CVE-2024-38821

CVE-2024-38821

Título es
CVE-2024-38821

Lun, 28/10/2024 – 07:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-38821

Descripción en
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.

For this to impact an application, all of the following must be true:

* It must be a WebFlux application
* It must be using Spring's static resources support
* It must have a non-permitAll authorization rule applied to the static resources support

28/10/2024
28/10/2024
Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
9.10

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
CRITICAL

Referencias

  • https://spring.io/security/cve-2024-38821

    • Enviar en el boletín
    Off

    CVE-2024-10440

    CVE-2024-10440

    Título es
    CVE-2024-10440

    Lun, 28/10/2024 – 03:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-10440

    Descripción en
    The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL command to read, modify, and delete database contents.

    28/10/2024
    28/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://www.twcert.org.tw/en/cp-139-8169-0632f-2.html

  • https://www.twcert.org.tw/tw/cp-132-8168-02720-1.html

    • Enviar en el boletín
    Off

    CVE-2024-10439

    CVE-2024-10439

    Título es
    CVE-2024-10439

    Lun, 28/10/2024 – 03:15

    Tipo
    CWE-639

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-10439

    Descripción en
    The eHRD CTMS from Sunnet has an Insecure Direct Object Reference (IDOR) vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to access arbitrary files uploaded by any user.

    28/10/2024
    28/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    5.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://www.twcert.org.tw/en/cp-139-8167-a2c0d-2.html

  • https://www.twcert.org.tw/tw/cp-132-8166-085c4-1.html

    • Enviar en el boletín
    Off

    CVE-2024-10438

    CVE-2024-10438

    Título es
    CVE-2024-10438

    Lun, 28/10/2024 – 03:15

    Tipo
    CWE-288

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-10438

    Descripción en
    The eHRD CTMS from Sunnet has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to bypass authentication by satisfying specific conditions in order to access certain functionalities.

    28/10/2024
    28/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://www.twcert.org.tw/en/cp-139-8165-7da2f-2.html

  • https://www.twcert.org.tw/tw/cp-132-8164-fe7c5-1.html

    • Enviar en el boletín
    Off

    CVE-2024-48936

    CVE-2024-48936

    Título es
    CVE-2024-48936

    Lun, 28/10/2024 – 04:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-48936

    Descripción en
    SchedMD Slurm before 24.05.4 has Incorrect Authorization. A mistake in authentication handling in stepmgr could permit an attacker to execute processes under other users' jobs. This is limited to jobs explicitly running with –stepmgr, or on systems that have globally enabled stepmgr via SlurmctldParameters=enable_stepmgr in their configuration.

    28/10/2024
    28/10/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://lists.schedmd.com/mailman3/hyperkitty/list/slurm-announce%40lists.schedmd.com/message/44MFMN7R35YZFWTNO43R2754W5B5XUAI/

  • https://lists.schedmd.com/pipermail/slurm-announce/2024/date.html

  • https://www.schedmd.com/security-policy/

    • Enviar en el boletín
    Off

    CVE-2024-50307

    CVE-2024-50307

    Título es
    CVE-2024-50307

    Lun, 28/10/2024 – 05:15

    Tipo
    CWE-676

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-50307

    Descripción en
    Use of potentially dangerous function issue exists in Chatwork Desktop Application (Windows) versions prior to 2.9.2. If a user clicks a specially crafted link in the application, an arbitrary file may be downloaded from an external website and executed. As a result, arbitrary code may be executed on the device that runs Chatwork Desktop Application (Windows).

    28/10/2024
    28/10/2024
    Vector CVSS:3.1
    CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    5.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://jvn.jp/en/jp/JVN78335885/

    • Enviar en el boletín
    Off

    CVE-2024-10431

    CVE-2024-10431

    Título es
    CVE-2024-10431

    Dom, 27/10/2024 – 23:15

    Tipo
    CWE-89

    Gravedad v2.0
    7.50

    Gravedad 2.0 Txt
    HIGH

    Título en

    CVE-2024-10431

    Descripción en
    A vulnerability, which was classified as critical, was found in Codezips Pet Shop Management System 1.0. Affected is an unknown function of the file /deletebird.php. The manipulation of the argument t1 leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

    28/10/2024
    28/10/2024
    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

    Vector CVSS:2.0
    AV:N/AC:L/Au:N/C:P/I:P/A:P

    Gravedad 4.0
    6.90

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://github.com/ppp-src/CVE/issues/24

  • https://vuldb.com/?ctiid_281982=

  • https://vuldb.com/?id_281982=

  • https://vuldb.com/?submit_432150=

    • Enviar en el boletín
    Off

    CVE-2024-10430

    CVE-2024-10430

    Título es
    CVE-2024-10430

    Dom, 27/10/2024 – 23:15

    Tipo
    CWE-89

    Gravedad v2.0
    7.50

    Gravedad 2.0 Txt
    HIGH

    Título en

    CVE-2024-10430

    Descripción en
    A vulnerability, which was classified as critical, has been found in Codezips Pet Shop Management System 1.0. This issue affects some unknown processing of the file /animalsupdate.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

    28/10/2024
    28/10/2024
    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

    Vector CVSS:2.0
    AV:N/AC:L/Au:N/C:P/I:P/A:P

    Gravedad 4.0
    6.90

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://github.com/ppp-src/CVE/issues/23

  • https://vuldb.com/?ctiid_281981=

  • https://vuldb.com/?id_281981=

  • https://vuldb.com/?submit_432149=

    • Enviar en el boletín
    Off

    CVE-2024-50624

    CVE-2024-50624

    Título es
    CVE-2024-50624

    Lun, 28/10/2024 – 00:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-50624

    Descripción en
    ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoconfig for retrieving the configuration. This is related to kmail-account-wizard.

    28/10/2024
    28/10/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://bugs.kde.org/show_bug.cgi?id=487882

  • https://invent.kde.org/pim/kmail-account-wizard/-/commit/9784f5ab41c3aff435d4a88afb25585180a62ee4

  • https://invent.kde.org/pim/kmail/-/tags

  • https://kde.org/announcements/megarelease/6/

    • Enviar en el boletín
    Off

    CVE-2024-50623

    CVE-2024-50623

    Título es
    CVE-2024-50623

    Lun, 28/10/2024 – 00:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-50623

    Descripción en
    In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability.

    28/10/2024
    28/10/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory

    • Enviar en el boletín
    Off