We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT

CVE 

Welcome

This is a FREE service that contains information on publicly disclosed Cybersecurity vulnerabilities based on data from the CVE® Program, please see the official CVE website and CVE List V5 on GitHub.

Whenever applicable we also show information from the Known Exploited Vulnerabilities Catalog provided by CISA as the authoritative source of vulnerabilities that have been exploited in the wild.

New

CVE-2024-51736
Command execution hijack on Windows with Process class in symfony/process: Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, ...

CVE-2024-10941
A malicious website could have included an iframe with an malformed URI resulting in a non-exploitable browser crash. This vulnerability affects Firefox < 126.

CVE-2024-51754
Unguarded calls to __toString() when nesting an object into an array in Twig: Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advise...

CVE-2024-51755
Unguarded calls to __isset() and to array-accesses when the sandbox is enabled in Twig: Twig is a template language for PHP. In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. A...

CVE-2024-51757
Fixes security vulnerability that allowed for server side code to be executed by a <script> tag: happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.1 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version 15.10.1. There are no known workarounds for this vulnerabili...

Updated

CVE-2024-9139
OS Command Injection in Restricted Command: The affected product permits OS command injection through improperly restricted commands, potentially allowing attackers to execute arbitrary code.

CVE-2024-28895
'Yahoo! JAPAN' App for Android v2.3.1 to v3.161.1 and 'Yahoo! JAPAN' App for iOS v3.2.2 to v4.109.0 contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the WebView of 'Yahoo! JAPAN' App via other app installed on the user's device.

CVE-2023-32339
IBM Business Automation Workflow cross-site scripting: IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 255587.

CVE-2023-26276
IBM QRadar information disclosure: IBM QRadar SIEM 7.5.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 248147.

CVE-2023-3034
Reflected XSS in BKG Ntrip Professional Caster version <=2.0.44: Reflected XSS affects the ‘mode’ parameter in the /admin functionality of the web application in versions <=2.0.44

CISA Known Exploited Vulnerabilities

CVE-2024-8956 PTZOptics PT30X-SDI/NDI Cameras
PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote, attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root.

CVE-2024-8957 PTZOptics PT30X-SDI/NDI Cameras
PTZOptics PT30X-SDI/NDI cameras contain an OS command injection vulnerability that allows a remote, authenticated attacker to escalate privileges to root via a crafted payload with the ntp_addr parameter of the /cgi-bin/param.cgi CGI script.

CVE-2024-20481 Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)
Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a missing release of resource after effective lifetime vulnerability that could allow an unauthenticated, remote attacker to cause a denial-of-service (DoS) of the RAVPN service.

CVE-2024-37383 Roundcube Webmail
RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code.

CVE-2024-47575 Fortinet FortiManager
Fortinet FortiManager contains a missing authentication vulnerability in the fgfmd daemon that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Share this page
https://cve.threatint.com
Subscribe to our newsletter to learn more about our work.