Security Vulnerabilities - CVEs Published In January 2024
A vulnerability classified as critical has been found in Inis up to 2.0.1. Affected is an unknown function of the file /app/api/controller/default/Sqlite.php. The manipulation of the argument sql leads to SQL injection. The exploit has been disclosed to the public and may be used. VDB-250110 is the identifier assigned to this vulnerability.
CVSS Score: 6.3
EPSS Score: 0.001
Published: 2024-01-09
A vulnerability classified as problematic was found in CodeAstro Simple House Rental System 5.6. Affected by this vulnerability is an unknown functionality of the component Login Panel. The manipulation leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250111.
CVSS Score: 4.3
EPSS Score: 0.001
Published: 2024-01-09
jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling `jws.Parse` with a JSON serialized payload where the `signature` field is present while `protected` is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS a system doing JWS verification. This vulnerability has been patched in versions 2.0.19 and 1.2.28.
CVSS Score: 4.3
EPSS Score: 0.001
Published: 2024-01-09
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker logged in with a user level account to gain higher privileges by providing a harmful serialized object.
CVSS Score: 7.8
EPSS Score: 0.002
Published: 2024-01-09
Microsoft Identity Denial of service vulnerability
CVSS Score: 6.8
EPSS Score: 0.003
Published: 2024-01-09
react-native-mmkv is a library that allows easy use of MMKV inside React Native applications. Before version 2.11.0, react-native-mmkv logged the optional encryption key for the MMKV database into the Android system log. The key can be obtained by anyone with access to the Android Debugging Bridge (ADB) if it is enabled in the phone settings. This bug is not present on iOS devices. By logging the encryption secret to the system logs, attackers can trivially recover the secret by enabling ADB and undermining an app's threat model. This issue has been patched in version 2.11.0.
CVSS Score: 4.4
EPSS Score: 0.003
Published: 2024-01-09
A vulnerability was found in Inis up to 2.0.1. It has been rated as problematic. This issue affects some unknown processing of the file /app/api/controller/default/File.php of the component GET Request Handler. The manipulation of the argument path leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. The identifier VDB-250109 was assigned to this vulnerability.
CVSS Score: 3.5
EPSS Score: 0.006
Published: 2024-01-09
Windows Themes Spoofing Vulnerability
CVSS Score: 6.5
EPSS Score: 0.23
Published: 2024-01-09
Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability
CVSS Score: 7.8
EPSS Score: 0.006
Published: 2024-01-09
.NET Framework Denial of Service Vulnerability
CVSS Score: 7.5
EPSS Score: 0.053
Published: 2024-01-09

