Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2023-22697
WordPress Survey Maker plugin <= 3.2.0 - Broken Access Control vulnerability
Description: Missing Authorization vulnerability in Survey Maker team Survey Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Survey Maker: from n/a through 3.2.0.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
December 14th, 2024 (4 months ago)

CVE-2024-9387
URL Redirection to Untrusted Site ('Open Redirect') in GitLab
Description: An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint.

CVSS: MEDIUM (6.4)

EPSS Score: 0.06%

Source: CVE
December 13th, 2024 (4 months ago)

CVE-2024-9367
Allocation of Resources Without Limits or Throttling in GitLab
Description: An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while parsing templates to generate changelogs.

CVSS: MEDIUM (4.3)

EPSS Score: 0.04%

Source: CVE
December 13th, 2024 (4 months ago)

CVE-2024-8647
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab
Description: An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted installs, it was possible to leak the anti-CSRF-token to an external site while the Harbor integration was enabled.

CVSS: MEDIUM (5.4)

EPSS Score: 0.04%

Source: CVE
December 13th, 2024 (4 months ago)

CVE-2024-8179
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
Description: An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to XSS if CSP is not enabled.

CVSS: MEDIUM (5.4)

EPSS Score: 0.04%

Source: CVE
December 13th, 2024 (4 months ago)

CVE-2024-55886
OpenTelemetry Logs source may lack authentication with some custom plugins
Description: OpenSearch Data Prepper is a component of the OpenSearch project that accepts, filters, transforms, enriches, and routes data at scale. A vulnerability exists in the OpenTelemetry Logs source in Data Prepper starting inversion 2.1.0 and prior to version 2.10.2 where some custom authentication plugins will not perform authentication. This allows unauthorized users to ingest OpenTelemetry Logs data under certain conditions. This vulnerability does not affect the built-in `http_basic` authentication provider in Data Prepper. Pipelines which use the `http_basic` authentication provider continue to require authentication. The vulnerability exists only for custom implementations of Data Prepper’s `GrpcAuthenticationProvider` authentication plugin which implement the `getHttpAuthenticationService()` method instead of `getAuthenticationInterceptor()`. Data Prepper 2.10.2 contains a fix for this issue. For those unable to upgrade, one may use the built-in `http_basic` authentication provider in Data Prepper and/or add an authentication proxy in front of one's Data Prepper instances running the OpenTelemetry Logs source.

CVSS: MEDIUM (6.9)

EPSS Score: 0.04%

Source: CVE
December 13th, 2024 (4 months ago)

CVE-2024-55885
Beego Vulnerable to Collision Hazards of MD5 in Cache Key Filenames
Description: beego is an open-source web framework for the Go programming language. Versions of beego prior to 2.3.4 use MD5 as a hashing algorithm. MD5 is no longer considered secure against well-funded opponents due to its vulnerability to collision attacks. Version 2.3.4 replaces MD5 with SHA256.

CVSS: MEDIUM (6.9)

EPSS Score: 0.04%

Source: CVE
December 13th, 2024 (4 months ago)

CVE-2024-55878
Cross-site Scripting vulnerability in SimpleXLSXEx::readXfs and SimpeXLSX::toHTMLEx
Description: SimpleXLSX is software for parsing and retrieving data from Excel XLSx files. Starting in version 1.0.12 and prior to version 1.1.12, when calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. Version 1.1.12 fixes the issue. As a workaround, don't use direct publication via toHTMLEx.

CVSS: MEDIUM (6.8)

EPSS Score: 0.04%

Source: CVE
December 13th, 2024 (4 months ago)

CVE-2024-55876
XWiki's scheduler in subwiki allows scheduling operations for any main wiki user
Description: XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on `Scheduler.WebPreferences` to match the patch.

CVSS: MEDIUM (5.4)

EPSS Score: 0.05%

Source: CVE
December 13th, 2024 (4 months ago)

CVE-2024-54122
Concurrent variable access vulnerability in the ability module Impact: Successful exploitation of this vulnerability may affect availability.
Description: Concurrent variable access vulnerability in the ability module Impact: Successful exploitation of this vulnerability may affect availability.

CVSS: MEDIUM (6.2)

EPSS Score: 0.04%

Source: CVE
December 13th, 2024 (4 months ago)