CVE-2024-52301 – Laravel allows environment manipulation via query string
https://notcve.org/view.php?id=CVE-2024-52301
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs. • https://github.com/laravel/framework/security/advisories/GHSA-gv7v-rgg6-548h • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVE-2024-4336 – Múltiple vulnerabilities on Adive Framework
https://notcve.org/view.php?id=CVE-2024-4336
Adive Framework 2.0.8, does not sufficiently encode user-controlled inputs, resulting in a persistent Cross-Site Scripting (XSS) vulnerability via the /adive/admin/tables/add, in multiple parameters. An attacker could retrieve the session details of an authenticated user. Adive Framework 2.0.8 no codifica suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad persistente de Cross Site Scripting (XSS) a través de /adive/admin/tables/add, en múltiples parámetros. Un atacante podría recuperar los detalles de la sesión de un usuario autenticado. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-adive-framework • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-4337 – Múltiple vulnerabilities on Adive Framework
https://notcve.org/view.php?id=CVE-2024-4337
Adive Framework 2.0.8, does not sufficiently encode user-controlled inputs, resulting in a persistent Cross-Site Scripting (XSS) vulnerability via the /adive/admin/nav/add, in multiple parameters. This vulnerability allows an attacker to retrieve the session details of an authenticated user. Adive Framework 2.0.8 no codifica suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad persistente de Cross Site Scripting (XSS) a través de /adive/admin/nav/add, en múltiples parámetros. Esta vulnerabilidad permite a un atacante recuperar los detalles de la sesión de un usuario autenticado. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-adive-framework • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-48714 – Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
https://notcve.org/view.php?id=CVE-2023-48714
Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue. Silverstripe Framework es el framework que forma la base del sistema de gestión de contenidos Silverstripe. Antes de las versiones 4.13.39 y 5.1.11, si un usuario no podía ver un registro, pero ese registro se podía agregar a un `GridField` usando el componente `GridFieldAddExistingAutocompleter`, ese usuario podía acceder al título del registro. • https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v https://www.silverstripe.org/download/security-releases/CVE-2023-48714 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2023-22729 – Silverstripe Framework has open redirect vulnerability on CMSSecurity relogin screen
https://notcve.org/view.php?id=CVE-2023-22729
Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. • https://github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77 https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-fw84-xgm8-9jmv • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •