Security Vulnerabilities - CVEs Published In November 2024
A heap-based buffer under-read in tsMuxer version nightly-2024-05-12-02-01-18 allows attackers to cause Denial of Service (DoS) via a crafted MOV video file.
CVSS Score
5.5
EPSS Score
0.001
Published
2024-11-14
07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component 'erp.07fly.net:80/admin/SysNotifyUser/del.html?id=93'.
CVSS Score
4.7
EPSS Score
0.002
Published
2024-11-14
Cross-Site Request Forgery (CSRF) vulnerability in gentlesource Appointmind appointmind allows Stored XSS.This issue affects Appointmind: from n/a through <= 4.0.0.
CVSS Score
7.1
EPSS Score
0.002
Published
2024-11-14
A business logic vulnerability exists in the Add to Cart function of itsourcecode Agri-Trading Online Shopping System 1.0, which allows remote attackers to manipulate the quant parameter when adding a product to the cart. By setting the quantity value to -0, an attacker can exploit a flaw in the application's total price calculation logic. This vulnerability causes the total price to be reduced to zero, allowing the attacker to add items to the cart and proceed to checkout.
CVSS Score
7.5
EPSS Score
0.09
Published
2024-11-14
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
CVSS Score
5.4
EPSS Score
0.004
Published
2024-11-14
A malicious server can crash the OpenAFS cache manager and other client utilities, and possibly execute arbitrary code.
CVSS Score
7.7
EPSS Score
0.002
Published
2024-11-14
A local user can bypass the OpenAFS PAG (Process Authentication Group) throttling mechanism in Unix clients, allowing the user to create a PAG using an existing id number, effectively joining the PAG and letting the user steal the credentials in that PAG.
CVSS Score
8.4
EPSS Score
0.0
Published
2024-11-14
An authenticated user can provide a malformed ACL to the fileserver's StoreACL RPC, causing the fileserver to crash, possibly expose uninitialized memory, and possibly store garbage data in the audit log. Malformed ACLs provided in responses to client FetchACL RPCs can cause client processes to crash and possibly expose uninitialized memory into other ACLs stored on the server.
CVSS Score
6.5
EPSS Score
0.002
Published
2024-11-14
In lunary-ai/lunary version 1.2.7, there is a lack of rate limiting on the forgot password page, leading to an email bombing vulnerability. Attackers can exploit this by automating forgot password requests to flood targeted user accounts with a high volume of password reset emails. This not only overwhelms the victim's mailbox, making it difficult to manage and locate legitimate emails, but also significantly impacts mail servers by consuming their resources. The increased load can cause performance degradation and, in severe cases, make the mail servers unresponsive or unavailable, disrupting email services for the entire organization.
CVSS Score
7.5
EPSS Score
0.002
Published
2024-11-14
Deserialization of Untrusted Data vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress.This issue affects Podlove Podcast Publisher: from n/a through <= 4.1.15.
CVSS Score
9.1
EPSS Score
0.006
Published
2024-11-14