CVE-2024-5991

CVE-2024-5991

Título es
CVE-2024-5991

Mar, 27/08/2024 – 19:15

Tipo
CWE-125

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-5991

Descripción en
In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.This issue affects wolfSSL: through 5.7.0.

27/08/2024
27/08/2024
Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

  • https://https://github.com/wolfSSL/wolfssl/pull/7604

    • Enviar en el boletín
    Off

    CVE-2024-8182

    CVE-2024-8182

    Título es
    CVE-2024-8182

    Mar, 27/08/2024 – 13:15

    Tipo
    CWE-400

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8182

    Descripción en
    An Unauthenticated Denial of Service (DoS) vulnerability exists in Flowise version 1.8.2 leading to a complete crash of the instance running a vulnerable version due to improper handling of user supplied input to the “/api/v1/get-upload-file” api endpoint.

    27/08/2024
    27/08/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://tenable.com/security/research/tra-2024-34

    • Enviar en el boletín
    Off

    CVE-2024-7071

    CVE-2024-7071

    Título es
    CVE-2024-7071

    Mar, 27/08/2024 – 14:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-7071

    Descripción en
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE – 564 – SQL Injection: Hibernate vulnerability in Brain Information Technologies Inc. Brain Low-Code allows SQL Injection.This issue affects Brain Low-Code: before 2.1.0.

    27/08/2024
    27/08/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://www.usom.gov.tr/bildirim/tr-24-1349

    • Enviar en el boletín
    Off

    CVE-2024-6633

    CVE-2024-6633

    Título es
    CVE-2024-6633

    Mar, 27/08/2024 – 15:15

    Tipo
    CWE-200

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-6633

    Descripción en
    The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledgebase article. Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software.

    The HSQLDB is only included to facilitate installation, has been deprecated, and is not intended for production use per vendor guides. However, users who have not configured FileCatalyst Workflow to use an alternative database per recommendations are vulnerable to attack from any source that can reach the HSQLDB.

    27/08/2024
    27/08/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://www.fortra.com/security/advisories/product-security/fi-2024-011

    • Enviar en el boletín
    Off

    CVE-2024-6632

    CVE-2024-6632

    Título es
    CVE-2024-6632

    Mar, 27/08/2024 – 15:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-6632

    Descripción en
    A vulnerability exists in FileCatalyst Workflow whereby a field accessible to the super admin can be used to perform an SQL injection attack which can lead to a loss of confidentiality, integrity, and availability.

    27/08/2024
    27/08/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.20

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://www.fortra.com/security/advisories/product-security/fi-2024-010

    • Enviar en el boletín
    Off

    CVE-2024-7791

    CVE-2024-7791

    Título es
    CVE-2024-7791

    Mar, 27/08/2024 – 11:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-7791

    Descripción es
    El complemento 140+ Widgets | Xpro Addons For Elementor – FREE para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del parámetro "flecha" dentro del widget Post Grid en todas las versiones hasta la 1.4.4.3 incluida, debido a una desinfección de entrada y un escape de salida insuficientes. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten secuencias de comandos web arbitrarias en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada.

    Descripción en
    The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘arrow’ parameter within the Post Grid widget in all versions up to, and including, 1.4.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    27/08/2024
    27/08/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/post-grid/post-grid.php#L1891

  • https://plugins.trac.wordpress.org/changeset/3141892/

  • https://plugins.trac.wordpress.org/changeset/3141892/#file2

  • 140+ Widgets | Xpro Addons For Elementor – FREE



  • https://www.wordfence.com/threat-intel/vulnerabilities/id/c6025dd5-a1d7-48cc-90b3-f020d3d2298b?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-8197

    CVE-2024-8197

    Título es
    CVE-2024-8197

    Mar, 27/08/2024 – 11:15

    Tipo
    CWE-352

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8197

    Descripción es
    El complemento Visual Sound para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.03 incluida. Esto se debe a la falta o la validación incorrecta de un nonce en una función. Esto permite que atacantes no autenticados actualicen la configuración del complemento a través de una solicitud falsificada, siempre que puedan engañar al administrador del sitio para que realice una acción como hacer clic en un enlace.

    Descripción en
    The Visual Sound plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.03. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

    27/08/2024
    27/08/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://wpscan.com/vulnerability/88cacd47-d900-478c-b833-c6c55fd4b082/

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/48d6d4c1-cc87-4c2c-9fbb-90af62f576aa?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-8207

    CVE-2024-8207

    Título es
    CVE-2024-8207

    Mar, 27/08/2024 – 12:15

    Tipo
    CWE-114

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8207

    Descripción en
    In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintended actor gaining full control over the MongoDB server process. This issue affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions prior to 6.0.3.

    Required Configuration: Only environments with Linux as the underlying operating system is affected by this issue

    27/08/2024
    27/08/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://jira.mongodb.org/browse/SERVER-69507

    • Enviar en el boletín
    Off

    CVE-2024-4872

    CVE-2024-4872

    Título es
    CVE-2024-4872

    Mar, 27/08/2024 – 13:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-4872

    Descripción en
    The product does not validate any query towards persistent
    data, resulting in a risk of injection attacks.

    27/08/2024
    27/08/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.90

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageCode=en&DocumentPartId=&Action=Launch

    • Enviar en el boletín
    Off

    CVE-2024-3982

    CVE-2024-3982

    Título es
    CVE-2024-3982

    Mar, 27/08/2024 – 13:15

    Tipo
    CWE-294

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-3982

    Descripción en
    An attacker with local access to machine where MicroSCADA X
    SYS600 is installed, could enable the session logging supporting the product and try to exploit a session hijacking of an already established session. By default, the session logging level
    is not enabled and only users with administrator rights can enable it.

    27/08/2024
    27/08/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.20

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageCode=en&DocumentPartId=&Action=Launch

    • Enviar en el boletín
    Off