Security Vulnerabilities - CVEs Published In June 2024
Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2.
CVSS Score: 6.1
EPSS Score: 0.004
Published: 2024-06-04
An improper access control vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically in version 20240410. This vulnerability allows any user on the server to access the chat history of any other user without requiring any form of interaction between the users. Exploitation of this vulnerability could lead to data breaches, including the exposure of sensitive personal details, financial data, or confidential conversations. Additionally, it could facilitate identity theft and manipulation or fraud through the unauthorized access to users' chat histories. This issue is due to insufficient access control mechanisms in the application's handling of chat history data.
CVSS Score: 7.5
EPSS Score: 0.005
Published: 2024-06-04
Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.
CVSS Score: 5.4
EPSS Score: 0.007
Published: 2024-06-04
Missing Authorization vulnerability in moveaddons Move Addons for Elementor. This issue affects Move Addons for Elementor: from n/a through 1.2.9.
CVSS Score: 5.3
EPSS Score: 0.003
Published: 2024-06-04
An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.
CVSS Score: 9.8
EPSS Score: 0.01
Published: 2024-06-04
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
CVSS Score: 7.5
EPSS Score: 0.021
Published: 2024-06-04
An arbitrary file upload vulnerability in the /v1/app/writeFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.
CVSS Score: 9.8
EPSS Score: 0.031
Published: 2024-06-04
Tenda O3V2 v1.0.0.12(3880) was discovered to contain a Blind Command Injection via the stpEn parameter in the SetStp function. This vulnerability allows attackers to execute arbitrary commands with root privileges.
CVSS Score: 9.8
EPSS Score: 0.02
Published: 2024-06-04
Broken Authentication vulnerability in SoftLab Integrate Google Drive. This issue affects Integrate Google Drive: from n/a through 1.3.93.
CVSS Score: 5.3
EPSS Score: 0.004
Published: 2024-06-04
Missing Authorization vulnerability in Netgsm. This issue affects Netgsm: from n/a through 2.9.19.
CVSS Score: 7.5
EPSS Score: 0.005
Published: 2024-06-04
Shodan ® - All rights reserved