Security Vulnerabilities - CVEs Published In July 2024
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userGroup_deal.php?mudi=del
CVSS Score
8.8
EPSS Score
0.003
Published
2024-07-09
zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to.
This attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with `copyBlob()`. The attack may be mitigated by configuring "dedupe": false in the "storage" settings. The vulnerability is fixed in 2.1.0.
CVSS Score
4.3
EPSS Score
0.004
Published
2024-07-09
A vulnerability was discovered in Samsung Wearable Processor and Modems with versions Exynos 9110, Exynos Modem 5123, Exynos Modem 5300 that allows an out-of-bounds write in the heap in 2G (no auth).
CVSS Score
8.1
EPSS Score
0.003
Published
2024-07-09
Premiere Pro versions 23.6.5, 24.4.1 and earlier are affected by an Untrusted Search Path vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by inserting a malicious file into the search path, which the application might execute instead of the legitimate file. This could occur when the application uses a search path to locate executables or libraries. Exploitation of this issue requires user interaction, attack complexity is high.
CVSS Score
7.0
EPSS Score
0.003
Published
2024-07-09
SQL injection vulnerability in processscore.php in Learning Management System Project In PHP With Source Code 1.0 allows attackers to execute arbitrary SQL commands via the id parameter.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-07-09
A vulnerability was discovered in Samsung Mobile Processor, Wearable Processor, and Modems with versions Exynos 9820, Exynos 9825, Exynos 980, Exynos 990, Exynos 850, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 9110, Exynos W920, Exynos W930, Exynos Modem 5123, Exynos Modem 5300 that allows an out-of-bounds write in the heap in 2G (no auth).
CVSS Score
8.1
EPSS Score
0.003
Published
2024-07-09
A vulnerability was discovered in Samsung Mobile Processor, Wearable Processor, and Modems with versions Exynos 9820, Exynos 9825, Exynos 980, Exynos 990, Exynos 850 Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380 Exynos 1330, Exynos 9110, Exynos W920, Exynos W930, Exynos Modem 5123, Exynos Modem 5300 that allows out-of-bounds access to a heap buffer in the SIM Proactive Command.
CVSS Score
8.4
EPSS Score
0.001
Published
2024-07-09
A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/console-ports/add.
CVSS Score
6.1
EPSS Score
0.003
Published
2024-07-09
A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/console-ports/{id}/edit/.
CVSS Score
6.1
EPSS Score
0.002
Published
2024-07-09
A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/power-feeds/add.
CVSS Score
6.1
EPSS Score
0.001
Published
2024-07-09