CVSS: 7.5EPSS: 2%CPEs: 5EXPL: 1CVE-2024-42010 – Debian Security Advisory 5743-1
https://notcve.org/view.php?id=CVE-2024-42010
05 Aug 2024 — mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information. mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information. An update that fixes three vulnerabilities is now availab... • https://github.com/victoni/Roundcube-CVE-2024-42008-and-CVE-2024-42010-POC • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.4EPSS: 4%CPEs: 5EXPL: 4CVE-2024-42008 – Debian Security Advisory 5743-1
https://notcve.org/view.php?id=CVE-2024-42008
05 Aug 2024 — A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. An update that fixes three vulnerabilities is now available. This update for roundcubemail fixes the following issues. • https://packetstorm.news/files/id/195349 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.4EPSS: 87%CPEs: 5EXPL: 5CVE-2024-42009 – RoundCube Webmail Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2024-42009
05 Aug 2024 — A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. An update that fixes three vulnerabilities is now available. This update for roundcubemail fixes the following issues. RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and ... • https://packetstorm.news/files/id/195349 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2024-39330 – python-django: Potential directory-traversal in django.core.files.storage.Storage.save()
https://notcve.org/view.php?id=CVE-2024-39330
10 Jul 2024 — An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.) Se descubrió un problema en Django 5.0 anterior a 5.0.7 y 4.2 anterior a 4.2.14. Las clases derivadas de la clase base django.core.file... • https://docs.djangoproject.com/en/dev/releases/security • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 8EXPL: 0CVE-2024-39329 – python-django: Username enumeration through timing difference for users with unusable passwords
https://notcve.org/view.php?id=CVE-2024-39329
10 Jul 2024 — An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. Se descubrió un problema en Django 5.0 anterior a 5.0.7 y 4.2 anterior a 4.2.14. El método django.contrib.auth.backends.ModelBackend.authenticate() permite a atacantes remotos enumerar usuarios mediante un ataque de sincronización que involucra ... • https://docs.djangoproject.com/en/dev/releases/security • CWE-208: Observable Timing Discrepancy •
CVSS: 7.8EPSS: 3%CPEs: 8EXPL: 1CVE-2024-39614 – python-django: Potential denial-of-service in django.utils.translation.get_supported_language_variant()
https://notcve.org/view.php?id=CVE-2024-39614
10 Jul 2024 — An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. Se descubrió un problema en Django 5.0 anterior a 5.0.7 y 4.2 anterior a 4.2.14. get_supported_language_variant() estaba sujeto a un posible ataque de denegación de servicio cuando se usaba con cadenas muy largas que contenían caracteres específicos. A vulnerability was found in Python-D... • https://github.com/Abdurahmon3236/-CVE-2024-39614 • CWE-130: Improper Handling of Length Parameter Inconsistency CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-38875 – python-django: Potential denial-of-service in django.utils.html.urlize()
https://notcve.org/view.php?id=CVE-2024-38875
10 Jul 2024 — An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets. Se descubrió un problema en Django 4.2 anterior a 4.2.14 y 5.0 anterior a 5.0.7. urlize y urlizetrunc estuvieron sujetos a un posible ataque de denegación de servicio a través de ciertas entradas con una gran cantidad de corchetes. A vulnerability was found in the Django framework's urlize and urlizetrun... • https://docs.djangoproject.com/en/dev/releases/security • CWE-130: Improper Handling of Length Parameter Inconsistency CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 6.3EPSS: 0%CPEs: 17EXPL: 0CVE-2024-6610 – Ubuntu Security Notice USN-6890-1
https://notcve.org/view.php?id=CVE-2024-6610
09 Jul 2024 — Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode. This vulnerability affects Firefox < 128. Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode. • https://bugzilla.mozilla.org/show_bug.cgi?id=1883396 • CWE-451: User Interface (UI) Misrepresentation of Critical Information •
CVSS: 10.0EPSS: 0%CPEs: 18EXPL: 0CVE-2024-6609 – Ubuntu Security Notice USN-6890-1
https://notcve.org/view.php?id=CVE-2024-6609
09 Jul 2024 — When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128. When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128. Multiple security issues were discovered in Firefox. • https://bugzilla.mozilla.org/show_bug.cgi?id=1839258 •
CVSS: 5.0EPSS: 0%CPEs: 17EXPL: 0CVE-2024-6608 – Gentoo Linux Security Advisory 202412-04
https://notcve.org/view.php?id=CVE-2024-6608
09 Jul 2024 — It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. This vulnerability affects Firefox < 128. It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. • https://bugzilla.mozilla.org/show_bug.cgi?id=1743329 •