Security Vulnerabilities - CVEs Published In February 2024
mailcow is a dockerized email package, with multiple containers linked in one bridged network. The application is vulnerable to pixel flood attack, once the payload has been successfully uploaded in the logo the application goes slow and doesn't respond in the admin page. It is tested on the versions 2023-12a and prior and patched in version 2024-01.
CVSS Score
4.7
EPSS Score
0.001
Published
2024-02-02
LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent. This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation. The vulnerability is patched in versions 1.10.30 and 1.11.9.
CVSS Score
7.5
EPSS Score
0.003
Published
2024-02-02
JFinalCMS 5.0.0 is vulnerable to SQL injection via /admin/content/data.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-02-02
MRCMS 3.0 contains a Cross-Site Scripting (XSS) vulnerability via /admin/system/saveinfo.do.
CVSS Score
5.4
EPSS Score
0.002
Published
2024-02-02
MRCMS 3.0 contains an Arbitrary File Read vulnerability in /admin/file/edit.do as the incoming path parameter is not filtered.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-02-02
Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the update_post.php component.
CVSS Score
8.8
EPSS Score
0.008
Published
2024-02-02
open-irs is an issue response robot that reponds to issues in the installed repository. The `.env` file was accidentally uploaded when working with git actions. This problem is fixed in 1.0.1. Discontinuing all sensitive keys and turning into secrets.
CVSS Score
7.6
EPSS Score
0.001
Published
2024-02-02
An unchecked return value vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local authenticated administrators to place the system in a state that could lead to a crash or other unintended behaviors via unspecified vectors.
We have already fixed the vulnerability in the following versions:
QTS 5.1.5.2645 build 20240116 and later
QuTS hero h5.1.5.2647 build 20240118 and later
CVSS Score
3.4
EPSS Score
0.0
Published
2024-02-02
Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm.
CVSS Score
7.5
EPSS Score
0.0
Published
2024-02-02
A potential buffer overflow exists in the Bluetooth LE HCI CPC sample application in the Gecko SDK which may result in a denial of service or remote code execution
CVSS Score
7.5
EPSS Score
0.032
Published
2024-02-02