CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45507 – Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE
https://notcve.org/view.php?id=CVE-2024-45507
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. Vulnerabilidad de Server-Side Request Forgery (SSRF) y control inadecuado de la generación de código ('inyección de código') en Apache OFBiz. Este problema afecta a Apache OFBiz: anterior a la versión 18.12.16. Se recomienda a los usuarios que actualicen a la versión 18.12.16, que soluciona el problema. • https://issues.apache.org/jira/browse/OFBIZ-13132 https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49582 – Apache Portable Runtime (APR): Unexpected lax shared memory permissions
https://notcve.org/view.php?id=CVE-2023-49582
Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h) Users are recommended to upgrade to APR version 1.7.5, which fixes this issue. • https://lists.apache.org/thread/sntjc04t1rvjhdzz2tzmtz2zdnmv7dc4 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41937 – Apache Airflow: Stored XSS Vulnerability on provider link
https://notcve.org/view.php?id=CVE-2024-41937
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability. • https://github.com/apache/airflow/pull/40933 https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22281 – Apache Helix Front (UI): Helix front hard-coded secret in the express-session
https://notcve.org/view.php?id=CVE-2024-22281
The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies. This issue affects Apache Helix Front (UI): all versions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. • https://lists.apache.org/thread/zt26fpmrqx3fzcy8nv3b43kb3xllo5ny • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42362 – GHSL-2023-255: HertzBeat Authenticated (user role) RCE via unsafe deserialization in /api/monitors/import
https://notcve.org/view.php?id=CVE-2024-42362
Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0. • https://securitylab.github.com/advisories/GHSL-2023-254_GHSL-2023-256_HertzBeat https://github.com/apache/hertzbeat/pull/1611 https://github.com/apache/hertzbeat/pull/1620 https://github.com/apache/hertzbeat/pull/1620/files#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8 https://github.com/apache/hertzbeat/commit/79f5408e345e8e89da97be05f43e3204a950ddfb https://github.com/apache/hertzbeat/commit/9dbbfb7812fc4440ba72bdee66799edd519d06bb • CWE-502: Deserialization of Untrusted Data •