Cybersecurity Updates: Vulnerabilities, September 30 – October 6, 2024


Critical Severity Vulnerabilities

Atos Eviden iCare | CVE-2024-42017 is a critical vulnerability affecting Atos Eviden iCare versions 2.7.1 through 2.7.11. The application exposes a web interface locally; if that interface is reachable over the network, the flaw can allow unauthorized remote execution of arbitrary commands with system privileges.

SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability | CVE-2019-0344 is a critical vulnerability affecting SAP Commerce Cloud (formerly known as Hybris). It could allow an attacker to execute arbitrary code on a target machine with the rights of the ‘Hybris’ user.

DrayTek Multiple Vigor Routers OS Command Injection Vulnerability | CVE-2020-15415 affects DrayTek Vigor3900, Vigor2960, and Vigor300B devices running versions prior to 1.5.1. It allows remote command execution through shell metacharacters in a filename, particularly when the text/x-python-script content type is used, and poses a risk to users of these routers.

D-Link DIR-820 Router OS Command Injection Vulnerability | CVE-2023-25280 is a critical OS command injection vulnerability affecting the D-Link DIR-820LA1 router running firmware version 105B03. It allows an attacker to execute arbitrary commands on the router by sending a crafted payload in the ping_addr parameter to ping.ccp.

Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability | CVE-2024-29824 is a critical unauthenticated SQL injection vulnerability affecting Ivanti Endpoint Manager (EPM) 2022 SU5 and earlier versions. It allows an attacker to execute arbitrary code on the EPM server, potentially leading to complete system compromise.

Synacor Zimbra Collaboration Command Execution Vulnerability | CVE-2024-45519 is a critical remote code execution (RCE) vulnerability affecting Zimbra Collaboration (ZCS) versions before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1. It allows unauthenticated attackers to execute arbitrary commands on the Zimbra server.

High Severity Vulnerabilities

Cross-site scripting vulnerability | CVE-2024-9158 is a stored cross-site scripting vulnerability affecting Nessus Network Monitor products including zF8ard, zF698m, zF8arc, zF6KNF, and zF698l. It allows an authenticated, privileged local attacker to inject arbitrary code into the NNM user interface via the local command-line interface.

LibreNMS has Stored Cross-site Scripting vulnerability in “Alert Transports” feature | CVE-2024-47523 is a stored cross-site scripting (XSS) vulnerability in the LibreNMS network monitoring system, affecting versions prior to 24.9.0. It allows authenticated users to inject malicious JavaScript via the “Details” section of the “Alert Transports” feature, potentially compromising other users’ sessions and accounts. The vulnerability has a base severity score of 7.5, indicating a high risk level with potential confidentiality impact.

Cisco Meraki MX and Z3 Teleworker Gateway AnyConnect VPN Denial of Service Vulnerability | CVE-2024-20501 identifies multiple vulnerabilities in the Cisco AnyConnect VPN server on Cisco Meraki MX and Z Series Teleworker Gateway devices that could allow unauthenticated remote attackers to cause a denial-of-service (DoS) condition. The vulnerabilities stem from insufficient validation of client-supplied parameters during SSL VPN session establishment, so that crafted HTTPS requests may cause the AnyConnect service to restart.

Medium Severity Vulnerabilities

WordPress Confetti Fall Animation plugin <= 1.3.0 – Cross Site Scripting (XSS) vulnerability | CVE-2024-47641 is a cross-site scripting (XSS) vulnerability affecting the WPDeveloper Confetti Fall Animation plugin, versions up to and including 1.3.0. It permits stored XSS attacks, which can compromise affected websites by allowing attackers to execute malicious scripts in the context of users’ browsers.

Scout contains insufficient output escaping of attachment names | CVE-2024-47531 is a vulnerability in the Scout web-based visualizer for VCF files that allows attackers to bypass file extension restrictions because filenames are insufficiently sanitized. It can lead to users inadvertently downloading and executing malicious files, potentially compromising their devices or data.

Buildah: podman: improper input validation in bind-propagation option of Dockerfile RUN --mount instruction | CVE-2024-9407: A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The input passed to this option is not properly validated, allowing users to pass arbitrary parameters to the mount instruction. This can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, to modify the contents of those mounted files.

Pomerium’s service account access token may grant unintended access to databroker API | CVE-2024-47616 is a vulnerability affecting the Pomerium identity and context-aware access proxy, specifically its databroker service, which manages application state. Incomplete validation of the JSON Web Tokens (JWTs) used for API authorization allows certain service account access tokens to be improperly accepted, which can lead to unauthorized access to the databroker API.