CVSS: 9.0EPSS: 1%CPEs: 4EXPL: 1CVE-2024-5585 – Command injection via array-ish $command parameter of proc_open() (bypass CVE-2024-1874 fix)
https://notcve.org/view.php?id=CVE-2024-5585
09 Jun 2024 — In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. En las versiones de PHP 8.1.* anteriores a 8.1.29, 8.2.* anteriores a 8.2.20, 8.3.* anter... • http://www.openwall.com/lists/oss-security/2024/06/07/1 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-116: Improper Encoding or Escaping of Output •
CVSS: 10.0EPSS: 0%CPEs: 7EXPL: 1CVE-2024-5458 – Filter bypass in filter_var (FILTER_VALIDATE_URL)
https://notcve.org/view.php?id=CVE-2024-5458
09 Jun 2024 — In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. En las versiones de PHP 8.1.* anteriores a 8.1.29, 8.2.* anteriores a 8... • http://www.openwall.com/lists/oss-security/2024/06/07/1 • CWE-20: Improper Input Validation CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-4058 – Debian Security Advisory 5675-1
https://notcve.org/view.php?id=CVE-2024-4058
29 Apr 2024 — Type confusion in ANGLE in Google Chrome prior to 124.0.6367.78 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) La confusión de tipos en ANGLE en Google Chrome anterior a 124.0.6367.78 permitía a un atacante remoto explotar potencialmente la corrupción del montón a través de una página HTML manipulada. (Severidad de seguridad de Chromium: crítica) Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which ... • https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 5.9EPSS: 3%CPEs: 8EXPL: 3CVE-2024-31497 – Gentoo Linux Security Advisory 202407-11
https://notcve.org/view.php?id=CVE-2024-31497
15 Apr 2024 — In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forw... • https://github.com/sh1k4ku/CVE-2024-31497 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •
CVSS: 7.8EPSS: 88%CPEs: 5EXPL: 2CVE-2024-27316 – Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames
https://notcve.org/view.php?id=CVE-2024-27316
04 Apr 2024 — HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Los encabezados entrantes HTTP/2 que exceden el límite se almacenan temporalmente en nghttp2 para generar una respuesta HTTP 413 informativa. Si un cliente no deja de enviar encabezados, esto provoca que se agote la memoria. A vulnerability was found in how Apache httpd implements the HTTP/2 protocol... • https://github.com/lockness-Ko/CVE-2024-27316 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-2631 – Debian Security Advisory 5648-1
https://notcve.org/view.php?id=CVE-2024-2631
20 Mar 2024 — Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) La implementación inapropiada en iOS en Google Chrome anterior a 123.0.6312.58 permitió a un atacante remoto realizar una suplantación de interfaz de usuario a través de una página HTML manipulada. (Severidad de seguridad de Chrome: baja) Security issues were discovered in Chromium, which could result in the execution of arbit... • https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_19.html • CWE-451: User Interface (UI) Misrepresentation of Critical Information •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2024-2630 – Debian Security Advisory 5648-1
https://notcve.org/view.php?id=CVE-2024-2630
20 Mar 2024 — Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) La implementación inadecuada en iOS en Google Chrome anterior a 123.0.6312.58 permitió a un atacante remoto filtrar datos de orígenes cruzados a través de una página HTML manipulada. (Severidad de seguridad de Chromium: media) Security issues were discovered in Chromium, which could result in the execution of arbitrary c... • https://github.com/Roud-Roud-Agency/CVE-2024-26304-RCE-exploits • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-2629 – Debian Security Advisory 5648-1
https://notcve.org/view.php?id=CVE-2024-2629
20 Mar 2024 — Incorrect security UI in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) La interfaz de usuario de seguridad incorrecta en iOS en Google Chrome anterior a 123.0.6312.58 permitió a un atacante remoto realizar una suplantación de la interfaz de usuario a través de una página HTML manipulada. (Severidad de seguridad de Chromium: media) Security issues were discovered in Chromium, which could result in the... • https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_19.html •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-2628 – Debian Security Advisory 5648-1
https://notcve.org/view.php?id=CVE-2024-2628
20 Mar 2024 — Inappropriate implementation in Downloads in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted URL. (Chromium security severity: Medium) La implementación inapropiada en Descargas en Google Chrome anterior a 123.0.6312.58 permitió a un atacante remoto realizar una suplantación de interfaz de usuario a través de una URL manipulada. (Severidad de seguridad de Chromium: media) Security issues were discovered in Chromium, which could result in the execution of a... • https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_19.html • CWE-474: Use of Function with Inconsistent Implementations •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-2627 – Debian Security Advisory 5648-1
https://notcve.org/view.php?id=CVE-2024-2627
20 Mar 2024 — Use after free in Canvas in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) El uso gratuito en Canvas en Google Chrome anterior a 123.0.6312.58 permitía a un atacante remoto explotar potencialmente la corrupción del montón a través de una página HTML manipulada. (Severidad de seguridad de Chromium: media) Security issues were discovered in Chromium, which could result in the execution of arbit... • https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_19.html • CWE-416: Use After Free •