septiembre 2024 - Página 116 de 136

5 Sep 2024

CVE-2024-45173

Título es

CVE-2024-45173

Jue, 05/09/2024 – 15:15

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-45173

Descripción en

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper privilege management concerning sudo privileges, C-MOR is vulnerable to a privilege escalation attack. The Linux user www-data running the C-MOR web interface can execute some OS commands as root via Sudo without having to enter the root password. These commands, for example, include cp, chown, and chmod, which enable an attacker to modify the system's sudoers file in order to execute all commands with root privileges. Thus, it is possible to escalate the limited privileges of the user www-data to root privileges.

05/09/2024

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

Pendiente de análisis

Referencias

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-027.txt

https://www.syss.de/pentest-blog/mehrere-sicherheitsschwachstellen-in-videoueberwachungssoftware-c-mor-syss-2024-020-bis-030

Enviar en el boletín

Off

5 Sep 2024

CVE-2024-8464

Título es

CVE-2024-8464

Jue, 05/09/2024 – 13:15

Tipo

CWE-89

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-8464

Descripción en

SQL injection vulnerability, by which an attacker could send a specially designed query through JOBREGID parameter in /jobportal/admin/applicants/controller.php, and retrieve all the information stored in it.

05/09/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)

9.80

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

CRITICAL

Referencias

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-job-portal

Enviar en el boletín

Off

5 Sep 2024

CVE-2024-8468

Título es

CVE-2024-8468

Jue, 05/09/2024 – 13:15

Tipo

CWE-89

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-8468

Descripción en

SQL injection vulnerability, by which an attacker could send a specially designed query through search parameter in /jobportal/index.php, and retrieve all the information stored in it.

05/09/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)

9.80

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

CRITICAL

Referencias

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-job-portal

Enviar en el boletín

Off

5 Sep 2024

CVE-2024-8467

Título es

CVE-2024-8467

Jue, 05/09/2024 – 13:15

Tipo

CWE-89

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-8467

Descripción en

SQL injection vulnerability, by which an attacker could send a specially designed query through id parameter in /jobportal/admin/category/index.php, and retrieve all the information stored in it.

05/09/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)

9.80

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

CRITICAL

Referencias

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-job-portal

Enviar en el boletín

Off

5 Sep 2024

CVE-2024-8466

Título es

CVE-2024-8466

Jue, 05/09/2024 – 13:15

Tipo

CWE-89

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-8466

Descripción en

SQL injection vulnerability, by which an attacker could send a specially designed query through CATEGORY parameter in /jobportal/admin/category/controller.php, and retrieve all the information stored in it.

05/09/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)

9.80

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

CRITICAL

Referencias

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-job-portal

Enviar en el boletín

Off

5 Sep 2024

CVE-2024-8465

Título es

CVE-2024-8465

Jue, 05/09/2024 – 13:15

Tipo

CWE-89

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-8465

Descripción en

SQL injection vulnerability, by which an attacker could send a specially designed query through user_id parameter in /jobportal/admin/user/controller.php, and retrieve all the information stored in it.

05/09/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)

9.80

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

CRITICAL

Referencias

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-job-portal

Enviar en el boletín

Off

5 Sep 2024

CVE-2024-8471

Título es

CVE-2024-8471

Jue, 05/09/2024 – 13:15

Tipo

CWE-79

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-8471

Descripción en

Cross-Site Scripting (XSS) vulnerability, whereby user-controlled input is not sufficiently encrypted. Exploitation of this vulnerability could allow an attacker to retrieve the session details of an authenticated user through JOBID and USERNAME parameters in /jobportal/process.php.

05/09/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Gravedad 3.1 (CVSS 3.1 Base Score)

6.30

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

MEDIUM

Referencias

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-job-portal

Enviar en el boletín

Off

5 Sep 2024

CVE-2024-8470

Título es

CVE-2024-8470

Jue, 05/09/2024 – 13:15

Tipo

CWE-89

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-8470

Descripción en

SQL injection vulnerability, by which an attacker could send a specially designed query through CATEGORY parameter in /jobportal/admin/vacancy/controller.php, and retrieve all the information stored in it.

05/09/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)

9.80

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

CRITICAL

Referencias

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-job-portal

Enviar en el boletín

Off

5 Sep 2024

CVE-2024-8469

Título es

CVE-2024-8469

Jue, 05/09/2024 – 13:15

Tipo

CWE-89

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-8469

Descripción en

SQL injection vulnerability, by which an attacker could send a specially designed query through id parameter in /jobportal/admin/employee/index.php, and retrieve all the information stored in it.

05/09/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)

9.80

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

CRITICAL

Referencias

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-job-portal

Enviar en el boletín

Off

5 Sep 2024

CVE-2024-8473

Título es

CVE-2024-8473

Jue, 05/09/2024 – 13:15

Tipo

CWE-79

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-8473

Descripción en

Cross-Site Scripting (XSS) vulnerability, whereby user-controlled input is not sufficiently encrypted. Exploitation of this vulnerability could allow an attacker to retrieve the session details of an authenticated user through user_email parameter in /jobportal/admin/login.php.

05/09/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Gravedad 3.1 (CVSS 3.1 Base Score)

6.30

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

MEDIUM

Referencias

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-job-portal

Enviar en el boletín

Off

Archivos mensuales: septiembre 2024