CVE-2024-37299

CVE-2024-37299

Título es
CVE-2024-37299

Mar, 30/07/2024 – 15:15

Tipo
CWE-400

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-37299

Descripción en
Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, crafting requests to submit very long tag group names can reduce the availability of a Discourse instance. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.

30/07/2024
30/07/2024
Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)
4.90

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

  • https://github.com/discourse/discourse/commit/188cb58daa833839c54c266ce22db150a3f3a210

  • https://github.com/discourse/discourse/commit/76f06f6b1491db6bd09a4017d2c5591431b3b16e

  • https://github.com/discourse/discourse/security/advisories/GHSA-4j6h-9pjp-5476

    • Enviar en el boletín
    Off

    CVE-2024-37165

    CVE-2024-37165

    Título es
    CVE-2024-37165

    Mar, 30/07/2024 – 15:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-37165

    Descripción en
    Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability is fixed in 3.2.3 and 3.3.0.beta3.

    30/07/2024
    30/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://github.com/discourse/discourse/commit/26aef0c288839378b9de5819e96eac8cf4ea60fd

  • https://github.com/discourse/discourse/commit/311b737c910cf0a69f61e1b8bc0b78374b6619d2

  • https://github.com/discourse/discourse/security/advisories/GHSA-cx83-5p6x-9qh9

    • Enviar en el boletín
    Off

    CVE-2024-41109

    CVE-2024-41109

    Título es
    CVE-2024-41109

    Mar, 30/07/2024 – 15:15

    Tipo
    CWE-200

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-41109

    Descripción en
    Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Navigating to `/admin/index/statistics` with a logged in Pimcore user exposes information about the Pimcore installation, PHP version, MYSQL version, installed bundles and all database tables and their row count in the system. This vulnerability is fixed in 1.5.2, 1.4.6, and 1.3.10.

    30/07/2024
    30/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/IndexController.php#L125C24-L125C40

  • https://github.com/pimcore/admin-ui-classic-bundle/commit/afa10bff2f8bfe9c8af7b6b75885bc403f6984f0

  • https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.5.2

  • https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-fx6j-9pp6-ph36

    • Enviar en el boletín
    Off

    CVE-2024-39320

    CVE-2024-39320

    Título es
    CVE-2024-39320

    Mar, 30/07/2024 – 15:15

    Tipo
    CWE-1021

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-39320

    Descripción en
    Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.

    30/07/2024
    30/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://github.com/discourse/discourse/commit/188cb58daa833839c54c266ce22db150a3f3a210

  • https://github.com/discourse/discourse/commit/76f06f6b1491db6bd09a4017d2c5591431b3b16e

  • https://github.com/discourse/discourse/security/advisories/GHSA-4p82-xh38-gq4p

    • Enviar en el boletín
    Off

    CVE-2024-4188

    CVE-2024-4188

    Título es
    CVE-2024-4188

    Mar, 30/07/2024 – 15:15

    Tipo
    CWE-523

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-4188

    Descripción en
    Unprotected Transport of Credentials vulnerability in OpenText™ Documentum™ Server could allow Credential Stuffing.This issue affects Documentum™ Server: from 16.7 through 23.4.

    30/07/2024
    30/07/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://support.opentext.com/csm?id=kb_article_view&sysparm_article=KB0815868

    • Enviar en el boletín
    Off

    CVE-2024-41804

    CVE-2024-41804

    Título es
    CVE-2024-41804

    Mar, 30/07/2024 – 16:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-41804

    Descripción en
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the `formula` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue.

    30/07/2024
    30/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch

  • https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr

  • https://xibosignage.com/blog/security-advisory-2024-07

    • Enviar en el boletín
    Off

    CVE-2024-41803

    CVE-2024-41803

    Título es
    CVE-2024-41803

    Mar, 30/07/2024 – 16:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-41803

    Descripción en
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain arbitrary data from the Xibo database by injecting specially crafted values in to the API for viewing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue.

    30/07/2024
    30/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.90

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch

  • https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv

  • https://xibosignage.com/blog/security-advisory-2024-07

    • Enviar en el boletín
    Off

    CVE-2024-41802

    CVE-2024-41802

    Título es
    CVE-2024-41802

    Mar, 30/07/2024 – 16:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-41802

    Descripción en
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the APIs for importing JSON and importing a Layout containing DataSet data.
    Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue

    30/07/2024
    30/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075

  • https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2

  • https://xibosignage.com/blog/security-advisory-2024-07

    • Enviar en el boletín
    Off

    CVE-2024-7127

    CVE-2024-7127

    Título es
    CVE-2024-7127

    Mar, 30/07/2024 – 12:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-7127

    Descripción es
    Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web en Stackposts Social Marketing Tool que permite ataques de Cross-site Scripting (XSS). Al enviar el payload en el nombre de usuario durante el registro, se puede ejecutar más tarde en el panel de la aplicación. Esto podría llevar a la adquisición no autorizada de información (por ejemplo, cookies de un usuario conectado). Después de varios intentos de contactar al proveedor, no recibimos ninguna respuesta. Nuestro equipo ha confirmado la existencia de esta vulnerabilidad. Suponemos que este problema afecta a Social Marketing Tool en todas las versiones.

    Descripción en
    Improper Neutralization of Input During Web Page Generation vulnerability in Stackposts Social Marketing Tool allows Cross-site Scripting (XSS) attack. By submitting the payload in the username during registration, it can be executed later in the application panel. This could lead to the unauthorised acquisition of information (e.g. cookies from a logged-in user). After multiple attempts to contact the vendor we did not receive any answer. Our team has confirmed the existence of this vulnerability. We suppose this issue affects Social Marketing Tool in all versions.

    30/07/2024
    30/07/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://cert.pl/en/posts/2024/07/CVE-2024-7127/

  • https://cert.pl/posts/2024/07/CVE-2024-7127/

  • https://codecanyon.net/comments/30802802

  • https://stackposts.com/product/stackposts-social-marketing-tool-1

    • Enviar en el boletín
    Off

    CVE-2024-6699

    CVE-2024-6699

    Título es
    CVE-2024-6699

    Mar, 30/07/2024 – 13:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-6699

    Descripción en
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mikafon Electronic Inc. Mikafon MA7 allows SQL Injection.This issue affects Mikafon MA7: from v3.0 before v3.1.

    30/07/2024
    30/07/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://www.usom.gov.tr/bildirim/tr-24-1105

    • Enviar en el boletín
    Off