CVE-2024-5657 – CraftCMS Plugin - Two-Factor Authentication - Password Hash Disclosure
https://notcve.org/view.php?id=CVE-2024-5657
The CraftCMS Two-Factor Authentication plugin in versions 3.3.1, 3.3.2 and 3.3.3 discloses the currently authenticated user's password hash after a valid TOTP is submitted. • http://www.openwall.com/lists/oss-security/2024/06/06/1 https://github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4 https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-01_CraftCMS_Plugin_Two-Factor_Authentication_Password_Hash_Disclosure https://plugins.craftcms.com/two-factor-authentication?craft4 • CWE-522: Insufficiently Protected Credentials •
CVE-2024-36306 – Trend Micro Apex One Damage Cleanup Engine Link Following Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2024-36306
A link following vulnerability in the Trend Micro Apex One and Apex One as a Service Damage Cleanup Engine could allow a local attacker to create a denial-of-service condition on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. ... This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Trend Micro Apex One Security Agent. ... By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. • https://success.trendmicro.com/dcx/s/solution/000298063 https://www.zerodayinitiative.com/advisories/ZDI-24-568 •
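The bug class behind this entry, a privileged cleanup routine that deletes a file by path and so follows an attacker-planted link, is shown below with a constructed POSIX scenario. This is an added example and not Trend Micro's code; the quarantine/<job>/<file> layout, the "protected" directory and the file names are assumptions made for the demo. The hardened variant opens each path component with O_NOFOLLOW and unlinks relative to the resulting directory fd, so the path is never re-resolved.

```python
import os
import shutil
import stat
import tempfile


def naive_delete(path: str) -> None:
    """Vulnerable pattern: delete whatever the full path resolves to.
    If a directory component is attacker-controlled and is a symlink, the
    unlink lands in the directory the link points at."""
    os.unlink(path)


def safe_delete(root: str, job: str, name: str) -> None:
    """Hardened pattern: walk from a trusted root one component at a time,
    refusing to follow links (O_NOFOLLOW), and unlink relative to the opened
    directory fd so the path is never re-resolved (no TOCTOU window)."""
    for part in (job, name):
        if os.sep in part or part in ("", ".", ".."):
            raise ValueError(f"refusing traversal component {part!r}")
    rfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)  # service-owned root
    try:
        try:
            jfd = os.open(job, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=rfd)
        except OSError as exc:  # ELOOP when `job` is a symlink
            raise PermissionError(f"{job!r} is a symlink or not a directory") from exc
        try:
            st = os.stat(name, dir_fd=jfd, follow_symlinks=False)
            if not stat.S_ISREG(st.st_mode):
                raise PermissionError(f"{name!r} is not a regular file")
            os.unlink(name, dir_fd=jfd)
        finally:
            os.close(jfd)
    finally:
        os.close(rfd)


def demo(use_safe: bool) -> dict:
    """Constructed scenario (assumed layout): a privileged cleanup service
    removes files under quarantine/<job>/; the attacker replaces job1 with a
    symlink to a directory holding a file they cannot otherwise delete."""
    root = tempfile.mkdtemp()
    try:
        victim_dir = os.path.join(root, "protected")
        os.mkdir(victim_dir)
        victim = os.path.join(victim_dir, "important.dat")
        with open(victim, "w") as fh:
            fh.write("do not delete")
        quarantine = os.path.join(root, "quarantine")
        os.mkdir(quarantine)
        os.symlink(victim_dir, os.path.join(quarantine, "job1"))  # attacker's link
        os.mkdir(os.path.join(quarantine, "job2"))                 # legitimate job
        legit = os.path.join(quarantine, "job2", "stale.tmp")
        open(legit, "w").close()

        for job, name in (("job1", "important.dat"), ("job2", "stale.tmp")):
            try:
                if use_safe:
                    safe_delete(quarantine, job, name)
                else:
                    naive_delete(os.path.join(quarantine, job, name))
            except PermissionError:
                pass  # the hardened path refuses the symlinked job directory
        return {
            "victim_survived": os.path.exists(victim),
            "legit_removed": not os.path.exists(legit),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("naive:", demo(use_safe=False))  # victim deleted through the link
    print("safe: ", demo(use_safe=True))   # victim intact, stale file still cleaned
```

The demo is POSIX-only (dir_fd and O_NOFOLLOW); on Windows the equivalent defence is opening with FILE_FLAG_OPEN_REPARSE_POINT and refusing reparse points, and creating the junction needs no special privilege for a low-privileged user, which is why this class of bug is a reliable local DoS against privileged agents.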
CVE-2024-36129 – OpenTelemetry Collector has a Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC
https://notcve.org/view.php?id=CVE-2024-36129
This flaw allows an attacker using a specially crafted HTTP or gRPC request to trigger a denial of service. • https://github.com/open-telemetry/opentelemetry-collector/pull/10289 https://github.com/open-telemetry/opentelemetry-collector/pull/10323 https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v https://opentelemetry.io/blog/2024/cve-2024-36129 https://access.redhat.com/security/cve/CVE-2024-36129 https://bugzilla.redhat.com/show_bug.cgi?id=2291337 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
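A decompression bomb works because the receiver sizes its work by the compressed bytes on the wire while the attacker controls the inflated size. The following added example (not OpenTelemetry Collector code; the 1 MiB limit and the gzip-only framing are assumptions for the demo) contrasts inflating the whole body before checking anything with an incremental inflate that aborts once the decompressed output passes the configured limit.

```python
import gzip
import zlib

MAX_BODY = 1024 * 1024  # assumed policy: 1 MiB of *decompressed* payload per request


class DecompressedTooLarge(Exception):
    pass


def make_bomb(size: int) -> bytes:
    """Constructed input: `size` zero bytes, gzip-compressed (roughly 1000:1)."""
    return gzip.compress(b"\x00" * size, compresslevel=9)


def naive_decode(body: bytes) -> bytes:
    """Vulnerable: honours Content-Encoding: gzip and inflates the whole body
    into memory before any size limit is applied."""
    return gzip.decompress(body)


def bounded_decode(body: bytes, limit: int = MAX_BODY) -> bytes:
    """Hardened: inflate incrementally and abort as soon as the output would
    exceed `limit`, so the attacker's leverage is capped at `limit` bytes."""
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # +16 selects gzip framing
    out = bytearray()
    data = body
    while data and not d.eof:
        # max_length bounds the output of this call; input that would produce
        # more than that is held back in d.unconsumed_tail, not inflated.
        out += d.decompress(data, limit + 1 - len(out))
        if len(out) > limit:
            raise DecompressedTooLarge(f"decompressed body exceeds {limit} bytes")
        data = d.unconsumed_tail
    out += d.flush()
    if len(out) > limit:
        raise DecompressedTooLarge(f"decompressed body exceeds {limit} bytes")
    return bytes(out)


def demo() -> dict:
    """Constructed 8 MiB bomb against both decoders plus a small legitimate body."""
    bomb = make_bomb(8 * MAX_BODY)  # 8 MiB inflated, a few KiB on the wire
    result = {"wire_bytes": len(bomb), "naive_inflated": len(naive_decode(bomb))}
    try:
        bounded_decode(bomb)
        result["bounded_rejected"] = False
    except DecompressedTooLarge:
        result["bounded_rejected"] = True
    small = b'{"resourceSpans":[]}'  # constructed, stands in for an OTLP/JSON body
    result["small_ok"] = bounded_decode(gzip.compress(small)) == small
    return result


if __name__ == "__main__":
    print(demo())
```

The point to take from the loop is that the limit is enforced on output, not input: a Content-Length or compressed-size cap alone does nothing against a 1000:1 ratio. The same shape applies to gRPC message decompression and to any other codec with a streaming API.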
CVE-2023-50803
https://notcve.org/view.php?id=CVE-2023-50803
This can lead to denial of service. • https://semiconductor.samsung.com/support/quality-support/product-security-updates •
CVE-2024-36121 – netty-incubator-codec-ohttp's BoringSSLAEADContext Repeats Nonces
https://notcve.org/view.php?id=CVE-2024-36121
Unfortunately, two separate bugs combine in a way that would allow an attacker to cause the sequence number to overflow and therefore the nonce to repeat. • https://github.com/netty/netty-incubator-codec-ohttp/blob/1ddadb6473cd3be5491d114431ed4c1a9f316001/codec-ohttp-hpke-classes-boringssl/src/main/java/io/netty/incubator/codec/hpke/boringssl/BoringSSLAEADContext.java#L112-L114 https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-g762-h86w-8749 • CWE-190: Integer Overflow or Wraparound CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-323: Reusing a Nonce, Key Pair in Encryption •
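The chain from CWE-190 to CWE-323 is mechanical in an HPKE-style AEAD context: the nonce is base_nonce XOR I2OSP(seq, Nn), so if seq ever wraps the nonce sequence restarts from the beginning. The added example below models that bug class in Python and is not a reconstruction of the netty code or of its two specific defects: the vulnerable context keeps seq in a fixed-width integer that wraps silently while only checking the RFC 9180 bound of 2^(8*Nn) - 1, which a narrow counter can never reach; the hardened context checks against the smaller of that bound and the counter's own range before use. The counter width is a parameter so the wrap is observable with an 8-bit counter instead of after 2^64 messages.

```python
from typing import Optional

NN = 12                              # AES-GCM nonce size in bytes (Nn in RFC 9180)
MESSAGE_LIMIT = (1 << (8 * NN)) - 1  # RFC 9180 Section 5.2 sequence-number bound


class MessageLimitReached(Exception):
    pass


def compute_nonce(base_nonce: bytes, seq: int) -> bytes:
    """RFC 9180 ComputeNonce: base_nonce XOR I2OSP(seq, Nn)."""
    seq_bytes = seq.to_bytes(NN, "big")
    return bytes(a ^ b for a, b in zip(base_nonce, seq_bytes))


class WrappingCounterContext:
    """Model of the vulnerable pattern (assumed, not netty's code): the
    sequence number lives in a fixed-width word that wraps to 0, and the only
    guard is the RFC bound, which is far above what the word can hold."""

    def __init__(self, base_nonce: bytes, counter_bits: int = 64):
        self.base_nonce = base_nonce
        self.mask = (1 << counter_bits) - 1
        self.seq = 0

    def next_nonce(self) -> bytes:
        if self.seq >= MESSAGE_LIMIT:        # never true for counter_bits < 96
            raise MessageLimitReached("sequence number exhausted")
        nonce = compute_nonce(self.base_nonce, self.seq)
        self.seq = (self.seq + 1) & self.mask  # BUG: silent wraparound -> nonce reuse
        return nonce


class CheckedCounterContext:
    """Hardened: refuse to encrypt once seq reaches either the RFC bound or the
    last value the counter can represent, checked before the nonce is used."""

    def __init__(self, base_nonce: bytes, counter_bits: int = 64):
        self.base_nonce = base_nonce
        self.limit = min(MESSAGE_LIMIT, (1 << counter_bits) - 1)
        self.seq = 0

    def next_nonce(self) -> bytes:
        if self.seq >= self.limit:
            raise MessageLimitReached("sequence number exhausted; rekey")
        nonce = compute_nonce(self.base_nonce, self.seq)
        self.seq += 1
        return nonce


def first_repeat(ctx, max_messages: int) -> Optional[int]:
    """Drive a context and return the message index at which a nonce is seen
    for the second time, or None if the context refuses before that happens."""
    seen = set()
    for i in range(max_messages):
        try:
            nonce = ctx.next_nonce()
        except MessageLimitReached:
            return None
        if nonce in seen:
            return i
        seen.add(nonce)
    return None


if __name__ == "__main__":
    base = bytes(range(NN))  # constructed base nonce; a real one comes from the HPKE KDF
    print("wrapping 8-bit counter repeats at message", first_repeat(WrappingCounterContext(base, 8), 1000))
    print("checked 8-bit counter repeats at message", first_repeat(CheckedCounterContext(base, 8), 1000))
```

With AES-GCM a single repeated nonce under the same key leaks the XOR of the two plaintexts and lets an attacker recover the GHASH key, which is why the advisory carries CWE-200 alongside the nonce-reuse weakness; the defence is to treat counter exhaustion as a hard error that forces a rekey, never as something to wrap past.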