Vulnerabilities
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-12-29 | CVE-2024-12238 | The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.22. | 6.3 |
2024-12-29 | CVE-2024-13000 | SQL Injection vulnerability in PHPGurukul Small CRM 1.0. A vulnerability was found in PHPGurukul Small CRM 1.0 and classified as critical. | 9.8 |
2024-12-29 | CVE-2024-13001 | SQL Injection vulnerability in PHPGurukul Small CRM 1.0. A vulnerability was found in PHPGurukul Small CRM 1.0. | 9.8 |
2024-12-29 | CVE-2024-12999 | SQL Injection vulnerability in PHPGurukul Small CRM 1.0. A vulnerability has been found in PHPGurukul Small CRM 1.0 and classified as critical. | 9.8 |
2024-12-28 | CVE-2024-12998 | Cross-site Scripting vulnerability in Fabianros Online Car Rental System 1.0. A vulnerability, which was classified as problematic, was found in code-projects Online Car Rental System 1.0. | 6.1 |
2024-12-28 | CVE-2024-56512 | Missing Authorization vulnerability in Apache NiFi. Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. | 5.4 |
2024-12-28 | CVE-2024-56682 | NULL Pointer Dereference vulnerability in Linux Kernel. In the Linux kernel, the following vulnerability has been resolved: irqchip/riscv-aplic: Prevent crash when MSI domain is missing. If the APLIC driver is probed before the IMSIC driver, the parent MSI domain will be missing, which causes a NULL pointer dereference in msi_create_device_irq_domain(). Avoid this by deferring probe until the parent MSI domain is available. | 5.5 |
2024-12-28 | CVE-2024-56687 | Improper Locking vulnerability in Linux Kernel. In the Linux kernel, the following vulnerability has been resolved: usb: musb: Fix hardware lockup on first Rx endpoint request. There is a possibility that a request's callback could be invoked from usb_ep_queue() (call trace below, supplemented with missing calls): req->complete from usb_gadget_giveback_request (drivers/usb/gadget/udc/core.c:999); usb_gadget_giveback_request from musb_g_giveback (drivers/usb/musb/musb_gadget.c:147); musb_g_giveback from rxstate (drivers/usb/musb/musb_gadget.c:784); rxstate from musb_ep_restart (drivers/usb/musb/musb_gadget.c:1169); musb_ep_restart from musb_ep_restart_resume_work (drivers/usb/musb/musb_gadget.c:1176); musb_ep_restart_resume_work from musb_queue_resume_work (drivers/usb/musb/musb_core.c:2279); musb_queue_resume_work from musb_gadget_queue (drivers/usb/musb/musb_gadget.c:1241); musb_gadget_queue from usb_ep_queue (drivers/usb/gadget/udc/core.c:300). According to the docstring of usb_ep_queue(), this should not happen: "Note that @req's ->complete() callback must never be called from within usb_ep_queue() as that can create deadlock situations." In fact, a hardware lockup might occur in the following sequence: 1. | 5.5 |
2024-12-28 | CVE-2024-56688 | NULL Pointer Dereference vulnerability in Linux Kernel. In the Linux kernel, the following vulnerability has been resolved: sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport. Since transport->sock has been set to NULL during reset transport, XPRT_SOCK_UPD_TIMEOUT also needs to be cleared. | 5.5 |
2024-12-28 | CVE-2024-56689 | NULL Pointer Dereference vulnerability in Linux Kernel. In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: epf-mhi: Avoid NULL dereference if DT lacks 'mmio'. If platform_get_resource_byname() fails and returns NULL because DT lacks an 'mmio' property for the MHI endpoint, dereferencing res->start will cause a NULL pointer access. | 5.5 |