CVE-2024-40654

CVE-2024-40654

Título es
CVE-2024-40654

Mié, 11/09/2024 – 00:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-40654

Descripción en
In multiple locations, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

11/09/2024
11/09/2024
Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

  • https://android.googlesource.com/platform/packages/apps/Settings/+/f1d0079c91734168c150f839168544f407b17b06

  • https://source.android.com/security/bulletin/2024-09-01

    • Enviar en el boletín
    Off

    CVE-2024-40655

    CVE-2024-40655

    Título es
    CVE-2024-40655

    Mié, 11/09/2024 – 00:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-40655

    Descripción en
    In bindAndGetCallIdentification of CallScreeningServiceHelper.java, there is a possible way to maintain a while-in-use permission in the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

    11/09/2024
    11/09/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://android.googlesource.com/platform/packages/services/Telecomm/+/eeef54b37a362f506ea3aa155baddc545b6a909a

  • https://source.android.com/security/bulletin/2024-09-01

    • Enviar en el boletín
    Off

    CVE-2024-40650

    CVE-2024-40650

    Título es
    CVE-2024-40650

    Mié, 11/09/2024 – 00:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-40650

    Descripción en
    In wifi_item_edit_content of styles.xml , there is a possible FRP bypass due to Missing check for FRP state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    11/09/2024
    11/09/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://android.googlesource.com/platform/packages/apps/Settings/+/2968ccc911956fa5813a9a6a5e5c8970e383a60f

  • https://source.android.com/security/bulletin/2024-09-01

    • Enviar en el boletín
    Off

    CVE-2024-40652

    CVE-2024-40652

    Título es
    CVE-2024-40652

    Mié, 11/09/2024 – 00:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-40652

    Descripción en
    In onCreate of SettingsHomepageActivity.java, there is a possible way to access the Settings app while the device is provisioning due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

    11/09/2024
    11/09/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://android.googlesource.com/platform/packages/apps/Settings/+/2909433f7d59dcdd0c74044b1c8e9f48927193dc

  • https://source.android.com/security/bulletin/2024-09-01

    • Enviar en el boletín
    Off

    CVE-2024-8191

    CVE-2024-8191

    Título es
    CVE-2024-8191

    Mar, 10/09/2024 – 21:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8191

    Descripción en
    SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.

    10/09/2024
    10/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022

    • Enviar en el boletín
    Off

    CVE-2024-8190

    CVE-2024-8190

    Título es
    CVE-2024-8190

    Mar, 10/09/2024 – 21:15

    Tipo
    CWE-78

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8190

    Descripción en
    An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

    10/09/2024
    10/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.20

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Service-Appliance-CSA-CVE-2024-8190

    • Enviar en el boletín
    Off

    CVE-2024-8012

    CVE-2024-8012

    Título es
    CVE-2024-8012

    Mar, 10/09/2024 – 21:15

    Tipo
    CWE-288

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8012

    Descripción en
    An authentication bypass weakness in the message broker service of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.

    10/09/2024
    10/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Workspace-Control-IWC

    • Enviar en el boletín
    Off

    CVE-2024-44107

    CVE-2024-44107

    Título es
    CVE-2024-44107

    Mar, 10/09/2024 – 21:15

    Tipo
    CWE-427

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-44107

    Descripción en
    DLL hijacking in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges and achieve arbitrary code execution.

    10/09/2024
    10/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Workspace-Control-IWC

    • Enviar en el boletín
    Off

    CVE-2024-44106

    CVE-2024-44106

    Título es
    CVE-2024-44106

    Mar, 10/09/2024 – 21:15

    Tipo
    CWE-602

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-44106

    Descripción en
    Insufficient server-side controls in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.

    10/09/2024
    10/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Workspace-Control-IWC

    • Enviar en el boletín
    Off