CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47849 – Backticks can allow the usage of not-allowed SQL functions
https://notcve.org/view.php?id=CVE-2024-47849
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows SQL Injection.This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1. • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1055963 https://phabricator.wikimedia.org/T368628 https://phabricator.wikimedia.org/T370632 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.9EPSS: 0%CPEs: 3EXPL: 0CVE-2024-47845 – CSS sanitizer used incorrectly, and is easily bypassed
https://notcve.org/view.php?id=CVE-2024-47845
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection.This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2. • https://gerrit.wikimedia.org/r/q/I6f38f4a8fc1dcd690ab27b8f18ce6ca903bacc53 https://phabricator.wikimedia.org/T368594 https://phabricator.wikimedia.org/T368628 • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 6.9EPSS: 0%CPEs: 3EXPL: 0CVE-2024-47848 – User can review/unreview articles while blocked
https://notcve.org/view.php?id=CVE-2024-47848
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - PageTriage allows Authentication Bypass.This issue affects Mediawiki - PageTriage: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2. • https://gerrit.wikimedia.org/r/q/I0288a715f7040a14ab7f70b2888fe1ef77a44588 https://phabricator.wikimedia.org/T366991 https://phabricator.wikimedia.org/T368628 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47554 – Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader
https://notcve.org/view.php?id=CVE-2024-47554
Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue. A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed. • https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1 https://access.redhat.com/security/cve/CVE-2024-47554 https://bugzilla.redhat.com/show_bug.cgi?id=2316271 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47561 – Apache Avro Java SDK: Arbitrary Code Execution when reading Avro schema (Java SDK)
https://notcve.org/view.php?id=CVE-2024-47561
Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue. El análisis de esquemas en el SDK de Java de Apache Avro 1.11.3 y versiones anteriores permite que actores maliciosos ejecuten código arbitrario. Se recomienda a los usuarios actualizar a la versión 1.11.4 o 1.12.0, que solucionan este problema. A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an org.apache.Avro/avroAvro schema for parsing provided by an end user. • https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x https://access.redhat.com/security/cve/CVE-2024-47561 https://bugzilla.redhat.com/show_bug.cgi?id=2316116 • CWE-502: Deserialization of Untrusted Data •