Security Vulnerabilities - CVEs Published In July 2024

Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header.
CVSS Score: 5.4 | EPSS Score: 0.007 | Published: 2024-07-17

Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents.
CVSS Score: 5.4 | EPSS Score: 0.009 | Published: 2024-07-17

A SQL injection vulnerability was found in 'ajax.php' of Sourcecodester Simple Library Management System 1.0. This vulnerability stems from insufficient user input validation of the 'username' parameter, allowing attackers to inject malicious SQL queries.
CVSS Score: 6.3 | EPSS Score: 0.0 | Published: 2024-07-17

silverstripe/reports is an API for creating backend reports in the Silverstripe Framework. In affected versions reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the `canView()` method for that report returns `false`. This issue has been addressed in version 5.2.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score: 4.3 | EPSS Score: 0.005 | Published: 2024-07-17

Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack in version 5.2.16. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score: 5.4 | EPSS Score: 0.011 | Published: 2024-07-17

IBM ClearQuest (CQ) 9.1 through 9.1.0.6 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 286833.
CVSS Score: 6.4 | EPSS Score: 0.001 | Published: 2024-07-17

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 could disclose sensitive information in the HTTP response using man-in-the-middle techniques. IBM X-Force ID: 265507.
CVSS Score: 3.1 | EPSS Score: 0.001 | Published: 2024-07-17

NATO NCI ANET 3.4.1 allows Insecure Direct Object Reference via a modified ID field in a request for a private draft report (that belongs to an arbitrary user).
CVSS Score: 8.1 | EPSS Score: 0.004 | Published: 2024-07-17

NATO NCI ANET 3.4.1 mishandles report ownership. A user can create a report and, despite the restrictions imposed by the UI, change the author of that report to an arbitrary user (without their consent or knowledge) via a modified UUID in a POST request.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2024-07-17

A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.
CVSS Score: 10.0 | EPSS Score: 0.914 | Published: 2024-07-17
Shodan ® - All rights reserved