ec40 [ 12.362916] s1 90000000039fced0 s2 ffffffffffffffed s3 ffffffffffffffed s4 9000000003acc000 [ 12.362931] s5 0000000000000004 s6 fffffffffffff000 s7 0000000000000490 s8 90000001028b2ec8 [ 12.362938] ra: 90000000031579b8 thermal_add_hwmon_sysfs+0x258/0x300 [ 12.386411] ERA: 900000000355f410 strscpy+0xf0/0x160 [ 12.391626] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) [ 12.397898] PRMD: 00000004 (PPLV0 +PIE -PWE) [ 12.403678] EUEN: 00000000 (-FPE -SXE -ASXE -BTE) [ 12.409859] ECFG: 00071c1c (LIE=2-4,10-12 VS=7) [ 12.415882] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) [ 12.415907] BADV: fffffffffffffff1 [ 12.415911] PRID: 0014a000 (Loongson-64bit, Loongson-2K1000) [ 12.415917] Modules linked in: loongson2_thermal(+) vfat fat uio_pdrv_genirq uio fuse zram zsmalloc [ 12.415950] Process systemd-udevd (pid: 181, threadinfo=00000000358b9718, task=00000000ace72fe3) [ 12.415961] Stack : 0000000000000dc0 54567fd5da9b4fd4 900000000402ae10 9000000002df9358 [ 12.415982] ffffffffffffffed 0000000000000004 9000000107a10aa8 90000001002a3410 [ 12.415999] ffffffffffffffed ffffffffffffffed 9000000107a11268 9000000003157ab0 [ 12.416016] 9000000107a10aa8 ffffff80020fc0c8 90000001002a3410 ffffffffffffffed [ 12.416032] 0000000000000024 ffffff80020cc1e8 900000000402b2a0 9000000003acc000 [ 12.416048] 90000001002a3410 0000000000000000 ffffff80020f4030 90000001002a3410 [ 12.416065] 0000000000000000 9000000002df6808 90000001002a3410 0000000000000000 [ 12.416081] ffffff80020f4030 0000000000000000 90000001002a3410 9000000002df2ba8 [ 12.416097] 00000000000000b4 90000001002a34f4 90000001002a3410 0000000000000002 [ 12.416114] ffffff80020f4030 fffffffffffffff0 90000001002a3410 9000000002df2f30 [ 12.416131] … [ 12.416138] Call Trace: [ 12.416142] [<900000000355f410>] strscpy+0xf0/0x160 [ 12.416167] [<90000000031579b8>] thermal_add_hwmon_sysfs+0x258/0x300 [ 12.416183] [<9000000003157ab0>] devm_thermal_add_hwmon_sysfs+0x50/0xe0 [ 12.416200] [<ffffff80020cc1e8>] loongson2_thermal_probe+0x128/0x200 [loongson2_thermal] [ 12.416232] [<9000000002df6808>] platform_probe+0x68/0x140 [ 12.416249] [<9000000002df2ba8>] really_probe+0xc8/0x3c0 [ 12.416269] [<9000000002df2f30>] __driver_probe_device+0x90/0x180 [ 12.416286] [<9000000002df3058>] driver_probe_device+0x38/0x160 [ 12.416302] [<9000000002df33a8>] __driver_attach+0xa8/0x200 [ 12.416314] [<9000000002deffec>] bus_for_each_dev+0x8c/0x120 [ 12.416330] [<9000000002df198c>] bus_add_driver+0x10c/0x2a0 [ 12.416346] [<9000000002df46b4>] driver_register+0x74/0x160 [ 12.416358] [<90000000022201a4>] do_one_initcall+0x84/0x220 [ 12.416372] [<90000000022f3ab8>] do_init_module+0x58/0x2c0 [ —truncated—	2024-03-18	not yet calculated	CVE-2023-52613 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don’t have enough space to write the full transition table. Also document in the ABI that this function can return -EFBIG error.	2024-03-18	not yet calculated	CVE-2023-52614 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: hwrng: core – Fix page fault dead lock on mmap-ed hwrng There is a dead-lock in the hwrng device read path. This triggers when the user reads from /dev/hwrng into memory also mmap-ed from /dev/hwrng. The resulting page fault triggers a recursive read which then dead-locks. Fix this by using a stack buffer when calling copy_to_user.	2024-03-18	not yet calculated	CVE-2023-52615 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: crypto: lib/mpi – Fix unexpected pointer access in mpi_ec_init When the mpi_ec_ctx structure is initialized, some fields are not cleared, causing a crash when referencing the field when the structure was released. Initially, this issue was ignored because memory for mpi_ec_ctx is allocated with the __GFP_ZERO flag. For example, this error will be triggered when calculating the Za value for SM2 separately.	2024-03-18	not yet calculated	CVE-2023-52616 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: PCI: switchtec: Fix stdev_release() crash after surprise hot remove A PCI device hot removal may occur while stdev->cdev is held open. The call to stdev_release() then happens during close or exit, at a point way past switchtec_pci_remove(). Otherwise the last ref would vanish with the trailing put_device(), just before return. At that later point in time, the devm cleanup has already removed the stdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted one. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause a fatal page fault, and the subsequent dma_free_coherent(), if reached, would pass a stale &stdev->pdev->dev pointer. Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), after stdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent future accidents. Reproducible via the script at https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com	2024-03-18	not yet calculated	CVE-2023-52617 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: block/rnbd-srv: Check for unlikely string overflow Since “dev_search_path” can technically be as large as PATH_MAX, there was a risk of truncation when copying it and a second string into “full_path” since it was also PATH_MAX sized. The W=1 builds were reporting this warning: drivers/block/rnbd/rnbd-srv.c: In function ‘process_msg_open.isra’: drivers/block/rnbd/rnbd-srv.c:616:51: warning: ‘%s’ directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=] 616 \| snprintf(full_path, PATH_MAX, “%s/%s”, \| ^~ In function ‘rnbd_srv_get_full_path’, inlined from ‘process_msg_open.isra’ at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: ‘snprintf’ output between 2 and 4351 bytes into a destination of size 4096 616 \| snprintf(full_path, PATH_MAX, “%s/%s”, \| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 617 \| dev_search_path, dev_name); \| ~~~~~~~~~~~~~~~~~~~~~~~~~~ To fix this, unconditionally check for truncation (as was already done for the case where “%SESSNAME%” was present).	2024-03-18	not yet calculated	CVE-2023-52618 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: pstore/ram: Fix crash when setting number of cpus to an odd number When the number of cpu cores is adjusted to 7 or other odd numbers, the zone size will become an odd number. The address of the zone will become: addr of zone0 = BASE addr of zone1 = BASE + zone_size addr of zone2 = BASE + zone_size*2 … The address of zone1/3/5/7 will be mapped to non-alignment va. Eventually crashes will occur when accessing these va. So, use ALIGN_DOWN() to make sure the zone size is even to avoid this bug.	2024-03-18	not yet calculated	CVE-2023-52619 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow timeout for anonymous sets Never used from userspace, disallow these parameters.	2024-03-21	not yet calculated	CVE-2023-52620 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work idev->mc_ifc_count can be written over without proper locking. Originally found by syzbot [1], fix this issue by encapsulating calls to mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with mutex_lock() and mutex_unlock() accordingly as these functions should only be called with mc_lock per their declarations. [1] BUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0: mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline] ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725 addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949 addrconf_notify+0x310/0x980 notifier_call_chain kernel/notifier.c:93 [inline] raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461 __dev_notify_flags+0x205/0x3d0 dev_change_flags+0xab/0xd0 net/core/dev.c:8685 do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916 rtnl_group_changelink net/core/rtnetlink.c:3458 [inline] __rtnl_newlink net/core/rtnetlink.c:3717 [inline] rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754 rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558 netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910 … write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1: mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653 process_one_work kernel/workqueue.c:2627 [inline] process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700 worker_thread+0x525/0x730 kernel/workqueue.c:2781 …	2024-03-18	not yet calculated	CVE-2024-26631 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: block: Fix iterating over an empty bio with bio_for_each_folio_all If the bio contains no data, bio_first_folio() calls page_folio() on a NULL pointer and oopses. Move the test that we’ve reached the end of the bio from bio_next_folio() to bio_first_folio(). [axboe: add unlikely() to error case]	2024-03-18	not yet calculated	CVE-2024-26632 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken. Reading frag_off can only be done if we pulled enough bytes to skb->head. Currently we might access garbage. [1] BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243 dst_output include/net/dst.h:451 [inline] ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline] ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 __do_kmalloc_node mm/slab_common.c:1006 [inline] __kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027 kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582 pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098 __pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655 pskb_may_pull_reason include/linux/skbuff.h:2673 [inline] pskb_may_pull include/linux/skbuff.h:2681 [inline] ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243 dst_output include/net/dst.h:451 [inline] ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline] ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendms —truncated—	2024-03-18	not yet calculated	CVE-2024-26633 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: net: fix removing a namespace with conflicting altnames Mark reports a BUG() when a net namespace is removed. kernel BUG at net/core/dev.c:11520! Physical interfaces moved outside of init_net get “refunded” to init_net when that namespace disappears. The main interface name may get overwritten in the process if it would have conflicted. We need to also discard all conflicting altnames. Recent fixes addressed ensuring that altnames get moved with the main interface, which surfaced this problem.	2024-03-18	not yet calculated	CVE-2024-26634 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: llc: Drop support for ETH_P_TR_802_2. syzbot reported an uninit-value bug below. [0] llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2 (0x0011), and syzbot abused the latter to trigger the bug. write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ‘)’, “90e5dd”}}}}, 0x16) llc_conn_handler() initialises local variables {saddr,daddr}.mac based on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes them to __llc_lookup(). However, the initialisation is done only when skb->protocol is htons(ETH_P_802_2), otherwise, __llc_lookup_established() and __llc_lookup_listener() will read garbage. The missing initialisation existed prior to commit 211ed865108e (“net: delete all instances of special processing for token ring”). It removed the part to kick out the token ring stuff but forgot to close the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv(). Let’s remove llc_tr_packet_type and complete the deprecation. [0]: BUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90 __llc_lookup_established+0xe9d/0xf90 __llc_lookup net/llc/llc_conn.c:611 [inline] llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791 llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206 __netif_receive_skb_one_core net/core/dev.c:5527 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641 netif_receive_skb_internal net/core/dev.c:5727 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5786 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2020 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x8ef/0x1490 fs/read_write.c:584 ksys_write+0x20f/0x4c0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:646 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b Local variable daddr created at: llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783 llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206 CPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023	2024-03-18	not yet calculated	CVE-2024-26635 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: llc: make llc_ui_sendmsg() more robust against bonding changes syzbot was able to trick llc_ui_sendmsg(), allocating an skb with no headroom, but subsequently trying to push 14 bytes of Ethernet header [1] Like some others, llc_ui_sendmsg() releases the socket lock before calling sock_alloc_send_skb(). Then it acquires it again, but does not redo all the sanity checks that were performed. This fix: – Uses LL_RESERVED_SPACE() to reserve space. – Check all conditions again after socket lock is held again. – Do not account Ethernet header for mtu limitation. [1] skbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0 kernel BUG at net/core/skbuff.c:193 ! Internal error: Oops – BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=–) pc : skb_panic net/core/skbuff.c:189 [inline] pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 lr : skb_panic net/core/skbuff.c:189 [inline] lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 sp : ffff800096f97000 x29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000 x26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2 x23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0 x20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce x17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001 x14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400 x8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714 x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089 Call trace: skb_panic net/core/skbuff.c:189 [inline] skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 skb_push+0xf0/0x108 net/core/skbuff.c:2451 eth_header+0x44/0x1f8 net/ethernet/eth.c:83 dev_hard_header include/linux/netdevice.h:3188 [inline] llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33 llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85 llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline] llc_sap_next_state net/llc/llc_sap.c:182 [inline] llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209 llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270 llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x194/0x274 net/socket.c:767 splice_to_socket+0x7cc/0xd58 fs/splice.c:881 do_splice_from fs/splice.c:933 [inline] direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142 splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088 do_splice_direct+0x20c/0x348 fs/splice.c:1194 do_sendfile+0x4bc/0xc70 fs/read_write.c:1254 __do_sys_sendfile64 fs/read_write.c:1322 [inline] __se_sys_sendfile64 fs/read_write.c:1308 [inline] __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595 Code: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)	2024-03-18	not yet calculated	CVE-2024-26636 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: rely on mac80211 debugfs handling for vif mac80211 started to delete debugfs entries in certain cases, causing a ath11k to crash when it tried to delete the entries later. Fix this by relying on mac80211 to delete the entries when appropriate and adding them from the vif_add_debugfs handler.	2024-03-18	not yet calculated	CVE-2024-26637 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: nbd: always initialize struct msghdr completely syzbot complains that msg->msg_get_inq value can be uninitialized [1] struct msghdr got many new fields recently, we should always make sure their values is zero by default. [1] BUG: KMSAN: uninit-value in tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571 tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571 inet_recvmsg+0x131/0x580 net/ipv4/af_inet.c:879 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg+0x12b/0x1e0 net/socket.c:1066 __sock_xmit+0x236/0x5c0 drivers/block/nbd.c:538 nbd_read_reply drivers/block/nbd.c:732 [inline] recv_work+0x262/0x3100 drivers/block/nbd.c:863 process_one_work kernel/workqueue.c:2627 [inline] process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700 worker_thread+0xf45/0x1490 kernel/workqueue.c:2781 kthread+0x3ed/0x540 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 Local variable msg created at: __sock_xmit+0x4c/0x5c0 drivers/block/nbd.c:513 nbd_read_reply drivers/block/nbd.c:732 [inline] recv_work+0x262/0x3100 drivers/block/nbd.c:863 CPU: 1 PID: 7465 Comm: kworker/u5:1 Not tainted 6.7.0-rc7-syzkaller-00041-gf016f7547aee #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Workqueue: nbd5-recv recv_work	2024-03-18	not yet calculated	CVE-2024-26638 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: mm, kmsan: fix infinite recursion due to RCU critical section Alexander Potapenko writes in [1]: “For every memory access in the code instrumented by KMSAN we call kmsan_get_metadata() to obtain the metadata for the memory being accessed. For virtual memory the metadata pointers are stored in the corresponding `struct page`, therefore we need to call virt_to_page() to get them. According to the comment in arch/x86/include/asm/page.h, virt_to_page(kaddr) returns a valid pointer iff virt_addr_valid(kaddr) is true, so KMSAN needs to call virt_addr_valid() as well. To avoid recursion, kmsan_get_metadata() must not call instrumented code, therefore ./arch/x86/include/asm/kmsan.h forks parts of arch/x86/mm/physaddr.c to check whether a virtual address is valid or not. But the introduction of rcu_read_lock() to pfn_valid() added instrumented RCU API calls to virt_to_page_or_null(), which is called by kmsan_get_metadata(), so there is an infinite recursion now. I do not think it is correct to stop that recursion by doing kmsan_enter_runtime()/kmsan_exit_runtime() in kmsan_get_metadata(): that would prevent instrumented functions called from within the runtime from tracking the shadow values, which might introduce false positives.” Fix the issue by switching pfn_valid() to the _sched() variant of rcu_read_lock/unlock(), which does not require calling into RCU. Given the critical section in pfn_valid() is very small, this is a reasonable trade-off (with preemptible RCU). KMSAN further needs to be careful to suppress calls into the scheduler, which would be another source of recursion. This can be done by wrapping the call to pfn_valid() into preempt_disable/enable_no_resched(). The downside is that this sacrifices breaking scheduling guarantees; however, a kernel compiled with KMSAN has already given up any performance guarantees due to being heavily instrumented. Note, KMSAN code already disables tracing via Makefile, and since mmzone.h is included, it is not necessary to use the notrace variant, which is generally preferred in all other cases.	2024-03-18	not yet calculated	CVE-2024-26639 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: – Page must not be a compound one. – page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)=’./file0x00′, 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)=’./file0x00′, 0x181e42, 0x0)	2024-03-18	not yet calculated	CVE-2024-26640 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023	2024-03-18	not yet calculated	CVE-2024-26641 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.	2024-03-21	not yet calculated	CVE-2024-26642 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (“netfilter: nf_tables: use timestamp to check for set element timeout”). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (“netfilter: nf_tables: mark newset as dead on transaction abort”), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.	2024-03-21	not yet calculated	CVE-2024-26643 416baaa9-dc9f-4396-8d5f-8c081fb06d67
mikrotik — routeros-tftp	Implementations of UDP application protocol are vulnerable to network loops. An unauthenticated attacker can use maliciously-crafted packets against a vulnerable implementation that can lead to Denial of Service (DOS) and/or abuse of resources.	2024-03-19	not yet calculated	CVE-2024-2169 cret@cert.org cret@cert.org
mozilla — firefox	NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.	2024-03-19	not yet calculated	CVE-2023-5388 security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org
mozilla — firefox	An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system escaping the sandbox. Note: This issue only affected Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.	2024-03-19	not yet calculated	CVE-2024-2605 security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org
mozilla — firefox	Passing invalid data could have led to invalid wasm values being created, such as arbitrary integers turning into pointer values. This vulnerability affects Firefox < 124.	2024-03-19	not yet calculated	CVE-2024-2606 security@mozilla.org security@mozilla.org
mozilla — firefox	Return registers were overwritten which could have allowed an attacker to execute arbitrary code. Note: This issue only affected Armv7-A systems. Other operating systems are unaffected. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.	2024-03-19	not yet calculated	CVE-2024-2607 security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org
mozilla — firefox	`AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding()` and `AppendEncodedCharacters()` could have experienced integer overflows, causing underallocation of an output buffer leading to an out of bounds write. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.	2024-03-19	not yet calculated	CVE-2024-2608 security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org
mozilla — firefox	The permission prompt input delay could have expired while the window is not in focus, which made the prompt vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124.	2024-03-19	not yet calculated	CVE-2024-2609 security@mozilla.org security@mozilla.org
mozilla — firefox	Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass strict content security policies. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.	2024-03-19	not yet calculated	CVE-2024-2610 security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org
mozilla — firefox	A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.	2024-03-19	not yet calculated	CVE-2024-2611 security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org
mozilla — firefox	If an attacker could find a way to trigger a particular code path in `SafeRefPtr`, it could have triggered a crash or potentially be leveraged to achieve code execution. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.	2024-03-19	not yet calculated	CVE-2024-2612 security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org
mozilla — firefox	Data was not properly sanitized when decoding a QUIC ACK frame; this could have led to unrestricted memory consumption and a crash. This vulnerability affects Firefox < 124.	2024-03-19	not yet calculated	CVE-2024-2613 security@mozilla.org security@mozilla.org
mozilla — firefox	Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.	2024-03-19	not yet calculated	CVE-2024-2614 security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org
mozilla — firefox	Memory safety bugs present in Firefox 123. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 124.	2024-03-19	not yet calculated	CVE-2024-2615 security@mozilla.org security@mozilla.org
mozilla — firefox	To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempt to continue. This vulnerability affects Firefox ESR < 115.9 and Thunderbird < 115.9.	2024-03-19	not yet calculated	CVE-2024-2616 security@mozilla.org security@mozilla.org security@mozilla.org security@mozilla.org
node.js — node.js	setuid() does not affect libuv’s internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.	2024-03-19	not yet calculated	CVE-2024-22017 support@hackerone.com
node.js — node.js	A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.	2024-03-19	not yet calculated	CVE-2024-22025 support@hackerone.com
paddlepaddle — paddlepaddle/paddle	paddlepaddle/paddle 2.6.0 allows arbitrary file read via paddle.vision.ops.read_file.	2024-03-23	not yet calculated	CVE-2024-1603 security@huntr.dev
unclebob — fitnesse	Cross-site scripting vulnerability exists in FitNesse all releases, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with specially crafted multiple parameters.	2024-03-18	not yet calculated	CVE-2024-23604 vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp
unclebob — fitnesse	Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service (DoS) condition.	2024-03-18	not yet calculated	CVE-2024-28039 vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp
unclebob — fitnesse	FitNesse all releases allows a remote authenticated attacker to execute arbitrary OS commands.	2024-03-18	not yet calculated	CVE-2024-28125 vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp
unclebob — fitnesse	Cross-site scripting vulnerability exists in FitNesse releases prior to 20220319, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter.	2024-03-18	not yet calculated	CVE-2024-28128 vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp
unknown — advanced_social_feeds_widget_&_shortcode	The Advanced Social Feeds Widget & Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)	2024-03-18	not yet calculated	CVE-2024-0951 contact@wpscan.com
unknown — appointment_booking_calendar	The Appointment Booking Calendar WordPress plugin before 1.3.83 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding a booking to the calendar without paying.	2024-03-20	not yet calculated	CVE-2024-0856 contact@wpscan.com
unknown — backup_bolt	The Backup Bolt WordPress plugin through 1.3.0 is vulnerable to Information Exposure via the unprotected access of debug logs. This makes it possible for unauthenticated attackers to retrieve the debug log which may contain information like system errors which could contain sensitive information.	2024-03-18	not yet calculated	CVE-2023-7236 contact@wpscan.com
unknown — buttons_shortcode_and_widget	The Buttons Shortcode and Widget WordPress plugin through 1.16 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.	2024-03-18	not yet calculated	CVE-2024-0711 contact@wpscan.com
unknown — enjoy_social_feed_plugin_for_wordpress_website	The Enjoy Social Feed plugin for WordPress website WordPress plugin through 6.2.2 does not have authorisation and CSRF in various function hooked to admin_init, allowing unauthenticated users to call them and unlink arbitrary users Instagram Account for example	2024-03-18	not yet calculated	CVE-2024-0779 contact@wpscan.com
unknown — enjoy_social_feed_plugin_for_wordpress_website	The Enjoy Social Feed plugin for WordPress website WordPress plugin through 6.2.2 does not have authorisation when resetting its database, allowing any authenticated users, such as subscriber to perform such action	2024-03-18	not yet calculated	CVE-2024-0780 contact@wpscan.com
unknown — error_log_viewer_by_bestwebsoft	The Error Log Viewer by BestWebSoft WordPress plugin before 1.1.3 contains a vulnerability that allows you to read and download PHP logs without authorization	2024-03-18	not yet calculated	CVE-2023-6821 contact@wpscan.com
unknown — fancy_product_designer	The Fancy Product Designer WordPress plugin before 6.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by adminstrators.	2024-03-18	not yet calculated	CVE-2024-0365 contact@wpscan.com
unknown — grid_shortcodes	The Grid Shortcodes WordPress plugin before 1.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks	2024-03-18	not yet calculated	CVE-2024-1658 contact@wpscan.com
unknown — innovs_hr	The Innovs HR WordPress plugin through 1.0.3.4 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding them as employees.	2024-03-18	not yet calculated	CVE-2024-0858 contact@wpscan.com
unknown — jobs_for_wordpress	The Jobs for WordPress plugin before 2.7.4 does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks	2024-03-18	not yet calculated	CVE-2024-0820 contact@wpscan.com
unknown — profile_box_shortcode_and_widget	The Profile Box Shortcode And Widget WordPress plugin before 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)	2024-03-19	not yet calculated	CVE-2024-1401 contact@wpscan.com
unknown — responsive_pricing_table	The Responsive Pricing Table WordPress plugin before 5.1.11 does not validate and escape some of its Pricing Table options before outputting them back in a page/post where the related shortcode is embed, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks	2024-03-18	not yet calculated	CVE-2024-1333 contact@wpscan.com
unknown — scalable_vector_graphics_(svg)	The Scalable Vector Graphics (SVG) WordPress plugin through 3.4 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.	2024-03-18	not yet calculated	CVE-2023-7085 contact@wpscan.com
unknown — simple_ajax_chat_	The Simple Ajax Chat WordPress plugin before 20240223 does not prevent visitors from using malicious Names when using the chat, which will be reflected unsanitized to other users.	2024-03-20	not yet calculated	CVE-2024-1983 contact@wpscan.com
unknown — system_dashboard	The System Dashboard WordPress plugin before 2.8.10 does not sanitize and escape some parameters, which could allow administrators in multisite WordPress configurations to perform Cross-Site Scripting attacks	2024-03-20	not yet calculated	CVE-2023-7246 contact@wpscan.com
unknown — tabs_shortcode_and_widget	The Tabs Shortcode and Widget WordPress plugin through 1.17 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks	2024-03-18	not yet calculated	CVE-2024-0719 contact@wpscan.com
unknown — team_members	The Team Members WordPress plugin before 5.3.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks.	2024-03-18	not yet calculated	CVE-2024-1331 contact@wpscan.com
unknown — travelpayouts:_all_travel_brands_in_one_place	The Travelpayouts: All Travel Brands in One Place WordPress plugin through 1.1.15 is vulnerable to Open Redirect due to insufficient validation on the travelpayouts_redirect variable. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.	2024-03-20	not yet calculated	CVE-2024-0337 contact@wpscan.com
unknown — widget_for_social_page_feeds	The Widget for Social Page Feeds WordPress plugin before 6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)	2024-03-18	not yet calculated	CVE-2024-0973 contact@wpscan.com
xen — xen	PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests. Such phantom functions need an IOMMU context setup, but failure to setup the context is not fatal when the device is assigned. Not failing device assignment when such failure happens can lead to the primary device being assigned to a guest, while some of the phantom functions are assigned to a different domain.	2024-03-20	not yet calculated	CVE-2023-46839 security@xen.org
xen — xen	Incorrect placement of a preprocessor directive in source code results in logic that doesn’t operate as intended when support for HVM guests is compiled out of Xen.	2024-03-20	not yet calculated	CVE-2023-46840 security@xen.org
xen — xen	Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called “shadow stacks”, holding little more than return addresses. Shadow stacks aren’t writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exceptions, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn’t right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing.	2024-03-20	not yet calculated	CVE-2023-46841 security@xen.org security@xen.org

alerts

CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate SQL Injection Vulnerabilities

Post author By admin
Post date March 25, 2024

Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Secure by Design Alert, Eliminating SQL Injection Vulnerabilities in Software. This Alert was crafted in response to a recent, well-publicized exploitation of SQL injection (SQLi) defects in a managed file transfer application that impacted thousands of organizations. Additionally, the Alert highlights the prevalence of this class of vulnerability.

Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk.

CISA and the FBI urge senior executives at technology manufacturing companies to mount a formal review of their code to determine its susceptibility to SQLi compromises. If found vulnerable, senior executives should ensure their organizations’ software developers begin immediate implementation of mitigations to eliminate this entire class of defect from all current and future software products.

For more information on recommended principles and best practices to achieve this goal, visit CISA’s Secure by Design page. To catch up on the publications in this series, visit Secure by Design Alerts.

alerts

Ivanti Releases Security Updates for Neurons for ITSM and Standalone Sentry

Post author By admin
Post date March 21, 2024

Ivanti has released security advisories to address vulnerabilities in Ivanti Neurons for ITSM and Standalone Sentry. A cyber threat actor could exploit these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following Ivanti advisories and apply the necessary updates:

alerts

CISA, FBI, and MS-ISAC Release Update to Joint Guidance on Distributed Denial-of-Service Techniques

Post author By admin
Post date March 21, 2024

Today, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks. The guidance now includes detailed insight into three different types of DDoS techniques:

Volumetric, attacks aiming to consume available bandwidth.
Protocol, attacks which exploit vulnerabilities in network protocols.
Application, attacks targeting vulnerabilities in specific applications or running services.

CISA, FBI, and MS-ISAC urge network defenders and leaders of critical infrastructure organizations to read the guidance provided to defend against this threat. For more actionable recommendations, best practices, and operational insights designed to address common challenges, visit CISA’s Capacity Enhancement Guides for Federal Agencies page.

alerts

Vulnerability Summary for the Week of March 11, 2024

Post author By admin
Post date March 18, 2024

High Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
academylms — academy_lms_-_elearning_and_online_course_solution_for_wordpress	The Academy LMS – eLearning and online course solution for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.9.19. This is due to plugin allowing arbitrary user meta updates through the saved_user_info() function. This makes it possible for authenticated attackers, with minimal permissions such as students, to elevate their user role to that of an administrator.	2024-03-13	8.8	CVE-2024-1505 security@wordfence.com security@wordfence.com
andrei_ivasiuc — fontific_\|_google_fonts	Cross-Site Request Forgery (CSRF) vulnerability in Andrei Ivasiuc Fontific \| Google Fonts allows Stored XSS.This issue affects Fontific \| Google Fonts: from n/a through 0.1.6.	2024-03-16	7.1	CVE-2024-27194 audit@patchstack.com
apache_software_foundation — apache_pulsar	Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials. This issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0. The known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy’s logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer’s default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to “Cluster” by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren’t known to be exposed. 2.10 Pulsar Proxy users should upgrade to at least 2.10.6. 2.11 Pulsar Proxy users should upgrade to at least 2.11.3. 3.0 Pulsar Proxy users should upgrade to at least 3.0.2. 3.1 Pulsar Proxy users should upgrade to at least 3.1.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it’s imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses.	2024-03-12	8.2	CVE-2022-34321 security@apache.org security@apache.org
apache_software_foundation — apache_pulsar	Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with “functionsWorkerEnabled=true”. This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Pulsar Function Worker users should upgrade to at least 2.10.6. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3. 3.1 Pulsar Function Worker users should upgrade to at least 3.1.3. 3.2 Pulsar Function Worker users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.	2024-03-12	8.5	CVE-2024-27135 security@apache.org security@apache.org
apache_software_foundation — apache_pulsar	In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren’t properly validated, contain special elements like “..”, altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with “functionsWorkerEnabled=true”. This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Pulsar Function Worker users should upgrade to at least 2.10.6. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3. 3.1 Pulsar Function Worker users should upgrade to at least 3.1.3. 3.2 Pulsar Function Worker users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.	2024-03-12	8.4	CVE-2024-27317 security@apache.org security@apache.org
apache_software_foundation — apache_pulsar	The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function’s implementation is referenced by a URL. The supported URL schemes include “file”, “http”, and “https”. When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks. This vulnerability also applies to the Pulsar Broker when it is configured with “functionsWorkerEnabled=true”. This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Pulsar Function Worker users should upgrade to at least 2.10.6. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3. 3.1 Pulsar Function Worker users should upgrade to at least 3.1.3. 3.2 Pulsar Function Worker users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. The updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: “additionalEnabledConnectorUrlPatterns” and “additionalEnabledFunctionsUrlPatterns”. These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.	2024-03-12	8.5	CVE-2024-27894 security@apache.org security@apache.org
arcserve — unified_data_protection	An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin.	2024-03-13	9.8	CVE-2024-0799 vulnreport@tenable.com
arcserve — unified_data_protection	A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet.	2024-03-13	8.8	CVE-2024-0800 vulnreport@tenable.com
arcserve — unified_data_protection	A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.	2024-03-13	7.5	CVE-2024-0801 vulnreport@tenable.com
argoproj — argo-cd	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim’s permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3 v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.	2024-03-13	9	CVE-2024-28175 security-advisories@github.com security-advisories@github.com
autopolisbg — bulgarisation_for_woocommerce	The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions in all versions up to, and including, 3.0.14. This makes it possible for unauthenticated and authenticated attackers, with subscriber-level access and above, to generate and delete labels.	2024-03-13	7.3	CVE-2024-0683 security@wordfence.com security@wordfence.com
autopolisbg — bulgarisation_for_woocommerce	The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.14. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to generate and delete labels via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.	2024-03-12	7.3	CVE-2024-2395 security@wordfence.com security@wordfence.com
aweber — aweber_-_free_sign_up_form_and_landing_page_builder_plugin_for_lead_generation_and_email_newsletter_growth	The AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth plugin for WordPress is vulnerable to SQL Injection via the ‘post_id’ parameter in all versions up to, and including, 7.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.	2024-03-13	7.2	CVE-2024-1793 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
badger_meter — monitool	SQL injection vulnerability in Badger Meter Monitool affecting versions 4.6.3 and earlier. A remote attacker could send a specially crafted SQL query to the server via the j_username parameter and retrieve the information stored in the database.	2024-03-12	9.8	CVE-2024-1301 cve-coordination@incibe.es
badger_meter — monitool	Information exposure vulnerability in Badger Meter Monitool affecting versions up to 4.6.3 and earlier. A local attacker could change the application’s file parameter to a log file obtaining all sensitive information such as database credentials.	2024-03-12	7.3	CVE-2024-1302 cve-coordination@incibe.es
bee — beepress	Cross-Site Request Forgery (CSRF) vulnerability in Bee BeePress allows Stored XSS.This issue affects BeePress: from n/a through 6.9.8.	2024-03-16	7.1	CVE-2024-27197 audit@patchstack.com
boldgrid — weforms_-_easy_drag_&_drop_contact_form_builder_for_wordpress	The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Referer’ HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-12	7.2	CVE-2024-0386 security@wordfence.com security@wordfence.com
canon_inc. — color_imageclass_mf740c_series	Buffer overflow in identifier field of WSD probe request process of Small Office Multifunction Printers and Laser Printers() which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code.:Satera MF740C Series/Satera MF640C Series/Satera LBP660C Series/Satera LBP620C Series firmware v12.07 and earlier, and Satera MF750C Series/Satera LBP670C Series firmware v03.09 and earlier sold in Japan.Color imageCLASS MF740C Series/Color imageCLASS MF640C Series/Color imageCLASS X MF1127C/Color imageCLASS LBP664Cdw/Color imageCLASS LBP622Cdw/Color imageCLASS X LBP1127C firmware v12.07 and earlier, and Color imageCLASS MF750C Series/Color imageCLASS X MF1333C/Color imageCLASS LBP674Cdw/Color imageCLASS X LBP1333C firmware v03.09 and earlier sold in US.i-SENSYS MF740C Series/i-SENSYS MF640C Series/C1127i Series/i-SENSYS LBP660C Series/i-SENSYS LBP620C Series/C1127P firmware v12.07 and earlier, and i-SENSYS MF750C Series/C1333i Series/i-SENSYS LBP673Cdw/C1333P firmware v03.09 and earlier sold in Europe.
chatgptnextweb — nextchat	NextChat, also known as ChatGPT-Next-Web, is a cross-platform chat user interface for use with ChatGPT. Versions 2.11.2 and prior are vulnerable to server-side request forgery and cross-site scripting. This vulnerability enables read access to internal HTTP endpoints but also write access using HTTP POST, PUT, and other methods. Attackers can also use this vulnerability to mask their source IP by forwarding malicious traffic intended for other Internet targets through these open proxies. As of time of publication, no patch is available, but other mitigation strategies are available. Users may avoid exposing the application to the public internet or, if exposing the application to the internet, ensure it is an isolated network with no access to any other internal resources.	2024-03-12	9.1	CVE-2023-49785 security-advisories@github.com security-advisories@github.com
cisco — cisco_ios_xr_software	A vulnerability in the Layer 2 Ethernet services of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the line card network processor to reset, resulting in a denial of service (DoS) condition. This vulnerability is due to the incorrect handling of specific Ethernet frames that are received on line cards that have the Layer 2 services feature enabled. An attacker could exploit this vulnerability by sending specific Ethernet frames through an affected device. A successful exploit could allow the attacker to cause the ingress interface network processor to reset, resulting in a loss of traffic over the interfaces that are supported by the network processor. Multiple resets of the network processor would cause the line card to reset, resulting in a DoS condition.	2024-03-13	7.4	CVE-2024-20318 ykramarz@cisco.com
cisco — cisco_ios_xr_software	A vulnerability in the SSH client feature of Cisco IOS XR Software for Cisco 8000 Series Routers and Cisco Network Convergence System (NCS) 540 Series and 5700 Series Routers could allow an authenticated, local attacker to elevate privileges on an affected device. This vulnerability is due to insufficient validation of arguments that are included with the SSH client CLI command. An attacker with low-privileged access to an affected device could exploit this vulnerability by issuing a crafted SSH client command to the CLI. A successful exploit could allow the attacker to elevate privileges to root on the affected device.	2024-03-13	7.8	CVE-2024-20320 ykramarz@cisco.com
cisco — cisco_ios_xr_software	A vulnerability in the PPP over Ethernet (PPPoE) termination feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, adjacent attacker to crash the ppp_ma process, resulting in a denial of service (DoS) condition. This vulnerability is due to the improper handling of malformed PPPoE packets that are received on a router that is running Broadband Network Gateway (BNG) functionality with PPPoE termination on a Lightspeed-based or Lightspeed-Plus-based line card. An attacker could exploit this vulnerability by sending a crafted PPPoE packet to an affected line card interface that does not terminate PPPoE. A successful exploit could allow the attacker to crash the ppp_ma process, resulting in a DoS condition for PPPoE traffic across the router.	2024-03-13	7.4	CVE-2024-20327 ykramarz@cisco.com
cms_made_simple — cms_made_simple	Unrestricted file upload vulnerability in CMS Made Simple, affecting version 2.2.14. This vulnerability allows an authenticated user to bypass the security measures of the upload functionality and potentially create a remote execution of commands via webshell.	2024-03-12	9.8	CVE-2024-1527 cve-coordination@incibe.es
cms_made_simple — cms_made_simple	CMS Made Simple version 2.2.14, does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/moduleinterface.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.	2024-03-12	7.4	CVE-2024-1528 cve-coordination@incibe.es
cms_made_simple — cms_made_simple	Vulnerability in CMS Made Simple 2.2.14, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/adduser.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially take over their browser session.	2024-03-12	7.4	CVE-2024-1529 cve-coordination@incibe.es
codepeople — calculated_fields_form	The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the professional version or higher.	2024-03-13	7.2	CVE-2024-2020 security@wordfence.com security@wordfence.com
concerted_action — action_network	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Concerted Action Action Network allows Reflected XSS.This issue affects Action Network: from n/a through 1.4.2.	2024-03-15	7.1	CVE-2024-25921 audit@patchstack.com
corewcf — corewcf	CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. If you have a NetFraming based CoreWCF service, extra system resources could be consumed by connections being left established instead of closing or aborting them. There are two scenarios when this can happen. When a client established a connection to the service and sends no data, the service will wait indefinitely for the client to initiate the NetFraming session handshake. Additionally, once a client has established a session, if the client doesn’t send any requests for the period of time configured in the binding ReceiveTimeout, the connection is not properly closed as part of the session being aborted. The bindings affected by this behavior are NetTcpBinding, NetNamedPipeBinding, and UnixDomainSocketBinding. Only NetTcpBinding has the ability to accept non local connections. The currently supported versions of CoreWCF are v1.4.x and v1.5.x. The fix can be found in v1.4.2 and v1.5.3 of the CoreWCF packages. Users are advised to upgrade. There are no workarounds for this issue.	2024-03-15	7.5	CVE-2024-28252 security-advisories@github.com security-advisories@github.com
cyberlord92 — web_application_firewall_-_website_security	The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator.	2024-03-13	9.8	CVE-2024-2172 security@wordfence.com security@wordfence.com security@wordfence.com
dell — poweredge_platform	Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an Improper SMM communication buffer verification vulnerability. A local low privileged attacker could potentially exploit this vulnerability leading to arbitrary writes to SMRAM.	2024-03-13	7.2	CVE-2024-0161 security_alert@emc.com
etoile_web_design — ultimate_reviews	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Etoile Web Design Ultimate Reviews allows Stored XSS.This issue affects Ultimate Reviews: from n/a through 3.2.8.	2024-03-15	7.1	CVE-2024-25597 audit@patchstack.com
faronics — deep_freeze_server_standard	A search path or unquoted item vulnerability in Faronics Deep Freeze Server Standard, which affects versions 8.30.020.4627 and earlier. This vulnerability affects the DFServ.exe file. An attacker with local user privileges could exploit this vulnerability to replace the legitimate DFServ.exe service executable with a malicious file of the same name and located in a directory that has a higher priority than the legitimate directory. Thus, when the service starts, it will run the malicious file instead of the legitimate executable, allowing the attacker to execute arbitrary code, gain unauthorized access to the compromised system or stop the service from running.	2024-03-12	7.8	CVE-2024-1618 cve-coordination@incibe.es
fortinet — forticlient_endpoint_management_server	A improper neutralization of formula elements in a csv file in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.10, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, 6.0.0 through 6.0.8 allows attacker to execute unauthorized code or commands via specially crafted packets.	2024-03-12	8.8	CVE-2023-47534 psirt@fortinet.com
fortinet — forticlient_enterprise_management_server	A improper neutralization of special elements used in an sql command (‘sql injection’) in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.	2024-03-12	9.8	CVE-2023-48788 psirt@fortinet.com
fortinet — fortimanager	A improper access control in Fortinet FortiManager version 7.4.0, version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.10, version 6.4.0 through 6.4.13, 6.2 all versions allows attacker to execute unauthorized code or commands via specially crafted HTTP requests.	2024-03-12	9.8	CVE-2023-36554 psirt@fortinet.com
fortinet — fortios	An improper authentication vulnerability [CWE-287] in FortiOS versions 7.4.1 and below, versions 7.2.6 and below, and versions 7.0.12 and below when configured with FortiAuthenticator in HA may allow a readonly user to gain read-write access via successive login attempts.	2024-03-12	7.5	CVE-2023-46717 psirt@fortinet.com
fortinet — fortiproxy	A out-of-bounds write in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13 allows attacker to execute unauthorized code or commands via specially crafted HTTP requests.	2024-03-12	9.8	CVE-2023-42789 psirt@fortinet.com
fortinet — fortiproxy	A stack-based buffer overflow in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13 allows attacker to execute unauthorized code or commands via specially crafted HTTP requests.	2024-03-12	8.1	CVE-2023-42790 psirt@fortinet.com
fortra — filecatalyst	A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.	2024-03-13	9.8	CVE-2024-25153 df4dee71-de3a-4139-9588-11b62fe6c0ff df4dee71-de3a-4139-9588-11b62fe6c0ff
freescout-helpdesk — freescout	FreeScout is an open source help desk and shared inbox built with PHP. A vulnerability has been identified in the Free Scout Application, which exposes SMTP server credentials used by an organization in the application to users of the application. This issue arises from the application storing complete stack traces of exceptions in its database. The sensitive information is then inadvertently disclosed to users via the `/conversation/ajax-html/send_log?folder_id=&thread_id={id}` endpoint. The stack trace reveals value of parameters, including the username and password, passed to the `Swift_Transport_Esmtp_Auth_LoginAuthenticator->authenticate()` function. Exploiting this vulnerability allows an attacker to gain unauthorized access to SMTP server credentials. With this sensitive information in hand, the attacker can potentially send unauthorized emails from the compromised SMTP server, posing a severe threat to the confidentiality and integrity of email communications. This could lead to targeted attacks on both the application users and the organization itself, compromising the security of email exchange servers. This issue has been addressed in version 1.8.124. Users are advised to upgrade. Users unable to upgrade should adopt the following measures: 1. Avoid Storing Complete Stack Traces, 2. Implement redaction mechanisms to filter and exclude sensitive information, and 3. Review and enhance the application’s logging practices.	2024-03-12	7.1	CVE-2024-28186 security-advisories@github.com security-advisories@github.com
givewp — give	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in GiveWP Give allows Reflected XSS.This issue affects Give: from n/a through 3.3.1.	2024-03-15	7.1	CVE-2024-27987 audit@patchstack.com
go-vela — worker	Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and – by using common substitution string manipulation – can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the “no commands” option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. To exploit this the pipeline author must be supplying the secrets to a plugin that is designed in such a way that will print those parameters in logs. Plugin parameters are not designed for sensitive values and are often intentionally printed throughout execution for informational/debugging purposes. Parameters should therefore be treated as insensitive. While Vela provides secrets masking, secrets exposure is not entirely solved by the masking process. A docker image (plugin) can easily expose secrets if they are not handled properly, or altered in some way. There is a responsibility on the end-user to understand how values injected into a plugin are used. This is a risk that exists for many CICD systems (like GitHub Actions) that handle sensitive runtime variables. Rather, the greater risk is that users who restrict a secret to the “no commands” option and use image restriction can still have their secret value exposed via substitution tinkering, which turns the image and command restrictions into a false sense of security. This issue has been addressed in version 0.23.2. Users are advised to upgrade. Users unable to upgrade should not provide sensitive values to plugins that can potentially expose them, especially in `parameters` that are not intended to be used for sensitive values, ensure plugins (especially those that utilize shared secrets) follow best practices to avoid logging parameters that are expected to be sensitive, minimize secrets with `pull_request` events enabled, as this allows users to change pipeline configurations and pull in secrets to steps not typically part of the CI process, make use of the build approval setting, restricting builds from untrusted users, and limit use of shared secrets, as they are less restrictive to access by nature.	2024-03-12	7.7	CVE-2024-28236 security-advisories@github.com security-advisories@github.com
hammadh — play.ht_-_make_your_blog_posts_accessible_with_text_to_speech_audio	The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.4 via deserialization of untrusted input from the play_podcast_data post meta. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.	2024-03-13	8.8	CVE-2024-1772 security@wordfence.com security@wordfence.com
hopsoft — turbo_boost-commands	turbo_boost-commands is a set of commands to help you build robust reactive applications with Rails & Hotwire. TurboBoost Commands has existing protections in place to guarantee that only public methods on Command classes can be invoked; however, the existing checks aren’t as robust as they should be. It’s possible for a sophisticated attacker to invoke more methods than should be permitted depending on the the strictness of authorization checks that individual applications enforce. Being able to call some of these methods can have security implications. Commands verify that the class must be a `Command` and that the method requested is defined as a public method; however, this isn’t robust enough to guard against all unwanted code execution. The library should more strictly enforce which methods are considered safe before allowing them to be executed. This issue has been addressed in versions 0.1.3, and 0.2.2. Users are advised to upgrade. Users unable to upgrade should see the repository GHSA for workaround advice.	2024-03-14	8.1	CVE-2024-28181 security-advisories@github.com security-advisories@github.com
ibm — i	Db2 for IBM i 7.2, 7.3, 7.4, and 7.5 infrastructure could allow a local user to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege. IBM X-Force ID: 280203.	2024-03-14	8.4	CVE-2024-22346 psirt@us.ibm.com psirt@us.ibm.com
ibm — maximo_asset_management	IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 284566.	2024-03-14	8.2	CVE-2024-27266 psirt@us.ibm.com psirt@us.ibm.com
intumit — smartrobot	Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user’s name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.	2024-03-13	9.8	CVE-2024-2413 twcert@cert.org.tw
inunosinsi — soycms	SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-11	7.2	CVE-2024-28187 security-advisories@github.com security-advisories@github.com
jfrog — artifactory	JFrog Artifactory versions below 7.77.7, 7.82.1, are vulnerable to DOM-based cross-site scripting due to improper handling of the import override mechanism.	2024-03-13	8.8	CVE-2024-2247 reefs@jfrog.com
joel_starnes — postmash_-_custom_post_order	Cross Site Scripting (XSS) vulnerability in Joel Starnes postMash – custom post order allows Reflected XSS.This issue affects postMash – custom post order: from n/a through 1.2.0.	2024-03-15	7.1	CVE-2024-27196 audit@patchstack.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability classified as critical was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. The manipulation of the argument email leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256951. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-15	7.3	CVE-2024-2514 cna@vuldb.com cna@vuldb.com cna@vuldb.com
manageengine_ — manageengine_desktop_central	Unrestricted file upload vulnerability in ManageEngine Desktop Central affecting version 9, build 90055. This vulnerability could allow a remote attacker to upload a malicious file to the system without any credentials provided.	2024-03-11	9.8	CVE-2024-2370 cve-coordination@incibe.es
mattermost — mattermost	Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.	2024-03-15	8.8	CVE-2024-2450 responsibledisclosure@mattermost.com
microsoft — azure_data_studio	Azure Data Studio Elevation of Privilege Vulnerability	2024-03-12	7.3	CVE-2024-26203 secure@microsoft.com
microsoft — azure_kubernetes_service	Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability	2024-03-12	9	CVE-2024-21400 secure@microsoft.com
microsoft — azure_sdk	Azure SDK Spoofing Vulnerability	2024-03-12	7.5	CVE-2024-21421 secure@microsoft.com
microsoft — microsoft_365_apps_for_enterprise	Microsoft Office Elevation of Privilege Vulnerability	2024-03-12	7.8	CVE-2024-26199 secure@microsoft.com
microsoft — microsoft_authenticator	Microsoft Authenticator Elevation of Privilege Vulnerability	2024-03-12	7.1	CVE-2024-21390 secure@microsoft.com
microsoft — microsoft_dynamics_365_(on-premises)_version_9.1	Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability	2024-03-12	7.6	CVE-2024-21419 secure@microsoft.com
microsoft — microsoft_exchange_server_2019_cumulative_update_14	Microsoft Exchange Server Remote Code Execution Vulnerability	2024-03-12	8.8	CVE-2024-26198 secure@microsoft.com
microsoft — microsoft_outlook_for_android	Outlook for Android Information Disclosure Vulnerability	2024-03-12	7.5	CVE-2024-26204 secure@microsoft.com
microsoft — microsoft_sharepoint_enterprise_server_2016	Microsoft SharePoint Server Remote Code Execution Vulnerability	2024-03-12	7.8	CVE-2024-21426 secure@microsoft.com
microsoft — microsoft_visual_studio_2022_version_17.9	.NET and Visual Studio Denial of Service Vulnerability	2024-03-12	7.5	CVE-2024-21392 secure@microsoft.com
microsoft — microsoft_visual_studio_2022_version_17.9	Microsoft QUIC Denial of Service Vulnerability	2024-03-12	7.5	CVE-2024-26190 secure@microsoft.com
microsoft — skype_for_consumer	Skype for Consumer Remote Code Execution Vulnerability	2024-03-12	8.8	CVE-2024-21411 secure@microsoft.com
microsoft — software_for_open_networking_in_the_cloud_(sonic)	Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability	2024-03-12	7.8	CVE-2024-21418 secure@microsoft.com
microsoft — sql_server_backend_for_django	Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability	2024-03-12	8.8	CVE-2024-26164 secure@microsoft.com
microsoft — system_center_operations_manager_(scom)_2019	Open Management Infrastructure (OMI) Remote Code Execution Vulnerability	2024-03-12	9.8	CVE-2024-21334 secure@microsoft.com
microsoft — system_center_operations_manager_(scom)_2019	Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability	2024-03-12	7.8	CVE-2024-21330 secure@microsoft.com
microsoft — visual_studio_code	Visual Studio Code Elevation of Privilege Vulnerability	2024-03-12	8.8	CVE-2024-26165 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Hyper-V Remote Code Execution Vulnerability	2024-03-12	8.1	CVE-2024-21407 secure@microsoft.com
microsoft — windows_10_version_1809	Microsoft ODBC Driver Remote Code Execution Vulnerability	2024-03-12	8.8	CVE-2024-21440 secure@microsoft.com
microsoft — windows_10_version_1809	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability	2024-03-12	8.8	CVE-2024-21441 secure@microsoft.com
microsoft — windows_10_version_1809	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability	2024-03-12	8.8	CVE-2024-21444 secure@microsoft.com
microsoft — windows_10_version_1809	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability	2024-03-12	8.8	CVE-2024-21450 secure@microsoft.com
microsoft — windows_10_version_1809	Microsoft ODBC Driver Remote Code Execution Vulnerability	2024-03-12	8.8	CVE-2024-21451 secure@microsoft.com
microsoft — windows_10_version_1809	Microsoft ODBC Driver Remote Code Execution Vulnerability	2024-03-12	8.8	CVE-2024-26159 secure@microsoft.com
microsoft — windows_10_version_1809	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability	2024-03-12	8.8	CVE-2024-26161 secure@microsoft.com
microsoft — windows_10_version_1809	Microsoft ODBC Driver Remote Code Execution Vulnerability	2024-03-12	8.8	CVE-2024-26162 secure@microsoft.com
microsoft — windows_10_version_1809	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability	2024-03-12	8.8	CVE-2024-26166 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Kerberos Security Feature Bypass Vulnerability	2024-03-12	7.5	CVE-2024-21427 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Update Stack Elevation of Privilege Vulnerability	2024-03-12	7	CVE-2024-21432 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Print Spooler Elevation of Privilege Vulnerability	2024-03-12	7	CVE-2024-21433 secure@microsoft.com
microsoft — windows_10_version_1809	Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability	2024-03-12	7.8	CVE-2024-21434 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Installer Elevation of Privilege Vulnerability	2024-03-12	7.8	CVE-2024-21436 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Graphics Component Elevation of Privilege Vulnerability	2024-03-12	7.8	CVE-2024-21437 secure@microsoft.com
microsoft — windows_10_version_1809	Microsoft AllJoyn API Denial of Service Vulnerability	2024-03-12	7.5	CVE-2024-21438 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Telephony Server Elevation of Privilege Vulnerability	2024-03-12	7	CVE-2024-21439 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Kernel Elevation of Privilege Vulnerability	2024-03-12	7.3	CVE-2024-21443 secure@microsoft.com
microsoft — windows_10_version_1809	NTFS Elevation of Privilege Vulnerability	2024-03-12	7.8	CVE-2024-21446 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Error Reporting Service Elevation of Privilege Vulnerability	2024-03-12	7.8	CVE-2024-26169 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Kernel Elevation of Privilege Vulnerability	2024-03-12	7.8	CVE-2024-26173 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Kernel Elevation of Privilege Vulnerability	2024-03-12	7.8	CVE-2024-26176 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Kernel Elevation of Privilege Vulnerability	2024-03-12	7.8	CVE-2024-26178 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Kernel Elevation of Privilege Vulnerability	2024-03-12	7.8	CVE-2024-26182 secure@microsoft.com
microsoft — windows_11_version_22h2	Windows OLE Remote Code Execution Vulnerability	2024-03-12	8.8	CVE-2024-21435 secure@microsoft.com
microsoft — windows_server_2022	Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability	2024-03-12	7.8	CVE-2024-21431 secure@microsoft.com
microsoft — windows_server_2022	Windows USB Print Driver Elevation of Privilege Vulnerability	2024-03-12	7.8	CVE-2024-21442 secure@microsoft.com
microsoft — windows_server_2022	Windows USB Print Driver Elevation of Privilege Vulnerability	2024-03-12	7	CVE-2024-21445 secure@microsoft.com
microsoft — windows_server_2022	Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability	2024-03-12	7.8	CVE-2024-26170 secure@microsoft.com
mitsubishi_electric_corporation — melsec-q_series_q03udecpu	Incorrect Pointer Scaling vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to read arbitrary information from a target product or execute malicious code on a target product by sending a specially crafted packet.	2024-03-15	9.8	CVE-2024-0802 Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
mitsubishi_electric_corporation — melsec-q_series_q03udecpu	Integer Overflow or Wraparound vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to execute malicious code on a target product by sending a specially crafted packet.	2024-03-15	9.8	CVE-2024-0803 Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
mitsubishi_electric_corporation — melsec-q_series_q03udecpu	Incorrect Pointer Scaling vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to execute malicious code on a target product by sending a specially crafted packet.	2024-03-15	9.8	CVE-2024-1915 Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
mitsubishi_electric_corporation — melsec-q_series_q03udecpu	Integer Overflow or Wraparound vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to execute malicious code on a target product by sending a specially crafted packet.	2024-03-15	9.8	CVE-2024-1916 Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
mitsubishi_electric_corporation — melsec-q_series_q03udecpu	Integer Overflow or Wraparound vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to execute malicious code on a target product by sending a specially crafted packet.	2024-03-15	9.8	CVE-2024-1917 Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
mndpsingh287 — file_manager	The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal in versions up to, and including version 7.2.1 (free version) and 8.3.4 (Pro version) via the target parameter in the mk_file_folder_manager_action_callback_shortcode function. This makes it possible for attackers to read the contents of arbitrary files on the server, which can contain sensitive information and to upload files into directories other than the intended directory for file uploads. The free version requires Administrator access for this vulnerability to be exploitable. The Pro version allows a file manager to be embedded via a shortcode and also allows admins to grant file handling privileges to other user levels, which could lead to this vulnerability being exploited by lower-level users.	2024-03-13	9.9	CVE-2023-6825 security@wordfence.com security@wordfence.com security@wordfence.com
mostafas1990 — wp_statistics	The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL search parameter in all versions up to, and including, 14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	7.2	CVE-2024-2194 security@wordfence.com security@wordfence.com
movistar_ — router_movistar_4g	The primary channel is unprotected on Movistar 4G router affecting E version S_WLD71-T1_v2.0.201820. This device has the ‘adb’ service open on port 5555 and provides access to a shell with root privileges.	2024-03-13	8.8	CVE-2024-2414 cve-coordination@incibe.es
movistar_ — router_movistar_4g	Command injection vulnerability in Movistar 4G router affecting version ES_WLD71-T1_v2.0.201820. This vulnerability allows an authenticated user to execute commands inside the router by making a POST request to the URL ‘/cgi-bin/gui.cgi’.	2024-03-13	7.8	CVE-2024-2415 cve-coordination@incibe.es
n/a — 4th_generation_intel(r)_xeon(r)_processors_when_using_intel(r)_sgx_or_intel(r)_tdx	On-chip debug and test interface with improper access control in some 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.	2024-03-14	7.2	CVE-2023-32666 secure@intel.com
n/a — intel(r)_processors	Race condition in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.	2024-03-14	7.2	CVE-2023-32282 secure@intel.com
ni — labview	An out of bounds write due to a missing bounds check in LabVIEW may result in remote code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. This vulnerability affects LabVIEW 2024 Q1 and prior versions.	2024-03-11	7.8	CVE-2024-23608 security@ni.com
ni — labview	An improper error handling vulnerability in LabVIEW may result in remote code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. This vulnerability affects LabVIEW 2024 Q1 and prior versions.	2024-03-11	7.8	CVE-2024-23609 security@ni.com
ni — labview	An out of bounds write due to a missing bounds check in LabVIEW may result in remote code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. This vulnerability affects LabVIEW 2024 Q1 and prior versions.	2024-03-11	7.8	CVE-2024-23610 security@ni.com
ni — labview	An out of bounds write due to a missing bounds check in LabVIEW may result in remote code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. This vulnerability affects LabVIEW 2024 Q1 and prior versions.	2024-03-11	7.8	CVE-2024-23611 security@ni.com
ni — labview	An improper error handling vulnerability in LabVIEW may result in remote code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. This vulnerability affects LabVIEW 2024 Q1 and prior versions.	2024-03-11	7.8	CVE-2024-23612 security@ni.com
open-metadata — openmetadata	OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. `CompiledRule::validateExpression` is also called from `PolicyRepository.prepare`. `prepare()` is called from `EntityRepository.prepareInternal()` which, in turn, gets called from `EntityResource.createOrUpdate()`. Note that even though there is an authorization check (`authorizer.authorize()`), it gets called after `prepareInternal()` gets called and therefore after the SpEL expression has been evaluated. In order to reach this method, an attacker can send a PUT request to `/api/v1/policies` which gets handled by `PolicyResource.createOrUpdate()`. This vulnerability was discovered with the help of CodeQL’s Expression language injection (Spring) query and is also tracked as `GHSL-2023-252`. This issue may lead to Remote Code Execution and has been addressed in version 1.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-15	9.4	CVE-2024-28253 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
open-metadata — openmetadata	OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request’s path is checked against this list. When the request’s path contains any of the excluded endpoints the filter returns without validating the JWT. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses the `SecurityContext.getUserPrincipal()` since it will return `null` and will throw an NPE. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`.	2024-03-15	9.8	CVE-2024-28255 security-advisories@github.com security-advisories@github.com security-advisories@github.com
open-metadata — openmetadata	OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `?AlertUtil::validateExpression` method evaluates an SpEL expression using `getValue` which by default uses the `StandardEvaluationContext`, allowing the expression to reach and interact with Java classes such as `java.lang.Runtime`, leading to Remote Code Execution. The `/api/v1/events/subscriptions/validation/condition/<expression>` endpoint passes user-controlled data `AlertUtil::validateExpession` allowing authenticated (non-admin) users to execute arbitrary system commands on the underlaying operating system. In addition, there is a missing authorization check since `Authorizer.authorize()` is never called in the affected path and, therefore, any authenticated non-admin user is able to trigger this endpoint and evaluate arbitrary SpEL expressions leading to arbitrary command execution. This vulnerability was discovered with the help of CodeQL’s Expression language injection (Spring) query and is also tracked as `GHSL-2023-235`. This issue may lead to Remote Code Execution and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-15	8.8	CVE-2024-28254 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
open-metadata — openmetadata	OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. Similarly to the GHSL-2023-250 issue, `AlertUtil::validateExpression` is also called from `EventSubscriptionRepository.prepare()`, which can lead to Remote Code Execution. `prepare()` is called from `EntityRepository.prepareInternal()` which, in turn, gets called from `EntityResource.createOrUpdate()`. Note that, even though there is an authorization check (`authorizer.authorize()`), it gets called after `prepareInternal()` gets called and, therefore, after the SpEL expression has been evaluated. In order to reach this method, an attacker can send a PUT request to `/api/v1/events/subscriptions` which gets handled by `EventSubscriptionResource.createOrUpdateEventSubscription()`. This vulnerability was discovered with the help of CodeQL’s Expression language injection (Spring) query. This issue may lead to Remote Code Execution and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-251`.	2024-03-15	8.8	CVE-2024-28847 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
open-metadata — openmetadata	OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `?CompiledRule::validateExpression` method evaluates an SpEL expression using an `StandardEvaluationContext`, allowing the expression to reach and interact with Java classes such as `java.lang.Runtime`, leading to Remote Code Execution. The `/api/v1/policies/validation/condition/<expression>` endpoint passes user-controlled data `CompiledRule::validateExpession` allowing authenticated (non-admin) users to execute arbitrary system commands on the underlaying operating system. In addition, there is a missing authorization check since `Authorizer.authorize()` is never called in the affected path and therefore any authenticated non-admin user is able to trigger this endpoint and evaluate arbitrary SpEL expressions leading to arbitrary command execution. This vulnerability was discovered with the help of CodeQL’s Expression language injection (Spring) query and is also tracked as `GHSL-2023-236`. This issue may lead to Remote Code Execution and has been resolved in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-15	8.8	CVE-2024-28848 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
opentext — netiq_privileged_account_manager	Allocation of Resources Without Limits or Throttling vulnerability in OpenText NetIQ Privileged Account Manager on Linux, Windows, 64 bit allows Flooding.This issue affects NetIQ Privileged Account Manager: before 3.7.0.2.	2024-03-13	8.6	CVE-2020-11862 security@opentext.com
opentextâ„¢ — exceed_turbo_x	Improper authentication vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.0 and 12.5.1. The vulnerability could allow disclosure of restricted information in unauthenticated RPC.	2024-03-13	8.6	CVE-2023-38534 security@opentext.com
papercut — papercut_ng,_papercut_mf	This allows attackers to use a maliciously formed API request to gain access to an API authorization level with elevated privileges. This applies to a small subset of PaperCut NG/MF API calls.	2024-03-14	8.6	CVE-2024-1222 eb41dac7-0af8-4f84-9f6d-0272772514f4
papercut — papercut_ng,_papercut_mf	This vulnerability potentially allows unauthorized write operations which may lead to remote code execution. An attacker must already have authenticated admin access and knowledge of both an internal system identifier and details of another valid user to exploit this.	2024-03-14	7.2	CVE-2024-1654 eb41dac7-0af8-4f84-9f6d-0272772514f4
papercut — papercut_ng,_papercut_mf	This vulnerability allows an already authenticated admin user to create a malicious payload that could be leveraged for remote code execution on the server hosting the PaperCut NG/MF application server.	2024-03-14	7.2	CVE-2024-1882 eb41dac7-0af8-4f84-9f6d-0272772514f4
payu — payu_india	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in PayU PayU India allows Reflected XSS.This issue affects PayU India: from n/a through 3.8.2.	2024-03-15	7.1	CVE-2024-27193 audit@patchstack.com
peering-manager — peering-manager	Peering Manager is a BGP session management tool. There is a Server Side Template Injection vulnerability that leads to Remote Code Execution in Peering Manager <=1.8.2. As a result arbitrary commands can be executed on the operating system that is running Peering Manager. This issue has been addressed in version 1.8.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-12	8.1	CVE-2024-28114 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
pegasystems — pega_platform	Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation.	2024-03-14	7.7	CVE-2023-50168 security@pega.com
phlex-ruby — phlex	phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`.	2024-03-11	7.1	CVE-2024-28199 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
phoenix_contact — charx_sec-3000	An unauthenticated remote attacker can modify configurations to perform a remote code execution due to a missing authentication for a critical function.	2024-03-12	9.8	CVE-2024-25995 info@cert.vde.com
phoenix_contact — charx_sec-3000	An unauthenticated local attacker can perform a privilege escalation due to improper input validation in the OCPP agent service.	2024-03-12	8.4	CVE-2024-25999 info@cert.vde.com
phoenix_contact — charx_sec-3000	An unauthenticated remote attacker can influence the communication due to the lack of encryption of sensitive data via a MITM. Charging is not affected.	2024-03-12	8.7	CVE-2024-26288 info@cert.vde.com
phoenix_contact — charx_sec-3000	An unauthenticated remote attacker can perform a command injection in the OCPP Service with limited privileges due to improper input validation.	2024-03-12	7.3	CVE-2024-25998 info@cert.vde.com
phoenix_contact — charx_sec-3000	An unauthenticated remote attacker can write memory out of bounds due to improper input validation in the MQTT stack. The brute force attack is not always successful because of memory randomization.	2024-03-12	7.4	CVE-2024-26001 info@cert.vde.com
phoenix_contact — charx_sec-3000	An improper input validation in the Qualcom plctool allows a local attacker with low privileges to gain root access by changing the ownership of specific files.	2024-03-12	7.8	CVE-2024-26002 info@cert.vde.com
phoenix_contact — charx_sec-3000	An unauthenticated remote attacker can DoS the control agent due to a out-of-bounds read which may prevent or disrupt the charging functionality.	2024-03-12	7.5	CVE-2024-26003 info@cert.vde.com
phoenix_contact — charx_sec-3000	An unauthenticated remote attacker can DoS a control agent due to access of a uninitialized pointer which may prevent or disrupt the charging functionality.	2024-03-12	7.5	CVE-2024-26004 info@cert.vde.com
pickplugins — post_grid,_form_maker,_popup_maker,_woocommerce_blocks,_post_blocks,_post_carousel_-_combo_blocks	The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.68 via the ‘get_posts’ REST API Endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including full draft posts and password protected posts, as well as the password for password-protected posts.	2024-03-12	7.5	CVE-2023-7072 security@wordfence.com security@wordfence.com security@wordfence.com
pixelemu — terraclassifieds	Cross-Site Request Forgery (CSRF) vulnerability in Pixelemu TerraClassifieds.This issue affects TerraClassifieds: from n/a through 2.0.3.	2024-03-16	8.8	CVE-2023-51474 audit@patchstack.com
plv8 — plv8	A user who can create objects in a database with plv8 3.2.1 installed is able to cause deferred triggers to execute as the Superuser during autovacuum.	2024-03-14	7.2	CVE-2024-1713 cve-coordination@google.com
projectdiscovery — nuclei	projectdiscovery/nuclei is a fast and customisable vulnerability scanner based on simple YAML based DSL. A significant security oversight was identified in Nuclei v3, involving the execution of unsigned code templates through workflows. This vulnerability specifically affects users utilizing custom workflows, potentially allowing the execution of malicious code on the user’s system. This advisory outlines the impacted users, provides details on the security patch, and suggests mitigation strategies. The vulnerability is addressed in Nuclei v3.2.0. Users are strongly recommended to update to this version to mitigate the security risk. Users should refrain from using custom workflows if unable to upgrade immediately. Only trusted, verified workflows should be executed.	2024-03-15	7.4	CVE-2024-27920 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
pterodactyl — wings	Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is exactly unknown, but reading files outside of a server’s base directory (sandbox root) is possible. In order to use this exploit, an attacker must have an existing “server” allocated and controlled by Wings. Details on the exploitation of this vulnerability are embargoed until March 27th, 2024 at 18:00 UTC. In order to mitigate this vulnerability, a full rewrite of the entire server filesystem was necessary. Because of this, the size of the patch is massive, however effort was made to reduce the amount of breaking changes. Users are advised to update to version 1.11.9. There are no known workarounds for this vulnerability.	2024-03-13	9.9	CVE-2024-27102 security-advisories@github.com security-advisories@github.com
realmag777 — husky_-_products_filter_professional_for_woocommerce	The HUSKY – Products Filter for WooCommerce Professional plugin for WordPress is vulnerable to SQL Injection via the ‘name’ parameter in the woof shortcode in all versions up to, and including, 1.3.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.	2024-03-15	8.8	CVE-2024-1795 security@wordfence.com security@wordfence.com
rejetto_ — http_file_server_	The software does not neutralize or incorrectly neutralizes certain characters before the data is included in outgoing HTTP headers. The inclusion of invalidated data in an HTTP header allows an attacker to specify the full HTTP response represented by the browser. An attacker could control the response and craft attacks such as cross-site scripting and cache poisoning attacks.	2024-03-12	7.5	CVE-2024-1226 cve-coordination@incibe.es
renventura — woocommerce_add_to_cart_custom_redirect	The WooCommerce Add to Cart Custom Redirect plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the ‘wcr_dismiss_admin_notice’ function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with contributor access and above, to update the values of arbitrary site options to ‘dismissed’.	2024-03-13	8.1	CVE-2024-1862 security@wordfence.com security@wordfence.com security@wordfence.com
root3nl — supportapp	Support App is an opensource application specialized in managing Apple devices. It’s possible to abuse a vulnerability inside the postinstall installer script to make the installer execute arbitrary code as root. The cause of the vulnerability is the fact that the shebang `#!/bin/zsh` is being used. When the installer is executed it asks for the users password to be executed as root. However, it’ll still be using the $HOME of the user and therefore loading the file `$HOME/.zshenv` when the `postinstall` script is executed. An attacker could add malicious code to `$HOME/.zshenv` and it will be executed when the app is installed. An attacker may leverage this vulnerability to escalate privilege on the system. This issue has been addressed in version 2.5.1 Rev 2. All users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-14	7.3	CVE-2024-27301 security-advisories@github.com security-advisories@github.com
sagemcom — fast3686_v2_vodafone	Insufficient session timeout vulnerability in the FAST3686 V2 Vodafone router from Sagemcom. This vulnerability could allow a local attacker to access the administration panel without requiring login credentials. This vulnerability is possible because the ‘Login.asp and logout.asp’ files do not handle session details correctly.	2024-03-14	7.7	CVE-2024-1623 cve-coordination@incibe.es
sandi_verdev — watermark_reloaded	Cross-Site Request Forgery (CSRF) vulnerability in Sandi Verdev Watermark RELOADED allows Stored XSS.This issue affects Watermark RELOADED: from n/a through 1.3.5.	2024-03-16	7.1	CVE-2024-27195 audit@patchstack.com
sandisk — privateaccess_windows_app	A potential DLL hijacking vulnerability in the SanDisk PrivateAccess application for Windows that could lead to arbitrary code execution in the context of the system user. This vulnerability is only exploitable locally if an attacker has access to a copy of the user’s vault or has already gained access into a user’s system. This attack is limited to the system in context and cannot be propagated.	2024-03-13	7.9	CVE-2024-22167 psirt@wdc.com
santesoft — sante_fft_imaging	In Santesoft Sante FFT Imaging versions 1.4.1 and prior once a user opens a malicious DCM file on affected FFT Imaging installations, a local attacker could perform an out-of-bounds write, which could allow for arbitrary code execution.	2024-03-11	7.8	CVE-2024-1696 ics-cert@hq.dhs.gov
sap_se — sap_netweaver_as_java_(administrator_log_viewer_plug-in)	SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) – version 7.50, allows an attacker with high privileges to upload potentially dangerous files which leads to command injection vulnerability. This would enable the attacker to run commands which can cause high impact on confidentiality, integrity and availability of the application.	2024-03-12	9.1	CVE-2024-22127 cna@sap.com cna@sap.com
scott_reilly — configure_smtp	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Scott Reilly Configure SMTP allows Reflected XSS.This issue affects Configure SMTP: from n/a through 3.1.	2024-03-15	7.1	CVE-2024-27192 audit@patchstack.com
siemens — cerberus_pro_en_engineering_tool	A vulnerability has been identified in Cerberus PRO EN Engineering Tool (All versions < IP8), Cerberus PRO EN Fire Panel FC72x (All versions < IP8), Cerberus PRO EN X200 Cloud Distribution (All versions < V4.0.5016), Cerberus PRO EN X300 Cloud Distribution (All versions < V4.2.5015), Sinteso FS20 EN Engineering Tool (All versions < MP8), Sinteso FS20 EN Fire Panel FC20 (All versions < MP8), Sinteso FS20 EN X200 Cloud Distribution (All versions < V4.0.5016), Sinteso FS20 EN X300 Cloud Distribution (All versions < V4.2.5015), Sinteso Mobile (All versions < V3.0.0). The network communication library in affected systems does not validate the length of certain X.509 certificate attributes which might result in a stack-based buffer overflow. This could allow an unauthenticated remote attacker to execute code on the underlying operating system with root privileges.	2024-03-12	10	CVE-2024-22039 productcert@siemens.com
siemens — cerberus_pro_en_engineering_tool	A vulnerability has been identified in Cerberus PRO EN Engineering Tool (All versions), Cerberus PRO EN Fire Panel FC72x (All versions < IP8 SR4), Cerberus PRO EN X200 Cloud Distribution (All versions < V4.3.5618), Cerberus PRO EN X300 Cloud Distribution (All versions < V4.3.5617), Sinteso FS20 EN Engineering Tool (All versions), Sinteso FS20 EN Fire Panel FC20 (All versions < MP8 SR4), Sinteso FS20 EN X200 Cloud Distribution (All versions < V4.3.5618), Sinteso FS20 EN X300 Cloud Distribution (All versions < V4.3.5617), Sinteso Mobile (All versions). The network communication library in affected systems insufficiently validates HMAC values which might result in a buffer overread. This could allow an unauthenticated remote attacker to crash the network service.	2024-03-12	7.5	CVE-2024-22040 productcert@siemens.com
siemens — cerberus_pro_en_engineering_tool	A vulnerability has been identified in Cerberus PRO EN Engineering Tool (All versions), Cerberus PRO EN Fire Panel FC72x (All versions < IP8 SR4), Cerberus PRO EN X200 Cloud Distribution (All versions < V4.3.5618), Cerberus PRO EN X300 Cloud Distribution (All versions < V4.3.5617), Sinteso FS20 EN Engineering Tool (All versions), Sinteso FS20 EN Fire Panel FC20 (All versions < MP8 SR4), Sinteso FS20 EN X200 Cloud Distribution (All versions < V4.3.5618), Sinteso FS20 EN X300 Cloud Distribution (All versions < V4.3.5617), Sinteso Mobile (All versions). The network communication library in affected systems improperly handles memory buffers when parsing X.509 certificates. This could allow an unauthenticated remote attacker to crash the network service.	2024-03-12	7.5	CVE-2024-22041 productcert@siemens.com
siemens — sentron_3kc_atc6_expansion_module_ethernet	A vulnerability has been identified in SENTRON 3KC ATC6 Expansion Module Ethernet (3KC9000-8TL75) (All versions). Affected devices expose an unused, unstable http service at port 80/tcp on the Modbus-TCP Ethernet. This could allow an attacker on the same Modbus network to create a denial of service condition that forces the device to reboot.	2024-03-12	7.5	CVE-2024-22044 productcert@siemens.com
siemens — simcenter_femap	A vulnerability has been identified in Simcenter Femap (All versions < V2306.0000). The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted Catia MODEL file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-22051)	2024-03-12	7.8	CVE-2024-27907 productcert@siemens.com
siemens — sinema_remote_connect_client	A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.1 SP1). The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. This information is also available via the web interface of the product.	2024-03-12	7.6	CVE-2024-22045 productcert@siemens.com
siemens — sinema_remote_connect_server	A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2). The affected application consists of a web service that lacks proper access control for some of the endpoints. This could lead to unauthorized access to resources and potentially lead to code execution.	2024-03-12	9.8	CVE-2022-32257 productcert@siemens.com
smub — giveaways_and_contests_by_rafflepress_-_get_more_website_traffic,_email_subscribers,_and_social_followers	The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘parent_url’ parameter in all versions up to, and including, 1.12.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	7.2	CVE-2024-1935 security@wordfence.com security@wordfence.com security@wordfence.com
softing — edgeconnector	The affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker to capture packets to craft their own requests.	2024-03-14	8	CVE-2024-0860 ics-cert@hq.dhs.gov
spring — spring_framework	Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.	2024-03-16	8.1	CVE-2024-22259 security@vmware.com
stimulusreflex — stimulus_reflex	stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: `”target”:”[class_name]#[method_name]”,”args”:[]`. The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments. This is problematic as `reflex.method method_name` can be more methods that those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should: see the backing GHSA advisory for mitigation advice.	2024-03-12	8.8	CVE-2024-28121 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
storeapps — news_announcement_scroll	The News Announcement Scroll plugin for WordPress is vulnerable to SQL Injection via the plugin’s shortcode in versions up to, and including, 9.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.	2024-03-13	8.8	CVE-2023-5663 security@wordfence.com security@wordfence.com security@wordfence.com
sygnoos — social_media_share_buttons	The Social Media Share Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.1.0 via deserialization of untrusted input through the attachmentUrl parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.	2024-03-16	8.8	CVE-2024-1685 security@wordfence.com security@wordfence.com
tatvic — conversios_-_google_analytics_4_(ga4),_meta_pixel_&_more_via_google_tag_manager_for_woocommerce	The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘valueData’ parameter in all versions up to, and including, 6.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.	2024-03-13	8.8	CVE-2024-1203 security@wordfence.com security@wordfence.com
tenda — ac18	A vulnerability was found in Tenda AC18 15.03.05.05 and classified as critical. Affected by this issue is the function formSetSpeedWan of the file /goform/SetSpeedWan. The manipulation of the argument speed_dir leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256892. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-15	8.8	CVE-2024-2485 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac18	A vulnerability was found in Tenda AC18 15.03.05.05. It has been classified as critical. This affects the function formQuickIndex of the file /goform/QuickIndex. The manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256893 was assigned to this vulnerability.	2024-03-15	8.8	CVE-2024-2486 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac18	A vulnerability was found in Tenda AC18 15.03.05.05. It has been declared as critical. This vulnerability affects the function formSetDeviceName of the file /goform/SetOnlineDevName. The manipulation of the argument devName/mac leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-256894 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-15	8.8	CVE-2024-2487 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac18	A vulnerability was found in Tenda AC18 15.03.05.05. It has been rated as critical. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation of the argument startIP leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256895. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-15	8.8	CVE-2024-2488 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac18	A vulnerability classified as critical has been found in Tenda AC18 15.03.05.05. Affected is the function formSetQosBand of the file /goform/SetNetControlList. The manipulation of the argument list leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256896. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-15	8.8	CVE-2024-2489 cna@vuldb.com cna@vuldb.com cna@vuldb.com
tenda — ac18	A vulnerability classified as critical was found in Tenda AC18 15.03.05.05. Affected by this vulnerability is the function setSchedWifi of the file /goform/openSchedWifi. The manipulation of the argument schedStartTime/schedEndTime leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256897 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-15	8.8	CVE-2024-2490 cna@vuldb.com cna@vuldb.com cna@vuldb.com
themefusecom — brizy_-_page_builder	The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeImages function in all versions up to, and including, 2.4.40. This makes it possible for authenticated attackers, with contributor access or above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.	2024-03-13	8.8	CVE-2024-1311 security@wordfence.com security@wordfence.com security@wordfence.com
themeum — tutor_lms_-_elearning_and_online_course_solution	The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the question_id parameter in all versions up to, and including, 2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber/student access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.	2024-03-13	8.8	CVE-2024-1751 security@wordfence.com security@wordfence.com security@wordfence.com
tibco_software_inc. — tibco_ftl_-_enterprise_edition	The FTL Server component of TIBCO Software Inc.’s TIBCO FTL – Enterprise Edition contains a vulnerability that allows a low privileged attacker with network access to execute a privilege escalation on the affected ftlserver. Affected releases are TIBCO Software Inc.’s TIBCO FTL – Enterprise Edition: versions 6.10.1 and below.	2024-03-12	8.8	CVE-2024-1138 security@tibco.com
tmccombs — tls-listener	tls-listener is a rust lang wrapper around a connection listener to support TLS. With the default configuration of tls-listener, a malicious user can open 6.4 `TcpStream`s a second, sending 0 bytes, and can trigger a DoS. The default configuration options make any public service using `TlsListener::new()` vulnerable to a slow-loris DoS attack. This impacts any publicly accessible service using the default configuration of tls-listener in versions prior to 0.10.0. Users are advised to upgrade. Users unable to upgrade may mitigate this by passing a large value, such as `usize::MAX` as the parameter to `Builder::max_handshakes`.	2024-03-15	7.5	CVE-2024-28854 security-advisories@github.com security-advisories@github.com security-advisories@github.com
totolink — x6000r	A vulnerability, which was classified as critical, has been found in Totolink X6000R 9.4.0cu.852_20230719. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component shttpd. The manipulation of the argument ip leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256313 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-10	8.8	CVE-2024-2353 cna@vuldb.com cna@vuldb.com cna@vuldb.com
ultimatemember — ultimate_member_-_user_profile,_registration,_login,_member_directory,_content_restriction_&_membership_plugin	The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.	2024-03-13	9.8	CVE-2024-1071 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
ultimatemember — ultimate_member_-_user_profile,_registration,_login,_member_directory,_content_restriction_&_membership_plugin	The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	7.2	CVE-2024-2123 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
ultimatemember — ultimate_member_-_user_profile,_registration,_login,_member_directory,_content_restriction_&_membership_plugin	In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script tag.	2024-03-13	7.2	CVE-2024-25155 df4dee71-de3a-4139-9588-11b62fe6c0ff df4dee71-de3a-4139-9588-11b62fe6c0ff
wago — controller_bacnet/ip	An unautheticated remote attacker could send specifically crafted packets to a affected device. If an authenticated user then views that data in a specific page of the web-based management a buffer overflow will be triggered to gain full access of the device.	2024-03-13	8.8	CVE-2015-10123 info@cert.vde.com
webtechstreet — elementor_addon_elements	The Elementor Addon Elements plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.12.12 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to include the contents of arbitrary PHP files on the server, which may expose sensitive information.	2024-03-13	8.8	CVE-2024-1358 security@wordfence.com security@wordfence.com security@wordfence.com
wp_codeus — advanced_sermons	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WP Codeus Advanced Sermons allows Reflected XSS.This issue affects Advanced Sermons: from n/a through 3.2.	2024-03-13	7.1	CVE-2024-27952 audit@patchstack.com
wpdevteam — essential_addons_for_elementor_-_best_elementor_templates,_widgets,_kits_&_woocommerce_builders	The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s event calendar widget in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	7.4	CVE-2024-1536 security@wordfence.com security@wordfence.com
wpmudev — hustle_-_email_marketing,_lead_generation,_optins,_popups	The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII.	2024-03-13	8.6	CVE-2024-0368 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
wpwax — logo_showcase_ultimate_-_logo_carousel,_logo_slider_&_logo_grid	The Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization via shortcode of untrusted input. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.	2024-03-13	7.5	CVE-2024-1951 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
wpwax — post_grid,_slider_&_carousel_ultimate_-_with_shortcode,_gutenberg_block_&_elementor_widget	The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.7 via deserialization of untrusted input in the outpost_shortcode_metabox_markup function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.	2024-03-13	8.8	CVE-2024-2006 security@wordfence.com security@wordfence.com security@wordfence.com
wpwax — product_carousel_slider_&_grid_ultimate_for_woocommerce	The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input via shortcode. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.	2024-03-13	7.5	CVE-2024-1950 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
yooooomi — your_spotify	your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.8.0 use a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This vulnerability allows attackers to bypass authentication and authenticate as arbitrary YourSpotify users, including admin users. This issue has been addressed in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-13	9.1	CVE-2024-28194 security-advisories@github.com
yooooomi — your_spotify	your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-13	8.1	CVE-2024-28195 security-advisories@github.com security-advisories@github.com
zephyrproject-rtos — zephyr	Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 127.0.01 or the destination address.	2024-03-15	8.6	CVE-2023-7060 vulnerabilities@zephyrproject.org
zephyrproject-rtos — zephyr	Privilege escalation in windows agent plugin in Checkmk before 2.2.0p23, 2.1.0p40 and 2.0.0 (EOL) allows local user to escalate privileges	2024-03-11	8.8	CVE-2024-0670 security@checkmk.com security@checkmk.com
zitadel — zitadel	Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim’s account in certain scenarios. A possible victim would need to login through the malicious link for this exploit to work. If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain. Versions 2.46.0, 2.45.1, and 2.44.3 have been patched. Zitadel recommends upgrading to the latest versions available in due course. Note that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty. For self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your Zitadel instance (e.g. within your WAF): `__Secure-zitadel-useragent`.	2024-03-11	7.5	CVE-2024-28197 security-advisories@github.com
zoom_video_communications,_inc. — zoom_rooms_client_for_windows	Improper access control in the installer for Zoom Rooms Client for Windows before version 5.17.5 may allow an authenticated user to conduct a denial of service via local access.	2024-03-13	7.2	CVE-2024-24693 security@zoom.us

Medium Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
aio-libs — aiosmtpd	aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue is also existed in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-12	5.3	CVE-2024-27305 security-advisories@github.com security-advisories@github.com security-advisories@github.com
ameliabooking — booking_for_appointments_and_events_calendar_-_amelia	The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the date parameters in all versions up to, and including, 1.0.98 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.	2024-03-13	6.1	CVE-2024-1484 security@wordfence.com security@wordfence.com
apache_software_foundation — apache_pulsar	The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Apache Pulsar users should upgrade to at least 2.10.6. 2.11 Apache Pulsar users should upgrade to at least 2.11.4. 3.0 Apache Pulsar users should upgrade to at least 3.0.3. 3.1 Apache Pulsar users should upgrade to at least 3.1.3. 3.2 Apache Pulsar users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.	2024-03-12	6.4	CVE-2024-28098 security@apache.org security@apache.org
apache_software_foundation — apache_zookeeper	A vulnerability was found in SourceCodester Employee Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /Admin/add-admin.php. The manipulation of the argument avatar leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-256454 is the identifier assigned to this vulnerability.	2024-03-12	4.7	CVE-2024-2394 cna@vuldb.com cna@vuldb.com cna@vuldb.com
argoproj — argo-cd	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. “Local sync” is an Argo CD feature that allows developers to temporarily override an Application’s manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. The only restriction which is not enforced is that the manifests come from some approved git/Helm/OCI source. The bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added. The bug has been patched in Argo CD versions 2.10.3, 2.9.8, and 2.8.12. Users are advised to upgrade. Users unable to upgrade may mitigate the risk of branch protection bypass by removing `applications, create` RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version.	2024-03-13	6.4	CVE-2023-50726 security-advisories@github.com security-advisories@github.com security-advisories@github.com
ari_soft — ari_stream_quiz	Cross-Site Request Forgery (CSRF) vulnerability in ARI Soft ARI Stream Quiz.This issue affects ARI Stream Quiz: from n/a through 1.2.32.	2024-03-16	5.4	CVE-2023-51487 audit@patchstack.com
artibot — artibot_free_chat_bot_for_wordpress_websites	The ArtiBot Free Chat Bot for WordPress WebSites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.	2024-03-13	4.4	CVE-2024-0449 security@wordfence.com security@wordfence.com
artibot — artibot_free_chat_bot_for_wordpress_websites	The ArtiBot Free Chat Bot for WordPress WebSites plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the artibot_update function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update plugin settings.	2024-03-13	5	CVE-2024-0447 security@wordfence.com security@wordfence.com
atlas_gondal — export_media_urls	Cross-Site Request Forgery (CSRF) vulnerability in Atlas Gondal Export Media URLs.This issue affects Export Media URLs: from n/a through 1.0.	2024-03-16	4.3	CVE-2023-51510 audit@patchstack.com
automattic,_inc. — crowdsignal_dashboard_-_polls,_surveys_&_more	Cross-Site Request Forgery (CSRF) vulnerability in Automattic, Inc. Crowdsignal Dashboard – Polls, Surveys & more.This issue affects Crowdsignal Dashboard – Polls, Surveys & more: from n/a through 3.0.11.	2024-03-16	5.4	CVE-2023-51489 audit@patchstack.com
averta — depicter_slider	Cross-Site Request Forgery (CSRF) vulnerability in Averta Depicter Slider.This issue affects Depicter Slider: from n/a through 2.0.6.	2024-03-16	5.4	CVE-2023-51491 audit@patchstack.com
badger_meter — monitool	Incorrectly limiting the path to a restricted directory vulnerability in Badger Meter Monitool that affects versions up to 4.6.3 and earlier. This vulnerability allows an authenticated attacker to retrieve any file from the device using the download-file functionality.	2024-03-12	6.5	CVE-2024-1303 cve-coordination@incibe.es
badger_meter — monitool	Cross-site scripting vulnerability in Badger Meter Monitool that affects versions up to 4.6.3 and earlier. This vulnerability allows a remote attacker to send a specially crafted javascript payload to an authenticated user and partially hijack their browser session.	2024-03-12	6.3	CVE-2024-1304 cve-coordination@incibe.es
barrykooij — related_posts_for_wordpress	The Related Posts for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the handle_create_link() function. This makes it possible for unauthenticated attackers to add related posts to other posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This ultimately makes it possible for attackers to view draft and password protected posts.	2024-03-13	5.4	CVE-2024-0592 security@wordfence.com security@wordfence.com security@wordfence.com
basix — nex-forms_-_ultimate_form_builder	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Basix NEX-Forms – Ultimate Form Builder allows Stored XSS.This issue affects NEX-Forms – Ultimate Form Builder: from n/a through 8.5.5.	2024-03-15	6.5	CVE-2024-25593 audit@patchstack.com
bdthemes — prime_slider_-_addons_for_elementor_(revolution_of_a_slider,_hero_slider,_ecommerce_slider)	The Prime Slider – Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_tags’ attribute of the Rubix widget in all versions up to, and including, 3.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1507 security@wordfence.com security@wordfence.com
bdthemes — prime_slider_-_addons_for_elementor_(revolution_of_a_slider,_hero_slider,_ecommerce_slider)	The Prime Slider – Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘settings[‘title_tags’]’ attribute of the Mercury widget in all versions up to, and including, 3.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1508 security@wordfence.com security@wordfence.com
binhnguyenplus — ladiapp:_landing_page,_popupx,_marketing_automation,_affiliate_marketin-¦	The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ladiflow_save_hook() function in versions up to, and including, 4.3. This makes it possible for authenticated attackers with subscriber-level access and above to update the ‘ladiflow_hook_configs’ option.	2024-03-12	4.3	CVE-2023-4626 security@wordfence.com security@wordfence.com
binhnguyenplus — ladiapp:_landing_page,_popupx,_marketing_automation,_affiliate_marketing-¦	The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_config() function in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to update the ‘ladipage_config’ option.	2024-03-12	4.3	CVE-2023-4627 security@wordfence.com security@wordfence.com
binhnguyenplus — ladiapp:_landing_page,_popupx,_marketing_automation,_affiliate_marketing-¦	The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the ladiflow_save_hook() function in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to update the ‘ladiflow_hook_configs’ option via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.	2024-03-12	4.3	CVE-2023-4628 security@wordfence.com security@wordfence.com
binhnguyenplus — ladiapp:_landing_page,_popupx,_marketing_automation,_affiliate_marketing-¦	The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the save_config() function in versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to update the ‘ladipage_config’ option via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.	2024-03-12	4.3	CVE-2023-4629 security@wordfence.com security@wordfence.com
binhnguyenplus — ladiapp:_landing_page,_popupx,_marketing_automation,_affiliate_marketing-¦	The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the publish_lp() function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to change the LadiPage key (a key fully controlled by the attacker), enabling them to freely create new pages, including web pages that trigger stored XSS	2024-03-12	4.3	CVE-2023-4728 security@wordfence.com security@wordfence.com
binhnguyenplus — ladiapp:_landing_page,_popupx,_marketing_automation,_affiliate_marketing-¦	The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the publish_lp() function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to change the LadiPage key (a key fully controlled by the attacker), enabling them to freely create new pages, including web pages that trigger stored XSS via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.	2024-03-12	4.3	CVE-2023-4729 security@wordfence.com security@wordfence.com
binhnguyenplus — ladiapp:_landing_page,_popupx,_marketing_automation,_affiliate_marketing-¦	The LadiApp plugn for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the init_endpoint() function hooked via ‘init’ in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to modify a variety of settings, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. An attacker can directly modify the ‘ladipage_key’ which enables them to create new posts on the website and inject malicious web scripts,	2024-03-12	4.3	CVE-2023-4731 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
bitpressadmin — contact_form_builder_by_bit_form:_create_contact_form,_multi_step_form,_conversational_form	The Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form plugin for WordPress is vulnerable to unauthorized modification of data due to a insufficient user validation on the bitforms_update_form_entry AJAX action in all versions up to, and including, 2.10.1. This makes it possible for unauthenticated attackers to modify form submissions.	2024-03-13	5.3	CVE-2024-1640 security@wordfence.com security@wordfence.com
blossomthemes — blossom_spa	The Blossom Spa theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.4 via generated source. This makes it possible for unauthenticated attackers to extract sensitive data including contents of password-protected or scheduled posts.	2024-03-12	5.8	CVE-2024-2107 security@wordfence.com security@wordfence.com
bluecoral — chat_bubble_-_floating_chat_with_contact_chat_icons,_messages,_telegram,_email,_sms,_call_me_back	The Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.	2024-03-13	4.4	CVE-2024-0898 security@wordfence.com security@wordfence.com
bobbingwide — oik	The oik plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcodes such as bw_contact_button and bw_button shortcodes in all versions up to, and including, 4.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-14	6.4	CVE-2024-2256 security@wordfence.com security@wordfence.com security@wordfence.com
bradwenqiang — hr	A vulnerability was found in BradWenqiang HR 2.0. It has been rated as critical. Affected by this issue is the function selectAll of the file /bishe/register of the component Background Management. The manipulation of the argument userName leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-256886 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-15	6.3	CVE-2024-2478 cna@vuldb.com cna@vuldb.com cna@vuldb.com
brainstormforce — elementor_header_&_footer_builder	The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the flyout_layout attribute in all versions up to, and including, 1.6.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1237 security@wordfence.com security@wordfence.com security@wordfence.com
britner — gutenberg_blocks_by_kadence_blocks_-_page_builder_features	The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the htmlTag attribute in all versions up to, and including, 3.2.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1541 security@wordfence.com security@wordfence.com security@wordfence.com
catchsquare — wp_social_widget	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in catchsquare WP Social Widget allows Stored XSS.This issue affects WP Social Widget: from n/a through 2.2.5.	2024-03-15	6.5	CVE-2024-27189 audit@patchstack.com
charlestsmith — word_replacer_pro	The Word Replacer Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the word_replacer_ultra() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to update arbitrary content on the affected WordPress site.	2024-03-16	5.3	CVE-2024-1733 security@wordfence.com security@wordfence.com
choijun — la-studio_element_kit_for_elementor	The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LinkWrapper attribute found in several widgets in all versions up to, and including, 1.3.7.4 due to insufficient input sanitization and output escaping the user supplied attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-14	6.4	CVE-2024-2249 security@wordfence.com security@wordfence.com
chrisbadgett — lifterlms_-_wordpress_lms_plugin_for_elearning	The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘process_review’ function in all versions up to, and including, 7.5.1. This makes it possible for unauthenticated attackers to publish an unrestricted number of reviews on the site.	2024-03-13	5.3	CVE-2024-0377 security@wordfence.com security@wordfence.com
cisco — cisco_ios_xr_software	A vulnerability in the Secure Copy Protocol (SCP) and SFTP feature of Cisco IOS XR Software could allow an authenticated, local attacker to create or overwrite files in a system directory, which could lead to a denial of service (DoS) condition. The attacker would require valid user credentials to perform this attack. This vulnerability is due to a lack of proper validation of SCP and SFTP CLI input parameters. An attacker could exploit this vulnerability by authenticating to the device and issuing SCP or SFTP CLI commands with specific parameters. A successful exploit could allow the attacker to impact the functionality of the device, which could lead to a DoS condition. The device may need to be manually rebooted to recover. Note: This vulnerability is exploitable only when a local user invokes SCP or SFTP commands at the Cisco IOS XR CLI. A local user with administrative privileges could exploit this vulnerability remotely.	2024-03-13	6.5	CVE-2024-20262 ykramarz@cisco.com
cisco — cisco_ios_xr_software	The Video Conferencing with Zoom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘zoom_recordings_by_meeting’ shortcode in all versions up to, and including, 4.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-12	6.4	CVE-2024-2031 security@wordfence.com security@wordfence.com
cisco — cisco_ios_xr_software	A vulnerability in the DHCP version 4 (DHCPv4) server feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to trigger a crash of the dhcpd process, resulting in a denial of service (DoS) condition. This vulnerability exists because certain DHCPv4 messages are improperly validated when they are processed by an affected device. An attacker could exploit this vulnerability by sending a malformed DHCPv4 message to an affected device. A successful exploit could allow the attacker to cause a crash of the dhcpd process. While the dhcpd process is restarting, which may take approximately two minutes, DHCPv4 server services are unavailable on the affected device. This could temporarily prevent network access to clients that join the network during that time period and rely on the DHCPv4 server of the affected device. Notes: Only the dhcpd process crashes and eventually restarts automatically. The router does not reload. This vulnerability only applies to DHCPv4. DHCP version 6 (DHCPv6) is not affected.	2024-03-13	5.3	CVE-2024-20266 ykramarz@cisco.com
cisco — cisco_ios_xr_software	A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to improper assignment of lookup keys to internal interface contexts. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to access resources behind the affected device that were supposed to be protected by a configured ACL.	2024-03-13	5.8	CVE-2024-20315 ykramarz@cisco.com
cisco — cisco_ios_xr_software	A vulnerability in the access control list (ACL) processing on Pseudowire interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to improper assignment of lookup keys to internal interface contexts. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to access resources behind the affected device that were supposed to be protected by a configured ACL.	2024-03-13	5.8	CVE-2024-20322 ykramarz@cisco.com
cisco — cisco_ios_xr_software	A vulnerability in the UDP forwarding code of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to bypass configured management plane protection policies and access the Simple Network Management Plane (SNMP) server of an affected device. This vulnerability is due to incorrect UDP forwarding programming when using SNMP with management plane protection. An attacker could exploit this vulnerability by attempting to perform an SNMP operation using broadcast as the destination address that could be processed by an affected device that is configured with an SNMP server. A successful exploit could allow the attacker to communicate to the device on the configured SNMP ports. Although an unauthenticated attacker could send UDP datagrams to the configured SNMP port, only an authenticated user can retrieve or modify data using SNMP requests.	2024-03-13	4.3	CVE-2024-20319 ykramarz@cisco.com
citrix — citrix_sd-wan_standard/premium_editions	Server-Side Request Forgery (SSRF) in Citrix SD-WAN Standard/Premium Editions on or after 11.4.0 and before 11.4.4.46 allows an attacker to disclose limited information from the appliance via Access to management IP.	2024-03-12	6.5	CVE-2024-2049 secure@citrix.com
ckan — ckan	A user endpoint didn’t perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. This has been fixed in the CKAN versions 2.9.11 and 2.10.4. Users are advised to upgrade. Users unable to upgrade should override the `/user/reset` endpoint to filter the `id` parameter in order to exclude newlines.	2024-03-13	4.3	CVE-2024-27097 security-advisories@github.com security-advisories@github.com
cloudflare — quiche	Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client. A remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake. Exploitation was possible for the duration of the connection which could be extended by the attacker. quiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.	2024-03-12	5.9	CVE-2024-1765 cna@cloudflare.com
codename065 — download_manager	The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 3.2.85 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2023-6954 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
codename065 — download_manager	The Download Manager plugin for WordPress is vulnerable to unauthorized file download of files added via the plugin in all versions up to, and including, 3.2.84. This makes it possible for unauthenticated attackers to download files added with the plugin (even when privately published).	2024-03-13	5.3	CVE-2023-6785 security@wordfence.com security@wordfence.com
codeworkweb — cww_companion	The CWW Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Module2 widget in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-12	6.4	CVE-2024-2130 security@wordfence.com security@wordfence.com
collizo4sky — paid_membership_plugin,_ecommerce,_user_registration_form,_login_form,_user_profile_&_restrict_content_-_profilepress	The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s [reg-select-role] shortcode in all versions up to, and including, 4.15.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1409 security@wordfence.com security@wordfence.com
collizo4sky — paid_membership_plugin,_ecommerce,_user_registration_form,_login_form,_user_profile_&_restrict_content_-_profilepress	The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 4.15.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1535 security@wordfence.com security@wordfence.com security@wordfence.com
collizo4sky — paid_membership_plugin,_ecommerce,_user_registration_form,_login_form,_user_profile_&_restrict_content_-_profilepress	The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 4.15.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1806 security@wordfence.com security@wordfence.com security@wordfence.com
cool_plugins — cryptocurrency_widgets_-_price_ticker_&_coins_list	Missing Authorization vulnerability in Cool Plugins Cryptocurrency Widgets – Price Ticker & Coins List.This issue affects Cryptocurrency Widgets – Price Ticker & Coins List: from n/a through 2.6.8.	2024-03-13	4.7	CVE-2024-27953 audit@patchstack.com
cozmoslabs — paid_member_subscriptions	Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Paid Member Subscriptions.This issue affects Paid Member Subscriptions: from n/a through 2.10.4.	2024-03-15	4.3	CVE-2023-51522 audit@patchstack.com
cozyvision1 — sms_alert_order_notifications_-_woocommerce	The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.9. This is due to missing or incorrect nonce validation on the processBulkAction function. This makes it possible for unauthenticated attackers to delete pages and posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.	2024-03-13	4.3	CVE-2024-1489 security@wordfence.com security@wordfence.com
crmperks — database_for_contact_form_7,_wpforms,_elementor_forms	The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-2030 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
cservit — affiliate-toolkit – WordPress Affiliate Plugin	The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_create_list() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating product lists.	2024-03-08	6.3	CVE-2024-1851 security@wordfence.com security@wordfence.com
cyberlord92 — page_restriction_wordpress_(wp)_-_protect_wp_pages/post	The Page Restriction WordPress (WP) – Protect WP Pages/Post plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.3.4. This is due to the plugin not properly restricting access to pages via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected pages. The vendor has decided that they will not implement REST API protection on posts and pages and the restrictions will only apply to the front-end of the site. The vendors solution was to add notices throughout the dashboard and recommends installing the WordPress REST API Authentication plugin for REST API coverage.	2024-03-13	5.3	CVE-2024-0681 security@wordfence.com security@wordfence.com
david_de_boer — paytium:_mollie_payment_forms_&_donations	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in David de Boer Paytium: Mollie payment forms & donations allows Stored XSS.This issue affects Paytium: Mollie payment forms & donations: from n/a through 4.4.2.	2024-03-13	6.5	CVE-2024-25099 audit@patchstack.com
dell — poweredge_bios_intel_16g	Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an Improper SMM communication buffer verification vulnerability. A local low privileged attacker could potentially exploit this vulnerability leading to out-of-bound read/writes to SMRAM.	2024-03-13	5.3	CVE-2024-0162 security_alert@emc.com
dell — poweredge_bios_intel_16g	Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain a TOCTOU race condition vulnerability. A local low privileged attacker could potentially exploit this vulnerability to gain access to otherwise unauthorized resources.	2024-03-13	5.3	CVE-2024-0163 security_alert@emc.com
devitemsllc — ht_mega_-_absolute_addons_for_elementor	The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s blocks in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on the ‘titleTag’ user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-12	6.4	CVE-2024-1397 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
devitemsllc — ht_mega_-_absolute_addons_for_elementor	The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘border_type’ attribute of the Post Carousel widget in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-12	6.4	CVE-2024-1421 security@wordfence.com security@wordfence.com
directus — directus	Directus is a real-time API and App dashboard for managing SQL database content. The authentication API has a `redirect` parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL. There’s a redirect that is done after successful login via the Auth API GET request to `directus/auth/login/google?redirect=http://malicious-fishing-site.com`. While credentials don’t seem to be passed to the attacker site, the user can be phished into clicking a legitimate directus site and be taken to a malicious site made to look like a an error message “Your password needs to be updated” to phish out the current password. Users who login via OAuth2 into Directus may be at risk. This issue has been addressed in version 10.10.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-12	5.4	CVE-2024-28239 security-advisories@github.com security-advisories@github.com security-advisories@github.com
discourse — discourse	Discourse is an open source platform for community discussion. In affected versions users that are allowed to invite others can inject arbitrarily large data in parameters used in the invite route. The problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable invites or restrict access to them using the `invite allowed groups` site setting.	2024-03-15	6.5	CVE-2024-27085 security-advisories@github.com security-advisories@github.com
discourse — discourse	Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren’t enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource consumption which could render an instance inoperable. A site could be disrupted by either a malicious moderator on the same site or a malicious staff member on another site in the same multisite cluster. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-15	6.5	CVE-2024-27100 security-advisories@github.com security-advisories@github.com
discourse — discourse	Discourse is an open source platform for community discussion. In affected versions an attacker can learn that a secret subcategory exists under a public category which has no public subcategories. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-15	5.3	CVE-2024-24748 security-advisories@github.com security-advisories@github.com
discourse — discourse	Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to site as various site settings like `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels` will determine the amount of resources used when creating an upload. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. Users unable to upgrade should reduce `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels` as smaller uploads require less resources to process. Alternatively, `client_max_body_size` can be reduced in Nginx to prevent large uploads from reaching the server.	2024-03-15	5.3	CVE-2024-24827 security-advisories@github.com security-advisories@github.com
discourse — discourse	Discourse is an open source platform for community discussion. In affected versions an attacker can learn that secret categories exist when they have backgrounds set. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. Users unable to upgrade should temporarily remove category backgrounds.	2024-03-15	5.3	CVE-2024-28242 security-advisories@github.com security-advisories@github.com
doofinder — doofinder_for_woocommerce	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Doofinder Doofinder for WooCommerce allows Stored XSS.This issue affects Doofinder for WooCommerce: from n/a through 2.1.8.	2024-03-15	5.9	CVE-2024-25596 audit@patchstack.com
dreamer — cms	A vulnerability, which was classified as problematic, was found in Dreamer CMS 4.1.3. Affected is an unknown function of the file /admin/menu/toEdit. The manipulation of the argument id leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-256314 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-10	4.3	CVE-2024-2354 cna@vuldb.com cna@vuldb.com cna@vuldb.com
droitthemes — droit_elementor_addons_-_widgets,_blocks,_templates_library_for_elementor_builder	The Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s widgets in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output escaping on user supplied attributes such as URL. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	5.4	CVE-2024-2252 security@wordfence.com security@wordfence.com
edge22 — generateblocks	The GenerateBlocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.2 via Query Loop. This makes it possible for authenticated attackers, with contributor access and above, to see contents of posts and pages in draft or private status as well as those with scheduled publication dates.	2024-03-13	4.3	CVE-2024-1452 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
edge22 — wp_show_posts	The WP Show Posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the wpsp_display function. This makes it possible for authenticated attackers with contributor access and above to view the contents of draft, trash, future, private and pending posts and pages.	2024-03-13	5.3	CVE-2024-1479 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
elementinvader — elementinvader_addons_for_elementor	The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button link in the EliSlider in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-16	6.4	CVE-2024-2308 security@wordfence.com security@wordfence.com
elementor — elementor_pro	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Elementor Pro.This issue affects Elementor Pro: from n/a through 3.19.2.	2024-03-16	6.5	CVE-2024-23523 audit@patchstack.com
exafunction — codeium-chrome	codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn’t check the sender when receiving an external message. This allows an attacker to host a website that will steal the user’s Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key.	2024-03-11	6.5	CVE-2024-28120 security-advisories@github.com security-advisories@github.com
expresstech — quiz_and_survey_master	Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master. This issue affects Quiz And Survey Master: from n/a through 8.1.18.	2024-03-16	5.4	CVE-2023-51521 audit@patchstack.com
file_manager — file_manager_pro	The File Manager Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tb’ parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.	2024-03-13	6.1	CVE-2023-7015 security@wordfence.com security@wordfence.com
fluid-cloudnative — fluid	Fluid is an open source Kubernetes-native Distributed Dataset Orchestrator and Accelerator for data-intensive applications. An OS command injection vulnerability within the Fluid project’s JuicefsRuntime can potentially allow an authenticated user, who has the authority to create or update the K8s CRD Dataset/JuicefsRuntime, to execute arbitrary OS commands within the juicefs related containers. This could lead to unauthorized access, modification or deletion of data. Users who’re using versions < 0.9.3 with JuicefsRuntime should upgrade to v0.9.3.	2024-03-15	4	CVE-2023-51699 security-advisories@github.com security-advisories@github.com
follow-redirects — follow-redirects	follow-redirects is an open source, drop-in replacement for Node’s `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-14	6.5	CVE-2024-28849 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
formfacade — formfacade	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in FormFacade allows Stored XSS.This issue affects FormFacade: from n/a through 1.0.0.	2024-03-15	6.5	CVE-2024-25934 audit@patchstack.com
fortinet — fortimanager	A use of externally-controlled format string vulnerability [CWE-134] in Fortinet FortiManager version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.3 and before 7.0.10, Fortinet FortiAnalyzer version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.3 and before 7.0.10, Fortinet FortiAnalyzer-BigData before 7.2.5 and Fortinet FortiPortal version 6.0 all versions and version 5.3 all versions allows a privileged attacker to execute unauthorized code or commands via specially crafted command arguments.	2024-03-12	6.7	CVE-2023-41842 psirt@fortinet.com
fortinet — fortiportal	An improper authorization vulnerability [CWE-285] in FortiPortal version 7.2.0, and versions 7.0.6 and below reports may allow a user to download other organizations reports via modification in the request payload.	2024-03-12	4.3	CVE-2024-21761 psirt@fortinet.com
fortinet — fortiproxy	An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiOS version 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.1 through 7.0.13, 6.4.7 through 6.4.14, and FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14 SSL-VPN may allow an authenticated attacker to gain access to another user’s bookmark via URL manipulation.	2024-03-12	4.3	CVE-2024-23112 psirt@fortinet.com
fortra — filecatalyst	Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.	2024-03-13	5.3	CVE-2024-25154 df4dee71-de3a-4139-9588-11b62fe6c0ff df4dee71-de3a-4139-9588-11b62fe6c0ff
fortra — goanywhere_mft	A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients.	2024-03-14	6.5	CVE-2024-25156 df4dee71-de3a-4139-9588-11b62fe6c0ff
frenify — categorify_-_wordpress_media_library_category_&_file_manager	The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxAddCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to add categories.	2024-03-13	4.3	CVE-2024-0385 security@wordfence.com security@wordfence.com
friendlyelec — friendlywrt	Cryptographic key vulnerability encoded in the FriendlyWrt firmware affecting version 2022-11-16.51b3d35. This vulnerability could allow an attacker to compromise the confidentiality and integrity of encrypted data.	2024-03-15	5.2	CVE-2024-2495 cve-coordination@incibe.es
friendsofsymfony1 — symfony1	Symfony1 is a community fork of symfony 1.4 with DIC, form enhancements, latest Swiftmailer, better performance, composer compatible and PHP 8 support. Symfony 1 has a gadget chain due to vulnerable Swift Mailer dependency that would enable an attacker to get remote code execution if a developer unserialize user input in his project. This vulnerability present no direct threat but is a vector that will enable remote code execution if a developper deserialize user untrusted data. Symfony 1 depends on Swift Mailer which is bundled by default in vendor directory in the default installation since 1.3.0. Swift Mailer classes implement some `__destruct()` methods. These methods are called when php destroys the object in memory. However, it is possible to include any object type in `$this->_keys` to make PHP access to another array/object properties than intended by the developer. In particular, it is possible to abuse the array access which is triggered on foreach($this->_keys …) for any class implementing ArrayAccess interface. This may allow an attacker to execute any PHP command which leads to remote code execution. This issue has been addressed in version 1.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-15	5	CVE-2024-28859 security-advisories@github.com security-advisories@github.com
gacjie — server	A vulnerability, which was classified as critical, was found in Gacjie Server up to 1.0. This affects the function index of the file /app/admin/controller/Upload.php. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256503.	2024-03-12	5.4	CVE-2024-2406 cna@vuldb.com cna@vuldb.com cna@vuldb.com
geminilabs — site_reviews	The Site Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user display name in all versions up to, and including, 6.11.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-2293 security@wordfence.com security@wordfence.com security@wordfence.com
gonahkar — custom_fields_shortcode	The Custom fields shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s cf shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied custom post meta values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2023-6809 security@wordfence.com security@wordfence.com
gpriday — siteorigin_widgets_bundle	The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 1.58.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Affected parameters include: $instance[‘fonts’][‘title_options’][‘tag’], $headline_tag, $sub_headline_tag, $feature[‘icon’].	2024-03-13	6.4	CVE-2024-1723 security@wordfence.com security@wordfence.com security@wordfence.com
hammadh — play.ht_-_make_your_blog_posts_accessible_with_text_to_speech_audio	The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with subscriber access or higher, to delete, retrieve, or modify post metadata, retrieve posts contents of protected posts, modify conversion data and delete article audio.	2024-03-13	5.4	CVE-2024-0828 security@wordfence.com security@wordfence.com
hammadh — play.ht_-_make_your_blog_posts_accessible_with_text_to_speech_audio	The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.4. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.	2024-03-13	4.3	CVE-2024-0827 security@wordfence.com security@wordfence.com
heimavista — rpage	The disabling function of the user registration page for Heimavista Rpage and Epage is not properly implemented, allowing remote attackers to complete user registration on sites where user registration is supposed to be disabled.	2024-03-13	5.3	CVE-2024-2412 twcert@cert.org.tw
hiroaki_miyashita — custom_field_template	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Hiroaki Miyashita Custom Field Template allows Stored XSS.This issue affects Custom Field Template: from n/a through 2.6.	2024-03-15	6.5	CVE-2024-25919 audit@patchstack.com
hitachi — cosminexus_component_container	Insertion of Sensitive Information into Log File vulnerability in Hitachi Cosminexus Component Container allows local users to gain sensitive information.This issue affects Cosminexus Component Container: from 11-30 before 11-30-05, from 11-20 through 11-20-, from 11-10 through 11-10-, from 11-00 before 11-00-12, All versions of V8 and V9.	2024-03-12	5.6	CVE-2023-6814 hirt@hitachi.co.jp
htplugins — ht_easy_ga4_-_google_analytics_wordpress_plugin	The HT Easy GA4 – Google Analytics WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the login() function in all versions up to, and including, 1.1.5. This makes it possible for unauthenticated attackers to update the email associated through the plugin with GA4.	2024-03-13	5.3	CVE-2024-1176 security@wordfence.com security@wordfence.com
ibm — host_access_transformation_services	IBM Host Access Transformation Services (HATS) 9.6 through 9.6.1.4 and 9.7 through 9.7.0.3 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 210989.	2024-03-15	6.2	CVE-2021-38938 psirt@us.ibm.com psirt@us.ibm.com
ibm — integration_bus_for_z/os	IBM Integration Bus for z/OS 10.1 through 10.1.0.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 284564.	2024-03-14	4.5	CVE-2024-27265 psirt@us.ibm.com psirt@us.ibm.com
ibm — maximo_application_suite_-_maximo_mobile_for_eam	IBM Maximo Application Suite – Maximo Mobile for EAM 8.10 and 8.11 could disclose sensitive information to a local user. IBM X-Force ID: 266875.	2024-03-13	5.1	CVE-2023-43043 psirt@us.ibm.com psirt@us.ibm.com
ibm — maximo_asset_management	IBM Maximo Application Suite 7.6.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 262192.	2024-03-13	6.4	CVE-2023-38723 psirt@us.ibm.com psirt@us.ibm.com
ibm — secure_proxy	IBM Sterling Secure Proxy 6.0.3 and 6.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 270973.	2024-03-15	6.1	CVE-2023-47162 psirt@us.ibm.com psirt@us.ibm.com
ibm — secure_proxy	IBM Sterling Secure Proxy 6.0.3 and 6.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 270974.	2024-03-15	6.1	CVE-2023-47699 psirt@us.ibm.com psirt@us.ibm.com
ibm — secure_proxy	IBM Sterling Secure Proxy 6.0.3 and 6.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 269692.	2024-03-15	5.4	CVE-2023-46182 psirt@us.ibm.com psirt@us.ibm.com
ibm — secure_proxy	IBM Sterling Secure Proxy 6.0.3 and 6.1.0 could allow an attacker to overwrite a log message under specific conditions. IBM X-Force ID: 270598.	2024-03-15	5.9	CVE-2023-47147 psirt@us.ibm.com psirt@us.ibm.com
ibm — secure_proxy	IBM Sterling Secure Proxy 6.0.3 and 6.1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 269683.	2024-03-15	4.3	CVE-2023-46179 psirt@us.ibm.com psirt@us.ibm.com
ibm — secure_proxy	IBM Sterling Secure Proxy 6.0.3 and 6.1.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 269686.	2024-03-15	4	CVE-2023-46181 psirt@us.ibm.com psirt@us.ibm.com
ibm — sterling_partner_engagement_manager	IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 250421.	2024-03-13	5.4	CVE-2023-28517 psirt@us.ibm.com psirt@us.ibm.com
icopydoc — yml_for_yandex_market	The YML for Yandex Market plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the feed_id parameter in all versions up to, and including, 4.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.	2024-03-13	6.1	CVE-2024-1365 security@wordfence.com security@wordfence.com
intoxstudio — restrict_user_access_-_ultimate_membership_&_content_protection	The Restrict User Access – Ultimate Membership & Content Protection plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5 via API. This makes it possible for unauthenticated attackers to obtain the contents of posts and pages via API.	2024-03-13	5.3	CVE-2024-0687 security@wordfence.com security@wordfence.com
joseph_c_dolson — my_calendar	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Joseph C Dolson My Calendar allows Stored XSS.This issue affects My Calendar: from n/a through 3.4.23.	2024-03-15	6.5	CVE-2024-25916 audit@patchstack.com
justinbusa — beaver_builder_-_wordpress_page_builder	The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button link parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-0896 security@wordfence.com security@wordfence.com security@wordfence.com
justinbusa — beaver_builder_-_wordpress_page_builder	The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image URL parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-0897 security@wordfence.com security@wordfence.com
justinbusa — beaver_builder_-_wordpress_page_builder	The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the audio widget ‘link_url’ parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1074 security@wordfence.com security@wordfence.com security@wordfence.com
justinbusa — beaver_builder_-_wordpress_page_builder	The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the via the heading tag in all versions up to, and including, 2.7.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1080 security@wordfence.com security@wordfence.com
justinbusa — beaver_builder_-_wordpress_page_builder	The Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Icon Widget ‘fl_builder_data[node_preview][link]’ and ‘fl_builder_data[settings][link_target]’ parameters in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	5.4	CVE-2024-0871 security@wordfence.com security@wordfence.com
justinbusa — beaver_builder_-_wordpress_page_builder	The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to DOM-Based Reflected Cross-Site Scripting via a ‘playground.wordpress.net’ parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.	2024-03-13	5.4	CVE-2024-1038 security@wordfence.com security@wordfence.com security@wordfence.com
kbjohnson90 — user_shortcodes_plus	The User Shortcodes Plus plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the user_meta shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve potentially sensitive user meta.	2024-03-13	5.3	CVE-2023-6969 security@wordfence.com security@wordfence.com
korenix — jeti/o_6550	Information exposure vulnerability in Korenix JetI/O 6550 affecting firmware version F208 Build:0817. The SNMP protocol uses plaintext to transfer data, allowing an attacker to intercept traffic and retrieve credentials.	2024-03-12	6.2	CVE-2024-2371 cve-coordination@incibe.es
leap13 — premium_addons_for_elementor	The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Link Wrapper functionality in all versions up to, and including, 4.10.17 due to insufficient input sanitization and output escaping on user supplied links. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-0326 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
leap13 — premium_addons_for_elementor	The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Settings URL of the Banner, Team Members, and Image Scroll widgets in all versions up to, and including, 4.10.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1680 security@wordfence.com security@wordfence.com
livemesh — elementor_addons_by_livemesh	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Livemesh Elementor Addons by Livemesh allows Stored XSS.This issue affects Elementor Addons by Livemesh: from n/a through 8.3.5.	2024-03-14	6.5	CVE-2024-27986 audit@patchstack.com
livemesh — livemesh_addons_for_elementor	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Livemesh Livemesh Addons for Elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through 8.3.	2024-03-15	6.5	CVE-2024-25598 audit@patchstack.com
livemesh — wpbakery_page_builder_addons_by_livemesh	The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘per_line_mobile’ shortcode in all versions up to, and including, 3.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-2079 security@wordfence.com security@wordfence.com
logitech — logi_tune	Improper Control of Dynamically-Managed Code Resources vulnerability in Logitech Logi Tune on MacOS allows Local Code Inclusion.	2024-03-15	4.4	CVE-2024-2537 cve-coordination@logitech.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability, which was classified as critical, was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. This affects an unknown part of the file home.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256953 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	6.3	CVE-2024-2516 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0 and classified as critical. This vulnerability affects unknown code of the file book_history.php. The manipulation of the argument del_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-256954 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	6.3	CVE-2024-2517 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/bookdate.php. The manipulation of the argument room_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256957 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	6.3	CVE-2024-2520 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability classified as critical has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. This affects an unknown part of the file /admin/booktime.php. The manipulation of the argument room_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256959. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	6.3	CVE-2024-2522 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability, which was classified as critical, has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. This issue affects some unknown processing of the file /admin/receipt.php. The manipulation of the argument room_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256961 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	6.3	CVE-2024-2524 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/rooms.php. The manipulation of the argument room_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256964. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	6.3	CVE-2024-2527 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/update-rooms.php. The manipulation of the argument room_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256965 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	6.3	CVE-2024-2528 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/rooms.php. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-256966 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	6.3	CVE-2024-2529 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability classified as critical has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected is an unknown function of the file /admin/update-rooms.php. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256968. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	6.3	CVE-2024-2531 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability classified as critical was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/update-users.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256969 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	6.3	CVE-2024-2532 cna@vuldb.com cna@vuldb.com cna@vuldb.com
mainwp — mainwp_dashboard_-_wordpress_manager_for_multiple_websites_maintenance	The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.0.1. This is due to missing or incorrect nonce validation on the ‘posting_bulk’ function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.	2024-03-13	4.3	CVE-2024-1642 security@wordfence.com security@wordfence.com security@wordfence.com
mattermost — mattermost	Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server.	2024-03-15	6.1	CVE-2024-2445 responsibledisclosure@mattermost.com
mattermost — mattermost	Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.	2024-03-15	4.3	CVE-2024-2446 responsibledisclosure@mattermost.com
mattermost — mattermost_mobile	A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulation of the argument country leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256919. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-15	4.7	CVE-2024-2497 cna@vuldb.com cna@vuldb.com cna@vuldb.com
mdp — rotp	The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions. Users should patch to version 6.3.0. Users unable to patch may correct file permissions after installation.	2024-03-16	5.3	CVE-2024-28862 security-advisories@github.com
metagauss — eventprime_-_events_calendar,_bookings_and_tickets	The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_attendees_email_by_event_id() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to to retrieve the attendees list for any event.	2024-03-13	5.3	CVE-2024-1126 security@wordfence.com security@wordfence.com
metagauss — eventprime_-_events_calendar,_bookings_and_tickets	The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 3.4.2. This is due to the plugin allowing unauthenticated users to update the status of order payments. This makes it possible for unauthenticated attackers to book events for free.	2024-03-13	5.3	CVE-2024-1321 security@wordfence.com security@wordfence.com
metagauss — eventprime_-_events_calendar,_bookings_and_tickets	The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the booking_export_all() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve all event booking which can contain PII.	2024-03-13	4.3	CVE-2024-1127 security@wordfence.com security@wordfence.com security@wordfence.com
mha_sistemas — armhazena	A vulnerability classified as critical was found in MHA Sistemas arMHAzena 9.6.0.0. This vulnerability affects unknown code of the component Executa Page. The manipulation of the argument Companhia/Planta/Agente de/Agente até leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256888. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-15	6.3	CVE-2024-2480 cna@vuldb.com cna@vuldb.com cna@vuldb.com
microsoft — intune_company_portal_for_android	Microsoft Intune Linux Agent Elevation of Privilege Vulnerability	2024-03-12	6.6	CVE-2024-26201 secure@microsoft.com
microsoft — microsoft_edge_(chromium-based)	Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability	2024-03-14	4.7	CVE-2024-26163 secure@microsoft.com
microsoft — microsoft_teams_for_android	Microsoft Teams for Android Information Disclosure Vulnerability	2024-03-12	5	CVE-2024-21448 secure@microsoft.com
microsoft — windows_10_version_1809	Windows USB Hub Driver Remote Code Execution Vulnerability	2024-03-12	6.8	CVE-2024-21429 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Hyper-V Denial of Service Vulnerability	2024-03-12	5.5	CVE-2024-21408 secure@microsoft.com
microsoft — windows_10_version_1809	Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability	2024-03-12	5.7	CVE-2024-21430 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Kernel Information Disclosure Vulnerability	2024-03-12	5.5	CVE-2024-26174 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Kernel Information Disclosure Vulnerability	2024-03-12	5.5	CVE-2024-26177 secure@microsoft.com
microsoft — windows_10_version_1809	Windows Kernel Denial of Service Vulnerability	2024-03-12	5.5	CVE-2024-26181 secure@microsoft.com
microsoft — windows_11_version_22h2	Windows Compressed Folder Tampering Vulnerability	2024-03-12	6.5	CVE-2024-26185 secure@microsoft.com
microsoft — windows_11_version_22h2	Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability	2024-03-12	5.5	CVE-2024-26160 secure@microsoft.com
microsoft — windows_defender_antimalware_platform	Microsoft Defender Security Feature Bypass Vulnerability	2024-03-12	5.5	CVE-2024-20671 secure@microsoft.com
microsoft — windows_server_2019	Windows Standards-Based Storage Management Service Denial of Service Vulnerability	2024-03-12	6.5	CVE-2024-26197 secure@microsoft.com
movistar_ — router_movistar_4g	Cross-Site Request Forgery vulnerability in Movistar’s 4G router affecting version ES_WLD71-T1_v2.0.201820. This vulnerability allows an attacker to force an end user to execute unwanted actions in a web application in which they are currently authenticated.	2024-03-13	6.5	CVE-2024-2416 cve-coordination@incibe.es
mra13 — simple_membership	The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Display Name’ parameter in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires social engineering to successfully exploit, and the impact would be very limited due to the attacker requiring a user to login as the user with the injected payload for execution.	2024-03-13	4.7	CVE-2024-1985 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
msaari — relevanssi_-_a_better_search	The Relevanssi – A Better Search plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relevanssi_export_log_check() function in all versions up to, and including, 4.22.0. This makes it possible for unauthenticated attackers to export the query log data. The vendor has indicated that they may look into adding a capability check for proper authorization control, however, this vulnerability is theoretically patched as is.	2024-03-13	5.3	CVE-2024-1380 security@wordfence.com security@wordfence.com
n/a — 1panel	A vulnerability, which was classified as critical, has been found in 1Panel up to 1.10.1-lts. Affected by this issue is the function baseApi.UpdateDeviceSwap of the file /api/v1/toolbox/device/update/swap. The manipulation of the argument Path with the input 123123123nopen -a Calculator leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-256304.	2024-03-10	6.3	CVE-2024-2352 cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com cna@vuldb.com
n/a — 3rd_and_4th_generation_intel(r)_xeon(r)_processors_when_using_intel(r)_sgx_or_intel(r)_tdx	Protection mechanism failure in some 3rd and 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.	2024-03-14	6.1	CVE-2023-22655 secure@intel.com
n/a — intel(r)_atom(r)_processors	Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.	2024-03-14	6.5	CVE-2023-28746 secure@intel.com
n/a — intel(r)_csme_installer_software	Incorrect default permissions in some Intel(R) CSME installer software before version 2328.5.5.0 may allow an authenticated user to potentially enable escalation of privilege via local access.	2024-03-14	6.7	CVE-2023-28389 secure@intel.com
n/a — intel(r)_csme_installer_software	Improper input validation in the Intel(R) CSME installer software before version 2328.5.5.0 may allow an authenticated user to potentially enable escalation of privilege via local access.	2024-03-14	6.7	CVE-2023-32633 secure@intel.com
n/a — intel(r)_processors	Protection mechanism failure of bus lock regulator for some Intel(R) Processors may allow an unauthenticated user to potentially enable denial of service via network access.	2024-03-14	6.5	CVE-2023-39368 secure@intel.com
n/a — intel(r)_processors	Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.	2024-03-14	5.5	CVE-2023-38575 secure@intel.com
n/a — intel(r)_sps_firmware_versions	Uncontrolled resource consumption for some Intel(R) SPS firmware versions may allow a privileged user to potentially enable denial of service via network access.	2024-03-14	6.8	CVE-2023-35191 secure@intel.com
n/a — intel(r)_xeon(r)_d_processors_with_intel(r)_sgx	Incorrect calculation in microcode keying mechanism for some Intel(R) Xeon(R) D Processors with Intel(R) SGX may allow a privileged user to potentially enable information disclosure via local access.	2024-03-14	5.3	CVE-2023-43490 secure@intel.com
n/a — libvirt	An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to perform a denial of service attack by causing the libvirt daemon to crash.	2024-03-11	5.5	CVE-2024-1441 secalert@redhat.com secalert@redhat.com
n/a — openstack-designate	An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploit this flaw to access sensitive information.	2024-03-15	6.6	CVE-2023-6725 secalert@redhat.com secalert@redhat.com
n/a — ovn	A flaw was found in the Open Virtual Network (OVN). In OVN clusters where BFD is used between hypervisors for high availability, an attacker can inject specially crafted BFD packets from inside unprivileged workloads, including virtual machines or containers, that can trigger a denial of service.	2024-03-12	6.5	CVE-2024-2182 secalert@redhat.com secalert@redhat.com secalert@redhat.com secalert@redhat.com
ndijkstra — mollie_forms	The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to duplicate arbitrary posts and pages.	2024-03-11	4.3	CVE-2024-1400 security@wordfence.com security@wordfence.com
ndijkstra — mollie_forms	The Mollie Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportRegistrations function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to export payment data collected by this plugin.	2024-03-11	4.3	CVE-2024-1645 security@wordfence.com security@wordfence.com security@wordfence.com
netweblogic — events_manager_-_calendar,_bookings,_tickets,_and_more!	The Events Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.4.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.	2024-03-13	4.4	CVE-2024-0614 security@wordfence.com security@wordfence.com security@wordfence.com
newsletter2go — newsletter2go	The Newsletter2Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 4.0.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-12	6.4	CVE-2024-1328 security@wordfence.com security@wordfence.com
nik00726 — team_circle_image_slider_with_lightbox	The Team Circle Image Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the circle_thumbnail_slider_with_lightbox_image_management_func() function. This makes it possible for unauthenticated attackers to edit image data which can be used to inject malicious JavaScript, along with deleting images, and uploading malicious files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.	2024-03-13	5.3	CVE-2015-10130 security@wordfence.com security@wordfence.com
nixos — nix	Nix is a package manager for Linux and other Unix systems. A fixed-output derivations on Linux can send file descriptors to files in the Nix store to another program running on the host (or another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows to modify the output of the derivation, after Nix has registered the path as “valid” and immutable in the Nix database. In particular, this allows the output of fixed-output derivations to be modified from their expected content. This issue has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-11	6.3	CVE-2024-27297 security-advisories@github.com security-advisories@github.com security-advisories@github.com
nmedia — comments_extra_fields_for_post,pages_and_cpt	The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscriber access or higher, to invoke those actions. As a result, they may modify comment form fields and update plugin settings.	2024-03-13	4.3	CVE-2024-0829 security@wordfence.com security@wordfence.com security@wordfence.com
nmedia — comments_extra_fields_for_post,pages_and_cpt	The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0. This is due to missing or incorrect nonce validation on several ajax actions. This makes it possible for unauthenticated attackers to invoke those actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. As a result, they may modify comment form fields and update plugin settings.	2024-03-13	4.3	CVE-2024-0830 security@wordfence.com security@wordfence.com security@wordfence.com
openolat — openolat	OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. By manually manipulating http requests when using the draw.io integration it is possible to read arbitrary files as the configured system user and SSRF. The problem is fixed in version 18.1.6 and 18.2.2. It is advised to upgrade to the latest version of 18.1.x or 18.2.x. Users unable to upgrade may work around this issue by disabling the Draw.io module or the entire REST API which will secure the system.	2024-03-11	4.6	CVE-2024-28198 security-advisories@github.com security-advisories@github.com security-advisories@github.com
opentext — vertica_management_console	Certain functionality in OpenText Vertica Management console might be prone to bypass via crafted requests. The vulnerability would affect one of Vertica’s authentication functionalities by allowing specially crafted requests and sequences. This issue impacts the following Vertica Management Console versions: 10.x 11.1.1-24 or lower 12.0.4-18 or lower Please upgrade to one of the following Vertica Management Console versions: 10.x to upgrade to latest versions from below. 11.1.1-25 12.0.4-19 23.x 24.x	2024-03-15	5	CVE-2023-7248 security@opentext.com
opentext– exceed_turbo_x	HTML injection in OpenText™ Exceed Turbo X affecting version 12.5.1. The vulnerability could result in Cross site scripting.	2024-03-13	6.4	CVE-2023-38536 security@opentext.com
opentextâ„¢ — exceed_turbo_x	Use of Hard-coded Cryptographic Key vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.1 and 12.5.2. The vulnerability could compromise the cryptographic keys.	2024-03-13	4.7	CVE-2023-38535 security@opentext.com
palantir — com.palantir.acme.gaia:gaia	One of Gotham Gaia services was found to be vulnerable to a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker to bypass CSP and get a persistent cross site scripting payload on the stack.	2024-03-12	6.8	CVE-2023-30968 cve-coordination@palantir.com
palo_alto_networks — globalprotect_app	An issue in the Palo Alto Networks GlobalProtect app enables a non-privileged user to disable the GlobalProtect app in configurations that allow a user to disable GlobalProtect with a passcode.	2024-03-13	5.5	CVE-2024-2431 psirt@paloaltonetworks.com
palo_alto_networks — globalprotect_app	A privilege escalation (PE) vulnerability in the Palo Alto Networks GlobalProtect app on Windows devices enables a local user to execute programs with elevated privileges. However, execution requires that the local user is able to successfully exploit a race condition.	2024-03-13	4.5	CVE-2024-2432 psirt@paloaltonetworks.com
palo_alto_networks — pan-os	An improper authorization vulnerability in Palo Alto Networks Panorama software enables an authenticated read-only administrator to upload files using the web interface and completely fill one of the disk partitions with those uploaded files, which prevents the ability to log into the web interface or to download PAN-OS, WildFire, and content images. This issue affects only the web interface of the management plane; the dataplane is unaffected.	2024-03-13	4.3	CVE-2024-2433 psirt@paloaltonetworks.com
papercut — papercut_ng,_papercut_mf	This is a reflected cross site scripting vulnerability in the PaperCut NG/MF application server. An attacker can exploit this weakness by crafting a malicious URL that contains a script. When an unsuspecting user clicks on this malicious link, it could potentially lead to limited loss of confidentiality, integrity or availability.	2024-03-14	6.3	CVE-2024-1883 eb41dac7-0af8-4f84-9f6d-0272772514f4
papercut — papercut_ng,_papercut_mf	This is a Server-Side Request Forgery (SSRF) vulnerability in the PaperCut NG/MF server-side module that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.	2024-03-14	6.5	CVE-2024-1884 eb41dac7-0af8-4f84-9f6d-0272772514f4
papercut — papercut_ng,_papercut_mf	This vulnerability potentially allows unauthorized enumeration of information from the embedded device APIs. An attacker must already have existing knowledge of some combination of valid usernames, device names and an internal system key. For such an attack to be successful the system must be in a specific runtime state.	2024-03-14	4.8	CVE-2024-1223 eb41dac7-0af8-4f84-9f6d-0272772514f4
pawaryogesh1989 — bulk_edit_post_titles	The Bulk Edit Post Titles plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulkUpdatePostTitles function in all versions up to, and including, 5.0.0. This makes it possible for authenticated attackers, with subscriber access and above, to modify the titles of arbitrary posts.	2024-03-13	4.3	CVE-2024-0369 security@wordfence.com security@wordfence.com
peering-manager — peering-manager	Peering Manager is a BGP session management tool. Affected versions of Peering Manager are subject to a potential stored Cross-Site Scripting (XSS) attack in the `name` attribute of AS or Platform. The XSS triggers on a routers detail page. Adversaries are able to execute arbitrary JavaScript code with the permission of a victim. XSS attacks are often used to steal credentials or login tokens of other users. This issue has been addressed in version 1.8.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-12	6.1	CVE-2024-28112 security-advisories@github.com security-advisories@github.com
phoenix_contact — charx_sec-3000	An unauthenticated remote attacker can upload a arbitrary script file due to improper input validation. The upload destination is fixed and is write only.	2024-03-12	5.3	CVE-2024-25994 info@cert.vde.com
phoenix_contact — charx_sec-3000	An unauthenticated remote attacker can perform a remote code execution due to an origin validation error. The access is limited to the service user.	2024-03-12	5.3	CVE-2024-25996 info@cert.vde.com
phoenix_contact — charx_sec-3000	An unauthenticated remote attacker can perform a log injection due to improper input validation. Only a certain log file is affected.	2024-03-12	5.3	CVE-2024-25997 info@cert.vde.com
phoenix_contact — charx_sec-3000	An unauthenticated remote attacker can read memory out of bounds due to improper input validation in the MQTT stack. The brute force attack is not always successful because of memory randomization.	2024-03-12	5.9	CVE-2024-26000 info@cert.vde.com
phoenix_contact — charx_sec-3000	An unauthenticated remote attacker can gain service level privileges through an incomplete cleanup during service restart after a DoS.	2024-03-12	4.8	CVE-2024-26005 info@cert.vde.com
pinterest — querybook	Querybook is a Big Data Querying UI, combining collocated table metadata and a simple notebook interface. Querybook’s datadocs functionality works by using a Websocket Server. The client talks to this WSS whenever updating/deleting/reading any cells as well as for watching the live status of query executions. Currently the CORS setting allows all origins, which could result in cross-site websocket hijacking and allow attackers to read/edit/remove datadocs of the user. This issue has been addressed in version 3.32.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-14	5.6	CVE-2024-28251 security-advisories@github.com security-advisories@github.com
postalserver — postal	Postal is an open source SMTP server. Postal versions less than 3.0.0 are vulnerable to SMTP Smuggling attacks which may allow incoming e-mails to be spoofed. This, in conjunction with a cooperative outgoing SMTP service, would allow for an incoming e-mail to be received by Postal addressed from a server that a user has ‘authorised’ to send mail on their behalf but were not the genuine author of the e-mail. Postal is not affected for sending outgoing e-mails as email is re-encoded with `<CR><LF>` line endings when transmitted over SMTP. This issue has been addressed and users should upgrade to Postal v3.0.0 or higher. Once upgraded, Postal will only accept End of DATA sequences which are explicitly `<CR><LF>.<CR><LF>`. If a non-compliant sequence is detected it will be logged to the SMTP server log. There are no workarounds for this issue.	2024-03-11	5.3	CVE-2024-27938 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
premium_addons_for_elementor — premium_addons_pro_for_elementor	The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s IHover widget link in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1996 security@wordfence.com security@wordfence.com
premium_addons_for_elementor — premium_addons_pro_for_elementor	The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘premium_fbchat_app_id’ parameter of the Messenger Chat Widget in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1997 security@wordfence.com security@wordfence.com
premium_addons_for_elementor — premium_addons_pro_for_elementor	The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘navigation_dots’ parameter of the Multi Scroll Widget in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-2000 security@wordfence.com security@wordfence.com
premium_addons_for_elementor — premium_addons_pro_for_elementor	The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Global Badge module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-2237 security@wordfence.com security@wordfence.com
premium_addons_for_elementor — premium_addons_pro_for_elementor	The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Mouse Cursor module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-2238 security@wordfence.com security@wordfence.com
premium_addons_for_elementor — premium_addons_pro_for_elementor	The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Premium Magic Scroll module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-2239 security@wordfence.com security@wordfence.com
premium_addons_for_elementor — premium_addons_pro_for_elementor	The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s widgets in all versions up to, and including, 4.10.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-15	6.4	CVE-2024-2399 security@wordfence.com security@wordfence.com security@wordfence.com
qnap — qts	An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later	2024-03-08	6.5	CVE-2024-21900 security@qnapsecurity.com.tw
radgeek — feedwordpress	The FeedWordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2022.0222 due to missing validation on the user controlled ‘guid’ key. This makes it possible for unauthenticated attackers to view draft posts that may contain sensitive information.	2024-03-13	5.3	CVE-2024-0839 security@wordfence.com security@wordfence.com
rayhanduitku — duitku_payment_gateway	The Duitku Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_duitku_response function in all versions up to, and including, 2.11.4. This makes it possible for unauthenticated attackers to change the payment status of orders to failed.	2024-03-13	5.3	CVE-2024-0631 security@wordfence.com security@wordfence.com
realmag777 — husky_-_products_filter_for_woocommerce_(formerly_woof)	Cross-Site Request Forgery (CSRF) vulnerability in realmag777 HUSKY – Products Filter for WooCommerce (formerly WOOF).This issue affects HUSKY – Products Filter for WooCommerce (formerly WOOF): from n/a through 1.3.4.3.	2024-03-15	4.3	CVE-2023-50861 audit@patchstack.com
realmag777 — husky_-_products_filter_professional_for_woocommerce	The HUSKY – Products Filter for WooCommerce Professional plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘woof’ shortcode in all versions up to, and including, 1.3.5.1 due to insufficient input sanitization and output escaping on user supplied attributes such as ‘swoof_slug’. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-15	6.4	CVE-2024-1796 security@wordfence.com security@wordfence.com
rednao — woocommerce_pdf_invoice_builder	Cross-Site Request Forgery (CSRF) vulnerability in RedNao WooCommerce PDF Invoice Builder.This issue affects WooCommerce PDF Invoice Builder: from n/a through 1.2.101.	2024-03-16	5.4	CVE-2023-51486 audit@patchstack.com
rejetto_ — http_file_server_	An open redirect vulnerability, the exploitation of which could allow an attacker to create a custom URL and redirect a legitimate page to a malicious site.	2024-03-12	6.5	CVE-2024-1227 cve-coordination@incibe.es
rocket_elements — split_test_for_elementor	Cross-Site Request Forgery (CSRF) vulnerability in Rocket Elements Split Test For Elementor.This issue affects Split Test For Elementor: from n/a through 1.6.9.	2024-03-16	4.3	CVE-2023-51407 audit@patchstack.com
rogierlankhorst — burst_statistics_-_privacy-friendly_analytics_for_wordpress	The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘burst_total_pageviews_count’ custom meta field in all versions up to, and including, 1.5.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that this exploit only functions if the victim has the ‘Show Toolbar when viewing site’ option enabled in their profile.	2024-03-13	6.4	CVE-2024-1894 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
sap_se — netweaver_(wsrm)	Under certain conditions SAP NetWeaver WSRM – version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application.	2024-03-12	5.3	CVE-2024-25644 cna@sap.com cna@sap.com
sap_se — sap_abap_platform	Due to missing authorization check, attacker with business user account in SAP ABAP Platform – version 758, 795, can change the privacy setting of job templates from shared to private. As a result, the selected template would only be accessible to the owner.	2024-03-12	4.3	CVE-2024-27900 cna@sap.com cna@sap.com
sap_se — sap_fiori_front_end_server	SAP Fiori Front End Server – version 605, allows altering of approver details on the read-only field when sending leave request information. This could lead to creation of request with incorrect approver causing low impact on Confidentiality and Integrity with no impact on Availability of the application.	2024-03-12	4.6	CVE-2024-22133 cna@sap.com cna@sap.com
sap_se — sap_netweaver_(enterprise_portal)	Under certain condition SAP NetWeaver (Enterprise Portal) – version 7.50 allows an attacker to access information which would otherwise be restricted causing low impact on confidentiality of the application and with no impact on Integrity and Availability of the application.	2024-03-12	5.3	CVE-2024-25645 cna@sap.com cna@sap.com
sap_se — sap_netweaver_as_abap_applications_based_on_sapgui_for_html_(webgui)	Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP – versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a user’s browser. There is no impact on the availability of the system	2024-03-12	5.4	CVE-2024-27902 cna@sap.com cna@sap.com
sap_se — sap_netweaver_process_integration_(support_web_pages)	Under certain conditions, Support Web Pages of SAP NetWeaver Process Integration (PI) – versions 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application.	2024-03-12	5.3	CVE-2024-28163 cna@sap.com cna@sap.com
sewpafly — post_thumbnail_editor	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sewpafly Post Thumbnail Editor.This issue affects Post Thumbnail Editor: from n/a through 2.4.8.	2024-03-16	5.3	CVE-2024-24845 audit@patchstack.com
shapedplugin — easy_accordion_-_best_accordion_faq_plugin_for_wordpress	The Easy Accordion – Best Accordion FAQ Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘accordion_content_source’ attribute in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1363 security@wordfence.com security@wordfence.com
siemens — sentron_7km_pac3120_ac/dc	A vulnerability has been identified in SENTRON 7KM PAC3120 AC/DC (7KM3120-0BA01-1DA0) (All versions >= V3.2.3 < V3.3.0 only when manufactured between LQN231003… and LQN231215… ( with LQNYYMMDD…)), SENTRON 7KM PAC3120 DC (7KM3120-1BA01-1EA0) (All versions >= V3.2.3 < V3.3.0 only when manufactured between LQN231003… and LQN231215… ( with LQNYYMMDD…)), SENTRON 7KM PAC3220 AC/DC (7KM3220-0BA01-1DA0) (All versions >= V3.2.3 < V3.3.0 only when manufactured between LQN231003… and LQN231215… ( with LQNYYMMDD…)), SENTRON 7KM PAC3220 DC (7KM3220-1BA01-1EA0) (All versions >= V3.2.3 < V3.3.0 only when manufactured between LQN231003… and LQN231215… ( with LQNYYMMDD…)). The read out protection of the internal flash of affected devices was not properly set at the end of the manufacturing process. An attacker with physical access to the device could read out the data.	2024-03-12	4.6	CVE-2024-21483 productcert@siemens.com
siemens — siveillance_control	A vulnerability has been identified in Siveillance Control (All versions >= V2.8 < V3.1.1). The affected product does not properly check the list of access groups that are assigned to an individual user. This could enable a locally logged on user to gain write privileges for objects where they only have read privileges.	2024-03-12	5.5	CVE-2023-45793 productcert@siemens.com
sirv.com — sirv	Missing Authorization vulnerability in sirv.Com Sirv.This issue affects Sirv: from n/a through 7.1.2.	2024-03-15	5.4	CVE-2023-50898 audit@patchstack.com
skyhigh — skyhigh_client_proxy	A malicious insider can bypass the existing policy of Skyhigh Client Proxy without a valid release code.	2024-03-14	5.5	CVE-2024-0311 trellixpsirt@trellix.com
skyhigh — skyhigh_client_proxy	A malicious insider can uninstall Skyhigh Client Proxy without a valid uninstall password.	2024-03-14	5.5	CVE-2024-0312 trellixpsirt@trellix.com
skyhigh — skyhigh_client_proxy	A malicious insider exploiting this vulnerability can circumvent existing security controls put in place by the organization. On the contrary, if the victim is legitimately using the temporary bypass to reach out to the Internet for retrieving application and system updates, a remote device could target it and undo the bypass, thereby denying the victim access to the update service, causing it to fail.	2024-03-14	5.5	CVE-2024-0313 trellixpsirt@trellix.com
snowflakedb — snowflake-hive-metastore-connector	The Snowflake Hive metastore connector provides an easy way to query Hive-managed data via Snowflake. Snowflake Hive MetaStore Connector has addressed a potential elevation of privilege vulnerability in a `helper script` for the Hive MetaStore Connector. A malicious insider without admin privileges could, in theory, use the script to download content from a Microsoft domain to the local system and replace the valid content with malicious code. If the attacker then also had local access to the same system where the maliciously modified script is run, they could attempt to manipulate users into executing the attacker-controlled helper script, potentially gaining elevated privileges to the local system. The vulnerability in the script was patched on February 09, 2024, without a version bump to the Connector. User who use the helper script are strongly advised to use the latest version as soon as possible. Users unable to upgrade should avoid using the helper script.	2024-03-15	4	CVE-2024-28851 security-advisories@github.com security-advisories@github.com security-advisories@github.com
softaculous — backuply_-_backup,_restore,_migrate_and_clone	The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.2.7 via the backup_name parameter in the backuply_download_backup function. This makes it possible for attackers to have an account with only activate_plugins capability to access arbitrary files on the server, which can contain sensitive information. This only impacts sites hosted on Windows servers.	2024-03-16	4.9	CVE-2024-2294 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
soundcloud_inc.,_lawrie_malen — soundcloud_shortcode	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in SoundCloud Inc., Lawrie Malen SoundCloud Shortcode allows Stored XSS.This issue affects SoundCloud Shortcode: from n/a through 4.0.1.	2024-03-15	6.5	CVE-2024-25936 audit@patchstack.com
sourcecodester — best_pos_management_system	A vulnerability was found in SourceCodester Best POS Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /view_order.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256705 was assigned to this vulnerability.	2024-03-13	6.3	CVE-2024-2418 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — crud_without_page_reload	A vulnerability was found in SourceCodester CRUD without Page Reload 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file add_user.php. The manipulation of the argument city leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256453 was assigned to this vulnerability.	2024-03-12	6.3	CVE-2024-2393 cna@vuldb.com cna@vuldb.com cna@vuldb.com
stylemix — masterstudy_lms_wordpress_plugin_-_for_online_courses_and_education	The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 3.2.10. This can allow unauthenticated attackers to extract sensitive data including all registered user’s username and email addresses which can be used to help perform future attacks.	2024-03-13	5.3	CVE-2024-2106 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
subratamal — terawallet_-_best_woocommerce_wallet_system_with_cashback_rewards,_partial_payment,_wallet_refunds	The TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the terawallet_export_user_search() function in all versions up to, and including, 1.4.10. This makes it possible for authenticated attackers, with subscriber-level access and above, to export a list of registered users and their emails.	2024-03-13	4.3	CVE-2024-1690 security@wordfence.com security@wordfence.com
surya2developer — hostel_management_service	A vulnerability, which was classified as problematic, has been found in Surya2Developer Hostel Management Service 1.0. This issue affects some unknown processing of the file /change-password.php of the component Password Change Handler. The manipulation of the argument oldpassword leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256889 was assigned to this vulnerability.	2024-03-15	4.3	CVE-2024-2483 cna@vuldb.com cna@vuldb.com cna@vuldb.com
surya2developer — hostel_management_system	A vulnerability, which was classified as critical, was found in Surya2Developer Hostel Management System 1.0. Affected is an unknown function of the file /admin/manage-students.php. The manipulation of the argument del leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-256890 is the identifier assigned to this vulnerability.	2024-03-15	6.5	CVE-2024-2481 cna@vuldb.com cna@vuldb.com cna@vuldb.com
svenl77 — post_form_-_registration_form_-_profile_form_for_user_profiles_-_frontend_content_forms_for_user_submissions_(ugc)	The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buddyforms_new_page function in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber access or higher, to create pages with arbitrary titles. These pages are published.	2024-03-13	4.3	CVE-2024-1158 security@wordfence.com security@wordfence.com security@wordfence.com
sysbasics — customize_my_account_for_woocommerce	Cross-Site Request Forgery (CSRF) vulnerability in SysBasics Customize My Account for WooCommerce.This issue affects Customize My Account for WooCommerce: from n/a through 1.8.3.	2024-03-15	4.3	CVE-2023-51369 audit@patchstack.com
takayukister — contact_form_7	The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.	2024-03-13	6.1	CVE-2024-2242 security@wordfence.com security@wordfence.com
techfyd — sky_addons_for_elementor_(free_templates_library,_live_copy,_animations,_post_grid,_post_carousel,_particles,_sliders,_chart,_blogs)	The Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wrapper link URL value in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-2286 security@wordfence.com security@wordfence.com
techjewel — contact_form_plugin_by_fluent_forms_for_quiz,_survey,_and_drag_&_drop_wp_form_builder	The Fluent Forms plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.9 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploitation level depends on who is granted the right to create forms by an administrator. This level can be as low as contributor, but by default is admin.	2024-03-13	4.9	CVE-2023-6957 security@wordfence.com security@wordfence.com
thedark — auto_affiliate_links	The Auto Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the aalAddLink function in all versions up to, and including, 6.4.3. This makes it possible for authenticated attackers, with subscriber access or higher, to add arbitrary links to posts.	2024-03-13	4.3	CVE-2024-1843 security@wordfence.com security@wordfence.com security@wordfence.com
themefusecom — brizy_-_page_builder	The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown URL parameter in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1291 security@wordfence.com security@wordfence.com
themefusecom — brizy_-_page_builder	The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the embedded media custom block in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1293 security@wordfence.com security@wordfence.com
themefusecom — brizy_-_page_builder	The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s block upload in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1296 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
themefusion — avada_\|_website_builder_for_wordpress_&_woocommerce	The Avada \| Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 7.11.5 via the form entries page. This makes it possible for authenticated attackers, with contributor access and above, to view the contents of all form submissions, including fields that are obfuscated (such as the contact form’s “password” field).	2024-03-13	6.5	CVE-2024-1668 security@wordfence.com security@wordfence.com
themegrill — maintenance_page	The Maintenance Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the subscribe_download function hooked via AJAX action in all versions up to, and including, 1.0.8. This makes it possible for authenticated attackers, with subscriber access or higher, to download a csv containing subscriber emails.	2024-03-13	5.3	CVE-2024-1370 security@wordfence.com security@wordfence.com
themegrill — maintenance_page	The Maintenance Page plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 1.0.8 via the REST API. This makes it possible for unauthenticated attackers to view post titles and content when the site is in maintenance mode.	2024-03-13	5.3	CVE-2024-1462 security@wordfence.com security@wordfence.com
themeisle — orbit_fox_by_themeisle	The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form widget addr2_width attribute in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1497 security@wordfence.com security@wordfence.com security@wordfence.com
themeisle — orbit_fox_by_themeisle	The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Table widget in the $settings[‘title_tags’] parameter in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1499 security@wordfence.com security@wordfence.com security@wordfence.com
themeisle — orbit_fox_by_themeisle	The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Registration Form widget in all versions up to, and including, 2.10.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-2126 security@wordfence.com security@wordfence.com
themencode_llc — tnc_pdf_viewer	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeNcode LLC TNC PDF viewer allows Stored XSS.This issue affects TNC PDF viewer: from n/a through 2.8.0.	2024-03-13	6.5	CVE-2024-25097 audit@patchstack.com
themisle — otter_blocks_pro_-_gutenberg_blocks,_page_builder_for_gutenberg_editor_&_fse	The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form file field CSS metabox in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1684 security@wordfence.com security@wordfence.com
themisle — otter_blocks_pro_-_gutenberg_blocks,_page_builder_for_gutenberg_editor_&_fse	The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file upload form, which allows SVG uploads, in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that the patch in 2.6.4 allows SVG uploads but the uploaded SVG files are sanitized.	2024-03-13	6.1	CVE-2024-1691 security@wordfence.com security@wordfence.com
tibco_software_inc. — tibco_activespaces_-_enterprise_edition	The Proxy and Client components of TIBCO Software Inc.’s TIBCO ActiveSpaces – Enterprise Edition contain a vulnerability that theoretically allows an Active Spaces client to passively observe data traffic to other clients. Affected releases are TIBCO Software Inc.’s TIBCO ActiveSpaces – Enterprise Edition: versions 4.4.0 through 4.9.0.	2024-03-12	4.3	CVE-2024-1137 security@tibco.com
timstrifler — exclusive_addons_for_elementor	The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1234 security@wordfence.com security@wordfence.com
timstrifler — exclusive_addons_for_elementor	The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Timer widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1413 security@wordfence.com security@wordfence.com
timstrifler — exclusive_addons_for_elementor	The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1414 security@wordfence.com security@wordfence.com
timstrifler — exclusive_addons_for_elementor	The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Covid-19 Stats Widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-2028 security@wordfence.com security@wordfence.com
turtlepod — f(x)_private_site	The f(x) Private Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.1 via the API. This makes it possible for unauthenticated attackers to obtain page and post contents of a site protected with this plugin.	2024-03-12	5.3	CVE-2024-0906 security@wordfence.com security@wordfence.com
vantage6 — vantage6	vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. Much like GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes `/recover/lost` and `/2fa/lost`. These routes send emails to users if they have lost their password or MFA token. This issue has been addressed in commit `aecfd6d0e` and is expected to ship in subsequent releases. Users are advised to upgrade as soon as a new release is available. There are no known workarounds for this vulnerability.	2024-03-14	5.3	CVE-2024-24770 security-advisories@github.com security-advisories@github.com security-advisories@github.com
vantage6 — vantage6	vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server. The impact is limited because v6 does not use session cookies. This issue has been addressed in commit `70bb4e1d8` and is expected to ship in subsequent releases. Users are advised to upgrade as soon as a new release is available. There are no known workarounds for this vulnerability.	2024-03-14	4.2	CVE-2024-23823 security-advisories@github.com security-advisories@github.com
vantage6 — vantage6-ui	vantage6-UI is the official user interface for the vantage6 server. In affected versions a number of security headers are not set. This issue has been addressed in commit `68dfa6614` which is expected to be included in future releases. Users are advised to upgrade when a new release is made. While an upgrade path is not available users may modify the docker image build to insert the headers into nginx.	2024-03-14	5.4	CVE-2024-24562 security-advisories@github.com security-advisories@github.com
visualcomposer — visual_composer_website_builder,_landing_page_builder,_custom_theme_builder,_maintenance_mode_&_coming_soon_pages	The Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s custom fields in all versions up to, and including, 45.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2023-6880 security@wordfence.com security@wordfence.com
wago — controller_bacnet/ip	An unauthenticated remote attacker can use an XSS attack due to improper neutralization of input during web page generation. User interaction is required. This leads to a limited impact of confidentiality and integrity but no impact of availability.	2024-03-13	5.4	CVE-2018-25090 info@cert.vde.com
wbw — product_table_by_wbw	Cross Site Request Forgery (CSRF) vulnerability in WBW Product Table by WBW.This issue affects Product Table by WBW: from n/a through 1.8.6.	2024-03-16	4.3	CVE-2023-51512 audit@patchstack.com
webtechstreet — elementor_addon_elements	The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘icon_align’ attribute of the Content Switcher widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1393 security@wordfence.com security@wordfence.com security@wordfence.com
webtechstreet — elementor_addon_elements	The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eae_custom_overlay_switcher’ attribute of the Thumbnail Slider widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1391 security@wordfence.com security@wordfence.com security@wordfence.com
webtechstreet — elementor_addon_elements	The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button1_icon’ attribute of the Dual Button widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1392 security@wordfence.com security@wordfence.com security@wordfence.com
webtechstreet — elementor_addon_elements	The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the modal popup widget’s effect setting in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1422 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
wokamoto — simple_tweet	The Simple Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Tweet this text value in all versions up to, and including, 1.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-0700 security@wordfence.com security@wordfence.com security@wordfence.com
wpchill — simple_restrict	The Simple Restrict plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.6 via the REST API. This makes it possible for authenticated attackers to bypass the plugin’s restrictions to extract post titles and content	2024-03-13	5.3	CVE-2024-1083 security@wordfence.com security@wordfence.com
wpdatatables — wpdatatables_-_wordpress_data_table,_dynamic_tables_&_table_charts_plugin	The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘A’ parameter in all versions up to, and including, 3.4.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.	2024-03-13	6.1	CVE-2024-0591 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
wpdevteam — essential_addons_for_elementor_-_best_elementor_templates,_widgets,_kits_&_woocommerce_builders	The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Data Table widget in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1537 security@wordfence.com security@wordfence.com
wpdevteam — essential_blocks_-_page_builder_gutenberg_blocks,_patterns_&_templates	The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blockId parameter in all versions up to, and including, 4.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1854 security@wordfence.com security@wordfence.com
wpeventmanager — wp_event_manager_-_events_calendar,_registrations,_sell_tickets_with_woocommerce	The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the plugin parameter in all versions up to, and including, 3.1.41 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.	2024-03-13	6.1	CVE-2024-0976 security@wordfence.com security@wordfence.com security@wordfence.com
wpgmaps — wp_go_maps_(formerly_wp_google_maps)	The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘wpgmza’ shortcode in all versions up to, and including, 9.0.32 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1582 security@wordfence.com security@wordfence.com
wpgmaps — wp_go_maps_(formerly_wp_google_maps)	The WP Go Maps for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 9.0.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.	2024-03-13	4.4	CVE-2023-4839 security@wordfence.com security@wordfence.com
wpmu_dev — broken_link_checker	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPMU DEV Broken Link Checker allows Stored XSS.This issue affects Broken Link Checker: from n/a through 2.2.3.	2024-03-15	5.9	CVE-2024-25592 audit@patchstack.com
wpswings — ultimate_gift_cards_for_woocommerce_-_create,_redeem_&_manage_digital_gift_certificates_with_personalized_templates	The Ultimate Gift Cards for WooCommerce – Create, Redeem & Manage Digital Gift Certificates with Personalized Templates plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.6 via the wps_wgm_preview_email_template(). This makes it possible for unauthenticated attackers to read password protected and draft posts that may contain sensitive data.	2024-03-16	5.3	CVE-2024-1857 security@wordfence.com security@wordfence.com
wpvividplugins — wpvivid_backup_for_mainwp	The WPvivid Backup for MainWP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 0.9.32 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.	2024-03-13	6.1	CVE-2024-1383 security@wordfence.com security@wordfence.com security@wordfence.com
wpwax — legal_pages	Cross-Site Request Forgery (CSRF), Incorrect Authorization vulnerability in wpWax Legal Pages.This issue affects Legal Pages: from n/a through 1.3.7.	2024-03-15	4.3	CVE-2023-50886 audit@patchstack.com
xpeedstudio — elementskit_elementor_addons	The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blog post read more button in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-16	6.4	CVE-2024-1239 security@wordfence.com security@wordfence.com
xpeedstudio — elementskit_elementor_addons	The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Accordion widget in all versions up to, and including, 3.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-16	6.4	CVE-2024-2042 security@wordfence.com security@wordfence.com security@wordfence.com
xpeedstudio — elementskit_elementor_addons	The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the progress bar element attributes in all versions up to, and including, 3.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This primarily affects multi-site installations and installations where unfiltered_html has been disabled.	2024-03-16	5.5	CVE-2023-6525 security@wordfence.com security@wordfence.com security@wordfence.com
xpeedstudio — metform_elementor_contact_form_builder	The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 3.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-13	6.4	CVE-2024-1585 security@wordfence.com security@wordfence.com security@wordfence.com
xpeedstudio — wp_social_login_and_register_social_counter	The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp_social/v1/ REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to enable and disable certain providers for the social share and login features.	2024-03-13	6.5	CVE-2024-1763 security@wordfence.com security@wordfence.com
yonifre — maspik_-_spam_blacklist	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in yonifre Maspik – Spam Blacklist allows Stored XSS.This issue affects Maspik – Spam Blacklist: from n/a through 0.10.6.	2024-03-13	5.9	CVE-2024-25101 audit@patchstack.com
yooooomi — your_spotify	your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version <1.8.0 allows users to create a public token in the settings, which can be used to provide guest-level access to the information of that specific user in YourSpotify. The /me API endpoint discloses Spotify API access and refresh tokens to guest users. Attackers with access to a public token for guest access to YourSpotify can therefore obtain access to Spotify API tokens of YourSpotify users. As a consequence, attackers may extract profile information, information about listening habits, playlists and other information from the corresponding Spotify profile. In addition, the attacker can pause and resume playback in the Spotify app at will. This issue has been resolved in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this issue.	2024-03-13	6.5	CVE-2024-28193 security-advisories@github.com
yooooomi — your_spotify	your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version < 1.9.0 does not prevent other pages from displaying it in an iframe and is thus vulnerable to clickjacking. Clickjacking can be used to trick an existing user of YourSpotify to trigger actions, such as allowing signup of other users or deleting the current user account. Clickjacking works by opening the target application in an invisible iframe on an attacker-controlled site and luring a victim to visit the attacker page and interacting with it. By positioning elements over the invisible iframe, a victim can be tricked into triggering malicious or destructive actions in the invisible iframe, while they think they interact with a totally different site altogether. When a victim visits an attacker-controlled site while they are logged into YourSpotify, they can be tricked into performing actions on their YourSpotify instance without their knowledge. These actions include allowing signup of other users or deleting the current user account, resulting in a high impact to the integrity of YourSpotify. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-13	6.5	CVE-2024-28196 security-advisories@github.com
yooooomi — your_spotify	your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version <1.8.0 is vulnerable to NoSQL injection in the public access token processing logic. Attackers can fully bypass the public token authentication mechanism, regardless if a public token has been generated before or not, without any user interaction or prerequisite knowledge. This vulnerability allows an attacker to fully bypass the public token authentication mechanism, regardless if a public token has been generated before or not, without any user interaction or prerequisite knowledge. This issue has been addressed in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-13	5.3	CVE-2024-28192 security-advisories@github.com
zemana — antilogger	Zemana AntiLogger v2.74.204.664 is vulnerable to a Memory Information Leak vulnerability by triggering the 0x80002020 IOCTL code of the zam64.sys and zamguard64.sys drivers	2024-03-15	5.5	CVE-2024-2180 help@fluidattacks.com help@fluidattacks.com
zemana — antilogger	Zemana AntiLogger v2.74.204.664 is vulnerable to a Denial of Service (DoS) vulnerability by triggering the 0x80002004 and 0x80002010 IOCTL codes of the zam64.sys and zamguard64.sys drivers.	2024-03-15	5.5	CVE-2024-2204 help@fluidattacks.com help@fluidattacks.com
zemena — antilogger	Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability by triggering the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers.	2024-03-14	5.5	CVE-2024-1853 help@fluidattacks.com help@fluidattacks.com
zoom_video_communications,_inc. — zoom_rooms_client_for_windows	Race condition in the installer for Zoom Rooms Client for Windows before version 5.17.5 may allow an authenticated user to conduct a denial of service via local access.	2024-03-13	5.3	CVE-2024-24692 security@zoom.us

Low Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
bpftrace — bpftrace	If kernel headers need to be extracted, bpftrace will attempt to load them from a temporary directory. An unprivileged attacker could use this to force bcc to load compromised linux headers. Linux distributions which provide kernel headers by default are not affected by default.	2024-03-10	2.8	CVE-2024-2313 security@ubuntu.com security@ubuntu.com
cloudflare — quiche	Cloudflare quiche was discovered to be vulnerable to unbounded storage of information related to connection ID retirement, which could lead to excessive resource consumption. Each QUIC connection possesses a set of connection Identifiers (IDs); see RFC 9000 Section 5.1 https://datatracker.ietf.org/doc/html/rfc9000#section-5.1 . Endpoints declare the number of active connection IDs they are willing to support using the active_connection_id_limit transport parameter. The peer can create new IDs using a NEW_CONNECTION_ID frame but must stay within the active ID limit. This is done by retirement of old IDs, the endpoint sends NEW_CONNECTION_ID includes a value in the retire_prior_to field, which elicits a RETIRE_CONNECTION_ID frame as confirmation. An unauthenticated remote attacker can exploit the vulnerability by sending NEW_CONNECTION_ID frames and manipulating the connection (e.g. by restricting the peer’s congestion window size) so that RETIRE_CONNECTION_ID frames can only be sent at a slower rate than they are received, leading to storage of information related to connection IDs in an unbounded queue. Quiche versions 0.19.2 and 0.20.1 are the earliest to address this problem. There is no workaround for affected versions.	2024-03-12	3.7	CVE-2024-1410 cna@cloudflare.com
collaboraonline — online	Collabora Online is a collaborative online office suite based on LibreOffice technology. Each document in Collabora Online is opened by a separate “Kit” instance in a different “jail” with a unique directory “jailID” name. For security reasons, this directory name is randomly generated and should not be given out to the client. In affected versions of Collabora Online it is possible to use the CELL() function, with the “filename” argument, in the spreadsheet component to get a path which includes this JailID. The impact of this vulnerability in its own is low because it requires to be chained with another vulnerability. Users should upgrade to Collabora Online 23.05.9; Collabora Online 22.05.22; Collabora Online 21.11.10 or higher. There are no known workarounds for this vulnerability.	2024-03-11	2.6	CVE-2024-25114 security-advisories@github.com security-advisories@github.com
dell — poweredge_platform	Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an improper parameter initialization vulnerability. A local low privileged attacker could potentially exploit this vulnerability to read the contents of non-SMM stack memory.	2024-03-13	3.8	CVE-2024-0154 security_alert@emc.com
dell — poweredge_platform	Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an improper parameter initialization vulnerability. A local low privileged attacker could potentially exploit this vulnerability to read the contents of non-SMM stack memory.	2024-03-13	3.8	CVE-2024-0173 security_alert@emc.com
directus — directus	Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user. This issue has been addressed in version 10.10.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-12	2.3	CVE-2024-28238 security-advisories@github.com
discourse — discourse	A vulnerability has been found in Surya2Developer Hostel Management Service 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /check_availability.php of the component HTTP POST Request Handler. The manipulation of the argument oldpassword leads to observable response discrepancy. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256891.	2024-03-15	3.7	CVE-2024-2482 cna@vuldb.com cna@vuldb.com cna@vuldb.com
ibm — maximo_application_suite	IBM Maximo Application Suite 8.10, 8.11 and IBM Maximo Asset Management 7.6.1.3 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 255075.	2024-03-13	3.7	CVE-2023-32335 psirt@us.ibm.com psirt@us.ibm.com psirt@us.ibm.com
iovisor — bpf_compiler_collection	If kernel headers need to be extracted, bcc will attempt to load them from a temporary directory. An unprivileged attacker could use this to force bcc to load compromised linux headers. Linux distributions which provide kernel headers by default are not affected by default.	2024-03-10	2.8	CVE-2024-2314 security@ubuntu.com security@ubuntu.com
keerti1924 — secret-coder-php-project	A vulnerability has been found in keerti1924 Secret-Coder-PHP-Project 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /secret_coder.sql. The manipulation leads to inclusion of sensitive information in source code. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256315. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-10	3.7	CVE-2024-2355 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability, which was classified as problematic, has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected by this issue is some unknown functionality of the file home.php. The manipulation of the argument id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256952. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	3.5	CVE-2024-2515 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0 and classified as problematic. This issue affects some unknown processing of the file book_history.php. The manipulation of the argument id leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256955. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	3.5	CVE-2024-2518 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been classified as problematic. Affected is an unknown function of the file navbar.php. The manipulation of the argument id leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256956. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	3.5	CVE-2024-2519 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/bookdate.php. The manipulation of the argument id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-256958 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	3.5	CVE-2024-2521 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability classified as problematic was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. This vulnerability affects unknown code of the file /admin/booktime.php. The manipulation of the argument id leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256960. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	3.5	CVE-2024-2523 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability, which was classified as problematic, was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected is an unknown function of the file /admin/receipt.php. The manipulation of the argument id leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-256962 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	3.5	CVE-2024-2525 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/rooms.php. The manipulation of the argument id leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256963. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	3.5	CVE-2024-2526 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/update-rooms.php. The manipulation of the argument id leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256967. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	3.5	CVE-2024-2530 cna@vuldb.com cna@vuldb.com cna@vuldb.com
magesh-k21 — online-college-event-hall-reservation-system	A vulnerability, which was classified as problematic, has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected by this issue is some unknown functionality of the file /admin/update-users.php. The manipulation of the argument id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-256970 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-16	3.5	CVE-2024-2533 cna@vuldb.com cna@vuldb.com cna@vuldb.com
mattermost — mattermost	Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.	2024-03-15	3.1	CVE-2024-28053 responsibledisclosure@mattermost.com
mattermost — mattermost_mobile	Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a very large code block and crash the mobile app.	2024-03-15	3.5	CVE-2024-24975 responsibledisclosure@mattermost.com
mha_sistemas — armhazena	A vulnerability classified as problematic has been found in MHA Sistemas arMHAzena 9.6.0.0. This affects an unknown part of the component Cadastro Page. The manipulation of the argument Query leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256887. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-15	3.5	CVE-2024-2479 cna@vuldb.com cna@vuldb.com cna@vuldb.com
microsoft — microsoft_edge_for_android	Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability	2024-03-14	3.9	CVE-2024-26246 secure@microsoft.com
n/a — eve-ng	A vulnerability was found in EVE-NG 5.0.1-13 and classified as problematic. Affected by this issue is some unknown functionality of the component Lab Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-256442 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-12	2.4	CVE-2024-2391 cna@vuldb.com cna@vuldb.com cna@vuldb.com
n/a — intel(r)_local_manageability_service_software	Insertion of sensitive information into log file for some Intel(R) Local Manageability Service software before version 2316.5.1.2 may allow an authenticated user to potentially enable information disclosure via local access.	2024-03-14	3.3	CVE-2023-27502 secure@intel.com
n/a — musicshelf	A vulnerability classified as problematic has been found in Musicshelf 1.0/1.1 on Android. Affected is an unknown function of the file androidmanifest.xml of the component Backup Handler. The manipulation leads to exposure of backup file to an unauthorized control sphere. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256320.	2024-03-10	1.8	CVE-2024-2364 cna@vuldb.com cna@vuldb.com cna@vuldb.com
n/a — musicshelf	A vulnerability classified as problematic was found in Musicshelf 1.0/1.1 on Android. Affected by this vulnerability is an unknown functionality of the file iofabricsdkandroidservicesnetworkPinningTrustManager.java of the component SHA-1 Handler. The manipulation leads to password hash with insufficient computational effort. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-256321 was assigned to this vulnerability.	2024-03-11	1.6	CVE-2024-2365 cna@vuldb.com cna@vuldb.com cna@vuldb.com
n/a — quarkus	A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk.	2024-03-13	3.5	CVE-2024-1979 secalert@redhat.com secalert@redhat.com secalert@redhat.com
papercut — papercut_ng,_papercut_mf	This vulnerability potentially allows files on a PaperCut NG/MF server to be exposed using a specifically formed payload against the impacted API endpoint. The attacker must carry out some reconnaissance to gain knowledge of a system token. This CVE only affects Linux and macOS PaperCut NG/MF servers.	2024-03-14	3.1	CVE-2024-1221 eb41dac7-0af8-4f84-9f6d-0272772514f4
peering-manager — peering-manager	Peering Manager is a BGP session management tool. In Peering Manager <=1.8.2, it is possible to redirect users to an arbitrary page using a crafted url. As a result users can be redirected to an unexpected location. This issue has been addressed in version 1.8.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.	2024-03-12	3.5	CVE-2024-28113 security-advisories@github.com security-advisories@github.com

Severity Not Yet Assigned

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
N/A — N/A	In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: Fix memory leak in amd_sfh_work Kmemleak tool detected a memory leak in the amd_sfh driver. ==================== unreferenced object 0xffff88810228ada0 (size 32): comm “insmod”, pid 3968, jiffies 4295056001 (age 775.792s) hex dump (first 32 bytes): 00 20 73 1f 81 88 ff ff 00 01 00 00 00 00 ad de . s…………. 22 01 00 00 00 00 ad de 01 00 02 00 00 00 00 00 “…………… backtrace: [<000000007b4c8799>] kmem_cache_alloc_trace+0x163/0x4f0 [<0000000005326893>] amd_sfh_get_report+0xa4/0x1d0 [amd_sfh] [<000000002a9e5ec4>] amdtp_hid_request+0x62/0x80 [amd_sfh] [<00000000b8a95807>] sensor_hub_get_feature+0x145/0x270 [hid_sensor_hub] [<00000000fda054ee>] hid_sensor_parse_common_attributes+0x215/0x460 [hid_sensor_iio_common] [<0000000021279ecf>] hid_accel_3d_probe+0xff/0x4a0 [hid_sensor_accel_3d] [<00000000915760ce>] platform_probe+0x6a/0xd0 [<0000000060258a1f>] really_probe+0x192/0x620 [<00000000fa812f2d>] driver_probe_device+0x14a/0x1d0 [<000000005e79f7fd>] __device_attach_driver+0xbd/0x110 [<0000000070d15018>] bus_for_each_drv+0xfd/0x160 [<0000000013a3c312>] __device_attach+0x18b/0x220 [<000000008c7b4afc>] device_initial_probe+0x13/0x20 [<00000000e6e99665>] bus_probe_device+0xfe/0x120 [<00000000833fa90b>] device_add+0x6a6/0xe00 [<00000000fa901078>] platform_device_add+0x180/0x380 ==================== The fix is to freeing request_list entry once the processed entry is removed from the request_list.	2024-03-15	not yet calculated	CVE-2021-47133 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A — N/A	GV-ASManager V6.0.1.0 contains a Local File Inclusion vulnerability in GeoWebServer via Path.	2024-03-11	not yet calculated	CVE-2022-46070 cve@mitre.org
N/A — N/A	Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.1 allows an attacker to obtain sensitive information via the invoice ID parameter.	2024-03-13	not yet calculated	CVE-2023-36238 cve@mitre.org
N/A — N/A	SQL Injection vulnerability in Student Enrollment In PHP 1.0 allows attackers to run arbitrary code via the Student Search function.	2024-03-13	not yet calculated	CVE-2023-41504 cve@mitre.org
N/A — N/A	An arbitrary file upload vulnerability in the Add Student’s Profile Picture function of Student Enrollment In PHP v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.	2024-03-13	not yet calculated	CVE-2023-41505 cve@mitre.org
N/A — N/A	There is a PHP file inclusion vulnerability in the template configuration of eyoucms v1.6.4, allowing attackers to execute code or system commands through a carefully crafted malicious payload.	2024-03-14	not yet calculated	CVE-2023-42286 cve@mitre.org
N/A — N/A	Cross Site Scripting (XSS) vulnerability in Code-Projects Exam Form Submission 1.0 allows attackers to run arbitrary code via “Subject Name” and “Subject Code” section.	2024-03-12	not yet calculated	CVE-2023-42307 cve@mitre.org
N/A — N/A	Cross Site Scripting (XSS) vulnerability in Manage Fastrack Subjects in Code-Projects Exam Form Submission 1.0 allows attackers to run arbitrary code via the “Subject Name” and “Subject Code” Section.	2024-03-12	not yet calculated	CVE-2023-42308 cve@mitre.org
N/A — N/A	Null Pointer Dereference in mask_cidr6 component at cidr.c in Tcpreplay 4.4.4 allows attackers to crash the application via crafted tcprewrite command.	2024-03-12	not yet calculated	CVE-2023-43279 cve@mitre.org
N/A — N/A	Cross Site Scripting vulnerability in My Food Recipe Using PHP with Source Code v.1.0 allows a local attacker to execute arbitrary code via a crafted payload to the Recipe Name, Procedure, and ingredients parameters.	2024-03-12	not yet calculated	CVE-2023-43292 cve@mitre.org
N/A — N/A	Reflected cross-site scripting (XSS) vulnerability in Racktables v0.22.0 and before, allows local attackers to execute arbitrary code and obtain sensitive information via the search component in index.php.	2024-03-12	not yet calculated	CVE-2023-49453 cve@mitre.org
N/A — N/A	An issue in NETGEAR-DGND4000 v.1.1.00.15_1.00.15 allows a remote attacker to escalate privileges via the next_file parameter to the /setup.cgi component.	2024-03-14	not yet calculated	CVE-2023-50677 cve@mitre.org
N/A — N/A	djangorestframework-simplejwt version 5.3.1 and before is vulnerable to information disclosure. A user can access web application resources even after their account has been disabled due to missing user validation checks via the for_user method.	2024-03-16	not yet calculated	CVE-2024-22513 cve@mitre.org
N/A — N/A	SQL Injection vulnerability in Code-projects.org Scholars Tracking System 1.0 allows attackers to run arbitrary code via login.php.	2024-03-12	not yet calculated	CVE-2024-24092 cve@mitre.org
N/A — N/A	SQL Injection vulnerability in Code-projects Scholars Tracking System 1.0 allows attackers to run arbitrary code via Personal Information Update information.	2024-03-12	not yet calculated	CVE-2024-24093 cve@mitre.org
N/A — N/A	Cross Site Scripting (XSS) vulnerability in Code-projects Scholars Tracking System 1.0 allows attackers to run arbitrary code via the News Feed.	2024-03-12	not yet calculated	CVE-2024-24097 cve@mitre.org
N/A — N/A	Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection under Eligibility Information Update.	2024-03-12	not yet calculated	CVE-2024-24101 cve@mitre.org
N/A — N/A	SQL Injection vulnerability in Code-projects Computer Science Time Table System 1.0 allows attackers to run arbitrary code via adminFormvalidation.php.	2024-03-13	not yet calculated	CVE-2024-24105 cve@mitre.org
N/A — N/A	Cross Site Scripting (XSS) vulnerability in Gnuboard g6 before Github commit 58c737a263ac0c523592fd87ff71b9e3c07d7cf5, allows remote attackers execute arbitrary code via the wr_content parameter.	2024-03-16	not yet calculated	CVE-2024-24156 cve@mitre.org
N/A — N/A	In TP-Link Omada er605 1.0.1 through (v2.6) 2.2.3, a cloud-brd binary is susceptible to an integer overflow that leads to a heap-based buffer overflow. After heap shaping, an attacker can achieve code execution in the context of the cloud-brd binary that runs at the root level. This is fixed in ER605(UN)_v2_2.2.4 Build 020240119.	2024-03-14	not yet calculated	CVE-2024-25139 cve@mitre.org cve@mitre.org
N/A — N/A	SQL Injection vulnerability in ABO.CMS version 5.8, allows remote attackers to execute arbitrary code, cause a denial of service (DoS), escalate privileges, and obtain sensitive information via the tb_login parameter in admin login page.	2024-03-15	not yet calculated	CVE-2024-25227 cve@mitre.org
N/A — N/A	Vinchin Backup and Recovery 7.2 and Earlier is vulnerable to Authenticated Remote Code Execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php.	2024-03-14	not yet calculated	CVE-2024-25228 cve@mitre.org cve@mitre.org
N/A — N/A	SQL Injection vulnerability in code-projects Agro-School Management System 1.0 allows attackers to run arbitrary code via the Login page.	2024-03-13	not yet calculated	CVE-2024-25250 cve@mitre.org
N/A — N/A	SQL injection vulnerability in Employee Management System v.1.0 allows a local attacker to obtain sensitive information via a crafted payload to the txtemail parameter in the login.php.	2024-03-12	not yet calculated	CVE-2024-25325 cve@mitre.org
N/A — N/A	DIR-822 Rev. B Firmware v2.02KRB09 and DIR-822-CA Rev. B Firmware v2.03WWb01 suffer from a LAN-Side Unauthenticated Remote Code Execution (RCE) vulnerability elevated from HNAP Stack-Based Buffer Overflow.	2024-03-12	not yet calculated	CVE-2024-25331 cve@mitre.org cve@mitre.org
N/A — N/A	In Delinea PAM Secret Server 11.4, it is possible for an attacker (with Administrator access to the Secret Server machine) to read the following data from a memory dump: the decrypted master key, database credentials (when SQL Server Authentication is enabled), the encryption key of RabbitMQ queue messages, and session cookies.	2024-03-14	not yet calculated	CVE-2024-25649 cve@mitre.org
N/A — N/A	Insecure key exchange between Delinea PAM Secret Server 11.4 and the Distributed Engine 8.4.3 allows a PAM administrator to obtain the Symmetric Key (used to encrypt RabbitMQ messages) via crafted payloads to the /pre-authenticate, /authenticate, and /execute-and-respond REST API endpoints. This makes it possible for a PAM administrator to impersonate the Engine and exfiltrate sensitive information from the messages published in the RabbitMQ exchanges, without being audited in the application.	2024-03-14	not yet calculated	CVE-2024-25650 cve@mitre.org
N/A — N/A	User enumeration can occur in the Authentication REST API in Delinea PAM Secret Server 11.4. This allows a remote attacker to determine whether a user is valid because of a difference in responses from the /oauth2/token endpoint.	2024-03-14	not yet calculated	CVE-2024-25651 cve@mitre.org
N/A — N/A	In Delinea PAM Secret Server 11.4, it is possible for a user (with access to the Report functionality) to gain unauthorized access to remote sessions created by legitimate users.	2024-03-14	not yet calculated	CVE-2024-25652 cve@mitre.org
N/A — N/A	Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports via the Report functionality in the Web UI.	2024-03-14	not yet calculated	CVE-2024-25653 cve@mitre.org
N/A — N/A	Cross Site Scripting (XSS) vulnerability in Sourcecodester Insurance Management System 1.0 allows attackers to run arbitrary code via the Subject and Description fields when submitting a support ticket.	2024-03-11	not yet calculated	CVE-2024-25854 cve@mitre.org
N/A — N/A	A Cross Site Scripting vulnerability in Healthcare-Chatbot through 9b7058a can occur via a crafted payload to the email1 or pwd1 parameter in login.php.	2024-03-15	not yet calculated	CVE-2024-26454 cve@mitre.org cve@mitre.org
N/A — N/A	An issue in radareorg radare2 v.0.9.7 through v.5.8.6 and fixed in v.5.8.8 allows a local attacker to cause a denial of service via the grub_sfs_read_extent function.	2024-03-14	not yet calculated	CVE-2024-26475 cve@mitre.org
N/A — N/A	Unrestricted File Upload vulnerability in Greek Universities Network Open eClass v.3.15 and earlier allows attackers to run arbitrary code via upload of crafted file to certbadge.php endpoint.	2024-03-14	not yet calculated	CVE-2024-26503 cve@mitre.org
N/A — N/A	HTML Injection vulnerability in CE Phoenix v1.0.8.20 and before allows a remote attacker to execute arbitrary code, escalate privileges, and obtain sensitive information via a crafted payload to the english.php component.	2024-03-12	not yet calculated	CVE-2024-26521 cve@mitre.org cve@mitre.org
N/A — N/A	An issue in mz-automation libiec61850 v.1.5.3 and before, allows a remote attacker to cause a denial of service (DoS) via the mmsServer_handleDeleteNamedVariableListRequest function of src/mms/iso_mms/server/mms_named_variable_list_service.c.	2024-03-13	not yet calculated	CVE-2024-26529 cve@mitre.org cve@mitre.org
N/A — N/A	A heap-based buffer overflow in Clmg before 3.3.3 can occur via a crafted file to cimg_library::CImg<unsigned char>::_load_analyze.	2024-03-15	not yet calculated	CVE-2024-26540 cve@mitre.org
N/A — N/A	In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.	2024-03-15	not yet calculated	CVE-2024-27351 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do title parameter.	2024-03-13	not yet calculated	CVE-2024-27703 cve@mitre.org
N/A — N/A	An issue in GLPI v.10.0.12 and before allows a remote attacker to execute arbitrary code, escalate privileges, and obtain sensitive information via a crafted script to the title field.	2024-03-15	not yet calculated	CVE-2024-27756 cve@mitre.org
N/A — N/A	In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution.	2024-03-12	not yet calculated	CVE-2024-27758 cve@mitre.org cve@mitre.org
N/A — N/A	A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to access sensitive information and potentially conduct unauthorized actions within the vulnerable component.	2024-03-16	not yet calculated	CVE-2024-28069 cve@mitre.org
N/A — N/A	A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient input validation. A successful exploit could allow an attacker to access sensitive information and gain unauthorized access.	2024-03-16	not yet calculated	CVE-2024-28070 cve@mitre.org
N/A — N/A	gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain a out of boundary write vulnerability via swf_get_string at scene_manager/swf_parse.c:325	2024-03-15	not yet calculated	CVE-2024-28318 cve@mitre.org
N/A — N/A	gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an out of boundary read vulnerability via gf_dash_setup_period media_tools/dash_client.c:6374	2024-03-15	not yet calculated	CVE-2024-28319 cve@mitre.org
N/A — N/A	The bwdates-report-result.php file in Phpgurukul User Registration & Login and User Management System 3.1 contains a potential security vulnerability related to user input validation. The script retrieves user-provided date inputs without proper validation, making it susceptible to SQL injection attacks.	2024-03-14	not yet calculated	CVE-2024-28323 cve@mitre.org
N/A — N/A	A login bypass in TOTOLINK A8000RU V7.1cu.643_B20200521 allows attackers to login to Administrator accounts via providing a crafted session cookie.	2024-03-12	not yet calculated	CVE-2024-28338 cve@mitre.org
N/A — N/A	An information leak in the debuginfo.htm component of Netgear CBR40 2.5.0.28, Netgear CBK40 2.5.0.28, and Netgear CBK43 2.5.0.28 allows attackers to obtain sensitive information without any authentication required.	2024-03-12	not yet calculated	CVE-2024-28339 cve@mitre.org cve@mitre.org
N/A — N/A	An information leak in the currentsetting.htm component of Netgear CBR40 2.5.0.28, Netgear CBK40 2.5.0.28, and Netgear CBK43 2.5.0.28 allows attackers to obtain sensitive information without any authentication required.	2024-03-12	not yet calculated	CVE-2024-28340 cve@mitre.org cve@mitre.org
N/A — N/A	There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the post request parameters usapps.config.smb_admin_name in the apply.cgi interface, thereby gaining root shell privileges.	2024-03-15	not yet calculated	CVE-2024-28353 cve@mitre.org
N/A — N/A	There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the post request parameters usapps.@smb[%d].username in the apply.cgi interface, thereby gaining root shell privileges.	2024-03-15	not yet calculated	CVE-2024-28354 cve@mitre.org
N/A — N/A	Tenda AX12 v1.0 v22.03.01.16 was discovered to contain a stack overflow via the ssid parameter in the sub_431CF0 function.	2024-03-14	not yet calculated	CVE-2024-28383 cve@mitre.org
N/A — N/A	SQL injection vulnerability in SunnyToo stproductcomments module for PrestaShop v.1.0.5 and before, allows a remote attacker to escalate privileges and obtain sensitive information via the StProductCommentClass::getListcomments method.	2024-03-14	not yet calculated	CVE-2024-28388 cve@mitre.org
N/A — N/A	An issue in Advanced Plugins ultimateimagetool module for PrestaShop before v.2.2.01, allows a remote attacker to escalate privileges and obtain sensitive information via Improper Access Control.	2024-03-14	not yet calculated	CVE-2024-28390 cve@mitre.org
N/A — N/A	SQL injection vulnerability in FME Modules quickproducttable module for PrestaShop v.1.2.1 and before, allows a remote attacker to escalate privileges and obtain information via the readCsv(), displayAjaxProductChangeAttr, displayAjaxProductAddToCart, getSearchProducts, and displayAjaxProductSku methods.	2024-03-14	not yet calculated	CVE-2024-28391 cve@mitre.org
N/A — N/A	TOTOLINK X2000R before v1.0.0-B20231213.1013 contains a Store Cross-site scripting (XSS) vulnerability in Root Access Control under the Wireless Page.	2024-03-15	not yet calculated	CVE-2024-28401 cve@mitre.org cve@mitre.org
N/A — N/A	TOTOLINK X2000R before V1.0.0-B20231213.1013 is vulnerable to Cross Site Scripting (XSS) via the VPN Page.	2024-03-15	not yet calculated	CVE-2024-28403 cve@mitre.org cve@mitre.org
N/A — N/A	TOTOLINK X2000R before V1.0.0-B20231213.1013 contains a Stored Cross-site scripting (XSS) vulnerability in MAC Filtering under the Firewall Page.	2024-03-15	not yet calculated	CVE-2024-28404 cve@mitre.org cve@mitre.org
N/A — N/A	Webedition CMS 9.2.2.0 has a Stored XSS vulnerability via /webEdition/we_cmd.php.	2024-03-14	not yet calculated	CVE-2024-28417 cve@mitre.org
N/A — N/A	Webedition CMS 9.2.2.0 has a File upload vulnerability via /webEdition/we_cmd.php	2024-03-14	not yet calculated	CVE-2024-28418 cve@mitre.org
N/A — N/A	Airflow-Diagrams v2.1.0 was discovered to contain an arbitrary file upload vulnerability in the unsafe_load function at cli.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted YML file.	2024-03-14	not yet calculated	CVE-2024-28423 cve@mitre.org
N/A — N/A	zenml v0.55.4 was discovered to contain an arbitrary file upload vulnerability in the load function at /materializers/cloudpickle_materializer.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted file.	2024-03-14	not yet calculated	CVE-2024-28424 cve@mitre.org
N/A — N/A	greykite v1.0.0 was discovered to contain an arbitrary file upload vulnerability in the load_obj function at /templates/pickle_utils.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted file.	2024-03-14	not yet calculated	CVE-2024-28425 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/archives_do.php	2024-03-13	not yet calculated	CVE-2024-28429 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/catalog_edit.php.	2024-03-13	not yet calculated	CVE-2024-28430 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/catalog_del.php.	2024-03-13	not yet calculated	CVE-2024-28431 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/article_edit.php.	2024-03-13	not yet calculated	CVE-2024-28432 cve@mitre.org
N/A — N/A	Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the mitInterface parameter of fromAddressNat function.	2024-03-12	not yet calculated	CVE-2024-28535 cve@mitre.org
N/A — N/A	Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the entrys parameter fromAddressNat function.	2024-03-12	not yet calculated	CVE-2024-28553 cve@mitre.org
N/A — N/A	RiteCMS v3.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component main_menu/edit_section.	2024-03-13	not yet calculated	CVE-2024-28623 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in TOTOLink X5000R V9.1.0u.6118-B20201102 and A7000R V9.1.0u.6115-B20201022, allow remote attackers to execute arbitrary code and cause a denial of service (DoS) via the IP field.	2024-03-16	not yet calculated	CVE-2024-28639 cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in TOTOLink X5000R V9.1.0u.6118-B20201102 and A7000R V9.1.0u.6115-B20201022 allows a remote attacker to cause a denial of service (D0S) via the command field.	2024-03-16	not yet calculated	CVE-2024-28640 cve@mitre.org
N/A — N/A	A Cross Site Scripting vulnerability exists in Piwigo before 14.3.0 script because of missing sanitization in create_tag in admin/include/functions.php.	2024-03-13	not yet calculated	CVE-2024-28662 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/article_add.php	2024-03-13	not yet calculated	CVE-2024-28665 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/media_add.php	2024-03-13	not yet calculated	CVE-2024-28666 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/templets_one_edit.php	2024-03-13	not yet calculated	CVE-2024-28667 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/mychannel_add.php	2024-03-13	not yet calculated	CVE-2024-28668 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/freelist_edit.php.	2024-03-13	not yet calculated	CVE-2024-28669 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/freelist_main.php.	2024-03-13	not yet calculated	CVE-2024-28670 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/stepselect_main.php.	2024-03-13	not yet calculated	CVE-2024-28671 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/media_edit.php.	2024-03-13	not yet calculated	CVE-2024-28672 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/mychannel_edit.php.	2024-03-13	not yet calculated	CVE-2024-28673 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/diy_edit.php	2024-03-13	not yet calculated	CVE-2024-28675 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a cross-site scripting (XSS) vulnerability via /dede/article_edit.php.	2024-03-13	not yet calculated	CVE-2024-28676 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/article_keywords_main.php.	2024-03-13	not yet calculated	CVE-2024-28677 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/article_description_main.php	2024-03-13	not yet calculated	CVE-2024-28678 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a cross-site scripting (XSS) vulnerability via Photo Collection.	2024-03-13	not yet calculated	CVE-2024-28679 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/diy_add.php.	2024-03-13	not yet calculated	CVE-2024-28680 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/plus_edit.php.	2024-03-13	not yet calculated	CVE-2024-28681 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/sys_cache_up.php.	2024-03-13	not yet calculated	CVE-2024-28682 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a cross-site scripting (XSS) vulnerability via create file.	2024-03-13	not yet calculated	CVE-2024-28683 cve@mitre.org
N/A — N/A	DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/module_main.php	2024-03-13	not yet calculated	CVE-2024-28684 cve@mitre.org
N/A — N/A	Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access. Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability	2024-03-14	not yet calculated	CVE-2024-28746 security@apache.org security@apache.org
N/A — N/A	A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.	2024-03-15	not yet calculated	CVE-2024-28752 security@apache.org
N/A — N/A	libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).	2024-03-10	not yet calculated	CVE-2024-28757 cve@mitre.org cve@mitre.org
N/A — N/A	Student Information Chatbot a0196ab allows SQL injection via the username to the login function in index.php.	2024-03-11	not yet calculated	CVE-2024-28816 cve@mitre.org
N/A — N/A	Amazon AWS aws-js-s3-explorer (aka AWS JavaScript S3 Explorer) 1.0.0 allows XSS via a crafted S3 bucket name to index.html.	2024-03-11	not yet calculated	CVE-2024-28823 cve@mitre.org cve@mitre.org
amd — cpu	A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.	2024-03-15	not yet calculated	CVE-2024-2193 cret@cert.org cret@cert.org cret@cert.org cret@cert.org cret@cert.org cret@cert.org cret@cert.org cret@cert.org
apache_software_foundation — apache_doris	The authentication method in Apache Doris versions before 2.0.0 was vulnerable to timing attacks. Users are recommended to upgrade to version 2.0.0 + or 1.2.8, which fixes this issue.	2024-03-12	not yet calculated	CVE-2023-41313 security@apache.org
apache_software_foundation — apache_tomcat	Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.	2024-03-13	not yet calculated	CVE-2024-23672 security@apache.org
apache_software_foundation — apache_tomcat	Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.	2024-03-13	not yet calculated	CVE-2024-24549 security@apache.org
apache_software_foundation — apache_zookeeper	Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn’t do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It’s important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.	2024-03-15	not yet calculated	CVE-2024-23944 security@apache.org
apple — garageband	A use-after-free issue was addressed with improved memory management. This issue is fixed in GarageBand 10.4.11. Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution.	2024-03-12	not yet calculated	CVE-2024-23300 product-security@apple.com product-security@apple.com
apple — itunes_for_windows	A logic issue was addressed with improved checks. This issue is fixed in iTunes 12.13.1 for Windows. A local attacker may be able to elevate their privileges.	2024-03-14	not yet calculated	CVE-2023-42938 product-security@apple.com product-security@apple.com
apple — xcode	A logic issue was addressed with improved state management.	2024-03-15	not yet calculated	CVE-2024-23298 product-security@apple.com
devolutions — remote_desktop_manager	Improper cleanup in temporary file handling component in Devolutions Remote Desktop Manager 2024.1.12 and earlier on Windows allows an attacker that compromised a user endpoint, under specific circumstances, to access sensitive information via residual files in the temporary directory.	2024-03-13	not yet calculated	CVE-2024-2403 security@devolutions.net
google — android	In attp_build_value_cmd of att_protocol.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-0039 security@android.com security@android.com security@android.com security@android.com
google — android	In createSessionInternal of PackageInstallerService.java, there is a possible run-as any app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-0044 security@android.com security@android.com security@android.com security@android.com
google — android	In smp_proc_sec_req of smp_act.cc, there is a possible out of bounds read due to improper input validation. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-0045 security@android.com security@android.com
google — android	In installExistingPackageAsUser of InstallPackageHelper.java, there is a possible carrier restriction bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-0046 security@android.com security@android.com
google — android	In writeUserLP of UserManagerService.java, device policies are serialized with an incorrect tag due to a logic error in the code. This could lead to local denial of service when policies are deserialized on reboot with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-0047 security@android.com security@android.com security@android.com security@android.com
google — android	In Session of AccountManagerService.java, there is a possible method to retain foreground service privileges due to incorrect handling of null responses. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-0048 security@android.com security@android.com
google — android	In multiple locations, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-0049 security@android.com security@android.com
google — android	In getConfig of SoftVideoDecoderOMXComponent.cpp, there is a possible out of bounds write due to a missing validation check. This could lead to a local non-security issue with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-0050 security@android.com security@android.com
google — android	In onQueueFilled of SoftMPEG4.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-0051 security@android.com security@android.com
google — android	In multiple functions of healthconnect, there is a possible leakage of exercise route data due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-0052 security@android.com security@android.com
google — android	In getCustomPrinterIcon of PrintManagerService.java, there is a possible way to view other user’s images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-0053 security@android.com security@android.com
google — android	there is a possible Authentication Bypass due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-22005 dsap-vuln-management@google.com
google — android	OOB read in the TMU plugin that allows for memory disclosure in the power management subsystem of the device.	2024-03-11	not yet calculated	CVE-2024-22006 dsap-vuln-management@google.com
google — android	In constraint_check of fvp.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-22007 dsap-vuln-management@google.com
google — android	In config_gov_time_windows of tmu.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-22008 dsap-vuln-management@google.com
google — android	In init_data of , there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-22009 dsap-vuln-management@google.com
google — android	In dvfs_plugin_caller of fvp.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-22010 dsap-vuln-management@google.com
google — android	In ss_ProcessRejectComponent of ss_MmConManagement.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-22011 dsap-vuln-management@google.com
google — android	In access_secure_service_from_temp_bond of btm_sec.cc, there is a possible way to achieve keystroke injection due to improper input validation. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-23717 security@android.com security@android.com
google — android	In dumpBatteryDefend of dump_power.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-25984 dsap-vuln-management@google.com
google — android	In bigo_unlocked_ioctl of bigo.c, there is a possible UAF due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-25985 dsap-vuln-management@google.com
google — android	In ppmp_unprotect_buf of drm_fw.c, there is a possible compromise of protected memory due to a logic error in the code. This could lead to local escalation of privilege to TEE with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-25986 dsap-vuln-management@google.com
google — android	In pt_sysctl_command of pt.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-25987 dsap-vuln-management@google.com
google — android	In SAEMM_DiscloseGuti of SAEMM_RadioMessageCodec.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-25988 dsap-vuln-management@google.com
google — android	In gpu_slc_liveness_update of pixel_gpu_slc.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-25989 dsap-vuln-management@google.com
google — android	In pktproc_perftest_gen_rx_packet_sktbuf_mode of link_rx_pktproc.c, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-25990 dsap-vuln-management@google.com
google — android	In acpm_tmu_ipc_handler of tmu_plugin.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-25991 dsap-vuln-management@google.com
google — android	In tmu_tz_control of tmu.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-25992 dsap-vuln-management@google.com
google — android	In tmu_reset_tmu_trip_counter of , there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-25993 dsap-vuln-management@google.com
google — android	In tmu_set_gov_active of tmu.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27204 dsap-vuln-management@google.com
google — android	there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27205 dsap-vuln-management@google.com
google — android	there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27206 dsap-vuln-management@google.com
google — android	Exported broadcast receivers allowing malicious apps to bypass broadcast protection.	2024-03-11	not yet calculated	CVE-2024-27207 dsap-vuln-management@google.com
google — android	there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27208 dsap-vuln-management@google.com
google — android	there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27209 dsap-vuln-management@google.com
google — android	In policy_check of fvp.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27210 dsap-vuln-management@google.com
google — android	In AtiHandleAPOMsgType of ati_Main.c, there is a possible OOB write due to a missing null check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27211 dsap-vuln-management@google.com
google — android	In init_data of , there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27212 dsap-vuln-management@google.com
google — android	In BroadcastSystemMessage of servicemgr.cpp, there is a possible Remote Code Execution due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27213 dsap-vuln-management@google.com
google — android	In update_freq_data of , there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27218 dsap-vuln-management@google.com
google — android	In tmu_set_pi of tmu.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27219 dsap-vuln-management@google.com
google — android	In lpm_req_handler of , there is a possible out of bounds memory access due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27220 dsap-vuln-management@google.com
google — android	In update_policy_data of , there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27221 dsap-vuln-management@google.com
google — android	In onSkipButtonClick of FaceEnrollFoldPage.java, there is a possible way to access the file the app cannot access due to Intent Redirect GRANT_URI_PERMISSIONS Attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27222 dsap-vuln-management@google.com
google — android	In EUTRAN_LCS_DecodeFacilityInformationElement of LPP_LcsManagement.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure after authenticating the cell connection with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27223 dsap-vuln-management@google.com
google — android	In strncpy of strncpy.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27224 dsap-vuln-management@google.com
google — android	In sendHciCommand of bluetooth_hci.cc, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27225 dsap-vuln-management@google.com
google — android	In tmu_config_gov_params of , there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27226 dsap-vuln-management@google.com
google — android	A malicious DNS response can trigger a number of OOB reads, writes, and other memory issues	2024-03-11	not yet calculated	CVE-2024-27227 dsap-vuln-management@google.com
google — android	there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27228 dsap-vuln-management@google.com
google — android	In ss_SendCallBarringPwdRequiredIndMsg of ss_CallBarring.c, there is a possible null pointer deref due to a missing null check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27229 dsap-vuln-management@google.com
google — android	In ProtocolPsKeepAliveStatusAdapter::getCode() of protocolpsadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27230 dsap-vuln-management@google.com
google — android	In ppcfw_init_secpolicy of ppcfw.c, there is a possible permission bypass due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27233 dsap-vuln-management@google.com
google — android	In fvp_set_target of fvp.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27234 dsap-vuln-management@google.com
google — android	In plugin_extern_func of , there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27235 dsap-vuln-management@google.com
google — android	In aoc_unlocked_ioctl of aoc.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27236 dsap-vuln-management@google.com
google — android	In wipe_ns_memory of nsmemwipe.c, there is a possible incorrect size calculation due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.	2024-03-11	not yet calculated	CVE-2024-27237 dsap-vuln-management@google.com
google — chrome	Use after free in Performance Manager in Google Chrome prior to 122.0.6261.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)	2024-03-13	not yet calculated	CVE-2024-2400 chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com
hp_inc. — hp_pc_bios	A potential security vulnerability has been reported in the system BIOS of certain HP PC products, which might allow memory tampering. HP is releasing mitigation for the potential vulnerability.	2024-03-12	not yet calculated	CVE-2023-5410 hp-security-alert@hp.com
implem_inc. — pleasanter_	Pleasanter 1.3.49.0 and earlier contains a cross-site scripting vulnerability. If an attacker tricks the user to access the product with a specially crafted URL and perform a specific operation, an arbitrary script may be executed on the web browser of the user.	2024-03-12	not yet calculated	CVE-2024-21584 vultures@jpcert.or.jp vultures@jpcert.or.jp
linux — linux	In the Linux kernel, the following vulnerability has been resolved: btrfs: scrub: avoid use-after-free when chunk length is not 64K aligned [BUG] There is a bug report that, on a ext4-converted btrfs, scrub leads to various problems, including: – “unable to find chunk map” errors BTRFS info (device vdb): scrub: started on devid 1 BTRFS critical (device vdb): unable to find chunk map for logical 2214744064 length 4096 BTRFS critical (device vdb): unable to find chunk map for logical 2214744064 length 45056 This would lead to unrepariable errors. – Use-after-free KASAN reports: ================================================================== BUG: KASAN: slab-use-after-free in __blk_rq_map_sg+0x18f/0x7c0 Read of size 8 at addr ffff8881013c9040 by task btrfs/909 CPU: 0 PID: 909 Comm: btrfs Not tainted 6.7.0-x64v3-dbg #11 c50636e9419a8354555555245df535e380563b2b Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 2023.11-2 12/24/2023 Call Trace: <TASK> dump_stack_lvl+0x43/0x60 print_report+0xcf/0x640 kasan_report+0xa6/0xd0 __blk_rq_map_sg+0x18f/0x7c0 virtblk_prep_rq.isra.0+0x215/0x6a0 [virtio_blk 19a65eeee9ae6fcf02edfad39bb9ddee07dcdaff] virtio_queue_rqs+0xc4/0x310 [virtio_blk 19a65eeee9ae6fcf02edfad39bb9ddee07dcdaff] blk_mq_flush_plug_list.part.0+0x780/0x860 __blk_flush_plug+0x1ba/0x220 blk_finish_plug+0x3b/0x60 submit_initial_group_read+0x10a/0x290 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] flush_scrub_stripes+0x38e/0x430 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] scrub_stripe+0x82a/0xae0 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] scrub_chunk+0x178/0x200 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] scrub_enumerate_chunks+0x4bc/0xa30 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] btrfs_scrub_dev+0x398/0x810 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] btrfs_ioctl+0x4b9/0x3020 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] __x64_sys_ioctl+0xbd/0x100 do_syscall_64+0x5d/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7f47e5e0952b – Crash, mostly due to above use-after-free [CAUSE] The converted fs has the following data chunk layout: item 2 key (FIRST_CHUNK_TREE CHUNK_ITEM 2214658048) itemoff 16025 itemsize 80 length 86016 owner 2 stripe_len 65536 type DATA\|single For above logical bytenr 2214744064, it’s at the chunk end (2214658048 + 86016 = 2214744064). This means btrfs_submit_bio() would split the bio, and trigger endio function for both of the two halves. However scrub_submit_initial_read() would only expect the endio function to be called once, not any more. This means the first endio function would already free the bbio::bio, leaving the bvec freed, thus the 2nd endio call would lead to use-after-free. [FIX] – Make sure scrub_read_endio() only updates bits in its range Since we may read less than 64K at the end of the chunk, we should not touch the bits beyond chunk boundary. – Make sure scrub_submit_initial_read() only to read the chunk range This is done by calculating the real number of sectors we need to read, and add sector-by-sector to the bio. Thankfully the scrub read repair path won’t need extra fixes: – scrub_stripe_submit_repair_read() With above fixes, we won’t update error bit for range beyond chunk, thus scrub_stripe_submit_repair_read() should never submit any read beyond the chunk.	2024-03-11	not yet calculated	CVE-2024-26616 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: neighbour: allow NUD_NOARP entries to be forced GCed IFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. It’s possible to fill up the neighbour table with enough entries that it will overflow for valid connections after that. This behaviour is more prevalent after commit 58956317c8de (“neighbor: Improve garbage collection”) is applied, as it prevents removal from entries that are not NUD_FAILED, unless they are more than 5s old.	2024-03-15	not yet calculated	CVE-2021-47109 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Disable kvmclock on all CPUs on shutdown Currenly, we disable kvmclock from machine_shutdown() hook and this only happens for boot CPU. We need to disable it for all CPUs to guard against memory corruption e.g. on restore from hibernate. Note, writing ‘0’ to kvmclock MSR doesn’t clear memory location, it just prevents hypervisor from updating the location so for the short while after write and while CPU is still alive, the clock remains usable and correct so we don’t need to switch to some other clocksource.	2024-03-15	not yet calculated	CVE-2021-47110 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: xen-netback: take a reference to the RX task thread Do this in order to prevent the task from being freed if the thread returns (which can be triggered by the frontend) before the call to kthread_stop done as part of the backend tear down. Not taking the reference will lead to a use-after-free in that scenario. Such reference was taken before but dropped as part of the rework done in 2ac061ce97f4. Reintroduce the reference taking and add a comment this time explaining why it’s needed. This is XSA-374 / CVE-2021-28691.	2024-03-15	not yet calculated	CVE-2021-47111 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Teardown PV features on boot CPU as well Various PV features (Async PF, PV EOI, steal time) work through memory shared with hypervisor and when we restore from hibernation we must properly teardown all these features to make sure hypervisor doesn’t write to stale locations after we jump to the previously hibernated kernel (which can try to place anything there). For secondary CPUs the job is already done by kvm_cpu_down_prepare(), register syscore ops to do the same for boot CPU.	2024-03-15	not yet calculated	CVE-2021-47112 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: btrfs: abort in rename_exchange if we fail to insert the second ref Error injection stress uncovered a problem where we’d leave a dangling inode ref if we failed during a rename_exchange. This happens because we insert the inode ref for one side of the rename, and then for the other side. If this second inode ref insert fails we’ll leave the first one dangling and leave a corrupt file system behind. Fix this by aborting if we did the insert for the first inode ref.	2024-03-15	not yet calculated	CVE-2021-47113 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix data corruption by fallocate When fallocate punches holes out of inode size, if original isize is in the middle of last cluster, then the part from isize to the end of the cluster will be zeroed with buffer write, at that time isize is not yet updated to match the new size, if writeback is kicked in, it will invoke ocfs2_writepage()->block_write_full_page() where the pages out of inode size will be dropped. That will cause file corruption. Fix this by zero out eof blocks when extending the inode size. Running the following command with qemu-image 4.2.1 can get a corrupted coverted image file easily. qemu-img convert -p -t none -T none -f qcow2 $qcow_image -O qcow2 -o compat=1.1 $qcow_image.conv The usage of fallocate in qemu is like this, it first punches holes out of inode size, then extend the inode size. fallocate(11, FALLOC_FL_KEEP_SIZE\|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0 fallocate(11, 0, 2276196352, 65536) = 0 v1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html v2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/	2024-03-15	not yet calculated	CVE-2021-47114 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_mb_init_backend on error path. Fix a memory leak discovered by syzbot when a file system is corrupted with an illegally large s_log_groups_per_flex.	2024-03-15	not yet calculated	CVE-2021-47116 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed We got follow bug_on when run fsstress with injecting IO fault: [130747.323114] kernel BUG at fs/ext4/extents_status.c:762! [130747.323117] Internal error: Oops – BUG: 0 [#1] SMP …… [130747.334329] Call trace: [130747.334553] ext4_es_cache_extent+0x150/0x168 [ext4] [130747.334975] ext4_cache_extents+0x64/0xe8 [ext4] [130747.335368] ext4_find_extent+0x300/0x330 [ext4] [130747.335759] ext4_ext_map_blocks+0x74/0x1178 [ext4] [130747.336179] ext4_map_blocks+0x2f4/0x5f0 [ext4] [130747.336567] ext4_mpage_readpages+0x4a8/0x7a8 [ext4] [130747.336995] ext4_readpage+0x54/0x100 [ext4] [130747.337359] generic_file_buffered_read+0x410/0xae8 [130747.337767] generic_file_read_iter+0x114/0x190 [130747.338152] ext4_file_read_iter+0x5c/0x140 [ext4] [130747.338556] __vfs_read+0x11c/0x188 [130747.338851] vfs_read+0x94/0x150 [130747.339110] ksys_read+0x74/0xf0 This patch’s modification is according to Jan Kara’s suggestion in: https://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/ “I see. Now I understand your patch. Honestly, seeing how fragile is trying to fix extent tree after split has failed in the middle, I would probably go even further and make sure we fix the tree properly in case of ENOSPC and EDQUOT (those are easily user triggerable). Anything else indicates a HW problem or fs corruption so I’d rather leave the extent tree as is and don’t try to fix it (which also means we will not create overlapping extents).”	2024-03-15	not yet calculated	CVE-2021-47117 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: pid: take a reference when initializing `cad_pid` During boot, kernel_init_freeable() initializes `cad_pid` to the init task’s struct pid. Later on, we may change `cad_pid` via a sysctl, and when this happens proc_do_cad_pid() will increment the refcount on the new pid via get_pid(), and will decrement the refcount on the old pid via put_pid(). As we never called get_pid() when we initialized `cad_pid`, we decrement a reference we never incremented, can therefore free the init task’s struct pid early. As there can be dangling references to the struct pid, we can later encounter a use-after-free (e.g. when delivering signals). This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to have been around since the conversion of `cad_pid` to struct pid in commit 9ec52099e4b8 (“[PATCH] replace cad_pid by a struct pid”) from the pre-KASAN stone age of v2.6.19. Fix this by getting a reference to the init task’s struct pid when we assign it to `cad_pid`. Full KASAN splat below. ================================================================== BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline] BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273 CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1 Hardware name: linux,dummy-virt (DT) Call trace: ns_of_pid include/linux/pid.h:153 [inline] task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 do_notify_parent+0x308/0xe60 kernel/signal.c:1950 exit_notify kernel/exit.c:682 [inline] do_exit+0x2334/0x2bd0 kernel/exit.c:845 do_group_exit+0x108/0x2c8 kernel/exit.c:922 get_signal+0x4e4/0x2a88 kernel/signal.c:2781 do_signal arch/arm64/kernel/signal.c:882 [inline] do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936 work_pending+0xc/0x2dc Allocated by task 0: slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516 slab_alloc_node mm/slub.c:2907 [inline] slab_alloc mm/slub.c:2915 [inline] kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920 alloc_pid+0xdc/0xc00 kernel/pid.c:180 copy_process+0x2794/0x5e18 kernel/fork.c:2129 kernel_clone+0x194/0x13c8 kernel/fork.c:2500 kernel_thread+0xd4/0x110 kernel/fork.c:2552 rest_init+0x44/0x4a0 init/main.c:687 arch_call_rest_init+0x1c/0x28 start_kernel+0x520/0x554 init/main.c:1064 0x0 Freed by task 270: slab_free_hook mm/slub.c:1562 [inline] slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600 slab_free mm/slub.c:3161 [inline] kmem_cache_free+0x224/0x8e0 mm/slub.c:3177 put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114 put_pid+0x30/0x48 kernel/pid.c:109 proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401 proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591 proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617 call_write_iter include/linux/fs.h:1977 [inline] new_sync_write+0x3ac/0x510 fs/read_write.c:518 vfs_write fs/read_write.c:605 [inline] vfs_write+0x9c4/0x1018 fs/read_write.c:585 ksys_write+0x124/0x240 fs/read_write.c:658 __do_sys_write fs/read_write.c:670 [inline] __se_sys_write fs/read_write.c:667 [inline] __arm64_sys_write+0x78/0xb0 fs/read_write.c:667 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129 do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168 el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416 el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432 el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701 The buggy address belongs to the object at ffff23794dda0000 which belongs to the cache pid of size 224 The buggy address is located 4 bytes inside of 224-byte region [ff —truncated—	2024-03-15	not yet calculated	CVE-2021-47118 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_fill_super Buffer head references must be released before calling kill_bdev(); otherwise the buffer head (and its page referenced by b_data) will not be freed by kill_bdev, and subsequently that bh will be leaked. If blocksizes differ, sb_set_blocksize() will kill current buffers and page cache by using kill_bdev(). And then super block will be reread again but using correct blocksize this time. sb_set_blocksize() didn’t fully free superblock page and buffer head, and being busy, they were not freed and instead leaked. This can easily be reproduced by calling an infinite loop of: systemctl start <ext4_on_lvm>.mount, and systemctl stop <ext4_on_lvm>.mount … since systemd creates a cgroup for each slice which it mounts, and the bh leak get amplified by a dying memory cgroup that also never gets freed, and memory consumption is much more easily noticed.	2024-03-15	not yet calculated	CVE-2021-47119 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: HID: magicmouse: fix NULL-deref on disconnect Commit 9d7b18668956 (“HID: magicmouse: add support for Apple Magic Trackpad 2”) added a sanity check for an Apple trackpad but returned success instead of -ENODEV when the check failed. This means that the remove callback will dereference the never-initialised driver data pointer when the driver is later unbound (e.g. on USB disconnect).	2024-03-15	not yet calculated	CVE-2021-47120 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: net: caif: fix memory leak in cfusbl_device_notify In case of caif_enroll_dev() fail, allocated link_support won’t be assigned to the corresponding structure. So simply free allocated pointer in case of error.	2024-03-15	not yet calculated	CVE-2021-47121 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: net: caif: fix memory leak in caif_device_notify In case of caif_enroll_dev() fail, allocated link_support won’t be assigned to the corresponding structure. So simply free allocated pointer in case of error	2024-03-15	not yet calculated	CVE-2021-47122 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: io_uring: fix ltout double free on completion race Always remove linked timeout on io_link_timeout_fn() from the master request link list, otherwise we may get use-after-free when first io_link_timeout_fn() puts linked timeout in the fail path, and then will be found and put on master’s free.	2024-03-15	not yet calculated	CVE-2021-47123 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: io_uring: fix link timeout refs WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28 RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] io_put_req fs/io_uring.c:2140 [inline] io_queue_linked_timeout fs/io_uring.c:6300 [inline] __io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354 io_submit_sqe fs/io_uring.c:6534 [inline] io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660 __do_sys_io_uring_enter fs/io_uring.c:9240 [inline] __se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182 io_link_timeout_fn() should put only one reference of the linked timeout request, however in case of racing with the master request’s completion first io_req_complete() puts one and then io_put_req_deferred() is called.	2024-03-15	not yet calculated	CVE-2021-47124 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: sch_htb: fix refcount leak in htb_parent_to_leaf_offload The commit ae81feb7338c (“sch_htb: fix null pointer dereference on a null new_q”) fixes a NULL pointer dereference bug, but it is not correct. Because htb_graft_helper properly handles the case when new_q is NULL, and after the previous patch by skipping this call which creates an inconsistency : dev_queue->qdisc will still point to the old qdisc, but cl->parent->leaf.q will point to the new one (which will be noop_qdisc, because new_q was NULL). The code is based on an assumption that these two pointers are the same, so it can lead to refcount leaks. The correct fix is to add a NULL pointer check to protect qdisc_refcount_inc inside htb_parent_to_leaf_offload.	2024-03-15	not yet calculated	CVE-2021-47125 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions Reported by syzbot: HEAD commit: 90c911ad Merge tag ‘fixes’ of git://git.kernel.org/pub/scm.. git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master dashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7 compiler: Debian clang version 11.0.1-2 ================================================================== BUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline] BUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732 Read of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760 CPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x202/0x31e lib/dump_stack.c:120 print_address_description+0x5f/0x3b0 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report+0x15c/0x200 mm/kasan/report.c:416 fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline] fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732 fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536 fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174 rcu_do_batch kernel/rcu/tree.c:2559 [inline] rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794 __do_softirq+0x372/0x7a6 kernel/softirq.c:345 invoke_softirq kernel/softirq.c:221 [inline] __irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422 irq_exit_rcu+0x5/0x20 kernel/softirq.c:434 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100 </IRQ> asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632 RIP: 0010:lock_acquire+0x1f6/0x720 kernel/locking/lockdep.c:5515 Code: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d RSP: 0018:ffffc90009e06560 EFLAGS: 00000206 RAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1 R10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4 rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267 rcu_read_lock include/linux/rcupdate.h:656 [inline] ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231 ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212 ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379 ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982 ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238 ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638 ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848 ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900 ext4_append+0x1a4/0x360 fs/ext4/namei.c:67 ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768 ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814 vfs_mkdir+0x45b/0x640 fs/namei.c:3819 ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline] ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146 ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193 ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788 ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355 ovl_get_workdir fs/overlayfs/super.c:1492 [inline] ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035 mount_nodev+0x52/0xe0 fs/super.c:1413 legacy_get_tree+0xea/0x180 fs/fs_context.c:592 vfs_get_tree+0x86/0x270 fs/super.c:1497 do_new_mount fs/namespace.c:2903 [inline] path_mount+0x196f/0x2be0 fs/namespace.c:3233 do_mount fs/namespace.c:3246 [inline] __do_sys_mount fs/namespace.c:3454 [inline] __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4665f9 Code: ff ff c3 66 2e 0f 1f 84 —truncated—	2024-03-15	not yet calculated	CVE-2021-47126 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ice: track AF_XDP ZC enabled queues in bitmap Commit c7a219048e45 (“ice: Remove xsk_buff_pool from VSI structure”) silently introduced a regression and broke the Tx side of AF_XDP in copy mode. xsk_pool on ice_ring is set only based on the existence of the XDP prog on the VSI which in turn picks ice_clean_tx_irq_zc to be executed. That is not something that should happen for copy mode as it should use the regular data path ice_clean_tx_irq. This results in a following splat when xdpsock is run in txonly or l2fwd scenarios in copy mode: <snip> [ 106.050195] BUG: kernel NULL pointer dereference, address: 0000000000000030 [ 106.057269] #PF: supervisor read access in kernel mode [ 106.062493] #PF: error_code(0x0000) – not-present page [ 106.067709] PGD 0 P4D 0 [ 106.070293] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 106.074721] CPU: 61 PID: 0 Comm: swapper/61 Not tainted 5.12.0-rc2+ #45 [ 106.081436] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [ 106.092027] RIP: 0010:xp_raw_get_dma+0x36/0x50 [ 106.096551] Code: 74 14 48 b8 ff ff ff ff ff ff 00 00 48 21 f0 48 c1 ee 30 48 01 c6 48 8b 87 90 00 00 00 48 89 f2 81 e6 ff 0f 00 00 48 c1 ea 0c <48> 8b 04 d0 48 83 e0 fe 48 01 f0 c3 66 66 2e 0f 1f 84 00 00 00 00 [ 106.115588] RSP: 0018:ffffc9000d694e50 EFLAGS: 00010206 [ 106.120893] RAX: 0000000000000000 RBX: ffff88984b8c8a00 RCX: ffff889852581800 [ 106.128137] RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff88984cd8b800 [ 106.135383] RBP: ffff888123b50001 R08: ffff889896800000 R09: 0000000000000800 [ 106.142628] R10: 0000000000000000 R11: ffffffff826060c0 R12: 00000000000000ff [ 106.149872] R13: 0000000000000000 R14: 0000000000000040 R15: ffff888123b50018 [ 106.157117] FS: 0000000000000000(0000) GS:ffff8897e0f40000(0000) knlGS:0000000000000000 [ 106.165332] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 106.171163] CR2: 0000000000000030 CR3: 000000000560a004 CR4: 00000000007706e0 [ 106.178408] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 106.185653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 106.192898] PKRU: 55555554 [ 106.195653] Call Trace: [ 106.198143] <IRQ> [ 106.200196] ice_clean_tx_irq_zc+0x183/0x2a0 [ice] [ 106.205087] ice_napi_poll+0x3e/0x590 [ice] [ 106.209356] __napi_poll+0x2a/0x160 [ 106.212911] net_rx_action+0xd6/0x200 [ 106.216634] __do_softirq+0xbf/0x29b [ 106.220274] irq_exit_rcu+0x88/0xc0 [ 106.223819] common_interrupt+0x7b/0xa0 [ 106.227719] </IRQ> [ 106.229857] asm_common_interrupt+0x1e/0x40 </snip> Fix this by introducing the bitmap of queues that are zero-copy enabled, where each bit, corresponding to a queue id that xsk pool is being configured on, will be set/cleared within ice_xsk_pool_{en,dis}able and checked within ice_xsk_pool(). The latter is a function used for deciding which napi poll routine is executed. Idea is being taken from our other drivers such as i40e and ixgbe.	2024-03-15	not yet calculated	CVE-2021-47127 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks Commit 59438b46471a (“security,lockdown,selinux: implement SELinux lockdown”) added an implementation of the locked_down LSM hook to SELinux, with the aim to restrict which domains are allowed to perform operations that would breach lockdown. This is indirectly also getting audit subsystem involved to report events. The latter is problematic, as reported by Ondrej and Serhei, since it can bring down the whole system via audit: 1) The audit events that are triggered due to calls to security_locked_down() can OOM kill a machine, see below details [0]. 2) It also seems to be causing a deadlock via avc_has_perm()/slow_avc_audit() when trying to wake up kauditd, for example, when using trace_sched_switch() tracepoint, see details in [1]. Triggering this was not via some hypothetical corner case, but with existing tools like runqlat & runqslower from bcc, for example, which make use of this tracepoint. Rough call sequence goes like: rq_lock(rq) -> ————————-+ trace_sched_switch() -> \| bpf_prog_xyz() -> +-> deadlock selinux_lockdown() -> \| audit_log_end() -> \| wake_up_interruptible() -> \| try_to_wake_up() -> \| rq_lock(rq) ————–+ What’s worse is that the intention of 59438b46471a to further restrict lockdown settings for specific applications in respect to the global lockdown policy is completely broken for BPF. The SELinux policy rule for the current lockdown check looks something like this: allow <who> <who> : lockdown { <reason> }; However, this doesn’t match with the ‘current’ task where the security_locked_down() is executed, example: httpd does a syscall. There is a tracing program attached to the syscall which triggers a BPF program to run, which ends up doing a bpf_probe_read_kernel{,_str}() helper call. The selinux_lockdown() hook does the permission check against ‘current’, that is, httpd in this example. httpd has literally zero relation to this tracing program, and it would be nonsensical having to write an SELinux policy rule against httpd to let the tracing helper pass. The policy in this case needs to be against the entity that is installing the BPF program. For example, if bpftrace would generate a histogram of syscall counts by user space application: bpftrace -e ‘tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }’ bpftrace would then go and generate a BPF program from this internally. One way of doing it [for the sake of the example] could be to call bpf_get_current_task() helper and then access current->comm via one of bpf_probe_read_kernel{,_str}() helpers. So the program itself has nothing to do with httpd or any other random app doing a syscall here. The BPF program _explicitly initiated_ the lockdown check. The allow/deny policy belongs in the context of bpftrace: meaning, you want to grant bpftrace access to use these helpers, but other tracers on the system like my_random_tracer _not_. Therefore fix all three issues at the same time by taking a completely different approach for the security_locked_down() hook, that is, move the check into the program verification phase where we actually retrieve the BPF func proto. This also reliably gets the task (current) that is trying to install the BPF tracing program, e.g. bpftrace/bcc/perf/systemtap/etc, and it also fixes the OOM since we’re moving this out of the BPF helper’s fast-path which can be called several millions of times per second. The check is then also in line with other security_locked_down() hooks in the system where the enforcement is performed at open/load time, for example, open_kcore() for /proc/kcore access or module_sig_check() for module signatures just to pick f —truncated—	2024-03-15	not yet calculated	CVE-2021-47128 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: skip expectations for confirmed conntrack nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed conntrack entry. However, nf_ct_ext_add() can only be called for !nf_ct_is_confirmed(). [ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack] [ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack] [ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00 [ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202 [ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887 [ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440 [ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447 [ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440 [ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20 [ 1825.352240] FS: 00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000 [ 1825.352343] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0 [ 1825.352508] Call Trace: [ 1825.352544] nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack] [ 1825.352641] nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct] [ 1825.352716] nft_do_chain+0x232/0x850 [nf_tables] Add the ct helper extension only for unconfirmed conntrack. Skip rule evaluation if the ct helper extension does not exist. Thus, you can only create expectations from the first packet. It should be possible to remove this limitation by adding a new action to attach a generic ct helper to the first packet. Then, use this ct helper extension from follow up packets to create the ct expectation. While at it, add a missing check to skip the template conntrack too and remove check for IPCT_UNTRACK which is implicit to !ct.	2024-03-15	not yet calculated	CVE-2021-47129 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: nvmet: fix freeing unallocated p2pmem In case p2p device was found but the p2p pool is empty, the nvme target is still trying to free the sgl from the p2p pool instead of the regular sgl pool and causing a crash (BUG() is called). Instead, assign the p2p_dev for the request only if it was allocated from p2p pool. This is the crash that was caused: [Sun May 30 19:13:53 2021] ————[ cut here ]———— [Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518! [Sun May 30 19:13:53 2021] invalid opcode: 0000 [#1] SMP PTI … [Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518! … [Sun May 30 19:13:53 2021] RIP: 0010:gen_pool_free_owner+0xa8/0xb0 … [Sun May 30 19:13:53 2021] Call Trace: [Sun May 30 19:13:53 2021] ————[ cut here ]———— [Sun May 30 19:13:53 2021] pci_free_p2pmem+0x2b/0x70 [Sun May 30 19:13:53 2021] pci_p2pmem_free_sgl+0x4f/0x80 [Sun May 30 19:13:53 2021] nvmet_req_free_sgls+0x1e/0x80 [nvmet] [Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518! [Sun May 30 19:13:53 2021] nvmet_rdma_release_rsp+0x4e/0x1f0 [nvmet_rdma] [Sun May 30 19:13:53 2021] nvmet_rdma_send_done+0x1c/0x60 [nvmet_rdma]	2024-03-15	not yet calculated	CVE-2021-47130 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: net/tls: Fix use-after-free after the TLS device goes down and up When a netdev with active TLS offload goes down, tls_device_down is called to stop the offload and tear down the TLS context. However, the socket stays alive, and it still points to the TLS context, which is now deallocated. If a netdev goes up, while the connection is still active, and the data flow resumes after a number of TCP retransmissions, it will lead to a use-after-free of the TLS context. This commit addresses this bug by keeping the context alive until its normal destruction, and implements the necessary fallbacks, so that the connection can resume in software (non-offloaded) kTLS mode. On the TX side tls_sw_fallback is used to encrypt all packets. The RX side already has all the necessary fallbacks, because receiving non-decrypted packets is supported. The thing needed on the RX side is to block resync requests, which are normally produced after receiving non-decrypted packets. The necessary synchronization is implemented for a graceful teardown: first the fallbacks are deployed, then the driver resources are released (it used to be possible to have a tls_dev_resync after tls_dev_del). A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback mode. It’s used to skip the RX resync logic completely, as it becomes useless, and some objects may be released (for example, resync_async, which is allocated and freed by the driver).	2024-03-15	not yet calculated	CVE-2021-47131 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: mptcp: fix sk_forward_memory corruption on retransmission MPTCP sk_forward_memory handling is a bit special, as such field is protected by the msk socket spin_lock, instead of the plain socket lock. Currently we have a code path updating such field without handling the relevant lock: __mptcp_retrans() -> __mptcp_clean_una_wakeup() Several helpers in __mptcp_clean_una_wakeup() will update sk_forward_alloc, possibly causing such field corruption, as reported by Matthieu. Address the issue providing and using a new variant of blamed function which explicitly acquires the msk spin lock.	2024-03-15	not yet calculated	CVE-2021-47132 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: efi/fdt: fix panic when no valid fdt found setup_arch() would invoke efi_init()->efi_get_fdt_params(). If no valid fdt found then initial_boot_params will be null. So we should stop further fdt processing here. I encountered this issue on risc-v.	2024-03-15	not yet calculated	CVE-2021-47134 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: fix possible AOOB issue in mt7921_mcu_tx_rate_report Fix possible array out of bound access in mt7921_mcu_tx_rate_report. Remove unnecessary varibable in mt7921_mcu_tx_rate_report	2024-03-15	not yet calculated	CVE-2021-47135 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: drm: Don’t unref the same fb many times by mistake due to deadlock handling If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl() we proceed to unref the fb and then retry the whole thing from the top. But we forget to reset the fb pointer back to NULL, and so if we then get another error during the retry, before the fb lookup, we proceed the unref the same fb again without having gotten another reference. The end result is that the fb will (eventually) end up being freed while it’s still in use. Reset fb to NULL once we’ve unreffed it to avoid doing it again until we’ve done another fb lookup. This turned out to be pretty easy to hit on a DG2 when doing async flips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I saw that drm_closefb() simply got stuck in a busy loop while walking the framebuffer list. Fortunately I was able to convince it to oops instead, and from there it was easier to track down the culprit.	2024-03-11	not yet calculated	CVE-2023-52486 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix peer flow lists handling The cited change refactored mlx5e_tc_del_fdb_peer_flow() to only clear DUP flag when list of peer flows has become empty. However, if any concurrent user holds a reference to a peer flow (for example, the neighbor update workqueue task is updating peer flow’s parent encap entry concurrently), then the flow will not be removed from the peer list and, consecutively, DUP flag will remain set. Since mlx5e_tc_del_fdb_peers_flow() calls mlx5e_tc_del_fdb_peer_flow() for every possible peer index the algorithm will try to remove the flow from eswitch instances that it has never peered with causing either NULL pointer dereference when trying to remove the flow peer list head of peer_index that was never initialized or a warning if the list debug config is enabled[0]. Fix the issue by always removing the peer flow from the list even when not releasing the last reference to it. [0]: [ 3102.985806] ————[ cut here ]———— [ 3102.986223] list_del corruption, ffff888139110698->next is NULL [ 3102.986757] WARNING: CPU: 2 PID: 22109 at lib/list_debug.c:53 __list_del_entry_valid_or_report+0x4f/0xc0 [ 3102.987561] Modules linked in: act_ct nf_flow_table bonding act_tunnel_key act_mirred act_skbedit vxlan cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa openvswitch nsh xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcg ss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core [last unloaded: bonding] [ 3102.991113] CPU: 2 PID: 22109 Comm: revalidator28 Not tainted 6.6.0-rc6+ #3 [ 3102.991695] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 3102.992605] RIP: 0010:__list_del_entry_valid_or_report+0x4f/0xc0 [ 3102.993122] Code: 39 c2 74 56 48 8b 32 48 39 fe 75 62 48 8b 51 08 48 39 f2 75 73 b8 01 00 00 00 c3 48 89 fe 48 c7 c7 48 fd 0a 82 e8 41 0b ad ff <0f> 0b 31 c0 c3 48 89 fe 48 c7 c7 70 fd 0a 82 e8 2d 0b ad ff 0f 0b [ 3102.994615] RSP: 0018:ffff8881383e7710 EFLAGS: 00010286 [ 3102.995078] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 [ 3102.995670] RDX: 0000000000000001 RSI: ffff88885f89b640 RDI: ffff88885f89b640 [ 3102.997188] DEL flow 00000000be367878 on port 0 [ 3102.998594] RBP: dead000000000122 R08: 0000000000000000 R09: c0000000ffffdfff [ 3102.999604] R10: 0000000000000008 R11: ffff8881383e7598 R12: dead000000000100 [ 3103.000198] R13: 0000000000000002 R14: ffff888139110000 R15: ffff888101901240 [ 3103.000790] FS: 00007f424cde4700(0000) GS:ffff88885f880000(0000) knlGS:0000000000000000 [ 3103.001486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3103.001986] CR2: 00007fd42e8dcb70 CR3: 000000011e68a003 CR4: 0000000000370ea0 [ 3103.002596] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3103.003190] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 3103.003787] Call Trace: [ 3103.004055] <TASK> [ 3103.004297] ? __warn+0x7d/0x130 [ 3103.004623] ? __list_del_entry_valid_or_report+0x4f/0xc0 [ 3103.005094] ? report_bug+0xf1/0x1c0 [ 3103.005439] ? console_unlock+0x4a/0xd0 [ 3103.005806] ? handle_bug+0x3f/0x70 [ 3103.006149] ? exc_invalid_op+0x13/0x60 [ 3103.006531] ? asm_exc_invalid_op+0x16/0x20 [ 3103.007430] ? __list_del_entry_valid_or_report+0x4f/0xc0 [ 3103.007910] mlx5e_tc_del_fdb_peers_flow+0xcf/0x240 [mlx5_core] [ 3103.008463] mlx5e_tc_del_flow+0x46/0x270 [mlx5_core] [ 3103.008944] mlx5e_flow_put+0x26/0x50 [mlx5_core] [ 3103.009401] mlx5e_delete_flower+0x25f/0x380 [mlx5_core] [ 3103.009901] tc_setup_cb_destroy+0xab/0x180 [ 3103.010292] fl_hw_destroy_filter+0x99/0xc0 [cls_flower] [ 3103.010779] __fl_delete+0x2d4/0x2f0 [cls_flower] [ 3103.0 —truncated—	2024-03-11	not yet calculated	CVE-2023-52487 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO The SC16IS7XX IC supports a burst mode to access the FIFOs where the initial register address is sent ($00), followed by all the FIFO data without having to resend the register address each time. In this mode, the IC doesn’t increment the register address for each R/W byte. The regmap_raw_read() and regmap_raw_write() are functions which can perform IO over multiple registers. They are currently used to read/write from/to the FIFO, and although they operate correctly in this burst mode on the SPI bus, they would corrupt the regmap cache if it was not disabled manually. The reason is that when the R/W size is more than 1 byte, these functions assume that the register address is incremented and handle the cache accordingly. Convert FIFO R/W functions to use the regmap _noinc_ versions in order to remove the manual cache control which was a workaround when using the _raw_ versions. FIFO registers are properly declared as volatile so cache will not be used/updated for FIFO accesses.	2024-03-11	not yet calculated	CVE-2023-52488 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: mm/sparsemem: fix race in accessing memory_section->usage The below race is observed on a PFN which falls into the device memory region with the system memory configuration where PFN’s are such that [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end pfn contains the device memory PFN’s as well, the compaction triggered will try on the device memory PFN’s too though they end up in NOP(because pfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When from other core, the section mappings are being removed for the ZONE_DEVICE region, that the PFN in question belongs to, on which compaction is currently being operated is resulting into the kernel crash with CONFIG_SPASEMEM_VMEMAP enabled. The crash logs can be seen at [1]. compact_zone() memunmap_pages ————- ————— __pageblock_pfn_to_page …… (a)pfn_valid(): valid_section()//return true (b)__remove_pages()-> sparse_remove_section()-> section_deactivate(): [Free the array ms->usage and set ms->usage = NULL] pfn_section_valid() [Access ms->usage which is NULL] NOTE: From the above it can be said that the race is reduced to between the pfn_valid()/pfn_section_valid() and the section deactivate with SPASEMEM_VMEMAP enabled. The commit b943f045a9af(“mm/sparse: fix kernel crash with pfn_section_valid check”) tried to address the same problem by clearing the SECTION_HAS_MEM_MAP with the expectation of valid_section() returns false thus ms->usage is not accessed. Fix this issue by the below steps: a) Clear SECTION_HAS_MEM_MAP before freeing the ->usage. b) RCU protected read side critical section will either return NULL when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage. c) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No attempt will be made to access ->usage after this as the SECTION_HAS_MEM_MAP is cleared thus valid_section() return false. Thanks to David/Pavan for their inputs on this patch. [1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/ On Snapdragon SoC, with the mentioned memory configuration of PFN’s as [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of issues daily while testing on a device farm. For this particular issue below is the log. Though the below log is not directly pointing to the pfn_section_valid(){ ms->usage;}, when we loaded this dump on T32 lauterbach tool, it is pointing. [ 540.578056] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 540.578068] Mem abort info: [ 540.578070] ESR = 0x0000000096000005 [ 540.578073] EC = 0x25: DABT (current EL), IL = 32 bits [ 540.578077] SET = 0, FnV = 0 [ 540.578080] EA = 0, S1PTW = 0 [ 540.578082] FSC = 0x05: level 1 translation fault [ 540.578085] Data abort info: [ 540.578086] ISV = 0, ISS = 0x00000005 [ 540.578088] CM = 0, WnR = 0 [ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=–) [ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c [ 540.579454] lr : compact_zone+0x994/0x1058 [ 540.579460] sp : ffffffc03579b510 [ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c [ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640 [ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000 [ 540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140 [ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff [ 540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001 [ 540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440 [ 540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4 [ 540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000 —truncated—	2024-03-11	not yet calculated	CVE-2023-52489 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: mm: migrate: fix getting incorrect page mapping during page migration When running stress-ng testing, we found below kernel crash after a few hours: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 pc : dentry_name+0xd8/0x224 lr : pointer+0x22c/0x370 sp : ffff800025f134c0 …… Call trace: dentry_name+0xd8/0x224 pointer+0x22c/0x370 vsnprintf+0x1ec/0x730 vscnprintf+0x2c/0x60 vprintk_store+0x70/0x234 vprintk_emit+0xe0/0x24c vprintk_default+0x3c/0x44 vprintk_func+0x84/0x2d0 printk+0x64/0x88 __dump_page+0x52c/0x530 dump_page+0x14/0x20 set_migratetype_isolate+0x110/0x224 start_isolate_page_range+0xc4/0x20c offline_pages+0x124/0x474 memory_block_offline+0x44/0xf4 memory_subsys_offline+0x3c/0x70 device_offline+0xf0/0x120 …… After analyzing the vmcore, I found this issue is caused by page migration. The scenario is that, one thread is doing page migration, and we will use the target page’s ->mapping field to save ‘anon_vma’ pointer between page unmap and page move, and now the target page is locked and refcount is 1. Currently, there is another stress-ng thread performing memory hotplug, attempting to offline the target page that is being migrated. It discovers that the refcount of this target page is 1, preventing the offline operation, thus proceeding to dump the page. However, page_mapping() of the target page may return an incorrect file mapping to crash the system in dump_mapping(), since the target page->mapping only saves ‘anon_vma’ pointer without setting PAGE_MAPPING_ANON flag. There are seveval ways to fix this issue: (1) Setting the PAGE_MAPPING_ANON flag for target page’s ->mapping when saving ‘anon_vma’, but this can confuse PageAnon() for PFN walkers, since the target page has not built mappings yet. (2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashing the system, however, there are still some PFN walkers that call page_mapping() without holding the page lock, such as compaction. (3) Using target page->private field to save the ‘anon_vma’ pointer and 2 bits page state, just as page->mapping records an anonymous page, which can remove the page_mapping() impact for PFN walkers and also seems a simple way. So I choose option 3 to fix this issue, and this can also fix other potential issues for PFN walkers, such as compaction.	2024-03-11	not yet calculated	CVE-2023-52490 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. In mtk_jpeg_dec_device_run, if error happens in mtk_jpeg_set_dec_dst, it will finally start the worker while mark the job as finished by invoking v4l2_m2m_job_finish. There are two methods to trigger the bug. If we remove the module, it which will call mtk_jpeg_remove to make cleanup. The possible sequence is as follows, which will cause a use-after-free bug. CPU0 CPU1 mtk_jpeg_dec_… \| start worker \| \|mtk_jpeg_job_timeout_work mtk_jpeg_remove \| v4l2_m2m_release \| kfree(m2m_dev); \| \| \| v4l2_m2m_get_curr_priv \| m2m_dev->curr_ctx //use If we close the file descriptor, which will call mtk_jpeg_release, it will have a similar sequence. Fix this bug by starting timeout worker only if started jpegdec worker successfully. Then v4l2_m2m_job_finish will only be called in either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run.	2024-03-11	not yet calculated	CVE-2023-52491 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: dmaengine: fix NULL pointer in channel unregistration function __dma_async_device_channel_register() can fail. In case of failure, chan->local is freed (with free_percpu()), and chan->local is nullified. When dma_async_device_unregister() is called (because of managed API or intentionally by DMA controller driver), channels are unconditionally unregistered, leading to this NULL pointer: [ 1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0 […] [ 1.484499] Call trace: [ 1.486930] device_del+0x40/0x394 [ 1.490314] device_unregister+0x20/0x7c [ 1.494220] __dma_async_device_channel_unregister+0x68/0xc0 Look at dma_async_device_register() function error path, channel device unregistration is done only if chan->local is not NULL. Then add the same condition at the beginning of __dma_async_device_channel_unregister() function, to avoid NULL pointer issue whatever the API used to reach this function.	2024-03-11	not yet calculated	CVE-2023-52492 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Drop chan lock before queuing buffers Ensure read and write locks for the channel are not taken in succession by dropping the read lock from parse_xfer_event() such that a callback given to client can potentially queue buffers and acquire the write lock in that process. Any queueing of buffers should be done without channel read lock acquired as it can result in multiple locks and a soft lockup. [mani: added fixes tag and cc’ed stable]	2024-03-11	not yet calculated	CVE-2023-52493 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Add alignment check for event ring read pointer Though we do check the event ring read pointer by “is_valid_ring_ptr” to make sure it is in the buffer range, but there is another risk the pointer may be not aligned. Since we are expecting event ring elements are 128 bits(struct mhi_ring_element) aligned, an unaligned read pointer could lead to multiple issues like DoS or ring buffer memory corruption. So add a alignment check for event ring read pointer.	2024-03-11	not yet calculated	CVE-2023-52494 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pmic_glink_altmode: fix port sanity check The PMIC GLINK altmode driver currently supports at most two ports. Fix the incomplete port sanity check on notifications to avoid accessing and corrupting memory beyond the port array if we ever get a notification for an unsupported port.	2024-03-11	not yet calculated	CVE-2023-52495 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: PM: sleep: Fix possible deadlocks in core system-wide PM code It is reported that in low-memory situations the system-wide resume core code deadlocks, because async_schedule_dev() executes its argument function synchronously if it cannot allocate memory (and not only in that case) and that function attempts to acquire a mutex that is already held. Executing the argument function synchronously from within dpm_async_fn() may also be problematic for ordering reasons (it may cause a consumer device’s resume callback to be invoked before a requisite supplier device’s one, for example). Address this by changing the code in question to use async_schedule_dev_nocall() for scheduling the asynchronous execution of device suspend and resume functions and to directly run them synchronously if async_schedule_dev_nocall() returns false.	2024-03-11	not yet calculated	CVE-2023-52498 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Check mailbox/SMT channel for consistency On reception of a completion interrupt the shared memory area is accessed to retrieve the message header at first and then, if the message sequence number identifies a transaction which is still pending, the related payload is fetched too. When an SCMI command times out the channel ownership remains with the platform until eventually a late reply is received and, as a consequence, any further transmission attempt remains pending, waiting for the channel to be relinquished by the platform. Once that late reply is received the channel ownership is given back to the agent and any pending request is then allowed to proceed and overwrite the SMT area of the just delivered late reply; then the wait for the reply to the new request starts. It has been observed that the spurious IRQ related to the late reply can be wrongly associated with the freshly enqueued request: when that happens the SCMI stack in-flight lookup procedure is fooled by the fact that the message header now present in the SMT area is related to the new pending transaction, even though the real reply has still to arrive. This race-condition on the A2P channel can be detected by looking at the channel status bits: a genuine reply from the platform will have set the channel free bit before triggering the completion IRQ. Add a consistency check to validate such condition in the A2P ISR.	2024-03-13	not yet calculated	CVE-2023-52608 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix global oob in ksmbd_nl_policy Similar to a reported issue (check the commit b33fb5b801c6 (“net: qualcomm: rmnet: fix global oob in rmnet_policy”), my local fuzzer finds another global out-of-bounds read for policy ksmbd_nl_policy. See bug trace below: ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Read of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810 CPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G N 6.1.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 validate_nla lib/nlattr.c:386 [inline] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 __nlmsg_parse include/net/netlink.h:748 [inline] genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565 genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdd66a8f359 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003 RBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000 </TASK> The buggy address belongs to the variable: ksmbd_nl_policy+0x100/0xa80 The buggy address belongs to the physical page: page:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b flags: 0x200000000001000(reserved\|node=0\|zone=2) raw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9 ^ ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05 ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9 ================================================================== To fix it, add a placeholder named __KSMBD_EVENT_MAX and let KSMBD_EVENT_MAX to be its original value – 1 according to what other netlink families do. Also change two sites that refer the KSMBD_EVENT_MAX to correct value.	2024-03-11	not yet calculated	CVE-2024-26608 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix a memory corruption iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in bytes, we’ll write past the buffer.	2024-03-11	not yet calculated	CVE-2024-26610 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: xsk: fix usage of multi-buffer BPF helpers for ZC XDP Currently when packet is shrunk via bpf_xdp_adjust_tail() and memory type is set to MEM_TYPE_XSK_BUFF_POOL, null ptr dereference happens: [1136314.192256] BUG: kernel NULL pointer dereference, address: 0000000000000034 [1136314.203943] #PF: supervisor read access in kernel mode [1136314.213768] #PF: error_code(0x0000) – not-present page [1136314.223550] PGD 0 P4D 0 [1136314.230684] Oops: 0000 [#1] PREEMPT SMP NOPTI [1136314.239621] CPU: 8 PID: 54203 Comm: xdpsock Not tainted 6.6.0+ #257 [1136314.250469] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [1136314.265615] RIP: 0010:__xdp_return+0x6c/0x210 [1136314.274653] Code: ad 00 48 8b 47 08 49 89 f8 a8 01 0f 85 9b 01 00 00 0f 1f 44 00 00 f0 41 ff 48 34 75 32 4c 89 c7 e9 79 cd 80 ff 83 fe 03 75 17 <f6> 41 34 01 0f 85 02 01 00 00 48 89 cf e9 22 cc 1e 00 e9 3d d2 86 [1136314.302907] RSP: 0018:ffffc900089f8db0 EFLAGS: 00010246 [1136314.312967] RAX: ffffc9003168aed0 RBX: ffff8881c3300000 RCX: 0000000000000000 [1136314.324953] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffc9003168c000 [1136314.336929] RBP: 0000000000000ae0 R08: 0000000000000002 R09: 0000000000010000 [1136314.348844] R10: ffffc9000e495000 R11: 0000000000000040 R12: 0000000000000001 [1136314.360706] R13: 0000000000000524 R14: ffffc9003168aec0 R15: 0000000000000001 [1136314.373298] FS: 00007f8df8bbcb80(0000) GS:ffff8897e0e00000(0000) knlGS:0000000000000000 [1136314.386105] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1136314.396532] CR2: 0000000000000034 CR3: 00000001aa912002 CR4: 00000000007706f0 [1136314.408377] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [1136314.420173] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [1136314.431890] PKRU: 55555554 [1136314.439143] Call Trace: [1136314.446058] <IRQ> [1136314.452465] ? __die+0x20/0x70 [1136314.459881] ? page_fault_oops+0x15b/0x440 [1136314.468305] ? exc_page_fault+0x6a/0x150 [1136314.476491] ? asm_exc_page_fault+0x22/0x30 [1136314.484927] ? __xdp_return+0x6c/0x210 [1136314.492863] bpf_xdp_adjust_tail+0x155/0x1d0 [1136314.501269] bpf_prog_ccc47ae29d3b6570_xdp_sock_prog+0x15/0x60 [1136314.511263] ice_clean_rx_irq_zc+0x206/0xc60 [ice] [1136314.520222] ? ice_xmit_zc+0x6e/0x150 [ice] [1136314.528506] ice_napi_poll+0x467/0x670 [ice] [1136314.536858] ? ttwu_do_activate.constprop.0+0x8f/0x1a0 [1136314.546010] __napi_poll+0x29/0x1b0 [1136314.553462] net_rx_action+0x133/0x270 [1136314.561619] __do_softirq+0xbe/0x28e [1136314.569303] do_softirq+0x3f/0x60 This comes from __xdp_return() call with xdp_buff argument passed as NULL which is supposed to be consumed by xsk_buff_free() call. To address this properly, in ZC case, a node that represents the frag being removed has to be pulled out of xskb_list. Introduce appropriate xsk helpers to do such node operation and use them accordingly within bpf_xdp_adjust_tail().	2024-03-11	not yet calculated	CVE-2024-26611 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: netfs, fscache: Prevent Oops in fscache_put_cache() This function dereferences “cache” and then checks if it’s IS_ERR_OR_NULL(). Check first, then dereference.	2024-03-11	not yet calculated	CVE-2024-26612 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue’s spinlocks once When I run syz’s reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: <IRQ> _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) </IRQ> <TASK> __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 </TASK> The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock … tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance … inet_csk_reqsk_queue_add —truncated—	2024-03-11	not yet calculated	CVE-2024-26614 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: net/smc: fix illegal rmb_desc access in SMC-D connection dump A crash was found when dumping SMC-D connections. It can be reproduced by following steps: – run nginx/wrk test: smc_run nginx smc_run wrk -t 16 -c 1000 -d <duration> -H ‘Connection: Close’ <URL> – continuously dump SMC-D connections in parallel: watch -n 1 ‘smcss -D’ BUG: kernel NULL pointer dereference, address: 0000000000000030 CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G E 6.7.0+ #55 RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag] Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x66/0x150 ? exc_page_fault+0x69/0x140 ? asm_exc_page_fault+0x26/0x30 ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag] ? __kmalloc_node_track_caller+0x35d/0x430 ? __alloc_skb+0x77/0x170 smc_diag_dump_proto+0xd0/0xf0 [smc_diag] smc_diag_dump+0x26/0x60 [smc_diag] netlink_dump+0x19f/0x320 __netlink_dump_start+0x1dc/0x300 smc_diag_handler_dump+0x6a/0x80 [smc_diag] ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag] sock_diag_rcv_msg+0x121/0x140 ? __pfx_sock_diag_rcv_msg+0x10/0x10 netlink_rcv_skb+0x5a/0x110 sock_diag_rcv+0x28/0x40 netlink_unicast+0x22a/0x330 netlink_sendmsg+0x1f8/0x420 __sock_sendmsg+0xb0/0xc0 ____sys_sendmsg+0x24e/0x300 ? copy_msghdr_from_user+0x62/0x80 ___sys_sendmsg+0x7c/0xd0 ? __do_fault+0x34/0x160 ? do_read_fault+0x5f/0x100 ? do_fault+0xb0/0x110 ? __handle_mm_fault+0x2b0/0x6c0 __sys_sendmsg+0x4d/0x80 do_syscall_64+0x69/0x180 entry_SYSCALL_64_after_hwframe+0x6e/0x76 It is possible that the connection is in process of being established when we dump it. Assumed that the connection has been registered in a link group by smc_conn_create() but the rmb_desc has not yet been initialized by smc_buf_create(), thus causing the illegal access to conn->rmb_desc. So fix it by checking before dump.	2024-03-11	not yet calculated	CVE-2024-26615 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: fs/proc/task_mmu: move mmu notification mechanism inside mm lock Move mmu notification mechanism inside mm lock to prevent race condition in other components which depend on it. The notifier will invalidate memory range. Depending upon the number of iterations, different memory ranges would be invalidated. The following warning would be removed by this patch: WARNING: CPU: 0 PID: 5067 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:734 kvm_mmu_notifier_change_pte+0x860/0x960 arch/x86/kvm/../../../virt/kvm/kvm_main.c:734 There is no behavioural and performance change with this patch when there is no component registered with the mmu notifier. [akpm@linux-foundation.org: narrow the scope of `range’, per Sean]	2024-03-11	not yet calculated	CVE-2024-26617 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: arm64/sme: Always exit sme_alloc() early with existing storage When sme_alloc() is called with existing storage and we are not flushing we will always allocate new storage, both leaking the existing storage and corrupting the state. Fix this by separating the checks for flushing and for existing storage as we do for SVE. Callers that reallocate (eg, due to changing the vector length) should call sme_free() themselves.	2024-03-11	not yet calculated	CVE-2024-26618 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: riscv: Fix module loading free order Reverse order of kfree calls to resolve use-after-free error.	2024-03-11	not yet calculated	CVE-2024-26619 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: s390/vfio-ap: always filter entire AP matrix The vfio_ap_mdev_filter_matrix function is called whenever a new adapter or domain is assigned to the mdev. The purpose of the function is to update the guest’s AP configuration by filtering the matrix of adapters and domains assigned to the mdev. When an adapter or domain is assigned, only the APQNs associated with the APID of the new adapter or APQI of the new domain are inspected. If an APQN does not reference a queue device bound to the vfio_ap device driver, then it’s APID will be filtered from the mdev’s matrix when updating the guest’s AP configuration. Inspecting only the APID of the new adapter or APQI of the new domain will result in passing AP queues through to a guest that are not bound to the vfio_ap device driver under certain circumstances. Consider the following: guest’s AP configuration (all also assigned to the mdev’s matrix): 14.0004 14.0005 14.0006 16.0004 16.0005 16.0006 unassign domain 4 unbind queue 16.0005 assign domain 4 When domain 4 is re-assigned, since only domain 4 will be inspected, the APQNs that will be examined will be: 14.0004 16.0004 Since both of those APQNs reference queue devices that are bound to the vfio_ap device driver, nothing will get filtered from the mdev’s matrix when updating the guest’s AP configuration. Consequently, queue 16.0005 will get passed through despite not being bound to the driver. This violates the linux device model requirement that a guest shall only be given access to devices bound to the device driver facilitating their pass-through. To resolve this problem, every adapter and domain assigned to the mdev will be inspected when filtering the mdev’s matrix.	2024-03-11	not yet calculated	CVE-2024-26620 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: nfsd: fix RELEASE_LOCKOWNER The test on so_count in nfsd4_release_lockowner() is nonsense and harmful. Revert to using check_for_locks(), changing that to not sleep. First: harmful. As is documented in the kdoc comment for nfsd4_release_lockowner(), the test on so_count can transiently return a false positive resulting in a return of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is clearly a protocol violation and with the Linux NFS client it can cause incorrect behaviour. If RELEASE_LOCKOWNER is sent while some other thread is still processing a LOCK request which failed because, at the time that request was received, the given owner held a conflicting lock, then the nfsd thread processing that LOCK request can hold a reference (conflock) to the lock owner that causes nfsd4_release_lockowner() to return an incorrect error. The Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it never sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so it knows that the error is impossible. It assumes the lock owner was in fact released so it feels free to use the same lock owner identifier in some later locking request. When it does reuse a lock owner identifier for which a previous RELEASE failed, it will naturally use a lock_seqid of zero. However the server, which didn’t release the lock owner, will expect a larger lock_seqid and so will respond with NFS4ERR_BAD_SEQID. So clearly it is harmful to allow a false positive, which testing so_count allows. The test is nonsense because … well… it doesn’t mean anything. so_count is the sum of three different counts. 1/ the set of states listed on so_stateids 2/ the set of active vfs locks owned by any of those states 3/ various transient counts such as for conflicting locks. When it is tested against ‘2’ it is clear that one of these is the transient reference obtained by find_lockowner_str_locked(). It is not clear what the other one is expected to be. In practice, the count is often 2 because there is precisely one state on so_stateids. If there were more, this would fail. In my testing I see two circumstances when RELEASE_LOCKOWNER is called. In one case, CLOSE is called before RELEASE_LOCKOWNER. That results in all the lock states being removed, and so the lockowner being discarded (it is removed when there are no more references which usually happens when the lock state is discarded). When nfsd4_release_lockowner() finds that the lock owner doesn’t exist, it returns success. The other case shows an so_count of ‘2’ and precisely one state listed in so_stateid. It appears that the Linux client uses a separate lock owner for each file resulting in one lock state per lock owner, so this test on ‘2’ is safe. For another client it might not be safe. So this patch changes check_for_locks() to use the (newish) find_any_file_locked() so that it doesn’t take a reference on the nfs4_file and so never calls nfsd_file_put(), and so never sleeps. With this check is it safe to restore the use of check_for_locks() rather than testing so_count against the mysterious ‘2’.	2024-03-13	not yet calculated	CVE-2024-26629 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: mm: cachestat: fix folio read-after-free in cache walk In cachestat, we access the folio from the page cache’s xarray to compute its page offset, and check for its dirty and writeback flags. However, we do not hold a reference to the folio before performing these actions, which means the folio can concurrently be released and reused as another folio/page/slab. Get around this altogether by just using xarray’s existing machinery for the folio page offsets and dirty/writeback states. This changes behavior for tmpfs files to now always report zeroes in their dirty and writeback counters. This is okay as tmpfs doesn’t follow conventional writeback cache behavior: its pages get “cleaned” during swapout, after which they’re no longer resident etc.	2024-03-13	not yet calculated	CVE-2024-26630 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
mas — masmobile_classic_android_app	An authorization bypass was discovered in the Carrier MASmobile Classic application through 1.16.18 for Android, MASmobile Classic app through 1.7.24 for iOS, and MAS ASP.Net Services through 1.9. It can be achieved via session ID prediction, allowing remote attackers to retrieve sensitive data including customer data, security system status, and event history. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The affected products cannot simply be updated; they must be removed, but can be replaced by other Carrier software as explained in the Carrier advisory.	2024-03-16	not yet calculated	CVE-2023-36483 productsecurity@carrier.com
nixos — nix	Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series Ver.3.1.9 and earlier, Ver.3.0.x series Ver.3.0.30 and earlier, Ver.2.11.x series Ver.2.11.59 and earlier, Ver.2.10.x series Ver.2.10.51 and earlier, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with editor or higher privilege who can login to the product may obtain arbitrary files on the server including password files.	2024-03-12	not yet calculated	CVE-2024-27279 vultures@jpcert.or.jp vultures@jpcert.or.jp
omron_corporation — machine_automation_controller_nj_series_	Path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an administrative privilege. As for the details of the affected product names/versions, see the information provided by the vendor under [References] section.	2024-03-12	not yet calculated	CVE-2024-27121 vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp
sciener — gateway_g2	Sciener server does not validate connection requests from the GatewayG2, allowing an impersonation attack that provides the attacker the unlockKey field.	2024-03-15	not yet calculated	CVE-2023-7007 cret@cert.org
sciener — kontrol_lux	The AES key utilized in the pairing process between a lock using Sciener firmware and a wireless keypad is not unique, and can be reused to compromise other locks using the Sciener firmware.	2024-03-15	not yet calculated	CVE-2023-7003 cret@cert.org
sciener — kontrol_lux	The unlockKey character in a lock using Sciener firmware can be brute forced through repeated challenge requests, compromising the locks integrity.	2024-03-15	not yet calculated	CVE-2023-7006 cret@cert.org
sciener — kontrol_lux	Some Sciener-based locks support plaintext message processing over Bluetooth Low Energy, allowing unencrypted malicious commands to be passed to the lock. These malicious commands, less then 16 bytes in length, will be processed by the lock as if they were encrypted communications. This can be further exploited by an attacker to compromise the lock’s integrity.	2024-03-15	not yet calculated	CVE-2023-7009 cret@cert.org
sciener — kontrol_lux	Sciener locks’ firmware update mechanism do not authenticate or validate firmware updates if passed to the lock through the Bluetooth Low Energy service. A challenge request can be sent to the lock with a command to prepare for an update, rather than an unlock request, allowing an attacker to compromise the device.	2024-03-15	not yet calculated	CVE-2023-7017 cret@cert.org
sciener — ttlock_app	TTLock App virtual keys and settings are only deleted client side, and if preserved, can access the lock after intended deletion.	2024-03-15	not yet calculated	CVE-2023-6960 cret@cert.org
sciener — ttlock_app	The TTLock App does not employ proper verification procedures to ensure that it is communicating with the expected device, allowing for connection to a device that spoofs the MAC address of a lock, which compromises the legitimate locks integrity.	2024-03-15	not yet calculated	CVE-2023-7004 cret@cert.org
sky_co.,ltd. — skysea_client_view	Improper access control vulnerability exists in the specific folder of SKYSEA Client View versions from Ver.16.100 prior to Ver.19.2. If this vulnerability is exploited, an arbitrary file may be placed in the specific folder by a user who can log in to the PC where the product’s Windows client is installed. In case the file is a specially crafted DLL file, arbitrary code may be executed with SYSTEM privilege.	2024-03-12	not yet calculated	CVE-2024-21805 vultures@jpcert.or.jp vultures@jpcert.or.jp
sky_co.,ltd. — skysea_client_view	Improper access control vulnerability exists in the resident process of SKYSEA Client View versions from Ver.11.220 prior to Ver.19.2. If this vulnerability is exploited, an arbitrary process may be executed with SYSTEM privilege by a user who can log in to the PC where the product’s Windows client is installed.	2024-03-12	not yet calculated	CVE-2024-24964 vultures@jpcert.or.jp vultures@jpcert.or.jp
sonicwall — email_security	An improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in SonicWall Email Security Appliance could allow a remote attacker with administrative privileges to conduct a directory traversal attack and delete arbitrary files from the appliance file system.	2024-03-14	not yet calculated	CVE-2024-22398 PSIRT@sonicwall.com
sonicwall — sonicos	An Integer-based buffer overflow vulnerability in the SonicOS via IPSec allows a remote attacker in specific conditions to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a specially crafted IKEv2 payload.	2024-03-14	not yet calculated	CVE-2024-22396 PSIRT@sonicwall.com
sonicwall — sonicos	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) in the SonicOS SSLVPN portal allows a remote authenticated attacker as a firewall ‘admin’ user to store and execute arbitrary JavaScript code.	2024-03-14	not yet calculated	CVE-2024-22397 PSIRT@sonicwall.com
the_libreswan_project_(www.libreswan.org) — libreswan	The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service.	2024-03-11	not yet calculated	CVE-2024-2357 d42dc95b-23f1-4e06-9076-20753a0fb0df
toyoko_inn_it_solution_co.,_ltd. — toyoko_inn_official_app_for_ios	The Toyoko Inn official App for iOS versions prior to 1.13.0 and Toyoko Inn official App for Android versions prior 1.3.14 don’t properly verify server certificates, which allows a man-in-the-middle attacker to spoof servers and obtain sensitive information via a crafted certificate.	2024-03-13	not yet calculated	CVE-2024-27440 vultures@jpcert.or.jp vultures@jpcert.or.jp vultures@jpcert.or.jp
unknown — 404_solution	The 404 Solution WordPress plugin before 2.35.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins.	2024-03-11	not yet calculated	CVE-2024-1068 contact@wpscan.com
unknown — enhanced_text_widget	The Enhanced Text Widget WordPress plugin before 1.6.6 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)	2024-03-11	not yet calculated	CVE-2024-0559 contact@wpscan.com contact@wpscan.com
unknown — login_as_user_or_customer	The Login as User or Customer WordPress plugin through 3.8 does not prevent users to log in as any other user on the site.	2024-03-11	not yet calculated	CVE-2023-7247 contact@wpscan.com contact@wpscan.com
unknown — paid_memberships_pro	The Paid Memberships Pro WordPress plugin before 2.12.9 does not prevent user with at least the contributor role from leaking other users’ sensitive metadata.	2024-03-11	not yet calculated	CVE-2024-1279 contact@wpscan.com
unknown — photos_and_files_contest_gallery	The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks.	2024-03-11	not yet calculated	CVE-2024-1487 contact@wpscan.com
unknown — seriously_simple_podcasting	The Seriously Simple Podcasting WordPress plugin before 3.0.0 discloses the Podcast owner’s email address (which by default is the admin email address) via an unauthenticated crafted request.	2024-03-11	not yet calculated	CVE-2023-6444 contact@wpscan.com
unknown — starbox	The Starbox WordPress plugin before 3.5.0 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks	2024-03-11	not yet calculated	CVE-2024-1273 contact@wpscan.com
unknown — ultimate_posts_widget	The Ultimate Posts Widget WordPress plugin before 2.3.1 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)	2024-03-11	not yet calculated	CVE-2024-0561 contact@wpscan.com
unknown — user_registration	The User Registration WordPress plugin before 2.12 does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts.	2024-03-11	not yet calculated	CVE-2024-1290 contact@wpscan.com
veribo,_roland_murg — wp_simple_booking_calendar	Cross-Site Request Forgery (CSRF) vulnerability in Veribo, Roland Murg WP Simple Booking Calendar.This issue affects WP Simple Booking Calendar: from n/a through 2.0.8.4.	2024-03-15	not yet calculated	CVE-2023-51525 audit@patchstack.com

alerts

Repository for Software Attestation and Artifacts Now Live

Post author By admin
Post date March 18, 2024

Software producers who partner with the federal government can now upload their Secure Software Development Attestation Forms to CISA’s Repository for Software Attestation and Artifacts. Software producers that provide the government software can fill out the form to attest to implementation of specific security practices.

CISA and the Office of Management and Budget (OMB) released the form on March 11, 2024, following extensive stakeholder and industry engagement. See the recent blog post from Federal CISO and Deputy National Cyber Director Chris DeRusha and CISA Executive Assistant Director for Cybersecurity Eric Goldstein for additional information.

alerts

Cisco Releases Security Updates for IOS XR Software

Post author By admin
Post date March 14, 2024

Cisco released security updates to address vulnerabilities in Cisco IOS XR software. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected device.

CISA encourages users and administrators to review the following advisories and apply the necessary updates:

alerts

Vulnerability Summary for the Week of March 4, 2024

Post author By admin
Post date March 11, 2024

High Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
acowebs — pdf_invoices_and_packing_slips_for_woocommerce	The PDF Invoices and Packing Slips For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.7 via deserialization of untrusted input via the order_id parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.	2024-03-07	8.8	CVE-2024-1773 security@wordfence.com security@wordfence.com security@wordfence.com
ailux — imx6_bundle	A CWE-798 “Use of Hard-coded Credentials” vulnerability in the MariaDB database of the web application allows a remote unauthenticated attacker to access the database service and all included data with the same privileges of the web application. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.	2024-03-05	8.1	CVE-2023-5456 prodsec@nozominetworks.com
ailux — imx6_bundle	A CWE-122 “Heap-based Buffer Overflow” vulnerability in the “logger_generic” function of the “Ax_rtu” binary allows a remote authenticated attacker to trigger a memory corruption in the context of the binary. This may result in a Denial-of-Service (DoS) condition, possibly in the execution of arbitrary code with the same privileges of the process (root), or have other unspecified impacts on the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.	2024-03-05	7.5	CVE-2023-45591 prodsec@nozominetworks.com
ailux — imx6_bundle	A CWE-1269 “Product Released in Non-Release Configuration” vulnerability in the Django web framework used by the web application (due to the “debug” configuration parameter set to “True”) allows a remote unauthenticated attacker to access critical information and have other unspecified impacts to the confidentiality, integrity, and availability of the application. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.	2024-03-05	7.5	CVE-2023-5457 prodsec@nozominetworks.com
apple — ipad_os	A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.	2024-03-05	7.8	CVE-2024-23225 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — ipad_os	A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.	2024-03-05	7.8	CVE-2024-23296 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
arista_networks — arista_edge_threat_management_-_arista_ng_firewall_(ngfw)	Multiple SQL Injection vulnerabilities exist in the reporting application of the Arista Edge Threat Management – Arista NG Firewall (NGFW). A user with advanced report application access rights can exploit the SQL injection, allowing them to execute commands on the underlying operating system with elevated privileges.	2024-03-04	8.8	CVE-2024-27889 psirt@arista.com
blue_planet — inventory_(bpi)	In Blue Planet® products through 22.12, a misconfiguration in the SAML implementation allows for privilege escalation. Only products using SAML authentication are affected. Blue Planet® has released software updates that address this vulnerability for the affected products. Customers are advised to upgrade their Blue Planet products to the latest software version as soon as possible. The software updates can be downloaded from the Ciena Support Portal.	2024-03-06	9	CVE-2024-2005 7bd90cf1-1651-495e-9ae8-9415fb3c9feb
boyiddha — automated-mess-management-system	A vulnerability was found in boyiddha Automated-Mess-Management-System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /index.php of the component Login Page. The manipulation of the argument useremail leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256049 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-08	7.3	CVE-2024-2282 cna@vuldb.com cna@vuldb.com cna@vuldb.com
cdac — appsamvid_software	This vulnerability exists in AppSamvid software due to the usage of a weaker cryptographic algorithm (hash) SHA1 in user login component. An attacker with local administrative privileges could exploit this to obtain the password of AppSamvid on the targeted system. Successful exploitation of this vulnerability could allow the attacker to take complete control of the application on the targeted system.	2024-03-06	7.1	CVE-2024-25102 vdisclose@cert-in.org.in
cdac — usb_pratirodh	This vulnerability exists in USB Pratirodh due to the usage of a weaker cryptographic algorithm (hash) SHA1 in user login component. A local attacker with administrative privileges could exploit this vulnerability to obtain the password of USB Pratirodh on the targeted system. Successful exploitation of this vulnerability could allow the attacker to take control of the application and modify the access control of registered users or devices on the targeted system.	2024-03-06	7.1	CVE-2024-1224 vdisclose@cert-in.org.in
cisco — cisco_secure_client	A vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link while establishing a VPN session. A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token. The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access.	2024-03-06	8.2	CVE-2024-20337 ykramarz@cisco.com
cisco — cisco_secure_client	A vulnerability in the ISE Posture (System Scan) module of Cisco Secure Client for Linux could allow an authenticated, local attacker to elevate privileges on an affected device. This vulnerability is due to the use of an uncontrolled search path element. An attacker could exploit this vulnerability by copying a malicious library file to a specific directory in the filesystem and persuading an administrator to restart a specific process. A successful exploit could allow the attacker to execute arbitrary code on an affected device with root privileges.	2024-03-06	7.3	CVE-2024-20338 ykramarz@cisco.com
cloudevents — sdk-go	Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.	2024-03-06	7.5	CVE-2024-28110 security-advisories@github.com security-advisories@github.com security-advisories@github.com
dalibo — postgresql_anonymizer	PostgreSQL Anonymizer v1.2 contains a SQL injection vulnerability that allows a user who owns a table to elevate to superuser when dynamic masking is enabled. PostgreSQL Anonymizer enables users to set security labels on tables to mask specified columns. There is a flaw that allows complex expressions to be provided as a value. This expression is then later used as it to create the masked views leading to SQL Injection. If dynamic masking is enabled, this will lead to privilege escalation to superuser after the label is created. Users that don’t own a table, especially masked users cannot exploit this vulnerability. The problem is resolved in v1.3.	2024-03-08	8	CVE-2024-2338 f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
dalibo — postgresql_anonymizer	PostgreSQL Anonymizer v1.2 contains a vulnerability that allows a user who owns a table to elevate to superuser. A user can define a masking function for a column and place malicious code in that function. When a privileged user applies the masking rules using the static masking or the anonymous dump method, the malicious code is executed and can grant escalated privileges to the malicious user. PostgreSQL Anonymizer v1.2 does provide a protection against this risk with the restrict_to_trusted_schemas option, but that protection is incomplete. Users that don’t own a table, especially masked users cannot exploit this vulnerability. The problem is resolved in v1.3.	2024-03-08	8	CVE-2024-2339 f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
dell — dell_digital_delivery_(d3)	Dell Digital Delivery, versions prior to 5.0.86.0, contain a Use After Free Vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to an application crash or execution of arbitrary code.	2024-03-04	7	CVE-2024-0155 security_alert@emc.com
dell — dell_digital_delivery_(d3)	Dell Digital Delivery, versions prior to 5.0.86.0, contain a Buffer Overflow vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to arbitrary code execution and/or privilege escalation.	2024-03-04	7	CVE-2024-0156 security_alert@emc.com
dell — dell_display_and_peripheral_manager	Dell Display and Peripheral Manager for macOS prior to 1.3 contains an improper access control vulnerability. A low privilege user could potentially exploit this vulnerability by modifying files in the installation folder to execute arbitrary code, leading to privilege escalation.	2024-03-04	7.3	CVE-2024-22452 security_alert@emc.com
dell — integrated_dell_remote_access_controller_8	A command injection vulnerability exists in local RACADM. A malicious authenticated user could gain control of the underlying operating system.	2024-03-09	8	CVE-2024-25951 security_alert@emc.com
dell– powerscale-onefs	Dell PowerScale OneFS 8.2.x through 9.6.0.x contains a use of a broken or risky cryptographic algorithm vulnerability. A remote unprivileged attacker could potentially exploit this vulnerability, leading to compromise of confidentiality and integrity of sensitive information	2024-03-04	7.4	CVE-2024-22463 security_alert@emc.com
electron-userland — electron-builder	electron-builder is a solution to package and build a ready for distribution Electron, Proton Native app for macOS, Windows and Linux. A vulnerability that only affects eletron-builder prior to 24.13.2 in Windows, the NSIS installer makes a system call to open cmd.exe via NSExec in the `.nsh` installer script. NSExec by default searches the current directory of where the installer is located before searching `PATH`. This means that if an attacker can place a malicious executable file named cmd.exe in the same folder as the installer, the installer will run the malicious file. Version 24.13.2 fixes this issue. No known workaround exists. The code executes at the installer-level before the app is present on the system, so there’s no way to check if it exists in a current installer.	2024-03-06	7.3	CVE-2024-27303 security-advisories@github.com security-advisories@github.com security-advisories@github.com
eprosima — fast-dds	eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7, an invalid DATA_FRAG Submessage causes a bad-free error, and the Fast-DDS process can be remotely terminated. If an invalid Data_Frag packet is sent, the `Inline_qos, SerializedPayload` member of object `ch` will attempt to release memory without initialization, resulting in a ‘bad-free’ error. Versions 2.13.0, 2.12.2, 2.11.3, 2.10.2, and 2.6.7 fix this issue.	2024-03-06	9.6	CVE-2023-50716 security-advisories@github.com
freertos — freertos-kernel	FreeRTOS is a real-time operating system for microcontrollers. FreeRTOS Kernel versions through 10.6.1 do not sufficiently protect against local privilege escalation via Return Oriented Programming techniques should a vulnerability exist that allows code injection and execution. These issues affect ARMv7-M MPU ports, and ARMv8-M ports with Memory Protected Unit (MPU) support enabled (i.e. `configENABLE_MPU` set to 1). These issues are fixed in version 10.6.2 with a new MPU wrapper.	2024-03-07	8.8	CVE-2024-28115 security-advisories@github.com security-advisories@github.com
galette — galette	Galette is a membership management web application for non profit organizations. Starting in version 1.0.0 and prior to version 1.0.2, public pages are per default restricted to only administrators and staff members. From configuration, it is possible to restrict to up-to-date members or to everyone. Version 1.0.2 fixes this issue.	2024-03-06	7.5	CVE-2024-24761 security-advisories@github.com security-advisories@github.com
gallagher — command_centre_server	Insufficiently protected credentials (CWE-522) for third party DVR integrations to the Command Centre Server are accessible to authenticated but unprivileged users. This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), all version of 8.60 and prior.	2024-03-05	9.1	CVE-2024-21815 disclosures@gallagher.com
gitlab — gitlab	An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions.	2024-03-07	7.7	CVE-2024-0199 cve@gitlab.com cve@gitlab.com cve@gitlab.com
hashicorp — vault	Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.	2024-03-04	8.1	CVE-2024-2048 security@hashicorp.com
hewlett_packard_enterprise_(hpe) — arubaos_wi-fi_controllers_and_campus/remote_access_points	Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system.	2024-03-05	7.2	CVE-2024-1356 security-alert@hpe.com
hewlett_packard_enterprise_(hpe) — arubaos_wi-fi_controllers_and_campus/remote_access_points	Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system.	2024-03-05	7.2	CVE-2024-25611 security-alert@hpe.com
hewlett_packard_enterprise_(hpe) — arubaos_wi-fi_controllers_and_campus/remote_access_points	Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system.	2024-03-05	7.2	CVE-2024-25612 security-alert@hpe.com
hewlett_packard_enterprise_(hpe) — arubaos_wi-fi_controllers_and_campus/remote_access_points	Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system.	2024-03-05	7.2	CVE-2024-25613 security-alert@hpe.com
ibm — mq	IBM MQ and IBM MQ Appliance 9.0, 9.1, 9.2, 9.3 LTS and 9.3 CD could allow a remote unauthenticated attacker to cause a denial of service due to incorrect buffering logic. IBM X-Force ID: 281279.	2024-03-03	7.5	CVE-2024-25016 psirt@us.ibm.com psirt@us.ibm.com
ibm — sterling_connect:express_for_unix	IBM Connect:Express for UNIX 1.5.0 is vulnerable to a buffer overflow that could allow a remote attacker to cause a denial of service through its browser UI. IBM X-Force ID: 254979.	2024-03-04	7.5	CVE-2023-32331 psirt@us.ibm.com psirt@us.ibm.com
icewhaletech — casaos-userservice	CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn’t defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the login attempts. This vulnerability allows attackers to get super user-level access over the server. Version 0.4.7 contains a patch for this issue.	2024-03-06	9.1	CVE-2024-24767 security-advisories@github.com security-advisories@github.com security-advisories@github.com
icewhaletech — casaos-userservice	CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example, the CasaOS user database, and possibly obtain system root privileges. Version 0.4.7 fixes this issue.	2024-03-06	7.5	CVE-2024-24765 security-advisories@github.com security-advisories@github.com security-advisories@github.com
jackc — pgx	pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker’s control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.	2024-03-06	9.8	CVE-2024-27304 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
jackc — pgx	pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.	2024-03-06	8.1	CVE-2024-27289 security-advisories@github.com security-advisories@github.com
jetbrains — teamcity	In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible	2024-03-04	9.8	CVE-2024-27198 cve@jetbrains.com
jetbrains — teamcity	In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible	2024-03-04	7.3	CVE-2024-27199 cve@jetbrains.com
jfrog — artifactory	JFrog Artifactory versions 7.59 and above, but below 7.59.18, 7.63.18, 7.68.19, 7.71.8 are vulnerable to an issue whereby user interaction with specially crafted URLs could lead to exposure of user access tokens due to improper handling of the CLI / IDE browser based SSO integration.	2024-03-07	9.3	CVE-2023-42662 reefs@jfrog.com
jfrog — artifactory	JFrog Artifactory prior to version 7.76.2 is vulnerable to Arbitrary File Write of untrusted data, which may lead to DoS or Remote Code Execution when a specially crafted series of requests is sent by an authenticated user. This is due to insufficient validation of artifacts.	2024-03-07	7.2	CVE-2023-42661 reefs@jfrog.com
jkohlbach — auto_refresh_single_page	The Auto Refresh Single Page plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1 via deserialization of untrusted input from the arsp_options post meta option. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.	2024-03-05	8.8	CVE-2024-1731 security@wordfence.com security@wordfence.com
jsonata-js — jsonata	JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. As a workaround, one may apply the patch manually.	2024-03-06	9.8	CVE-2024-27307 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
keerti1924 — php-mysql-user-login-system	A vulnerability, which was classified as critical, has been found in keerti1924 PHP-MYSQL-User-Login-System 1.0. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-256034 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-07	7.3	CVE-2024-2264 cna@vuldb.com cna@vuldb.com cna@vuldb.com
kozea — weasyprint	WeasyPrint helps web developers to create PDF documents. Since version 61.0, there’s a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs. This vulnerability has been patched in version 61.2.	2024-03-09	7.4	CVE-2024-28184 security-advisories@github.com security-advisories@github.com
m-files_corporation — m-files_web	Stored XSS Vulnerability in M-Files Web versions before 23.8 allows attacker to execute script on users browser via stored HTML document within limited time period.	2024-03-04	7.3	CVE-2023-4479 security@m-files.com
mongodb_inc — mongodb_server	Under certain configurations of –tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28. Required Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.	2024-03-07	8.8	CVE-2024-1351 cna@mongodb.com cna@mongodb.com cna@mongodb.com cna@mongodb.com cna@mongodb.com
moxa — nport_w2150a/w2250a_series	A stack-based buffer overflow in the built-in web server in Moxa NPort W2150A/W2250A Series firmware version 2.3 and prior allows a remote attacker to exploit the vulnerability by sending crafted payload to the web service. Successful exploitation of the vulnerability could result in denial of service.	2024-03-06	8.2	CVE-2024-1220 psirt@moxa.com
n/a — kubevirt-csi	A flaw was found in the kubevirt-csi component of OpenShift Virtualization’s Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node’s volume by creating a custom Persistent Volume that matches the name of a worker node.	2024-03-07	8.1	CVE-2024-1725 secalert@redhat.com secalert@redhat.com
n/a– n/a	In Veritas NetBackup before 8.1.2 and NetBackup Appliance before 3.1.2, the BPCD process inadequately validates the file path, allowing an unauthenticated attacker to upload and execute a custom file.	2024-03-07	9.8	CVE-2024-28222 cve@mitre.org
n/a– n/a	Archer Platform 6.x before 6.14 P2 HF2 (6.14.0.2.2) contains a stored cross-site scripting (XSS) vulnerability. A remote authenticated malicious Archer user could potentially exploit this to store malicious HTML or JavaScript code in a trusted application data store. When victim users access the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. 6.13.P3 HF1 (6.13.0.3.1) is also a fixed release.	2024-03-08	7.3	CVE-2024-26313 cve@mitre.org cve@mitre.org
n/a — vmware_cloud_director	VMware Cloud Director contains a partial information disclosure vulnerability. A malicious actor can potentially gather information about organization names based on the behavior of the instance.	2024-03-07	10	CVE-2024-22256 security@vmware.com
n/a — vmware_esxi	VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.	2024-03-05	9.3	CVE-2024-22252 security@vmware.com
n/a — vmware_esxi	VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.	2024-03-05	9.3	CVE-2024-22253 security@vmware.com
n/a — vmware_esxi	VMware ESXi contains an out-of-bounds write vulnerability. A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox.	2024-03-05	7.9	CVE-2024-22254 security@vmware.com
n/a — vmware_esxi	VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability in the UHCI USB controller. A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.	2024-03-05	7.1	CVE-2024-22255 security@vmware.com
netgear — rax30	A stack-based buffer overflow vulnerability exists in the JSON Parsing getblockschedule() functionality of Netgear RAX30 1.0.11.96 and 1.0.7.78. A specially crafted HTTP request can lead to code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.	2024-03-07	7.2	CVE-2023-48725 talos-cna@cisco.com talos-cna@cisco.com
nicdark — restaurant_reservations	The Restaurant Reservations plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the nd_rst_layout attribute of the nd_rst_search shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where an uploaded PHP file may not be directly accessible.	2024-03-07	8.8	CVE-2024-1382 security@wordfence.com security@wordfence.com security@wordfence.com
nlnet_labs — unbound	NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop. Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client’s advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client’s buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the ‘ede: yes’ option is used; non default configuration. From version 1.19.2 on, the code is fixed to avoid looping indefinitely.	2024-03-07	7.5	CVE-2024-1931 sep@nlnetlabs.nl
pluggabl — booster_elite_for_woocommerce	The Booster Elite for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wc_add_new_product() function in all versions up to, and including, 7.1.7. This makes it possible for customer-level attackers, and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. This is only exploitable when the user product upload functionality is enabled.	2024-03-07	8.8	CVE-2024-1986 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
qnap_systems_inc. — qts	An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later	2024-03-08	9.8	CVE-2024-21899 security@qnapsecurity.com.tw
qualcomm,_inc. — snapdragon	Memory corruption in Core Services while executing the command for removing a single event listener.	2024-03-04	9.3	CVE-2023-28578 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Memory corruption in Data Modem while verifying hello-verify message during the DTLS handshake.	2024-03-04	9.8	CVE-2023-28582 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Memory corruption while processing MBSSID beacon containing several subelement IE.	2024-03-04	9.8	CVE-2023-43552 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Memory corruption while parsing beacon/probe response frame when AP sends more supported links in MLIE.	2024-03-04	9.8	CVE-2023-43553 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Memory corruption in Audio while processing RT proxy port register driver.	2024-03-04	8.4	CVE-2023-33066 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Memory corruption while processing the IOCTL FM HCI WRITE request.	2024-03-04	8.4	CVE-2023-43540 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Memory corruption while invoking the SubmitCommands call on Gfx engine during the graphics render.	2024-03-04	8.4	CVE-2023-43541 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Memory corruption while invoking HGSL IOCTL context create.	2024-03-04	8.4	CVE-2023-43546 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Memory corruption while invoking IOCTLs calls in Automotive Multimedia.	2024-03-04	8.4	CVE-2023-43547 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Memory corruption while processing TPC target power table in FTM TPC.	2024-03-04	8.4	CVE-2023-43549 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Transient DOS while processing IE fragments from server during DTLS handshake.	2024-03-04	7.5	CVE-2023-33084 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Transient DOS while processing multiple IKEV2 Informational Request to device from IPSEC server with different identifiers.	2024-03-04	7.5	CVE-2023-33086 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Transient DOS while processing multiple payload container type with incorrect container length received in DL NAS transport OTA in NR.	2024-03-04	7.5	CVE-2023-33095 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Transient DOS while processing DL NAS Transport message, as specified in 3GPP 24.501 v16.	2024-03-04	7.5	CVE-2023-33096 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Transient DOS while processing CAG info IE received from NW.	2024-03-04	7.5	CVE-2023-33103 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Transient DOS while processing PDU Release command with a parameter PDU ID out of range.	2024-03-04	7.5	CVE-2023-33104 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Transient DOS in WLAN Host and Firmware when large number of open authentication frames are sent with an invalid transaction sequence number.	2024-03-04	7.5	CVE-2023-33105 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Transient DOS while processing an improperly formatted 802.11az Fine Time Measurement protocol frame.	2024-03-04	7.5	CVE-2023-43539 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Memory corruption while parsing qcp clip with invalid chunk data size.	2024-03-04	7.3	CVE-2023-43548 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Memory corruption while processing a QMI request for allocating memory from a DHMS supported subsystem.	2024-03-04	7.8	CVE-2023-43550 product-security@qualcomm.com
robotsandpencils — go-saml	RobotsAndPencils go-saml, a SAML client library written in Go, contains an authentication bypass vulnerability in all known versions. This is due to how the `xmlsec1` command line tool is called internally to verify the signature of SAML assertions. When `xmlsec1` is used without defining the enabled key data, the origin of the public key for the signature verification is, unfortunately, not restricted. That means an attacker can sign the SAML assertions themselves and provide the required public key (e.g. an RSA key) directly embedded in the SAML token. Projects still using RobotsAndPencils/go-saml should move to another SAML library or alternatively remove support for SAML from their projects. The vulnerability can likely temporarily be fixed by forking the go-saml project and adding the command line argument `–enabled-key-data` and specifying a value such as `x509` or `raw-x509-cert` when calling the `xmlsec1` binary in the verify function. Please note that this workaround must be carefully tested before it can be used.	2024-03-06	7.5	CVE-2023-48703 security-advisories@github.com
schoolbox_pty_ltd — schoolbox	Chat functionality in Schoolbox application before version 23.1.3 is vulnerable to blind SQL Injection enabling the authenticated attackers to read, modify, and delete database records.	2024-03-07	8.8	CVE-2024-28094 vdp@themissinglink.com.au vdp@themissinglink.com.au
schoolbox_pty_ltd — schoolbox	News functionality in Schoolbox application before version 23.1.3 is vulnerable to stored cross-site scripting allowing authenticated attacker to perform security actions in the context of the affected users.	2024-03-07	7.3	CVE-2024-28095 vdp@themissinglink.com.au vdp@themissinglink.com.au
schoolbox_pty_ltd — schoolbox	Class functionality in Schoolbox application before version 23.1.3 is vulnerable to stored cross-site scripting allowing authenticated attacker to perform security actions in the context of the affected users.	2024-03-07	7.3	CVE-2024-28096 vdp@themissinglink.com.au vdp@themissinglink.com.au
schoolbox_pty_ltd — schoolbox	Calendar functionality in Schoolbox application before version 23.1.3 is vulnerable to stored cross-site scripting allowing authenticated attacker to perform security actions in the context of the affected users.	2024-03-07	7.3	CVE-2024-28097 vdp@themissinglink.com.au vdp@themissinglink.com.au
shopware — shopware	Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony Session Handler pops the Session Cookie and assigns it to the Response. Since Shopware 6.5.8.0, the 404 pages are cached to improve the performance of 404 pages. So the cached Response which contains a Session Cookie when the Browser accessing the 404 page, has no cookies yet. The Symfony Session Handler is in use, when no explicit Session configuration has been done. When Redis is in use for Sessions using the PHP Redis extension, this exploiting code is not used. Shopware version 6.5.8.7 contains a patch for this issue. As a workaround, use Redis for Sessions, as this does not trigger the exploit code.	2024-03-06	7.5	CVE-2024-27917 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
silicon_labs — z-wave_sdk	The vulnerability described by CVE-2023-0972 has been additionally discovered in Silicon Labs Z-Wave end devices. This vulnerability may allow an unauthenticated attacker within Z-Wave range to overflow a stack buffer, leading to arbitrary code execution.	2024-03-07	8.8	CVE-2023-51395 product-security@silabs.com
sixlabors — imagesharp	ImageSharp is a managed, cross-platform, 2D graphics library. A heap-use-after-free flaw was found in ImageSharp’s InitializeImage() function of PngDecoderCore.cs file. This vulnerability is triggered when an attacker passes a specially crafted PNG image file to ImageSharp for conversion, potentially leading to information disclosure. This issue has been patched in versions 3.1.3 and 2.1.7.	2024-03-05	7.1	CVE-2024-27929 security-advisories@github.com
sourcecodester — online_mobile_management_store	A vulnerability was found in SourceCodester Online Mobile Management Store 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/login.php. The manipulation of the argument username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255500.	2024-03-03	7.3	CVE-2024-2147 cna@vuldb.com cna@vuldb.com cna@vuldb.com
squid-cache — squid	Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid’s patch archives. There is no workaround for this issue.	2024-03-06	8.6	CVE-2024-25111 security-advisories@github.com security-advisories@github.com
svenl77 — post_form_â€“_registration_form_â€“_profile_form_for_user_profiles_â€“_frontend_content_forms_for_user_submissions_(ugc)	The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the handle_deleted_media function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to delete arbitrary media files.	2024-03-07	8.2	CVE-2024-1170 security@wordfence.com security@wordfence.com security@wordfence.com
svenl77 — post_form_â€“_registration_form_â€“_profile_form_for_user_profiles_â€“_frontend_content_forms_for_user_submissions_(ugc)	The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media upload due to a missing capability check on the buddyforms_upload_handle_dropped_media function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to upload media files.	2024-03-07	7.5	CVE-2024-1169 security@wordfence.com security@wordfence.com security@wordfence.com
tokio-rs — mio	Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability may result in a use-after-free. For users of Tokio, this vulnerability is serious and can result in a use-after-free in Tokio. The vulnerability is Windows-specific, and can only happen if you are using named pipes. Other IO resources are not affected. This vulnerability has been fixed in mio v0.8.11. All versions of mio between v0.7.2 and v0.8.10 are vulnerable. Tokio is vulnerable when you are using a vulnerable version of mio AND you are using at least Tokio v1.30.0. Versions of Tokio prior to v1.30.0 will ignore invalid tokens, so they are not vulnerable. Vulnerable libraries that use mio can work around this issue by detecting and ignoring invalid tokens.	2024-03-06	7.5	CVE-2024-27308 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
unitedover — digits:_wordpress_mobile_number_signup_and_login	The Digits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.4.1. This is due to missing nonce validation in the ‘digits_save_settings’ function. This makes it possible for unauthenticated attackers to modify the default role of registered users to elevate user privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.	2024-03-07	8.8	CVE-2024-0203 security@wordfence.com security@wordfence.com
videogallery — vimeography:_vimeo_video_gallery_wordpress_plugin	The Vimeography: Vimeo Video Gallery WordPress Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.3.2 via deserialization of untrusted input via the vimeography_duplicate_gallery_serialized in the duplicate_gallery function. This makes it possible for authenticated attackers attackers, with contributor access or higher, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.	2024-03-05	8.8	CVE-2024-0825 security@wordfence.com security@wordfence.com
zeromicro — go-zero	go-zero is a web and rpc framework. Go-zero allows user to specify a CORS Filter with a configurable allows param – which is an array of domains allowed in CORS policy. However, the `isOriginAllowed` uses `strings.HasSuffix` to check the origin, which leads to bypass via a malicious domain. This vulnerability is capable of breaking CORS policy and thus allowing any page to make requests and/or retrieve data on behalf of other users. Version 1.4.4 fixes this issue.	2024-03-06	9.1	CVE-2024-27302 security-advisories@github.com security-advisories@github.com
zksoftware_biometric_security_solutions — uface_5	Authentication Bypass by Primary Weakness vulnerability in ZKSoftware Biometric Security Solutions UFace 5 allows Authentication Bypass.This issue affects UFace 5: through 12022024.	2024-03-05	9.8	CVE-2023-7103 iletisim@usom.gov.tr

Medium Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
1panel-dev — 1panel	1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.10.1-lts, users can use Burp to obtain unauthorized access to the console page. The vulnerability has been fixed in v1.10.1-lts. There are no known workarounds.	2024-03-06	6.3	CVE-2024-27288 security-advisories@github.com security-advisories@github.com
ailux — imx6_bundle	A CWE-613 “Insufficient Session Expiration” vulnerability in the web application, due to the session cookie “sessionid” lasting two weeks, facilitates session hijacking attacks against victims. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.	2024-03-05	5.6	CVE-2023-45600 prodsec@nozominetworks.com
ailux — imx6_bundle	A CWE-250 “Execution with Unnecessary Privileges” vulnerability in the embedded Chromium browser (due to the binary being executed with the “–no-sandbox” option and with root privileges) exacerbates the impacts of successful attacks executed against the browser. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.	2024-03-05	6.8	CVE-2023-45592 prodsec@nozominetworks.com
ailux — imx6_bundle	A CWE-693 “Protection Mechanism Failure” vulnerability in the embedded Chromium browser (concerning the handling of alternative URLs, other than ” http://localhost” http://localhost” ) allows a physical attacker to read arbitrary files on the file system, alter the configuration of the embedded browser, and have other unspecified impacts to the confidentiality, integrity, and availability of the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.	2024-03-05	6.8	CVE-2023-45593 prodsec@nozominetworks.com
ailux — imx6_bundle	A CWE-552 “Files or Directories Accessible to External Parties” vulnerability in the embedded Chromium browser allows a physical attacker to arbitrarily download/upload files to/from the file system, with unspecified impacts to the confidentiality, integrity, and availability of the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.	2024-03-05	6.8	CVE-2023-45594 prodsec@nozominetworks.com
ailux — imx6_bundle	A CWE-434 “Unrestricted Upload of File with Dangerous Type” vulnerability in the “file_configuration” functionality of the web application allows a remote authenticated attacker to upload any arbitrary type of file into the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.	2024-03-05	5.9	CVE-2023-45595 prodsec@nozominetworks.com
ailux — imx6_bundle	A CWE-862 “Missing Authorization” vulnerability in the “file_configuration” functionality of the web application allows a remote unauthenticated attacker to access confidential configuration files. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.	2024-03-05	5.3	CVE-2023-45596 prodsec@nozominetworks.com
ailux — imx6_bundle	A CWE-1236 “Improper Neutralization of Formula Elements in a CSV File” vulnerability in the “file_configuration” functionality of the web application (concerning the function “export_file”) allows a remote authenticated attacker to inject arbitrary formulas inside generated CSV files. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.	2024-03-05	5.9	CVE-2023-45597 prodsec@nozominetworks.com
ailux — imx6_bundle	A CWE-862 “Missing Authorization” vulnerability in the “measure” functionality of the web application allows a remote unauthenticated attacker to access confidential measure information. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.	2024-03-05	5.3	CVE-2023-45598 prodsec@nozominetworks.com
ailux — imx6_bundle	A CWE-646 “Reliance on File Name or Extension of Externally-Supplied File” vulnerability in the “iec61850” functionality of the web application allows a remote authenticated attacker to upload any arbitrary type of file into the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.	2024-03-05	5.5	CVE-2023-45599 prodsec@nozominetworks.com
alextselegidis — easy!appointments	The Easy!Appointments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-05	6.4	CVE-2024-0698 security@wordfence.com security@wordfence.com
bdtask — g-prescription_gynaecology_&_obs_consultation_software	A vulnerability was found in Bdtask G-Prescription Gynaecology & OBS Consultation Software 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /Setting/change_password_save of the component Password Reset Handler. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-256046 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-08	4.3	CVE-2024-2277 cna@vuldb.com cna@vuldb.com cna@vuldb.com
bdtask — hospita_automanager	A vulnerability has been found in Bdtask Hospita AutoManager up to 20240223 and classified as problematic. This vulnerability affects unknown code of the file /investigation/delete/ of the component Investigation Report Handler. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255496. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-03	4.3	CVE-2024-2134 cna@vuldb.com cna@vuldb.com cna@vuldb.com
bdtask — hospital_automanager	A vulnerability has been found in Bdtask Hospital AutoManager up to 20240227 and classified as problematic. This vulnerability affects unknown code of the file /billing/bill/edit/ of the component Update Bill Page. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-256270 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-08	4.3	CVE-2024-2316 cna@vuldb.com cna@vuldb.com cna@vuldb.com
bdthemes — prime_slider_â€“_addons_for_elementor_(revolution_of_a_slider,_hero_slider,_ecommerce_slider)	The Prime Slider – Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_tags’ attribute of the Fiestar widget in all versions up to, and including, 3.13.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-07	6.4	CVE-2024-1506 security@wordfence.com security@wordfence.com
boyiddha — automated-mess-management-system	A vulnerability was found in boyiddha Automated-Mess-Management-System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/index.php of the component Setting Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256048. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-08	6.3	CVE-2024-2281 cna@vuldb.com cna@vuldb.com cna@vuldb.com
boyiddha — automated-mess-management-system	A vulnerability classified as critical has been found in boyiddha Automated-Mess-Management-System 1.0. Affected is an unknown function of the file /member/view.php. The manipulation of the argument date leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-256050 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-08	6.3	CVE-2024-2283 cna@vuldb.com cna@vuldb.com cna@vuldb.com
cbutlerjr — wp-members_membership_plugin	The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 3.4.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-08	6.4	CVE-2024-1987 security@wordfence.com security@wordfence.com
cdac — appsamvid_software	This vulnerability exists in AppSamvid software due to the usage of vulnerable and outdated components. An attacker with local administrative privileges could exploit this by placing malicious DLLs on the targeted system. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the targeted system.	2024-03-06	6.3	CVE-2024-25103 vdisclose@cert-in.org.in
cisco — cisco_appdynamics	A vulnerability in the file upload functionality of Cisco AppDynamics Controller could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to an affected device. A successful exploit could allow the attacker to access sensitive data on an affected device.	2024-03-06	6.5	CVE-2024-20345 ykramarz@cisco.com
cisco — cisco_appdynamics	A vulnerability in the web-based management interface of Cisco AppDynamics Controller could allow an authenticated, remote attacker to perform a reflected cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.	2024-03-06	5.4	CVE-2024-20346 ykramarz@cisco.com
cisco — cisco_business_wireless_access_point_software	A vulnerability in the web-based management interface of Cisco Small Business 100, 300, and 500 Series Wireless APs could allow an authenticated, remote attacker to perform command injection attacks against an affected device. In order to exploit this vulnerability, the attacker must have valid administrative credentials for the device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system.	2024-03-06	6.5	CVE-2024-20335 ykramarz@cisco.com
cisco — cisco_business_wireless_access_point_software	A vulnerability in the web-based user interface of Cisco Small Business 100, 300, and 500 Series Wireless APs could allow an authenticated, remote attacker to perform buffer overflow attacks against an affected device. In order to exploit this vulnerability, the attacker must have valid administrative credentials for the device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system.	2024-03-06	6.5	CVE-2024-20336 ykramarz@cisco.com
cisco — cisco_duo	A vulnerability in Cisco Duo Authentication for Windows Logon and RDP could allow an authenticated, physical attacker to bypass secondary authentication and access an affected Windows device. This vulnerability is due to a failure to invalidate locally created trusted sessions after a reboot of the affected device. An attacker with primary user credentials could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access the affected device without valid permissions.	2024-03-06	6.2	CVE-2024-20301 ykramarz@cisco.com
cisco — cisco_duo	A vulnerability in the logging component of Cisco Duo Authentication for Windows Logon and RDP could allow an authenticated, local attacker to view sensitive information in clear text on an affected system. This vulnerability is due to improper storage of an unencrypted registry key in certain logs. An attacker could exploit this vulnerability by accessing the logs on an affected system. A successful exploit could allow the attacker to view sensitive information in clear text.	2024-03-06	4.4	CVE-2024-20292 ykramarz@cisco.com
codeastro — ecommerce_site	A vulnerability classified as critical was found in CodeAstro Ecommerce Site 1.0. Affected by this vulnerability is an unknown functionality of the file action.php of the component Search. The manipulation of the argument cat_id/brand_id/keyword leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256303.	2024-03-09	6.3	CVE-2024-2351 cna@vuldb.com cna@vuldb.com cna@vuldb.com
codeastro — membership_management_system	A vulnerability classified as critical has been found in CodeAstro Membership Management System 1.0. Affected is an unknown function of the file /add_members.php. The manipulation of the argument fullname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256284.	2024-03-09	6.3	CVE-2024-2333 cna@vuldb.com cna@vuldb.com cna@vuldb.com
codeastro — membership_management_system	A vulnerability classified as critical was found in CodeAstro Membership Management System 1.0. This vulnerability affects unknown code of the file settings.php. The manipulation of the argument currency leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-255502 is the identifier assigned to this vulnerability.	2024-03-03	4.7	CVE-2024-2149 cna@vuldb.com cna@vuldb.com cna@vuldb.com
creativethemeshq — blocksy	The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s blocks in all versions up to, and including, 2.0.26 due to insufficient input sanitization and output escaping on user supplied attributes like ‘className’ and ‘radius’. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-09	6.4	CVE-2024-1767 security@wordfence.com security@wordfence.com
croixhaug — appointment_booking_calendar_â€”_simply_schedule_appointments_booking_plugin	The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.6.20. This is due to missing or incorrect nonce validation on the ssa_factory_reset() function. This makes it possible for unauthenticated attackers to reset the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.	2024-03-06	4.3	CVE-2024-1760 security@wordfence.com security@wordfence.com security@wordfence.com
cservit — affiliate-toolkit_â€“_wordpress_affiliate_plugin	The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_create_list() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating product lists.	2024-03-08	6.3	CVE-2024-1851 security@wordfence.com security@wordfence.com
cservit — affiliate-toolkit_â€“_wordpress_affiliate_plugin	The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_import_product() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating importing products.	2024-03-08	4.3	CVE-2024-2298 security@wordfence.com security@wordfence.com
denoland — deno	Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp` API containing path traversal characters. This is fixed in Deno 1.41.1.	2024-03-05	5.8	CVE-2024-27931 security-advisories@github.com
django_markdownx — django_markdownx	Cross-Site Scripting (XSS) vulnerability in the Django MarkdownX project, affecting version 4.0.2. An attacker could store a specially crafted JavaScript payload in the upload functionality due to lack of proper sanitisation of JavaScript elements.	2024-03-08	5.4	CVE-2024-2319 cve-coordination@incibe.es
esphome — esphome	ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with `Content-Type: text/html; charset=UTF-8`, allowing a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting. It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write. To trigger the XSS vulnerability, the victim must visit the page` /edit?configuration=[xss file]`. Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards. In addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values. Version 2024.2.2 contains a patch for this issue.	2024-03-06	6.5	CVE-2024-27287 security-advisories@github.com security-advisories@github.com
extendthemes — colibri_page_builder	The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callActivateLicenseEndpoint function in all versions up to, and including, 1.0.260. This makes it possible for authenticated attackers, with subscriber access or higher, to update the license key.	2024-03-09	4.3	CVE-2024-1870 security@wordfence.com security@wordfence.com security@wordfence.com
forcepoint — next_generation_firewall_security_management_center_	Forcepoint NGFW Security Management Center Management Server has SMC Downloads optional feature to offer standalone Management Client downloads and ECA configuration downloads. Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Forcepoint Next Generation Firewall Security Management Center (SMC Downloads feature) allows Reflected XSS. This issue affects Next Generation Firewall Security Management Center : before 6.10.13, from 6.11.0 before 7.1.2.	2024-03-04	6.1	CVE-2023-5451 psirt@forcepoint.com
gallagher — controller_7000	Missing release of resource after effective lifetime (CWE-772) in the Controller 7000 resulted in HBUS connected T-Series readers to not automatically recover after coming under attack over the RS-485 interface, resulting in a persistent denial of service. This issue affects: All variants of the Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507(MR1)), 8.90 prior to vCR8.90.240209b (distributed in 8.90.1751 (MR3)), 8.80 prior to vCR8.80.240209a (distributed in 8.80.1526 (MR4)), 8.70 prior to vCR8.70.240209a (distributed in 8.70.2526 (MR6)).	2024-03-05	6.2	CVE-2024-22383 disclosures@gallagher.com
gallagher_ — command_centre_server	Improper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), all version of 8.60 and prior.	2024-03-05	6.8	CVE-2024-21838 disclosures@gallagher.com
gitlab — gitlab	A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of `manage_group_access_tokens` to rotate group access tokens with owner privileges.	2024-03-07	6.5	CVE-2024-1299 cve@gitlab.com cve@gitlab.com cve@gitlab.com
go-jose — go-jose	Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.	2024-03-09	4.3	CVE-2024-28180 security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com
gophish — admin_panel	Cross-Site Scripting stored vulnerability in Gophish affecting version 0.12.1. This vulnerability could allow an attacker to store a malicious JavaScript payload in the campaign menu and trigger the payload when the campaign is removed from the menu.	2024-03-06	4.6	CVE-2024-2211 cve-coordination@incibe.es
grafana — grafana	A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.	2024-03-07	6	CVE-2024-1442 security@grafana.com
hashthemes — total	The Total theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the total_order_sections() function in all versions up to, and including, 2.1.59. This makes it possible for authenticated attackers, with subscriber-level access and above, to repeat sections on the homepage.	2024-03-06	5.3	CVE-2024-1771 security@wordfence.com security@wordfence.com security@wordfence.com
heateor — social_sharing_plugin_â€“_sassy_social_share	The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘Sassy_Social_Share’ shortcode in all versions up to, and including, 3.3.58 due to insufficient input sanitization and output escaping on user supplied attributes such as ‘url’. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-06	6.4	CVE-2024-1989 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
helderk — maintenance_mode	The Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.0 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page content via API thus bypassing the content protection provided by the plugin.	2024-03-05	5.3	CVE-2024-1478 security@wordfence.com security@wordfence.com
hewlett_packard_enterprise_(hpe) — arubaos_wi-fi_controllers_and_campus/remote_access_points	There is an arbitrary file deletion vulnerability in the CLI used by ArubaOS. Successful exploitation of this vulnerability results in the ability to delete arbitrary files on the underlying operating system, which could lead to denial-of-service conditions and impact the integrity of the controller.	2024-03-05	5.5	CVE-2024-25614 security-alert@hpe.com
hewlett_packard_enterprise_(hpe) — arubaos_wi-fi_controllers_and_campus/remote_access_points	An unauthenticated Denial-of-Service (DoS) vulnerability exists in the Spectrum service accessed via the PAPI protocol in ArubaOS 8.x. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected service.	2024-03-05	5.3	CVE-2024-25615 security-alert@hpe.com
ibm — aspera_faspex	IBM Aspera Faspex 5.0.0 and 5.0.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 222562.	2024-03-05	5.4	CVE-2022-22399 psirt@us.ibm.com psirt@us.ibm.com
ibm — cics_tx_advanced	IBM CICS TX Advanced 10.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 260769.	2024-03-04	6.1	CVE-2023-38360 psirt@us.ibm.com psirt@us.ibm.com
ibm — cics_tx_advanced	IBM CICS TX Advanced 10.1 could disclose sensitive information to a remote attacker due to observable discrepancy in HTTP responses. IBM X-Force ID: 260814.	2024-03-04	5.3	CVE-2023-38362 psirt@us.ibm.com psirt@us.ibm.com
ibm — ds8900f	IBM DS8900F HMC 89.21.19.0, 89.21.31.0, 89.30.68.0, 89.32.40.0, and 89.33.48.0 could allow an authenticated user to arbitrarily delete a file. IBM X-Force ID: 269406.	2024-03-07	6.5	CVE-2023-46169 psirt@us.ibm.com psirt@us.ibm.com
ibm — ds8900f	IBM DS8900F HMC 89.21.19.0, 89.21.31.0, 89.30.68.0, 89.32.40.0, and 89.33.48.0 could allow an authenticated user to arbitrarily read files after enumerating file names. IBM X-Force ID: 269407.	2024-03-07	6.5	CVE-2023-46170 psirt@us.ibm.com psirt@us.ibm.com
ibm — ds8900f	IBM DS8900F HMC 89.21.19.0, 89.21.31.0, 89.30.68.0, 89.32.40.0, and 89.33.48.0 could allow a remote attacker to bypass authentication restrictions for authorized user. IBM X-Force ID: 269409.	2024-03-07	5.6	CVE-2023-46172 psirt@us.ibm.com psirt@us.ibm.com
ibm — ds8900f	IBM DS8900F HMC 89.21.19.0, 89.21.31.0, 89.30.68.0, 89.32.40.0, and 89.33.48.0 could allow an authenticated user to view sensitive log information after enumerating filenames. IBM X-Force ID: 269408.	2024-03-07	4.3	CVE-2023-46171 psirt@us.ibm.com psirt@us.ibm.com
ibm — engineering_test_management	IBM Engineering Test Management 7.0.2 and 7.0.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 267459.	2024-03-03	6.4	CVE-2023-43054 psirt@us.ibm.com psirt@us.ibm.com
ibm — mq_operator	IBM MQ Operator 2.0.0 LTS, 2.0.18 LTS, 3.0.0 CD, 3.0.1 CD, 2.4.0 through 2.4.7, 2.3.0 through 2.3.3, 2.2.0 through 2.2.2, and 2.3.0 through 2.3.3 stores or transmits user credentials in plain clear text which can be read by a local user using a trace command. IBM X-Force ID: 272638.	2024-03-03	6.2	CVE-2023-47745 psirt@us.ibm.com psirt@us.ibm.com
ibm — mq_operator	IBM MQ Operator 2.0.0 LTS, 2.0.18 LTS, 3.0.0 CD, 3.0.1 CD, 2.4.0 through 2.4.7, 2.3.0 through 2.3.3, 2.2.0 through 2.2.2, and 2.3.0 through 2.3.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 283905.	2024-03-03	5.9	CVE-2024-27255 psirt@us.ibm.com psirt@us.ibm.com
ibm — qradar_suite_products	IBM QRadar Suite Products 1.10.12.0 through 1.10.18.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could disclose sensitive information using man in the middle techniques due to not correctly enforcing all aspects of certificate validation in some circumstances. IBM X-Force ID: 272533.	2024-03-03	5.9	CVE-2023-47742 psirt@us.ibm.com psirt@us.ibm.com
ibm — qradar_suite_products	IBM QRadar Suite Products 1.10.12.0 through 1.10.18.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 280781.	2024-03-03	5.9	CVE-2024-22355 psirt@us.ibm.com psirt@us.ibm.com
ibm — qradar_wincollect_agent_	IBM QRadar WinCollect Agent 10.0 through 10.1.2 could allow a privileged user to cause a denial of service. IBM X-Force ID: 240151.	2024-03-03	4.4	CVE-2022-43880 psirt@us.ibm.com psirt@us.ibm.com
ibm — security_verify_privilege_on-premises	IBM Security Verify Privilege On-Premises 11.5 could disclose sensitive information through an HTTP request that could aid an attacker in further attacks against the system. IBM X-Force ID: 240453.	2024-03-04	5.3	CVE-2022-43890 psirt@us.ibm.com psirt@us.ibm.com
ibm — spectrum_virtualize	LDAP users on IBM Spectrum Virtualize 8.5 which are configured to require multifactor authentication can still authenticate to the CIM interface using only username and password. This does not affect local users with MFA configured or remote users authenticating via single sign-on. IBM X-Force ID: 247033.	2024-03-05	5.3	CVE-2023-25681 psirt@us.ibm.com psirt@us.ibm.com
ibm — spss_statistics	IBM SPSS Statistics 26.0, 27.0.1, and 28.0 could allow a local user to create multiple files that could exhaust the file handles capacity and cause a denial of service. IBM X-Force ID: 230235.	2024-03-08	6.2	CVE-2022-43855 psirt@us.ibm.com psirt@us.ibm.com
ibm — watson_cp4d_data_stores	IBM Watson CP4D Data Stores 4.6.0, 4.6.1, and 4.6.2 could allow an attacker with specific knowledge about the system to manipulate data due to improper input validation. IBM X-Force ID: 250396.	2024-03-03	5.9	CVE-2023-28512 psirt@us.ibm.com psirt@us.ibm.com
ibm — watson_cp4d_data_stores	IBM Watson CP4D Data Stores 4.6.0 through 4.6.3 could allow a user with physical access and specific knowledge of the system to modify files or data on the system. IBM X-Force ID: 248415.	2024-03-05	4.2	CVE-2023-26282 psirt@us.ibm.com psirt@us.ibm.com
ibm — watson_cp4d_data_stores	IBM Watson CP4D Data Stores 4.6.0, 4.6.1, 4.6.2, and 4.6.3 does not encrypt sensitive or critical information before storage or transmission which could allow an attacker to obtain sensitive information. IBM X-Force ID: 248740.	2024-03-03	4.5	CVE-2023-27291 psirt@us.ibm.com psirt@us.ibm.com
icewhaletech — casaos-userservice	CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. If the username is incorrect application gives the error `User does not exist`. If the password is incorrect application gives the error `Invalid password`. Version 0.4.7 fixes this issue.	2024-03-06	6.2	CVE-2024-24766 security-advisories@github.com security-advisories@github.com security-advisories@github.com
jbahlquist — blue_triad_ezanalytics	The Blue Triad EZAnalytics plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘bt_webid’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.	2024-03-05	6.1	CVE-2024-1782 security@wordfence.com security@wordfence.com
jetbrains — teamcity	In JetBrains TeamCity before 2023.11.4 presigned URL generation requests in S3 Artifact Storage plugin were authorized improperly	2024-03-06	5.8	CVE-2024-28174 cve@jetbrains.com
jetbrains — teamcity	In JetBrains TeamCity between 2023.11 and 2023.11.4 custom build parameters of the “password” type could be disclosed	2024-03-06	4.3	CVE-2024-28173 cve@jetbrains.com
jetbrains — youtrack	In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles	2024-03-07	6.5	CVE-2024-28229 cve@jetbrains.com
jetbrains — youtrack	In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions	2024-03-07	6.5	CVE-2024-28230 cve@jetbrains.com
jetbrains — youtrack	In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was possible	2024-03-07	5.3	CVE-2024-28228 cve@jetbrains.com
jfrog — artifactory	JFrog Artifactory later than version 7.17.4 but prior to version 7.77.0 is vulnerable to an issue whereby a sequence of improperly handled exceptions in repository configuration initialization steps may lead to exposure of sensitive data.	2024-03-07	6.6	CVE-2023-42509 reefs@jfrog.com
jmlapam — jm_twitter_cards	The JM Twitter Cards plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 12 via the meta description data. This makes it possible for unauthenticated attackers to view password protected post content when viewing the page source.	2024-03-05	5.3	CVE-2024-1769 security@wordfence.com security@wordfence.com
keerti1924 — online-book-store-website	A vulnerability was found in keerti1924 Online-Book-Store-Website 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /search.php. The manipulation of the argument search leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256039. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-07	6.3	CVE-2024-2269 cna@vuldb.com cna@vuldb.com cna@vuldb.com
keerti1924 — online-book-store-website	A vulnerability classified as critical has been found in keerti1924 Online-Book-Store-Website 1.0. This affects an unknown part of the file /shop.php of the component HTTP POST Request Handler. The manipulation of the argument product_name leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256041 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-08	6.3	CVE-2024-2271 cna@vuldb.com cna@vuldb.com cna@vuldb.com
keerti1924 — online-book-store-website	A vulnerability classified as critical was found in keerti1924 Online-Book-Store-Website 1.0. This vulnerability affects unknown code of the file /home.php of the component HTTP POST Request Handler. The manipulation of the argument product_name leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-256042 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-08	6.3	CVE-2024-2272 cna@vuldb.com cna@vuldb.com cna@vuldb.com
keerti1924 — online-book-store-website	A vulnerability was found in keerti1924 Online-Book-Store-Website 1.0 and classified as problematic. This issue affects some unknown processing of the file /shop.php. The manipulation of the argument product_price leads to business logic errors. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256037 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-07	4.3	CVE-2024-2267 cna@vuldb.com cna@vuldb.com cna@vuldb.com
keerti1924 — online-book-store-website	A vulnerability was found in keerti1924 Online-Book-Store-Website 1.0. It has been classified as critical. Affected is an unknown function of the file /product_update.php?update=1. The manipulation of the argument update_image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-256038 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-07	4.7	CVE-2024-2268 cna@vuldb.com cna@vuldb.com cna@vuldb.com
keerti1924 — online-book-store-website	A vulnerability was found in keerti1924 Online-Book-Store-Website 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /signup.php. The manipulation of the argument name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256040. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-07	4.3	CVE-2024-2270 cna@vuldb.com cna@vuldb.com cna@vuldb.com
keerti1924 — php-mysql-user-login-system	A vulnerability, which was classified as problematic, was found in keerti1924 PHP-MYSQL-User-Login-System 1.0. This affects an unknown part of the file login.sql. The manipulation leads to inclusion of sensitive information in source code. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256035. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-07	5.3	CVE-2024-2265 cna@vuldb.com cna@vuldb.com cna@vuldb.com
lestrrat-go — jwx	JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21.	2024-03-09	6.8	CVE-2024-28122 security-advisories@github.com security-advisories@github.com security-advisories@github.com
metagauss — eventprime_â€“_events_calendar,_bookings_and_tickets	The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_frontend_event_submission() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the title and content of arbitrary posts. This can also be exploited by unauthenticated attackers when the allow_submission_by_anonymous_user setting is enabled.	2024-03-09	6.5	CVE-2024-1123 security@wordfence.com security@wordfence.com
metagauss — eventprime_â€“_events_calendar,_bookings_and_tickets	The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the calendar_events_delete() function in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts.	2024-03-09	6.5	CVE-2024-1125 security@wordfence.com security@wordfence.com
metagauss — eventprime_â€“_events_calendar,_bookings_and_tickets	The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘offline_status’ parameter in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-09	6.5	CVE-2024-1320 security@wordfence.com security@wordfence.com
metagauss — eventprime_â€“_events_calendar,_bookings_and_tickets	The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the ep_send_attendees_email() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to send arbitrary emails with arbitrary content from the site.	2024-03-09	4.3	CVE-2024-1124 security@wordfence.com security@wordfence.com
microsoft — microsoft_edge_for_android	Microsoft Edge for Android Spoofing Vulnerability	2024-03-07	4.3	CVE-2024-26167 secure@microsoft.com
motorola — phones	An improper export vulnerability was reported in the Motorola OTA update application, that could allow a malicious, local application to inject an HTML-based message on screen UI.	2024-03-04	5.1	CVE-2023-41827 psirt@lenovo.com
motorola — phones	An improper export vulnerability was reported in the Motorola Carrier Services application that could allow a malicious, local application to read files without authorization.	2024-03-04	5	CVE-2023-41829 psirt@lenovo.com
mozilocms — mozilocms	Cross-Site Scripting vulnerability in moziloCMS version 2.0. By sending a POST request to the ‘/install.php’ endpoint, a JavaScript payload could be executed in the ‘username’ parameter.	2024-03-07	5.4	CVE-2024-2245 cve-coordination@incibe.es
msi — msi_afterburner	MSI Afterburner v4.6.5.16370 is vulnerable to a Kernel Memory Leak vulnerability by triggering the 0x80002040 IOCTL code of the RTCore64.sys driver. The handle to the driver can only be obtained from a high integrity process.	2024-03-07	5.6	CVE-2024-1460 help@fluidattacks.com help@fluidattacks.com
msi — msi_afterburner	MSI Afterburner v4.6.5.16370 is vulnerable to a Denial of Service vulnerability by triggering the 0x80002000 IOCTL code of the RTCore64.sys driver. The handle to the driver can only be obtained from a high integrity process.	2024-03-07	4.4	CVE-2024-1443 help@fluidattacks.com help@fluidattacks.com
n/a –n/a	Archer Platform 6.x before 6.14 P2 HF2 (6.14.0.2.2) contains a sensitive information disclosure vulnerability. An unauthenticated attacker could potentially obtain access to sensitive information via an internal URL.	2024-03-08	5.3	CVE-2024-26309 cve@mitre.org cve@mitre.org
n/a — upstream	A timing-based side-channel flaw was found in libgcrypt’s RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.	2024-03-06	5.9	CVE-2024-2236 secalert@redhat.com secalert@redhat.com
netentsec — ns-asg_application_security_gateway	A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/list_resource_icon.php?action=delete. The manipulation of the argument IconId leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256280. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-09	6.3	CVE-2024-2329 cna@vuldb.com cna@vuldb.com cna@vuldb.com
netentsec — ns-asg_application_security_gateway	A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3. It has been classified as critical. This affects an unknown part of the file /protocol/index.php. The manipulation of the argument IPAddr leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256281 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-09	6.3	CVE-2024-2330 cna@vuldb.com cna@vuldb.com cna@vuldb.com
ninjateam — wp_chat_app	The WP Chat App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s widget/block in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes such as ‘buttonColor’ and ‘phoneNumber’. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-07	6.4	CVE-2024-1761 security@wordfence.com security@wordfence.com
openharmony — openharmony	in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through use after free.	2024-03-04	4.3	CVE-2023-46708 scy@openharmony.io
openharmony — openharmony	in OpenHarmony v4.0.0 and prior versions allow a local attacker cause information leak through improper preservation of permissions.	2024-03-04	4	CVE-2024-21816 scy@openharmony.io
openharmony — openharmony	in OpenHarmony v3.2.4 and prior versions allow a local attacker cause sensitive information leak through insecure storage.	2024-03-04	4.3	CVE-2024-21826 scy@openharmony.io
opentext — documentum_d2	CWE-1385 vulnerability in OpenText Documentum D2 affecting versions16.5.1 to CE 23.2. The vulnerability could allow upload arbitrary code and execute it on the client’s computer.	2024-03-08	5.8	CVE-2023-32264 security@opentext.com
pagebuildersandwich — page_builder_sandwich_â€“_front_end_wordpress_page_builder_plugin	The Page Builder Sandwich – Front End WordPress Page Builder Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘gambit_builder_save_content’ function in all versions up to, and including, 5.1.0. This makes it possible for authenticated attackers, with subscriber access and above, to insert arbitrary content into existing posts.	2024-03-05	6.5	CVE-2024-1285 security@wordfence.com security@wordfence.com
pagebuildersandwich — page_builder_sandwich_â€“_front_end_wordpress_page_builder_plugin	The Page Builder Sandwich – Front End WordPress Page Builder Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.0. This makes it possible for authenticated attackers, with subscriber access and higher, to extract sensitive user or configuration data.	2024-03-05	6.5	CVE-2024-1381 security@wordfence.com security@wordfence.com
panva — jose	jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user’s environment consume unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.	2024-03-09	4.9	CVE-2024-28176 security-advisories@github.com security-advisories@github.com security-advisories@github.com
pegasystems — pega_platform	Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content.	2024-03-06	5.4	CVE-2023-50167 security@pega.com
pgadmin.org — pgadmin_4	pgAdmin 4 uses a file-based session management approach. The session files are saved on disk as pickle objects. When a user performs a request, the value of the session cookie ‘pga4_session’ is used to retrieve the file, then its content is deserialised, and finally its signature verified. The cookie value is split in 2 parts at the first ‘!’ character. The first part is the session ID (sid), while the second is the session digest. The vulnerability lies in versions of pgAdmin prior to 8.4 where a method loads session files by concatenating the sessions folder – located inside the pgAdmin 4 DATA_DIR – with the session ID. Precisely, the two values are concatenated using the [‘os.path.join’] function. It does not set a trusted base-path which should not be escaped	2024-03-07	4.6	CVE-2024-2044 f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
pluggabl — booster_for_woocommerce	The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-07	6.4	CVE-2024-1534 security@wordfence.com security@wordfence.com
podlove — podlove_web_player	Missing Authorization vulnerability in Podlove Podlove Web Player.This issue affects Podlove Web Player: from n/a through 5.7.3.	2024-03-07	5.3	CVE-2023-47691 audit@patchstack.com
posimyththemes — the_plus_addons_for_elementor	The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ attribute of the Header Meta Content widget in all versions up to, and including, 5.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-07	6.4	CVE-2024-1419 security@wordfence.com security@wordfence.com
qnap_systems_inc. — myqnapcloud	A SQL injection vulnerability has been reported to affect myQNAPcloud. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following versions: myQNAPcloud 1.0.52 ( 2023/11/24 ) and later QTS 4.5.4.2627 build 20231225 and later	2024-03-08	4.7	CVE-2024-21901 security@qnapsecurity.com.tw
qnap_systems_inc. — photo_station	A path traversal vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following version: Photo Station 6.4.2 ( 2023/12/15 ) and later	2024-03-08	5.5	CVE-2023-47221 security@qnapsecurity.com.tw
qnap_systems_inc. — qts	An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 4.5.4.2627 build 20231225 and later QuTS hero h4.5.4.2626 build 20231225 and later	2024-03-08	5.9	CVE-2023-34980 security@qnapsecurity.com.tw
qnap_systems_inc. — qts	An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later	2024-03-08	4.3	CVE-2024-21900 security@qnapsecurity.com.tw
qnap_systems_inc. — qutscloud	A cross-site scripting (XSS) vulnerability has been reported to affect Network & Virtual Switch. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QuTScloud c5.1.5.2651 and later QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later	2024-03-08	4.9	CVE-2023-32969 security@qnapsecurity.com.tw
qualcomm,_inc. — snapdragon	Information Disclosure while processing IOCTL request in FastRPC.	2024-03-04	5.1	CVE-2023-33078 product-security@qualcomm.com
qualcomm,_inc. — snapdragon	Transient DOS while processing channel information for speaker protection v2 module in ADSP.	2024-03-04	5.5	CVE-2023-33090 product-security@qualcomm.com
rajkakadiya — password_protected_store_for_woocommerce	The Password Protected Store for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive data including post titles and content.	2024-03-05	5.3	CVE-2024-1088 security@wordfence.com security@wordfence.com
razib_ — build_&_control_block_patterns_â€“_boost_up_gutenberg_editor	The Build & Control Block Patterns – Boost up Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the settings_export() function in all versions up to, and including, 1.3.5.4. This makes it possible for unauthenticated attackers to export the plugin’s settings.	2024-03-05	5.3	CVE-2024-1095 security@wordfence.com security@wordfence.com
samsung_mobile — samnsung_account	Improper Handling of Insufficient Privileges in Samsung Account prior to version 14.8.00.3 allows local attackers to access data.	2024-03-05	5.1	CVE-2024-20841 mobile.security@samsung.com
samsung_mobile — samsung_internet	Improper validation vulnerability in Samsung Internet prior to version 24.0.3.2 allows local attackers to execute arbitrary code.	2024-03-05	6.8	CVE-2024-20838 mobile.security@samsung.com
samsung_mobile — samsung_internet	Missing proper interaction for opening deeplink in Samsung Internet prior to version v24.0.0.0 allows remote attackers to open an application without proper interaction.	2024-03-05	5.4	CVE-2024-20829 mobile.security@samsung.com
samsung_mobile — samsung_internet	Improper handling of granting permission for Trusted Web Activities in Samsung Internet prior to version 24.0.0.41 allows local attackers to grant permission to their own TWA WebApps without user interaction.	2024-03-05	5.3	CVE-2024-20837 mobile.security@samsung.com
samsung_mobile — samsung_mobile_devices	Stack overflow in Little Kernel in bootloader prior to SMR Mar-2024 Release 1 allows a privileged attackers to execute arbitrary code.	2024-03-05	6.4	CVE-2024-20831 mobile.security@samsung.com
samsung_mobile — samsung_mobile_devices	Heap overflow in Little Kernel in bootloader prior to SMR Mar-2024 Release 1 allows a privileged attacker to execute arbitrary code.	2024-03-05	6.4	CVE-2024-20832 mobile.security@samsung.com
samsung_mobile — samsung_mobile_devices	Improper input validation in IpcTxSndSetLoopbackCtrl in libsec-ril prior to SMR Sep-2023 Release 1 allows local attackers to write out-of-bounds memory.	2024-03-05	5.9	CVE-2023-52432 mobile.security@samsung.com
samsung_mobile — samsung_mobile_devices	Incorrect default permission in AppLock prior to SMR MAr-2024 Release 1 allows local attackers to configure AppLock settings.	2024-03-05	5.3	CVE-2024-20830 mobile.security@samsung.com
samsung_mobile — samsung_mobile_devices	Use after free vulnerability in pub_crypto_recv_msg prior to SMR Mar-2024 Release 1 due to race condition allows local attackers with system privilege to cause memory corruption.	2024-03-05	4.1	CVE-2024-20833 mobile.security@samsung.com
samsung_mobile — samsung_mobile_devices	Improper access control vulnerability in CustomFrequencyManagerService prior to SMR Mar-2024 Release 1 allows local attackers to execute privileged behaviors.	2024-03-05	4	CVE-2024-20835 mobile.security@samsung.com
samsung_mobile — samsung_voice_recorder	Improper access control in Samsung Voice Recorder prior to versions 21.5.16.01 in Android 12 and Android 13, 21.4.51.02 in Android 14 allows physical attackers using hardware keyboard to use VoiceRecorder on the lock screen.	2024-03-05	5.7	CVE-2024-20840 mobile.security@samsung.com
samsung_mobile — samsung_voice_recorder	Improper access control in Samsung Voice Recorder prior to versions 21.5.16.01 in Android 12 and Android 13, 21.4.51.02 in Android 14 allows physical attackers to access recording files on the lock screen.	2024-03-05	4.6	CVE-2024-20839 mobile.security@samsung.com
simon99 — change_memory_limit	The Change Memory Limit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_logic() function hooked via admin_init in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to update the memory limit.	2024-03-05	5.3	CVE-2024-1093 security@wordfence.com security@wordfence.com
softaculous — page_builder:_pagelayer_â€“_drag_and_drop_website_builder	The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom attributes in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-07	6.4	CVE-2024-2127 security@wordfence.com security@wordfence.com
sourcecodester — best_pos_management_system	A vulnerability was found in SourceCodester Best POS Management System 1.0. It has been classified as critical. Affected is an unknown function of the file admin_class.php. The manipulation of the argument img leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255588.	2024-03-04	6.3	CVE-2024-2156 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — best_pos_management_system	A vulnerability was found in SourceCodester Best POS Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file index.php. The manipulation of the argument page leads to file inclusion. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-255587.	2024-03-04	4.3	CVE-2024-2155 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — insurance_management_system	A vulnerability, which was classified as critical, has been found in SourceCodester Insurance Management System 1.0. This issue affects some unknown processing. The manipulation of the argument page leads to file inclusion. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-255503.	2024-03-03	5.3	CVE-2024-2150 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — online_mobile_management_store	A vulnerability classified as critical has been found in SourceCodester Online Mobile Management Store 1.0. This affects an unknown part of the file /classes/Users.php. The manipulation of the argument img leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255501 was assigned to this vulnerability.	2024-03-03	6.3	CVE-2024-2148 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — online_mobile_management_store	A vulnerability, which was classified as critical, was found in SourceCodester Online Mobile Management Store 1.0. This affects an unknown part of the file /admin/orders/view_order.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255585 was assigned to this vulnerability.	2024-03-04	6.3	CVE-2024-2153 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — online_mobile_management_store	A vulnerability has been found in SourceCodester Online Mobile Management Store 1.0 and classified as critical. This vulnerability affects unknown code of the file view_product.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-255586 is the identifier assigned to this vulnerability.	2024-03-04	6.3	CVE-2024-2154 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — online_mobile_management_store	A vulnerability was found in SourceCodester Online Mobile Management Store 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/maintenance/manage_category.php of the component HTTP GET Request Handler. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256283.	2024-03-09	6.3	CVE-2024-2332 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — online_mobile_management_store	A vulnerability classified as problematic was found in SourceCodester Online Mobile Management Store 1.0. Affected by this vulnerability is an unknown functionality of the component Product Price Handler. The manipulation of the argument quantity with the input -1 leads to business logic errors. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-255583.	2024-03-04	4.3	CVE-2024-2151 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — online_mobile_management_store	A vulnerability, which was classified as critical, has been found in SourceCodester Online Mobile Management Store 1.0. Affected by this issue is some unknown functionality of the file /admin/product/manage_product.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255584.	2024-03-04	4.7	CVE-2024-2152 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — online_tours_&_travels_management_system	A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/operations/expense_category.php of the component HTTP POST Request Handler. The manipulation of the argument status leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-255678 is the identifier assigned to this vulnerability.	2024-03-04	4.7	CVE-2024-2168 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — tourist_reservation_system	A vulnerability was found in SourceCodester Tourist Reservation System 1.0. It has been declared as critical. This vulnerability affects the function ad_writedata of the file System.cpp. The manipulation of the argument ad_code leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-256282 is the identifier assigned to this vulnerability.	2024-03-09	6.3	CVE-2024-2331 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sulu — sulu	Sulu is a PHP content management system. Starting in verson 2.2.0 and prior to version 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue. The problem is patched in versions 2.4.17 and 2.5.13. Some workarounds are available. One may apply the patch to `vendor/symfony/security-http/HttpUtils.php` manually or avoid installing `symfony/security-http` versions greater equal than `v5.4.30` or `v6.3.6`.	2024-03-06	6.8	CVE-2024-27915 security-advisories@github.com security-advisories@github.com
thehappymonster — happy_addons_for_elementor	The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘archive_title_tag’ attribute of the Archive Title widget in all versions up to, and including, 3.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-07	6.4	CVE-2024-1366 security@wordfence.com security@wordfence.com
thehappymonster — happy_addons_for_elementor	The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘author_meta_tag’ attribute of the Author Meta widget in all versions up to, and including, 3.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-07	6.4	CVE-2024-1377 security@wordfence.com security@wordfence.com
themeboy — sportspress_â€“_sports_club_&_league_manager	The SportsPress – Sports Club & League Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings_save() function in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to update the permalink structure for the clubs	2024-03-05	5.3	CVE-2024-1178 security@wordfence.com security@wordfence.com
thinkst — canarytokens	Canarytokens helps track activity and actions on a network. Canarytokens.org supports exporting the history of a Canarytoken’s incidents in CSV format. The generation of these CSV files is vulnerable to a CSV Injection vulnerability. This flaw can be used by an attacker who discovers an HTTP-based Canarytoken to target the Canarytoken’s owner, if the owner exports the incident history to CSV and opens in a reader application such as Microsoft Excel. The impact is that this issue could lead to code execution on the machine on which the CSV file is opened. Version sha-c595a1f8 contains a fix for this issue.	2024-03-06	6.5	CVE-2024-28111 security-advisories@github.com security-advisories@github.com
tp-link — archer_ax50	Cross-Site Scripting (XSS) vulnerability stored in TP-Link Archer AX50 affecting firmware version 1.0.11 build 2022052. This vulnerability could allow an unauthenticated attacker to create a port mapping rule via a SOAP request and store a malicious JavaScript payload within that rule, which could result in an execution of the JavaScript payload when the rule is loaded.	2024-03-05	6.1	CVE-2024-2188 cve-coordination@incibe.es
wpdevteam — embedpress_â€“_embed_pdf,_google_docs,_vimeo,_wistia,_embed_youtube_videos,_audios,_maps_&_embed_any_documents_in_gutenberg_&_elementor	The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Wistia embed block in all versions up to, and including, 3.9.10 due to insufficient input sanitization and output escaping on the user supplied url. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-07	6.4	CVE-2024-1802 security@wordfence.com security@wordfence.com
wpdevteam — embedpress_â€“_embed_pdf,_google_docs,_vimeo,_wistia,_embed_youtube_videos,_audios,_maps_&_embed_any_documents_in_gutenberg_&_elementor	The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s embed widget in all versions up to, and including, 3.9.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-07	6.4	CVE-2024-2128 security@wordfence.com security@wordfence.com security@wordfence.com
wpeverest — user_registration_â€“_custom_registration_form,_login_form,_and_user_profile_wordpress_plugin	The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Display Name’ parameter in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires social engineering to successfully exploit, and the impact would be very limited due to the attacker requiring a user to login as the user with the injected payload for execution.	2024-03-07	4.7	CVE-2024-1720 security@wordfence.com security@wordfence.com security@wordfence.com
wpkoithemes — wpkoi_templates_for_elementor	The WPKoi Templates for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-07	6.4	CVE-2024-2136 security@wordfence.com security@wordfence.com
wproyal — royal_elementor_addons_and_templates	The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Logo Widget in all versions up to, and including, 1.3.91 due to insufficient input sanitization and output escaping on user supplied URLs. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	2024-03-07	5.4	CVE-2024-1500 security@wordfence.com security@wordfence.com security@wordfence.com security@wordfence.com
zkteco — zkbio_media	A vulnerability was found in ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028. It has been classified as problematic. Affected is an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument fileName with the input ../../../../zkbio_media.sql leads to path traversal: ‘../filedir’. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256272. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-08	4.3	CVE-2024-2318 cna@vuldb.com cna@vuldb.com cna@vuldb.com

Low Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
arista_networks — mos	On affected 7130 Series FPGA platforms running MOS and recent versions of the MultiAccess FPGA, application of ACL’s may result in incorrect operation of the configured ACL for a port resulting in some packets that should be denied being permitted and some	2024-03-04	3.1	CVE-2023-6068 psirt@arista.com
bdtask — g-prescription_gynaecology_&_obs_consultation_software	A vulnerability, which was classified as problematic, has been found in Bdtask G-Prescription Gynaecology & OBS Consultation Software 1.0. This issue affects some unknown processing of the file /Home/Index of the component Prescription Dashboard. The manipulation of the argument Title leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256043. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-08	2.4	CVE-2024-2274 cna@vuldb.com cna@vuldb.com cna@vuldb.com
bdtask — g-prescription_gynaecology_&_obs_consultation_software	A vulnerability, which was classified as problematic, was found in Bdtask G-Prescription Gynaecology & OBS Consultation Software 1.0. Affected is an unknown function of the component OBS Patient/Gynee Prescription. The manipulation of the argument Patient Title/Full Name/Address/Cheif Complain/LMP/Menstrual Edd/OBS P/OBS Alc/Medicine Name/Medicine Type/Ml/Dose/Days/Comments/Template Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256044. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-08	2.4	CVE-2024-2275 cna@vuldb.com cna@vuldb.com cna@vuldb.com
bdtask — g-prescription_gynaecology_&_obs_consultation_software	A vulnerability has been found in Bdtask G-Prescription Gynaecology & OBS Consultation Software 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /Venue_controller/edit_venue/ of the component Edit Venue Page. The manipulation of the argument Venue map leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256045 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-08	2.4	CVE-2024-2276 cna@vuldb.com cna@vuldb.com cna@vuldb.com
bdtask — hospita_automanager	A vulnerability was found in Bdtask Hospita AutoManager up to 20240223 and classified as problematic. This issue affects some unknown processing of the file /hospital_activities/birth/form of the component Hospital Activities Page. The manipulation of the argument Description with the input <img src=a onerror=alert(1)> leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255497 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-03	2.4	CVE-2024-2135 cna@vuldb.com cna@vuldb.com cna@vuldb.com
bdtask — hospital_automanager	A vulnerability was found in Bdtask Hospital AutoManager up to 20240227 and classified as problematic. This issue affects some unknown processing of the file /prescription/prescription/delete/ of the component Prescription Page. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256271. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-08	3.8	CVE-2024-2317 cna@vuldb.com cna@vuldb.com cna@vuldb.com
bdtask — isshue_multi_store_ecommerce_shopping_cart_solution	A vulnerability, which was classified as problematic, was found in Bdtask Isshue Multi Store eCommerce Shopping Cart Solution 4.0. This affects an unknown part of the file /dashboard/Cinvoice/manage_invoice of the component Manage Sale Page. The manipulation of the argument Title leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-255495.	2024-03-03	2.4	CVE-2024-2133 cna@vuldb.com cna@vuldb.com cna@vuldb.com
boyiddha — automated-mess-management-system	A vulnerability classified as problematic was found in boyiddha Automated-Mess-Management-System 1.0. Affected by this vulnerability is an unknown functionality of the file /member/chat.php of the component Chat Book. The manipulation of the argument msg leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256051. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-08	3.5	CVE-2024-2284 cna@vuldb.com cna@vuldb.com cna@vuldb.com
boyiddha — automated-mess-management-system	A vulnerability, which was classified as problematic, has been found in boyiddha Automated-Mess-Management-System 1.0. Affected by this issue is some unknown functionality of the file /member/member_edit.php. The manipulation of the argument name leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-256052. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-08	3.5	CVE-2024-2285 cna@vuldb.com cna@vuldb.com cna@vuldb.com
concrete_cms — concrete_cms	Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Name field which might be executed when users visit the affected page. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.2 with a vector of AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Concrete versions below 9 do not include group types so they are not affected by this vulnerability. Thanks Luca Fuda for reporting.	2024-03-05	2.2	CVE-2024-2179 ff5b8ace-8b95-4078-9743-eac1ca5451de
cybellum — maintenance_server	Maintenance Server, in Cybellum’s QCOW air-gapped distribution (China Edition), versions 2.15.5 through 2.27, was compiled with a hard-coded private cryptographic key. An attacker with administrative privileges & access to the air-gapped server could potentially use this key to run commands on the server. The issue was resolved in version 2.28. Earlier versions, including all Cybellum 1.x versions, and distributions for the rest of the world remain unaffected.	2024-03-05	3.8	CVE-2023-42419 info@cybellum.com
dell — powerscale_onefs	Dell PowerScale OneFS 8.2.x through 9.6.0.x contain an insufficient logging vulnerability. A local malicious user with high privileges could potentially exploit this vulnerability, causing audit messages lost and not recorded for a specific time period.	2024-03-04	3	CVE-2024-24901 security_alert@emc.com
hewlett_packard_enterprise_(hpe) — arubaos_wi-fi_controllers_and_campus/remote_access_points	Aruba has identified certain configurations of ArubaOS that can lead to partial disclosure of sensitive information in the IKE_AUTH negotiation process. The scenarios in which disclosure of potentially sensitive information can occur are complex, and depend on factors beyond the control of attackers.	2024-03-05	3.7	CVE-2024-25616 security-alert@hpe.com
keerti1924 — secret-coder-php-project	A vulnerability has been found in keerti1924 Secret-Coder-PHP-Project 1.0 and classified as problematic. This vulnerability affects unknown code of the file /login.php of the component Login Page. The manipulation of the argument emailcookie/passwordcookie leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256036. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	2024-03-07	3.5	CVE-2024-2266 cna@vuldb.com cna@vuldb.com cna@vuldb.com
openharmony — openharmony	in OpenHarmony v3.2.4 and prior versions allow a local attacker cause information leak through out-of-bounds Read.	2024-03-04	2.9	CVE-2023-25176 scy@openharmony.io
openharmony — openharmony	in OpenHarmony v3.2.4 and prior versions allow a local attacker cause apps crash through type confusion.	2024-03-04	2.9	CVE-2023-49602 scy@openharmony.io
samsung_mobile — samsung_mobile_devices	The sensitive information exposure vulnerability in WlanTest prior to SMR Mar-2024 Release 1 allows local attackers to access MAC address without proper permission.	2024-03-05	3.3	CVE-2024-20834 mobile.security@samsung.com
samsung_mobile — samsung_mobile_devices	Out of bounds Read vulnerability in ssmis_get_frm in libsubextractor.so prior to SMR Mar-2024 Release 1 allows local attackers to read out of bounds memory.	2024-03-05	3.3	CVE-2024-20836 mobile.security@samsung.com
sourcecodester — online_mobile_management_store	A vulnerability was found in SourceCodester Online Mobile Management Store 1.0. It has been classified as problematic. Affected is an unknown function of the file /endpoint/update-tracker.php. The manipulation of the argument firstname leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-255498 is the identifier assigned to this vulnerability.	2024-03-03	3.5	CVE-2024-2145 cna@vuldb.com cna@vuldb.com cna@vuldb.com
sourcecodester — online_mobile_management_store	A vulnerability was found in SourceCodester Online Mobile Management Store 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /?p=products. The manipulation of the argument search leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-255499.	2024-03-03	3.5	CVE-2024-2146 cna@vuldb.com cna@vuldb.com cna@vuldb.com

Severity Not Yet Assigned

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
N/A — N/A	An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm through 3.13.3. It displays values of secrets when the –dry-run flag is used. This is a security concern in some use cases, such as a –dry-run call by a CI/CD tool. NOTE: the vendor’s position is that this behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values).	2024-03-03	not yet calculated	CVE-2019-25210 cve@mitre.org cve@mitre.org
N/A — N/A	RAD SecFlow-2 devices with Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12 allow URIs beginning with /.. for Directory Traversal, as demonstrated by reading /etc/shadow.	2024-03-08	not yet calculated	CVE-2019-6268 cve@mitre.org cve@mitre.org
N/A — N/A	Online Flight Booking Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the feedback form.	2024-03-05	not yet calculated	CVE-2022-46088 cve@mitre.org cve@mitre.org
N/A — N/A	Cross Site Scripting (XSS) vulnerability in the add-airline form of Online Flight Booking Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the airline parameter.	2024-03-07	not yet calculated	CVE-2022-46089 cve@mitre.org
N/A — N/A	Cross Site Scripting (XSS) vulnerability in the feedback form of Online Flight Booking Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the airline parameter.	2024-03-07	not yet calculated	CVE-2022-46091 cve@mitre.org
N/A — N/A	Hospital Management System 1.0 was discovered to contain a SQL injection vulnerability via the pat_number parameter at his_doc_view_single_patien.php.	2024-03-07	not yet calculated	CVE-2022-46497 cve@mitre.org
N/A — N/A	Hospital Management System 1.0 was discovered to contain a SQL injection vulnerability via the doc_number parameter at his_admin_view_single_employee.php.	2024-03-07	not yet calculated	CVE-2022-46498 cve@mitre.org
N/A — N/A	Hospital Management System 1.0 was discovered to contain a SQL injection vulnerability via the pat_number parameter at his_admin_view_single_patient.php.	2024-03-07	not yet calculated	CVE-2022-46499 cve@mitre.org
N/A — N/A	Sourcecodester Lost and Found Information System’s Version 1.0 is vulnerable to unauthenticated SQL Injection at “?page=items/view&id=*” which can be escalated to the remote command execution.	2024-03-07	not yet calculated	CVE-2023-33676 cve@mitre.org
N/A — N/A	Sourcecodester Lost and Found Information System’s Version 1.0 is vulnerable to unauthenticated SQL Injection at “?page=items/view&id=*”.	2024-03-06	not yet calculated	CVE-2023-33677 cve@mitre.org cve@mitre.org
N/A — N/A	An issue in Multilaser RE160V firmware v12.03.01.09_pt and Multilaser RE163V firmware v12.03.01.10_pt allows attackers to bypass the access control and gain complete access to the application via modifying a HTTP header.	2024-03-06	not yet calculated	CVE-2023-38944 cve@mitre.org
N/A — N/A	Multilaser RE160 v5.07.51_pt_MTL01 and v5.07.52_pt_MTL01, Multilaser RE160V v12.03.01.08_pt and V12.03.01.09_pt, and Multilaser RE163V v12.03.01.08_pt allows attackers to bypass the access control and gain complete access to the application via supplying a crafted URL.	2024-03-06	not yet calculated	CVE-2023-38945 cve@mitre.org
N/A — N/A	An issue in Multilaser RE160 firmware v5.07.51_pt_MTL01 and v5.07.52_pt_MTL01 allows attackers to bypass the access control and gain complete access to the application via supplying a crafted cookie.	2024-03-06	not yet calculated	CVE-2023-38946 cve@mitre.org
N/A — N/A	code-projects.org Online Job Portal 1.0 is vulnerable to SQL Injection via the Username parameter for “Employer.”	2024-03-07	not yet calculated	CVE-2023-41014 cve@mitre.org
N/A — N/A	code-projects.org Online Job Portal 1.0 is vulnerable to SQL Injection via /Employer/DeleteJob.php?JobId=1.	2024-03-07	not yet calculated	CVE-2023-41015 cve@mitre.org
N/A — N/A	Student Enrollment In PHP v1.0 was discovered to contain a SQL injection vulnerability via the Login function.	2024-03-07	not yet calculated	CVE-2023-41503 cve@mitre.org
N/A — N/A	TP-Link JetStream Smart Switch TL-SG2210P 5.0 Build 20211201 allows attackers to escalate privileges via modification of the ‘tid’ and ‘usrlvl’ values in GET requests.	2024-03-06	not yet calculated	CVE-2023-43318 cve@mitre.org cve@mitre.org
N/A — N/A	Heap-based Buffer Overflow vulnerability in gpac version 2.3-DEV-rev588-g7edc40fee-master, allows remote attackers to execute arbitrary code and cause a denial of service (DoS) via gf_fwrite component in at utils/os_file.c.	2024-03-09	not yet calculated	CVE-2023-46426 cve@mitre.org
N/A — N/A	An issue was discovered in gpac version 2.3-DEV-rev588-g7edc40fee-master, allows remote attackers to execute arbitrary code, cause a denial of service (DoS), and obtain sensitive information via null pointer deference in gf_dash_setup_period component in media_tools/dash_client.c.	2024-03-09	not yet calculated	CVE-2023-46427 cve@mitre.org
N/A — N/A	Cypress Solutions CTM-200 v2.7.1.5600 and below was discovered to contain an OS command injection vulnerability via the cli_text parameter.	2024-03-07	not yet calculated	CVE-2023-47415 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	An issue was discovered in the Archibus app 4.0.3 for iOS. There is an XSS vulnerability in the create work request feature of the maintenance module, via the description field. This allows an attacker to perform an action on behalf of the user, exfiltrate data, and so on.	2024-03-05	not yet calculated	CVE-2023-48644 cve@mitre.org
N/A — N/A	An issue was discovered in Newland Nquire 1000 Interactive Kiosk version NQ1000-II_G_V1.00.011, allows remote attackers to escalate privileges and bypass authentication via incorrect access control in the web management portal.	2024-03-09	not yet calculated	CVE-2023-49340 cve@mitre.org
N/A — N/A	An issue was discovered in Newland Nquire 1000 Interactive Kiosk version NQ1000-II_G_V1.00.011, allows remote attackers to obtain sensitive information via cleartext credential storage in backup.htm component.	2024-03-09	not yet calculated	CVE-2023-49341 cve@mitre.org
N/A — N/A	Customer Support System v1 was discovered to contain a SQL injection vulnerability via the email parameter at /customer_support/ajax.php.	2024-03-05	not yet calculated	CVE-2023-49546 cve@mitre.org cve@mitre.org
N/A — N/A	Customer Support System v1 was discovered to contain a SQL injection vulnerability via the username parameter at /customer_support/ajax.php?action=login.	2024-03-05	not yet calculated	CVE-2023-49547 cve@mitre.org cve@mitre.org
N/A — N/A	Customer Support System v1 was discovered to contain a SQL injection vulnerability via the lastname parameter at /customer_support/ajax.php?action=save_user.	2024-03-05	not yet calculated	CVE-2023-49548 cve@mitre.org cve@mitre.org
N/A — N/A	Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/manage_department.php.	2024-03-05	not yet calculated	CVE-2023-49968 cve@mitre.org cve@mitre.org
N/A — N/A	Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/index.php?page=edit_customer.	2024-03-05	not yet calculated	CVE-2023-49969 cve@mitre.org cve@mitre.org
N/A — N/A	Customer Support System v1 was discovered to contain a SQL injection vulnerability via the subject parameter at /customer_support/ajax.php?action=save_ticket.	2024-03-05	not yet calculated	CVE-2023-49970 cve@mitre.org cve@mitre.org
N/A — N/A	A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter at /customer_support/index.php?page=customer_list.	2024-03-06	not yet calculated	CVE-2023-49971 cve@mitre.org cve@mitre.org
N/A — N/A	A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email parameter at /customer_support/index.php?page=customer_list.	2024-03-06	not yet calculated	CVE-2023-49973 cve@mitre.org cve@mitre.org
N/A — N/A	A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the contact parameter at /customer_support/index.php?page=customer_list.	2024-03-06	not yet calculated	CVE-2023-49974 cve@mitre.org cve@mitre.org
N/A — N/A	A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the subject parameter at /customer_support/index.php?page=new_ticket.	2024-03-06	not yet calculated	CVE-2023-49976 cve@mitre.org cve@mitre.org
N/A — N/A	A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the address parameter at /customer_support/index.php?page=new_customer.	2024-03-06	not yet calculated	CVE-2023-49977 cve@mitre.org cve@mitre.org
N/A — N/A	A cross-site scripting (XSS) vulnerability in the component /admin/parent of School Fees Management System 1.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.	2024-03-07	not yet calculated	CVE-2023-49986 cve@mitre.org cve@mitre.org
N/A — N/A	A cross-site scripting (XSS) vulnerability in the component /management/term of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tname parameter.	2024-03-07	not yet calculated	CVE-2023-49987 cve@mitre.org cve@mitre.org
N/A — N/A	Hotel Booking Management v1.0 was discovered to contain a SQL injection vulnerability via the npss parameter at rooms.php.	2024-03-07	not yet calculated	CVE-2023-49988 cve@mitre.org cve@mitre.org
N/A — N/A	Hotel Booking Management v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at update.php.	2024-03-07	not yet calculated	CVE-2023-49989 cve@mitre.org cve@mitre.org
N/A — N/A	An issue was discovered in Grandstream GXP14XX 1.0.8.9 and GXP16XX 1.0.7.13, allows remote attackers to escalate privileges via incorrect access control using an end-user session-identity token.	2024-03-09	not yet calculated	CVE-2023-50015 cve@mitre.org
N/A — N/A	Cross Site Scripting vulnerability in Customer Support System v.1.0 allows a remote attacker to escalate privileges via a crafted script firstname, “lastname”, “middlename”, “contact” and address parameters.	2024-03-07	not yet calculated	CVE-2023-51281 cve@mitre.org cve@mitre.org
N/A — N/A	An issue was discovered in Lustre versions 2.13.x, 2.14.x, and 2.15.x before 2.15.4, allows attackers to escalate privileges and obtain sensitive information via Incorrect Access Control.	2024-03-07	not yet calculated	CVE-2023-51786 cve@mitre.org
N/A — N/A	TYPO3 before 13.0.1 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection vulnerability in form fields of the Install Tool. The fixed versions are 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, and 13.0.1.	2024-03-05	not yet calculated	CVE-2024-22188 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	Insecure permissions issue in EaseUS MobiMover 6.0.5 Build 21620 allows attackers to gain escalated privileges via use of crafted executable launched from the application installation directory.	2024-03-07	not yet calculated	CVE-2024-22752 cve@mitre.org
N/A — N/A	zlog 1.2.16 has a heap-based buffer overflow in struct zlog_rule_s while creating a new rule that is already defined in the provided configuration file. A regular user can achieve arbitrary code execution.	2024-03-07	not yet calculated	CVE-2024-22857 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	Due to incorrect access control in Plone version v6.0.9, remote attackers can view and list all files hosted on the website via sending a crafted request.	2024-03-06	not yet calculated	CVE-2024-22889 cve@mitre.org
N/A — N/A	Cross Site Scripting (XSS) vulnerability in Setor Informatica SIL 3.1 allows attackers to run arbitrary code via the hmessage parameter.	2024-03-07	not yet calculated	CVE-2024-24035 cve@mitre.org
N/A — N/A	Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection via the News Feed.	2024-03-05	not yet calculated	CVE-2024-24098 cve@mitre.org cve@mitre.org
N/A — N/A	Cross Site Scripting vulnerability in Teamwire Windows desktop client v.2.0.1 through v.2.4.0 allows a remote attacker to obtain sensitive information via a crafted payload to the global search function.	2024-03-05	not yet calculated	CVE-2024-24275 cve@mitre.org
N/A — N/A	Cross Site Scripting (XSS) vulnerability in Teamwire Windows desktop client v.2.0.1 through v.2.4.0 allows a remote attacker to obtain sensitive information via a crafted payload to the chat name, message preview, username and group name components.	2024-03-05	not yet calculated	CVE-2024-24276 cve@mitre.org
N/A — N/A	An issue in Teamwire Windows desktop client v.2.0.1 through v.2.4.0 allows a remote attacker to obtain sensitive information via a crafted payload to the message function.	2024-03-05	not yet calculated	CVE-2024-24278 cve@mitre.org
N/A — N/A	An issue was discovered in Tunis Soft “Product Designer” (productdesigner) module for PrestaShop before version 1.178.36, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the postProcess() method.	2024-03-03	not yet calculated	CVE-2024-24302 cve@mitre.org
N/A — N/A	Path Traversal vulnerability in Tunis Soft “Product Designer” (productdesigner) module for PrestaShop before version 1.178.36, allows a remote attacker to escalate privileges and obtain sensitive information via the ajaxProcessCropImage() method.	2024-03-03	not yet calculated	CVE-2024-24307 cve@mitre.org
N/A — N/A	SQL injection vulnerability in Jfinalcms v.5.0.0 allows a remote attacker to obtain sensitive information via /admin/admin name parameter.	2024-03-07	not yet calculated	CVE-2024-24375 cve@mitre.org
N/A — N/A	A cross-site scripting (XSS) vulnerability in XunRuiCMS up to v4.6.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Add Column Name parameter.	2024-03-07	not yet calculated	CVE-2024-24389 cve@mitre.org
N/A — N/A	iA Path Traversal vulnerability exists in iDURAR v2.0.0, that allows unauthenticated attackers to expose sensitive files via the download functionality.	2024-03-05	not yet calculated	CVE-2024-25164 cve@mitre.org cve@mitre.org
N/A — N/A	libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.	2024-03-05	not yet calculated	CVE-2024-25269 cve@mitre.org
N/A — N/A	Cross Site Scripting (XSS) vulnerability in Justice Systems FullCourt Enterprise v.8.2 allows a remote attacker to execute arbitrary code via the formatCaseNumber parameter of the Citation search function.	2024-03-08	not yet calculated	CVE-2024-25327 cve@mitre.org
N/A — N/A	An issue WinMail v.7.1 and v.5.1 and before allows a remote attacker to execute arbitrary code via a crafted script to the email parameter.	2024-03-09	not yet calculated	CVE-2024-25501 cve@mitre.org
N/A — N/A	Cross Site Scripting (XSS) vulnerability in sourcecodester Simple Student Attendance System v1.0 allows attackers to execute arbitrary code via crafted GET request to web application URL.	2024-03-03	not yet calculated	CVE-2024-25551 cve@mitre.org
N/A — N/A	Arris SBG6580 devices have predictable default WPA2 security passwords that could lead to unauthorized remote access. (They use the first 6 characters of the SSID and the last 6 characters of the BSSID, decrementing the last octet.)	2024-03-08	not yet calculated	CVE-2024-25729 cve@mitre.org cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	The Elink Smart eSmartCam (com.cn.dq.ipc) application 2.1.5 for Android contains hardcoded AES encryption keys that can be extracted from a binary file. Thus, encryption can be defeated by an attacker who can observe packet data (e.g., over Wi-Fi).	2024-03-05	not yet calculated	CVE-2024-25731 cve@mitre.org cve@mitre.org
N/A — N/A	Buffer Overflow vulnerability in eza before version 0.18.2, allows local attackers to execute arbitrary code via the .git/HEAD, .git/refs, and .git/objects components.	2024-03-06	not yet calculated	CVE-2024-25817 cve@mitre.org cve@mitre.org
N/A — N/A	An issue was discovered in Webbax “Super Newsletter” (supernewsletter) module for PrestaShop versions 1.4.21 and before, allows local attackers to escalate privileges and obtain sensitive information.	2024-03-03	not yet calculated	CVE-2024-25839 cve@mitre.org
N/A — N/A	An issue was discovered in Presta World “Account Manager – Sales Representative & Dealers – CRM” (prestasalesmanager) module for PrestaShop before version 9.0, allows remote attackers to escalate privilege and obtain sensitive information via the uploadLogo() and postProcess methods.	2024-03-03	not yet calculated	CVE-2024-25842 cve@mitre.org
N/A — N/A	An issue was discovered in Common-Services “So Flexibilite” (soflexibilite) module for PrestaShop before version 4.1.26, allows remote attackers to escalate privileges and obtain sensitive information via debug file.	2024-03-03	not yet calculated	CVE-2024-25844 cve@mitre.org
N/A — N/A	In the module “CD Custom Fields 4 Orders” (cdcustomfields4orders) <= 1.0.0 from Cleanpresta.com for PrestaShop, a guest can perform SQL injection in affected versions.	2024-03-08	not yet calculated	CVE-2024-25845 cve@mitre.org cve@mitre.org
N/A — N/A	SQL Injection vulnerability in MyPrestaModules “Product Catalog (CSV, Excel) Import” (simpleimportproduct) modules for PrestaShop versions 6.5.0 and before, allows attackers to escalate privileges and obtain sensitive information via Send::__construct() and importProducts::_addDataToDb methods.	2024-03-03	not yet calculated	CVE-2024-25847 cve@mitre.org
N/A — N/A	In the module “Ever Ultimate SEO” (everpsseo) <= 8.1.2 from Team Ever for PrestaShop, a guest can perform SQL injection in affected versions.	2024-03-08	not yet calculated	CVE-2024-25848 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	In the module “Make an offer” (makeanoffer) <= 1.7.1 from PrestaToolKit for PrestaShop, a guest can perform SQL injection via MakeOffers::checkUserExistingOffer()` and `MakeOffers::addUserOffer()` .	2024-03-08	not yet calculated	CVE-2024-25849 cve@mitre.org cve@mitre.org
N/A — N/A	In Foxit PDF Reader before 2024.1 and PDF Editor before 2024.1, code execution via JavaScript could occur because of an unoptimized prompt message for users to review parameters of commands.	2024-03-05	not yet calculated	CVE-2024-25858 cve@mitre.org
N/A — N/A	swftools v0.9.2 was discovered to contain a segmentation violation via the function free_lines at swftools/lib/modules/swfshape.c.	2024-03-05	not yet calculated	CVE-2024-26333 cve@mitre.org
N/A — N/A	swftools v0.9.2 was discovered to contain a segmentation violation via the function compileSWFActionCode at swftools/lib/action/actioncompiler.c.	2024-03-05	not yet calculated	CVE-2024-26334 cve@mitre.org
N/A — N/A	swftools v0.9.2 was discovered to contain a segmentation violation via the function state_free at swftools/src/swfc-history.c.	2024-03-05	not yet calculated	CVE-2024-26335 cve@mitre.org
N/A — N/A	swftools v0.9.2 was discovered to contain a segmentation violation via the function s_font at swftools/src/swfc.c.	2024-03-05	not yet calculated	CVE-2024-26337 cve@mitre.org
N/A — N/A	swftools v0.9.2 was discovered to contain a strcpy parameter overlap via /home/swftools/src/swfc+0x48318a.	2024-03-05	not yet calculated	CVE-2024-26339 cve@mitre.org
N/A — N/A	Server-Side Request Forgery (SSRF) vulnerability in Tunis Soft “Product Designer” (productdesigner) module for PrestaShop before version 1.178.36, allows remote attackers to cause a denial of service (DoS) and escalate privileges via the url parameter in the postProcess() method.	2024-03-03	not yet calculated	CVE-2024-26469 cve@mitre.org
N/A — N/A	An issue in Online Diagnostic Lab Management System 1.0 allows a remote attacker to gain control of a ‘Staff’ user account via a crafted POST request using the id, email, password, and cpass parameters.	2024-03-07	not yet calculated	CVE-2024-26492 cve@mitre.org cve@mitre.org
N/A — N/A	An issue in Cute Http File Server v.3.1 allows a remote attacker to escalate privileges via the password verification component.	2024-03-07	not yet calculated	CVE-2024-26566 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.	2024-03-04	not yet calculated	CVE-2024-26622 416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A — N/A	A Server-Side Request Forgery (SSRF) in the installUpdateThemePluginAction function of WonderCMS v3.1.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the installThemePlugin parameter.	2024-03-05	not yet calculated	CVE-2024-27561 cve@mitre.org
N/A — N/A	A Server-Side Request Forgery (SSRF) in the getFileFromRepo function of WonderCMS v3.1.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter.	2024-03-05	not yet calculated	CVE-2024-27563 cve@mitre.org
N/A — N/A	A Server-Side Request Forgery (SSRF) in pictureproxy.php of ChatGPT commit f9f4bbc allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the urlparameter.	2024-03-05	not yet calculated	CVE-2024-27564 cve@mitre.org
N/A — N/A	A Server-Side Request Forgery (SSRF) in weixin.php of ChatGPT-wechat-personal commit a0857f6 allows attackers to force the application to make arbitrary requests.	2024-03-05	not yet calculated	CVE-2024-27565 cve@mitre.org
N/A — N/A	Numbas editor before 7.3 mishandles editing of themes and extensions.	2024-03-08	not yet calculated	CVE-2024-27612 cve@mitre.org cve@mitre.org
N/A — N/A	Numbas editor before 7.3 mishandles reading of themes and extensions.	2024-03-08	not yet calculated	CVE-2024-27613 cve@mitre.org cve@mitre.org
N/A — N/A	A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19. This vulnerability arises from inadequate sanitization of user-supplied input in the ‘Code’ section of the module. As a result, authenticated users with administrative privileges can inject and execute arbitrary PHP code.	2024-03-05	not yet calculated	CVE-2024-27622 cve@mitre.org
N/A — N/A	CMS Made Simple version 2.2.19 is vulnerable to Server-Side Template Injection (SSTI). The vulnerability exists within the Design Manager, particularly when editing the Breadcrumbs.	2024-03-05	not yet calculated	CVE-2024-27623 cve@mitre.org
N/A — N/A	CMS Made Simple Version 2.2.19 is vulnerable to Cross Site Scripting (XSS). This vulnerability resides in the File Manager module of the admin panel. Specifically, the issue arises due to inadequate sanitization of user input in the “New directory” field.	2024-03-05	not yet calculated	CVE-2024-27625 cve@mitre.org
N/A — N/A	A reflected cross-site scripting (XSS) vulnerability exists in SuperCali version 1.1.0, allowing remote attackers to execute arbitrary JavaScript code via the email parameter in the bad_password.php page.	2024-03-05	not yet calculated	CVE-2024-27627 cve@mitre.org
N/A — N/A	Flusity-CMS v2.33 is affected by: Cross Site Scripting (XSS) in ‘Custom Blocks.’	2024-03-04	not yet calculated	CVE-2024-27668 cve@mitre.org
N/A — N/A	Flusity-CMS v2.33 is vulnerable to Cross Site Scripting (XSS) in the “Contact form.”	2024-03-04	not yet calculated	CVE-2024-27680 cve@mitre.org
N/A — N/A	A Cross-site scripting (XSS) vulnerability in dlapn.cgi, dldongle.cgi, dlcfg.cgi, fwup.cgi and seama.cgi in D-Link GORTAC750_A1_FW_v101b03 allows remote attackers to inject arbitrary web script or HTML via the url parameter.	2024-03-04	not yet calculated	CVE-2024-27684 cve@mitre.org cve@mitre.org
N/A — N/A	FlyCms v1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the /system/share/ztree_category_edit.	2024-03-04	not yet calculated	CVE-2024-27694 cve@mitre.org
N/A — N/A	Server Side Request Forgery (SSRF) vulnerability in hcengineering Huly Platform v.0.6.202 allows attackers to run arbitrary code via upload of crafted SVG file.	2024-03-07	not yet calculated	CVE-2024-27707 cve@mitre.org
N/A — N/A	SQL Injection vulnerability in Baizhuo Network Smart s200 Management Platform v.S200 allows a local attacker to obtain sensitive information and escalate privileges via the /importexport.php component.	2024-03-05	not yet calculated	CVE-2024-27718 cve@mitre.org
N/A — N/A	File Upload vulnerability in Byzro Network Smart s42 Management Platform v.S42 allows a local attacker to execute arbitrary code via the useratte/userattestation.php component.	2024-03-07	not yet calculated	CVE-2024-27733 cve@mitre.org
N/A — N/A	An issue in Jeewms v.3.7 and before allows a remote attacker to escalate privileges via the AuthInterceptor component.	2024-03-05	not yet calculated	CVE-2024-27764 cve@mitre.org
N/A — N/A	Directory Traversal vulnerability in Jeewms v.3.7 and before allows a remote attacker to obtain sensitive information via the cgformTemplateController component.	2024-03-05	not yet calculated	CVE-2024-27765 cve@mitre.org
N/A — N/A	p2putil.c in iNet wireless daemon (IWD) through 2.15 allows attackers to cause a denial of service (daemon crash) or possibly have unspecified other impact because of initialization issues in situations where parsing of advertised service information fails.	2024-03-03	not yet calculated	CVE-2024-28084 cve@mitre.org cve@mitre.org
N/A — N/A	LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution.	2024-03-04	not yet calculated	CVE-2024-28088 cve@mitre.org cve@mitre.org
N/A — N/A	Hitron CODA-4582 2AHKM-CODA4589 7.2.4.5.1b8 devices allow a remote attacker within Wi-Fi proximity (who has access to the router admin panel) to conduct a DOM-based stored XSS attack that can fetch remote resources. The payload is executed at index.html#advanced_location (aka the Device Location page). This can cause a denial of service or lead to information disclosure.	2024-03-09	not yet calculated	CVE-2024-28089 cve@mitre.org cve@mitre.org cve@mitre.org
N/A — N/A	RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to read the /etc/passwd file via a crafted request.	2024-03-09	not yet calculated	CVE-2024-28753 cve@mitre.org
N/A — N/A	RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to cause a persistent denial of service (bricking) via a crafted request.	2024-03-09	not yet calculated	CVE-2024-28754 cve@mitre.org
apache_software_foundation — apache_inlong	Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong’s 1.11.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9673	2024-03-06	not yet calculated	CVE-2024-26580 security@apache.org
apache_software_foundation — apache_linkis_datasource	In Apache Linkis <=1.4.0, The password is printed to the log when using the Oracle data source of the Linkis data source module. We recommend users upgrade the version of Linkis to version 1.5.0	2024-03-06	not yet calculated	CVE-2023-50740 security@apache.org
apple — ios_and_ipados	A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Monterey 12.7.4, watchOS 10.3, tvOS 17.3, macOS Ventura 13.6.5, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3. An app may be able to cause a denial-of-service.	2024-03-08	not yet calculated	CVE-2024-23201 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — ios_and_ipados	A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4. An app may be able to access sensitive user data.	2024-03-08	not yet calculated	CVE-2024-23205 product-security@apple.com product-security@apple.com
apple — ios_and_ipados	A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.6.5, macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6. An app may be able to access user-sensitive data.	2024-03-08	not yet calculated	CVE-2024-23231 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — ios_and_ipados	The issue was addressed with improved checks. This issue is fixed in iOS 17.4 and iPadOS 17.4. Shake-to-undo may allow a deleted photo to be re-surfaced without authentication.	2024-03-08	not yet calculated	CVE-2024-23240 product-security@apple.com
apple — ios_and_ipados	A privacy issue was addressed by not logging contents of text fields. This issue is fixed in macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4. An app may be able to view Mail data.	2024-03-08	not yet calculated	CVE-2024-23242 product-security@apple.com product-security@apple.com
apple — ios_and_ipados	A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in iOS 17.4 and iPadOS 17.4. An app may be able to read sensitive location information.	2024-03-05	not yet calculated	CVE-2024-23243 product-security@apple.com
apple — ios_and_ipados	The issue was addressed with improved memory handling. This issue is fixed in Safari 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. Processing web content may lead to a denial-of-service.	2024-03-08	not yet calculated	CVE-2024-23252 product-security@apple.com product-security@apple.com product-security@apple.com
apple — ios_and_ipados	An authentication issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4. Photos in the Hidden Photos Album may be viewed without authentication.	2024-03-08	not yet calculated	CVE-2024-23255 product-security@apple.com product-security@apple.com
apple — ios_and_ipados	A logic issue was addressed with improved state management. This issue is fixed in iOS 17.4 and iPadOS 17.4. A user’s locked tabs may be briefly visible while switching tab groups when Locked Private Browsing is enabled.	2024-03-05	not yet calculated	CVE-2024-23256 product-security@apple.com
apple — ios_and_ipados	The issue was addressed with improved checks. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. Processing web content may lead to a denial-of-service.	2024-03-08	not yet calculated	CVE-2024-23259 product-security@apple.com product-security@apple.com product-security@apple.com
apple — ios_and_ipados	This issue was addressed through improved state management. This issue is fixed in Safari 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. Private Browsing tabs may be accessed without authentication.	2024-03-08	not yet calculated	CVE-2024-23273 product-security@apple.com product-security@apple.com product-security@apple.com
apple — ios_and_ipados	The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4. An attacker in a privileged network position may be able to inject keystrokes by spoofing a keyboard.	2024-03-08	not yet calculated	CVE-2024-23277 product-security@apple.com product-security@apple.com
apple — ios_and_ipados	A privacy issue was addressed with improved handling of temporary files. This issue is fixed in macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4, watchOS 10.4. An app may be able to access user-sensitive data.	2024-03-08	not yet calculated	CVE-2024-23287 product-security@apple.com product-security@apple.com product-security@apple.com
apple — ios_and_ipados	A lock screen issue was addressed with improved state management. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, watchOS 10.4. A person with physical access to a device may be able to use Siri to access private calendar information.	2024-03-08	not yet calculated	CVE-2024-23289 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — ios_and_ipados	This issue was addressed with improved data protection. This issue is fixed in macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4. An app may be able to access information about a user’s contacts.	2024-03-08	not yet calculated	CVE-2024-23292 product-security@apple.com product-security@apple.com
apple — macos	This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, macOS Monterey 12.7.4, macOS Sonoma 14.1, macOS Ventura 13.6.5. An app may be able to access sensitive user data.	2024-03-08	not yet calculated	CVE-2023-28826 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	A path handling issue was addressed with improved validation. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to overwrite arbitrary files.	2024-03-08	not yet calculated	CVE-2024-23216 product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to read sensitive location information.	2024-03-08	not yet calculated	CVE-2024-23227 product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	This issue was addressed with improved file handling. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to access sensitive user data.	2024-03-08	not yet calculated	CVE-2024-23230 product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	A privacy issue was addressed with improved handling of temporary files. This issue is fixed in macOS Sonoma 14.4. An app may be able to capture a user’s screen.	2024-03-08	not yet calculated	CVE-2024-23232 product-security@apple.com
apple — macos	This issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.4. Entitlements and privacy permissions granted to this app may be used by a malicious app.	2024-03-08	not yet calculated	CVE-2024-23233 product-security@apple.com
apple — macos	An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to execute arbitrary code with kernel privileges.	2024-03-08	not yet calculated	CVE-2024-23234 product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	An access issue was addressed with improved access restrictions. This issue is fixed in macOS Sonoma 14.4. An app may be able to edit NVRAM variables.	2024-03-08	not yet calculated	CVE-2024-23238 product-security@apple.com
apple — macos	A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4. An app from a standard user account may be able to escalate privilege after admin user login.	2024-03-08	not yet calculated	CVE-2024-23244 product-security@apple.com product-security@apple.com
apple — macos	This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. Third-party shortcuts may use a legacy action from Automator to send events to apps without user consent.	2024-03-08	not yet calculated	CVE-2024-23245 product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. Processing a file may lead to unexpected app termination or arbitrary code execution.	2024-03-08	not yet calculated	CVE-2024-23247 product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.4. Processing a file may lead to a denial-of-service or potentially disclose memory contents.	2024-03-08	not yet calculated	CVE-2024-23248 product-security@apple.com
apple — macos	The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.4. Processing a file may lead to a denial-of-service or potentially disclose memory contents.	2024-03-08	not yet calculated	CVE-2024-23249 product-security@apple.com
apple — macos	A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.4. An app may be able to access a user’s Photos Library.	2024-03-08	not yet calculated	CVE-2024-23253 product-security@apple.com
apple — macos	This issue was addressed by removing additional entitlements. This issue is fixed in macOS Sonoma 14.4. An app may be able to access user-sensitive data.	2024-03-08	not yet calculated	CVE-2024-23260 product-security@apple.com
apple — macos	The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to modify protected parts of the file system.	2024-03-08	not yet calculated	CVE-2024-23266 product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to bypass certain Privacy preferences.	2024-03-08	not yet calculated	CVE-2024-23267 product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	An injection issue was addressed with improved input validation. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to elevate privileges.	2024-03-08	not yet calculated	CVE-2024-23268 product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to modify protected parts of the file system.	2024-03-08	not yet calculated	CVE-2024-23269 product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. A user may gain access to protected parts of the file system.	2024-03-08	not yet calculated	CVE-2024-23272 product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	An injection issue was addressed with improved input validation. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to elevate privileges.	2024-03-08	not yet calculated	CVE-2024-23274 product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	A race condition was addressed with additional validation. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to access protected user data.	2024-03-08	not yet calculated	CVE-2024-23275 product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to elevate privileges.	2024-03-08	not yet calculated	CVE-2024-23276 product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.4. An app may be able to access user-sensitive data.	2024-03-08	not yet calculated	CVE-2024-23279 product-security@apple.com
apple — macos	This issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.4. An app may be able to access sensitive user data.	2024-03-08	not yet calculated	CVE-2024-23281 product-security@apple.com
apple — macos	A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, macOS Monterey 12.7.4, macOS Sonoma 14.4, macOS Ventura 13.6.5. An app may be able to access user-sensitive data.	2024-03-08	not yet calculated	CVE-2024-23283 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — macos	This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sonoma 14.4. An app may be able to create symlinks to protected regions of the disk.	2024-03-08	not yet calculated	CVE-2024-23285 product-security@apple.com
apple — macos	This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sonoma 14.4. Processing malicious input may lead to code execution.	2024-03-08	not yet calculated	CVE-2024-23294 product-security@apple.com
apple — tvos	The issue was addressed with improved memory handling. This issue is fixed in tvOS 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, watchOS 10.4. An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges.	2024-03-08	not yet calculated	CVE-2024-0258 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — tvos	A race condition was addressed with improved state handling. This issue is fixed in tvOS 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, watchOS 10.4. An app may be able to leak sensitive user information.	2024-03-08	not yet calculated	CVE-2024-23239 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — tvos	This issue was addressed through improved state management. This issue is fixed in tvOS 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. An app may be able to leak sensitive user information.	2024-03-08	not yet calculated	CVE-2024-23241 product-security@apple.com product-security@apple.com product-security@apple.com
apple — tvos	An access issue was addressed with improved access restrictions. This issue is fixed in tvOS 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, watchOS 10.4. An app may be able to access Bluetooth-connected microphones without user permission.	2024-03-08	not yet calculated	CVE-2024-23250 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — tvos	The issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.7.4, macOS Ventura 13.6.5, macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4, tvOS 17.4. An app may be able to execute arbitrary code with kernel privileges.	2024-03-08	not yet calculated	CVE-2024-23270 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — tvos	The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.5, macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An app may be able to break out of its sandbox.	2024-03-08	not yet calculated	CVE-2024-23278 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — tvos	An injection issue was addressed with improved validation. This issue is fixed in Safari 17.4, macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4, watchOS 10.4, tvOS 17.4. A maliciously crafted webpage may be able to fingerprint the user.	2024-03-08	not yet calculated	CVE-2024-23280 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — tvos	This issue was addressed by removing the vulnerable code. This issue is fixed in tvOS 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, watchOS 10.4. An app may be able to elevate privileges.	2024-03-08	not yet calculated	CVE-2024-23288 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — tvos	A logic issue was addressed with improved restrictions. This issue is fixed in tvOS 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, watchOS 10.4. An app may be able to access user-sensitive data.	2024-03-08	not yet calculated	CVE-2024-23290 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — tvos	A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in tvOS 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, watchOS 10.4. A malicious app may be able to observe user data in log entries related to accessibility notifications.	2024-03-08	not yet calculated	CVE-2024-23291 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — tvos	This issue was addressed through improved state management. This issue is fixed in tvOS 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, watchOS 10.4. An attacker with physical access may be able to use Siri to access sensitive user data.	2024-03-08	not yet calculated	CVE-2024-23293 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — tvos	The issue was addressed with improved checks. This issue is fixed in tvOS 17.4, iOS 17.4 and iPadOS 17.4, watchOS 10.4. A malicious application may be able to access private information.	2024-03-08	not yet calculated	CVE-2024-23297 product-security@apple.com product-security@apple.com product-security@apple.com
apple — visionos	The issue was addressed with improved handling of caches. This issue is fixed in visionOS 1.1, iOS 17.4 and iPadOS 17.4. An app may be able to fingerprint the user.	2024-03-08	not yet calculated	CVE-2024-23220 product-security@apple.com product-security@apple.com
apple — visionos	The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, tvOS 17.4. Processing web content may lead to arbitrary code execution.	2024-03-08	not yet calculated	CVE-2024-23226 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — visionos	A race condition was addressed with additional validation. This issue is fixed in macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An app may be able to access user-sensitive data.	2024-03-08	not yet calculated	CVE-2024-23235 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — visionos	This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An app may be able to break out of its sandbox.	2024-03-08	not yet calculated	CVE-2024-23246 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — visionos	The issue was addressed with improved UI handling. This issue is fixed in tvOS 17.4, macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, Safari 17.4. A malicious website may exfiltrate audio data cross-origin.	2024-03-08	not yet calculated	CVE-2024-23254 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — visionos	The issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.7.4, macOS Ventura 13.6.5, macOS Sonoma 14.4, visionOS 1.1, iOS 16.7.6 and iPadOS 16.7.6. Processing an image may result in disclosure of process memory.	2024-03-08	not yet calculated	CVE-2024-23257 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — visionos	An out-of-bounds read was addressed with improved input validation. This issue is fixed in visionOS 1.1, macOS Sonoma 14.4. Processing an image may lead to arbitrary code execution.	2024-03-08	not yet calculated	CVE-2024-23258 product-security@apple.com product-security@apple.com
apple — visionos	This issue was addressed with additional entitlement checks. This issue is fixed in visionOS 1.1, iOS 17.4 and iPadOS 17.4, iOS 16.7.6 and iPadOS 16.7.6. An app may be able to spoof system notifications and UI.	2024-03-08	not yet calculated	CVE-2024-23262 product-security@apple.com product-security@apple.com product-security@apple.com
apple — visionos	A logic issue was addressed with improved validation. This issue is fixed in tvOS 17.4, macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, Safari 17.4. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.	2024-03-08	not yet calculated	CVE-2024-23263 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — visionos	A validation issue was addressed with improved input sanitization. This issue is fixed in macOS Monterey 12.7.4, macOS Ventura 13.6.5, macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An application may be able to read restricted memory.	2024-03-08	not yet calculated	CVE-2024-23264 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — visionos	A memory corruption vulnerability was addressed with improved locking. This issue is fixed in macOS Monterey 12.7.4, macOS Ventura 13.6.5, macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An app may be able to cause unexpected system termination or write kernel memory.	2024-03-08	not yet calculated	CVE-2024-23265 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — visionos	A logic issue was addressed with improved state management. This issue is fixed in tvOS 17.4, macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, Safari 17.4. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.	2024-03-08	not yet calculated	CVE-2024-23284 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — visionos	A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.7.4, macOS Ventura 13.6.5, macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. Processing an image may lead to arbitrary code execution.	2024-03-08	not yet calculated	CVE-2024-23286 product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com product-security@apple.com
apple — visionos	A permissions issue was addressed to help ensure Personas are always protected This issue is fixed in visionOS 1.1. An unauthenticated user may be able to use an unprotected Persona.	2024-03-08	not yet calculated	CVE-2024-23295 product-security@apple.com
arm_ltd — midgard_gpu_kernel_driver	Use After Free vulnerability in Arm Ltd Midgard GPU Kernel Driver, Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to exploit a software race condition to perform improper memory processing operations. If the system’s memory is carefully prepared by the user and the system is under heavy load, then this in turn cause a use-after-free.This issue affects Midgard GPU Kernel Driver: from r13p0 through r32p0; Bifrost GPU Kernel Driver: from r1p0 through r18p0; Valhall GPU Kernel Driver: from r37p0 through r46p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r46p0.	2024-03-04	not yet calculated	CVE-2023-6143 arm-security@arm.com
arm_ltd — midgard_gpu_kernel_driver	Use After Free vulnerability in Arm Ltd Midgard GPU Kernel Driver, Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to exploit a software race condition to perform improper memory processing operations. If the system’s memory is carefully prepared by the user, then this in turn cause a use-after-free.This issue affects Midgard GPU Kernel Driver: from r13p0 through r32p0; Bifrost GPU Kernel Driver: from r11p0 through r25p0; Valhall GPU Kernel Driver: from r19p0 through r25p0, from r29p0 through r46p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r46p0.	2024-03-04	not yet calculated	CVE-2023-6241 arm-security@arm.com
artica_tech — artica_proxy	The “Rich Filemanager” feature of Artica Proxy provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user.	2024-03-05	not yet calculated	CVE-2024-2055 cve@takeonme.org cve@takeonme.org
artica_tech — artica_proxy	Services that are running and bound to the loopback interface on the Artica Proxy are accessible through the proxy service. In particular, the “tailon” service is running, running as the root user, is bound to the loopback interface, and is listening on TCP port 7050. Security issues associated with exposing this network service are documented at gvalkov’s ‘tailon’ GitHub repo. Using the tailon service, the contents of any file on the Artica Proxy can be viewed.	2024-03-05	not yet calculated	CVE-2024-2056 cve@takeonme.org cve@takeonme.org cve@takeonme.org
devolutions — server	Improper privilege management in Just-in-time (JIT) elevation module in Devolutions Server 2023.3.14.0 and earlier allows a user to continue using the elevated privilege even after the expiration under specific circumstances	2024-03-05	not yet calculated	CVE-2024-1764 security@devolutions.net
devolutions — server	Improper access control in the notification feature in Devolutions Server 2023.3.14.0 and earlier allows a low privileged user to change notifications settings configured by an administrator.	2024-03-05	not yet calculated	CVE-2024-1898 security@devolutions.net
devolutions — server	Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows an authenticated user via an identity provider to stay authenticated after his user is disabled or deleted in the identity provider such as Okta or Microsoft O365. The user will stay authenticated until the Devolutions Server token expiration.	2024-03-05	not yet calculated	CVE-2024-1900 security@devolutions.net
devolutions — server	Denial of service in PAM password rotation during the check-in process in Devolutions Server 2023.3.14.0 allows an authenticated user with specific PAM permissions to make PAM credentials unavailable.	2024-03-05	not yet calculated	CVE-2024-1901 security@devolutions.net
devolutions — workspace	Improper access control in the user interface in Devolutions Workspace 2024.1.0 and earlier allows an authenticated user to perform unintended actions via specific permissions	2024-03-07	not yet calculated	CVE-2024-2241 security@devolutions.net
go_standard_library — crypto/x509	Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.	2024-03-05	not yet calculated	CVE-2024-24783 security@golang.org security@golang.org security@golang.org security@golang.org
go_standard_library — html/template	If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.	2024-03-05	not yet calculated	CVE-2024-24785 security@golang.org security@golang.org security@golang.org security@golang.org
go_standard_library — net/http	When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as “Authorization” or “Cookie”. For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.	2024-03-05	not yet calculated	CVE-2023-45289 security@golang.org security@golang.org security@golang.org security@golang.org
go_standard_library — net/mail	The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.	2024-03-05	not yet calculated	CVE-2024-24784 security@golang.org security@golang.org security@golang.org security@golang.org
go_standard_library — net/textproto	When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.	2024-03-05	not yet calculated	CVE-2023-45290 security@golang.org security@golang.org security@golang.org security@golang.org
google — chrome	Out of bounds memory access in V8 in Google Chrome prior to 122.0.6261.111 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)	2024-03-06	not yet calculated	CVE-2024-2173 chrome-cve-admin@google.com chrome-cve-admin@google.com
google — chrome	Inappropriate implementation in V8 in Google Chrome prior to 122.0.6261.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)	2024-03-06	not yet calculated	CVE-2024-2174 chrome-cve-admin@google.com chrome-cve-admin@google.com
google — chrome	Use after free in FedCM in Google Chrome prior to 122.0.6261.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)	2024-03-06	not yet calculated	CVE-2024-2176 chrome-cve-admin@google.com chrome-cve-admin@google.com
google.golang.org/protobuf — google.golang.org/protobuf/encoding/protojson	The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.	2024-03-05	not yet calculated	CVE-2024-24786 security@golang.org security@golang.org
jenkins_project — jenkins_appspider_plugin	Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names.	2024-03-06	not yet calculated	CVE-2024-28155 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_bitbucket_branch_source_plugin	In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy “Forks in the same account” allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.	2024-03-06	not yet calculated	CVE-2024-28152 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_build_monitor_view_plugin	Jenkins Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape Build Monitor View names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure Build Monitor Views.	2024-03-06	not yet calculated	CVE-2024-28156 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_delphix_plugin	In Jenkins Delphix Plugin 3.0.1, a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections is disabled by default.	2024-03-06	not yet calculated	CVE-2024-28161 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_delphix_plugin	In Jenkins Delphix Plugin 3.0.1 through 3.1.0 (both inclusive) a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections fails to take effect until Jenkins is restarted when switching from disabled validation to enabled validation.	2024-03-06	not yet calculated	CVE-2024-28162 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_docker-build-step_plugin	A cross-site request forgery (CSRF) vulnerability in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions.	2024-03-06	not yet calculated	CVE-2024-2215 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_docker-build-step_plugin	A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions.	2024-03-06	not yet calculated	CVE-2024-2216 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_gitbucket_plugin	Jenkins GitBucket Plugin 0.8 and earlier does not sanitize Gitbucket URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.	2024-03-06	not yet calculated	CVE-2024-28157 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_html_publisher_plugin	Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins controller file system exists.	2024-03-06	not yet calculated	CVE-2024-28149 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_html_publisher_plugin	Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.	2024-03-06	not yet calculated	CVE-2024-28150 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_html_publisher_plugin	Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller, allowing attackers with Item/Configure permission to determine whether a path on the Jenkins controller file system exists, without being able to access it.	2024-03-06	not yet calculated	CVE-2024-28151 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_icescrum_plugin	Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.	2024-03-06	not yet calculated	CVE-2024-28160 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_mq_notifier_plugin	Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default.	2024-03-06	not yet calculated	CVE-2024-28154 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_owasp_dependency-check_plugin	Jenkins OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports, resulting in a stored cross-site scripting (XSS) vulnerability.	2024-03-06	not yet calculated	CVE-2024-28153 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_subversion_partial_release_manager_plugin	A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers to trigger a build.	2024-03-06	not yet calculated	CVE-2024-28158 jenkinsci-cert@googlegroups.com
jenkins_project — jenkins_subversion_partial_release_manager_plugin	A missing permission check in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers with Item/Read permission to trigger a build.	2024-03-06	not yet calculated	CVE-2024-28159 jenkinsci-cert@googlegroups.com
linux — linux	In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix incorrect structure access In line: upper = info->upper_dev; We access upper_dev field, which is related only for particular events (e.g. event == NETDEV_CHANGEUPPER). So, this line cause invalid memory access for another events, when ptr is not netdev_notifier_changeupper_info. The KASAN logs are as follows: [ 30.123165] BUG: KASAN: stack-out-of-bounds in prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera] [ 30.133336] Read of size 8 at addr ffff80000cf772b0 by task udevd/778 [ 30.139866] [ 30.141398] CPU: 0 PID: 778 Comm: udevd Not tainted 5.16.0-rc3 #6 [ 30.147588] Hardware name: DNI AmazonGo1 A7040 board (DT) [ 30.153056] Call trace: [ 30.155547] dump_backtrace+0x0/0x2c0 [ 30.159320] show_stack+0x18/0x30 [ 30.162729] dump_stack_lvl+0x68/0x84 [ 30.166491] print_address_description.constprop.0+0x74/0x2b8 [ 30.172346] kasan_report+0x1e8/0x250 [ 30.176102] __asan_load8+0x98/0xe0 [ 30.179682] prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera] [ 30.186847] prestera_netdev_event_handler+0x1b4/0x1c0 [prestera] [ 30.193313] raw_notifier_call_chain+0x74/0xa0 [ 30.197860] call_netdevice_notifiers_info+0x68/0xc0 [ 30.202924] register_netdevice+0x3cc/0x760 [ 30.207190] register_netdev+0x24/0x50 [ 30.211015] prestera_device_register+0x8a0/0xba0 [prestera]	2024-03-04	not yet calculated	CVE-2021-47102 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: spmi: mediatek: Fix UAF on device remove The pmif driver data that contains the clocks is allocated along with spmi_controller. On device remove, spmi_controller will be freed first, and then devres , including the clocks, will be cleanup. This leads to UAF because putting the clocks will access the clocks in the pmif driver data, which is already freed along with spmi_controller. This can be reproduced by enabling DEBUG_TEST_DRIVER_REMOVE and building the kernel with KASAN. Fix the UAF issue by using unmanaged clk_bulk_get() and putting the clocks before freeing spmi_controller.	2024-03-06	not yet calculated	CVE-2023-52584 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: tun: avoid double free in tun_free_netdev Avoid double free in tun_free_netdev() by moving the dev->tstats and tun->security allocs to a new ndo_init routine (tun_net_init()) that will be called by register_netdevice(). ndo_init is paired with the desctructor (tun_free_netdev()), so if there’s an error in register_netdevice() the destructor will handle the frees. BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605 CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1 Hardware name: Red Hat KVM, BIOS Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247 kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372 ____kasan_slab_free mm/kasan/common.c:346 [inline] __kasan_slab_free+0x107/0x120 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:1723 [inline] slab_free_freelist_hook mm/slub.c:1749 [inline] slab_free mm/slub.c:3513 [inline] kfree+0xac/0x2d0 mm/slub.c:4561 selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605 security_tun_dev_free_security+0x4f/0x90 security/security.c:2342 tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215 netdev_run_todo+0x4df/0x840 net/core/dev.c:10627 rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112 __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302 tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae	2024-03-04	not yet calculated	CVE-2021-47082 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: pinctrl: mediatek: fix global-out-of-bounds issue When eint virtual eint number is greater than gpio number, it maybe produce ‘desc[eint_n]’ size globle-out-of-bounds issue.	2024-03-04	not yet calculated	CVE-2021-47083 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: hamradio: defer ax25 kfree after unregister_netdev There is a possible race condition (use-after-free) like below (USE) \| (FREE) ax25_sendmsg \| ax25_queue_xmit \| dev_queue_xmit \| __dev_queue_xmit \| __dev_xmit_skb \| sch_direct_xmit \| … xmit_one \| netdev_start_xmit \| tty_ldisc_kill __netdev_start_xmit \| mkiss_close ax_xmit \| kfree ax_encaps \| \| Even though there are two synchronization primitives before the kfree: 1. wait_for_completion(&ax->dead). This can prevent the race with routines from mkiss_ioctl. However, it cannot stop the routine coming from upper layer, i.e., the ax25_sendmsg. 2. netif_stop_queue(ax->dev). It seems that this line of code aims to halt the transmit queue but it fails to stop the routine that already being xmit. This patch reorder the kfree after the unregister_netdev to avoid the possible UAF as the unregister_netdev() is well synchronized and won’t return if there is a running routine.	2024-03-04	not yet calculated	CVE-2021-47084 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: hamradio: improve the incomplete fix to avoid NPD The previous commit 3e0588c291d6 (“hamradio: defer ax25 kfree after unregister_netdev”) reorder the kfree operations and unregister_netdev operation to prevent UAF. This commit improves the previous one by also deferring the nullify of the ax->tty pointer. Otherwise, a NULL pointer dereference bug occurs. Partial of the stack trace is shown below. BUG: kernel NULL pointer dereference, address: 0000000000000538 RIP: 0010:ax_xmit+0x1f9/0x400 … Call Trace: dev_hard_start_xmit+0xec/0x320 sch_direct_xmit+0xea/0x240 __qdisc_run+0x166/0x5c0 __dev_queue_xmit+0x2c7/0xaf0 ax25_std_establish_data_link+0x59/0x60 ax25_connect+0x3a0/0x500 ? security_socket_connect+0x2b/0x40 __sys_connect+0x96/0xc0 ? __hrtimer_init+0xc0/0xc0 ? common_nsleep+0x2e/0x50 ? switch_fpu_return+0x139/0x1a0 __x64_sys_connect+0x11/0x20 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The crash point is shown as below static void ax_encaps(…) { … set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags); // ax->tty = NULL! … } By placing the nullify action after the unregister_netdev, the ax->tty pointer won’t be assigned as NULL net_device framework layer is well synchronized.	2024-03-04	not yet calculated	CVE-2021-47085 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: phonet/pep: refuse to enable an unbound pipe This ioctl() implicitly assumed that the socket was already bound to a valid local socket name, i.e. Phonet object. If the socket was not bound, two separate problems would occur: 1) We’d send an pipe enablement request with an invalid source object. 2) Later socket calls could BUG on the socket unexpectedly being connected yet not bound to a valid object.	2024-03-04	not yet calculated	CVE-2021-47086 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: tee: optee: Fix incorrect page free bug Pointer to the allocated pages (struct page *page) has already progressed towards the end of allocation. It is incorrect to perform __free_pages(page, order) using this pointer as we would free any arbitrary pages. Fix this by stop modifying the page pointer.	2024-03-04	not yet calculated	CVE-2021-47087 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: mm/damon/dbgfs: protect targets destructions with kdamond_lock DAMON debugfs interface iterates current monitoring targets in ‘dbgfs_target_ids_read()’ while holding the corresponding ‘kdamond_lock’. However, it also destructs the monitoring targets in ‘dbgfs_before_terminate()’ without holding the lock. This can result in a use_after_free bug. This commit avoids the race by protecting the destruction with the corresponding ‘kdamond_lock’.	2024-03-04	not yet calculated	CVE-2021-47088 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: kfence: fix memory leak when cat kfence objects Hulk robot reported a kmemleak problem: unreferenced object 0xffff93d1d8cc02e8 (size 248): comm “cat”, pid 23327, jiffies 4624670141 (age 495992.217s) hex dump (first 32 bytes): 00 40 85 19 d4 93 ff ff 00 10 00 00 00 00 00 00 .@………….. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. backtrace: seq_open+0x2a/0x80 full_proxy_open+0x167/0x1e0 do_dentry_open+0x1e1/0x3a0 path_openat+0x961/0xa20 do_filp_open+0xae/0x120 do_sys_openat2+0x216/0x2f0 do_sys_open+0x57/0x80 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 unreferenced object 0xffff93d419854000 (size 4096): comm “cat”, pid 23327, jiffies 4624670141 (age 495992.217s) hex dump (first 32 bytes): 6b 66 65 6e 63 65 2d 23 32 35 30 3a 20 30 78 30 kfence-#250: 0x0 30 30 30 30 30 30 30 37 35 34 62 64 61 31 32 2d 0000000754bda12- backtrace: seq_read_iter+0x313/0x440 seq_read+0x14b/0x1a0 full_proxy_read+0x56/0x80 vfs_read+0xa5/0x1b0 ksys_read+0xa0/0xf0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 I find that we can easily reproduce this problem with the following commands: cat /sys/kernel/debug/kfence/objects echo scan > /sys/kernel/debug/kmemleak cat /sys/kernel/debug/kmemleak The leaked memory is allocated in the stack below: do_syscall_64 do_sys_open do_dentry_open full_proxy_open seq_open —> alloc seq_file vfs_read full_proxy_read seq_read seq_read_iter traverse —> alloc seq_buf And it should have been released in the following process: do_syscall_64 syscall_exit_to_user_mode exit_to_user_mode_prepare task_work_run ____fput __fput full_proxy_release —> free here However, the release function corresponding to file_operations is not implemented in kfence. As a result, a memory leak occurs. Therefore, the solution to this problem is to implement the corresponding release function.	2024-03-04	not yet calculated	CVE-2021-47089 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page() Hulk Robot reported a panic in put_page_testzero() when testing madvise() with MADV_SOFT_OFFLINE. The BUG() is triggered when retrying get_any_page(). This is because we keep MF_COUNT_INCREASED flag in second try but the refcnt is not increased. page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0) ————[ cut here ]———— kernel BUG at include/linux/mm.h:737! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 5 PID: 2135 Comm: sshd Tainted: G B 5.16.0-rc6-dirty #373 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: release_pages+0x53f/0x840 Call Trace: free_pages_and_swap_cache+0x64/0x80 tlb_flush_mmu+0x6f/0x220 unmap_page_range+0xe6c/0x12c0 unmap_single_vma+0x90/0x170 unmap_vmas+0xc4/0x180 exit_mmap+0xde/0x3a0 mmput+0xa3/0x250 do_exit+0x564/0x1470 do_group_exit+0x3b/0x100 __do_sys_exit_group+0x13/0x20 __x64_sys_exit_group+0x16/0x20 do_syscall_64+0x34/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Modules linked in: —[ end trace e99579b570fe0649 ]— RIP: 0010:release_pages+0x53f/0x840	2024-03-04	not yet calculated	CVE-2021-47090 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: mac80211: fix locking in ieee80211_start_ap error path We need to hold the local->mtx to release the channel context, as even encoded by the lockdep_assert_held() there. Fix it.	2024-03-04	not yet calculated	CVE-2021-47091 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: KVM: VMX: Always clear vmx->fail on emulation_required Revert a relatively recent change that set vmx->fail if the vCPU is in L2 and emulation_required is true, as that behavior is completely bogus. Setting vmx->fail and synthesizing a VM-Exit is contradictory and wrong: (a) it’s impossible to have both a VM-Fail and VM-Exit (b) vmcs.EXIT_REASON is not modified on VM-Fail (c) emulation_required refers to guest state and guest state checks are always VM-Exits, not VM-Fails. For KVM specifically, emulation_required is handled before nested exits in __vmx_handle_exit(), thus setting vmx->fail has no immediate effect, i.e. KVM calls into handle_invalid_guest_state() and vmx->fail is ignored. Setting vmx->fail can ultimately result in a WARN in nested_vmx_vmexit() firing when tearing down the VM as KVM never expects vmx->fail to be set when L2 is active, KVM always reflects those errors into L1. ————[ cut here ]———— WARNING: CPU: 0 PID: 21158 at arch/x86/kvm/vmx/nested.c:4548 nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547 Modules linked in: CPU: 0 PID: 21158 Comm: syz-executor.1 Not tainted 5.16.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547 Code: <0f> 0b e9 2e f8 ff ff e8 57 b3 5d 00 0f 0b e9 00 f1 ff ff 89 e9 80 Call Trace: vmx_leave_nested arch/x86/kvm/vmx/nested.c:6220 [inline] nested_vmx_free_vcpu+0x83/0xc0 arch/x86/kvm/vmx/nested.c:330 vmx_free_vcpu+0x11f/0x2a0 arch/x86/kvm/vmx/vmx.c:6799 kvm_arch_vcpu_destroy+0x6b/0x240 arch/x86/kvm/x86.c:10989 kvm_vcpu_destroy+0x29/0x90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 kvm_free_vcpus arch/x86/kvm/x86.c:11426 [inline] kvm_arch_destroy_vm+0x3ef/0x6b0 arch/x86/kvm/x86.c:11545 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1189 [inline] kvm_put_kvm+0x751/0xe40 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1220 kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3489 __fput+0x3fc/0x870 fs/file_table.c:280 task_work_run+0x146/0x1c0 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0x705/0x24f0 kernel/exit.c:832 do_group_exit+0x168/0x2d0 kernel/exit.c:929 get_signal+0x1740/0x2120 kernel/signal.c:2852 arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:868 handle_signal_work kernel/entry/common.c:148 [inline] exit_to_user_mode_loop kernel/entry/common.c:172 [inline] exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300 do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae	2024-03-04	not yet calculated	CVE-2021-47092 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: platform/x86: intel_pmc_core: fix memleak on registration failure In case device registration fails during module initialisation, the platform device structure needs to be freed using platform_device_put() to properly free all resources (e.g. the device name).	2024-03-04	not yet calculated	CVE-2021-47093 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Don’t advance iterator after restart due to yielding After dropping mmu_lock in the TDP MMU, restart the iterator during tdp_iter_next() and do not advance the iterator. Advancing the iterator results in skipping the top-level SPTE and all its children, which is fatal if any of the skipped SPTEs were not visited before yielding. When zapping all SPTEs, i.e. when min_level == root_level, restarting the iter and then invoking tdp_iter_next() is always fatal if the current gfn has as a valid SPTE, as advancing the iterator results in try_step_side() skipping the current gfn, which wasn’t visited before yielding. Sprinkle WARNs on iter->yielded being true in various helpers that are often used in conjunction with yielding, and tag the helper with __must_check to reduce the probabily of improper usage. Failing to zap a top-level SPTE manifests in one of two ways. If a valid SPTE is skipped by both kvm_tdp_mmu_zap_all() and kvm_tdp_mmu_put_root(), the shadow page will be leaked and KVM will WARN accordingly. WARNING: CPU: 1 PID: 3509 at arch/x86/kvm/mmu/tdp_mmu.c:46 [kvm] RIP: 0010:kvm_mmu_uninit_tdp_mmu+0x3e/0x50 [kvm] Call Trace: <TASK> kvm_arch_destroy_vm+0x130/0x1b0 [kvm] kvm_destroy_vm+0x162/0x2a0 [kvm] kvm_vcpu_release+0x34/0x60 [kvm] __fput+0x82/0x240 task_work_run+0x5c/0x90 do_exit+0x364/0xa10 ? futex_unqueue+0x38/0x60 do_group_exit+0x33/0xa0 get_signal+0x155/0x850 arch_do_signal_or_restart+0xed/0x750 exit_to_user_mode_prepare+0xc5/0x120 syscall_exit_to_user_mode+0x1d/0x40 do_syscall_64+0x48/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae If kvm_tdp_mmu_zap_all() skips a gfn/SPTE but that SPTE is then zapped by kvm_tdp_mmu_put_root(), KVM triggers a use-after-free in the form of marking a struct page as dirty/accessed after it has been put back on the free list. This directly triggers a WARN due to encountering a page with page_count() == 0, but it can also lead to data corruption and additional errors in the kernel. WARNING: CPU: 7 PID: 1995658 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:171 RIP: 0010:kvm_is_zone_device_pfn.part.0+0x9e/0xd0 [kvm] Call Trace: <TASK> kvm_set_pfn_dirty+0x120/0x1d0 [kvm] __handle_changed_spte+0x92e/0xca0 [kvm] __handle_changed_spte+0x63c/0xca0 [kvm] __handle_changed_spte+0x63c/0xca0 [kvm] __handle_changed_spte+0x63c/0xca0 [kvm] zap_gfn_range+0x549/0x620 [kvm] kvm_tdp_mmu_put_root+0x1b6/0x270 [kvm] mmu_free_root_page+0x219/0x2c0 [kvm] kvm_mmu_free_roots+0x1b4/0x4e0 [kvm] kvm_mmu_unload+0x1c/0xa0 [kvm] kvm_arch_destroy_vm+0x1f2/0x5c0 [kvm] kvm_put_kvm+0x3b1/0x8b0 [kvm] kvm_vcpu_release+0x4e/0x70 [kvm] __fput+0x1f7/0x8c0 task_work_run+0xf8/0x1a0 do_exit+0x97b/0x2230 do_group_exit+0xda/0x2a0 get_signal+0x3be/0x1e50 arch_do_signal_or_restart+0x244/0x17f0 exit_to_user_mode_prepare+0xcb/0x120 syscall_exit_to_user_mode+0x1d/0x40 do_syscall_64+0x4d/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Note, the underlying bug existed even before commit 1af4a96025b3 (“KVM: x86/mmu: Yield in TDU MMU iter even if no SPTES changed”) moved calls to tdp_mmu_iter_cond_resched() to the beginning of loops, as KVM could still incorrectly advance past a top-level entry when yielding on a lower-level entry. But with respect to leaking shadow pages, the bug was introduced by yielding before processing the current gfn. Alternatively, tdp_mmu_iter_cond_resched() could simply fall through, or callers could jump to their “retry” label. The downside of that approach is that tdp_mmu_iter_cond_resched() _must_ be called before anything else in the loop, and there’s no easy way to enfornce that requirement. Ideally, KVM would handling the cond_resched() fully within the iterator macro (the code is actually quite clean) and avoid this entire class of bugs, but that is extremely difficult do wh —truncated—	2024-03-04	not yet calculated	CVE-2021-47094 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ipmi: ssif: initialize ssif_info->client early During probe ssif_info->client is dereferenced in error path. However, it is set when some of the error checking has already been done. This causes following kernel crash if an error path is taken: [ 30.645593][ T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present [ 30.657616][ T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088 … [ 30.657723][ T674] pc : __dev_printk+0x28/0xa0 [ 30.657732][ T674] lr : _dev_err+0x7c/0xa0 … [ 30.657772][ T674] Call trace: [ 30.657775][ T674] __dev_printk+0x28/0xa0 [ 30.657778][ T674] _dev_err+0x7c/0xa0 [ 30.657781][ T674] ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e] [ 30.657791][ T674] i2c_device_probe+0x37c/0x3c0 … Initialize ssif_info->client before any error path can be taken. Clear i2c_client data in the error path to prevent the dangling pointer from leaking.	2024-03-04	not yet calculated	CVE-2021-47095 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ALSA: rawmidi – fix the uninitalized user_pversion The user_pversion was uninitialized for the user space file structure in the open function, because the file private structure use kmalloc for the allocation. The kernel ALSA sequencer code clears the file structure, so no additional fixes are required. BugLink: https://github.com/alsa-project/alsa-lib/issues/178	2024-03-04	not yet calculated	CVE-2021-47096 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: Input: elantech – fix stack out of bound access in elantech_change_report_id() The array param[] in elantech_change_report_id() must be at least 3 bytes, because elantech_read_reg_params() is calling ps2_command() with PSMOUSE_CMD_GETINFO, that is going to access 3 bytes from param[], but it’s defined in the stack as an array of 2 bytes, therefore we have a potential stack out-of-bounds access here, also confirmed by KASAN: [ 6.512374] BUG: KASAN: stack-out-of-bounds in __ps2_command+0x372/0x7e0 [ 6.512397] Read of size 1 at addr ffff8881024d77c2 by task kworker/2:1/118 [ 6.512416] CPU: 2 PID: 118 Comm: kworker/2:1 Not tainted 5.13.0-22-generic #22+arighi20211110 [ 6.512428] Hardware name: LENOVO 20T8000QGE/20T8000QGE, BIOS R1AET32W (1.08 ) 08/14/2020 [ 6.512436] Workqueue: events_long serio_handle_event [ 6.512453] Call Trace: [ 6.512462] show_stack+0x52/0x58 [ 6.512474] dump_stack+0xa1/0xd3 [ 6.512487] print_address_description.constprop.0+0x1d/0x140 [ 6.512502] ? __ps2_command+0x372/0x7e0 [ 6.512516] __kasan_report.cold+0x7d/0x112 [ 6.512527] ? _raw_write_lock_irq+0x20/0xd0 [ 6.512539] ? __ps2_command+0x372/0x7e0 [ 6.512552] kasan_report+0x3c/0x50 [ 6.512564] __asan_load1+0x6a/0x70 [ 6.512575] __ps2_command+0x372/0x7e0 [ 6.512589] ? ps2_drain+0x240/0x240 [ 6.512601] ? dev_printk_emit+0xa2/0xd3 [ 6.512612] ? dev_vprintk_emit+0xc5/0xc5 [ 6.512621] ? __kasan_check_write+0x14/0x20 [ 6.512634] ? mutex_lock+0x8f/0xe0 [ 6.512643] ? __mutex_lock_slowpath+0x20/0x20 [ 6.512655] ps2_command+0x52/0x90 [ 6.512670] elantech_ps2_command+0x4f/0xc0 [psmouse] [ 6.512734] elantech_change_report_id+0x1e6/0x256 [psmouse] [ 6.512799] ? elantech_report_trackpoint.constprop.0.cold+0xd/0xd [psmouse] [ 6.512863] ? ps2_command+0x7f/0x90 [ 6.512877] elantech_query_info.cold+0x6bd/0x9ed [psmouse] [ 6.512943] ? elantech_setup_ps2+0x460/0x460 [psmouse] [ 6.513005] ? psmouse_reset+0x69/0xb0 [psmouse] [ 6.513064] ? psmouse_attr_set_helper+0x2a0/0x2a0 [psmouse] [ 6.513122] ? phys_pmd_init+0x30e/0x521 [ 6.513137] elantech_init+0x8a/0x200 [psmouse] [ 6.513200] ? elantech_init_ps2+0xf0/0xf0 [psmouse] [ 6.513249] ? elantech_query_info+0x440/0x440 [psmouse] [ 6.513296] ? synaptics_send_cmd+0x60/0x60 [psmouse] [ 6.513342] ? elantech_query_info+0x440/0x440 [psmouse] [ 6.513388] ? psmouse_try_protocol+0x11e/0x170 [psmouse] [ 6.513432] psmouse_extensions+0x65d/0x6e0 [psmouse] [ 6.513476] ? psmouse_try_protocol+0x170/0x170 [psmouse] [ 6.513519] ? mutex_unlock+0x22/0x40 [ 6.513526] ? ps2_command+0x7f/0x90 [ 6.513536] ? psmouse_probe+0xa3/0xf0 [psmouse] [ 6.513580] psmouse_switch_protocol+0x27d/0x2e0 [psmouse] [ 6.513624] psmouse_connect+0x272/0x530 [psmouse] [ 6.513669] serio_driver_probe+0x55/0x70 [ 6.513679] really_probe+0x190/0x720 [ 6.513689] driver_probe_device+0x160/0x1f0 [ 6.513697] device_driver_attach+0x119/0x130 [ 6.513705] ? device_driver_attach+0x130/0x130 [ 6.513713] __driver_attach+0xe7/0x1a0 [ 6.513720] ? device_driver_attach+0x130/0x130 [ 6.513728] bus_for_each_dev+0xfb/0x150 [ 6.513738] ? subsys_dev_iter_exit+0x10/0x10 [ 6.513748] ? _raw_write_unlock_bh+0x30/0x30 [ 6.513757] driver_attach+0x2d/0x40 [ 6.513764] serio_handle_event+0x199/0x3d0 [ 6.513775] process_one_work+0x471/0x740 [ 6.513785] worker_thread+0x2d2/0x790 [ 6.513794] ? process_one_work+0x740/0x740 [ 6.513802] kthread+0x1b4/0x1e0 [ 6.513809] ? set_kthread_struct+0x80/0x80 [ 6.513816] ret_from_fork+0x22/0x30 [ 6.513832] The buggy address belongs to the page: [ 6.513838] page:00000000bc35e189 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024d7 [ 6.513847] flags: 0x17ffffc0000000(node=0\|zone=2\|lastcpupid=0x1fffff) [ 6.513860] raw: 0 —truncated—	2024-03-04	not yet calculated	CVE-2021-47097 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations Commit b50aa49638c7 (“hwmon: (lm90) Prevent integer underflows of temperature calculations”) addressed a number of underflow situations when writing temperature limits. However, it missed one situation, seen when an attempt is made to set the hysteresis value to MAX_LONG and the critical temperature limit is negative. Use clamp_val() when setting the hysteresis temperature to ensure that the provided value can never overflow or underflow.	2024-03-04	not yet calculated	CVE-2021-47098 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: veth: ensure skb entering GRO are not cloned. After commit d3256efd8e8b (“veth: allow enabling NAPI even without XDP”), if GRO is enabled on a veth device and TSO is disabled on the peer device, TCP skbs will go through the NAPI callback. If there is no XDP program attached, the veth code does not perform any share check, and shared/cloned skbs could enter the GRO engine. Ignat reported a BUG triggered later-on due to the above condition: [ 53.970529][ C1] kernel BUG at net/core/skbuff.c:3574! [ 53.981755][ C1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI [ 53.982634][ C1] CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc5+ #25 [ 53.982634][ C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 [ 53.982634][ C1] RIP: 0010:skb_shift+0x13ef/0x23b0 [ 53.982634][ C1] Code: ea 03 0f b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 41 0c 00 00 41 80 7f 02 00 4d 8d b5 d0 00 00 00 0f 85 74 f5 ff ff <0f> 0b 4d 8d 77 20 be 04 00 00 00 4c 89 44 24 78 4c 89 f7 4c 89 8c [ 53.982634][ C1] RSP: 0018:ffff8881008f7008 EFLAGS: 00010246 [ 53.982634][ C1] RAX: 0000000000000000 RBX: ffff8881180b4c80 RCX: 0000000000000000 [ 53.982634][ C1] RDX: 0000000000000002 RSI: ffff8881180b4d3c RDI: ffff88810bc9cac2 [ 53.982634][ C1] RBP: ffff8881008f70b8 R08: ffff8881180b4cf4 R09: ffff8881180b4cf0 [ 53.982634][ C1] R10: ffffed1022999e5c R11: 0000000000000002 R12: 0000000000000590 [ 53.982634][ C1] R13: ffff88810f940c80 R14: ffff88810f940d50 R15: ffff88810bc9cac0 [ 53.982634][ C1] FS: 0000000000000000(0000) GS:ffff888235880000(0000) knlGS:0000000000000000 [ 53.982634][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 53.982634][ C1] CR2: 00007ff5f9b86680 CR3: 0000000108ce8004 CR4: 0000000000170ee0 [ 53.982634][ C1] Call Trace: [ 53.982634][ C1] <TASK> [ 53.982634][ C1] tcp_sacktag_walk+0xaba/0x18e0 [ 53.982634][ C1] tcp_sacktag_write_queue+0xe7b/0x3460 [ 53.982634][ C1] tcp_ack+0x2666/0x54b0 [ 53.982634][ C1] tcp_rcv_established+0x4d9/0x20f0 [ 53.982634][ C1] tcp_v4_do_rcv+0x551/0x810 [ 53.982634][ C1] tcp_v4_rcv+0x22ed/0x2ed0 [ 53.982634][ C1] ip_protocol_deliver_rcu+0x96/0xaf0 [ 53.982634][ C1] ip_local_deliver_finish+0x1e0/0x2f0 [ 53.982634][ C1] ip_sublist_rcv_finish+0x211/0x440 [ 53.982634][ C1] ip_list_rcv_finish.constprop.0+0x424/0x660 [ 53.982634][ C1] ip_list_rcv+0x2c8/0x410 [ 53.982634][ C1] __netif_receive_skb_list_core+0x65c/0x910 [ 53.982634][ C1] netif_receive_skb_list_internal+0x5f9/0xcb0 [ 53.982634][ C1] napi_complete_done+0x188/0x6e0 [ 53.982634][ C1] gro_cell_poll+0x10c/0x1d0 [ 53.982634][ C1] __napi_poll+0xa1/0x530 [ 53.982634][ C1] net_rx_action+0x567/0x1270 [ 53.982634][ C1] __do_softirq+0x28a/0x9ba [ 53.982634][ C1] run_ksoftirqd+0x32/0x60 [ 53.982634][ C1] smpboot_thread_fn+0x559/0x8c0 [ 53.982634][ C1] kthread+0x3b9/0x490 [ 53.982634][ C1] ret_from_fork+0x22/0x30 [ 53.982634][ C1] </TASK> Address the issue by skipping the GRO stage for shared or cloned skbs. To reduce the chance of OoO, try to unclone the skbs before giving up. v1 -> v2: – use avoid skb_copy and fallback to netif_receive_skb – Eric	2024-03-04	not yet calculated	CVE-2021-47099 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module Hi, When testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko, the system crashed. The log as follows: [ 141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a [ 141.087241] PGD 8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0 [ 141.087464] Oops: 0010 [#1] SMP NOPTI [ 141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47 [ 141.088009] Workqueue: events 0xffffffffc09b3a40 [ 141.088009] RIP: 0010:0xffffffffc09b3a5a [ 141.088009] Code: Bad RIP value. [ 141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246 [ 141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000 [ 141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 [ 141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1 [ 141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700 [ 141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8 [ 141.088009] FS: 0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000 [ 141.088009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0 [ 141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 141.088009] PKRU: 55555554 [ 141.088009] Call Trace: [ 141.088009] ? process_one_work+0x195/0x390 [ 141.088009] ? worker_thread+0x30/0x390 [ 141.088009] ? process_one_work+0x390/0x390 [ 141.088009] ? kthread+0x10d/0x130 [ 141.088009] ? kthread_flush_work_fn+0x10/0x10 [ 141.088009] ? ret_from_fork+0x35/0x40] BUG: unable to handle kernel paging request at ffffffffc0b28a5a [ 200.223240] PGD 97fe00d067 P4D 97fe00d067 PUD 97fe00f067 PMD a580cbf067 PTE 0 [ 200.223464] Oops: 0010 [#1] SMP NOPTI [ 200.223579] CPU: 63 PID: 664 Comm: kworker/63:1 Kdump: loaded Not tainted 4.18.0.x86_64 #46 [ 200.224008] Workqueue: events 0xffffffffc0b28a40 [ 200.224008] RIP: 0010:0xffffffffc0b28a5a [ 200.224008] Code: Bad RIP value. [ 200.224008] RSP: 0018:ffffbf3c8e2a3e88 EFLAGS: 00010246 [ 200.224008] RAX: 0000000000000000 RBX: ffffa0799ad6bca0 RCX: 0000000000000000 [ 200.224008] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 [ 200.224008] RBP: 0000000000000000 R08: ffff9fe43fde3cb8 R09: 00000000000000d5 [ 200.224008] R10: ffffbf3c8cb53d90 R11: 00000000000f4240 R12: ffff9fe43fde8700 [ 200.224008] R13: 0000000000000000 R14: ffffa0799ad6bca0 R15: ffffa0799ad6bca8 [ 200.224008] FS: 0000000000000000(0000) GS:ffff9fe43fdc0000(0000) knlGS:0000000000000000 [ 200.224008] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 200.224008] CR2: ffffffffc0b28a30 CR3: 00000097fe00a002 CR4: 00000000007606e0 [ 200.224008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 200.224008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 200.224008] PKRU: 55555554 [ 200.224008] Call Trace: [ 200.224008] ? process_one_work+0x195/0x390 [ 200.224008] ? worker_thread+0x30/0x390 [ 200.224008] ? process_one_work+0x390/0x390 [ 200.224008] ? kthread+0x10d/0x130 [ 200.224008] ? kthread_flush_work_fn+0x10/0x10 [ 200.224008] ? ret_from_fork+0x35/0x40 [ 200.224008] kernel fault(0x1) notification starting on CPU 63 [ 200.224008] kernel fault(0x1) notification finished on CPU 63 [ 200.224008] CR2: ffffffffc0b28a5a [ 200.224008] —[ end trace c82a412d93f57412 ]— The reason is as follows: T1: rmmod ipmi_si. ->ipmi_unregister_smi() -> ipmi_bmc_unregister() -> __ipmi_bmc_unregister() -> kref_put(&bmc->usecount, cleanup_bmc_device); -> schedule_work(&bmc->remove_work); T2: rmmod ipmi_msghandl —truncated—	2024-03-04	not yet calculated	CVE-2021-47100 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: asix: fix uninit-value in asix_mdio_read() asix_read_cmd() may read less than sizeof(smsr) bytes and in this case smsr will be uninitialized. Fail log: BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497	2024-03-04	not yet calculated	CVE-2021-47101 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: inet: fully convert sk->sk_rx_dst to RCU rules syzbot reported various issues around early demux, one being included in this changelog [1] sk->sk_rx_dst is using RCU protection without clearly documenting it. And following sequences in tcp_v4_do_rcv()/tcp_v6_do_rcv() are not following standard RCU rules. [a] dst_release(dst); [b] sk->sk_rx_dst = NULL; They look wrong because a delete operation of RCU protected pointer is supposed to clear the pointer before the call_rcu()/synchronize_rcu() guarding actual memory freeing. In some cases indeed, dst could be freed before [b] is done. We could cheat by clearing sk_rx_dst before calling dst_release(), but this seems the right time to stick to standard RCU annotations and debugging facilities. [1] BUG: KASAN: use-after-free in dst_check include/net/dst.h:470 [inline] BUG: KASAN: use-after-free in tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792 Read of size 2 at addr ffff88807f1cb73a by task syz-executor.5/9204 CPU: 0 PID: 9204 Comm: syz-executor.5 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 dst_check include/net/dst.h:470 [inline] tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792 ip_rcv_finish_core.constprop.0+0x15de/0x1e80 net/ipv4/ip_input.c:340 ip_list_rcv_finish.constprop.0+0x1b2/0x6e0 net/ipv4/ip_input.c:583 ip_sublist_rcv net/ipv4/ip_input.c:609 [inline] ip_list_rcv+0x34e/0x490 net/ipv4/ip_input.c:644 __netif_receive_skb_list_ptype net/core/dev.c:5508 [inline] __netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5556 __netif_receive_skb_list net/core/dev.c:5608 [inline] netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5699 gro_normal_list net/core/dev.c:5853 [inline] gro_normal_list net/core/dev.c:5849 [inline] napi_complete_done+0x1f1/0x880 net/core/dev.c:6590 virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline] virtnet_poll+0xca2/0x11b0 drivers/net/virtio_net.c:1557 __napi_poll+0xaf/0x440 net/core/dev.c:7023 napi_poll net/core/dev.c:7090 [inline] net_rx_action+0x801/0xb40 net/core/dev.c:7177 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 common_interrupt+0x52/0xc0 arch/x86/kernel/irq.c:240 asm_common_interrupt+0x1e/0x40 arch/x86/include/asm/idtentry.h:629 RIP: 0033:0x7f5e972bfd57 Code: 39 d1 73 14 0f 1f 80 00 00 00 00 48 8b 50 f8 48 83 e8 08 48 39 ca 77 f3 48 39 c3 73 3e 48 89 13 48 8b 50 f8 48 89 38 49 8b 0e <48> 8b 3e 48 83 c3 08 48 83 c6 08 eb bc 48 39 d1 72 9e 48 39 d0 73 RSP: 002b:00007fff8a413210 EFLAGS: 00000283 RAX: 00007f5e97108990 RBX: 00007f5e97108338 RCX: ffffffff81d3aa45 RDX: ffffffff81d3aa45 RSI: 00007f5e97108340 RDI: ffffffff81d3aa45 RBP: 00007f5e97107eb8 R08: 00007f5e97108d88 R09: 0000000093c2e8d9 R10: 0000000000000000 R11: 0000000000000000 R12: 00007f5e97107eb0 R13: 00007f5e97108338 R14: 00007f5e97107ea8 R15: 0000000000000019 </TASK> Allocated by task 13: kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:467 kasan_slab_alloc include/linux/kasan.h:259 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:3234 [inline] slab_alloc mm/slub.c:3242 [inline] kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3247 dst_alloc+0x146/0x1f0 net/core/dst.c:92 rt_dst_alloc+0x73/0x430 net/ipv4/route.c:1613 ip_route_input_slow+0x1817/0x3a20 net/ipv4/route.c:234 —truncated—	2024-03-04	not yet calculated	CVE-2021-47103 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() The wrong goto label was used for the error case and missed cleanup of the pkt allocation. Addresses-Coverity-ID: 1493352 (“Resource leak”)	2024-03-04	not yet calculated	CVE-2021-47104 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ice: xsk: return xsk buffers back to pool when cleaning the ring Currently we only NULL the xdp_buff pointer in the internal SW ring but we never give it back to the xsk buffer pool. This means that buffers can be leaked out of the buff pool and never be used again. Add missing xsk_buff_free() call to the routine that is supposed to clean the entries that are left in the ring so that these buffers in the umem can be used by other sockets. Also, only go through the space that is actually left to be cleaned instead of a whole ring.	2024-03-04	not yet calculated	CVE-2021-47105 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy() We need to use list_for_each_entry_safe() iterator because we can not access @catchall after kfree_rcu() call. syzbot reported: BUG: KASAN: use-after-free in nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline] BUG: KASAN: use-after-free in nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline] BUG: KASAN: use-after-free in nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493 Read of size 8 at addr ffff8880716e5b80 by task syz-executor.3/8871 CPU: 1 PID: 8871 Comm: syz-executor.3 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x2ed mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline] nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline] nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493 __nft_release_table+0x79f/0xcd0 net/netfilter/nf_tables_api.c:9626 nft_rcv_nl_event+0x4f8/0x670 net/netfilter/nf_tables_api.c:9688 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 blocking_notifier_call_chain kernel/notifier.c:318 [inline] blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:306 netlink_release+0xcb6/0x1dd0 net/netlink/af_netlink.c:788 __sock_release+0xcd/0x280 net/socket.c:649 sock_close+0x18/0x20 net/socket.c:1314 __fput+0x286/0x9f0 fs/file_table.c:280 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop kernel/entry/common.c:175 [inline] exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f75fbf28adb Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffd8da7ec10 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f75fbf28adb RDX: 00007f75fc08e828 RSI: ffffffffffffffff RDI: 0000000000000003 RBP: 00007f75fc08a960 R08: 0000000000000000 R09: 00007f75fc08e830 R10: 00007ffd8da7ed10 R11: 0000000000000293 R12: 00000000002067c3 R13: 00007ffd8da7ed10 R14: 00007f75fc088f60 R15: 0000000000000032 </TASK> Allocated by task 8886: kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] ____kasan_kmalloc mm/kasan/common.c:472 [inline] __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:522 kasan_kmalloc include/linux/kasan.h:269 [inline] kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3575 kmalloc include/linux/slab.h:590 [inline] nft_setelem_catchall_insert net/netfilter/nf_tables_api.c:5544 [inline] nft_setelem_insert net/netfilter/nf_tables_api.c:5562 [inline] nft_add_set_elem+0x232e/0x2f40 net/netfilter/nf_tables_api.c:5936 nf_tables_newsetelem+0x6ff/0xbb0 net/netfilter/nf_tables_api.c:6032 nfnetlink_rcv_batch+0x1710/0x25f0 net/netfilter/nfnetlink.c:513 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:652 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/ —truncated—	2024-03-04	not yet calculated	CVE-2021-47106 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix READDIR buffer overflow If a client sends a READDIR count argument that is too small (say, zero), then the buffer size calculation in the new init_dirlist helper functions results in an underflow, allowing the XDR stream functions to write beyond the actual buffer. This calculation has always been suspect. NFSD has never sanity- checked the READDIR count argument, but the old entry encoders managed the problem correctly. With the commits below, entry encoding changed, exposing the underflow to the pointer arithmetic in xdr_reserve_space(). Modern NFS clients attempt to retrieve as much data as possible for each READDIR request. Also, we have no unit tests that exercise the behavior of READDIR at the lower bound of @count values. Thus this case was missed during testing.	2024-03-04	not yet calculated	CVE-2021-47107 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: hdmi: Perform NULL pointer check for mtk_hdmi_conf In commit 41ca9caaae0b (“drm/mediatek: hdmi: Add check for CEA modes only”) a check for CEA modes was added to function mtk_hdmi_bridge_mode_valid() in order to address possible issues on MT8167; moreover, with commit c91026a938c2 (“drm/mediatek: hdmi: Add optional limit on maximal HDMI mode clock”) another similar check was introduced. Unfortunately though, at the time of writing, MT8173 does not provide any mtk_hdmi_conf structure and this is crashing the kernel with NULL pointer upon entering mtk_hdmi_bridge_mode_valid(), which happens as soon as a HDMI cable gets plugged in. To fix this regression, add a NULL pointer check for hdmi->conf in the said function, restoring HDMI functionality and avoiding NULL pointer kernel panics.	2024-03-04	not yet calculated	CVE-2021-47108 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: crypto: qcom-rng – ensure buffer for generate is completely filled The generate function in struct rng_alg expects that the destination buffer is completely filled if the function returns 0. qcom_rng_read() can run into a situation where the buffer is partially filled with randomness and the remaining part of the buffer is zeroed since qcom_rng_generate() doesn’t check the return value. This issue can be reproduced by running the following from libkcapi: kcapi-rng -b 9000000 > OUTFILE The generated OUTFILE will have three huge sections that contain all zeros, and this is caused by the code where the test ‘val & PRNG_STATUS_DATA_AVAIL’ fails. Let’s fix this issue by ensuring that qcom_rng_read() always returns with a full buffer if the function returns success. Let’s also have qcom_rng_generate() return the correct value. Here’s some statistics from the ent project (https://www.fourmilab.ch/random/) that shows information about the quality of the generated numbers: $ ent -c qcom-random-before Value Char Occurrences Fraction 0 606748 0.067416 1 33104 0.003678 2 33001 0.003667 … 253 ? 32883 0.003654 254 ? 33035 0.003671 255 ? 33239 0.003693 Total: 9000000 1.000000 Entropy = 7.811590 bits per byte. Optimum compression would reduce the size of this 9000000 byte file by 2 percent. Chi square distribution for 9000000 samples is 9329962.81, and randomly would exceed this value less than 0.01 percent of the times. Arithmetic mean value of data bytes is 119.3731 (127.5 = random). Monte Carlo value for Pi is 3.197293333 (error 1.77 percent). Serial correlation coefficient is 0.159130 (totally uncorrelated = 0.0). Without this patch, the results of the chi-square test is 0.01%, and the numbers are certainly not random according to ent’s project page. The results improve with this patch: $ ent -c qcom-random-after Value Char Occurrences Fraction 0 35432 0.003937 1 35127 0.003903 2 35424 0.003936 … 253 ? 35201 0.003911 254 ? 34835 0.003871 255 ? 35368 0.003930 Total: 9000000 1.000000 Entropy = 7.999979 bits per byte. Optimum compression would reduce the size of this 9000000 byte file by 0 percent. Chi square distribution for 9000000 samples is 258.77, and randomly would exceed this value 42.24 percent of the times. Arithmetic mean value of data bytes is 127.5006 (127.5 = random). Monte Carlo value for Pi is 3.141277333 (error 0.01 percent). Serial correlation coefficient is 0.000468 (totally uncorrelated = 0.0). This change was tested on a Nexus 5 phone (msm8974 SoC).	2024-03-05	not yet calculated	CVE-2022-48629 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: crypto: qcom-rng – fix infinite loop on requests not multiple of WORD_SZ The commit referenced in the Fixes tag removed the ‘break’ from the else branch in qcom_rng_read(), causing an infinite loop whenever ‘max’ is not a multiple of WORD_SZ. This can be reproduced e.g. by running: kcapi-rng -b 67 >/dev/null There are many ways to fix this without adding back the ‘break’, but they all seem more awkward than simply adding it back, so do just that. Tested on a machine with Qualcomm Amberwing processor.	2024-03-05	not yet calculated	CVE-2022-48630 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ceph: fix deadlock or deadcode of misusing dget() The lock order is incorrect between denty and its parent, we should always make sure that the parent get the lock first. But since this deadcode is never used and the parent dir will always be set from the callers, let’s just remove it.	2024-03-06	not yet calculated	CVE-2023-52583 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper() Return invalid error code -EINVAL for invalid block id. Fixes the below: drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed ‘info’ could be null (see line 1176)	2024-03-06	not yet calculated	CVE-2023-52585 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add mutex lock in control vblank irq Add a mutex lock to control vblank irq to synchronize vblank enable/disable operations happening from different threads to prevent race conditions while registering/unregistering the vblank irq callback. v4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a parameter of dpu_encoder_phys. -Switch from atomic refcnt to a simple int counter as mutex has now been added v3: Mistakenly did not change wording in last version. It is done now. v2: Slightly changed wording of commit message Patchwork: https://patchwork.freedesktop.org/patch/571854/	2024-03-06	not yet calculated	CVE-2023-52586 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: IB/ipoib: Fix mcast list locking Releasing the `priv->lock` while iterating the `priv->multicast_list` in `ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to remove the items while in the middle of iteration. If the mcast is removed while the lock was dropped, the for loop spins forever resulting in a hard lockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel): Task A (kworker/u72:2 below) \| Task B (kworker/u72:0 below) ———————————–+———————————– ipoib_mcast_join_task(work) \| ipoib_ib_dev_flush_light(work) spin_lock_irq(&priv->lock) \| __ipoib_ib_dev_flush(priv, …) list_for_each_entry(mcast, \| ipoib_mcast_dev_flush(dev = priv->dev) &priv->multicast_list, list) \| ipoib_mcast_join(dev, mcast) \| spin_unlock_irq(&priv->lock) \| \| spin_lock_irqsave(&priv->lock, flags) \| list_for_each_entry_safe(mcast, tmcast, \| &priv->multicast_list, list) \| list_del(&mcast->list); \| list_add_tail(&mcast->list, &remove_list) \| spin_unlock_irqrestore(&priv->lock, flags) spin_lock_irq(&priv->lock) \| \| ipoib_mcast_remove_list(&remove_list) (Here, `mcast` is no longer on the \| list_for_each_entry_safe(mcast, tmcast, `priv->multicast_list` and we keep \| remove_list, list) spinning on the `remove_list` of \| >>> wait_for_completion(&mcast->done) the other thread which is blocked \| and the list is still valid on \| it’s stack.) Fix this by keeping the lock held and changing to GFP_ATOMIC to prevent eventual sleeps. Unfortunately we could not reproduce the lockup and confirm this fix but based on the code review I think this fix should address such lockups. crash> bc 31 PID: 747 TASK: ff1c6a1a007e8000 CPU: 31 COMMAND: “kworker/u72:2” — [exception RIP: ipoib_mcast_join_task+0x1b1] RIP: ffffffffc0944ac1 RSP: ff646f199a8c7e00 RFLAGS: 00000002 RAX: 0000000000000000 RBX: ff1c6a1a04dc82f8 RCX: 0000000000000000 work (&priv->mcast_task{,.work}) RDX: ff1c6a192d60ac68 RSI: 0000000000000286 RDI: ff1c6a1a04dc8000 &mcast->list RBP: ff646f199a8c7e90 R8: ff1c699980019420 R9: ff1c6a1920c9a000 R10: ff646f199a8c7e00 R11: ff1c6a191a7d9800 R12: ff1c6a192d60ac00 mcast R13: ff1c6a1d82200000 R14: ff1c6a1a04dc8000 R15: ff1c6a1a04dc82d8 dev priv (&priv->lock) &priv->multicast_list (aka head) ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 — <NMI exception stack> — #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib] #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967 crash> rx ff646f199a8c7e68 ff646f199a8c7e68: ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work crash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000 (empty) crash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000 mcast_task.work.func = 0xffffffffc0944910 <ipoib_mcast_join_task>, mcast_mutex.owner.counter = 0xff1c69998efec000 crash> b 8 PID: 8 TASK: ff1c69998efec000 CPU: 33 COMMAND: “kworker/u72:0” — #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646 #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib] #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib] #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib] #7 [ff —truncated—	2024-03-06	not yet calculated	CVE-2023-52587 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to tag gcing flag on page during block migration It needs to add missing gcing flag on page during block migration, in order to garantee migrated data be persisted during checkpoint, otherwise out-of-order persistency between data and node may cause data corruption after SPOR. Similar issue was fixed by commit 2d1fe8a86bf5 (“f2fs: fix to tag gcing flag on page during file defragment”).	2024-03-06	not yet calculated	CVE-2023-52588 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: media: rkisp1: Fix IRQ disable race issue In rkisp1_isp_stop() and rkisp1_csi_disable() the driver masks the interrupts and then apparently assumes that the interrupt handler won’t be running, and proceeds in the stop procedure. This is not the case, as the interrupt handler can already be running, which would lead to the ISP being disabled while the interrupt handler handling a captured frame. This brings up two issues: 1) the ISP could be powered off while the interrupt handler is still running and accessing registers, leading to board lockup, and 2) the interrupt handler code and the code that disables the streaming might do things that conflict. It is not clear to me if 2) causes a real issue, but 1) can be seen with a suitable delay (or printk in my case) in the interrupt handler, leading to board lockup.	2024-03-06	not yet calculated	CVE-2023-52589 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ocfs2: Avoid touching renamed directory if parent does not change The VFS will not be locking moved directory if its parent does not change. Change ocfs2 rename code to avoid touching renamed directory if its parent does not change as without locking that can corrupt the filesystem.	2024-03-06	not yet calculated	CVE-2023-52590 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: reiserfs: Avoid touching renamed directory if parent does not change The VFS will not be locking moved directory if its parent does not change. Change reiserfs rename code to avoid touching renamed directory if its parent does not change as without locking that can corrupt the filesystem.	2024-03-06	not yet calculated	CVE-2023-52591 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap() Since ‘ieee80211_beacon_get()’ can return NULL, ‘wfx_set_mfp_ap()’ should check the return value before examining skb data. So convert the latter to return an appropriate error code and propagate it to return from ‘wfx_start_ap()’ as well. Compile tested only.	2024-03-06	not yet calculated	CVE-2023-52593 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug occurs when txs->cnt, data from a URB provided by a USB device, is bigger than the size of the array txs->txstatus, which is HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug handling code after the check. Make the function return if that is the case. Found by a modified version of syzkaller. UBSAN: array-index-out-of-bounds in htc_drv_txrx.c index 13 is out of range for type ‘__wmi_event_txstatus [12]’ Call Trace: ath9k_htc_txstatus ath9k_wmi_event_tasklet tasklet_action_common __do_softirq irq_exit_rxu sysvec_apic_timer_interrupt	2024-03-06	not yet calculated	CVE-2023-52594 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: wifi: rt2x00: restart beacon queue when hardware reset When a hardware reset is triggered, all registers are reset, so all queues are forced to stop in hardware interface. However, mac80211 will not automatically stop the queue. If we don’t manually stop the beacon queue, the queue will be deadlocked and unable to start again. This patch fixes the issue where Apple devices cannot connect to the AP after calling ieee80211_restart_hw().	2024-03-06	not yet calculated	CVE-2023-52595 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: sysctl: Fix out of bounds access for empty sysctl registers When registering tables to the sysctl subsystem there is a check to see if header is a permanently empty directory (used for mounts). This check evaluates the first element of the ctl_table. This results in an out of bounds evaluation when registering empty directories. The function register_sysctl_mount_point now passes a ctl_table of size 1 instead of size 0. It now relies solely on the type to identify a permanently empty register. Make sure that the ctl_table has at least one element before testing for permanent emptiness.	2024-03-06	not yet calculated	CVE-2023-52596 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: KVM: s390: fix setting of fpc register kvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control (fpc) register of a guest cpu. The new value is tested for validity by temporarily loading it into the fpc register. This may lead to corruption of the fpc register of the host process: if an interrupt happens while the value is temporarily loaded into the fpc register, and within interrupt context floating point or vector registers are used, the current fp/vx registers are saved with save_fpu_regs() assuming they belong to user space and will be loaded into fp/vx registers when returning to user space. test_fp_ctl() restores the original user space / host process fpc register value, however it will be discarded, when returning to user space. In result the host process will incorrectly continue to run with the value that was supposed to be used for a guest cpu. Fix this by simply removing the test. There is another test right before the SIE context is entered which will handles invalid values. This results in a change of behaviour: invalid values will now be accepted instead of that the ioctl fails with -EINVAL. This seems to be acceptable, given that this interface is most likely not used anymore, and this is in addition the same behaviour implemented with the memory mapped interface (replace invalid values with zero) – see sync_regs() in kvm-s390.c.	2024-03-06	not yet calculated	CVE-2023-52597 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: s390/ptrace: handle setting of fpc register correctly If the content of the floating point control (fpc) register of a traced process is modified with the ptrace interface the new value is tested for validity by temporarily loading it into the fpc register. This may lead to corruption of the fpc register of the tracing process: if an interrupt happens while the value is temporarily loaded into the fpc register, and within interrupt context floating point or vector registers are used, the current fp/vx registers are saved with save_fpu_regs() assuming they belong to user space and will be loaded into fp/vx registers when returning to user space. test_fp_ctl() restores the original user space fpc register value, however it will be discarded, when returning to user space. In result the tracer will incorrectly continue to run with the value that was supposed to be used for the traced process. Fix this by saving fpu register contents with save_fpu_regs() before using test_fp_ctl().	2024-03-06	not yet calculated	CVE-2023-52598 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in diNewExt [Syz report] UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2 index -878706688 is out of range for type ‘struct iagctl[128]’ CPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline] __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360 diAllocExt fs/jfs/jfs_imap.c:1949 [inline] diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666 diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587 ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56 jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225 vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106 do_mkdirat+0x264/0x3a0 fs/namei.c:4129 __do_sys_mkdir fs/namei.c:4149 [inline] __se_sys_mkdir fs/namei.c:4147 [inline] __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7fcb7e6a0b57 Code: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053 RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57 RDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140 RBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [Analysis] When the agstart is too large, it can cause agno overflow. [Fix] After obtaining agno, if the value is invalid, exit the subsequent process. Modified the test from agno > MAXAG to agno >= MAXAG based on linux-next report by kernel test robot (Dan Carpenter).	2024-03-06	not yet calculated	CVE-2023-52599 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.	2024-03-06	not yet calculated	CVE-2023-52600 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in dbAdjTree Currently there is a bound check missing in the dbAdjTree while accessing the dmt_stree. To add the required check added the bool is_ctl which is required to determine the size as suggest in the following commit. https://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/	2024-03-06	not yet calculated	CVE-2023-52601 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: jfs: fix slab-out-of-bounds Read in dtSearch Currently while searching for current page in the sorted entry table of the page there is a out of bound access. Added a bound check to fix the error. Dave: Set return code to -EIO	2024-03-06	not yet calculated	CVE-2023-52602 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type ‘struct dtslot [128]’ CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 </TASK> The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.	2024-03-06	not yet calculated	CVE-2023-52603 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree Syzkaller reported the following issue: UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6 index 196694 is out of range for type ‘s8[1365]’ (aka ‘signed char[1365]’) CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline] __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867 dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331 dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline] dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534 txUpdateMap+0x342/0x9e0 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline] jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732 kthread+0x2d3/0x370 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 </TASK> ================================================================================ Kernel panic – not syncing: UBSAN: panic_on_warn set … CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 panic+0x30f/0x770 kernel/panic.c:340 check_panic_on_warn+0x82/0xa0 kernel/panic.c:236 ubsan_epilogue lib/ubsan.c:223 [inline] __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348 dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867 dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331 dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline] dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534 txUpdateMap+0x342/0x9e0 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline] jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732 kthread+0x2d3/0x370 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 </TASK> Kernel Offset: disabled Rebooting in 86400 seconds.. The issue is caused when the value of lp becomes greater than CTLTREESIZE which is the max size of stree. Adding a simple check solves this issue. Dave: As the function returns a void, good error handling would require a more intrusive code reorganization, so I modified Osama’s patch at use WARN_ON_ONCE for lack of a cleaner option. The patch is tested via syzbot.	2024-03-06	not yet calculated	CVE-2023-52604 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ACPI: extlog: fix NULL pointer dereference check The gcc plugin -fanalyzer [1] tries to detect various patterns of incorrect behaviour. The tool reports: drivers/acpi/acpi_extlog.c: In function ‘extlog_exit’: drivers/acpi/acpi_extlog.c:307:12: warning: check of ‘extlog_l1_addr’ for NULL after already dereferencing it [-Wanalyzer-deref-before-check] \| \| 306 \| ((struct extlog_l1_head *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN; \| \| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~ \| \| \| \| \| (1) pointer ‘extlog_l1_addr’ is dereferenced here \| 307 \| if (extlog_l1_addr) \| \| ~ \| \| \| \| \| (2) pointer ‘extlog_l1_addr’ is checked for NULL here but it was already dereferenced at (1) \| Fix the NULL pointer dereference check in extlog_exit().	2024-03-06	not yet calculated	CVE-2023-52605 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: powerpc/lib: Validate size for vector operations Some of the fp/vmx code in sstep.c assume a certain maximum size for the instructions being emulated. The size of those operations however is determined separately in analyse_instr(). Add a check to validate the assumption on the maximum size of the operations, so as to prevent any unintended kernel stack corruption.	2024-03-06	not yet calculated	CVE-2023-52606 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: powerpc/mm: Fix null-pointer dereference in pgtable_cache_add kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity.	2024-03-06	not yet calculated	CVE-2023-52607 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: pds_core: Prevent race issues involving the adminq There are multiple paths that can result in using the pdsc’s adminq. [1] pdsc_adminq_isr and the resulting work from queue_work(), i.e. pdsc_work_thread()->pdsc_process_adminq() [2] pdsc_adminq_post() When the device goes through reset via PCIe reset and/or a fw_down/fw_up cycle due to bad PCIe state or bad device state the adminq is destroyed and recreated. A NULL pointer dereference can happen if [1] or [2] happens after the adminq is already destroyed. In order to fix this, add some further state checks and implement reference counting for adminq uses. Reference counting was used because multiple threads can attempt to access the adminq at the same time via [1] or [2]. Additionally, multiple clients (i.e. pds-vfio-pci) can be using [2] at the same time. The adminq_refcnt is initialized to 1 when the adminq has been allocated and is ready to use. Users/clients of the adminq (i.e. [1] and [2]) will increment the refcnt when they are using the adminq. When the driver goes into a fw_down cycle it will set the PDSC_S_FW_DEAD bit and then wait for the adminq_refcnt to hit 1. Setting the PDSC_S_FW_DEAD before waiting will prevent any further adminq_refcnt increments. Waiting for the adminq_refcnt to hit 1 allows for any current users of the adminq to finish before the driver frees the adminq. Once the adminq_refcnt hits 1 the driver clears the refcnt to signify that the adminq is deleted and cannot be used. On the fw_up cycle the driver will once again initialize the adminq_refcnt to 1 allowing the adminq to be used again.	2024-03-06	not yet calculated	CVE-2024-26623 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: af_unix: fix lockdep positive in sk_diag_dump_icons() syzbot reported a lockdep splat [1]. Blamed commit hinted about the possible lockdep violation, and code used unix_state_lock_nested() in an attempt to silence lockdep. It is not sufficient, because unix_state_lock_nested() is already used from unix_state_double_lock(). We need to use a separate subclass. This patch adds a distinct enumeration to make things more explicit. Also use swap() in unix_state_double_lock() as a clean up. v2: add a missing inline keyword to unix_state_lock_nested() [1] WARNING: possible circular locking dependency detected 6.8.0-rc1-syzkaller-00356-g8a696a29c690 #0 Not tainted syz-executor.1/2542 is trying to acquire lock: ffff88808b5df9e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863 but task is already holding lock: ffff88808b5dfe70 (&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200 net/unix/af_unix.c:2089 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&u->lock/1){+.+.}-{2:2}: lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378 sk_diag_dump_icons net/unix/diag.c:87 [inline] sk_diag_fill+0x6ea/0xfe0 net/unix/diag.c:157 sk_diag_dump net/unix/diag.c:196 [inline] unix_diag_dump+0x3e9/0x630 net/unix/diag.c:220 netlink_dump+0x5c1/0xcd0 net/netlink/af_netlink.c:2264 __netlink_dump_start+0x5d7/0x780 net/netlink/af_netlink.c:2370 netlink_dump_start include/linux/netlink.h:338 [inline] unix_diag_handler_dump+0x1c3/0x8f0 net/unix/diag.c:319 sock_diag_rcv_msg+0xe3/0x400 netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2543 sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7e6/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa37/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_write_iter+0x39a/0x520 net/socket.c:1160 call_write_iter include/linux/fs.h:2085 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0xa74/0xca0 fs/read_write.c:590 ksys_write+0x1a0/0x2c0 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b -> #0 (rlock-AF_UNIX){+.+.}-{2:2}: check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863 unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x592/0x890 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmmsg+0x3b2/0x730 net/socket.c:2724 __do_sys_sendmmsg net/socket.c:2753 [inline] __se_sys_sendmmsg net/socket.c:2750 [inline] __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b other info that might help us debug this: Possible unsafe locking scenario: CPU0 —truncated—	2024-03-06	not yet calculated	CVE-2024-26624 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: llc: call sock_orphan() at release time syzbot reported an interesting trace [1] caused by a stale sk->sk_wq pointer in a closed llc socket. In commit ff7b11aa481f (“net: socket: set sock->sk to NULL after calling proto_ops::release()”) Eric Biggers hinted that some protocols are missing a sock_orphan(), we need to perform a full audit. In net-next, I plan to clear sock->sk from sock_orphan() and amend Eric patch to add a warning. [1] BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline] BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline] BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline] BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468 Read of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27 CPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc4/0x620 mm/kasan/report.c:488 kasan_report+0xda/0x110 mm/kasan/report.c:601 list_empty include/linux/list.h:373 [inline] waitqueue_active include/linux/wait.h:127 [inline] sock_def_write_space_wfree net/core/sock.c:3384 [inline] sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468 skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080 skb_release_all net/core/skbuff.c:1092 [inline] napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404 e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970 e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline] e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801 __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576 napi_poll net/core/dev.c:6645 [inline] net_rx_action+0x956/0xe90 net/core/dev.c:6778 __do_softirq+0x21a/0x8de kernel/softirq.c:553 run_ksoftirqd kernel/softirq.c:921 [inline] run_ksoftirqd+0x31/0x60 kernel/softirq.c:913 smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164 kthread+0x2c6/0x3a0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 </TASK> Allocated by task 5167: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:314 [inline] __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3813 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879 alloc_inode_sb include/linux/fs.h:3019 [inline] sock_alloc_inode+0x25/0x1c0 net/socket.c:308 alloc_inode+0x5d/0x220 fs/inode.c:260 new_inode_pseudo+0x16/0x80 fs/inode.c:1005 sock_alloc+0x40/0x270 net/socket.c:634 __sock_create+0xbc/0x800 net/socket.c:1535 sock_create net/socket.c:1622 [inline] __sys_socket_create net/socket.c:1659 [inline] __sys_socket+0x14c/0x260 net/socket.c:1706 __do_sys_socket net/socket.c:1720 [inline] __se_sys_socket net/socket.c:1718 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1718 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Freed by task 0: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 poison_slab_object mm/kasan/common.c:241 [inline] __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2121 [inlin —truncated—	2024-03-06	not yet calculated	CVE-2024-26625 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: ipmr: fix kernel panic when forwarding mcast packets The stacktrace was: [ 86.305548] BUG: kernel NULL pointer dereference, address: 0000000000000092 [ 86.306815] #PF: supervisor read access in kernel mode [ 86.307717] #PF: error_code(0x0000) – not-present page [ 86.308624] PGD 0 P4D 0 [ 86.309091] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 86.309883] CPU: 2 PID: 3139 Comm: pimd Tainted: G U 6.8.0-6wind-knet #1 [ 86.311027] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014 [ 86.312728] RIP: 0010:ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985) [ 86.313399] Code: f9 1f 0f 87 85 03 00 00 48 8d 04 5b 48 8d 04 83 49 8d 44 c5 00 48 8b 40 70 48 39 c2 0f 84 d9 00 00 00 49 8b 46 58 48 83 e0 fe <80> b8 92 00 00 00 00 0f 84 55 ff ff ff 49 83 47 38 01 45 85 e4 0f [ 86.316565] RSP: 0018:ffffad21c0583ae0 EFLAGS: 00010246 [ 86.317497] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 86.318596] RDX: ffff9559cb46c000 RSI: 0000000000000000 RDI: 0000000000000000 [ 86.319627] RBP: ffffad21c0583b30 R08: 0000000000000000 R09: 0000000000000000 [ 86.320650] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 [ 86.321672] R13: ffff9559c093a000 R14: ffff9559cc00b800 R15: ffff9559c09c1d80 [ 86.322873] FS: 00007f85db661980(0000) GS:ffff955a79d00000(0000) knlGS:0000000000000000 [ 86.324291] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 86.325314] CR2: 0000000000000092 CR3: 000000002f13a000 CR4: 0000000000350ef0 [ 86.326589] Call Trace: [ 86.327036] <TASK> [ 86.327434] ? show_regs (/build/work/knet/arch/x86/kernel/dumpstack.c:479) [ 86.328049] ? __die (/build/work/knet/arch/x86/kernel/dumpstack.c:421 /build/work/knet/arch/x86/kernel/dumpstack.c:434) [ 86.328508] ? page_fault_oops (/build/work/knet/arch/x86/mm/fault.c:707) [ 86.329107] ? do_user_addr_fault (/build/work/knet/arch/x86/mm/fault.c:1264) [ 86.329756] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223) [ 86.330350] ? __irq_work_queue_local (/build/work/knet/kernel/irq_work.c:111 (discriminator 1)) [ 86.331013] ? exc_page_fault (/build/work/knet/./arch/x86/include/asm/paravirt.h:693 /build/work/knet/arch/x86/mm/fault.c:1515 /build/work/knet/arch/x86/mm/fault.c:1563) [ 86.331702] ? asm_exc_page_fault (/build/work/knet/./arch/x86/include/asm/idtentry.h:570) [ 86.332468] ? ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985) [ 86.333183] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223) [ 86.333920] ipmr_mfc_add (/build/work/knet/./include/linux/rcupdate.h:782 /build/work/knet/net/ipv4/ipmr.c:1009 /build/work/knet/net/ipv4/ipmr.c:1273) [ 86.334583] ? __pfx_ipmr_hash_cmp (/build/work/knet/net/ipv4/ipmr.c:363) [ 86.335357] ip_mroute_setsockopt (/build/work/knet/net/ipv4/ipmr.c:1470) [ 86.336135] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223) [ 86.336854] ? ip_mroute_setsockopt (/build/work/knet/net/ipv4/ipmr.c:1470) [ 86.337679] do_ip_setsockopt (/build/work/knet/net/ipv4/ip_sockglue.c:944) [ 86.338408] ? __pfx_unix_stream_read_actor (/build/work/knet/net/unix/af_unix.c:2862) [ 86.339232] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223) [ 86.339809] ? aa_sk_perm (/build/work/knet/security/apparmor/include/cred.h:153 /build/work/knet/security/apparmor/net.c:181) [ 86.340342] ip_setsockopt (/build/work/knet/net/ipv4/ip_sockglue.c:1415) [ 86.340859] raw_setsockopt (/build/work/knet/net/ipv4/raw.c:836) [ 86.341408] ? security_socket_setsockopt (/build/work/knet/security/security.c:4561 (discriminator 13)) [ 86.342116] sock_common_setsockopt (/build/work/knet/net/core/sock.c:3716) [ 86.342747] do_sock_setsockopt (/build/work/knet/net/socket.c:2313) [ 86.343363] __sys_setsockopt (/build/work/knet/./include/linux/file.h:32 /build/work/kn —truncated—	2024-03-06	not yet calculated	CVE-2024-26626 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler Inside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host lock every time for deciding if error handler kthread needs to be waken up. This can be too heavy in case of recovery, such as: – N hardware queues – queue depth is M for each hardware queue – each scsi_host_busy() iterates over (N * M) tag/requests If recovery is triggered in case that all requests are in-flight, each scsi_eh_wakeup() is strictly serialized, when scsi_eh_wakeup() is called for the last in-flight request, scsi_host_busy() has been run for (N * M – 1) times, and request has been iterated for (NM – 1) (N * M) times. If both N and M are big enough, hard lockup can be triggered on acquiring host lock, and it is observed on mpi3mr(128 hw queues, queue depth 8169). Fix the issue by calling scsi_host_busy() outside the host lock. We don’t need the host lock for getting busy count because host the lock never covers that. [mkp: Drop unnecessary ‘busy’ variables pointed out by Bart]	2024-03-06	not yet calculated	CVE-2024-26627 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux	In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix lock dependency warning ====================================================== WARNING: possible circular locking dependency detected 6.5.0-kfd-fkuehlin #276 Not tainted —————————————————— kworker/8:2/2676 is trying to acquire lock: ffff9435aae95c88 ((work_completion)(&svm_bo->eviction_work)){+.+.}-{0:0}, at: __flush_work+0x52/0x550 but task is already holding lock: ffff9435cd8e1720 (&svms->lock){+.+.}-{3:3}, at: svm_range_deferred_list_work+0xe8/0x340 [amdgpu] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&svms->lock){+.+.}-{3:3}: __mutex_lock+0x97/0xd30 kfd_ioctl_alloc_memory_of_gpu+0x6d/0x3c0 [amdgpu] kfd_ioctl+0x1b2/0x5d0 [amdgpu] __x64_sys_ioctl+0x86/0xc0 do_syscall_64+0x39/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd -> #1 (&mm->mmap_lock){++++}-{3:3}: down_read+0x42/0x160 svm_range_evict_svm_bo_worker+0x8b/0x340 [amdgpu] process_one_work+0x27a/0x540 worker_thread+0x53/0x3e0 kthread+0xeb/0x120 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x11/0x20 -> #0 ((work_completion)(&svm_bo->eviction_work)){+.+.}-{0:0}: __lock_acquire+0x1426/0x2200 lock_acquire+0xc1/0x2b0 __flush_work+0x80/0x550 __cancel_work_timer+0x109/0x190 svm_range_bo_release+0xdc/0x1c0 [amdgpu] svm_range_free+0x175/0x180 [amdgpu] svm_range_deferred_list_work+0x15d/0x340 [amdgpu] process_one_work+0x27a/0x540 worker_thread+0x53/0x3e0 kthread+0xeb/0x120 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x11/0x20 other info that might help us debug this: Chain exists of: (work_completion)(&svm_bo->eviction_work) –> &mm->mmap_lock –> &svms->lock Possible unsafe locking scenario: CPU0 CPU1 —- —- lock(&svms->lock); lock(&mm->mmap_lock); lock(&svms->lock); lock((work_completion)(&svm_bo->eviction_work)); I believe this cannot really lead to a deadlock in practice, because svm_range_evict_svm_bo_worker only takes the mmap_read_lock if the BO refcount is non-0. That means it’s impossible that svm_range_bo_release is running concurrently. However, there is no good way to annotate this. To avoid the problem, take a BO reference in svm_range_schedule_evict_svm_bo instead of in the worker. That way it’s impossible for a BO to get freed while eviction work is pending and the cancel_work_sync call in svm_range_bo_release can be eliminated. v2: Use svm_bo_ref_unless_zero and explained why that’s safe. Also removed redundant checks that are already done in amdkfd_fence_enable_signaling.	2024-03-06	not yet calculated	CVE-2024-26628 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
mediatek,_inc. — MT6739,_MT6757,_MT6761,_MT6763,_MT6765,_MT6768,_MT6771,_MT6779,_MT6785,_MT6833,_MT6853,_MT6873,_MT6877,_MT6885,_MT6893,_MT8163,_MT8167,_MT8168,_MT8512	In da, there is a possible out of bounds write due to lack of valudation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541632; Issue ID: ALPS08541742.	2024-03-04	not yet calculated	CVE-2024-20031 security@mediatek.com
mediatek,_inc. — mt2713,_mt2715,_mt8173,_mt8188,_mt8195,_mt8390,_mt8395	In OPTEE, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08522504; Issue ID: ALPS08522504.	2024-03-04	not yet calculated	CVE-2024-20020 security@mediatek.com
mediatek,_inc. — mt2713,_mt2737,_mt6781,_mt6789,_mt6835,_mt6855,_mt6879,_mt6880,_mt6886,_mt6890,_mt6895,_mt6980,_mt6983,_mt6985,_mt6989,_mt6990,_mt8188,_mt8188t,_mt8370,_mt8390,_mt8673,_mt8676,_mt8678	In flashc, there is a possible out of bounds write due to lack of valudation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541638; Issue ID: ALPS08541638.	2024-03-04	not yet calculated	CVE-2024-20023 security@mediatek.com
mediatek,_inc. — mt2713,_mt6739,_mt6761,_mt6765,_mt6768,_mt6771,_mt6779,_mt6785,_mt6789,_mt6835,_mt6855,_mt6879,_mt6883,_mt6885,_mt6886,_mt6893,_mt6895,_mt6983,_mt6985,_mt8167,_mt8167s,_mt8168,_mt8173,_mt8175,_mt8185,_mt8188,_mt8195,_mt8321,_mt8362a,_mt8365,_mt8370,_mt8385,_mt8390,_mt8395,_mt8666,_mt8667,_mt8673,_mt8675,_mt8676,_mt8678,_mt8755,_mt8765,_mt8766,_mt8768,_mt8775,_mt8781,_mt8786,_mt8788,_mt8789,_mt8791,_mt8792,_mt8796,_mt8797,_mt8798	In nvram, there is a possible information disclosure due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08499945; Issue ID: ALPS08499945.	2024-03-04	not yet calculated	CVE-2024-20033 security@mediatek.com
mediatek,_inc. — mt2737,_mt6789,_mt6835,_mt6855,_mt6879,_mt6880,_mt6886,_mt6890,_mt6895,_mt6980,_mt6983,_mt6985,_mt6989,_mt6990,_mt8321,_mt8385,_mt8666,_mt8667,_mt8673,_mt8765,_mt8766,_mt8768,_mt8781,_mt8786,_mt8788,_mt8789,_mt8791,_mt8796,_mt8797,_mt8798	In lk, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08528255; Issue ID: ALPS08528255.	2024-03-04	not yet calculated	CVE-2024-20022 security@mediatek.com
mediatek,_inc. — mt6739,_mt6757,_mt6761,_mt6763,_mt6765,_mt6768,_mt6771,_mt6779,_mt6785,_mt6833,_mt6853,_mt6873,_mt6877,_mt6885,_mt6893,_mt8163,_mt8167,_mt8168,_mt8512	In da, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541632; Issue ID: ALPS08541633.	2024-03-04	not yet calculated	CVE-2024-20027 security@mediatek.com
mediatek,_inc. — mt6739,_mt6757,_mt6761,_mt6763,_mt6765,_mt6768,_mt6771,_mt6779,_mt6785,_mt6833,_mt6853,_mt6873,_mt6877,_mt6885,_mt6893,_mt8163,_mt8167,_mt8168,_mt8512	In da, there is a possible information disclosure due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541632; Issue ID: ALPS08541632.	2024-03-04	not yet calculated	CVE-2024-20026 security@mediatek.com
mediatek,_inc. — mt6739,_mt6757,_mt6761,_mt6763,_mt6765,_mt6768,_mt6771,_mt6779,_mt6785,_mt6833,_mt6853,_mt6873,_mt6877,_mt6885,_mt6893,_mt8163,_mt8167,_mt8168,_mt8512	In da, there is a possible out of bounds write due to lack of valudation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541632; Issue ID: ALPS08541687.	2024-03-04	not yet calculated	CVE-2024-20028 security@mediatek.com
mediatek,_inc. — mt6739,_mt6757,_mt6761,_mt6763,_mt6765,_mt6768,_mt6771,_mt6779,_mt6785,_mt6833,_mt6853,_mt6873,_mt6877,_mt6885,_mt6893,_mt8167,_mt8168,_mt8173,_mt8175,_mt8185,_mt8195,_mt8321,_mt8362a,_mt8365,_mt8385,_mt8395,_mt8666,_mt8673,_mt8678,_mt8765,_mt8766,_mt8768,_mt8781,_mt8786,_mt8788,_mt8789,_mt8791,_mt8791t,_mt8796,_mt8797,_mt8798	In da, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541686; Issue ID: ALPS08541686.	2024-03-04	not yet calculated	CVE-2024-20025 security@mediatek.com
mediatek,_inc. — mt6739,_mt6757,_mt6761,_mt6763,_mt6765,_mt6768,_mt6771,_mt6779,_mt6785,_mt6833,_mt6853,_mt6873,_mt6877,_mt6885,_mt6893,_mt8167,_mt8168,_mt8195,_mt8512	In da, there is a possible information disclosure due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541632; Issue ID: ALPS08541741.	2024-03-04	not yet calculated	CVE-2024-20030 security@mediatek.com
mediatek,_inc. — mt6739,_mt6761,_mt6765,_mt6768,_mt6779,_mt6781,_mt6785,_mt6789,_mt6833,_mt6835,_mt6853,_mt6855,_mt6873,_mt6877,_mt6879,_mt6883,_mt6885,_mt6886,_mt6889,_mt6893,_mt6895,_mt6897,_mt6983,_mt6985,_mt6989,_mt8168,_mt8188,_mt8195,_mt8673,_mt8675	In pq, there is a possible write-what-where condition due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08495937; Issue ID: ALPS08495937.	2024-03-04	not yet calculated	CVE-2024-20037 security@mediatek.com
mediatek,_inc. — mt6739,_mt6761,_mt6765,_mt6768,_mt6779,_mt6781,_mt6785,_mt6789,_mt6833,_mt6835,_mt6853,_mt6855,_mt6873,_mt6877,_mt6879,_mt6883,_mt6885,_mt6886,_mt6889,_mt6893,_mt6895,_mt6897,_mt6983,_mt6985,_mt6989,_mt8168,_mt8188,_mt8195,_mt8673,_mt8675	In pq, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08495932; Issue ID: ALPS08495932.	2024-03-04	not yet calculated	CVE-2024-20038 security@mediatek.com
mediatek,_inc. — mt6761,_mt6762,_mt6763,_mt6765,_mt6768,_mt6769,_mt6771,_mt6779,_mt6781,_mt6785,_mt6789,_mt6833,_mt6835,_mt6853,_mt6853t,_mt6855,_mt6873,_mt6875,_mt6877,_mt6879,_mt6883,_mt6885,_mt6886,_mt6889,_mt6891,_mt6893,_mt6895,_mt6983,_mt6985,_mt8666,_mt8666a,_mt8666b,_mt8667,_mt8673,_mt8675,_mt8676,_mt8678	In da, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08355599; Issue ID: ALPS08355599.	2024-03-04	not yet calculated	CVE-2024-20005 security@mediatek.com
mediatek,_inc. — mt6761,_mt6765,_mt6768,_mt6855,_mt6895,_mt8167,_mt8168,_mt8188,_mt8321,_mt8765,_mt8766,_mt8768,_mt8781,_mt8786,_mt8788,_mt8789,_mt8791t,_mt8797,_mt8798	In battery, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08488849; Issue ID: ALPS08488849.	2024-03-04	not yet calculated	CVE-2024-20034 security@mediatek.com
mediatek,_inc. — mt6781,_mt6789,_mt6833,_mt6835,_mt6879,_mt6886,_mt6895,_mt6983,_mt6985,_mt6989,_mt8666,_mt8666a,_mt8666b,_mt8667,_mt8673,_mt8676,_mt8678	In flashc, there is a possible out of bounds write due to lack of valudation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541635; Issue ID: ALPS08541635.	2024-03-04	not yet calculated	CVE-2024-20024 security@mediatek.com
mediatek,_inc. — mt6835,_mt6855,_mt6879,_mt6886,_mt6895,_mt6983,_mt6985,_mt8792,_mt8796,_mt8798	In vdec, there is a possible permission bypass due to a permissions bypass. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08509508; Issue ID: ALPS08509508.	2024-03-04	not yet calculated	CVE-2024-20036 security@mediatek.com
mediatek,_inc. — mt6890,_mt7915,_mt7916,_mt7981,_mt7986	In wlan service, there is a possible out of bounds write due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation Patch ID: WCNCR00350938; Issue ID: MSV-1132.	2024-03-04	not yet calculated	CVE-2024-20017 security@mediatek.com
mediatek,_inc. — mt6985,_mt6989,_mt8678,_mt8796	In wlan firmware, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08477406; Issue ID: MSV-1010.	2024-03-04	not yet calculated	CVE-2024-20029 security@mediatek.com
mediatek,_inc. — mt7615	In wlan driver, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00348479; Issue ID: MSV-1019.	2024-03-04	not yet calculated	CVE-2024-20018 security@mediatek.com
mediatek,_inc. — mt7925,_mt7927	In wlan driver, there is a possible memory leak due to improper input handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00351241; Issue ID: MSV-1173.	2024-03-04	not yet calculated	CVE-2024-20019 security@mediatek.com
mediatek,_inc.– MT6580,_MT6739,_MT6761,_MT6765,_MT6768,_MT6779,_MT6781,_MT6785,_MT6789,_MT6833,_MT6835,_MT6853,_MT6855,_MT6873,_MT6877,_MT6879,_MT6883,_MT6885,_MT6886,_MT6889,_MT6893,_MT6895,_MT6983,_MT6985,_MT6989,_MT8321,_MT8673,_MT8765,_MT8766,_MT8768,_MT8781,_MT8789,_MT8791,_MT8792,_MT8796	In aee, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08487630; Issue ID: MSV-1020.	2024-03-04	not yet calculated	CVE-2024-20032 security@mediatek.com
mintplex-labs — mintplex-labs/anything-llm	As a default user on a multi-user instance of AnythingLLM, you could execute a call to the `/export-data` endpoint of the system and then unzip and read that export that would enable you do exfiltrate data of the system at that save state. This would require the attacked to be granted explicit access to the system, but they can do this at any role. Additionally, post-download, the data is deleted so no evidence would exist that the exfiltration occured.	2024-03-03	not yet calculated	CVE-2024-0765 security@huntr.dev security@huntr.dev
mozilla — thunderbird	The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird’s local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1.	2024-03-04	not yet calculated	CVE-2024-1936 security@mozilla.org security@mozilla.org
naver — ngrinder	nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker.	2024-03-07	not yet calculated	CVE-2024-28211 cve@navercorp.com
naver — ngrinder	nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization.	2024-03-07	not yet calculated	CVE-2024-28212 cve@navercorp.com
naver — ngrinder	nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization.	2024-03-07	not yet calculated	CVE-2024-28213 cve@navercorp.com
naver — ngrinder	nGrinder before 3.5.9 allows to set delay without limitation, which could be the cause of Denial of Service by remote attacker.	2024-03-07	not yet calculated	CVE-2024-28214 cve@navercorp.com
naver — ngrinder	nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.	2024-03-07	not yet calculated	CVE-2024-28215 cve@navercorp.com
naver — ngrinder	nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.	2024-03-07	not yet calculated	CVE-2024-28216 cve@navercorp.com
openpne_project — openpne_plugin_”optimelineplugin”	OpenPNE Plugin “opTimelinePlugin” 1.2.11 and earlier contains a cross-site scripting vulnerability. On the site which uses the affected product, when a user configures the profile with some malicious contents, an arbitrary script may be executed on the web browsers of other users.	2024-03-06	not yet calculated	CVE-2024-27278 vultures@jpcert.or.jp vultures@jpcert.or.jp
paddlepaddle — paddlepaddle/paddle	Command injection in paddle.utils.download._wget_download (bypass filter) in paddlepaddle/paddle 2.6.0	2024-03-07	not yet calculated	CVE-2024-0815 security@huntr.dev
paddlepaddle — paddlepaddle/paddle	Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0	2024-03-07	not yet calculated	CVE-2024-0817 security@huntr.dev
paddlepaddle — paddlepaddle/paddle	Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle before 2.6	2024-03-07	not yet calculated	CVE-2024-0818 security@huntr.dev
paddlepaddle — paddlepaddle/paddle	remote code execution in paddlepaddle/paddle 2.6.0	2024-03-07	not yet calculated	CVE-2024-0917 security@huntr.dev
unknown — event_tickets_and_registration	The Event Tickets and Registration WordPress plugin before 5.8.1, Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn’t have access to. (e.g. draft, private, pending review, pw-protected, and trashed events).	2024-03-04	not yet calculated	CVE-2024-1316 contact@wpscan.com
unknown — events_tickets_plus	The Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the attendees list on any post type regardless of status. (e.g. draft, private, pending review, password-protected, and trashed posts).	2024-03-04	not yet calculated	CVE-2024-1319 contact@wpscan.com

Managed Security Services

Cyber Threat Intelligence

iDNA

SiON

About Us

Leadership

Advisors

Cyber Security Assessment

SOC Cost Calculator

Request a Dark Web Report

Cyber Security Threat Alerts

What is Incident Response?

SOC 2 Compliance

Cyber Security Definitions and Terminology

Cyber Security Jobs

Blog

Podcast

Instagram

LinkedIn

Twitter

High Vulnerabilities

Medium Vulnerabilities

Low Vulnerabilities

Severity Not Yet Assigned

High Vulnerabilities

Medium Vulnerabilities

Low Vulnerabilities

Severity Not Yet Assigned

High Vulnerabilities

Medium Vulnerabilities

Low Vulnerabilities

Severity Not Yet Assigned

Company

Our services

Resources

Partners

Cyber news

Weekly Newsletter

Subscribe to our weekly newsletter on cyber news and best practices!