Weekly Vulnerabilities Reports > March 18 to 24, 2024

Overview

93 new vulnerabilities were reported during this period, including 17 critical vulnerabilities and 15 high severity vulnerabilities. This weekly summary reports vulnerabilities in 14 products from 9 vendors including Tenda, Google, Fedoraproject, IBM, and Microsoft. Vulnerabilities are notably categorized as "Cross-site Scripting", "Stack-based Buffer Overflow", "OS Command Injection", "Out-of-bounds Write", and "Out-of-bounds Read".

  • 80 reported vulnerabilities are remotely exploitable.
  • 45 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 45 reported vulnerabilities are exploitable by an anonymous user.
  • Tenda has the most reported vulnerabilities, with 19 reported vulnerabilities.
  • Tenda has the most reported critical vulnerabilities, with 16 reported vulnerabilities.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:


17 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-03-24 CVE-2024-2856 Tenda Stack-based Buffer Overflow vulnerability in Tenda Ac10 Firmware 16.03.10.13/16.03.10.20

A vulnerability, which was classified as critical, has been found in Tenda AC10 16.03.10.13/16.03.10.20.

9.8
2024-03-24 CVE-2024-2854 Tenda OS Command Injection vulnerability in Tenda Ac18 Firmware 15.03.05.05

A vulnerability classified as critical has been found in Tenda AC18 15.03.05.05.

9.8
2024-03-24 CVE-2024-2855 Tenda Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.19/15.03.20Multi

A vulnerability classified as critical was found in Tenda AC15 15.03.05.18/15.03.05.19/15.03.20.

9.8
2024-03-24 CVE-2024-2852 Tenda Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.20Multi

A vulnerability was found in Tenda AC15 15.03.20_multi.

9.8
2024-03-24 CVE-2024-2853 Tenda OS Command Injection vulnerability in Tenda Ac10U Firmware 15.03.06.48/15.03.06.49

A vulnerability was found in Tenda AC10U 15.03.06.48/15.03.06.49.

9.8
2024-03-24 CVE-2024-2851 Tenda OS Command Injection vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.20Multi

A vulnerability was found in Tenda AC15 15.03.05.18/15.03.20_multi.

9.8
2024-03-24 CVE-2024-2850 Tenda Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18

A vulnerability was found in Tenda AC15 15.03.05.18 and classified as critical.

9.8
2024-03-22 CVE-2024-2815 Tenda Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.20Multi

A vulnerability classified as critical has been found in Tenda AC15 15.03.20_multi.

9.8
2024-03-22 CVE-2024-2813 Tenda Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.20Multi

A vulnerability was found in Tenda AC15 15.03.20_multi.

9.8
2024-03-22 CVE-2024-2814 Tenda Unspecified vulnerability in Tenda Ac15 Firmware 15.03.05.20Multi

A vulnerability was found in Tenda AC15 15.03.20_multi.

9.8
2024-03-22 CVE-2024-2809 Tenda Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.20Multi

A vulnerability, which was classified as critical, was found in Tenda AC15 15.03.05.18/15.03.20_multi.

9.8
2024-03-22 CVE-2024-2810 Tenda Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.20Multi

A vulnerability has been found in Tenda AC15 15.03.05.18/15.03.20_multi and classified as critical.

9.8
2024-03-22 CVE-2024-2811 Tenda Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.20Multi

A vulnerability was found in Tenda AC15 15.03.20_multi and classified as critical.

9.8
2024-03-22 CVE-2024-2806 Tenda Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.20Multi

A vulnerability classified as critical has been found in Tenda AC15 15.03.05.18/15.03.20_multi.

9.8
2024-03-22 CVE-2024-2807 Tenda Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.20Multi

A vulnerability classified as critical was found in Tenda AC15 15.03.05.18/15.03.20_multi.

9.8
2024-03-22 CVE-2024-2808 Tenda Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.20Multi

A vulnerability, which was classified as critical, has been found in Tenda AC15 15.03.05.18/15.03.20_multi.

9.8
2024-03-21 CVE-2024-1202 Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass.

This issue affects Octopod: before v1. NOTE: The vendor was contacted and it was learned that the product is not supported.

9.8

15 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-03-22 CVE-2024-2812 Tenda OS Command Injection vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.20Multi

A vulnerability was found in Tenda AC15 15.03.05.18/15.03.20_multi.

8.8
2024-03-21 CVE-2024-28029 Deltaww Unspecified vulnerability in Deltaww Diaenergie

Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.

8.8
2024-03-21 CVE-2024-28916 Xbox Gaming Services Elevation of Privilege Vulnerability
8.8
2024-03-20 CVE-2024-2625 Google, Fedoraproject

Object lifecycle issue in V8 in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page.

8.8
2024-03-20 CVE-2024-2627 Google, Fedoraproject Use After Free vulnerability in multiple products

Use after free in Canvas in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-03-18 CVE-2024-20767 ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read.
8.2
2024-03-18 CVE-2024-20761 Animate versions 24.0, 23.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2024-03-18 CVE-2024-20752 Bridge versions 13.0.5, 14.0.1 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2024-03-18 CVE-2024-20755 Bridge versions 13.0.5, 14.0.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2024-03-18 CVE-2024-20756 Bridge versions 13.0.5, 14.0.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2024-03-18 CVE-2024-20745 Premiere Pro versions 24.1, 23.6.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2024-03-18 CVE-2024-20746 Premiere Pro versions 24.1, 23.6.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2024-03-23 CVE-2024-29059 .NET Framework Information Disclosure Vulnerability
7.5
2024-03-18 CVE-2024-20754 Lightroom Desktop versions 7.1.2 and earlier are affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user.
7.5
2024-03-18 CVE-2022-47037 Siklu Insufficiently Protected Credentials vulnerability in Siklu TG Firmware

Siklu TG Terragraph devices before 2.1.1 allow attackers to discover valid, randomly generated credentials via GetCredentials.

7.5

59 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-03-22 CVE-2022-32753 IBM Inadequate Encryption Strength vulnerability in IBM Security Verify Directory 10.0.0

IBM Security Verify Directory 10.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

6.5
2024-03-22 CVE-2024-2816 Tenda Cross-Site Request Forgery (CSRF) vulnerability in Tenda Ac15 Firmware 15.03.05.18

A vulnerability classified as problematic was found in Tenda AC15 15.03.05.18.

6.5
2024-03-22 CVE-2024-2817 Tenda Cross-Site Request Forgery (CSRF) vulnerability in Tenda Ac15 Firmware 15.03.05.18

A vulnerability, which was classified as problematic, has been found in Tenda AC15 15.03.05.18.

6.5
2024-03-20 CVE-2024-2626 Google, Fedoraproject Out-of-bounds Read vulnerability in multiple products

Out of bounds read in Swiftshader in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page.

6.5
2024-03-20 CVE-2024-2630 Google, Fedoraproject

Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

6.5
2024-03-19 CVE-2023-50811 Seling Unspecified vulnerability in Seling Visual Access Manager 4.38.6

An issue discovered in SELESTA Visual Access Manager 4.38.6 allows attackers to modify the “computer” POST parameter related to the ID of a specific reception by POST HTTP request interception.

6.5
2024-03-21 CVE-2024-22352 IBM Information Exposure Through Log Files vulnerability in IBM Infosphere Information Server 11.7

IBM InfoSphere Information Server 11.7 stores potentially sensitive information in log files that could be read by a local user.

5.5
2024-03-18 CVE-2024-20763 Animate versions 24.0, 23.0.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.
5.5
2024-03-18 CVE-2024-20764 Animate versions 24.0, 23.0.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.
5.5
2024-03-18 CVE-2024-20757 Bridge versions 13.0.5, 14.0.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.
5.5
2024-03-20 CVE-2024-29471 Zhyd Cross-site Scripting vulnerability in Zhyd Oneblog 2.3.4

OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Notice Manage module.

5.4
2024-03-20 CVE-2024-29472 Zhyd Cross-site Scripting vulnerability in Zhyd Oneblog 2.3.4

OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Privilege Management module.

5.4
2024-03-18 CVE-2024-20760 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-20768 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26028 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26030 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26032 Adobe Experience Manager versions 6.5.19 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable web pages.
5.4
2024-03-18 CVE-2024-26033 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26034 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26035 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26038 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26040 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26041 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26043 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26044 Adobe Experience Manager versions 6.5.19 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into a webpage.
5.4
2024-03-18 CVE-2024-26045 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26052 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26056 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26059 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26061 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26062 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26065 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26067 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26069 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26073 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26094 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26096 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26101 Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.
5.4
2024-03-18 CVE-2024-26102 Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.
5.4
2024-03-18 CVE-2024-26103 Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.
5.4
2024-03-18 CVE-2024-26104 Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.
5.4
2024-03-18 CVE-2024-26105 Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.
5.4
2024-03-18 CVE-2024-26106 Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.
5.4
2024-03-18 CVE-2024-26118 Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.
5.4
2024-03-18 CVE-2024-26120 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26124 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-18 CVE-2024-26125 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
5.4
2024-03-22 CVE-2022-32751 IBM Unspecified vulnerability in IBM Security Verify Directory 10.0.0

IBM Security Verify Directory 10.0.0 could disclose sensitive server information that could be used in further attacks against the system.

5.3
2024-03-18 CVE-2024-26063 Adobe Experience Manager versions 6.5.19 and earlier are affected by an Information Exposure vulnerability that could result in a Security feature bypass.
5.3
2024-03-18 CVE-2024-26119 Adobe Experience Manager versions 6.5.19 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass.
5.3
2024-03-22 CVE-2022-32754 IBM Cross-site Scripting vulnerability in IBM Security Verify Directory 10.0.0

IBM Security Verify Directory 10.0.0 is vulnerable to cross-site scripting.

4.8
2024-03-18 CVE-2024-26050 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
4.8
2024-03-22 CVE-2024-26247 Microsoft Unspecified vulnerability in Microsoft Edge

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

4.7
2024-03-22 CVE-2024-29057 Microsoft Unspecified vulnerability in Microsoft Edge

Microsoft Edge (Chromium-based) Spoofing Vulnerability

4.3
2024-03-21 CVE-2023-47715 IBM Improper Privilege Management vulnerability in IBM Storage Protect Plus

IBM Storage Protect Plus Server 10.1.0 through 10.1.16 could allow an authenticated user with read-only permissions to add or delete entries from an existing HyperVisor configuration.

4.3
2024-03-21 CVE-2024-26196 Microsoft Unspecified vulnerability in Microsoft Edge 112.0.1722.34/118.0.2088.88

Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability

4.3
2024-03-20 CVE-2024-2628 Google, Fedoraproject

Inappropriate implementation in Downloads in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted URL.

4.3
2024-03-20 CVE-2024-2629 Google, Fedoraproject

Incorrect security UI in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page.

4.3
2024-03-20 CVE-2024-2631 Google, Fedoraproject

Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page.

4.3

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-03-18 CVE-2024-26051 Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
3.4
2024-03-22 CVE-2022-32756 IBM Information Exposure Through an Error Message vulnerability in IBM Security Verify Directory 10.0.0

IBM Security Verify Directory 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

2.7