CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47072 – XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
https://notcve.org/view.php?id=CVE-2024-47072
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. • https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266 https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q https://x-stream.github.io/CVE-2024-47072.html • CWE-121: Stack-based Buffer Overflow CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30636 – Limited directory traversal vulnerability on Windows in golang.org/x/crypto
https://notcve.org/view.php?id=CVE-2022-30636
httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. • https://go.dev/cl/408694 https://go.dev/issue/53082 https://pkg.go.dev/vuln/GO-2024-2961 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24792 – Panic when parsing invalid palette-color images in golang.org/x/image
https://notcve.org/view.php?id=CVE-2024-24792
Parsing a corrupt or malicious image with invalid color indices can cause a panic. • https://go.dev/cl/588115 https://go.dev/issue/67624 https://pkg.go.dev/vuln/GO-2024-2937 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37111 – WordPress WishList Member X plugin < 3.26.7 - Unauthenticated Denial of Service Attack vulnerability
https://notcve.org/view.php?id=CVE-2024-37111
Missing Authorization vulnerability in Membership Software WishList Member X.This issue affects WishList Member X: from n/a before 3.26.7. Vulnerabilidad de autorización faltante en el software de membresía WishList Member X. Este problema afecta a WishList Member X: desde n/a hasta 3.25.1. The Wishlist Member plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 3.25.1. This makes it possible for unauthenticated attackers to limit access to a site. • https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-denial-of-service-attack-vulnerability?_s_id=cve • CWE-400: Uncontrolled Resource Consumption CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37110 – WordPress WishList Member X plugin < 3.26.7 - Unauthenticated Settings & Users Data Dump vulnerability
https://notcve.org/view.php?id=CVE-2024-37110
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Membership Software WishList Member X.This issue affects WishList Member X: from n/a before 3.26.7. Exposición de información confidencial a una vulnerabilidad de actor no autorizado en el software de membresía WishList Member X. Este problema afecta a WishList Member X: desde n/a antes del 3.26.7. The Wishlist Member plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on a function in all versions up to, and including, 3.25.1. This makes it possible for unauthenticated attackers to retrieve settings and user data. • https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-settings-users-data-dump-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •