CVE-2024-52867

CVE-2024-52867

Título es
CVE-2024-52867

Dom, 17/11/2024 – 03:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-52867

Descripción en
guix-daemon in GNU Guix before 5ab3c4c allows privilege escalation because build outputs are accessible by local users before file metadata concerns (e.g., for setuid and setgid programs) are properly addressed. The vulnerability can be remediated within the product via certain pull, reconfigure, and restart actions. Both 5ab3c4c and 5582241 are needed to resolve the vulnerability.

17/11/2024
17/11/2024
Vector CVSS:3.1
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)
8.10

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
HIGH

Referencias

  • https://git.savannah.gnu.org/cgit/guix.git/commit/?id=558224140dab669cabdaebabff18504a066c48d4

  • https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5ab3c4c1e43ebb637551223791db0ea3519986e1

  • https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/

    • Enviar en el boletín
    Off

    CVE-2024-52871

    CVE-2024-52871

    Título es
    CVE-2024-52871

    Dom, 17/11/2024 – 04:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-52871

    Descripción en
    In Flagsmith before 2.134.1, it is possible to bypass the ALLOW_REGISTRATION_WITHOUT_INVITE setting.

    17/11/2024
    17/11/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://github.com/Flagsmith/flagsmith/compare/v2.134.0…v2.134.1

  • https://github.com/Flagsmith/flagsmith/pull/4454

    • Enviar en el boletín
    Off

    CVE-2024-52872

    CVE-2024-52872

    Título es
    CVE-2024-52872

    Dom, 17/11/2024 – 04:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-52872

    Descripción en
    In Flagsmith before 2.134.1, the get_document endpoint is not correctly protected by permissions.

    17/11/2024
    17/11/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://github.com/Flagsmith/flagsmith/compare/v2.134.0…v2.134.1

  • https://github.com/Flagsmith/flagsmith/pull/4459

    • Enviar en el boletín
    Off

    CVE-2024-52876

    CVE-2024-52876

    Título es
    CVE-2024-52876

    Dom, 17/11/2024 – 05:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-52876

    Descripción en
    Holy Stone Remote ID Module HSRID01, firmware distributed with the Drone Go2 mobile application before 1.1.8, allows unauthenticated "remote power off" actions (in broadcast mode) via multiple read operations on the ASTM Remote ID (0xFFFA) GATT.

    17/11/2024
    17/11/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://coalfire.com/the-coalfire-blog/holy-stone-remote-id-vulnerability-disclosure

    • Enviar en el boletín
    Off

    CVE-2024-52410

    CVE-2024-52410

    Título es
    CVE-2024-52410

    Sáb, 16/11/2024 – 22:15

    Tipo
    CWE-502

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-52410

    Descripción en
    Deserialization of Untrusted Data vulnerability in Phoenixheart Referrer Detector allows Object Injection.This issue affects Referrer Detector: from n/a through 4.2.1.0.

    16/11/2024
    16/11/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://patchstack.com/database/vulnerability/referrer-detector/wordpress-referrer-detector-plugin-4-2-1-0-php-object-injection-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2024-52409

    CVE-2024-52409

    Título es
    CVE-2024-52409

    Sáb, 16/11/2024 – 22:15

    Tipo
    CWE-502

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-52409

    Descripción en
    Deserialization of Untrusted Data vulnerability in Phan An AJAX Random Posts allows Object Injection.This issue affects AJAX Random Posts: from n/a through 0.3.3.

    16/11/2024
    16/11/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://patchstack.com/database/vulnerability/ajax-random-posts/wordpress-ajax-random-posts-plugin-0-3-3-php-object-injection-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2024-52408

    CVE-2024-52408

    Título es
    CVE-2024-52408

    Sáb, 16/11/2024 – 22:15

    Tipo
    CWE-434

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-52408

    Descripción en
    Unrestricted Upload of File with Dangerous Type vulnerability in Team PushAssist Push Notifications for WordPress by PushAssist allows Upload a Web Shell to a Web Server.This issue affects Push Notifications for WordPress by PushAssist: from n/a through 3.0.8.

    16/11/2024
    16/11/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.90

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://patchstack.com/database/vulnerability/push-notification-for-wp-by-pushassist/wordpress-push-notifications-for-wordpress-by-pushassist-plugin-3-0-8-arbitrary-file-upload-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2024-52415

    CVE-2024-52415

    Título es
    CVE-2024-52415

    Sáb, 16/11/2024 – 22:15

    Tipo
    CWE-352

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-52415

    Descripción en
    Cross-Site Request Forgery (CSRF) vulnerability in Skpstorm SK WP Settings Backup allows Object Injection.This issue affects SK WP Settings Backup: from n/a through 1.0.

    16/11/2024
    16/11/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://patchstack.com/database/vulnerability/sk-wp-settings-backup/wordpress-sk-wp-settings-backup-plugin-1-0-csrf-to-php-object-injection-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2024-52414

    CVE-2024-52414

    Título es
    CVE-2024-52414

    Sáb, 16/11/2024 – 22:15

    Tipo
    CWE-502

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-52414

    Descripción en
    Deserialization of Untrusted Data vulnerability in Anthony Carbon WDES Responsive Mobile Menu allows Object Injection.This issue affects WDES Responsive Mobile Menu: from n/a through 5.3.18.

    16/11/2024
    16/11/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://patchstack.com/database/vulnerability/wdes-responsive-mobile-menu/wordpress-wdes-responsive-mobile-menu-plugin-5-3-18-php-object-injection-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2024-52413

    CVE-2024-52413

    Título es
    CVE-2024-52413

    Sáb, 16/11/2024 – 22:15

    Tipo
    CWE-502

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-52413

    Descripción en
    Deserialization of Untrusted Data vulnerability in DMC Airin Blog allows Object Injection.This issue affects Airin Blog: from n/a through 1.6.1.

    16/11/2024
    16/11/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://patchstack.com/database/vulnerability/airin-blog/wordpress-airin-blog-theme-1-6-1-php-object-injection-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off