@RISK

The Consensus Security Vulnerability Alert

September 26, 2024  |  Vol. 24, Num. 38

Internet Storm Center Spotlight


ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

DNS Reflection Update and Odd Corrupted DNS Requests

Published: 2024-09-25.

Last Updated: 2024-09-25 16:33:15 UTC

by Johannes Ullrich (Version: 1)

Occasionally, I tend to check in on what reflective DNS denial of service attacks are doing. We usually see steady levels of attacks. Usually, they attempt to use spoofed requests for ANY records to achieve the highest possible amplification. Currently, I am seeing these two records used (among others):

ANY nlrb<.>gov

The response for this query may be up to 5,826 bytes in size. With a query payload size of 37 bytes, this leads to a rather impressive amplification. The original name server appears to do the right thing, and it ignores EDNS0, but that, of course, doesn't help with open resolvers.

ANY ncca<.>mil

This domain is a bit odd. I only receive empty responses for ANY, NS, or other queries I tried. Maybe this domain was fixed after it got abused for DDoS attacks.

ANY fnop<.>net

The response for this domain is also truncated. Likely also fixed.

"Fixing" Amplification via ANY records

There are a few other defensive techniques that show up more often. Google's domain name service returns a "Not Implemented" error for ANY queries ...

Read the full entry:

https://isc.sans.edu/diary/DNS+Reflection+Update+and+Odd+Corrupted+DNS+Requests/31296/
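Where the 37-byte figure in the diary comes from, as an added example (this is not code from the diary or from ISC): a minimal DNS query for ANY nlrb.gov is a 12-byte header, a 14-byte question and an 11-byte EDNS0 OPT record, so the byte count only works out if the spoofed query carried EDNS0, which is also what allows a resolver to return the full 5,826-byte answer in one UDP datagram instead of the 512-byte pre-EDNS0 limit. The builder below reproduces that query, computes the amplification factor, and classifies two constructed reply headers: the RCODE 4 (NOTIMP) a resolver that refuses ANY returns, and the TC bit a server sets when it ignores EDNS0 and truncates. The transaction ID, the 4096-byte advertised buffer and the sample replies are my assumptions, not captured traffic.

```python
import struct

TYPE_ANY = 255
TYPE_OPT = 41
CLASS_IN = 1
FLAG_TC = 0x0200       # truncation bit in the DNS header flags
RCODE_NOTIMP = 4       # "Not Implemented", what some resolvers return for ANY


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_ANY, txid: int = 0x1234,
                edns_udp_size: int = 4096) -> bytes:
    """Build a single-question DNS query; edns_udp_size=0 omits the EDNS0 OPT record."""
    arcount = 1 if edns_udp_size else 0
    # ID, flags (only RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_udp_size:
        # OPT pseudo-RR (RFC 6891): root name, TYPE=41, CLASS field carries the
        # UDP payload size the sender accepts, TTL field carries ext-RCODE/version/flags,
        # RDLEN=0. Total 11 bytes, which turns the 26-byte query into the 37-byte one.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def amplification_factor(query: bytes, response_len: int) -> float:
    """Bandwidth amplification: bytes the reflector emits per byte the spoofer sends."""
    return response_len / len(query)


def rcode(response: bytes) -> int:
    """Low four bits of the flags word are the response code."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def is_truncated(response: bytes) -> bool:
    """TC set means the server could not fit the answer in the UDP size it would honour."""
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)


def make_response_header(query: bytes, rcode_value: int = 0, truncated: bool = False) -> bytes:
    """Constructed minimal reply header echoing the query ID (sample data, not captured traffic)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode_value | (FLAG_TC if truncated else 0)   # QR, RD, RA (+ RCODE, TC)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


if __name__ == "__main__":
    q = build_query("nlrb.gov")
    print(len(q), "byte ANY query with EDNS0;", len(build_query("nlrb.gov", edns_udp_size=0)), "without")
    print(f"{amplification_factor(q, 5826):.1f}x amplification for a 5,826-byte answer")
    notimp = make_response_header(q, RCODE_NOTIMP)
    print("resolver refuses ANY" if rcode(notimp) == RCODE_NOTIMP else "answered")
    tc = make_response_header(q, truncated=True)
    print("truncated, client must retry over TCP" if is_truncated(tc) else "full answer")
```

Without the OPT record the same question is 26 bytes, and a server that ignores EDNS0 caps its UDP reply at 512 bytes with TC set, so the authoritative server alone yields at most about 14x; the 5,826-byte answer only reaches the victim through a resolver that honours EDNS0 and serves the cached record.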

Fake GitHub Site Targeting Developers

Published: 2024-09-19. Last Updated: 2024-09-19 20:14:39 UTC

by Johannes Ullrich (Version: 1)

Our reader "RoseSecurity" forwarded the following malicious email:

Hey there!

We have detected a security vulnerability in your repository. Please contact us at https:[//]github-scanner[.]com to get more information on how to fix this issue. Best regards,

Github Security Team

GitHub has offered free security scans to users for a while now. But usually, you go directly to GitHub.com to review results, not a "scanner" site like suggested above.

The github-scanner website first displays what appears to be some form of Captcha to make sure you are "Human" (does this exclude developers?) ...

Read the full entry:

https://isc.sans.edu/diary/Fake+GitHub+Site+Targeting+Developers/31282/

Phishing links with @ sign and the need for effective security awareness building

Published: 2024-09-23.

Last Updated: 2024-09-23 07:40:22 UTC

by Jan Kopriva (Version: 1)

While going over a batch of phishing e-mails that were delivered to us here at the Internet Storm Center during the first half of September, I noticed one message which was somewhat unusual. Not because it was untypically sophisticated or because it used some completely new technique, but rather because its authors took advantage of one of the less commonly misused aspects of the URI format – the ability to specify information about a user in the URI before its "host" part (domain or IP address).

RFC 3986 specifies[1] that a “user information” string (i.e., username and – potentially – other contextual data) may be included in a URI in the following format:

[ userinfo "@" ] host [ ":" port ]

In this instance, the threat actors used the user information string to make the link appear as if it was pointing to facebook.com, while it actually led to an IPFS gateway[2] ipfs.io.

Read the full entry:

https://isc.sans.edu/diary/Phishing+links+with+sign+and+the+need+for+effective+security+awareness+building/31288/
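As an added example (not code from the diary or from ISC), here is how a triage script can separate the bait in a link's userinfo from the host the browser will actually connect to, using Python's RFC 3986-style parser, and scan a message body for such links. The sample message and URLs below are constructed for illustration; the diary does not give the actual link, so the ipfs.io path is a placeholder, and the credential and query-string cases are added to show what the check does and does not flag.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def triage_url(url: str) -> dict:
    """Split a URL the way RFC 3986 does and report whether its userinfo is being used as bait."""
    parts = urlsplit(url)
    result = {"url": url, "host": parts.hostname, "userinfo": None,
              "suspicious": False, "reason": ""}
    # Only an '@' inside the authority component (scheme://HERE/...) introduces userinfo;
    # an '@' in the path or query string is ordinary data and is not examined here.
    if parts.scheme in ("http", "https") and "@" in parts.netloc:
        userinfo = parts.netloc.rpartition("@")[0]   # everything before the last '@'
        result["userinfo"] = userinfo
        result["suspicious"] = True                    # browsers need no credentials in links
        user_part = userinfo.split(":", 1)[0]         # drop a "password" portion, if any
        if "." in user_part:
            result["reason"] = (f"userinfo {user_part!r} looks like a hostname; "
                                f"the browser will actually connect to {parts.hostname!r}")
        else:
            result["reason"] = "credentials embedded in an http(s) URL"
    return result


def scan_message(body: str) -> list:
    """Extract every http(s) URL from a message body and return the triage results in order."""
    return [triage_url(m.group(0)) for m in URL_RE.finditer(body)]


# Constructed sample message, not the phishing e-mail from the diary; EXAMPLE-CID is a placeholder.
SAMPLE_BODY = """\
Your account will be locked. Review the notice here:
https://www.facebook.com@ipfs.io/ipfs/EXAMPLE-CID/index.html
Help center: https://www.facebook.com/help/
Legacy intranet: https://svc:hunter2@intranet.example.org/
Tracking: https://ipfs.io/?ref=facebook.com@news
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_BODY):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} host={finding['host']!s:24} {finding['reason']}")
```

The first link is the pattern from the diary: the eye reads facebook.com, the parser returns ipfs.io as the host. The fourth link shows the converse, an '@' that sits in the query string and therefore changes nothing; a naive "contains @" rule would flag it, a parser-based check does not.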

Internet Storm Center Entries


Exploitation of RAISECOM Gateway Devices Vulnerability CVE-2024-7120 (2024.09.24)

https://isc.sans.edu/diary/Exploitation+of+RAISECOM+Gateway+Devices+Vulnerability+CVE20247120/31292/

Time-to-Live Analysis of DShield Data with Vega-Lite (2024.09.18)

https://isc.sans.edu/diary/TimetoLive+Analysis+of+DShield+Data+with+VegaLite/31278/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-8963 - Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

Product: Ivanti Endpoint Manager Cloud Services Appliance

CVSS Score: 9.1

** KEV since 2024-09-19 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8963

ISC Podcast: https://isc.sans.edu/podcastdetail/9146

NVD References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud-Services-Appliance-CVE-2024-8963

CVE-2024-9043 - Cellopoint's Secure Email Gateway is vulnerable to buffer overflow in authentication allowing remote attackers to crash the process and gain admin privileges.

Product: Cellopoint Secure Email Gateway

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9043

ISC Podcast: https://isc.sans.edu/podcastdetail/9152

NVD References:

- https://www.twcert.org.tw/en/cp-139-8103-b0568-2.html

- https://www.twcert.org.tw/tw/cp-132-8102-b94a9-1.html

CVE-2024-27348 - Apache HugeGraph-Server versions from 1.0.0 before 1.3.0 running on Java 8 or Java 11 are vulnerable to remote command execution (RCE). Users are recommended to upgrade to version 1.3.0 with Java 11 and enable the Auth system.

Product: Apache HugeGraph-Server

CVSS Score: 0

** KEV since 2024-09-18 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27348

ISC Podcast: https://isc.sans.edu/podcastdetail/9148

CVE-2024-7120 - Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 3.90 are vulnerable to critical OS command injection via manipulation of the argument template in the Web Interface component's list_base_config.php file. The exploit has been disclosed publicly and may be used remotely (VDB-272451).

Product: Raisecom MSG1200_Firmware 3.90

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7120

ISC Podcast: https://isc.sans.edu/podcastdetail/9152

CVE-2024-44146 - A file-handling issue in macOS, fixed in macOS Sequoia 15, may allow an app to escape its sandbox.

Product: Apple macOS

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44146

NVD References: https://support.apple.com/en-us/121238

CVE-2024-44148 - A file-attribute validation issue in macOS, fixed in macOS Sequoia 15 with improved validation, may allow an app to break out of its sandbox.

Product: Apple macOS

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44148

NVD References: https://support.apple.com/en-us/121238

CVE-2024-45496 - OpenShift is vulnerable to arbitrary command execution due to misuse of elevated privileges in the build process, allowing an attacker to escalate permissions on the worker node.

Product: Red Hat OpenShift

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45496

NVD References:

- https://access.redhat.com/errata/RHSA-2024:6685

- https://access.redhat.com/errata/RHSA-2024:6687

- https://access.redhat.com/errata/RHSA-2024:6689

- https://access.redhat.com/errata/RHSA-2024:6691

- https://access.redhat.com/errata/RHSA-2024:6705

- https://access.redhat.com/security/cve/CVE-2024-45496

- https://bugzilla.redhat.com/show_bug.cgi?id=2308661

CVE-2024-7387 - Openshift/builder is vulnerable to command injection via path traversal allowing an attacker to execute arbitrary commands on the OpenShift node.

Product: Red Hat Openshift/builder

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7387

NVD References:

- https://access.redhat.com/errata/RHSA-2024:6685

- https://access.redhat.com/errata/RHSA-2024:6687

- https://access.redhat.com/errata/RHSA-2024:6689

- https://access.redhat.com/errata/RHSA-2024:6691

- https://access.redhat.com/errata/RHSA-2024:6705

- https://access.redhat.com/security/cve/CVE-2024-7387

- https://bugzilla.redhat.com/show_bug.cgi?id=2302259

CVE-2024-38812 - vCenter Server is vulnerable to a heap-overflow in the DCERPC protocol, allowing remote code execution by a malicious actor via a specially crafted network packet.

Product: VMware vCenter Server

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38812

NVD References: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968

CVE-2024-8944 - Hospital Management System 1.0 is susceptible to a critical SQL injection vulnerability in check_availability.php via manipulation of the email argument. The exploit has been disclosed publicly and may be used remotely.

Product: Fabianros Hospital Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8944

NVD References:

- https://code-projects.org/

- https://github.com/65241/cve/issues/1

- https://vuldb.com/?ctiid.277761

- https://vuldb.com/?id.277761

- https://vuldb.com/?submit.408871

CVE-2024-45798 - Arduino-esp32 is vulnerable to Poisoned Pipeline Execution (PPE) in its `tests_results.yml` GitHub Actions workflow, where untrusted input reaches the workflow through environment variable injection.

Product: Arduino-esp32

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45798

NVD References:

- https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection

- https://github.com/espressif/arduino-esp32/blob/690bdb511d9f001e2066da2dda2c631a3eee270f/.github/workflows/tests_results.yml

- https://github.com/espressif/arduino-esp32/security/advisories/GHSA-h52q-xhg2-6jw8

- https://securitylab.github.com/research/github-actions-preventing-pwn-requests

- https://securitylab.github.com/research/github-actions-untrusted-input

CVE-2024-8956 - The PTZOptics PT30X-SDI/NDI-xx camera before firmware 6.3.40 is vulnerable to an insufficient authentication issue, allowing a remote attacker to leak sensitive data and manipulate configuration settings without proper authentication.

Product: PTZOptics PT30X-SDI/NDI-xx

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8956

NVD References:

- https://ptzoptics.com/firmware-changelog/

- https://vulncheck.com/advisories/ptzoptics-insufficient-auth

CVE-2024-43976 & CVE-2024-43978 - Super Store Finder SQL Injection vulnerabilities affecting versions before 6.9.8.

Product: Super Store Finder

Active Installations: unknown

CVSS Score: 9.8

AtRiskScore: 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43976

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43978

NVD References: https://patchstack.com/database/vulnerability/superstorefinder-wp/wordpress-super-store-finder-plugin-6-9-7-sql-injection-vulnerability?_s_id=cve

NVD References: https://patchstack.com/database/vulnerability/superstorefinder-wp/wordpress-super-store-finder-plugin-6-9-8-sql-injection-vulnerability?_s_id=cve

CVE-2024-44004 - WPTaskForce WPCargo Track & Trace allows SQL Injection through improper neutralization of special elements in SQL commands.

Product: WPTaskforce Track & Trace

Active Installations: 10,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44004

NVD References: https://patchstack.com/database/vulnerability/wpcargo/wordpress-wpcargo-track-trace-plugin-7-0-6-sql-injection-vulnerability?_s_id=cve

CVE-2024-8887 & CVE-2024-8888 - Multiple vulnerabilities in CIRCUTOR Q-SMT firmware version 1.0.4

Product: CIRCUTOR Q-SMT

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8887

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8888

NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products

CVE-2024-8889 - CIRCUTOR TCP2RS+ firmware version 1.3b allows unauthorized modification of configuration values via UDP packets to port 2000, potentially disabling the device, even when user/password authentication is enabled. The equipment is near its end of life.

Product: CIRCUTOR TCP2RS+

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8889

NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products

CVE-2024-34026 - OpenPLC v3 b4702061dc14d1024856f71b4543298d77007b88 is vulnerable to a stack-based buffer overflow in its EtherNet/IP parser, allowing remote code execution via specially crafted requests.

Product: OpenPLC Runtime

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34026

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-2005

CVE-2024-35515 - Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code.

Product: sqlitedict

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35515

NVD References:

- https://github.com/piskvorky/sqlitedict/

- https://wha13.github.io/2024/06/13/mfcve/

CVE-2024-44542 - SQL Injection vulnerability in todesk v.1.1 allows a remote attacker to execute arbitrary code via the /todesk.com/news.html parameter.

Product: todesk v.1.1

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44542

NVD References: https://github.com/alphandbelt/CVE-2024-44542/tree/main

CVE-2024-34399 - BMC Remedy Mid Tier 7.6.04 allows unauthenticated remote attackers to access any user account without a password, but this vulnerability is only present in unsupported versions.

Product: BMC Remedy Mid Tier

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34399

NVD References: https://www.gruppotim.it/it/footer/red-team.html

CVE-2024-45523 - Bravura Security Fabric versions before 12.7.1.38241 allow unauthenticated attackers to cause a resource leak through API SOAP by issuing multiple failed login attempts.

Product: Bravura Security Fabric

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45523

NVD References: https://www.bravurasecurity.com/cve-2024-45523-resource-leak-in-api-after-a-failed-login-attempt

CVE-2024-46986 - Camaleon CMS is vulnerable to an arbitrary file write issue in the MediaController, allowing authenticated users to write arbitrary files to any location on the web server, potentially leading to remote code execution.

Product: Tuzitio Camaleon CMS

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46986

NVD References:

- https://codeql.github.com/codeql-query-help/ruby/rb-path-injection

- https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5

- https://owasp.org/www-community/attacks/Path_Traversal

- https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released

CVE-2024-40568 - btstack mesh has a buffer overflow in the pb_adv_handle_tranaction_cont function in src/mesh/pb_adv.c that allows a remote attacker to execute arbitrary code.

Product: btstack mesh

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-40568

NVD References: https://github.com/xiaobye-ctf/My-CVE/tree/main/BTstack/CVE-2024-40568

CVE-2024-46374 - Best House Rental Management System 1.0 contains a SQL injection vulnerability in the delete_category() function of the file rental/admin_class.php.

Product: Best House Rental Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46374

NVD References: https://github.com/gaorenyusi/gaorenyusi/blob/main/CVE-2024-46374.md

CVE-2024-46375, CVE-2024-46376, & CVE-2024-46377 - Best House Rental Management System 1.0 contains multiple arbitrary file upload vulnerabilities

Product: Best House Rental Management System 1.0

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46375

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46376

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46377

NVD References: https://github.com/gaorenyusi/gaorenyusi/blob/main/CVE-2024-46375.md

NVD References: https://github.com/gaorenyusi/gaorenyusi/blob/main/CVE-2024-46376.md

NVD References: https://github.com/gaorenyusi/gaorenyusi/blob/main/CVE-2024-46377.md

CVE-2024-46946 - LangChain Experimental versions 0.1.17 through 0.3.0 allow attackers to execute arbitrary code through sympy.sympify in LLMSymbolicMathChain.

Product: LangChain Experimental

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46946

NVD References:

- https://cwe.mitre.org/data/definitions/95.html

- https://docs.sympy.org/latest/modules/codegen.html

- https://gist.github.com/12end/68c0c58d2564ef4141bccd4651480820#file-cve-2024-46946-txt

- https://github.com/langchain-ai/langchain/releases/tag/langchain-experimental%3D%3D0.3.0

CVE-2024-31570 - libfreeimage in FreeImage 3.4.0 through 3.18.0 has a stack-based buffer overflow in the PluginXPM.cpp Load function via an XPM file.

Product: FreeImage libfreeimage

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-31570

NVD References:

- https://sourceforge.net/p/freeimage/bugs/355/

- https://www.openwall.com/lists/oss-security/2024/04/11/10

CVE-2024-33109 - Tiptel IP 286 with firmware version 2.61.13.10 allows attackers to overwrite arbitrary files on the phone via the Ringtone upload function.

Product: Tiptel IP 286

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33109

NVD References:

- http://tiptel.com

- https://www.bdosecurity.de/en-gb/advisories/cve-2024-33109

CVE-2024-40125 - Closed-Loop Technology CLESS Server v4.5.2 is vulnerable to arbitrary file uploads, allowing attackers to execute code by uploading a crafted PHP file.

Product: Closed-Loop Technology CLESS Server

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-40125

NVD References:

- https://github.com/brendontkl/My-CVEs/tree/main/CVE-2024-40125

- https://www.closed-loop.biz/

CVE-2024-9004 - D-Link DAR-7000 up to 20240912 is vulnerable to critical os command injection via the argument host in /view/DBManage/Backup_Server_commit.php, allowing for remote attackers to exploit this issue.

Product: Dlink DAR-7000

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9004

NVD References:

- https://github.com/mhtcshe/cve/blob/main/cve.md

- https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10354

- https://www.dlink.com/

CVE-2023-27584 - Dragonfly has a hardcoded secret key for JWT authentication, leading to an authentication bypass vulnerability allowing attackers to perform admin actions, addressed in release version 2.0.9 with no known workarounds.

Product: CNCF Dragonfly

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27584

NVD References:

- https://github.com/dragonflyoss/Dragonfly2/releases/tag/v2.0.9

- https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w

CVE-2024-45410 - Traefik is vulnerable to HTTP header manipulation in certain cases, potentially leading to security implications for applications trusting these headers.

Product: Traefik

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45410

NVD References:

- https://github.com/traefik/traefik/releases/tag/v2.11.9

- https://github.com/traefik/traefik/releases/tag/v3.1.3

- https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv

CVE-2024-46983 - SOFA Hessian deserialization is vulnerable to a gadget chain that bypasses its blacklist protection mechanism; the issue is fixed in version 3.5.5.

Product: Ant Group CO. Ltd., SOFA Hessian

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46983

NVD References: https://github.com/sofastack/sofa-hessian/security/advisories/GHSA-c459-2m73-67hj

CVE-2024-9008 - SourceCodester Best Online News Portal 1.0 has a critical SQL injection vulnerability in the Comment Section component, exploitable by remote attackers through manipulation of the argument name in /news-details.php.

Product: Best Online News Portal Project

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9008

NVD References: https://github.com/gurudattch/CVEs/blob/main/Sourcecodester-News-Portal-Comment-Blind-SQLi.md

CVE-2024-41721 - Insufficient boundary validation in the bhyve USB emulation code could lead to an out-of-bounds read on the heap, which could potentially lead to an arbitrary write and remote code execution.

Product: FreeBSD bhyve

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-41721

NVD References: https://security.freebsd.org/advisories/FreeBSD-SA-24:15.bhyve.asc

CVE-2024-8853 - The Webo-facto plugin for WordPress allows unauthenticated attackers to gain administrator privileges by exploiting the 'doSsoAuthentification' function.

Product: Webo-facto WordPress

Active Installations: 900+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8853

NVD References:

- https://plugins.trac.wordpress.org/browser/webo-facto-connector/tags/1.40/WeboFacto/Sso.php#L78

- https://plugins.trac.wordpress.org/changeset/3153062/webo-facto-connector

- https://www.wordfence.com/threat-intel/vulnerabilities/id/c1280ceb-9ce8-47fc-8fd3-6af80015dea9?source=cve

CVE-2024-46652 - Tenda AC8v4 V16.03.34.06 has a stack overflow vulnerability in the fromAdvSetMacMtuWan function.

Product: Tenda AC8v4

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46652

NVD References: https://github.com/zp9080/Tenda/blob/main/Tenda-AC8v4%20V16.03.34.06-fromAdvSetMacMtuWan/overview.md

CVE-2024-45489 - Arc before 2024-08-26 has a vulnerability that allows remote code execution in JavaScript boosts, enabling the installation of boosts in a victim's browser and running arbitrary Javascript in a privileged context.

Product: Arc JavaScript Boosts

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45489

NVD References:

- https://arc.net/blog/CVE-2024-45489-incident-response

- https://kibty.town/blog/arc/

- https://news.ycombinator.com/item?id=41597250

CVE-2024-46101 - GDidees CMS <= v3.9.1 has a file upload vulnerability.

Product: GDidees CMS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46101

NVD References: https://github.com/N0zoM1z0/MY-CVE/blob/main/CVE-2024-46101.md

CVE-2024-46103 - SEMCMS 4.8 is vulnerable to SQL Injection via SEMCMS_Main.php.

Product: SEMCMS 4.8

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46103

NVD References: https://github.com/N0zoM1z0/MY-CVE/blob/main/CVE-2024-46103.md

CVE-2024-46640 - SeaCMS 13.2 is vulnerable to remote code execution via writing to a file through the MySQL slow query method.

Product: SeaCMS 13.2

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46640

NVD References: https://gitee.com/zheng_botong/CVE-2024-46640

CVE-2024-47218 - An issue was discovered in vesoft NebulaGraph through 3.8.0. It allows bypassing authentication.

Product: vesoft NebulaGraph

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-47218

NVD References:

- https://github.com/vesoft-inc/nebula/pull/5936

- https://github.com/vesoft-inc/nebula/pull/5936/commits/cd6c5976ccfe817b2e0a2d46227cd361bfefb45c

CVE-2024-34331 - Parallels Desktop for Mac v19.3.0 and below is vulnerable to privilege escalation via a crafted macOS installer due to a lack of code signature verification, as Parallels Service runs with root privileges.

Product: Parallels Desktop for Mac

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34331

NVD References:

- https://kb.parallels.com/129860

- https://khronokernel.com/macos/2024/05/30/CVE-2024-34331.html

CVE-2024-46997 - DataEase prior to version 2.10.1 allows remote command execution through a carefully crafted h2 data source connection string.

Product: DataEase

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46997

NVD References: https://github.com/dataease/dataease/security/advisories/GHSA-h7mj-m72h-qm8w

CVE-2024-47066 - Lobe Chat's server-side request forgery protection in versions prior to 1.19.13 can be bypassed by attackers using external malicious URLs to access internal resources.

Product: Lobe Chat

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-47066

NVD References:

- https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts

- https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf

- https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg

- https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc

CVE-2024-9014 - pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication, potentially allowing attackers to obtain client ID and secret for unauthorized access to user data.

Product: pgAdmin

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9014

NVD References: https://github.com/pgadmin-org/pgadmin4/issues/7945

CVE-2024-0001 - FlashArray Purity has a vulnerability where a local account for initial configuration stays active, enabling unauthorized access.

Product: FlashArray Purity

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-0001

NVD References: https://purestorage.com/security

CVE-2024-0002 - A condition exists in FlashArray Purity whereby an attacker can employ a privileged account allowing remote access to the array.

Product: FlashArray Purity

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-0002

NVD References: https://purestorage.com/security

CVE-2024-0003 - FlashArray Purity has a vulnerability that allows a malicious user to create an account with privileged access through a remote administrative service.

Product: FlashArray Purity

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-0003

NVD References: https://purestorage.com/security

CVE-2024-0004 - FlashArray Purity allows a user with array admin role to remotely execute arbitrary commands and escalate privilege on the array.

Product: FlashArray Purity

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-0004

NVD References: https://purestorage.com/security

CVE-2024-0005 - FlashArray and FlashBlade Purity are vulnerable to remote command execution via a specially crafted SNMP configuration.

Product: Pure Storage FlashArray

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-0005

NVD References: https://purestorage.com/security

CVE-2024-8624 - The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to SQL Injection in all versions up to 1.3.3.3, allowing authenticated attackers with Contributor-level access to extract sensitive information from the database.

Product: WordPress MDTF – Meta Data and Taxonomies Filter

Active Installations: 1,000+

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8624

NVD References:

- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3153150%40wp-meta-data-filter-and-taxonomy-filter&new=3153150%40wp-meta-data-filter-and-taxonomy-filter&sfp_email=&sfph_mail=

- https://www.wordfence.com/threat-intel/vulnerabilities/id/8f50812a-c6a7-4bb3-9833-e10acd0460c0?source=cve

CVE-2024-8671 - The WooEvents - Calendar and Event Booking plugin for WordPress is vulnerable to arbitrary file overwrite allowing unauthenticated attackers to execute remote code.

Product: WooEvents Calendar and Event Booking plugin

Active Installations: 8,000+

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8671

NVD References:

- https://codecanyon.net/item/wooevents-calendar-and-event-booking/15598178

- https://www.wordfence.com/threat-intel/vulnerabilities/id/3d7af96a-5a3c-4291-a369-f6ed78f72a3f?source=cve

CVE-2024-8791 - The Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress plugin is vulnerable to privilege escalation in all versions up to, and including, 1.8.1.14, allowing unauthenticated attackers to update email addresses and passwords of user accounts through the update_core_user() function.

Product: Donation Forms by Charitable Donations Plugin & Fundraising Platform

Active Installations: 10,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8791

NVD References:

- https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.1.14/includes/users/class-charitable-user.php#L872

- https://plugins.trac.wordpress.org/changeset/3154009/charitable/trunk/includes/users/class-charitable-user.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/0ee60943-b583-4a99-8e62-846b380c98aa?source=cve

CVE-2023-26686 - CS-Cart MultiVendor 4.16.1 is vulnerable to remote code execution through image uploads during shop customization.

Product: CS-Cart MultiVendor

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26686

NVD References:

- https://github.com/cybrops-io/CVEs/tree/main/CVE-2023-26686%20-%20File%20Upload%20vulnerability%20in%20product%20image%20of%20CS-Cart%20MultiVendor%204.16.1

- https://www.cs-cart.com/multivendor.html

CVE-2023-26689 - An issue discovered in CS-Cart MultiVendor 4.16.1 allows attackers to alter arbitrary user account profiles via crafted post request.

Product: CS-Cart MultiVendor

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26689

NVD References: https://github.com/cybrops-io/CVEs/tree/main/CVE-2023-26689%20-%20Insufficient%20Authorization%20for%20API%20key%20creation%20in%20CS-Cart%20MultiVendor%204.16.1

CVE-2024-42505, CVE-2024-42506, & CVE-2024-42507 - Aruba's Access Point management protocol (PAPI) is vulnerable to unauthenticated remote code execution through specially crafted packets sent to the UDP port (8211).

Product: Aruba PAPI (Aruba's Access Point management protocol)

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42505

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42506

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42507

NVD References: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04712en_us&docLocale=en_US

CVE-2024-42797 - Kashipara Music Management System v1.0 is vulnerable to an Incorrect Access Control flaw in /music/ajax.php?action=delete_playlist, enabling unauthorized deletion of music playlist entries.

Product: Kashipara Music Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42797

NVD References: https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Music%20Management%20System%20v1.0/Broken%20Access%20Control%20-%20Delete%20Playlist.pdf

CVE-2024-43423 - The web application for ProGauge MAGLINK LX4 CONSOLE contains an administrative-level user account with a password that cannot be changed.

Product: ProGauge MAGLINK LX4 CONSOLE

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43423

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-268-04

CVE-2024-43692 - ProGauge MAGLINK LX CONSOLE allows attackers to request the resource sub page with full privileges via the URL.

Product: ProGauge MAGLINK LX CONSOLE

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43692

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-268-04

CVE-2024-43693 - ProGauge MAGLINK LX CONSOLE UTILITY sub-menu is vulnerable to remote code injection via specially crafted POST requests.

Product: ProGauge MAGLINK LX CONSOLE UTILITY

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43693

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-268-04

CVE-2024-45066 - ProGauge MAGLINK LX CONSOLE IP is vulnerable to remote command injection via specially crafted POST requests.

Product: ProGauge MAGLINK LX CONSOLE

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45066

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-268-04

CVE-2024-46612 - IceCMS v3.4.7 and before was discovered to contain a hardcoded JWT key, allowing an attacker to forge JWT authentication information.

Product: IceCMS v3.4.7

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46612

NVD References:

- https://github.com/Lunax0/LogLunax/blob/main/icecms/CVE-2024-46612.md

- https://github.com/Thecosy/iceCMS?tab=readme-ov-file

CVE-2024-46957 - Mellium mellium.im/xmpp 0.0.1 through 0.21.4 allows response spoofing because the stanza type is not checked. This is fixed in 0.22.0.

Product: Mellium im/xmpp

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46957

NVD References:

- https://codeberg.org/mellium/xmpp/releases

- https://mellium.im/cve/cve-2024-46957/

CVE-2024-8067 - Helix Core is vulnerable to a Windows ANSI API Unicode "best fit" argument injection before version 2024.1 Patch 2 (2024.1/2655224).

Product: Helix Core

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8067

NVD References: https://portal.perforce.com/s/detail/a91PA000001SXEzYAO

CVE-2024-8436 - The WP Easy Gallery - WordPress Gallery Plugin is vulnerable to SQL Injection in versions up to 4.8.5, allowing authenticated attackers to extract sensitive information from the database.

Product: WordPress Gallery Plugin

Active Installations: This plugin has been closed as of September 19, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8436

NVD References:

- https://plugins.trac.wordpress.org/browser/wp-easy-gallery/trunk/wp-easy-gallery.php#L730

- https://www.wordfence.com/threat-intel/vulnerabilities/id/d6eb094a-4f5a-418a-ba95-635765abfcff?source=cve

CVE-2024-8940 - Scriptcase application version 9.4.019 is vulnerable to an arbitrary file upload via a POST request, allowing attackers to upload malicious files to the server.

Product: Scriptcase

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8940

NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-scriptcase

CVE-2024-9142 - Olgu Computer Systems e-Belediye before 2.0.642 allows external manipulation of file paths, leading to incorrect permission assignment for critical resources.

Product: Olgu Computer Systems e-Belediye

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9142

NVD References: https://www.usom.gov.tr/bildirim/tr-24-1527

CVE-2024-9148 - Flowise Chat Embed < 2.0.0 has a Stored Cross-Site Scripting (XSS) vulnerability caused by inadequate input sanitization.

Product: Flowise Chat Embed

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9148

NVD References: https://www.tenable.com/security/research/tra-2024-40

CVE-2024-8485 - The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation through account takeover in all versions up to, and including, 4.7.1.

Product: WordPress REST API TO MiniProgram plugin

Active Installations: This plugin has been closed as of September 23, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8485

NVD References:

- https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-weixin-controller.php#L264

- https://www.wordfence.com/threat-intel/vulnerabilities/id/b53066d3-2ff3-4460-896a-facd77455914?source=cve

CVE-2024-8621 - The Daily Prayer Time plugin for WordPress is vulnerable to SQL Injection through the 'max_word' attribute of the 'quran_verse' shortcode in all versions up to, and including, 2024.08.26, allowing authenticated attackers to extract sensitive information from the database.

Product: WordPress Daily Prayer Time plugin

Active Installations: 1,000+

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8621

NVD References:

- https://plugins.trac.wordpress.org/browser/daily-prayer-time-for-mosques/tags/2024.08.26/Models/QuranADay/QuranDB.php#L72

- https://plugins.trac.wordpress.org/changeset/3151906/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/866e4bc3-080a-4498-b210-e692d72d3db0?source=cve

CVE-2024-20439 - Cisco Smart Licensing Utility has a vulnerability that lets an unauthenticated, remote attacker access an affected system using a static administrative credential.

Product: Cisco Smart Licensing Utility

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-20439

ISC Podcast: https://isc.sans.edu/podcastdetail/9152