Security Vulnerabilities - CVEs Published In February 2024
The OpenVPN GUI installer before version 2.6.9 did not set the proper access control restrictions to the installation directory of OpenVPN binaries when using a non-standard installation path, which allows an attacker to replace binaries to run arbitrary executables.
CVSS Score
8.4
EPSS Score
0.0
Published
2024-02-21
Cross-Site Request Forgery (CSRF) vulnerability in John Tendik JTRT Responsive Tables.This issue affects JTRT Responsive Tables: from n/a through 4.1.9.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-02-21
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob()
If authblob->SessionKey.Length is bigger than session key
size(CIFS_KEY_SIZE), slub overflow can happen in key exchange codes.
cifs_arc4_crypt copy to session key array from SessionKey from client.
CVSS Score
7.8
EPSS Score
0.008
Published
2024-02-21
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix out of bounds in init_smb2_rsp_hdr()
If client send smb2 negotiate request and then send smb1 negotiate
request, init_smb2_rsp_hdr is called for smb1 negotiate request since
need_neg is set to false. This patch ignore smb1 packets after ->need_neg
is set to false.
CVSS Score
7.8
EPSS Score
0.0
Published
2024-02-21
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: validate session id and tree id in compound request
`smb2_get_msg()` in smb2_get_ksmbd_tcon() and smb2_check_user_session()
will always return the first request smb2 header in a compound request.
if `SMB2_TREE_CONNECT_HE` is the first command in compound request, will
return 0, i.e. The tree id check is skipped.
This patch use ksmbd_req_buf_next() to get current command in compound.
CVSS Score
5.5
EPSS Score
0.002
Published
2024-02-21
Cross-Site Request Forgery (CSRF) vulnerability in SoniNow Team Debug.This issue affects Debug: from n/a through 1.10.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-02-21
Cross-Site Request Forgery (CSRF) vulnerability in Mondula GmbH Multi Step Form.This issue affects Multi Step Form: from n/a through 1.7.18.
CVSS Score
5.4
EPSS Score
0.0
Published
2024-02-21
Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin Menu Editor.This issue affects Admin Menu Editor: from n/a through 1.12.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-02-21
Cross-Site Request Forgery (CSRF) vulnerability in David Stockl TinyMCE and TinyMCE Advanced Professsional Formats and Styles.This issue affects TinyMCE and TinyMCE Advanced Professsional Formats and Styles: from n/a through 1.1.2.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-02-21
Cross-Site Request Forgery (CSRF) vulnerability in Mark Stockton Quicksand Post Filter jQuery Plugin.This issue affects Quicksand Post Filter jQuery Plugin: from n/a through 3.1.1.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-02-21