CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2018-9487
https://notcve.org/view.php?id=CVE-2018-9487
In setVpnForcedLocked of Vpn.java, there is a possible blocking of internet traffic through vpn due to a bad uid check. This could lead to local denial of service with no additional execution privileges needed. • https://source.android.com/security/bulletin/2018-09-01 •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52796 – Password Pusher's rate limiter can be bypassed by forging proxy headers
https://notcve.org/view.php?id=CVE-2024-52796
In versions prior to v1.49.0, the rate limiter could be bypassed by forging proxy headers allowing bad actors to send unlimited traffic to the site potentially causing a denial of service. • https://docs.pwpush.com/docs/proxies/#trusted-proxies https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0 https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52598 – 2FAuth vulnerable to Server Side Request Forgery + URI validation bypass in 2fauth /api/v1/twofaccounts/preview
https://notcve.org/view.php?id=CVE-2024-52598
The endpoint at POST /api/v1/twofaccounts/preview allows setting a remote URI to retrieve the image of a 2fa site. ... The combination of these two issues allows an attacker to retrieve URIs accessible from the application, as long as their content type is text based. ... Version 5.4.1 fixes the issues. 2FAuth es una aplicación web para administrar cuentas de autenticación de dos factores (2FA) y generar sus códigos de seguridad. Existen dos vulnerabilidades interconectadas en la versión 5.4.1: un problema de omisión de validación de SSRF y URI. ... La combinación de estos dos problemas permite a un atacante recuperar URI accesibles desde la aplicación, siempre que su tipo de contenido esté basado en texto. • https://github.com/Bubka/2FAuth/security/advisories/GHSA-xwxc-w7v3-2p4j • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52597 – 2FAuth vulnerable to stored cross-site scripting via SVG upload and direct access render
https://notcve.org/view.php?id=CVE-2024-52597
One of the accepted types of image is SVG, which allows JS scripting. ... Version 5.4.1 contains a patch for the issue. 2FAuth es una aplicación web para administrar cuentas de autenticación de dos factores (2FA) y generar sus códigos de seguridad. • https://github.com/Bubka/2FAuth/commit/93c508e118f483f3c93ac36e1f91face95af642d https://github.com/Bubka/2FAuth/security/advisories/GHSA-q5p4-6q4v-gqg3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: -EPSS: 0%CPEs: -EXPL: 0CVE-2024-48530
https://notcve.org/view.php?id=CVE-2024-48530
An issue in the Instructor Appointment Availability module of eSoft Planner 3.24.08271-USA allows attackers to cause a Denial of Service (DoS) via a crafted POST request. • https://github.com/esoft-planner-cve/esoft_planner_cve •