CVE-2024-48448

CVE-2024-48448

Título es
CVE-2024-48448

Vie, 25/10/2024 – 18:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-48448

Descripción en
An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into the tracker comments page.

25/10/2024
25/10/2024
Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

  • https://github.com/b-hermes/vulnerability-research/tree/main/CVE-2024-48448

    • Enviar en el boletín
    Off

    CVE-2024-48343

    CVE-2024-48343

    Título es
    CVE-2024-48343

    Vie, 25/10/2024 – 18:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-48343

    Descripción en
    A SQL Injection vulnerability in ESAFENET CDG 5 and earlier allows an attacker to execute arbitrary code via the id parameter of the dataSearch.jsp page.

    25/10/2024
    25/10/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://flowus.cn/share/d038084d-6370-4bcb-a268-6cca9e0f6615?code=G8A6P3

    • Enviar en el boletín
    Off

    CVE-2024-37845

    CVE-2024-37845

    Título es
    CVE-2024-37845

    Vie, 25/10/2024 – 19:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-37845

    Descripción en
    MangoOS before 5.2.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the Active Process Command feature.

    25/10/2024
    25/10/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://github.com/herombey/Disclosures/blob/main/CVE-2024-37845%20RCE.pdf

  • https://github.com/herombey/Disclosures/tree/main

    • Enviar en el boletín
    Off

    CVE-2024-37844

    CVE-2024-37844

    Título es
    CVE-2024-37844

    Vie, 25/10/2024 – 19:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-37844

    Descripción en
    A stored cross-site scripting (XSS) vulnerability in MangoOS before 5.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

    25/10/2024
    25/10/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://github.com/herombey/Disclosures/blob/main/CVE-2024-37844%20XSS.pdf

  • https://github.com/herombey/Disclosures/tree/main

    • Enviar en el boletín
    Off

    CVE-2024-48450

    CVE-2024-48450

    Título es
    CVE-2024-48450

    Vie, 25/10/2024 – 19:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-48450

    Descripción en
    An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into chat group.

    25/10/2024
    25/10/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://github.com/b-hermes/vulnerability-research/tree/main/CVE-2024-48450

    • Enviar en el boletín
    Off

    CVE-2024-37847

    CVE-2024-37847

    Título es
    CVE-2024-37847

    Vie, 25/10/2024 – 19:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-37847

    Descripción en
    An arbitrary file upload vulnerability in MangoOS before 5.1.4 and Mango API before 4.5.5 allows attackers to execute arbitrary code via a crafted file.

    25/10/2024
    25/10/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://github.com/herombey/Disclosures/blob/main/CVE-2024-37847%20File%20Upload%20Path%20Traversal.pdf

  • https://github.com/herombey/Disclosures/tree/main

    • Enviar en el boletín
    Off

    CVE-2024-37846

    CVE-2024-37846

    Título es
    CVE-2024-37846

    Vie, 25/10/2024 – 19:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-37846

    Descripción en
    MangoOS before 5.2.0 was discovered to contain a Client-Side Template Injection (CSTI) vulnerability via the Platform Management Edit page.

    25/10/2024
    25/10/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://github.com/herombey/Disclosures/blob/main/CVE-2024-37846-CSTI.pdf

  • https://github.com/herombey/Disclosures/tree/main

    • Enviar en el boletín
    Off

    CVE-2024-49380

    CVE-2024-49380

    Título es
    CVE-2024-49380

    Vie, 25/10/2024 – 14:15

    Tipo
    CWE-74

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-49380

    Descripción en
    Plenti, a static site generator, has an arbitrary file write vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write vulnerability when a plenti user serves their website. This issue may lead to Remote Code Execution. Version 0.7.2 fixes the vulnerability.

    25/10/2024
    25/10/2024
    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Gravedad 4.0
    8.90

    Gravedad 4.0 txt
    HIGH

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://github.com/plentico/plenti/blob/01825e0dcd3505fac57adc2edf29f772d585c008/cmd/serve.go#L205

  • https://github.com/plentico/plenti/releases/tag/v0.7.2

  • https://securitylab.github.com/advisories/GHSL-2024-297_GHSL-2024-298_plenti/

    • Enviar en el boletín
    Off

    CVE-2024-49757

    CVE-2024-49757

    Título es
    CVE-2024-49757

    Vie, 25/10/2024 – 15:15

    Tipo
    CWE-287

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-49757

    Descripción en
    The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.

    25/10/2024
    25/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://github.com/zitadel/zitadel/releases/tag/v2.58.7

  • https://github.com/zitadel/zitadel/releases/tag/v2.59.5

  • https://github.com/zitadel/zitadel/releases/tag/v2.60.4

  • https://github.com/zitadel/zitadel/releases/tag/v2.61.4

  • https://github.com/zitadel/zitadel/releases/tag/v2.62.7

  • https://github.com/zitadel/zitadel/releases/tag/v2.63.5

  • https://github.com/zitadel/zitadel/releases/tag/v2.64.0

  • https://github.com/zitadel/zitadel/security/advisories/GHSA-3rmw-76m6-4gjc

    • Enviar en el boletín
    Off

    CVE-2024-48428

    CVE-2024-48428

    Título es
    CVE-2024-48428

    Vie, 25/10/2024 – 15:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-48428

    Descripción en
    An issue in Olive VLE allows an attacker to obtain sensitive information via the reset password function.

    25/10/2024
    25/10/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://medium.com/%40powerful-/account-takeover-ato-via-the-reset-password-cve-2024-48428-84892d6211d6

  • https://medium.com/h7w/full-account-takeover-via-password-reset-link-manipulation-840fb9402967

  • https://www.linkedin.com/posts/said-al-ghammari-301972285_0day-bugbountytips-bugbountytip-activity-7227418100034412544-2ocu/

  • Olive VLE Home


    • Enviar en el boletín
    Off