Security Vulnerabilities - CVEs Published In April 2024
Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the photo.php component.
CVSS Score
5.4
EPSS Score
0.006
Published
2024-04-18
SQL Injection vulnerability in DerbyNet v9.0 allows a remote attacker to execute arbitrary code via the where Clause in Award Document Rendering.
CVSS Score
9.8
EPSS Score
0.035
Published
2024-04-18
SQL Injection vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the where Clause in Racer Document Rendering
CVSS Score
9.8
EPSS Score
0.035
Published
2024-04-18
A vulnerability in the HTML parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
The vulnerability is due to an issue in the C to Rust foreign function interface. An attacker could exploit this vulnerability by submitting a crafted file containing HTML content to be scanned by ClamAV on an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.
CVSS Score
7.5
EPSS Score
0.005
Published
2024-04-18
Sentry is an error tracking and performance monitoring platform. Prior to 24.4.1, when authenticating as a superuser to Sentry with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser. Self-hosted users on affected versions should upgrade to 24.4.1 or later. Users can configure the logging level to exclude logs of the `INFO` level and only generate logs for levels at `WARNING` or more.
CVSS Score
7.3
EPSS Score
0.007
Published
2024-04-18
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. By using ANSI escape sequences and a race between `libc::tcflush(0, libc::TCIFLUSH)` and reading standard input, it's possible to manipulate the permission prompt and force it to allow an unsafe action regardless of the user input. Some ANSI escape sequences act as a info request to the master terminal emulator and the terminal emulator sends back the reply in the PTY channel. standard streams also use this channel to send and get data. For example the `\033[6n` sequence requests the current cursor position. These sequences allow us to append data to the standard input of Deno. This vulnerability allows an attacker to bypass Deno permission policy. This vulnerability is fixed in 1.42.2.
CVSS Score
7.7
EPSS Score
0.002
Published
2024-04-18
Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability
CVSS Score
5.4
EPSS Score
0.002
Published
2024-04-18
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
CVSS Score
6.5
EPSS Score
0.003
Published
2024-04-18
HCL Connections contains a user enumeration vulnerability. Certain actions could allow an attacker to determine if the user is valid or not, leading to a possible brute force attack.
CVSS Score
3.5
EPSS Score
0.004
Published
2024-04-18
A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.
CVSS Score
7.1
EPSS Score
0.0
Published
2024-04-18