CVE-2024-45426

Title (es)
CVE-2024-45426

Tue, 25/02/2025 – 20:15

Type
CWE-708

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-45426

Description (en)
Incorrect ownership assignment in some Zoom Workplace Apps may allow a privileged user to conduct an information disclosure via network access.

25/02/2025

25/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Severity 3.1 (CVSS 3.1 Base Score)
4.90

Severity 3.1 (text)
MEDIUM

References

  • https://www.zoom.com/en/trust/security-bulletin/zsb-24038/

CVE-2024-45425

Title (es)
CVE-2024-45425

Tue, 25/02/2025 – 20:15

Type
CWE-286

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-45425

Description (en)
Incorrect user management in some Zoom Workplace Apps may allow a privileged user to conduct an information disclosure via network access.

25/02/2025

25/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Severity 3.1 (CVSS 3.1 Base Score)
4.90

Severity 3.1 (text)
MEDIUM

References

  • https://www.zoom.com/en/trust/security-bulletin/zsb-24037/

CVE-2024-45424

Title (es)
CVE-2024-45424

Tue, 25/02/2025 – 20:15

Type
CWE-840

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-45424

Description (en)
Business logic error in some Zoom Workplace Apps may allow an unauthenticated user to conduct a disclosure of information via network access.

25/02/2025

25/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity 3.1 (CVSS 3.1 Base Score)
5.30

Severity 3.1 (text)
MEDIUM

References

  • https://www.zoom.com/en/trust/security-bulletin/zsb-24036/

CVE-2024-45421

Title (es)
CVE-2024-45421

Tue, 25/02/2025 – 20:15

Type
CWE-122

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-45421

Description (en)
Buffer overflow in some Zoom Apps may allow an authenticated user to conduct an escalation of privilege via network access.

25/02/2025

25/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Severity 3.1 (CVSS 3.1 Base Score)
8.50

Severity 3.1 (text)
HIGH

References

  • https://www.zoom.com/en/trust/security-bulletin/zsb-24043/

CVE-2024-45418

Title (es)
CVE-2024-45418

Tue, 25/02/2025 – 20:15

Type
CWE-61

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-45418

Description (en)
Symlink following in the installer for some Zoom apps for macOS before version 6.1.5 may allow an authenticated user to conduct an escalation of privilege via network access.

25/02/2025

25/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
5.40

Severity 3.1 (text)
MEDIUM

References

  • https://www.zoom.com/en/trust/security-bulletin/zsb-24040/

CVE-2024-45417

Title (es)
CVE-2024-45417

Tue, 25/02/2025 – 20:15

Type
CWE-708

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-45417

Description (en)
Uncontrolled resource consumption in the installer for some Zoom apps for macOS before version 6.1.5 may allow a privileged user to conduct a disclosure of information via local access.

25/02/2025

25/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Severity 3.1 (CVSS 3.1 Base Score)
6.00

Severity 3.1 (text)
MEDIUM

References

  • https://www.zoom.com/en/trust/security-bulletin/zsb-24039/

CVE-2025-27142

Title (es)
CVE-2025-27142

Tue, 25/02/2025 – 20:15

Type
CWE-22

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-27142

Description (en)
LocalSend is a free, open-source app that allows users to securely share files and messages with nearby devices over their local network without needing an internet connection. Prior to version 1.17.0, due to the missing sanitization of the path in the `POST /api/localsend/v2/prepare-upload` and `POST /api/localsend/v2/upload` endpoints, a malicious file transfer request can write files to an arbitrary location on the system, resulting in remote command execution. A malicious file transfer request sent by nearby devices can write files into an arbitrary directory. This usually allows command execution via the startup folder on Windows or Bash-related files on Linux. If the user enables the `Quick Save` feature, it will silently write files without explicit user interaction. Version 1.17.0 fixes this issue.

25/02/2025

25/02/2025

CVSS:4.0 vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
6.30

Severity 4.0 (text)
MEDIUM

Severity 3.1 (text)
Pending analysis

References

  • https://github.com/localsend/localsend/commit/e8635204ec782ded45bc7d698deb60f3c4105687
  • https://github.com/localsend/localsend/security/advisories/GHSA-f7jp-p6j4-3522

CVE-2025-27139

Title (es)
CVE-2025-27139

Tue, 25/02/2025 – 20:15

Type
CWE-79

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-27139

Description (en)
Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.12, 3.1.2, and 3.2.0 are vulnerable to cross-site scripting when the preferences page is opened. Versions 2.7.12, 3.1.2, and 3.2.0 fix the issue.

25/02/2025

25/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Severity 3.1 (CVSS 3.1 Base Score)
6.80

Severity 3.1 (text)
MEDIUM

References

  • https://github.com/Combodo/iTop/security/advisories/GHSA-c6mg-9537-c8cf

CVE-2025-27110

Title (es)
CVE-2025-27110

Tue, 25/02/2025 – 20:15

Type
CWE-172

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-27110

Description (en)
Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors, taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contain leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available.

25/02/2025

25/02/2025

CVSS:4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
7.90

Severity 4.0 (text)
HIGH

Severity 3.1 (text)
Pending analysis

References

  • https://github.com/owasp-modsecurity/ModSecurity/issues/3340
  • https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-42w7-rmv5-4x2j

CVE-2025-27146

Title (es)
CVE-2025-27146

Tue, 25/02/2025 – 20:15

Type
CWE-77

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-27146

Description (en)
matrix-appservice-irc is a Node.js IRC bridge for Matrix. The matrix-appservice-irc bridge up to version 3.0.3 contains a vulnerability which can lead to arbitrary IRC command execution as the puppeted user. The attacker can only inject commands executed as their own IRC user. The vulnerability has been patched in matrix-appservice-irc version 3.0.4.

25/02/2025

25/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
2.70

Severity 3.1 (text)
LOW

References

  • https://github.com/matrix-org/matrix-appservice-irc/commit/74f02c8e11f16ed1b355700092c1aa9c036a11bd
  • https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-5mvm-89c9-9gm5