CVE-2024-23656 – Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers
https://notcve.org/view.php?id=CVE-2024-23656
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with the insecure TLS 1.0 and TLS 1.1 protocol versions. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as the minimum version, but the whole `tlsConfig` is ignored after the TLS cert reloader was introduced in v2.37.0, so the configured minimum version never reaches the listener. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
References:
- https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425
- https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
- https://github.com/dexidp/dex/issues/2848
- https://github.com/dexidp/dex/pull/2964
- https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r
Weaknesses:
- CWE-326: Inadequate Encryption Strength
- CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
CVE-2024-20802
https://notcve.org/view.php?id=CVE-2024-20802
Improper access control vulnerability in Samsung DeX prior to SMR Jan-2024 Release 1 allows the owner to access other users' notifications in a multi-user environment.
References:
- https://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01
CVE-2009-3650
https://notcve.org/view.php?id=CVE-2009-3650
Cross-site scripting (XSS) vulnerability in Dex 5.x-1.0 and earlier and 6.x-1.0-rc1 and earlier, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References:
- http://drupal.org/node/592394
- http://www.securityfocus.com/bid/36559
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53569
Weaknesses:
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')