Security Vulnerabilities - CVEs Published In July 2024
A vulnerability was found in SourceCodester Insurance Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /Script/admin/core/update_policy of the component Edit Insurance Policy Page. The manipulation of the argument pname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272805 was assigned to this vulnerability.
CVSS Score
3.5
EPSS Score
0.001
Published
2024-07-30
A vulnerability was found in SourceCodester Medicine Tracker System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /classes/Users.php?f=save_user of the component Password Change Handler. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-272806 is the identifier assigned to this vulnerability.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-07-30
Mashov - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSS Score
6.1
EPSS Score
0.004
Published
2024-07-30
Matrix - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score
5.4
EPSS Score
0.003
Published
2024-07-30
Matrix Tafnit v8
-
CWE-204: Observable Response Discrepancy
CVSS Score
5.3
EPSS Score
0.003
Published
2024-07-30
Matrix Tafnit v8
-
CWE-646: Reliance on File Name or Extension of Externally-Supplied File
CVSS Score
5.5
EPSS Score
0.001
Published
2024-07-30
Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge
any token to log in any user.
Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token.
This issue affects Apache SeaTunnel: 1.0.0.
Users are recommended to upgrade to version 1.0.1, which fixes the issue.
CVSS Score
9.1
EPSS Score
0.003
Published
2024-07-30
Matrix Tafnit v8
- CWE-552: Files or Directories Accessible to External Parties
CVSS Score
7.5
EPSS Score
0.002
Published
2024-07-30
In the Linux kernel, the following vulnerability has been resolved:
crypto: aead,cipher - zeroize key buffer after use
I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding
cryptographic information should be zeroized once they are no longer
needed. Accomplish this by using kfree_sensitive for buffers that
previously held the private key.
CVSS Score
4.1
EPSS Score
0.0
Published
2024-07-30
In the Linux kernel, the following vulnerability has been resolved:
powerpc/pseries: Fix scv instruction crash with kexec
kexec on pseries disables AIL (reloc_on_exc), required for scv
instruction support, before other CPUs have been shut down. This means
they can execute scv instructions after AIL is disabled, which causes an
interrupt at an unexpected entry location that crashes the kernel.
Change the kexec sequence to disable AIL after other CPUs have been
brought down.
As a refresher, the real-mode scv interrupt vector is 0x17000, and the
fixed-location head code probably couldn't easily deal with implementing
such high addresses so it was just decided not to support that interrupt
at all.
CVSS Score
4.4
EPSS Score
0.0
Published
2024-07-30