Weekly Vulnerabilities Reports > May 6 to 12, 2024
Overview
26 new vulnerabilities were reported during this period, including 4 critical and 15 high severity vulnerabilities. This weekly summary reports vulnerabilities in 10 products from 6 vendors, including Google, F5, Oisf, Fedoraproject, and Apple. The vulnerabilities are notably categorized as "Allocation of Resources Without Limits or Throttling", "Out-of-bounds Write", "SQL Injection", "Improper Certificate Validation", and "Use After Free".
- 11 reported vulnerabilities are remotely exploitable.
- 4 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 15 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 18 reported vulnerabilities.
- F5 has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported for the period covered by this report:
4 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2024-05-08 | CVE-2024-21793 | F5 | SQL Injection vulnerability in F5 BIG-IP Next Central Manager 20.1.0. An OData injection vulnerability exists in the BIG-IP Next Central Manager API (URI). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 9.8 |
2024-05-08 | CVE-2024-26026 | F5 | SQL Injection vulnerability in F5 BIG-IP Next Central Manager 20.1.0. An SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 9.8 |
2024-05-08 | CVE-2024-32113 | Apache | Unspecified vulnerability in Apache OFBiz. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue. | 9.8 |
2024-05-07 | CVE-2024-4558 | Google Fedoraproject Apple | Use After Free vulnerability in multiple products. Use after free in ANGLE in Google Chrome prior to 124.0.6367.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 9.6 |
15 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2024-05-08 | CVE-2024-33612 | F5 | Improper Certificate Validation vulnerability in F5 BIG-IP Next Central Manager 20.1.0. An improper certificate validation vulnerability exists in BIG-IP Next Central Manager and may allow an attacker to impersonate an Instance Provider system. | 8.0 |
2024-05-07 | CVE-2024-0024 | Google | Unspecified vulnerability in Google Android. In multiple methods of UserManagerService.java, there is a possible failure to persist or enforce user restrictions due to improper input validation. | 7.8 |
2024-05-07 | CVE-2024-0025 | Google | Unspecified vulnerability in Google Android. In sendIntentSender of ActivityManagerService.java, there is a possible background activity launch due to a logic error. | 7.8 |
2024-05-07 | CVE-2024-0042 | Google | Improper Certificate Validation vulnerability in Google Android. In TBD of TBD, there is a possible confusion of OEM and DRM certificates due to improperly used crypto. | 7.8 |
2024-05-07 | CVE-2024-0043 | Google | Unspecified vulnerability in Google Android. In multiple locations, there is a possible notification listener grant to an app running in the work profile due to a logic error in the code. | 7.8 |
2024-05-07 | CVE-2024-23704 | Google | Missing Authorization vulnerability in Google Android 13.0/14.0. In onCreate of WifiDialogActivity.java, there is a possible way to bypass the DISALLOW_ADD_WIFI_CONFIG restriction due to a missing permission check. | 7.8 |
2024-05-07 | CVE-2024-23705 | Google | Unspecified vulnerability in Google Android. In multiple locations, there is a possible failure to persist or enforce user restrictions due to improper input validation. | 7.8 |
2024-05-07 | CVE-2024-23706 | Google | Unspecified vulnerability in Google Android 14.0. In multiple locations, there is a possible bypass of health data permissions due to improper input validation. | 7.8 |
2024-05-07 | CVE-2024-23707 | Google | Unspecified vulnerability in Google Android 14.0. In multiple locations, there is a possible permissions bypass due to improper input validation. | 7.8 |
2024-05-07 | CVE-2024-23708 | Google | Unspecified vulnerability in Google Android. In multiple functions of NotificationManagerService.java, there is a possible way to not show a toast message when a clipboard message has been accessed. | 7.8 |
2024-05-07 | CVE-2024-23710 | Google | Unspecified vulnerability in Google Android 13.0/14.0. In assertPackageWithSharedUserIdIsPrivileged of InstallPackageHelper.java, there is a possible execution of arbitrary app code as a privileged app due to a logic error in the code. | 7.8 |
2024-05-07 | CVE-2024-23713 | Google | Unspecified vulnerability in Google Android. In migrateNotificationFilter of NotificationManagerService.java, there is a possible failure to persist notification settings due to improper input validation. | 7.8 |
2024-05-07 | CVE-2024-32663 | Oisf | Allocation of Resources Without Limits or Throttling vulnerability in Oisf Suricata. Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. | 7.5 |
2024-05-08 | CVE-2024-32049 | F5 | Unspecified vulnerability in F5 BIG-IP Next Central Manager. BIG-IP Next Central Manager (CM) may allow an unauthenticated, remote attacker to obtain the BIG-IP Next LTM/WAF instance credentials. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 7.4 |
2024-05-07 | CVE-2024-32664 | Oisf | Classic Buffer Overflow vulnerability in Oisf Suricata. Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. | 7.3 |
7 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2024-05-07 | CVE-2024-23709 | Google | Out-of-bounds Write vulnerability in Google Android. In multiple locations, there is a possible out of bounds write due to a heap buffer overflow. | 6.5 |
2024-05-07 | CVE-2024-4559 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products. Heap buffer overflow in WebAudio in Google Chrome prior to 124.0.6367.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 |
2024-05-07 | CVE-2024-0022 | Google | Unspecified vulnerability in Google Android 13.0/14.0. In multiple functions of CompanionDeviceManagerService.java, there is a possible launch of NotificationAccessConfirmationActivity of another user profile due to improper input validation. | 5.5 |
2024-05-07 | CVE-2024-0026 | Google | Allocation of Resources Without Limits or Throttling vulnerability in Google Android. In multiple functions of SnoozeHelper.java, there is a possible persistent denial of service due to resource exhaustion. | 5.5 |
2024-05-07 | CVE-2024-0027 | Google | Allocation of Resources Without Limits or Throttling vulnerability in Google Android. In multiple functions of SnoozeHelper.java, there is a possible way to cause a boot loop due to resource exhaustion. | 5.5 |
2024-05-07 | CVE-2024-23712 | Google | Unspecified vulnerability in Google Android. In multiple functions of AppOpsService.java, there is a possible way to saturate the content of /data/system/appops_accesses.xml due to resource exhaustion. | 5.5 |
2024-05-07 | CVE-2024-32867 | Oisf | Improper Check for Unusual or Exceptional Conditions vulnerability in Oisf Suricata. Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. | 5.3 |
0 Low Vulnerabilities
No low severity vulnerabilities were reported for this period.
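To check the Overview figures against the tables above, here is a small added example (not part of the report or any vendor's code) that parses the report's pipe-delimited rows into records, assigns each score its CVSS v3.x qualitative band (9.0-10.0 critical, 7.0-8.9 high, 4.0-6.9 medium, 0.1-3.9 low), and tallies counts by severity and by vendor. The rows are transcribed from this page with the description column dropped; where the extracted page left the vendor cell empty on the Android rows, the example assumes Google. Multi-vendor cells such as "Google Fedoraproject Apple" credit each vendor once, which is how the per-vendor totals in the Overview come out.

```python
"""Recompute this weekly report's Overview figures from its vulnerability tables.

Parses pipe-delimited rows (DATE | CVE | VENDOR | CVSS), assigns the CVSS v3.x
qualitative severity band to each score, and aggregates per severity and per
vendor. Added example; not code from the report or any vendor.
"""
from collections import Counter
from dataclasses import dataclass

# Rows transcribed from the report's tables, description column dropped.
# ASSUMPTION: the Android rows, whose vendor cell is empty on the extracted
# page, are attributed to Google.
REPORT_ROWS = """\
DATE | CVE | VENDOR | CVSS |
---|---|---|---|
2024-05-08 | CVE-2024-21793 | F5 | 9.8 |
2024-05-08 | CVE-2024-26026 | F5 | 9.8 |
2024-05-08 | CVE-2024-32113 | Apache | 9.8 |
2024-05-07 | CVE-2024-4558 | Google Fedoraproject Apple | 9.6 |
2024-05-08 | CVE-2024-33612 | F5 | 8.0 |
2024-05-07 | CVE-2024-0024 | Google | 7.8 |
2024-05-07 | CVE-2024-0025 | Google | 7.8 |
2024-05-07 | CVE-2024-0042 | Google | 7.8 |
2024-05-07 | CVE-2024-0043 | Google | 7.8 |
2024-05-07 | CVE-2024-23704 | Google | 7.8 |
2024-05-07 | CVE-2024-23705 | Google | 7.8 |
2024-05-07 | CVE-2024-23706 | Google | 7.8 |
2024-05-07 | CVE-2024-23707 | Google | 7.8 |
2024-05-07 | CVE-2024-23708 | Google | 7.8 |
2024-05-07 | CVE-2024-23710 | Google | 7.8 |
2024-05-07 | CVE-2024-23713 | Google | 7.8 |
2024-05-07 | CVE-2024-32663 | Oisf | 7.5 |
2024-05-08 | CVE-2024-32049 | F5 | 7.4 |
2024-05-07 | CVE-2024-32664 | Oisf | 7.3 |
2024-05-07 | CVE-2024-23709 | Google | 6.5 |
2024-05-07 | CVE-2024-4559 | Google Fedoraproject | 6.5 |
2024-05-07 | CVE-2024-0022 | Google | 5.5 |
2024-05-07 | CVE-2024-0026 | Google | 5.5 |
2024-05-07 | CVE-2024-0027 | Google | 5.5 |
2024-05-07 | CVE-2024-23712 | Google | 5.5 |
2024-05-07 | CVE-2024-32867 | Oisf | 5.3 |
"""


@dataclass(frozen=True)
class Entry:
    date: str
    cve: str
    vendors: tuple  # one row may credit several vendors (Chrome rows do)
    cvss: float


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating scale (FIRST): 9.0-10.0 critical,
    7.0-8.9 high, 4.0-6.9 medium, 0.1-3.9 low, 0.0 none."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def parse_rows(text: str) -> list:
    """Turn the report's table text into Entry records, rejecting malformed
    rows and duplicate CVE ids so a bad transcription fails loudly."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().strip("|")
        if not line or line.startswith("DATE") or line.startswith("---"):
            continue  # header and separator rows
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4:
            raise ValueError(f"expected 4 cells, got {len(cells)}: {raw!r}")
        date, cve, vendor, cvss = cells
        if not cve.startswith("CVE-"):
            raise ValueError(f"not a CVE id: {cve!r}")
        entries.append(Entry(date, cve, tuple(vendor.split()), float(cvss)))
    ids = [e.cve for e in entries]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate CVE ids in report")
    return entries


def summarize(entries) -> dict:
    """Aggregate the counts the Overview section states."""
    by_severity = Counter(severity(e.cvss) for e in entries)
    by_vendor = Counter(v for e in entries for v in e.vendors)
    critical_by_vendor = Counter(
        v for e in entries if severity(e.cvss) == "critical" for v in e.vendors
    )
    return {
        "total": len(entries),
        "severity": by_severity,
        "vendors": by_vendor,
        "critical_by_vendor": critical_by_vendor,
        "top_vendor": by_vendor.most_common(1)[0] if by_vendor else None,
    }


if __name__ == "__main__":
    s = summarize(parse_rows(REPORT_ROWS))
    print(s["total"], dict(s["severity"]))
    print(dict(s["vendors"]), "top:", s["top_vendor"])
```

Running it reproduces the Overview arithmetic: 26 entries, 4 critical, 15 high, 7 medium, none low, Google credited on 18 rows and F5 on 2 of the 4 critical rows. The banding function is the one to reuse when a feed supplies only a numeric score; note that 9.0 is critical and 8.9 is high, so compare with the band floors rather than rounding.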