Weekly Vulnerabilities Reports > August 5 to 11, 2024

Overview

411 new vulnerabilities reported during this period, including 61 critical vulnerabilities and 160 high severity vulnerabilities. This weekly summary report vulnerabilities in 199 products from 92 vendors including Janobe, Samsung, Linux, Google, and Mozilla. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Out-of-bounds Read", and "Use After Free".

  • 290 reported vulnerabilities are remotely exploitables.
  • 119 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 237 reported vulnerabilities are exploitable by an anonymous user.
  • Janobe has the most reported vulnerabilities, with 37 reported vulnerabilities.
  • Totolink has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

61 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-08-08 CVE-2024-41161 Vonets Use of Hard-coded Credentials vulnerability in Vonets products

Use of hard-coded credentials vulnerability affecting Vonets industrial wifi bridge relays and WiFi bridge repeaters, software versions 3.3.23.6.9 and prior, enables an unauthenticated remote attacker to bypass authentication using hard-coded administrator credentials.

9.8
2024-08-08 CVE-2024-42355 Shopware Code Injection vulnerability in Shopware

Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag.

9.8
2024-08-08 CVE-2024-42357 Shopware SQL Injection vulnerability in Shopware

Shopware is an open commerce platform.

9.8
2024-08-08 CVE-2024-7490 Microchip Classic Buffer Overflow vulnerability in Microchip Advanced Software Framework

Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow. This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option. This issue affects Advanced Software Framework: through 3.52.0.2574. ASF is no longer being supported.

9.8
2024-08-08 CVE-2024-42256 Linux Unspecified vulnerability in Linux Kernel 6.10/6.10.0

In the Linux kernel, the following vulnerability has been resolved: cifs: Fix server re-repick on subrequest retry When a subrequest is marked for needing retry, netfs will call cifs_prepare_write() which will make cifs repick the server for the op before renegotiating credits; it then calls cifs_issue_write() which invokes smb2_async_writev() - which re-repicks the server. If a different server is then selected, this causes the increment of server->in_flight to happen against one record and the decrement to happen against another, leading to misaccounting. Fix this by just removing the repick code in smb2_async_writev().

9.8
2024-08-08 CVE-2024-7350 The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7.
9.8
2024-08-07 CVE-2024-41912 HP Unspecified vulnerability in HP Poly Clariti Manager Firmware

A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices.

9.8
2024-08-07 CVE-2024-41237 Lopalopa SQL Injection vulnerability in Lopalopa Responsive School Management System 3.2.0

A SQL injection vulnerability in /smsa/teacher_login.php in Kashipara Responsive School Management System v1.0 allows an attacker to execute arbitrary SQL commands via the "username" parameter.

9.8
2024-08-07 CVE-2024-20450 Cisco Classic Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges. These vulnerabilities exist because incoming HTTP packets are not properly checked for errors, which could result in a buffer overflow.

9.8
2024-08-07 CVE-2024-20454 Cisco Classic Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges. These vulnerabilities exist because incoming HTTP packets are not properly checked for errors, which could result in a buffer overflow.

9.8
2024-08-07 CVE-2024-7584 Tenda Classic Buffer Overflow vulnerability in Tenda I22 Firmware 1.0.0.3(4687)

A vulnerability, which was classified as critical, was found in Tenda i22 1.0.0.3(4687).

9.8
2024-08-07 CVE-2024-7585 Tenda Classic Buffer Overflow vulnerability in Tenda I22 Firmware 1.0.0.3(4687)

A vulnerability has been found in Tenda i22 1.0.0.3(4687) and classified as critical.

9.8
2024-08-07 CVE-2024-34479 Oretnom23 SQL Injection vulnerability in Oretnom23 Computer Laboratory Management System 1.0

SourceCodester Computer Laboratory Management System 1.0 allows classes/Master.php id SQL Injection.

9.8
2024-08-07 CVE-2024-34480 Oretnom23 SQL Injection vulnerability in Oretnom23 Computer Laboratory Management System 1.0

SourceCodester Computer Laboratory Management System 1.0 allows admin/category/view_category.php id SQL Injection.

9.8
2024-08-07 CVE-2024-7582 Tenda Out-of-bounds Write vulnerability in Tenda I22 Firmware 1.0.0.3(4687)

A vulnerability classified as critical was found in Tenda i22 1.0.0.3(4687).

9.8
2024-08-07 CVE-2024-7583 Tenda Out-of-bounds Write vulnerability in Tenda I22 Firmware 1.0.0.3(4687)

A vulnerability, which was classified as critical, has been found in Tenda i22 1.0.0.3(4687).

9.8
2024-08-07 CVE-2024-42005 Djangoproject SQL Injection vulnerability in Djangoproject Django

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15.

9.8
2024-08-07 CVE-2024-7580 Alientechnology OS Command Injection vulnerability in Alientechnology Alr-F800 Firmware

A vulnerability was found in Alien Technology ALR-F800 up to 19.10.24.00.

9.8
2024-08-07 CVE-2024-7581 Tendacn Out-of-bounds Write vulnerability in Tendacn A301 Firmware 15.13.08.12

A vulnerability classified as critical has been found in Tenda A301 15.13.08.12.

9.8
2024-08-07 CVE-2024-7578 Alientechnology Improper Authorization vulnerability in Alientechnology Alr-F800 Firmware

A vulnerability was found in Alien Technology ALR-F800 up to 19.10.24.00.

9.8
2024-08-07 CVE-2024-36130 Ivanti Improper Authentication vulnerability in Ivanti Endpoint Manager Mobile

An insufficient authorization vulnerability in web component of EPMM prior to 12.1.0.1 allows an unauthorized attacker within the network to execute arbitrary commands on the underlying operating system of the appliance.

9.8
2024-08-06 CVE-2024-42393 HP
Arubanetworks
Out-of-bounds Write vulnerability in multiple products

There are vulnerabilities in the Soft AP Daemon Service which could allow a threat actor to execute an unauthenticated RCE attack.

9.8
2024-08-06 CVE-2024-42394 HP
Arubanetworks
Out-of-bounds Write vulnerability in multiple products

There are vulnerabilities in the Soft AP Daemon Service which could allow a threat actor to execute an unauthenticated RCE attack.

9.8
2024-08-06 CVE-2024-42395 HP
Arubanetworks
Out-of-bounds Write vulnerability in multiple products

There is a vulnerability in the AP Certificate Management Service which could allow a threat actor to execute an unauthenticated RCE attack.

9.8
2024-08-06 CVE-2024-39227 GL Inet Injection vulnerability in Gl-Inet products

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain insecure permissions in the endpoint /cgi-bin/glc.

9.8
2024-08-06 CVE-2024-23483 Zscaler OS Command Injection vulnerability in Zscaler Client Connector

An Improper Input Validation vulnerability in Zscaler Client Connector on MacOS allows OS Command Injection. This issue affects Zscaler Client Connector on MacOS <4.2.

9.8
2024-08-06 CVE-2024-39225 GL Inet Improper Restriction of Excessive Authentication Attempts vulnerability in Gl-Inet products

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a remote code execution (RCE) vulnerability.

9.8
2024-08-06 CVE-2024-39226 GL Inet Path Traversal vulnerability in Gl-Inet products

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a vulnerability can be exploited to manipulate routers by passing malicious shell commands through the s2s API.

9.8
2024-08-06 CVE-2024-39228 GL Inet OS Command Injection vulnerability in Gl-Inet products

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a shell injection vulnerability via the interface check_ovpn_client_config and check_config.

9.8
2024-08-06 CVE-2024-41616 Dlink Use of Hard-coded Credentials vulnerability in Dlink Dir-300 Firmware 1.06B05Ww

D-Link DIR-300 REVA FIRMWARE v1.06B05_WW contains hardcoded credentials in the Telnet service.

9.8
2024-08-06 CVE-2024-6359 Opentext Unspecified vulnerability in Opentext Arcsight Intelligence

Privilege escalation vulnerability identified in OpenText ArcSight Intelligence.

9.8
2024-08-06 CVE-2024-33960 Janobe SQL Injection vulnerability in Janobe Credit Card, Debit Card Payment and Paypal

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

9.8
2024-08-06 CVE-2024-33974 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

9.8
2024-08-06 CVE-2024-6202 Haloservicesolutions Incorrect Authorization vulnerability in Haloservicesolutions Haloitsm

HaloITSM versions up to 2.146.1 are affected by a SAML XML Signature Wrapping (XSW) vulnerability.

9.8
2024-08-06 CVE-2024-7500 Angeljudesuarez Unrestricted Upload of File with Dangerous Type vulnerability in Angeljudesuarez Airline Reservation System 1.0

A vulnerability was found in itsourcecode Airline Reservation System 1.0.

9.8
2024-08-06 CVE-2024-7505 Rainniar SQL Injection vulnerability in Rainniar Bike Delivery System 1.0

A vulnerability, which was classified as critical, was found in itsourcecode Bike Delivery System 1.0.

9.8
2024-08-06 CVE-2024-7498 Angeljudesuarez SQL Injection vulnerability in Angeljudesuarez Airline Reservation System 1.0

A vulnerability was found in itsourcecode Airline Reservation System 1.0.

9.8
2024-08-06 CVE-2024-7499 Angeljudesuarez SQL Injection vulnerability in Angeljudesuarez Airline Reservation System 1.0

A vulnerability was found in itsourcecode Airline Reservation System 1.0.

9.8
2024-08-06 CVE-2024-7495 Itsourcecode Unrestricted Upload of File with Dangerous Type vulnerability in Itsourcecode Laravel Accounting System 1.0

A vulnerability, which was classified as critical, was found in itsourcecode Laravel Accounting System 1.0.

9.8
2024-08-05 CVE-2024-7494 Oretnom23 SQL Injection vulnerability in Oretnom23 Clinic'S Patient Management System 1.0

A vulnerability, which was classified as critical, has been found in SourceCodester Clinics Patient Management System 1.0.

9.8
2024-08-05 CVE-2024-38856 Apache Incorrect Authorization vulnerability in Apache Ofbiz

Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).

9.8
2024-08-05 CVE-2024-42447 Apache Insufficient Session Expiration vulnerability in Apache Apache-Airflow-Providers-Fab 1.2.0/1.2.1

Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions.

9.8
2024-08-05 CVE-2024-41889 Pimax Unspecified vulnerability in Pimax Pitool and Play

Multiple Pimax products accept WebSocket connections from unintended endpoints.

9.8
2024-08-05 CVE-2024-7469 Raisecom OS Command Injection vulnerability in Raisecom products

A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90.

9.8
2024-08-05 CVE-2024-7470 Raisecom OS Command Injection vulnerability in Raisecom products

A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90.

9.8
2024-08-05 CVE-2024-7467 Raisecom OS Command Injection vulnerability in Raisecom products

A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90 and classified as critical.

9.8
2024-08-05 CVE-2024-7468 Raisecom OS Command Injection vulnerability in Raisecom products

A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90.

9.8
2024-08-05 CVE-2024-7465 Totolink Classic Buffer Overflow vulnerability in Totolink Cp450 Firmware 4.1.0Cu.747B20191224

A vulnerability, which was classified as critical, was found in TOTOLINK CP450 4.1.0cu.747_B20191224.

9.8
2024-08-05 CVE-2024-7463 Totolink Classic Buffer Overflow vulnerability in Totolink Cp900 Firmware 6.3C.566

A vulnerability classified as critical was found in TOTOLINK CP900 6.3c.566.

9.8
2024-08-05 CVE-2024-7464 Totolink Command Injection vulnerability in Totolink Cp900 Firmware 6.3C.566

A vulnerability, which was classified as critical, has been found in TOTOLINK CP900 6.3c.566.

9.8
2024-08-05 CVE-2024-7461 Forip SQL Injection vulnerability in Forip Administracao Pabx

A vulnerability was found in ForIP Tecnologia Administração PABX 1.x.

9.8
2024-08-05 CVE-2024-7462 Totolink Classic Buffer Overflow vulnerability in Totolink N350Rt Firmware 9.3.5U.6139B20201216

A vulnerability classified as critical has been found in TOTOLINK N350RT 9.3.5u.6139_B20201216.

9.8
2024-08-06 CVE-2024-28740 Koha Cross-site Scripting vulnerability in Koha

Cross Site Scripting vulnerability in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via the additonal-contents.pl component.

9.6
2024-08-06 CVE-2024-7519 Mozilla Out-of-bounds Write vulnerability in Mozilla Firefox

Insufficient checks when processing graphics shared memory could have led to memory corruption.

9.6
2024-08-05 CVE-2024-42008 Roundcube Cross-site Scripting vulnerability in Roundcube Webmail

A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.

9.3
2024-08-05 CVE-2024-42009 Roundcube Cross-site Scripting vulnerability in Roundcube Webmail

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

9.3
2024-08-06 CVE-2024-41270 Appleboy Use of a Broken or Risky Cryptographic Algorithm vulnerability in Appleboy Gorush

An issue discovered in the RunHTTPServer function in Gorush v1.18.4 allows attackers to intercept and manipulate data due to use of deprecated TLS version.

9.1
2024-08-06 CVE-2024-30170 SSH Unspecified vulnerability in SSH Privx

PrivX before 34.0 allows data exfiltration and denial of service via the REST API.

9.1
2024-08-06 CVE-2024-33897 HMS Networks Forced Browsing vulnerability in Hms-Networks Ewon Cosy+ Firmware

A compromised HMS Networks Cosy+ device could be used to request a Certificate Signing Request from Talk2m for another device, resulting in an availability issue.

9.1
2024-08-05 CVE-2024-6118 Hamastar Insufficiently Protected Credentials vulnerability in Hamastar Meetinghub Paperless Meetings 2021

A Plaintext Storage of a Password vulnerability in ebooknote function in Hamastar MeetingHub Paperless Meetings 2021 allows remote attackers to obtain the other users’ credentials and gain access to the product via an XML file.

9.1
2024-08-08 CVE-2024-42366 Vrcx Team Cross-site Scripting vulnerability in Vrcx-Team Vrcx

VRCX is an assistant/companion application for VRChat.

9.0

160 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-08-08 CVE-2024-0104 Nvidia Unspecified vulnerability in Nvidia products

NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in the LDAP AAA component, where a user can cause improper access.

8.8
2024-08-08 CVE-2024-0108 Nvidia Improper Handling of Exceptional Conditions vulnerability in Nvidia Jetson Linux

NVIDIA Jetson Linux contains a vulnerability in NvGPU where error handling paths in GPU MMU mapping code fail to clean up a failed mapping attempt.

8.8
2024-08-08 CVE-2024-42365 Asterisk Unspecified vulnerability in Asterisk and Certified Asterisk

Asterisk is an open source private branch exchange (PBX) and telephony toolkit.

8.8
2024-08-08 CVE-2024-22069 ZTE Unspecified vulnerability in ZTE Zxv10 Et301 Firmware and Zxv10 Xt802 Firmware

There is a permission and access control vulnerability of ZTE's ZXV10 XT802/ET301 product.Attackers with common permissions can log in the terminal web and change the password of the administrator illegally by intercepting requests to change the passwords.

8.8
2024-08-08 CVE-2024-7150 The Slider by 10Web – Responsive Image Slider plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 1.2.57 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
8.8
2024-08-08 CVE-2024-7492 The MainWP Child Reports plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.
8.8
2024-08-08 CVE-2024-7486 The MultiPurpose theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.0 via deserialization of untrusted input through the 'wpeden_post_meta' post meta.
8.8
2024-08-08 CVE-2024-7561 The The Next theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input from the wpeden_post_meta post meta value.
8.8
2024-08-08 CVE-2024-6891 Journyx Code Injection vulnerability in Journyx 11.5.4

Attackers with a valid username and password can exploit a python code injection vulnerability during the natural login flow.

8.8
2024-08-07 CVE-2024-6707 Openwebui Path Traversal vulnerability in Openwebui Open Webui 0.1.105

Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traversal vulnerability.

8.8
2024-08-07 CVE-2024-6890 Journyx Use of Hard-coded Credentials vulnerability in Journyx 11.5.4

Password reset tokens are generated using an insecure source of randomness.

8.8
2024-08-07 CVE-2024-43044 Jenkins Improper Check for Unusual or Exceptional Conditions vulnerability in Jenkins

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.

8.8
2024-08-07 CVE-2024-7579 Alientechnology OS Command Injection vulnerability in Alientechnology Alr-F800 Firmware

A vulnerability was found in Alien Technology ALR-F800 up to 19.10.24.00.

8.8
2024-08-07 CVE-2024-7265 Nask Incorrect Authorization vulnerability in Nask EZD RP

Incorrect User Management vulnerability in Naukowa i Akademicka Sie? Komputerowa - Pa?stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation. This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.

8.8
2024-08-07 CVE-2024-36131 Ivanti Deserialization of Untrusted Data vulnerability in Ivanti Endpoint Manager Mobile

An insecure deserialization vulnerability in web component of EPMM prior to 12.1.0.1 allows an authenticated remote attacker to execute arbitrary commands on the underlying operating system of the appliance.

8.8
2024-08-07 CVE-2024-34619 Samsung Unspecified vulnerability in Samsung Android 12.0/13.0/14.0

Improper input validation in librtp.so prior to SMR Aug-2024 Release 1 allows remote attackers to execute arbitrary code with system privilege.

8.8
2024-08-06 CVE-2024-7532 Google Out-of-bounds Write vulnerability in Google Chrome

Out of bounds memory access in ANGLE in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-08-06 CVE-2024-7533 Google Use After Free vulnerability in Google Chrome

Use after free in Sharing in Google Chrome on iOS prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-08-06 CVE-2024-7534 Google Out-of-bounds Write vulnerability in Google Chrome

Heap buffer overflow in Layout in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-08-06 CVE-2024-7535 Google Out-of-bounds Write vulnerability in Google Chrome

Inappropriate implementation in V8 in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-08-06 CVE-2024-7536 Google Use After Free vulnerability in Google Chrome

Use after free in WebAudio in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-08-06 CVE-2024-7550 Google Type Confusion vulnerability in Google Chrome

Type Confusion in V8 in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-08-06 CVE-2024-6720 Dmytropopov Cross-Site Request Forgery (CSRF) vulnerability in Dmytropopov Light Poll

The Light Poll WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

8.8
2024-08-06 CVE-2024-6988 Google Use After Free vulnerability in Google Chrome

Use after free in Downloads in Google Chrome on iOS prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-08-06 CVE-2024-6989 Google Use After Free vulnerability in Google Chrome

Use after free in Loader in Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-08-06 CVE-2024-6991 Google Use After Free vulnerability in Google Chrome

Use after free in Dawn in Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-08-06 CVE-2024-6994 Google Out-of-bounds Write vulnerability in Google Chrome

Heap buffer overflow in Layout in Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-08-06 CVE-2024-6997 Google Use After Free vulnerability in Google Chrome

Use after free in Tabs in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-08-06 CVE-2024-6998 Google Use After Free vulnerability in Google Chrome

Use after free in User Education in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-08-06 CVE-2024-7000 Google Use After Free vulnerability in Google Chrome

Use after free in CSS in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-08-06 CVE-2024-7552 Datagear Expression Language Injection vulnerability in Datagear

A vulnerability was found in DataGear up to 5.0.0.

8.8
2024-08-06 CVE-2024-41913 HP Unrestricted Upload of File with Dangerous Type vulnerability in HP Poly Clariti Manager Firmware

A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices.

8.8
2024-08-06 CVE-2024-6357 Opentext Authorization Bypass Through User-Controlled Key vulnerability in Opentext Arcsight Intelligence

Insecure Direct Object Reference vulnerability identified in OpenText ArcSight Intelligence.

8.8
2024-08-06 CVE-2024-6358 Opentext Incorrect Authorization vulnerability in Opentext Arcsight Intelligence

Incorrect Authorization vulnerability identified in OpenText ArcSight Intelligence.

8.8
2024-08-06 CVE-2024-7520 Mozilla Type Confusion vulnerability in Mozilla Firefox

A type confusion bug in WebAssembly could be leveraged by an attacker to potentially achieve code execution.

8.8
2024-08-06 CVE-2024-7521 Mozilla Improper Handling of Exceptional Conditions vulnerability in Mozilla Firefox

Incomplete WebAssembly exception handing could have led to a use-after-free.

8.8
2024-08-06 CVE-2024-7522 Mozilla Out-of-bounds Read vulnerability in Mozilla Firefox

Editor code failed to check an attribute value.

8.8
2024-08-06 CVE-2024-7527 Mozilla Use After Free vulnerability in Mozilla Firefox

Unexpected marking work at the start of sweeping could have led to a use-after-free.

8.8
2024-08-06 CVE-2024-7528 Mozilla Use After Free vulnerability in Mozilla Firefox

Incorrect garbage collection interaction in IndexedDB could have led to a use-after-free.

8.8
2024-08-06 CVE-2024-7530 Mozilla Use After Free vulnerability in Mozilla Firefox

Incorrect garbage collection interaction could have led to a use-after-free.

8.8
2024-08-06 CVE-2024-5709 The WPBakery Visual Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.7 via the 'layout_name' parameter.
8.8
2024-08-06 CVE-2024-7506 Angeljudesuarez Unrestricted Upload of File with Dangerous Type vulnerability in Angeljudesuarez Tailoring Management System 1.0

A vulnerability has been found in itsourcecode Tailoring Management System 1.0 and classified as critical.

8.8
2024-08-06 CVE-2023-5000 The Horizontal scrolling announcements plugin for WordPress is vulnerable to SQL Injection via the plugin's 'hsas-shortcode' shortcode in versions up to, and including, 2.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
8.8
2024-08-06 CVE-2024-6315 The Blox Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handleUploadFile' function in all versions up to, and including, 1.0.65.
8.8
2024-08-06 CVE-2024-7496 Angeljudesuarez Unspecified vulnerability in Angeljudesuarez Airline Reservation System 1.0

A vulnerability has been found in itsourcecode Airline Reservation System 1.0 and classified as critical.

8.8
2024-08-06 CVE-2024-7497 Angeljudesuarez Unspecified vulnerability in Angeljudesuarez Airline Reservation System 1.0

A vulnerability was found in itsourcecode Airline Reservation System 1.0 and classified as critical.

8.8
2024-08-05 CVE-2024-23657 Nuxt Path Traversal vulnerability in Nuxt

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js.

8.8
2024-08-05 CVE-2024-34344 Nuxt Code Injection vulnerability in Nuxt

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js.

8.8
2024-08-05 CVE-2024-39838 Zexelon Use of Hard-coded Credentials vulnerability in Zexelon Zwx-2000Csw2-Hn Firmware

ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15 uses hard-coded credentials, which may allow a network-adjacent attacker with an administrative privilege to alter the configuration of the device.

8.8
2024-08-05 CVE-2024-6117 Hamastar Unrestricted Upload of File with Dangerous Type vulnerability in Hamastar Meetinghub Paperless Meetings 2021

A Unrestricted upload of file with dangerous type vulnerability in meeting management function in Hamastar MeetingHub Paperless Meetings 2021 allows remote authenticated users to perform arbitrary system commands via a crafted ASP file.

8.8
2024-08-05 CVE-2024-39713 Rocket Chat Server-Side Request Forgery (SSRF) vulnerability in Rocket.Chat

A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1.

8.6
2024-08-07 CVE-2024-6522 The Modern Events Calendar plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.12.1 via the 'mec_fes_form' AJAX function.
8.5
2024-08-05 CVE-2024-21481 Memory corruption when preparing a shared memory notification for a memparcel in Resource Manager.
8.4
2024-08-05 CVE-2024-23381 Memory corruption when memory mapped in a VBO is not unmapped by the GPU SMMU.
8.4
2024-08-05 CVE-2024-23382 Memory corruption while processing graphics kernel driver request to create DMA fence.
8.4
2024-08-05 CVE-2024-23383 Memory corruption when kernel driver attempts to trigger hardware fences.
8.4
2024-08-05 CVE-2024-23384 Memory corruption when the mapped pages in VBO are still mapped after reclaiming by shrinker.
8.4
2024-08-05 CVE-2024-33022 Memory corruption while allocating memory in HGSL driver.
8.4
2024-08-05 CVE-2024-33023 Memory corruption while creating a fence to wait on timeline events, and simultaneously signal timeline events.
8.4
2024-08-05 CVE-2024-33028 Memory corruption as fence object may still be accessed in timeline destruct after isync fence is released.
8.4
2024-08-05 CVE-2024-33034 Memory corruption can occur if VBOs hold outdated or invalid GPU SMMU mappings, especially when the binding and reclaiming of memory buffers are performed at the same time.
8.4
2024-08-07 CVE-2024-7143 Pulpproject Insecure Inherited Permissions vulnerability in Pulpproject Pulp

A flaw was found in the Pulp package.

8.3
2024-08-08 CVE-2024-3035 Gitlab Authorization Bypass Through User-Controlled Key vulnerability in Gitlab

A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories.

8.1
2024-08-06 CVE-2024-7523 Mozilla Unspecified vulnerability in Mozilla Firefox

A select option could partially obscure security prompts.

8.1
2024-08-06 CVE-2024-7525 Mozilla Incorrect Default Permissions vulnerability in Mozilla Firefox

It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response body of requests on any site.

8.1
2024-08-06 CVE-2024-6203 Haloservicesolutions Weak Password Recovery Mechanism for Forgotten Password vulnerability in Haloservicesolutions Haloitsm

HaloITSM versions up to 2.146.1 are affected by a Password Reset Poisoning vulnerability.

8.1
2024-08-05 CVE-2024-41720 Zexelon Incorrect Permission Assignment for Critical Resource vulnerability in Zexelon Zwx-2000Csw2-Hn Firmware

Incorrect permission assignment for critical resource issue exists in ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15, which may allow a network-adjacent authenticated attacker to alter the configuration of the device.

8.0
2024-08-08 CVE-2024-0107 Nvidia Out-of-bounds Read vulnerability in Nvidia GPU Display Driver and Virtual GPU

NVIDIA GPU Display Driver for Windows contains a vulnerability in the user mode layer, where an unprivileged regular user can cause an out-of-bounds read.

7.8
2024-08-08 CVE-2024-42035 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Permission control vulnerability in the App Multiplier module Impact:Successful exploitation of this vulnerability may affect functionality and confidentiality.

7.8
2024-08-08 CVE-2024-42257 Linux Unspecified vulnerability in Linux Kernel 6.10/6.10.0

In the Linux kernel, the following vulnerability has been resolved: ext4: use memtostr_pad() for s_volume_name As with the other strings in struct ext4_super_block, s_volume_name is not NUL terminated.

7.8
2024-08-07 CVE-2024-7061 Okta Uncontrolled Search Path Element vulnerability in Okta Verify

Okta Verify for Windows is vulnerable to privilege escalation through DLL hijacking.

7.8
2024-08-07 CVE-2024-41308 Enjayworld Unspecified vulnerability in Enjayworld Enjay CRM 1.0

An issue in the Ping feature of IT Solutions Enjay CRM OS v1.0 allows attackers to escape the restricted terminal environment and gain root-level privileges on the underlying system.

7.8
2024-08-07 CVE-2024-41309 Enjayworld Unspecified vulnerability in Enjayworld Enjay CRM 1.0

An issue in the Hardware info module of IT Solutions Enjay CRM OS v1.0 allows attackers to escape the restricted terminal environment and gain root-level privileges on the underlying system.

7.8
2024-08-07 CVE-2024-43199 Nagios Incorrect Permission Assignment for Critical Resource vulnerability in Nagios Ndoutils

Nagios NDOUtils before 2.1.4 allows privilege escalation from nagios to root because certain executable files are owned by the nagios user.

7.8
2024-08-07 CVE-2024-7553 Mongodb Unspecified vulnerability in Mongodb

Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows.

7.8
2024-08-07 CVE-2024-5290 W1 FI Uncontrolled Search Path Element vulnerability in W1.Fi WPA Supplicant

An issue was discovered in Ubuntu wpa_supplicant that resulted in loading of arbitrary shared objects, which allows a local unprivileged attacker to escalate privileges to the user that wpa_supplicant runs as (usually root). Membership in the netdev group or access to the dbus interface of wpa_supplicant allow an unprivileged user to specify an arbitrary path to a module to be loaded by the wpa_supplicant process; other escalation paths might exist.

7.8
2024-08-07 CVE-2024-34612 Samsung Out-of-bounds Write vulnerability in Samsung Android 12.0/13.0/14.0

Out-of-bound write in libcodec2secmp4vdec.so prior to SMR Aug-2024 Release 1 allows local attackers to execute arbitrary code.

7.8
2024-08-07 CVE-2024-34614 Samsung Out-of-bounds Write vulnerability in Samsung Android 12.0/13.0/14.0

Out-of-bound write in libsmat.so prior to SMR Aug-2024 Release 1 allows local attackers to execute arbitrary code.

7.8
2024-08-07 CVE-2024-34615 Samsung Out-of-bounds Write vulnerability in Samsung Android 12.0/13.0/14.0

Out-of-bound write in libsmat.so prior to SMR Aug-2024 Release 1 allows local attackers to cause memory corruption.

7.8
2024-08-07 CVE-2024-34620 Samsung Unspecified vulnerability in Samsung Android 13.0/14.0

Improper privilege management in SumeNNService prior to SMR Aug-2024 Release 1 allows local attackers to start privileged service.

7.8
2024-08-07 CVE-2024-34622 Samsung Out-of-bounds Write vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds write in appending paragraph in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially execute arbitrary code with Samsung Notes privilege.

7.8
2024-08-07 CVE-2024-34623 Samsung Out-of-bounds Write vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds write in applying connected information in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially execute arbitrary code with Samsung Notes privilege.

7.8
2024-08-06 CVE-2024-42219 1Password Unspecified vulnerability in 1Password

1Password 8 before 8.10.36 for macOS allows local attackers to exfiltrate vault items because XPC inter-process communication validation is insufficient.

7.8
2024-08-06 CVE-2024-7502 Deltaww Out-of-bounds Write vulnerability in Deltaww Diascreen 1.2.1.23/1.3.2

A crafted DPA file could force Delta Electronics DIAScreen to overflow a stack-based buffer, which could allow an attacker to execute arbitrary code.

7.8
2024-08-06 CVE-2024-23458 Zscaler Origin Validation Error vulnerability in Zscaler Client Connector

While copying individual autoupdater log files, reparse point check was missing which could result into crafted attacks, potentially leading to a local privilege escalation.

7.8
2024-08-06 CVE-2024-23460 Zscaler Improper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector

The Zscaler Updater process does not validate the digital signature of the installer before execution, allowing arbitrary code to be locally executed.

7.8
2024-08-06 CVE-2024-41226 Automationanywhere Improper Neutralization of Formula Elements in a CSV File vulnerability in Automationanywhere Automation 360 21094

A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload.

7.8
2024-08-06 CVE-2024-43114 Jetbrains Incorrect Default Permissions vulnerability in Jetbrains Teamcity

In JetBrains TeamCity before 2024.07.1 possible privilege escalation due to incorrect directory permissions

7.8
2024-08-06 CVE-2024-7538 Ofono Project Out-of-bounds Write vulnerability in Ofono Project Ofono 1.34

oFono CUSD AT Command Stack-based Buffer Overflow Code Execution Vulnerability.

7.8
2024-08-06 CVE-2024-7539 Ofono Project Out-of-bounds Write vulnerability in Ofono Project Ofono 1.34

oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability.

7.8
2024-08-06 CVE-2024-7543 Ofono Project Out-of-bounds Write vulnerability in Ofono Project Ofono 2.3

oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability.

7.8
2024-08-06 CVE-2024-7544 Ofono Project Out-of-bounds Write vulnerability in Ofono Project Ofono 2.3

oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability.

7.8
2024-08-06 CVE-2024-7545 Ofono Project Out-of-bounds Write vulnerability in Ofono Project Ofono 2.3

oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability.

7.8
2024-08-06 CVE-2024-7546 Ofono Project Out-of-bounds Write vulnerability in Ofono Project Ofono 2.3

oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability.

7.8
2024-08-06 CVE-2024-7547 Ofono Project Out-of-bounds Write vulnerability in Ofono Project Ofono 2.3

oFono SMS Decoder Stack-based Buffer Overflow Privilege Escalation Vulnerability.

7.8
2024-08-05 CVE-2024-23356 Memory corruption during session sign renewal request calls in HLOS.
7.8
2024-08-05 CVE-2024-2937 ARM Use After Free vulnerability in ARM products

Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r41p0 through r49p0; Valhall GPU Kernel Driver: from r41p0 through r49p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p0.

7.8
2024-08-05 CVE-2024-4607 ARM Use After Free vulnerability in ARM products

Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r41p0 through r49p0; Valhall GPU Kernel Driver: from r41p0 through r49p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p0.

7.8
2024-08-08 CVE-2024-39287 Dorsettcontrols Unspecified vulnerability in Dorsettcontrols Infoscan 1.32/1.33/1.35

Dorsett Controls Central Server update server has potential information leaks with an unprotected file that contains passwords and API keys.

7.5
2024-08-08 CVE-2024-0101 Nvidia Unspecified vulnerability in Nvidia products

NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in ipfilter, where improper ipfilter definitions could enable an attacker to cause a failure by attacking the switch.

7.5
2024-08-08 CVE-2024-7348 Postgresql Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Postgresql

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser.

7.5
2024-08-08 CVE-2024-2800 Gitlab Unspecified vulnerability in Gitlab

ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking.

7.5
2024-08-08 CVE-2024-42036 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Access permission verification vulnerability in the Notepad module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

7.5
2024-08-08 CVE-2024-6329 Gitlab Improper Encoding or Escaping of Output vulnerability in Gitlab

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which causes the web interface to fail to render the diff correctly when the path is encoded.

7.5
2024-08-08 CVE-2024-42031 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Access permission verification vulnerability in the Settings module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

7.5
2024-08-08 CVE-2024-6893 Journyx XXE vulnerability in Journyx 11.5.4

The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities.

7.5
2024-08-07 CVE-2024-20451 Cisco Unspecified vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly. These vulnerabilities exist because HTTP packets are not properly checked for errors.

7.5
2024-08-07 CVE-2024-41989 Djangoproject Unspecified vulnerability in Djangoproject Django

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15.

7.5
2024-08-07 CVE-2024-41990 Djangoproject Unspecified vulnerability in Djangoproject Django

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15.

7.5
2024-08-07 CVE-2024-41991 Djangoproject Improper Validation of Specified Quantity in Input vulnerability in Djangoproject Django

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15.

7.5
2024-08-07 CVE-2024-36132 Ivanti Improper Authentication vulnerability in Ivanti Endpoint Manager Mobile

Insufficient verification of authentication controls in EPMM prior to 12.1.0.1 allows a remote attacker to bypass authentication and access sensitive resources.

7.5
2024-08-06 CVE-2024-23456 Zscaler Improper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector

Anti-tampering can be disabled under certain conditions without signature validation.

7.5
2024-08-06 CVE-2024-33961 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

7.5
2024-08-06 CVE-2024-33962 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

7.5
2024-08-06 CVE-2024-33963 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

7.5
2024-08-06 CVE-2024-33964 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

7.5
2024-08-06 CVE-2024-33965 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

7.5
2024-08-06 CVE-2024-33966 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

7.5
2024-08-06 CVE-2024-33967 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

7.5
2024-08-06 CVE-2024-33968 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

7.5
2024-08-06 CVE-2024-33969 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

7.5
2024-08-06 CVE-2024-33970 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

7.5
2024-08-06 CVE-2024-33971 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

7.5
2024-08-06 CVE-2024-33972 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

7.5
2024-08-06 CVE-2024-33973 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

7.5
2024-08-06 CVE-2024-33957 Janobe SQL Injection vulnerability in Janobe Young Entrepreneur E-Negosyo System 1.0

SQL injection vulnerability in E-Negosyo System affecting version 1.0.

7.5
2024-08-06 CVE-2024-33958 Janobe SQL Injection vulnerability in Janobe Young Entrepreneur E-Negosyo System 1.0

SQL injection vulnerability in E-Negosyo System affecting version 1.0.

7.5
2024-08-06 CVE-2024-33959 Janobe SQL Injection vulnerability in Janobe products

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

7.5
2024-08-06 CVE-2024-28962 Dell Externally Controlled Reference to a Resource in Another Sphere vulnerability in Dell Alienware Update, Command Update and Update

Dell Command | Update, Dell Update, and Alienware Update UWP, versions prior to 5.4, contain an Exposed Dangerous Method or Function vulnerability.

7.5
2024-08-06 CVE-2024-6781 Calibre Ebook Path Traversal vulnerability in Calibre-Ebook Calibre

Path traversal in Calibre <= 7.14.0 allow unauthenticated attackers to achieve arbitrary file read.

7.5
2024-08-05 CVE-2024-42352 Nuxt Server-Side Request Forgery (SSRF) vulnerability in Nuxt

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js.

7.5
2024-08-05 CVE-2024-21479 Transient DOS during music playback of ALAC content.
7.5
2024-08-05 CVE-2024-23352 Transient DOS when NAS receives ODAC criteria of length 1 and type 1 in registration accept OTA.
7.5
2024-08-05 CVE-2024-23353 Transient DOS while decoding attach reject message received by UE, when IEI is set to ESM_IEI.
7.5
2024-08-05 CVE-2024-33010 Transient DOS while parsing fragments of MBSSID IE from beacon frame.
7.5
2024-08-05 CVE-2024-33011 Transient DOS while parsing the MBSSID IE from the beacons, when the MBSSID IE length is zero.
7.5
2024-08-05 CVE-2024-33012 Transient DOS while parsing the multiple MBSSID IEs from the beacon, when the tag length is non-zero value but with end of beacon.
7.5
2024-08-05 CVE-2024-33013 Transient DOS when driver accesses the ML IE memory and offset value is incremented beyond ML IE length.
7.5
2024-08-05 CVE-2024-33014 Transient DOS while parsing ESP IE from beacon/probe response frame.
7.5
2024-08-05 CVE-2024-33015 Transient DOS while parsing SCAN RNR IE when bytes received from AP is such that the size of the last param of IE is less than neighbor report.
7.5
2024-08-05 CVE-2024-33018 Transient DOS while parsing the received TID-to-link mapping element of the TID-to-link mapping action frame.
7.5
2024-08-05 CVE-2024-33019 Transient DOS while parsing the received TID-to-link mapping action frame.
7.5
2024-08-05 CVE-2024-33020 Transient DOS while processing TID-to-link mapping IE elements.
7.5
2024-08-05 CVE-2024-33024 Transient DOS while parsing the ML IE when a beacon with length field inside the common info of ML IE greater than the ML IE length.
7.5
2024-08-05 CVE-2024-33025 Transient DOS while parsing the BSS parameter change count or MLD capabilities fields of the ML IE.
7.5
2024-08-05 CVE-2024-33026 Transient DOS while parsing probe response and assoc response frame when received frame length is less than max size of timestamp.
7.5
2024-08-08 CVE-2024-38202 Microsoft Unspecified vulnerability in Microsoft products

Summary Microsoft was notified that an elevation of privilege vulnerability exists in Windows Update, potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS).

7.3
2024-08-05 CVE-2024-36448 Apache Server-Side Request Forgery (SSRF) vulnerability in Apache Iotdb Workbench

** UNSUPPORTED WHEN ASSIGNED ** Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Workbench. This issue affects Apache IoTDB Workbench: from 0.13.0. As this project is retired, we do not plan to release a version that fixes this issue.

7.3
2024-08-08 CVE-2024-37382 Abinitio Code Injection vulnerability in Abinitio Authorization Gateway and Metadata HUB

An issue discovered in import host feature in Ab Initio Metadata Hub and Authorization Gateway before 4.3.1.1 allows attackers to run arbitrary code via crafted modification of server configuration.

7.2
2024-08-08 CVE-2024-41942 Jupyter Unspecified vulnerability in Jupyter Jupyterhub

JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks.

7.2
2024-08-08 CVE-2024-42356 Shopware Code Injection vulnerability in Shopware

Shopware is an open commerce platform.

7.2
2024-08-08 CVE-2024-3659 Kaongroup Command Injection vulnerability in Kaongroup Ar2140 Firmware

Firmware in KAON AR2140 routers prior to version 4.2.16 is vulnerable to a shell command injection via sending a crafted request to one of the endpoints. In order to exploit this vulnerability, one has to have access to the administrative portal of the router.

7.2
2024-08-08 CVE-2024-7560 The News Flash theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input from the newsflash_post_meta meta value.
7.2
2024-08-07 CVE-2024-42062 Apache Incorrect Authorization vulnerability in Apache Cloudstack

CloudStack account-users by default use username and password based authentication for API and UI access.

7.2
2024-08-06 CVE-2024-28739 Koha Command Injection vulnerability in Koha

An issue in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via a crafted script to the format parameter.

7.2
2024-08-06 CVE-2024-7484 The CRM Perks Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'handle_uploaded_files' function in versions up to, and including, 1.1.3.
7.2
2024-08-06 CVE-2024-7485 The Traffic Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page' parameter in the 'UserWebStat' AJAX function in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping.
7.2
2024-08-05 CVE-2024-41958 Mailcow Unspecified vulnerability in Mailcow Mailcow: Dockerized

mailcow: dockerized is an open source groupware/email suite based on docker.

7.2
2024-08-08 CVE-2024-42033 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Access control vulnerability in the security verification module mpact: Successful exploitation of this vulnerability will affect integrity and confidentiality.

7.1
2024-08-06 CVE-2024-7009 Calibre Ebook SQL Injection vulnerability in Calibre-Ebook Calibre

Unsanitized user-input in Calibre <= 7.15.0 allow users with permissions to perform full-text searches to achieve SQL injection on the SQLite database.

7.1

176 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-08-08 CVE-2023-24062 Dieboldnixdorf Unspecified vulnerability in Dieboldnixdorf Vynamic Security Suite

Diebold Nixdorf Vynamic Security Suite (VSS) before 3.3.0 SR12, 4.0.0 SR04, 4.1.0 SR02, and 4.2.0 SR01 fails to validate the directory structure of the root file system during the Pre-Boot Authorization (PBA) process.

6.8
2024-08-08 CVE-2023-24063 Dieboldnixdorf Improper Validation of Integrity Check Value vulnerability in Dieboldnixdorf Vynamic Security Suite

Diebold Nixdorf Vynamic Security Suite (VSS) before 3.3.0 SR10 fails to validate /etc/mtab during the Pre-Boot Authorization (PBA) process.

6.8
2024-08-08 CVE-2023-24064 Dieboldnixdorf Unspecified vulnerability in Dieboldnixdorf Vynamic Security Suite

Diebold Nixdorf Vynamic Security Suite (VSS) before 3.3.0 SR4 fails to validate /etc/initab during the Pre-Boot Authorization (PBA) process.

6.8
2024-08-08 CVE-2023-33206 Dieboldnixdorf Improper Validation of Integrity Check Value vulnerability in Dieboldnixdorf Vynamic Security Suite

Diebold Nixdorf Vynamic Security Suite (VSS) before 3.3.0 SR16, 4.0.0 SR06, 4.1.0 SR04, 4.2.0 SR03, and 4.3.0 SR01 fails to validate symlinks during the Pre-Boot Authorization (PBA) process.

6.8
2024-08-08 CVE-2023-40261 Dieboldnixdorf Improper Initialization vulnerability in Dieboldnixdorf Vynamic Security Suite

Diebold Nixdorf Vynamic Security Suite (VSS) before 3.3.0 SR17, 4.0.0 SR07, 4.1.0 SR04, 4.2.0 SR04, and 4.3.0 SR02 fails to validate file attributes during the Pre-Boot Authorization (PBA) process.

6.8
2024-08-08 CVE-2024-7477 Avaya SQL Injection vulnerability in Avaya Aura System Manager

A SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the Avaya Aura System Manager database.  Affected versions include 10.1.x.x and 10.2.x.x.

6.7
2024-08-08 CVE-2024-21302 Microsoft Unspecified vulnerability in Microsoft products

Summary: Microsoft was notified that an elevation of privilege vulnerability exists in Windows based systems supporting Virtualization Based Security (VBS), including a subset of Azure Virtual Machine SKUS.

6.7
2024-08-08 CVE-2023-28865 Dieboldnixdorf Insufficient Verification of Data Authenticity vulnerability in Dieboldnixdorf Vynamic Security Suite

Diebold Nixdorf Vynamic Security Suite (VSS) before 3.3.0 SR15, 4.0.0 SR05, 4.1.0 SR03, and 4.2.0 SR02 fails to validate the directory contents of certain directories (e.g., ensuring the expected hash sum) during the Pre-Boot Authorization (PBA) process.

6.6
2024-08-08 CVE-2024-3114 Gitlab Unspecified vulnerability in Gitlab

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server.

6.5
2024-08-08 CVE-2024-3958 Gitlab Code Injection vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2.

6.5
2024-08-08 CVE-2024-5423 Gitlab Unspecified vulnerability in Gitlab

Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2 which allowed an attacker to cause resource exhaustion via banzai pipeline.

6.5
2024-08-08 CVE-2024-7554 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2.

6.5
2024-08-08 CVE-2024-7610 Gitlab Unspecified vulnerability in Gitlab

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2.

6.5
2024-08-08 CVE-2024-4210 Gitlab Unspecified vulnerability in Gitlab

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 12.6 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2.

6.5
2024-08-07 CVE-2024-41251 Lopalopa Unspecified vulnerability in Lopalopa Responsive School Management System 3.2.0

An Incorrect Access Control vulnerability was found in /smsa/admin_teacher_register_approval.php and /smsa/admin_teacher_register_approval_submit.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view and approve Teacher registration.

6.5
2024-08-07 CVE-2024-41252 Lopalopa Unspecified vulnerability in Lopalopa Responsive School Management System 3.2.0

An Incorrect Access Control vulnerability was found in /smsa/admin_student_register_approval.php and /smsa/admin_student_register_approval_submit.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view and approve student registration.

6.5
2024-08-07 CVE-2024-7267 Nask Unspecified vulnerability in Nask EZD RP

Exposure of Sensitive Information vulnerability in Naukowa i Akademicka Sie? Komputerowa - Pa?stwowy Instytut Badawczy EZD RP allows logged-in user to retrieve information about IP infrastructure and credentials. This issue affects EZD RP all versions before 19.6

6.5
2024-08-07 CVE-2024-34788 Ivanti Improper Authentication vulnerability in Ivanti Endpoint Manager Mobile

An improper authentication vulnerability in web component of EPMM prior to 12.1.0.1 allows a remote malicious user to access potentially sensitive information

6.5
2024-08-06 CVE-2024-38206 Microsoft Server-Side Request Forgery (SSRF) vulnerability in Microsoft Copilot Studio

An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network.

6.5
2024-08-06 CVE-2024-42347 Matrix Unspecified vulnerability in Matrix Matrix-React-Sdk

matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page.

6.5
2024-08-06 CVE-2023-28806 Zscaler Improper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector

An Improper Validation of signature in Zscaler Client Connector on Windows allows an authenticated user to disable anti-tampering.

6.5
2024-08-06 CVE-2024-7564 Logsign Path Traversal vulnerability in Logsign Unified Secops Platform 6.4.11

Logsign Unified SecOps Platform Directory Traversal Information Disclosure Vulnerability.

6.5
2024-08-06 CVE-2024-7518 Mozilla Unspecified vulnerability in Mozilla Firefox

Select options could obscure the fullscreen notification dialog.

6.5
2024-08-06 CVE-2024-7526 Mozilla Use of Uninitialized Resource vulnerability in Mozilla Firefox

ANGLE failed to initialize parameters which lead to reading from uninitialized memory.

6.5
2024-08-06 CVE-2024-7529 Mozilla Unspecified vulnerability in Mozilla Firefox

The date picker could partially obscure security prompts.

6.5
2024-08-06 CVE-2024-7531 Mozilla Unspecified vulnerability in Mozilla Firefox

Calling `PK11_Encrypt()` in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor.

6.5
2024-08-06 CVE-2024-39817 Cybozu Unspecified vulnerability in Cybozu Office

Insertion of sensitive information into sent data issue exists in Cybozu Office 10.0.0 to 10.8.6, which may allow a user who can login to the product to view data that the user does not have access by conducting 'search' under certain conditions in Custom App.

6.5
2024-08-05 CVE-2024-21459 Information disclosure while handling beacon or probe response frame in STA.
6.5
2024-08-05 CVE-2024-21467 Information disclosure while handling beacon probe frame during scan entry generation in client side.
6.5
2024-08-05 CVE-2024-23350 Permanent DOS when DL NAS transport receives multiple payloads such that one payload contains SOR container whose integrity check has failed, and the other is LPP where UE needs to send status message to network.
6.5
2024-08-08 CVE-2024-5226 The Fuse Social Floating Sidebar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the file upload functionality in all versions up to, and including, 5.4.10 due to insufficient validation of SVG files.
6.4
2024-08-08 CVE-2024-5668 The Lightbox & Modal Popup WordPress Plugin – FooBox plugin for WordPress is vulnerable to DOM-based Stored Cross-Site Scripting via HTML data attributes in all versions up to, and including, 2.7.28 due to insufficient input sanitization and output escaping on user supplied attributes.
6.4
2024-08-06 CVE-2024-7317 The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.3 due to insufficient input sanitization and output escaping.
6.4
2024-08-06 CVE-2024-5708 The WPBakery Visual Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in all versions up to, and including, 7.7 due to insufficient input sanitization and output escaping.
6.4
2024-08-07 CVE-2024-43045 Jenkins Missing Authorization vulnerability in Jenkins

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views".

6.3
2024-08-08 CVE-2024-42037 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Vulnerability of uncaught exceptions in the Graphics module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

6.2
2024-08-08 CVE-2024-42030 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Access permission verification vulnerability in the content sharing pop-up module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

6.2
2024-08-08 CVE-2023-7265 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Permission verification vulnerability in the lock screen module Impact: Successful exploitation of this vulnerability may affect availability

6.2
2024-08-05 CVE-2024-23357 Transient DOS while importing a PKCS#8-encoded RSA key with zero bytes modulus.
6.2
2024-08-08 CVE-2024-6892 Journyx Cross-site Scripting vulnerability in Journyx 11.5.4

Attackers can craft a malicious link that once clicked will execute arbitrary JavaScript in the context of the Journyx web application.

6.1
2024-08-07 CVE-2024-6706 Openwebui Cross-site Scripting vulnerability in Openwebui Open Webui 0.1.105

Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page.

6.1
2024-08-07 CVE-2024-41240 Lopalopa Cross-site Scripting vulnerability in Lopalopa Responsive School Management System 3.2.0

A Reflected Cross Site Scripting (XSS) vulnerability was found in " /smsa/teacher_login.php" in Kashipara Responsive School Management System v3.2.0, which allows remote attackers to execute arbitrary code via the "error" parameter.

6.1
2024-08-07 CVE-2024-41241 Lopalopa Cross-site Scripting vulnerability in Lopalopa Responsive School Management System 3.2.0

A Reflected Cross Site Scripting (XSS) vulnerability was found in " /smsa/admin_login.php" in Kashipara Responsive School Management System v3.2.0, which allows remote attackers to execute arbitrary code via "error" parameter.

6.1
2024-08-07 CVE-2024-41242 Lopalopa Cross-site Scripting vulnerability in Lopalopa Responsive School Management System 3.2.0

A Reflected Cross Site Scripting (XSS) vulnerability was found in /smsa/student_login.php in Kashipara Responsive School Management System v3.2.0, which allows remote attackers to execute arbitrary code via "error" parameter.

6.1
2024-08-06 CVE-2024-38166 Microsoft Cross-site Scripting vulnerability in Microsoft Dynamics CRM Service Portal web Resource

An unauthenticated attacker can exploit improper neutralization of input during web page generation in Microsoft Dynamics 365 to spoof over a network by tricking a user to click on a link.

6.1
2024-08-06 CVE-2024-41677 Qwik Cross-site Scripting vulnerability in Qwik

Qwik is a performance focused javascript framework.

6.1
2024-08-06 CVE-2024-41333 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul Tourism Management System 2.0

A reflected cross-site scripting (XSS) vulnerability in Phpgurukul Tourism Management System v2.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the uname parameter.

6.1
2024-08-06 CVE-2024-43111 Mozilla Cross-site Scripting vulnerability in Mozilla Firefox

Long pressing on a download link could potentially allow Javascript commands to be executed within the browser This vulnerability affects Firefox for iOS < 129.

6.1
2024-08-06 CVE-2024-43112 Mozilla Cross-site Scripting vulnerability in Mozilla Firefox

Long pressing on a download link could potentially provide a means for cross-site scripting This vulnerability affects Firefox for iOS < 129.

6.1
2024-08-06 CVE-2024-43113 Mozilla Cross-site Scripting vulnerability in Mozilla Firefox

The contextual menu for links could provide an opportunity for cross-site scripting attacks This vulnerability affects Firefox for iOS < 129.

6.1
2024-08-06 CVE-2023-40819 Devlop Systems Cross-site Scripting vulnerability in Devlop.Systems Id4Portais

ID4Portais in version < V.2022.837.002a returns message parameter unsanitized in the response, resulting in a HTML Injection vulnerability.

6.1
2024-08-06 CVE-2024-40101 Microweber Cross-site Scripting vulnerability in Microweber

A Reflected Cross-site scripting (XSS) vulnerability exists in '/search' in microweber 2.0.15 and earlier allowing unauthenticated remote attackers to inject arbitrary web script or HTML via the 'keywords' parameter.

6.1
2024-08-06 CVE-2024-41910 HP Cross-site Scripting vulnerability in HP Poly Clariti Manager Firmware

A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices.

6.1
2024-08-06 CVE-2024-33982 Janobe Cross-site Scripting vulnerability in Janobe products

Cross-Site Scripting (XSS) vulnerability in School Attendance Monitoring System and School Event Management System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33983 Janobe Cross-site Scripting vulnerability in Janobe products

Cross-Site Scripting (XSS) vulnerability in School Attendance Monitoring System and School Event Management System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33984 Janobe Cross-site Scripting vulnerability in Janobe products

Cross-Site Scripting (XSS) vulnerability in School Attendance Monitoring System and School Event Management System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33985 Janobe Cross-site Scripting vulnerability in Janobe products

Cross-Site Scripting (XSS) vulnerability in School Attendance Monitoring System and School Event Management System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33986 Janobe Cross-site Scripting vulnerability in Janobe products

Cross-Site Scripting (XSS) vulnerability in School Attendance Monitoring System and School Event Management System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33987 Janobe Cross-site Scripting vulnerability in Janobe products

Cross-Site Scripting (XSS) vulnerability in School Attendance Monitoring System and School Event Management System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33988 Janobe Cross-site Scripting vulnerability in Janobe products

Cross-Site Scripting (XSS) vulnerability in School Attendance Monitoring System and School Event Management System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33989 Janobe Cross-site Scripting vulnerability in Janobe School Event Management System 1.0

Cross-Site Scripting (XSS) vulnerability in School Event Management System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33990 Janobe Cross-site Scripting vulnerability in Janobe School Event Management System 1.0

Cross-Site Scripting (XSS) vulnerability in School Event Management System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33991 Janobe Cross-site Scripting vulnerability in Janobe School Event Management System 1.0

Cross-Site Scripting (XSS) vulnerability in School Event Management System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33992 Janobe Cross-site Scripting vulnerability in Janobe School Event Management System 1.0

Cross-Site Scripting (XSS) vulnerability in School Event Management System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33993 Janobe Cross-site Scripting vulnerability in Janobe School Event Management System 1.0

Cross-Site Scripting (XSS) vulnerability in School Event Management System affecting version 1.0.

6.1
2024-08-06 CVE-2024-7524 Mozilla Cross-site Scripting vulnerability in Mozilla Firefox

Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection.

6.1
2024-08-06 CVE-2024-33975 Janobe Cross-site Scripting vulnerability in Janobe Young Entrepreneur E-Negosyo System 1.0

Cross-Site Scripting (XSS) vulnerability in E-Negosyo System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33976 Janobe Cross-site Scripting vulnerability in Janobe Young Entrepreneur E-Negosyo System 1.0

Cross-Site Scripting (XSS) vulnerability in E-Negosyo System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33977 Janobe Cross-site Scripting vulnerability in Janobe Young Entrepreneur E-Negosyo System 1.0

Cross-Site Scripting (XSS) vulnerability in E-Negosyo System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33978 Janobe Cross-site Scripting vulnerability in Janobe Young Entrepreneur E-Negosyo System 1.0

Cross-Site Scripting (XSS) vulnerability in E-Negosyo System affecting version 1.0.

6.1
2024-08-06 CVE-2024-33979 Janobe Cross-site Scripting vulnerability in Janobe Credit Card, Debit Card Payment and Paypal

Cross-Site Scripting (XSS) vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

6.1
2024-08-06 CVE-2024-33980 Janobe Cross-site Scripting vulnerability in Janobe Credit Card, Debit Card Payment and Paypal

Cross-Site Scripting (XSS) vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

6.1
2024-08-06 CVE-2024-33981 Janobe Cross-site Scripting vulnerability in Janobe Credit Card, Debit Card Payment and Paypal

Cross-Site Scripting (XSS) vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0.

6.1
2024-08-06 CVE-2024-7008 Calibre Ebook Cross-site Scripting vulnerability in Calibre-Ebook Calibre

Unsanitized user-input in Calibre <= 7.15.0 allow attackers to perform reflected cross-site scripting.

6.1
2024-08-05 CVE-2024-34343 Nuxt Cross-site Scripting vulnerability in Nuxt

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js.

6.1
2024-08-05 CVE-2024-41959 Mailcow Cross-site Scripting vulnerability in Mailcow Mailcow: Dockerized

mailcow: dockerized is an open source groupware/email suite based on docker.

6.1
2024-08-08 CVE-2024-42354 Shopware Unspecified vulnerability in Shopware

Shopware is an open commerce platform.

5.9
2024-08-08 CVE-2024-0102 Nvidia Out-of-bounds Read vulnerability in Nvidia Cuda Toolkit

NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvdisasm, where an attacker can cause an out-of-bounds read issue by deceiving a user into reading a malformed ELF file.

5.5
2024-08-08 CVE-2024-42034 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

LaunchAnywhere vulnerability in the account module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

5.5
2024-08-08 CVE-2024-42032 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Access permission verification vulnerability in the Contacts module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

5.5
2024-08-08 CVE-2024-42251 Linux Reachable Assertion vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: mm: page_ref: remove folio_try_get_rcu() The below bug was reported on a non-SMP kernel: [ 275.267158][ T4335] ------------[ cut here ]------------ [ 275.267949][ T4335] kernel BUG at include/linux/page_ref.h:275! [ 275.268526][ T4335] invalid opcode: 0000 [#1] KASAN PTI [ 275.269001][ T4335] CPU: 0 PID: 4335 Comm: trinity-c3 Not tainted 6.7.0-rc4-00061-gefa7df3e3bb5 #1 [ 275.269787][ T4335] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 275.270679][ T4335] RIP: 0010:try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.272813][ T4335] RSP: 0018:ffffc90005dcf650 EFLAGS: 00010202 [ 275.273346][ T4335] RAX: 0000000000000246 RBX: ffffea00066e0000 RCX: 0000000000000000 [ 275.274032][ T4335] RDX: fffff94000cdc007 RSI: 0000000000000004 RDI: ffffea00066e0034 [ 275.274719][ T4335] RBP: ffffea00066e0000 R08: 0000000000000000 R09: fffff94000cdc006 [ 275.275404][ T4335] R10: ffffea00066e0037 R11: 0000000000000000 R12: 0000000000000136 [ 275.276106][ T4335] R13: ffffea00066e0034 R14: dffffc0000000000 R15: ffffea00066e0008 [ 275.276790][ T4335] FS: 00007fa2f9b61740(0000) GS:ffffffff89d0d000(0000) knlGS:0000000000000000 [ 275.277570][ T4335] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 275.278143][ T4335] CR2: 00007fa2f6c00000 CR3: 0000000134b04000 CR4: 00000000000406f0 [ 275.278833][ T4335] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 275.279521][ T4335] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 275.280201][ T4335] Call Trace: [ 275.280499][ T4335] <TASK> [ 275.280751][ T4335] ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447) [ 275.281087][ T4335] ? do_trap (arch/x86/kernel/traps.c:112 arch/x86/kernel/traps.c:153) [ 275.281463][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.281884][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.282300][ T4335] ? do_error_trap (arch/x86/kernel/traps.c:174) [ 275.282711][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.283129][ T4335] ? handle_invalid_op (arch/x86/kernel/traps.c:212) [ 275.283561][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.283990][ T4335] ? exc_invalid_op (arch/x86/kernel/traps.c:264) [ 275.284415][ T4335] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:568) [ 275.284859][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.285278][ T4335] try_grab_folio (mm/gup.c:148) [ 275.285684][ T4335] __get_user_pages (mm/gup.c:1297 (discriminator 1)) [ 275.286111][ T4335] ? __pfx___get_user_pages (mm/gup.c:1188) [ 275.286579][ T4335] ? __pfx_validate_chain (kernel/locking/lockdep.c:3825) [ 275.287034][ T4335] ? mark_lock (kernel/locking/lockdep.c:4656 (discriminator 1)) [ 275.287416][ T4335] __gup_longterm_locked (mm/gup.c:1509 mm/gup.c:2209) [ 275.288192][ T4335] ? __pfx___gup_longterm_locked (mm/gup.c:2204) [ 275.288697][ T4335] ? __pfx_lock_acquire (kernel/locking/lockdep.c:5722) [ 275.289135][ T4335] ? __pfx___might_resched (kernel/sched/core.c:10106) [ 275.289595][ T4335] pin_user_pages_remote (mm/gup.c:3350) [ 275.290041][ T4335] ? __pfx_pin_user_pages_remote (mm/gup.c:3350) [ 275.290545][ T4335] ? find_held_lock (kernel/locking/lockdep.c:5244 (discriminator 1)) [ 275.290961][ T4335] ? mm_access (kernel/fork.c:1573) [ 275.291353][ T4335] process_vm_rw_single_vec+0x142/0x360 [ 275.291900][ T4335] ? __pfx_process_vm_rw_single_vec+0x10/0x10 [ 275.292471][ T4335] ? mm_access (kernel/fork.c:1573) [ 275.292859][ T4335] process_vm_rw_core+0x272/0x4e0 [ 275.293384][ T4335] ? hlock_class (a ---truncated---

5.5
2024-08-08 CVE-2024-42252 Linux Reachable Assertion vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: closures: Change BUG_ON() to WARN_ON() If a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON() For reference, this has popped up once in the CI, and we'll need more info to debug it: 03240 ------------[ cut here ]------------ 03240 kernel BUG at lib/closure.c:21! 03240 kernel BUG at lib/closure.c:21! 03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP 03240 Modules linked in: 03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570 03240 Hardware name: linux,dummy-virt (DT) 03240 Workqueue: btree_update btree_interior_update_work 03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--) 03240 pc : closure_put+0x224/0x2a0 03240 lr : closure_put+0x24/0x2a0 03240 sp : ffff0000d12071c0 03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360 03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040 03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168 03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001 03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974 03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d 03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e 03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b 03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954 03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000 03240 Call trace: 03240 closure_put+0x224/0x2a0 03240 bch2_check_for_deadlock+0x910/0x1028 03240 bch2_six_check_for_deadlock+0x1c/0x30 03240 six_lock_slowpath.isra.0+0x29c/0xed0 03240 six_lock_ip_waiter+0xa8/0xf8 03240 __bch2_btree_node_lock_write+0x14c/0x298 03240 bch2_trans_lock_write+0x6d4/0xb10 03240 __bch2_trans_commit+0x135c/0x5520 03240 btree_interior_update_work+0x1248/0x1c10 03240 process_scheduled_works+0x53c/0xd90 03240 worker_thread+0x370/0x8c8 03240 kthread+0x258/0x2e8 03240 ret_from_fork+0x10/0x20 03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000) 03240 ---[ end trace 0000000000000000 ]--- 03240 Kernel panic - not syncing: Oops - BUG: Fatal exception 03240 SMP: stopping secondary CPUs 03241 SMP: failed to stop secondary CPUs 13,15 03241 Kernel Offset: disabled 03241 CPU features: 0x00,00000003,80000008,4240500b 03241 Memory Limit: none 03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]--- 03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s

5.5
2024-08-08 CVE-2024-42254 Linux NULL Pointer Dereference vulnerability in Linux Kernel 6.10

In the Linux kernel, the following vulnerability has been resolved: io_uring: fix error pbuf checking Syz reports a problem, which boils down to NULL vs IS_ERR inconsistent error handling in io_alloc_pbuf_ring(). KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:__io_remove_buffers+0xac/0x700 io_uring/kbuf.c:341 Call Trace: <TASK> io_put_bl io_uring/kbuf.c:378 [inline] io_destroy_buffers+0x14e/0x490 io_uring/kbuf.c:392 io_ring_ctx_free+0xa00/0x1070 io_uring/io_uring.c:2613 io_ring_exit_work+0x80f/0x8a0 io_uring/io_uring.c:2844 process_one_work kernel/workqueue.c:3231 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

5.5
2024-08-08 CVE-2024-42255 Linux NULL Pointer Dereference vulnerability in Linux Kernel 6.10

In the Linux kernel, the following vulnerability has been resolved: tpm: Use auth only after NULL check in tpm_buf_check_hmac_response() Dereference auth after NULL check in tpm_buf_check_hmac_response(). Otherwise, unless tpm2_sessions_init() was called, a call can cause NULL dereference, when TCG_TPM2_HMAC is enabled. [jarkko: adjusted the commit message.]

5.5
2024-08-07 CVE-2024-42232 Linux Use After Free vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: libceph: fix race between delayed_work() and ceph_monc_stop() The way the delayed work is handled in ceph_monc_stop() is prone to races with mon_fault() and possibly also finish_hunting().

5.5
2024-08-07 CVE-2024-42234 Linux Double Free vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: mm: fix crashes from deferred split racing folio migration Even on 6.10-rc6, I've been seeing elusive "Bad page state"s (often on flags when freeing, yet the flags shown are not bad: PG_locked had been set and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from deferred_split_scan()'s folio_put(), and a variety of other BUG and WARN symptoms implying double free by deferred split and large folio migration. 6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when large folio migration") was right to fix the memcg-dependent locking broken in 85ce2c517ade ("memcontrol: only transfer the memcg data for migration"), but missed a subtlety of deferred_split_scan(): it moves folios to its own local list to work on them without split_queue_lock, during which time folio->_deferred_list is not empty, but even the "right" lock does nothing to secure the folio and the list it is on. Fortunately, deferred_split_scan() is careful to use folio_try_get(): so folio_migrate_mapping() can avoid the race by folio_undo_large_rmappable() while the old folio's reference count is temporarily frozen to 0 - adding such a freeze in the !mapping case too (originally, folio lock and unmapping and no swap cache left an anon folio unreachable, so no freezing was needed there: but the deferred split queue offers a way to reach it).

5.5
2024-08-07 CVE-2024-42235 Linux NULL Pointer Dereference vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: s390/mm: Add NULL pointer check to crst_table_free() base_crst_free() crst_table_free() used to work with NULL pointers before the conversion to ptdescs.

5.5
2024-08-07 CVE-2024-42236 Linux Out-of-bounds Write vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() Userspace provided string 's' could trivially have the length zero.

5.5
2024-08-07 CVE-2024-42237 Linux Excessive Iteration vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Validate payload length before processing block Move the payload length check in cs_dsp_load() and cs_dsp_coeff_load() to be done before the block is processed. The check that the length of a block payload does not exceed the number of remaining bytes in the firwmware file buffer was being done near the end of the loop iteration.

5.5
2024-08-07 CVE-2024-42238 Linux Classic Buffer Overflow vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Return error if block header overflows file Return an error from cs_dsp_power_up() if a block header is longer than the amount of data left in the file. The previous code in cs_dsp_load() and cs_dsp_load_coeff() would loop while there was enough data left in the file for a valid region.

5.5
2024-08-07 CVE-2024-42239 Linux Improper Locking vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: bpf: Fail bpf_timer_cancel when callback is being cancelled Given a schedule: timer1 cb timer2 cb bpf_timer_cancel(timer2); bpf_timer_cancel(timer1); Both bpf_timer_cancel calls would wait for the other callback to finish executing, introducing a lockup. Add an atomic_t count named 'cancelling' in bpf_hrtimer.

5.5
2024-08-07 CVE-2024-42240 Linux Infinite Loop vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: x86/bhi: Avoid warning in #DB handler due to BHI mitigation When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the clear_bhb_loop() before the TF flag is cleared.

5.5
2024-08-07 CVE-2024-42241 Linux Allocation of Resources Without Limits or Throttling vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: mm/shmem: disable PMD-sized page cache if needed For shmem files, it's possible that PMD-sized page cache can't be supported by xarray.

5.5
2024-08-07 CVE-2024-42242 Linux Allocation of Resources Without Limits or Throttling vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci: Fix max_seg_size for 64KiB PAGE_SIZE blk_queue_max_segment_size() ensured: if (max_size < PAGE_SIZE) max_size = PAGE_SIZE; whereas: blk_validate_limits() makes it an error: if (WARN_ON_ONCE(lim->max_segment_size < PAGE_SIZE)) return -EINVAL; The change from one to the other, exposed sdhci which was setting maximum segment size too low in some circumstances. Fix the maximum segment size when it is too low.

5.5
2024-08-07 CVE-2024-42243 Linux Unspecified vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray Patch series "mm/filemap: Limit page cache size to that supported by xarray", v2. Currently, xarray can't support arbitrary page cache size.

5.5
2024-08-07 CVE-2024-42244 Linux Unspecified vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: USB: serial: mos7840: fix crash on resume Since commit c49cfa917025 ("USB: serial: use generic method if no alternative is provided in usb serial layer"), USB serial core calls the generic resume implementation when the driver has not provided one. This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011.

5.5
2024-08-07 CVE-2024-42245 Linux Improper Locking vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: Revert "sched/fair: Make sure to try to detach at least one movable task" This reverts commit b0defa7ae03ecf91b8bfd10ede430cff12fcbd06. b0defa7ae03ec changed the load balancing logic to ignore env.max_loop if all tasks examined to that point were pinned.

5.5
2024-08-07 CVE-2024-42246 Linux Infinite Loop vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket When using a BPF program on kernel_connect(), the call can return -EPERM.

5.5
2024-08-07 CVE-2024-42247 Linux Allocation of Resources Without Limits or Throttling vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: wireguard: allowedips: avoid unaligned 64-bit memory accesses On the parisc platform, the kernel issues kernel warnings because swap_endian() tries to load a 128-bit IPv6 address from an unaligned memory location: Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard] (iir 0xf3010df) Kernel: unaligned access to 0x55f46884 in wg_allowedips_insert_v6+0x38/0x80 [wireguard] (iir 0xf2010dc) Avoid such unaligned memory accesses by instead using the get_unaligned_be64() helper macro. [Jason: replace src[8] in original patch with src+8]

5.5
2024-08-07 CVE-2024-42248 Linux NULL Pointer Dereference vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: tty: serial: ma35d1: Add a NULL check for of_node The pdev->dev.of_node can be NULL if the "serial" node is absent. Add a NULL check to return an error in such cases.

5.5
2024-08-07 CVE-2024-42250 Linux Improper Locking vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: cachefiles: add missing lock protection when polling Add missing lock protection in poll routine when iterating xarray, otherwise: Even with RCU read lock held, only the slot of the radix tree is ensured to be pinned there, while the data structure (e.g.

5.5
2024-08-07 CVE-2024-37403 Ivanti Path Traversal vulnerability in Ivanti Docs@Work

Ivanti Docs@Work for Android, before 2.26.0 is affected by the 'Dirty Stream' vulnerability.

5.5
2024-08-07 CVE-2024-34604 Samsung Unspecified vulnerability in Samsung Android 12.0/13.0/14.0

Improper access control in LedCoverService prior to SMR Aug-2024 Release 1 allows local attackers to bypass restrictions on starting services from the background.

5.5
2024-08-07 CVE-2024-34605 Samsung Unspecified vulnerability in Samsung Android 12.0/13.0/14.0

Improper access control in SamsungHealthService prior to SMR Aug-2024 Release 1 allows local attackers to bypass restrictions on starting services from the background.

5.5
2024-08-07 CVE-2024-34606 Samsung Unspecified vulnerability in Samsung Android 12.0/13.0/14.0

Improper access control in SmartThingsService prior to SMR Aug-2024 Release 1 allows local attackers to bypass restrictions on starting services from the background.

5.5
2024-08-07 CVE-2024-34607 Samsung Unspecified vulnerability in Samsung Android 12.0/13.0/14.0

Improper access control in SamsungNotesService prior to SMR Aug-2024 Release 1 allows local attackers to bypass restrictions on starting services from the background.

5.5
2024-08-07 CVE-2024-34608 Samsung Unspecified vulnerability in Samsung Android 12.0/13.0/14.0

Improper access control in PaymentManagerService prior to SMR Aug-2024 Release 1 allows local attackers to bypass restrictions on starting services from the background.

5.5
2024-08-07 CVE-2024-34609 Samsung Unspecified vulnerability in Samsung Android 12.0/13.0/14.0

Improper access control in VoiceNoteService prior to SMR Aug-2024 Release 1 allows local attackers to bypass restrictions on starting services from the background.

5.5
2024-08-07 CVE-2024-34610 Samsung Unspecified vulnerability in Samsung Android 12.0/13.0/14.0

Improper access control in ExtControlDeviceService prior to SMR Aug-2024 Release 1 allows local attackers to access protected data.

5.5
2024-08-07 CVE-2024-34611 Samsung Unspecified vulnerability in Samsung Android 12.0/13.0/14.0

Improper access control in KnoxService prior to SMR Aug-2024 Release 1 allows local attackers to get sensitive information.

5.5
2024-08-07 CVE-2024-34613 Samsung Unspecified vulnerability in Samsung Wear OS 4.0

Improper access control in Galaxy Watch prior to SMR Aug-2024 Release 1 allows local attackers to access sensitive information of Galaxy watch.

5.5
2024-08-07 CVE-2024-34616 Samsung Incorrect Default Permissions vulnerability in Samsung Android 12.0/13.0/14.0

Improper handling of insufficient permission in KnoxDualDARPolicy prior to SMR Aug-2024 Release 1 allows local attackers to access sensitive data.

5.5
2024-08-07 CVE-2024-34621 Samsung Out-of-bounds Read vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds read in applying binary with data in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.

5.5
2024-08-07 CVE-2024-34624 Samsung Out-of-bounds Read vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds read in applying paragraphs in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.

5.5
2024-08-07 CVE-2024-34625 Samsung Out-of-bounds Read vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds read in applying connection point in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.

5.5
2024-08-07 CVE-2024-34626 Samsung Out-of-bounds Read vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds read in applying own binary in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.

5.5
2024-08-07 CVE-2024-34627 Samsung Out-of-bounds Read vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds read in parsing implemention in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.

5.5
2024-08-07 CVE-2024-34628 Samsung Out-of-bounds Read vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds read in applying binary with path in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.

5.5
2024-08-07 CVE-2024-34629 Samsung Out-of-bounds Read vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds read in applying binary with text common object in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.

5.5
2024-08-07 CVE-2024-34630 Samsung Out-of-bounds Read vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds read in applying own binary with textbox in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.

5.5
2024-08-07 CVE-2024-34631 Samsung Out-of-bounds Read vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds read in applying new binary in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.

5.5
2024-08-07 CVE-2024-34636 Samsung Unspecified vulnerability in Samsung Email 6.1.82.0/6.1.90.16/6.1.90.4

Use of implicit intent for sensitive communication in Samsung Email prior to version 6.1.94.2 allows local attackers to get sensitive information.

5.5
2024-08-06 CVE-2024-42358 Msweet Infinite Loop vulnerability in Msweet Pdfio

PDFio is a simple C library for reading and writing PDF files.

5.5
2024-08-06 CVE-2024-36424 K7Computing NULL Pointer Dereference vulnerability in K7Computing K7 Ultimate Security 16.0.000/16.0.0117/16.0.0120

K7RKScan.sys in K7 Ultimate Security before 17.0.2019 allows local users to cause a denial of service (BSOD) because of a NULL pointer dereference.

5.5
2024-08-06 CVE-2024-7537 Ofono Project Out-of-bounds Read vulnerability in Ofono Project Ofono 1.34

oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure Vulnerability.

5.5
2024-08-08 CVE-2024-4207 Gitlab Cross-site Scripting vulnerability in Gitlab

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2.

5.4
2024-08-08 CVE-2024-4784 Gitlab Improper Authentication vulnerability in Gitlab

An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy.

5.4
2024-08-08 CVE-2024-6869 The Falang multilanguage for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.3.52.
5.4
2024-08-07 CVE-2024-20443 Cisco Cross-site Scripting vulnerability in Cisco Identity Services Engine

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system.

5.4
2024-08-06 CVE-2024-41911 HP Cross-site Scripting vulnerability in HP Poly Clariti Manager Firmware

A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices.

5.4
2024-08-06 CVE-2024-6200 Haloservicesolutions Cross-site Scripting vulnerability in Haloservicesolutions Haloitsm

HaloITSM versions up to 2.146.1 are affected by a Stored Cross-Site Scripting (XSS) vulnerability.

5.4
2024-08-05 CVE-2024-6361 Opentext Cross-site Scripting vulnerability in Opentext ALM Octane

Improper Neutralization vulnerability (XSS) has been discovered in OpenText™ ALM Octane.

5.4
2024-08-05 CVE-2024-6710 Metaphorcreations Cross-site Scripting vulnerability in Metaphorcreations Ditty

The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

5.4
2024-08-05 CVE-2024-7466 Pmweb Cross-site Scripting vulnerability in Pmweb 7.2.00

A vulnerability has been found in PMWeb 7.2.00 and classified as problematic.

5.4
2024-08-08 CVE-2024-42493 Dorsettcontrols Unspecified vulnerability in Dorsettcontrols Infoscan 1.32/1.33/1.35

Dorsett Controls InfoScan is vulnerable due to a leak of possible sensitive information through the response headers and the rendered JavaScript prior to user login.

5.3
2024-08-08 CVE-2024-41238 Lopalopa SQL Injection vulnerability in Lopalopa Responsive School Management System 3.2.0

A SQL injection vulnerability in /smsa/student_login.php in Kashipara Responsive School Management System v1.0 allows an attacker to execute arbitrary SQL commands via the "username" parameter.

5.3
2024-08-08 CVE-2024-6552 The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2.
5.3
2024-08-07 CVE-2024-41243 Lopalopa Unspecified vulnerability in Lopalopa Responsive School Management System 3.2.0

An Incorrect Access Control vulnerability was found in /smsa/view_marks.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view MARKS details.

5.3
2024-08-07 CVE-2024-41244 Lopalopa Unspecified vulnerability in Lopalopa Responsive School Management System 3.2.0

An Incorrect Access Control vulnerability was found in /smsa/view_class.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view CLASS details.

5.3
2024-08-07 CVE-2024-41245 Lopalopa Unspecified vulnerability in Lopalopa Responsive School Management System 3.2.0

An Incorrect Access Control vulnerability was found in /smsa/view_teachers.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view TEACHER details.

5.3
2024-08-07 CVE-2024-41250 Lopalopa Unspecified vulnerability in Lopalopa Responsive School Management System 3.2.0

An Incorrect Access Control vulnerability was found in /smsa/view_students.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view STUDENT details.

5.3
2024-08-07 CVE-2024-41246 Lopalopa Unspecified vulnerability in Lopalopa Responsive School Management System 3.2.0

An Incorrect Access Control vulnerability was found in /smsa/admin_dashboard.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view administrator dashboard.

5.3
2024-08-07 CVE-2024-41247 Lopalopa Unspecified vulnerability in Lopalopa Responsive School Management System 3.2.0

An Incorrect Access Control vulnerability was found in /smsa/add_class.php and /smsa/add_class_submit.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to add a new class entry.

5.3
2024-08-07 CVE-2024-41248 Lopalopa Unspecified vulnerability in Lopalopa Responsive School Management System 3.2.0

An Incorrect Access Control vulnerability was found in /smsa/add_subject.php and /smsa/add_subject_submit.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to add a new subject entry.

5.3
2024-08-07 CVE-2024-41249 Lopalopa Unspecified vulnerability in Lopalopa Responsive School Management System 3.2.0

An Incorrect Access Control vulnerability was found in /smsa/view_subject.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view SUBJECT details.

5.3
2024-08-07 CVE-2024-41432 Likeshop Authentication Bypass by Spoofing vulnerability in Likeshop 2.5.7.20210311

An IP Spoofing vulnerability has been discovered in Likeshop up to 2.5.7.20210811.

5.3
2024-08-06 CVE-2024-42398 Arubanetworks
HP
Multiple unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the Soft AP daemon accessed via the PAPI protocol.
5.3
2024-08-06 CVE-2024-42399 Arubanetworks
HP
Multiple unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the Soft AP daemon accessed via the PAPI protocol.
5.3
2024-08-06 CVE-2024-42400 Arubanetworks
HP
Multiple unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the Soft AP daemon accessed via the PAPI protocol.
5.3
2024-08-06 CVE-2024-42396 HP Unspecified vulnerability in HP Instantos

Multiple unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the AP Certificate Management daemon accessed via the PAPI protocol.

5.3
2024-08-06 CVE-2024-42397 HP Unspecified vulnerability in HP Instantos

Multiple unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the AP Certificate Management daemon accessed via the PAPI protocol.

5.3
2024-08-06 CVE-2024-39229 GL Inet Unspecified vulnerability in Gl-Inet products

An issue in GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, XE3000/X3000 v4, and B2200/MV1000/MV1000W/USB150/N300/SF1200 v3.216 allows attackers to intercept communications via a man-in-the-middle attack when DDNS clients are reporting data to the server.

5.3
2024-08-06 CVE-2024-6201 Haloservicesolutions Unspecified vulnerability in Haloservicesolutions Haloitsm 2.143.8/2.144/2.146

HaloITSM versions up to 2.146.1 are affected by a Template Injection vulnerability within the engine used to generate emails.

5.3
2024-08-07 CVE-2024-7355 The Organization chart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_input’ and 'node_description' parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping.
4.9
2024-08-06 CVE-2024-23464 Zscaler Unspecified vulnerability in Zscaler Client Connector

In certain cases, Zscaler Internet Access (ZIA) can be disabled by PowerShell commands with admin rights.

4.9
2024-08-06 CVE-2024-7551 Juzaweb Path Traversal vulnerability in Juzaweb CMS

A vulnerability was found in juzaweb CMS up to 3.4.2.

4.9
2024-08-08 CVE-2024-7394 Concretecms Cross-site Scripting vulnerability in Concretecms Concrete CMS

Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName().

4.8
2024-08-07 CVE-2024-41239 Lopalopa Cross-site Scripting vulnerability in Lopalopa Responsive School Management System 3.2.0

A Stored Cross Site Scripting (XSS) vulnerability was found in "/smsa/add_class_submit.php" in Responsive School Management System v3.2.0, which allows remote attackers to execute arbitrary code via "class_name" parameter field.

4.8
2024-08-07 CVE-2024-20479 Cisco Cross-site Scripting vulnerability in Cisco Identity Services Engine

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system.

4.8
2024-08-05 CVE-2024-41960 Mailcow Cross-site Scripting vulnerability in Mailcow Mailcow: Dockerized

mailcow: dockerized is an open source groupware/email suite based on docker.

4.8
2024-08-05 CVE-2024-6498 Micro Company Cross-site Scripting vulnerability in Micro.Company Collect.Chat

The Chatbot for WordPress by Collect.chat ?? WordPress plugin before 2.4.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

4.8
2024-08-08 CVE-2024-42253 Linux Improper Locking vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: gpio: pca953x: fix pca953x_irq_bus_sync_unlock race Ensure that `i2c_lock' is held when setting interrupt latch and mask in pca953x_irq_bus_sync_unlock() in order to avoid races. The other (non-probe) call site pca953x_gpio_set_multiple() ensures the lock is held before calling pca953x_write_regs(). The problem occurred when a request raced against irq_bus_sync_unlock() approximately once per thousand reboots on an i.MX8MP based system. * Normal case 0-0022: write register AI|3a {03,02,00,00,01} Input latch P0 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0 0-0022: write register AI|08 {ff,00,00,00,00} Output P3 0-0022: write register AI|12 {fc,00,00,00,00} Config P3 * Race case 0-0022: write register AI|08 {ff,00,00,00,00} Output P3 0-0022: write register AI|08 {03,02,00,00,01} *** Wrong register *** 0-0022: write register AI|12 {fc,00,00,00,00} Config P3 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0

4.7
2024-08-06 CVE-2024-42218 1Password Unspecified vulnerability in 1Password

1Password 8 before 8.10.38 for macOS allows local attackers to exfiltrate vault items by bypassing macOS-specific security mechanisms.

4.7
2024-08-06 CVE-2024-6995 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in Fullscreen in Google Chrome on Android prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

4.7
2024-08-08 CVE-2024-7480 Avaya Unspecified vulnerability in Avaya Aura System Manager

An Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system. Affected versions include 10.1.x.x and 10.2.x.x.

4.4
2024-08-08 CVE-2024-6824 The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'check_temp_validity' and 'update_template_title' functions in all versions up to, and including, 4.10.38.
4.3
2024-08-08 CVE-2024-6987 The Orchid Store theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'orchid_store_activate_plugin' function in all versions up to, and including, 1.5.6.
4.3
2024-08-08 CVE-2024-6254 The Brizy – Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1.
4.3
2024-08-07 CVE-2024-7266 Nask Incorrect Authorization vulnerability in Nask EZD RP

Incorrect User Management vulnerability in Naukowa i Akademicka Sie? Komputerowa - Pa?stwowy Instytut Badawczy EZD RP allows logged-in user to list all users in the system, including those from other organizations. This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.

4.3
2024-08-07 CVE-2024-42222 Apache Unspecified vulnerability in Apache Cloudstack 4.19.1.0

In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts.

4.3
2024-08-06 CVE-2024-39751 IBM Information Exposure Through an Error Message vulnerability in IBM Infosphere Information Server 11.7

IBM InfoSphere Information Server 11.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

4.3
2024-08-06 CVE-2024-6999 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in FedCM in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.

4.3
2024-08-06 CVE-2024-7001 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in HTML in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.

4.3
2024-08-06 CVE-2024-7003 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in FedCM in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.

4.3
2024-08-06 CVE-2024-7004 Google Unspecified vulnerability in Google Chrome

Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a malicious file.

4.3
2024-08-06 CVE-2024-7005 Google Unspecified vulnerability in Google Chrome

Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a malicious file.

4.3

14 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-08-08 CVE-2024-42408 Dorsettcontrols Path Traversal vulnerability in Dorsettcontrols Infoscan 1.32/1.33/1.35

The InfoScan client download page can be intercepted with a proxy, to expose filenames located on the system, which could lead to additional information exposure.

3.7
2024-08-07 CVE-2024-42233 Linux Unspecified vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: filemap: replace pte_offset_map() with pte_offset_map_nolock() The vmf->ptl in filemap_fault_recheck_pte_none() is still set from handle_pte_fault().

3.3
2024-08-07 CVE-2024-42249 Linux Unspecified vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: spi: don't unoptimize message in spi_async() Calling spi_maybe_unoptimize_message() in spi_async() is wrong because the message is likely to be in the queue and not transferred yet.

3.3
2024-08-07 CVE-2024-34617 Samsung Incorrect Default Permissions vulnerability in Samsung Android 14.0

Improper handling of insufficient permission in Telephony prior to SMR Aug-2024 Release 1 allows local attackers to configure default Message application.

3.3
2024-08-07 CVE-2024-34618 Samsung Unspecified vulnerability in Samsung Android 12.0/13.0/14.0

Improper access control in System property prior to SMR Aug-2024 Release 1 allows local attackers to access cell related information.

3.3
2024-08-07 CVE-2024-34632 Samsung Out-of-bounds Read vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds read in uuid parsing in Samsung Notes prior to version 4.4.21.62 allows local attacker to access unauthorized memory.

3.3
2024-08-07 CVE-2024-34633 Samsung Out-of-bounds Read vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds read in parsing object header in Samsung Notes prior to version 4.4.21.62 allows local attacker to access unauthorized memory.

3.3
2024-08-07 CVE-2024-34634 Samsung Out-of-bounds Read vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds read in parsing connected object list in Samsung Notes prior to version 4.4.21.62 allows local attacker to access unauthorized memory.

3.3
2024-08-07 CVE-2024-34635 Samsung Out-of-bounds Read vulnerability in Samsung Notes 2.0.02.31/4.2.00.22/4.3.02.61

Out-of-bounds read in parsing textbox object in Samsung Notes prior to version 4.4.21.62 allows local attacker to access unauthorized memory.

3.3
2024-08-06 CVE-2024-7540 Ofono Project Use of Uninitialized Resource vulnerability in Ofono Project Ofono 1.34

oFono AT CMGL Command Uninitialized Variable Information Disclosure Vulnerability.

3.3
2024-08-06 CVE-2024-7541 Ofono Project Use of Uninitialized Resource vulnerability in Ofono Project Ofono 1.34

oFono AT CMT Command Uninitialized Variable Information Disclosure Vulnerability.

3.3
2024-08-06 CVE-2024-7542 Ofono Project Use of Uninitialized Resource vulnerability in Ofono Project Ofono 1.34

oFono AT CMGR Command Uninitialized Variable Information Disclosure Vulnerability.

3.3
2024-08-05 CVE-2024-40096 RD Labs LLC Information Exposure Through Log Files vulnerability in RD Labs LLC WHO 15.0

The com.cascadialabs.who (aka Who - Caller ID, Spam Block) application 15.0 for Android places sensitive information in the system log.

3.3
2024-08-06 CVE-2024-6996 Google Race Condition vulnerability in Google Chrome

Race in Frames in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.

3.1