Security Vulnerabilities - CVEs Published In January 2024
The vulnerability allows a remote attacker to download arbitrary files in all paths of the system under the context of the application OS user (“root”) via a crafted HTTP request.
CVSS Score
6.5
EPSS Score
0.003
Published
2024-01-10
The vulnerability allows an unauthenticated remote attacker to read arbitrary files under the context of the application OS user (“root”) via a crafted HTTP request.
CVSS Score
5.3
EPSS Score
0.002
Published
2024-01-10
The vulnerability allows an authenticated remote attacker to upload a malicious file to the SD card containing arbitrary client-side script code and obtain its execution inside a victim’s session via a crafted URL, HTTP request, or simply by waiting for the victim to view the poisoned file.
CVSS Score
5.5
EPSS Score
0.001
Published
2024-01-10
The vulnerability allows an authenticated remote attacker to download arbitrary files in all paths of the system under the context of the application OS user (“root”) via a crafted HTTP request.
CVSS Score
6.5
EPSS Score
0.003
Published
2024-01-10
The vulnerability allows a remote attacker to upload arbitrary files in all paths of the system under the context of the application OS user (“root”) via a crafted HTTP request.
By abusing this vulnerability, it is possible to obtain remote code execution (RCE) with root privileges on the device.
CVSS Score
8.1
EPSS Score
0.021
Published
2024-01-10
The vulnerability allows a remote attacker to inject and execute arbitrary client-side script code inside a victim’s session via a crafted URL or HTTP request.
CVSS Score
5.3
EPSS Score
0.001
Published
2024-01-10
Zentao versions 4.1.3 and before has a URL redirect vulnerability, which prevents the system from functioning properly.
CVSS Score
6.1
EPSS Score
0.002
Published
2024-01-10
Buffer Overflow vulnerability in Tenda AX12 V22.03.01.46, allows remote attackers to cause a denial of service (DoS) via list parameter in SetNetControlList function.
CVSS Score
7.5
EPSS Score
0.011
Published
2024-01-10
Blind Server-Side Request Forgery (SSRF) vulnerability in karlomikus Bar Assistant before version 3.2.0 does not validate a parameter before making a request through Image::make(), which could allow authenticated remote attackers to execute arbitrary code.
CVSS Score
8.8
EPSS Score
0.154
Published
2024-01-10
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer.
This issue affects Apache Answer: through 1.2.0.
Under normal circumstances, a user can only bookmark a question once, and will only increase the number of questions bookmarked once. However, repeat submissions through the script can increase the number of collection of the question many times.
Users are recommended to upgrade to version [1.2.1], which fixes the issue.
CVSS Score
3.1
EPSS Score
0.01
Published
2024-01-10