Threat and Vulnerability Intelligence Database

CVE-2024-48868

Description: An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later; QTS 5.2.2.2950 build 20241114 and later; QuTS hero h5.1.9.2954 build 20241120 and later; QuTS hero h5.2.2.2952 build 20241116 and later.

CVSS: HIGH (8.7)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-48865

Description: An improper certificate validation vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow attackers with local network access to compromise the security of the system. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later; QTS 5.2.2.2950 build 20241114 and later; QuTS hero h5.1.9.2954 build 20241120 and later; QuTS hero h5.2.2.2952 build 20241116 and later.

CVSS: HIGH (7.3)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-48863

Description: A command injection vulnerability has been reported to affect License Center. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. We have already fixed the vulnerability in the following version: License Center 1.9.43 and later.

CVSS: HIGH (7.7)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-47791

Description: Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to subscribe to partial possible topics in Ruijie MQTT broker, and receive partial messages being sent to and from devices.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-47043

Description: Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could enable an attacker to correlate a device serial number and the user's phone number and part of the email address.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-46874

Description: Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow MQTT clients connecting with device credentials to send messages to some topics. Attackers with device credentials could issue commands to other devices on behalf of Ruijie's cloud.

CVSS: HIGH (8.1)

EPSS Score: 0.05%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-45722

Description: Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x use a weak credential mechanism that could allow an attacker to easily calculate MQTT credentials.

CVSS: HIGH (7.5)

EPSS Score: 0.09%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-39689

Description: Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-37222

Description: Cross Site Scripting (XSS) vulnerability in Averta Master Slider allows Reflected XSS. This issue affects Master Slider: from n/a through 3.9.10.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-21571

Description: Snyk has identified a remote code execution (RCE) vulnerability in all versions of Code Agent. The vulnerability enables an attacker to execute arbitrary code within the Code Agent container. Exploiting this vulnerability would require an attacker to have network access to the Code Agent within the deployment environment. External exploitation of this vulnerability is unlikely and depends on both misconfigurations of the cluster and/or chaining with another vulnerability. However, internal exploitation (with a cluster misconfiguration) could still be possible.

CVSS: HIGH (8.1)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (4 months ago)