Security Vulnerabilities - CVEs Published In March 2024
Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, it is possible to create a URL that acts as an open redirect. The vulnerability has been patched in version 1.4.97 of the master branch.
CVSS Score
6.1
EPSS Score
0.002
Published
2024-03-21
Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.
CVSS Score
7.5
EPSS Score
0.939
Published
2024-03-21
OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.
CVSS Score
6.5
EPSS Score
0.006
Published
2024-03-21
Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available.
CVSS Score
8.1
EPSS Score
0.001
Published
2024-03-21
Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability
CVSS Score
4.3
EPSS Score
0.012
Published
2024-03-21
An access control issue in Dreamer CMS v4.0.1 allows attackers to download backup files and leak sensitive information.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-03-21
An issue in zuoxingdong lagom v.0.1.2 allows a local attacker to execute arbitrary code via the pickle_load function of the serialize.py file.
CVSS Score
6.6
EPSS Score
0.001
Published
2024-03-21
Cross Site Scripting vulnerability in eblog v1.0 allows a remote attacker to execute arbitrary code via a crafted script to the argument description parameter when submitting a comment on a post.
CVSS Score
6.1
EPSS Score
0.005
Published
2024-03-21
SQL Injection vulnerability in Sourcecodester Employee Management System v1.0 allows attackers to run arbitrary SQL commands via crafted POST request to /emloyee_akpoly/Account/login.php.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-03-21
EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2.
CVSS Score
5.9
EPSS Score
0.001
Published
2024-03-21