Security Vulnerabilities - CVEs Published In February 2024
The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs.
Users are recommended to upgrade to version 3.2.5 which fixes the issue, or mitigate the issue by disabling DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.
This issue has been disclosed before as CVE-2018-1311, but unfortunately that advisory incorrectly stated the issue would be fixed in version 3.2.3 or 3.2.4.
CVSS Score
9.8
EPSS Score
0.004
Published
2024-02-29
Cross-Site Request Forgery (CSRF) vulnerability in M&S Consulting Email Before Download.This issue affects Email Before Download: from n/a through 6.9.7.
CVSS Score
4.3
EPSS Score
0.002
Published
2024-02-29
Couchbase Server before 7.2.4 has a private key leak in goxdcr.log.
CVSS Score
7.5
EPSS Score
0.006
Published
2024-02-29
Dataease is an open source data visualization analysis tool. A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The location of the vulnerability code is `core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java.` The blacklist of mysql jdbc attacks can be bypassed and attackers can further exploit it for deserialized execution or reading arbitrary files. This vulnerability is patched in 1.18.15 and 2.3.0.
CVSS Score
9.1
EPSS Score
0.007
Published
2024-02-29
Cross-site scripting (XSS) vulnerability in Parents & Student Portal in Genesis School Management Systems in Genesis AIMS Student Information Systems v.3053 allows remote attackers to inject arbitrary web script or HTML via the message parameter.
CVSS Score
6.1
EPSS Score
0.003
Published
2024-02-29
Cross Site Request Forgery vulnerability in FlyCms v.1.0 allows a remote attacker to execute arbitrary code via the system/article/category_edit component.
CVSS Score
8.8
EPSS Score
0.024
Published
2024-02-29
An issue in WuKongOpenSource WukongCRM v.72crm_9.0.1_20191202 allows a remote attacker to execute arbitrary code via the parseObject() function in the fastjson component.
CVSS Score
9.8
EPSS Score
0.768
Published
2024-02-29
VMware Workstation and Fusion contain an out-of-bounds read vulnerability in the USB CCID (chip card interface device). A malicious actor with local administrative privileges on a virtual machine may trigger an out-of-bounds read leading to information disclosure.
CVSS Score
5.9
EPSS Score
0.001
Published
2024-02-29
The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.
CVSS Score
6.3
EPSS Score
0.0
Published
2024-02-29
Inadequate parsing of URLs could result into an open redirect.
CVSS Score
4.3
EPSS Score
0.0
Published
2024-02-29