CyberAlerts

CVE-2024-7882

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Special Minds Design and Software e-Commerce allows SQL Injection.This issue affects e-Commerce: before 22.11.2024.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE

November 27th, 2024 (5 months ago)

CVE-2024-6972

Description: In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE

November 27th, 2024 (5 months ago)

CVE-2024-6831

Description: Seth Fogie, member of AXIS Camera Station Pro Bug Bounty Program has found that it is possible to edit and/or remove views without the necessary permission due to a client-side-only check. Axis has released patched versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

CVSS: MEDIUM (4.4)

EPSS Score: 0.04%

Source: CVE

November 27th, 2024 (5 months ago)

CVE-2024-6749

Description: Seth Fogie, member of the AXIS Camera Station Pro Bug Bounty Program, has found that the Incident report feature may expose sensitive credentials on the AXIS Camera Station windows client. If Incident report is not being used with credentials configured this flaw does not apply. Axis has released patched versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

CVSS: MEDIUM (6.3)

EPSS Score: 0.04%

Source: CVE

November 27th, 2024 (5 months ago)

CVE-2024-6476

Description: Gee-netics, member of the AXIS Camera Station Pro Bug Bounty Program has found that it is possible for a non-admin user to gain system privileges by redirecting a file deletion upon service restart. Axis has released patched versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

CVSS: MEDIUM (4.2)

EPSS Score: 0.04%

Source: CVE

November 27th, 2024 (5 months ago)

CVE-2024-53976

Description: Under certain circumstances, navigating to a webpage would result in the address missing from the location URL bar, making it unclear what the URL was for the loaded webpage. This vulnerability affects Firefox for iOS < 133.

CVSS: MEDIUM (5.4)

EPSS Score: 0.04%

Source: CVE

November 27th, 2024 (5 months ago)

CVE-2024-53975

Description: Accessing a non-secure HTTP site that uses a non-existent port may cause the SSL padlock icon in the location URL bar to, misleadingly, appear secure. This vulnerability affects Firefox for iOS < 133.

CVSS: MEDIUM (5.4)

EPSS Score: 0.04%

Source: CVE

November 27th, 2024 (5 months ago)

CVE-2024-53930

Description: WikiDocs before 1.0.65 allows stored XSS by authenticated users via data that comes after $$\\, which is mishandled by a KaTeX parser.

CVSS: MEDIUM (5.4)

EPSS Score: 0.04%

Source: CVE

November 27th, 2024 (5 months ago)

CVE-2024-53849

Several stack buffer overflows and pointer overflows in editorconfig-core-c

Description: editorconfig-core-c is theEditorConfig core library written in C (for use by plugins supporting EditorConfig parsing). In affected versions several overflows may occur in switch case '[' when the input pattern contains many escaped characters. The added backslashes leave too little space in the output pattern when processing nested brackets such that the remaining input length exceeds the output capacity. This issue has been addressed in release version 0.12.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS: MEDIUM (4.8)

EPSS Score: 0.05%

Source: CVE

November 27th, 2024 (5 months ago)

CVE-2024-53844

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in labsai/eddi

Description: E.D.D.I (Enhanced Dialog Driven Interface) is a middleware to connect and manage LLM API bots. A path traversal vulnerability exists in the backup export functionality of EDDI, as implemented in `RestExportService.java`. This vulnerability allows an attacker to access sensitive files on the server by manipulating the `botFilename` parameter in requests. The application fails to sanitize user input, enabling malicious inputs such as `..%2f..%2fetc%2fpasswd` to access arbitrary files. However, the **severity of this vulnerability is significantly limited** because EDDI typically runs within a **Docker container**, which provides additional layers of isolation and restricted permissions. As a result, while this vulnerability exposes files within the container, it does not inherently threaten the underlying host system or other containers. A patch is required to sanitize and validate the botFilename input parameter. Users should ensure they are using version 5.4 which contains this patdch. For temporary mitigation, access to the vulnerable endpoint should be restricted through firewall rules or authentication mechanisms.

CVSS: MEDIUM (6.3)

EPSS Score: 0.04%

Source: CVE

November 27th, 2024 (5 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-7882	SQLi in Special Minds' e-Commerce Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Special Minds Design and Software e-Commerce allows SQL Injection.This issue affects e-Commerce: before 22.11.2024. CVSS: MEDIUM (6.5) EPSS Score: 0.04% Source: CVE November 27th, 2024 (5 months ago)
CVE-2024-6972	Description: In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text. CVSS: MEDIUM (6.5) EPSS Score: 0.04% Source: CVE November 27th, 2024 (5 months ago)
CVE-2024-6831	Description: Seth Fogie, member of AXIS Camera Station Pro Bug Bounty Program has found that it is possible to edit and/or remove views without the necessary permission due to a client-side-only check. Axis has released patched versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. CVSS: MEDIUM (4.4) EPSS Score: 0.04% Source: CVE November 27th, 2024 (5 months ago)
CVE-2024-6749	Description: Seth Fogie, member of the AXIS Camera Station Pro Bug Bounty Program, has found that the Incident report feature may expose sensitive credentials on the AXIS Camera Station windows client. If Incident report is not being used with credentials configured this flaw does not apply. Axis has released patched versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. CVSS: MEDIUM (6.3) EPSS Score: 0.04% Source: CVE November 27th, 2024 (5 months ago)
CVE-2024-6476	Description: Gee-netics, member of the AXIS Camera Station Pro Bug Bounty Program has found that it is possible for a non-admin user to gain system privileges by redirecting a file deletion upon service restart. Axis has released patched versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. CVSS: MEDIUM (4.2) EPSS Score: 0.04% Source: CVE November 27th, 2024 (5 months ago)
CVE-2024-53976	Description: Under certain circumstances, navigating to a webpage would result in the address missing from the location URL bar, making it unclear what the URL was for the loaded webpage. This vulnerability affects Firefox for iOS < 133. CVSS: MEDIUM (5.4) EPSS Score: 0.04% Source: CVE November 27th, 2024 (5 months ago)
CVE-2024-53975	Description: Accessing a non-secure HTTP site that uses a non-existent port may cause the SSL padlock icon in the location URL bar to, misleadingly, appear secure. This vulnerability affects Firefox for iOS < 133. CVSS: MEDIUM (5.4) EPSS Score: 0.04% Source: CVE November 27th, 2024 (5 months ago)
CVE-2024-53930	Description: WikiDocs before 1.0.65 allows stored XSS by authenticated users via data that comes after $$\\, which is mishandled by a KaTeX parser. CVSS: MEDIUM (5.4) EPSS Score: 0.04% Source: CVE November 27th, 2024 (5 months ago)
CVE-2024-53849	Several stack buffer overflows and pointer overflows in editorconfig-core-c Description: editorconfig-core-c is theEditorConfig core library written in C (for use by plugins supporting EditorConfig parsing). In affected versions several overflows may occur in switch case '[' when the input pattern contains many escaped characters. The added backslashes leave too little space in the output pattern when processing nested brackets such that the remaining input length exceeds the output capacity. This issue has been addressed in release version 0.12.7. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVSS: MEDIUM (4.8) EPSS Score: 0.05% Source: CVE November 27th, 2024 (5 months ago)
CVE-2024-53844	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in labsai/eddi Description: E.D.D.I (Enhanced Dialog Driven Interface) is a middleware to connect and manage LLM API bots. A path traversal vulnerability exists in the backup export functionality of EDDI, as implemented in `RestExportService.java`. This vulnerability allows an attacker to access sensitive files on the server by manipulating the `botFilename` parameter in requests. The application fails to sanitize user input, enabling malicious inputs such as `..%2f..%2fetc%2fpasswd` to access arbitrary files. However, the severity of this vulnerability is significantly limited because EDDI typically runs within a Docker container, which provides additional layers of isolation and restricted permissions. As a result, while this vulnerability exposes files within the container, it does not inherently threaten the underlying host system or other containers. A patch is required to sanitize and validate the botFilename input parameter. Users should ensure they are using version 5.4 which contains this patdch. For temporary mitigation, access to the vulnerable endpoint should be restricted through firewall rules or authentication mechanisms. CVSS: MEDIUM (6.3) EPSS Score: 0.04% Source: CVE November 27th, 2024 (5 months ago)