CVE-2024-13894

Title (es)
CVE-2024-13894

Thu, 06/03/2025 – 14:15

Type
CWE-22

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-13894

Description (en)
Smartwares cameras CIP-37210AT and C724IP, as well as others which share the same firmware in versions up to 3.3.0, are vulnerable to path traversal.
When an affected device is connected to a mobile app, it opens port 10000, enabling a user to download pictures shot at specific moments by providing paths to the files. However, the directories to which a user has access are not limited, allowing for path traversal attacks and downloading sensitive information.
The vendor has not replied to reports, so the patching status remains unknown. Newer firmware versions might be vulnerable as well.

06/03/2025

06/03/2025

CVSS:4.0 vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
5.90

Severity 4.0 (text)
MEDIUM

Severity 3.1 (text)
Pending analysis

References

  • https://cert.pl/en/posts/2025/03/CVE-2024-13892/
  • https://www.smartwares.eu/en-gb/smartwares-cip-37210at-indoor-wi-fi-camera-cip–37210at

CVE-2024-13893

Title (es)
CVE-2024-13893

Thu, 06/03/2025 – 14:15

Type
CWE-1392

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-13893

Description (en)
Smartwares cameras CIP-37210AT and C724IP, as well as others which share the same firmware in versions up to 3.3.0, might share the same credentials for the telnet service. The hash of the password can be retrieved through physical access to SPI-connected memory.
For the telnet service to be enabled, the inserted SD card needs to have a folder with a specific name created.
Two products were tested, but since the vendor has not replied to reports, the patching status remains unknown, as do the groups of devices and firmware ranges in which the same password is shared.
Newer firmware versions might be vulnerable as well.

06/03/2025

06/03/2025

CVSS:4.0 vector
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
7.50

Severity 4.0 (text)
HIGH

Severity 3.1 (text)
Pending analysis

References

  • https://cert.pl/en/posts/2025/03/CVE-2024-13892/
  • https://www.smartwares.eu/en-gb/smartwares-cip-37210at-indoor-wi-fi-camera-cip–37210at

CVE-2024-13892

Title (es)
CVE-2024-13892

Thu, 06/03/2025 – 14:15

Type
CWE-77

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-13892

Description (en)
Smartwares cameras CIP-37210AT and C724IP, as well as others which share the same firmware in versions up to 3.3.0, are vulnerable to command injection.
During the initialization process, a user has to use a mobile app to provide devices with Access Point credentials. This input is not properly sanitized, which allows for command injection.
The vendor has not replied to reports, so the patching status remains unknown. Newer firmware versions might be vulnerable as well.

06/03/2025

06/03/2025

CVSS:4.0 vector
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
7.70

Severity 4.0 (text)
HIGH

Severity 3.1 (text)
Pending analysis

References

  • https://cert.pl/en/posts/2025/03/CVE-2024-13892/
  • https://www.smartwares.eu/en-gb/smartwares-cip-37210at-indoor-wi-fi-camera-cip–37210at

CVE-2024-12144

Title (es)
CVE-2024-12144

Thu, 06/03/2025 – 14:15

Type
CWE-89

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-12144

Description (en)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Finder Fire Safety Finder ERP/CRM (Old System) allows SQL Injection. This issue affects Finder ERP/CRM (Old System): before 18.12.2024.

06/03/2025

06/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity 3.1 (CVSS 3.1 Base Score)
9.80

Severity 3.1 (text)
CRITICAL

References

  • https://www.usom.gov.tr/bildirim/tr-25-0060

CVE-2025-0877

Title (es)
CVE-2025-0877

Thu, 06/03/2025 – 14:15

Type
CWE-79

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-0877

Description (en)
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AtaksAPP Reservation Management System allows Cross-Site Scripting (XSS). This issue affects Reservation Management System: before 4.2.3.

06/03/2025

06/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Severity 3.1 (CVSS 3.1 Base Score)
4.70

Severity 3.1 (text)
MEDIUM

References

  • https://www.usom.gov.tr/bildirim/tr-25-0059

CVE-2024-38311

Title (es)
CVE-2024-38311

Thu, 06/03/2025 – 12:15

Type
CWE-20

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-38311

Description (en)
Improper Input Validation vulnerability in Apache Traffic Server.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.

Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.

06/03/2025

06/03/2025

Severity 3.1 (text)
Pending analysis

References

  • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023

CVE-2025-1383

Title (es)
CVE-2025-1383

Thu, 06/03/2025 – 12:15

Type
CWE-352

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-1383

Description (en)
The Podlove Podcast Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.2. This is due to missing or incorrect nonce validation on the ajax_transcript_delete() function. This makes it possible for unauthenticated attackers to delete arbitrary episode transcripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

06/03/2025

06/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
4.30

Severity 3.1 (text)
MEDIUM

References

  • https://plugins.trac.wordpress.org/browser/podlove-podcasting-plugin-for-wordpress/tags/4.2.0/lib/modules/transcripts/transcripts.php#L223
  • https://plugins.trac.wordpress.org/changeset/3246867/
  • Podlove Podcast Publisher
  • https://www.wordfence.com/threat-intel/vulnerabilities/id/00a95ae7-3c58-4e5e-aaef-c04d1dacf27f?source=cve

CVE-2024-7872

Title (es)
CVE-2024-7872

Thu, 06/03/2025 – 12:15

Type
CWE-201

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-7872

Description (en)
Insertion of Sensitive Information Into Sent Data vulnerability in ExtremePACS Extreme XDS allows Retrieve Embedded Sensitive Data. This issue affects Extreme XDS: before 3933.

06/03/2025

06/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Severity 3.1 (CVSS 3.1 Base Score)
7.60

Severity 3.1 (text)
HIGH

References

  • https://www.usom.gov.tr/bildirim/tr-25-0057

CVE-2024-56196

Title (es)
CVE-2024-56196

Thu, 06/03/2025 – 12:15

Type
CWE-284

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-56196

Description (en)
Improper Access Control vulnerability in Apache Traffic Server.

This issue affects Apache Traffic Server: from 10.0.0 through 10.0.3.

Users are recommended to upgrade to version 10.0.4, which fixes the issue.

06/03/2025

06/03/2025

Severity 3.1 (text)
Pending analysis

References

  • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023

CVE-2024-56195

Title (es)
CVE-2024-56195

Thu, 06/03/2025 – 12:15

Type
CWE-284

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-56195

Description (en)
Improper Access Control vulnerability in Apache Traffic Server.

This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3.

Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.

06/03/2025

06/03/2025

Severity 3.1 (text)
Pending analysis

References

  • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023