CVE-2024-37310

CVE-2024-37310

Título es
CVE-2024-37310

Mié, 10/07/2024 – 20:15

Tipo
CWE-122

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-37310

Descripción en
EVerest is an EV charging software stack. An integer overflow in the "v2g_incoming_v2gtp" function in the v2g_server.cpp implementation can allow a remote attacker to overflow the process' heap. This vulnerability is fixed in 2024.3.1 and 2024.6.0.

10/07/2024
10/07/2024
Vector CVSS:3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)
9.00

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
CRITICAL

Referencias

  • https://github.com/EVerest/everest-core/commit/f73620c4c0f626e1097068a47e10cc27b369ad8e

  • https://github.com/EVerest/everest-core/releases/tag/2024.3.1

  • https://github.com/EVerest/everest-core/releases/tag/2024.6.0

  • https://github.com/EVerest/everest-core/security/advisories/GHSA-8g9q-7qr9-vc96

    • Enviar en el boletín
    Off

    CVE-2024-37149

    CVE-2024-37149

    Título es
    CVE-2024-37149

    Mié, 10/07/2024 – 20:15

    Tipo
    CWE-73

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-37149

    Descripción en
    GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.

    10/07/2024
    10/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.20

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://github.com/glpi-project/glpi/security/advisories/GHSA-cwvp-j887-m4xh

    • Enviar en el boletín
    Off

    CVE-2024-39693

    CVE-2024-39693

    Título es
    CVE-2024-39693

    Mié, 10/07/2024 – 20:15

    Tipo
    CWE-400

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-39693

    Descripción en
    Next.js is a React framework. A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server. his vulnerability was resolved in Next.js 13.5 and later.

    10/07/2024
    10/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://github.com/vercel/next.js/security/advisories/GHSA-fq54-2j52-jc42

    • Enviar en el boletín
    Off

    CVE-2024-38354

    CVE-2024-38354

    Título es
    CVE-2024-38354

    Mié, 10/07/2024 – 20:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-38354

    Descripción en
    CodiMD allows realtime collaborative markdown notes on all platforms. The notebook feature of Hackmd.io permits the rendering of iframe `HTML` tags with an improperly sanitized `name` attribute. This vulnerability enables attackers to perform cross-site scripting (XSS) attacks via DOM clobbering. This vulnerability is fixed in 2.5.4.

    10/07/2024
    10/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://github.com/hackmdio/codimd/security/advisories/GHSA-22jv-vch8-2vp9

    • Enviar en el boletín
    Off

    CVE-2024-38353

    CVE-2024-38353

    Título es
    CVE-2024-38353

    Mié, 10/07/2024 – 20:15

    Tipo
    CWE-338

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-38353

    Descripción en
    CodiMD allows realtime collaborative markdown notes on all platforms. CodiMD before 2.5.4 is missing authentication and access control vulnerability allowing an unauthenticated attacker to gain unauthorised access to image data uploaded to CodiMD. CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image's URL can gain unauthorised access to uploaded image data. Due to the insecure random filename generation in the underlying Formidable library, an attacker can determine the filenames for previously uploaded images and the likelihood of this issue being exploited is increased. This vulnerability is fixed in 2.5.4.

    10/07/2024
    10/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    5.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://github.com/hackmdio/codimd/security/advisories/GHSA-2764-jppc-p2hm

    • Enviar en el boletín
    Off

    CVE-2024-6151

    CVE-2024-6151

    Título es
    CVE-2024-6151

    Mié, 10/07/2024 – 21:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-6151

    Descripción en
    Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges in Virtual Delivery Agent for Windows used by Citrix Virtual Apps and Desktops and Citrix DaaS

    10/07/2024
    10/07/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://support.citrix.com/article/CTX678035

    • Enviar en el boletín
    Off