
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Nov 2024 — Authenticated users can upload specifically crafted files to leak server resources. This behavior can potentially be used to run a denial-of-service attack against Cloud Controller. The Cloud Foundry project recommends upgrading the following releases: upgrade the capi release to version 1.194.0 or greater, or upgrade cf-deployment to v44.1.0 or greater, which includes a patched capi release. • https://www.cloudfoundry.org/blog/cve-2024-38826-cloud-controller-denial-of-service-attack • CWE-400: Uncontrolled Resource Consumption •

CVSS: 9.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

24 Oct 2024 — The APK file in Cloud Smart Lock v2.0.1 leaks a URL that can call an API for binding physical devices. This vulnerability allows attackers to arbitrarily construct a request that uses the app to bind to unknown devices, after finding a valid serial number via a brute-force attack. • https://cloudsmartlock.com/m/app.html • CWE-863: Incorrect Authorization •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Oct 2024 — There exists an insecure default user permission in Google Cloud Migrate to Containers from version 1.1.0 to 1.2.2 on Windows installs. A local "m2cuser" was created with administrator privileges. This posed a security risk if the "analyze" or "generate" commands were interrupted, or if the step that deletes the local user "m2cuser" was skipped, since the privileged account would remain on the host. We recommend upgrading to 1.2.3 or beyond. • https://cloud.google.com/migrate/containers/docs/m2c-cli-relnotes#october_8_2024 • CWE-276: Incorrect Default Permissions •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

28 Aug 2024 — Beijing Digital China Cloud Technology Co., Ltd. DCME-320 v7.4.12.60 has a command execution vulnerability, which can be exploited to obtain device administrator privileges via the getVar function in the code/function/system/tool/ping.php file. • https://github.com/ZackSecurity/VulnerReport/blob/cve/DCN/1.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
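The ping.php entry above is the classic CWE-77 shape: a request parameter reaches a shell. The following is an added example written for this page, not the DCME-320 firmware's code; the parameter name, the validation rule and the function names are assumptions for illustration. It shows the injectable construction beside a hardened one that validates the host and passes it to ping as a single argv element with no shell in between.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os/exec"
	"strings"
)

// vulnerablePingCommand concatenates the user-controlled parameter into a
// shell string. A value such as "127.0.0.1; id" makes the shell run "id"
// with the web server's privileges, which is the CWE-77 pattern.
func vulnerablePingCommand(host string) []string {
	return []string{"sh", "-c", "ping -c 1 " + host}
}

var errBadHost = errors.New("host must be an IP literal or a DNS hostname")

// validHost accepts an IPv4/IPv6 literal or a hostname made of dot-separated
// labels of letters, digits and hyphens. Shell metacharacters, whitespace and
// leading hyphens (which ping would parse as options) are all rejected.
// The rule is an assumption; a real deployment would pick its own.
func validHost(host string) bool {
	if net.ParseIP(host) != nil {
		return true
	}
	if host == "" || len(host) > 253 {
		return false
	}
	for _, label := range strings.Split(host, ".") {
		if label == "" || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
			return false
		}
		for _, c := range label {
			isAlnum := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
			if !isAlnum && c != '-' {
				return false
			}
		}
	}
	return true
}

// safePingCommand validates the host and returns an argv in which the host is
// one discrete argument. exec.Command runs argv without a shell, so even if
// validation were loosened, metacharacters would reach ping as data, not as
// syntax.
func safePingCommand(host string) ([]string, error) {
	if !validHost(host) {
		return nil, errBadHost
	}
	return []string{"ping", "-c", "1", host}, nil
}

// runPing executes the validated command and returns its combined output.
func runPing(host string) (string, error) {
	argv, err := safePingCommand(host)
	if err != nil {
		return "", err
	}
	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	return string(out), err
}

func main() {
	// Constructed inputs: one legitimate host and three injection attempts.
	for _, h := range []string{"127.0.0.1", "127.0.0.1; id", "$(id)", "-c"} {
		argv, err := safePingCommand(h)
		fmt.Printf("%-16q -> argv=%q err=%v\n", h, argv, err)
	}
	fmt.Println("shell form of the injectable variant:", vulnerablePingCommand("127.0.0.1; id"))
	_ = runPing // network call, not exercised here
}
```

The validation step matters even though exec.Command removes the shell: without it, a value beginning with "-" is still interpreted by ping as an option, and argument injection into a setuid binary is its own bug class.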

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Jul 2024 — Security check loophole in HAProxy release (in combination with routing release) in Cloud Foundry prior to v40.17.0 potentially allows bypass of mTLS authentication to applications hosted on Cloud Foundry. When deploying Cloud Foundry together with the haproxy-boshrelease and... • https://www.cloudfoundry.org/blog/cve-2024-37082-mtls-bypass • CWE-290: Authentication Bypass by Spoofing •

CVSS: 6.5 • EPSS: 0% • CPEs: 13 • EXPL: 0

22 May 2024 — An Insecure Direct Object Reference in Google Cloud's Looker allowed metadata exposure across authenticated Looker users sharing the same LookML model. • https://cloud.google.com/looker/docs/best-practices/query-id-update-instructions • CWE-639: Authorization Bypass Through User-Controlled Key •
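CWE-639 is the case where the server looks an object up by a key the client supplies and never asks whether the caller may see it. The following is an added example written for this page, not Looker's code; the Query fields, the owner-only rule and the store API are assumptions for illustration. It shows the exposed lookup beside two independent fixes: binding the lookup to the caller's identity, and issuing random identifiers so the key space cannot be walked.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Query is the constructed record; SQL stands in for the metadata that must
// stay private to whoever created the query.
type Query struct {
	ID      string
	OwnerID string
	Model   string // the LookML model the query runs against
	SQL     string
}

var ErrNotFound = errors.New("query not found")

type QueryStore struct {
	mu      sync.Mutex
	queries map[string]*Query
	nextSeq int
}

func NewQueryStore() *QueryStore {
	return &QueryStore{queries: make(map[string]*Query)}
}

// SaveSequential assigns predictable integer IDs. Combined with
// GetVulnerable, any user of the same model can enumerate every query.
func (s *QueryStore) SaveSequential(ownerID, model, sql string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.nextSeq++
	id := fmt.Sprintf("%d", s.nextSeq)
	s.queries[id] = &Query{ID: id, OwnerID: ownerID, Model: model, SQL: sql}
	return id
}

// SaveRandom assigns a 128-bit random identifier, so IDs cannot be guessed or
// enumerated. This limits exposure but is not an authorization check.
func (s *QueryStore) SaveRandom(ownerID, model, sql string) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.queries[id] = &Query{ID: id, OwnerID: ownerID, Model: model, SQL: sql}
	return id, nil
}

// GetVulnerable trusts the user-controlled key alone (CWE-639): whoever
// presents an existing ID gets the record, regardless of who owns it.
func (s *QueryStore) GetVulnerable(id string) (*Query, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	q, ok := s.queries[id]
	if !ok {
		return nil, ErrNotFound
	}
	return q, nil
}

// GetChecked binds the lookup to the caller. A query that exists but belongs
// to someone else is reported exactly like a missing one, so the response
// does not confirm which IDs are in use.
func (s *QueryStore) GetChecked(callerID, id string) (*Query, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	q, ok := s.queries[id]
	if !ok || q.OwnerID != callerID {
		return nil, ErrNotFound
	}
	return q, nil
}

func main() {
	store := NewQueryStore()
	seq := store.SaveSequential("alice", "sales", "SELECT revenue FROM orders")
	// bob shares the "sales" model; with sequential IDs and no ownership
	// check he simply asks for "1".
	if q, err := store.GetVulnerable(seq); err == nil {
		fmt.Println("bob read via IDOR:", q.SQL)
	}
	if _, err := store.GetChecked("bob", seq); err != nil {
		fmt.Println("bob blocked by ownership check:", err)
	}
	rid, _ := store.SaveRandom("alice", "sales", "SELECT cost FROM orders")
	fmt.Println("unguessable id:", rid)
}
```

Random identifiers and the ownership check are complementary, not alternatives: an opaque ID still leaks once it appears in a shared URL or log, and only the check on the caller's identity closes that path.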

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 Apr 2024 — Missing Authorization vulnerability in BizPrint by BizSwoop, a CPF Concepts, LLC brand. This issue affects BizPrint: from n/a through 4.3.39. The BizPrint plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showTemplatePreview() function in versions up to, and including, 4.3.39. This makes it possible for unauthent... • https://patchstack.com/database/vulnerability/print-google-cloud-print-gcp-woocommerce/wordpress-bizprint-plugin-4-3-39-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVSS: 7.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

25 Mar 2024 — Cross-Site Request Forgery (CSRF) vulnerability in BizPrint by BizSwoop, a CPF Concepts, LLC brand, allows Cross-Site Scripting (XSS). This issue affects BizPrint: from n/a through 4.5.5. The BizPrint plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.5. This is due to missi... • https://patchstack.com/database/vulnerability/print-google-cloud-print-gcp-woocommerce/wordpress-bizprint-plugin-4-5-5-csrf-to-xss-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.4 • EPSS: 66% • CPEs: 3 • EXPL: 0

17 Jan 2024 — Cross-site scripting (XSS) • https://support.citrix.com/article/CTX583759/citrix-storefront-security-bulletin-for-cve20235914 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 10.0 • EPSS: 0% • CPEs: 91 • EXPL: 1

29 Nov 2023 — Cosmos provides users the ability to self-host a home server by acting as a secure gateway to their applications, as well as a server manager. Cosmos-server is vulnerable because the authorization header used for user login remains valid and does not expire after logout. This allows an attacker who has obtained the token to use it to gain unauthorized access to the application/system even after the user has logged out. This issue has been patched in version 0.13.0. • https://github.com/azukaar/Cosmos-Server/security/advisories/GHSA-hpvm-x7m8-3c6x • CWE-613: Insufficient Session Expiration •
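A logout that only makes the client forget its token leaves every copy of that token usable until it expires on its own, which is the CWE-613 condition above. The following is an added example written for this page, not Cosmos-Server's code; the store API, the one-hour lifetime and the Bearer header format are assumptions for illustration. It shows a session design in which the token is an opaque handle to server-side state, so logout can destroy that state and the same header is rejected afterwards.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

var ErrInvalidSession = errors.New("invalid or expired session")

type session struct {
	user    string
	expires time.Time
}

type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]session
	ttl      time.Duration
	Now      func() time.Time // clock, replaceable in tests
}

func NewSessionStore(ttl time.Duration) *SessionStore {
	return &SessionStore{sessions: make(map[string]session), ttl: ttl, Now: time.Now}
}

// tokenFrom extracts the bearer token from an Authorization header value.
func tokenFrom(authorization string) (string, bool) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authorization, prefix) || len(authorization) == len(prefix) {
		return "", false
	}
	return authorization[len(prefix):], true
}

// Login mints a 256-bit random opaque token. Because the token carries no
// claims of its own, its only meaning is the server-side record, and that is
// exactly what makes it revocable. A self-describing signed token with no
// server-side state behind it cannot be withdrawn before it expires.
func (s *SessionStore) Login(user string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[token] = session{user: user, expires: s.Now().Add(s.ttl)}
	return token, nil
}

// Authenticate resolves an Authorization header value to a user. Unknown,
// revoked and expired tokens are all rejected with the same error so the
// response does not distinguish them.
func (s *SessionStore) Authenticate(authorization string) (string, error) {
	token, ok := tokenFrom(authorization)
	if !ok {
		return "", ErrInvalidSession
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[token]
	if !ok {
		return "", ErrInvalidSession
	}
	if !s.Now().Before(sess.expires) {
		delete(s.sessions, token)
		return "", ErrInvalidSession
	}
	return sess.user, nil
}

// Logout deletes the server-side record, so a copy of the token held by an
// attacker, or captured from a log, is worthless from this point on.
func (s *SessionStore) Logout(authorization string) {
	token, ok := tokenFrom(authorization)
	if !ok {
		return
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, token)
}

func main() {
	store := NewSessionStore(time.Hour)
	tok, _ := store.Login("admin")
	hdr := "Bearer " + tok
	u, err := store.Authenticate(hdr)
	fmt.Println("before logout:", u, err)
	store.Logout(hdr)
	u, err = store.Authenticate(hdr)
	fmt.Println("after logout:", u, err)
}
```

If the deployment insists on stateless tokens, the equivalent fix is a server-side denylist of revoked token identifiers that is consulted on every request until the token's natural expiry; the revocation state has to live somewhere the server checks, or logout is a client-side courtesy only.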