Autor: Jose Alexis Correa Valencia

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.

IP Guard v4.81.0307.0 was discovered to contain an arbitrary file read vulnerability via the file name parameter.

Directory Traversal vulnerability in Marimer LLC CSLA .Net before 8.0 allows a remote attacker to execute arbitrary code via a crafted script to the MobileFormatter component.

llama.cpp provides LLM inference in C/C++. Prior to b3427, llama.cpp contains a null pointer dereference in gguf_init_from_file. This vulnerability is fixed in b3427.

In veilid-core in Veilid before 0.3.4, the protocol's ping function can be misused in a way that decreases the effectiveness of safety and private routes.

Laravel v11.x was discovered to contain an XML External Entity (XXE) vulnerability.

An issue in Intelight X-1L Traffic controller Maxtime v.1.9.6 allows a remote attacker to execute arbitrary code via the /cgi-bin/generateForm.cgi?formID=142 component.

A misconfiguration on UniFi U6+ Access Point could cause an incorrect VLAN traffic forwarding to APs meshed to UniFi U6+ Access Point.

Affected Products:
UniFi U6+ Access Point (Version 6.6.65 and earlier)

Mitigation:
Update your UniFi U6+ Access Point to Version 6.6.74 or later.

In JetBrains TeamCity before 2024.07 stored XSS was possible on Show Connection page

In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab