CVE-2024-10454

CVE-2024-10454

Título es
CVE-2024-10454

Jue, 31/10/2024 – 13:15

Tipo
CWE-1021

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-10454

Descripción en
Clickjacking vulnerability in Clibo Manager v1.1.9.12 in the '/public/login' directory, a login panel. This vulnerability occurs due to the absence of an X-Frame-Options server-side header. An attacker could overlay a transparent iframe to perform click hijacking on victims.

31/10/2024
31/10/2024
Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
6.10

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

  • https://www.incibe.es/en/incibe-cert/notices/aviso/clickjacking-vulnerability-clibo-manager

    • Enviar en el boletín
    Off

    CVE-2024-8934

    CVE-2024-8934

    Título es
    CVE-2024-8934

    Jue, 31/10/2024 – 13:15

    Tipo
    CWE-78

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8934

    Descripción en
    A local user with administrative access rights can enter specialy crafted values for settings at the user interface (UI) of the TwinCAT Package Manager which then causes arbitrary OS commands to be executed.

    31/10/2024
    31/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://cert.vde.com/en/advisories/VDE-2024-064

    • Enviar en el boletín
    Off

    CVE-2024-42835

    CVE-2024-42835

    Título es
    CVE-2024-42835

    Jue, 31/10/2024 – 14:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-42835

    Descripción en
    langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.

    31/10/2024
    31/10/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://github.com/langflow-ai/langflow/issues/2908

    • Enviar en el boletín
    Off

    CVE-2024-51259

    CVE-2024-51259

    Título es
    CVE-2024-51259

    Jue, 31/10/2024 – 14:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-51259

    Descripción en
    DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate function.

    31/10/2024
    31/10/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://github.com/fu37kola/cve/blob/main/DrayTek/Vigor3900/1.5.1.3/DrayTek_Vigor_3900_1.5.1.3.pdf

    • Enviar en el boletín
    Off

    CVE-2024-51254

    CVE-2024-51254

    Título es
    CVE-2024-51254

    Jue, 31/10/2024 – 14:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-51254

    Descripción en
    DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the sign_cacertificate function.

    31/10/2024
    31/10/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://github.com/fu37kola/cve/blob/main/DrayTek/Vigor3900/1.5.1.3/DrayTek_Vigor_3900_1.5.1.3.pdf

    • Enviar en el boletín
    Off

    CVE-2024-30149

    CVE-2024-30149

    Título es
    CVE-2024-30149

    Jue, 31/10/2024 – 09:15

    Tipo
    CWE-295

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-30149

    Descripción en
    HCL AppScan Source

    31/10/2024
    31/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0116990

    • Enviar en el boletín
    Off

    CVE-2024-43930

    CVE-2024-43930

    Título es
    CVE-2024-43930

    Jue, 31/10/2024 – 10:15

    Tipo
    CWE-352

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-43930

    Descripción en
    Cross-Site Request Forgery (CSRF) vulnerability in eyecix JobSearch allows Cross Site Request Forgery.This issue affects JobSearch: from n/a through 2.5.3.

    31/10/2024
    31/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://patchstack.com/database/vulnerability/wp-jobsearch/wordpress-jobsearch-wp-job-board-wordpress-plugin-plugin-2-5-3-broken-access-control-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2024-43383

    CVE-2024-43383

    Título es
    CVE-2024-43383

    Jue, 31/10/2024 – 10:15

    Tipo
    CWE-502

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-43383

    Descripción en
    Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.

    This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016.

    An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access.

    Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.

    31/10/2024
    31/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.00

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://lists.apache.org/thread/wlz1p76dxpt4rl9o29voxjd5zl7717nh

    • Enviar en el boletín
    Off

    CVE-2024-49685

    CVE-2024-49685

    Título es
    CVE-2024-49685

    Jue, 31/10/2024 – 10:15

    Tipo
    CWE-352

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-49685

    Descripción en
    Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds (Tweets Widget) allows Cross Site Request Forgery.This issue affects Custom Twitter Feeds (Tweets Widget): from n/a through 2.2.3.

    31/10/2024
    31/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    5.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://patchstack.com/database/vulnerability/custom-twitter-feeds/wordpress-custom-twitter-feeds-plugin-2-2-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2024-49674

    CVE-2024-49674

    Título es
    CVE-2024-49674

    Jue, 31/10/2024 – 10:15

    Tipo
    CWE-352

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-49674

    Descripción en
    Cross-Site Request Forgery (CSRF) vulnerability in Lukas Huser EKC Tournament Manager allows Upload a Web Shell to a Web Server.This issue affects EKC Tournament Manager: from n/a through 2.2.1.

    31/10/2024
    31/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.60

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://patchstack.com/database/vulnerability/ekc-tournament-manager/wordpress-ekc-tournament-manager-plugin-2-2-1-csrf-to-arbitrary-file-upload-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off