CVE-2024-48863 |
Description: A command injection vulnerability has been reported to affect License Center. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands.
We have already fixed the vulnerability in the following version:
License Center 1.9.43 and later
CVSS: HIGH (7.7) EPSS Score: 0.04%
December 7th, 2024 (5 months ago)
|
CVE-2024-47791 |
Description: Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to subscribe to partial possible topics in Ruijie MQTT broker, and receive partial messages being sent to and from devices.
CVSS: HIGH (7.5) EPSS Score: 0.05%
December 7th, 2024 (5 months ago)
|
CVE-2024-47043 |
Description: Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could enable an attacker to correlate a device serial number and the user's phone number and part of the email address.
CVSS: HIGH (7.5) EPSS Score: 0.05%
December 7th, 2024 (5 months ago)
|
CVE-2024-46874 |
Description: Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow MQTT clients connecting with device credentials to send messages to some topics. Attackers with device credentials could issue commands to other devices on behalf of Ruijie's cloud.
CVSS: HIGH (8.1) EPSS Score: 0.05%
December 7th, 2024 (5 months ago)
|
CVE-2024-45722 |
Description: Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x use a weak credential mechanism that could allow an attacker to easily calculate MQTT credentials.
CVSS: HIGH (7.5) EPSS Score: 0.09%
December 7th, 2024 (5 months ago)
|
CVE-2024-39689 |
Description: Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."
CVSS: HIGH (7.5) EPSS Score: 0.05%
December 7th, 2024 (5 months ago)
|
CVE-2024-37222 |
Description: Cross Site Scripting (XSS) vulnerability in Averta Master Slider allows Reflected XSS. This issue affects Master Slider: from n/a through 3.9.10.
CVSS: HIGH (7.1) EPSS Score: 0.04%
December 7th, 2024 (5 months ago)
|
CVE-2024-21571 |
Description: Snyk has identified a remote code execution (RCE) vulnerability in all versions of Code Agent. The vulnerability enables an attacker to execute arbitrary code within the Code Agent container. Exploiting this vulnerability would require an attacker to have network access to the Code Agent within the deployment environment. External exploitation of this vulnerability is unlikely and depends on both misconfigurations of the cluster and/or chaining with another vulnerability. However, internal exploitation (with a cluster misconfiguration) could still be possible.
CVSS: HIGH (8.1) EPSS Score: 0.04%
December 7th, 2024 (5 months ago)
|
CVE-2024-21167 |
Description: Vulnerability in the Oracle Trading Community product of Oracle E-Business Suite (component: Party Search UI). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Trading Community. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Trading Community accessible data as well as unauthorized access to critical data or complete access to all Oracle Trading Community accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
CVSS: HIGH (8.1) EPSS Score: 0.04%
December 7th, 2024 (5 months ago)
|
CVE-2024-12254 |
Description: Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer, potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users: you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using the .writelines() method, which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true, then your usage of Python is unaffected.
CVSS: HIGH (8.7) EPSS Score: 0.04%
December 7th, 2024 (5 months ago)
|