Security Vulnerabilities - CVEs Published In February 2024
YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.36.
CVSS Score
5.4
EPSS Score
0.027
Published
2024-02-28
Cross-Site Request Forgery (CSRF) vulnerability in bytesforall Atahualpa.This issue affects Atahualpa: from n/a through 3.7.24.
CVSS Score
5.4
EPSS Score
0.001
Published
2024-02-28
Missing Authorization vulnerability in CusRev Customer Reviews for WooCommerce.This issue affects Customer Reviews for WooCommerce: from n/a through 5.38.1.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-02-28
Cross-Site Request Forgery (CSRF) vulnerability in Ecwid Ecommerce Ecwid Ecommerce Shopping Cart.This issue affects Ecwid Ecommerce Shopping Cart: from n/a through 6.12.4.
CVSS Score
5.4
EPSS Score
0.001
Published
2024-02-28
Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in eDrawings from Release SOLIDWORKS 2023 through Release SOLIDWORKS 2024. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted CATPART, IPT, JT, SAT, STL, STP, X_B or X_T file. NOTE: CVE-2024-3298 and CVE-2024-3299 were SPLIT from this ID.
CVSS Score
7.8
EPSS Score
0.002
Published
2024-02-28
A Null pointer dereference in usr/sbin/httpd in ASUS AC68U 3.0.0.4.384.82230 allows remote attackers to trigger DoS via network packet.
CVSS Score
7.5
EPSS Score
0.004
Published
2024-02-28
Querybook is a Big Data Querying UI. When a user searches for their queries, datadocs, tables and lists, the search result is marked and highlighted, and this feature uses dangerouslySetInnerHTML which means that if the highlighted result has an XSS payload it will trigger. While the input to dangerouslySetInnerHTML is not sanitized for the data inside of queries which leads to an XSS vulnerability. During the "query auto-suggestion" the name of the suggested tables are set with innerHTML which leads to the XSS vulnerability. A patch to rectify this issue has been introduced in Querybook version 3.31.2.
CVSS Score
6.1
EPSS Score
0.005
Published
2024-02-28
Cross-Site Request Forgery (CSRF) vulnerability in Advanced Flamingo.This issue affects Advanced Flamingo: from n/a through 1.0.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-02-28
A vulnerability was found in 3Scale, when used with Keycloak 15 (or RHSSO 7.5.0) and superiors. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but the field was removed on RH-SSO 7.5. As a result, the policy doesn't inspect tokens, it determines that all tokens are valid.
CVSS Score
6.3
EPSS Score
0.001
Published
2024-02-28
Cross-Site Request Forgery (CSRF) vulnerability in Atakan Au 1 click disable all.This issue affects 1 click disable all: from n/a through 1.0.1.
CVSS Score
5.4
EPSS Score
0.001
Published
2024-02-28