CVE-2024-12368

CVE-2024-12368

Título es
CVE-2024-12368

Mar, 25/02/2025 – 18:15

Tipo
CWE-284

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-12368

Descripción en
Improper access control in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0 allows an internal user to export the OAuth tokens of other users.

25/02/2025

25/02/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
8.10

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
HIGH

Referencias


  • https://github.com/odoo/odoo/issues/193854

    • Enviar en el boletín
    Off

    CVE-2025-25192

    CVE-2025-25192

    Título es
    CVE-2025-25192

    Mar, 25/02/2025 – 18:15

    Tipo
    CWE-200

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-25192

    Descripción en
    GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

    25/02/2025

    25/02/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias


  • https://github.com/glpi-project/glpi/releases/tag/10.0.18

  • https://github.com/glpi-project/glpi/security/advisories/GHSA-86cx-hcfc-8mm8

    • Enviar en el boletín
    Off

    CVE-2025-23046

    CVE-2025-23046

    Título es
    CVE-2025-23046

    Mar, 25/02/2025 – 18:15

    Tipo
    CWE-303

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-23046

    Descripción en
    GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.

    25/02/2025

    25/02/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Gravedad 4.0
    6.30

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias


  • https://github.com/glpi-project/glpi/releases/tag/10.0.18

  • https://github.com/glpi-project/glpi/security/advisories/GHSA-vfxc-qg3v-j2r5

    • Enviar en el boletín
    Off

    CVE-2024-36259

    CVE-2024-36259

    Título es
    CVE-2024-36259

    Mar, 25/02/2025 – 19:15

    Tipo
    CWE-284

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-36259

    Descripción en
    Improper access control in mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack.

    25/02/2025

    25/02/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias


  • https://github.com/odoo/odoo/issues/199330

    • Enviar en el boletín
    Off

    CVE-2025-27135

    CVE-2025-27135

    Título es
    CVE-2025-27135

    Mar, 25/02/2025 – 19:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-27135

    Descripción en
    RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available.

    25/02/2025

    25/02/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Gravedad 4.0
    8.90

    Gravedad 4.0 txt
    HIGH

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias


  • https://github.com/infiniflow/ragflow/blob/v0.15.1/agent/component/exesql.py

  • https://github.com/infiniflow/ragflow/security/advisories/GHSA-3gqj-66qm-25jq

  • https://swizzky.notion.site/ragflow-exesql-150ca6df7c03806989cefde915cf8e42?pvs=4

  • https://swizzky.notion.site/ragflow-exesql-150ca6df7c03806989cefde915cf8e42

    • Enviar en el boletín
    Off

    CVE-2025-26598

    CVE-2025-26598

    Título es
    CVE-2025-26598

    Mar, 25/02/2025 – 16:15

    Tipo
    CWE-787

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26598

    Descripción en
    An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL, if no match was found. However, the code will return the last element of the list if no matching device ID is found, which can lead to out-of-bounds memory access.

    25/02/2025

    25/02/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias


  • https://access.redhat.com/security/cve/CVE-2025-26598

  • https://bugzilla.redhat.com/show_bug.cgi?id=2345254

    • Enviar en el boletín
    Off

    CVE-2025-26597

    CVE-2025-26597

    Título es
    CVE-2025-26597

    Mar, 25/02/2025 – 16:15

    Tipo
    CWE-122

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26597

    Descripción en
    A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTypesOfKey() is called with a 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If the same function is later called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size.

    25/02/2025

    25/02/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias


  • https://access.redhat.com/security/cve/CVE-2025-26597

  • https://bugzilla.redhat.com/show_bug.cgi?id=2345255

    • Enviar en el boletín
    Off

    CVE-2025-26596

    CVE-2025-26596

    Título es
    CVE-2025-26596

    Mar, 25/02/2025 – 16:15

    Tipo
    CWE-122

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26596

    Descripción en
    A heap overflow flaw was found in X.Org and Xwayland. The computation of the length in XkbSizeKeySyms() differs from what is written in XkbWriteKeySyms(), which may lead to a heap-based buffer overflow.

    25/02/2025

    25/02/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias


  • https://access.redhat.com/security/cve/CVE-2025-26596

  • https://bugzilla.redhat.com/show_bug.cgi?id=2345256

    • Enviar en el boletín
    Off

    CVE-2025-26595

    CVE-2025-26595

    Título es
    CVE-2025-26595

    Mar, 25/02/2025 – 16:15

    Tipo
    CWE-121

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26595

    Descripción en
    A buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fixed-sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code fails to check the bounds of the buffer and would copy the data regardless of the size.

    25/02/2025

    25/02/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias


  • https://access.redhat.com/security/cve/CVE-2025-26595

  • https://bugzilla.redhat.com/show_bug.cgi?id=2345257

    • Enviar en el boletín
    Off

    CVE-2025-26601

    CVE-2025-26601

    Título es
    CVE-2025-26601

    Mar, 25/02/2025 – 16:15

    Tipo
    CWE-416

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26601

    Descripción en
    A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers.

    25/02/2025

    25/02/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias


  • https://access.redhat.com/security/cve/CVE-2025-26601

  • https://bugzilla.redhat.com/show_bug.cgi?id=2345251

    • Enviar en el boletín
    Off