Weekly Vulnerabilities Reports > March 18 to 24, 2024

Overview

93 new vulnerabilities reported during this period, including 17 critical vulnerabilities and 15 high severity vulnerabilities. This weekly summary report vulnerabilities in 14 products from 9 vendors including Tenda, Google, Fedoraproject, IBM, and Microsoft. Vulnerabilities are notably categorized as "Cross-site Scripting", "Stack-based Buffer Overflow", "OS Command Injection", "Out-of-bounds Write", and "Out-of-bounds Read".

80 reported vulnerabilities are remotely exploitables.
45 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
45 reported vulnerabilities are exploitable by an anonymous user.
Tenda has the most reported vulnerabilities, with 19 reported vulnerabilities.
Tenda has the most reported critical vulnerabilities, with 16 reported vulnerabilities.

TOTAL
VULNERABILITIES

CRITICAL RISK
VULNERABILITIES

HIGH RISK
VULNERABILITIES

MEDIUM RISK
VULNERABILITIES

LOW RISK
VULNERABILITIES

REMOTELY
EXPLOITABLE

LOCALLY
EXPLOITABLE

EXPLOIT
AVAILABLE

EXPLOITABLE
ANONYMOUSLY

AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

17 Critical Vulnerabilities

DATE	CVE	VENDOR	VULNERABILITY	CVSS
2024-03-24	CVE-2024-2856	Tenda	Stack-based Buffer Overflow vulnerability in Tenda Ac10 Firmware 16.03.10.13/16.03.10.20 A vulnerability, which was classified as critical, has been found in Tenda AC10 16.03.10.13/16.03.10.20.	9.8
2024-03-24	CVE-2024-2854	Tenda	OS Command Injection vulnerability in Tenda Ac18 Firmware 15.03.05.05 A vulnerability classified as critical has been found in Tenda AC18 15.03.05.05.	9.8
2024-03-24	CVE-2024-2855	Tenda	Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.19/15.03.20Multi A vulnerability classified as critical was found in Tenda AC15 15.03.05.18/15.03.05.19/15.03.20.	9.8
2024-03-24	CVE-2024-2852	Tenda	Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.20Multi A vulnerability was found in Tenda AC15 15.03.20_multi.	9.8
2024-03-24	CVE-2024-2853	Tenda	OS Command Injection vulnerability in Tenda Ac10U Firmware 15.03.06.48/15.03.06.49 A vulnerability was found in Tenda AC10U 15.03.06.48/15.03.06.49.	9.8
2024-03-24	CVE-2024-2851	Tenda	OS Command Injection vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.20Multi A vulnerability was found in Tenda AC15 15.03.05.18/15.03.20_multi.	9.8
2024-03-24	CVE-2024-2850	Tenda	Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18 A vulnerability was found in Tenda AC15 15.03.05.18 and classified as critical.	9.8
2024-03-22	CVE-2024-2815	Tenda	Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.20Multi A vulnerability classified as critical has been found in Tenda AC15 15.03.20_multi.	9.8
2024-03-22	CVE-2024-2813	Tenda	Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.20Multi A vulnerability was found in Tenda AC15 15.03.20_multi.	9.8
2024-03-22	CVE-2024-2814	Tenda	Unspecified vulnerability in Tenda Ac15 Firmware 15.03.05.20Multi A vulnerability was found in Tenda AC15 15.03.20_multi.	9.8
2024-03-22	CVE-2024-2809	Tenda	Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.20Multi A vulnerability, which was classified as critical, was found in Tenda AC15 15.03.05.18/15.03.20_multi.	9.8
2024-03-22	CVE-2024-2810	Tenda	Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.20Multi A vulnerability has been found in Tenda AC15 15.03.05.18/15.03.20_multi and classified as critical.	9.8
2024-03-22	CVE-2024-2811	Tenda	Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.20Multi A vulnerability was found in Tenda AC15 15.03.20_multi and classified as critical.	9.8
2024-03-22	CVE-2024-2806	Tenda	Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.20Multi A vulnerability classified as critical has been found in Tenda AC15 15.03.05.18/15.03.20_multi.	9.8
2024-03-22	CVE-2024-2807	Tenda	Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.20Multi A vulnerability classified as critical was found in Tenda AC15 15.03.05.18/15.03.20_multi.	9.8
2024-03-22	CVE-2024-2808	Tenda	Stack-based Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.20Multi A vulnerability, which was classified as critical, has been found in Tenda AC15 15.03.05.18/15.03.20_multi.	9.8
2024-03-21	CVE-2024-1202		Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass.This issue affects Octopod: before v1. NOTE: The vendor was contacted and it was learned that the product is not supported.	9.8

Expand/Hide

15 High Vulnerabilities

DATE	CVE	VENDOR	VULNERABILITY	CVSS
2024-03-22	CVE-2024-2812	Tenda	OS Command Injection vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.20Multi A vulnerability was found in Tenda AC15 15.03.05.18/15.03.20_multi.	8.8
2024-03-21	CVE-2024-28029	Deltaww	Unspecified vulnerability in Deltaww Diaenergie Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.	8.8
2024-03-21	CVE-2024-28916		Xbox Gaming Services Elevation of Privilege Vulnerability	8.8
2024-03-20	CVE-2024-2625	Google Fedoraproject	Object lifecycle issue in V8 in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page.	8.8
2024-03-20	CVE-2024-2627	Google Fedoraproject	Use After Free vulnerability in multiple products Use after free in Canvas in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.	8.8
2024-03-18	CVE-2024-20767		ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read.	8.2
2024-03-18	CVE-2024-20761		Animate versions 24.0, 23.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.	7.8
2024-03-18	CVE-2024-20752		Bridge versions 13.0.5, 14.0.1 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.	7.8
2024-03-18	CVE-2024-20755		Bridge versions 13.0.5, 14.0.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.	7.8
2024-03-18	CVE-2024-20756		Bridge versions 13.0.5, 14.0.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.	7.8
2024-03-18	CVE-2024-20745		Premiere Pro versions 24.1, 23.6.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.	7.8
2024-03-18	CVE-2024-20746		Premiere Pro versions 24.1, 23.6.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.	7.8
2024-03-23	CVE-2024-29059		.NET Framework Information Disclosure Vulnerability	7.5
2024-03-18	CVE-2024-20754		Lightroom Desktop versions 7.1.2 and earlier are affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user.	7.5
2024-03-18	CVE-2022-47037	Siklu	Insufficiently Protected Credentials vulnerability in Siklu TG Firmware Siklu TG Terragraph devices before 2.1.1 allow attackers to discover valid, randomly generated credentials via GetCredentials.	7.5

Expand/Hide

59 Medium Vulnerabilities

DATE	CVE	VENDOR	VULNERABILITY	CVSS
2024-03-22	CVE-2022-32753	IBM	Inadequate Encryption Strength vulnerability in IBM Security Verify Directory 10.0.0 IBM Security Verify Directory 10.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.	6.5
2024-03-22	CVE-2024-2816	Tenda	Cross-Site Request Forgery (CSRF) vulnerability in Tenda Ac15 Firmware 15.03.05.18 A vulnerability classified as problematic was found in Tenda AC15 15.03.05.18.	6.5
2024-03-22	CVE-2024-2817	Tenda	Cross-Site Request Forgery (CSRF) vulnerability in Tenda Ac15 Firmware 15.03.05.18 A vulnerability, which was classified as problematic, has been found in Tenda AC15 15.03.05.18.	6.5
2024-03-20	CVE-2024-2626	Google Fedoraproject	Out-of-bounds Read vulnerability in multiple products Out of bounds read in Swiftshader in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page.	6.5
2024-03-20	CVE-2024-2630	Google Fedoraproject	Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to leak cross-origin data via a crafted HTML page.	6.5
2024-03-19	CVE-2023-50811	Seling	Unspecified vulnerability in Seling Visual Access Manager 4.38.6 An issue discovered in SELESTA Visual Access Manager 4.38.6 allows attackers to modify the “computer” POST parameter related to the ID of a specific reception by POST HTTP request interception.	6.5
2024-03-21	CVE-2024-22352	IBM	Information Exposure Through Log Files vulnerability in IBM Infosphere Information Server 11.7 IBM InfoSphere Information Server 11.7 stores potentially sensitive information in log files that could be read by a local user.	5.5
2024-03-18	CVE-2024-20763		Animate versions 24.0, 23.0.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.	5.5
2024-03-18	CVE-2024-20764		Animate versions 24.0, 23.0.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.	5.5
2024-03-18	CVE-2024-20757		Bridge versions 13.0.5, 14.0.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.	5.5
2024-03-20	CVE-2024-29471	Zhyd	Cross-site Scripting vulnerability in Zhyd Oneblog 2.3.4 OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Notice Manage module.	5.4
2024-03-20	CVE-2024-29472	Zhyd	Cross-site Scripting vulnerability in Zhyd Oneblog 2.3.4 OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Privilege Management module.	5.4
2024-03-18	CVE-2024-20760		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-20768		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26028		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26030		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26032		Adobe Experience Manager versions 6.5.19 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable web pages.	5.4
2024-03-18	CVE-2024-26033		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26034		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26035		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26038		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26040		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26041		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26043		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26044		Adobe Experience Manager versions 6.5.19 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into a webpage.	5.4
2024-03-18	CVE-2024-26045		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26052		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26056		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26059		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26061		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26062		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26065		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26067		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26069		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26073		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26094		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26096		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26101		Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.	5.4
2024-03-18	CVE-2024-26102		Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.	5.4
2024-03-18	CVE-2024-26103		Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.	5.4
2024-03-18	CVE-2024-26104		Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.	5.4
2024-03-18	CVE-2024-26105		Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.	5.4
2024-03-18	CVE-2024-26106		Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.	5.4
2024-03-18	CVE-2024-26118		Adobe Experience Manager versions 6.5.19 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.	5.4
2024-03-18	CVE-2024-26120		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26124		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-18	CVE-2024-26125		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	5.4
2024-03-22	CVE-2022-32751	IBM	Unspecified vulnerability in IBM Security Verify Directory 10.0.0 IBM Security Verify Directory 10.0.0 could disclose sensitive server information that could be used in further attacks against the system.	5.3
2024-03-18	CVE-2024-26063		Adobe Experience Manager versions 6.5.19 and earlier are affected by an Information Exposure vulnerability that could result in a Security feature bypass.	5.3
2024-03-18	CVE-2024-26119		Adobe Experience Manager versions 6.5.19 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass.	5.3
2024-03-22	CVE-2022-32754	IBM	Cross-site Scripting vulnerability in IBM Security Verify Directory 10.0.0 IBM Security Verify Directory 10.0.0 is vulnerable to cross-site scripting.	4.8
2024-03-18	CVE-2024-26050		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	4.8
2024-03-22	CVE-2024-26247	Microsoft	Unspecified vulnerability in Microsoft Edge Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability	4.7
2024-03-22	CVE-2024-29057	Microsoft	Unspecified vulnerability in Microsoft Edge Microsoft Edge (Chromium-based) Spoofing Vulnerability	4.3
2024-03-21	CVE-2023-47715	IBM	Improper Privilege Management vulnerability in IBM Storage Protect Plus IBM Storage Protect Plus Server 10.1.0 through 10.1.16 could allow an authenticated user with read-only permissions to add or delete entries from an existing HyperVisor configuration.	4.3
2024-03-21	CVE-2024-26196	Microsoft	Unspecified vulnerability in Microsoft Edge 112.0.1722.34/118.0.2088.88 Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability	4.3
2024-03-20	CVE-2024-2628	Google Fedoraproject	Inappropriate implementation in Downloads in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted URL.	4.3
2024-03-20	CVE-2024-2629	Google Fedoraproject	Incorrect security UI in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page.	4.3
2024-03-20	CVE-2024-2631	Google Fedoraproject	Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page.	4.3

Expand/Hide

2 Low Vulnerabilities

DATE	CVE	VENDOR	VULNERABILITY	CVSS
2024-03-18	CVE-2024-26051		Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.	3.4
2024-03-22	CVE-2022-32756	IBM	Information Exposure Through an Error Message vulnerability in IBM Security Verify Directory 10.0.0 IBM Security Verify Directory 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.	2.7