octubre 2024 - Página 138 de 160

4 Oct 2024

CVE-2024-9054

Título es

CVE-2024-9054

Vie, 04/10/2024 – 20:15

Tipo

CWE-200

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-9054

Descripción en

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

04/10/2024

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

Pendiente de análisis

Referencias

https://www.gruppotim.it/it/footer/red-team.html

https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file

Enviar en el boletín

Off

4 Oct 2024

CVE-2024-7801

Título es

CVE-2024-7801

Vie, 04/10/2024 – 20:15

Tipo

CWE-89

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-7801

Descripción en

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Microchip TimeProvider 4100 (Data plot modules) allows SQL Injection.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

04/10/2024

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

Pendiente de análisis

Referencias

https://www.gruppotim.it/it/footer/red-team.html

https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-unathenticated-sql-injection

Enviar en el boletín

Off

4 Oct 2024

CVE-2024-47764

Título es

CVE-2024-47764

Vie, 04/10/2024 – 20:15

Tipo

CWE-74

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-47764

Descripción en

cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.

04/10/2024

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

Pendiente de análisis

Referencias

https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c

https://github.com/jshttp/cookie/pull/167

https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x

Enviar en el boletín

Off

4 Oct 2024

CVE-2024-43687

Título es

CVE-2024-43687

Vie, 04/10/2024 – 20:15

Tipo

CWE-79

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-43687

Descripción en

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip TimeProvider 4100 (banner config modules) allows Cross-Site Scripting (XSS).This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

04/10/2024

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

Pendiente de análisis

Referencias

https://www.gruppotim.it/it/footer/red-team.html

https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-stored-xss-vulnerability-in-banner

Enviar en el boletín

Off

4 Oct 2024

CVE-2024-47911

Título es

CVE-2024-47911

Vie, 04/10/2024 – 21:15

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-47911

Descripción en

In SonarSource SonarQube 10.4 through 10.5 before 10.6, a vulnerability was discovered in the authorizations/group-memberships API endpoint that allows SonarQube users with the administrator role to inject blind SQL commands.

04/10/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Gravedad 3.1 (CVSS 3.1 Base Score)

6.70

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

MEDIUM

Referencias

https://sonarsource.atlassian.net/browse/SONAR-22340

Enviar en el boletín

Off

4 Oct 2024

CVE-2024-47910

Título es

CVE-2024-47910

Vie, 04/10/2024 – 21:15

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-47910

Descripción en

An issue was discovered in SonarSource SonarQube before 9.9.5 LTA and 10.x before 10.5. A SonarQube user with the Administrator role can modify an existing configuration of a GitHub integration to exfiltrate a pre-signed JWT.

04/10/2024

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

Pendiente de análisis

Referencias

https://community.sonarsource.com/t/sonarqube-github-integration-information-leakage/126609

https://sonarsource.atlassian.net/browse/SONAR-21795

https://sonarsource.atlassian.net/browse/SONAR-21813

Enviar en el boletín

Off

4 Oct 2024

CVE-2024-37869

Título es

CVE-2024-37869

Vie, 04/10/2024 – 21:15

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-37869

Descripción en

File Upload vulnerability in Itsourcecode Online Discussion Forum Project v.1.0 allows a remote attacker to execute arbitrary code via the "poster.php" file, and the uploaded file was received using the "$- FILES" variable

04/10/2024

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

Pendiente de análisis

Referencias

https://gist.github.com/TERRENCE-REX/7e5dfdd3583bf9fd81196f557a8b8879

https://github.com/TERRENCE-REX/CVE/issues/2

Enviar en el boletín

Off

4 Oct 2024

CVE-2024-37868

Título es

CVE-2024-37868

Vie, 04/10/2024 – 21:15

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-37868

Descripción en

File Upload vulnerability in Itsourcecode Online Discussion Forum Project v.1.0 allows a remote attacker to execute arbitrary code via the "sendreply.php" file, and the uploaded file was received using the "$- FILES" variable.

04/10/2024

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

Pendiente de análisis

Referencias

https://gist.github.com/TERRENCE-REX/bfca92171143e28899bb8511f311f9ed

https://github.com/TERRENCE-REX/CVE/issues/1

Enviar en el boletín

Off

4 Oct 2024

CVE-2024-47913

Título es

CVE-2024-47913

Vie, 04/10/2024 – 22:15

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-47913

Descripción en

An issue was discovered in the AbuseFilter extension for MediaWiki before 1.39.9, 1.40.x and 1.41.x before 1.41.3, and 1.42.x before 1.42.2. An API caller can match a filter condition against AbuseFilter logs even if the caller is not authorized to view the log details for the filter.

05/10/2024

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

Pendiente de análisis

Referencias

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1076855

https://phabricator.wikimedia.org/T372998

Enviar en el boletín

Off

4 Oct 2024

CVE-2024-8149

Título es

CVE-2024-8149

Vie, 04/10/2024 – 18:15

Tipo

CWE-79

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-8149

Descripción en

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 and 11.2 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

04/10/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)

4.60

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

MEDIUM

Referencias

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/

Enviar en el boletín

Off

Archivos mensuales: octubre 2024