Archivos mensuales: febrero 2025

app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search.

Logic vulnerability in the mobile application (com.transsion.carlcare) may lead to the risk of account takeover.

An issue was discovered in Logpoint AgentX before 1.5.0. A vulnerability caused by limited access controls allowed li-admin users to access sensitive information about AgentX Manager in a Logpoint deployment.

StrongKey FIDO Server before 4.15.1 treats a non-discoverable (namedcredential) flow as a discoverable transaction.

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

CalInvocationHandler in Brocade
SANnav before 2.3.1b logs sensitive information in clear text. The
vulnerability could allow an authenticated, local attacker to view
Brocade Fabric OS switch sensitive information in clear text. An
attacker with administrative privileges could retrieve sensitive
information including passwords; SNMP responses that contain AuthSecret
and PrivSecret after collecting a “supportsave” or getting access to an
already collected “supportsave”. NOTE: this issue exists because of an incomplete fix for CVE-2024-29952

Under certain error conditions at time of SANnav installation or upgrade, the encryption key can be written into and obtained from a Brocade SANnav supportsave. An attacker with privileged access to the Brocade SANnav database could use the encryption key to obtain passwords used by Brocade SANnav.

IBM DevOps Deploy 8.0 through 8.0.1.4, 8.1 through 8.1.0.0 / IBM UrbanCode Deploy 7.0 through 7.0.5.25, 7.1 through 7.1.2.21, 7.2 through 7.2.3.14, and 7.3 through 7.3.2.9 could allow a remote privileged authenticated attacker to execute arbitrary commands on the system by sending specially crafted input containing special elements.

musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.

Docker daemon in Brocade SANnav before SANnav 2.3.1b runs without auditing. The vulnerability could allow a remote authenticated attacker to execute various attacks.