Security Vulnerabilities - CVEs Published In July 2024
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine.
Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` to reduce the scope of the problem.
CVSS Score
5.3
EPSS Score
0.005
Published
2024-07-11
A Stored Cross-Site Scripting (XSS) vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410. This vulnerability allows an attacker to inject malicious JavaScript code into the chat history file. When a victim uploads this file, the malicious script is executed in the victim's browser. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks.
CVSS Score
7.4
EPSS Score
0.002
Published
2024-07-11
CWE-200: Information Exposure vulnerability exists that could cause disclosure of
credentials when a specially crafted message is sent to the device.
CVSS Score
9.8
EPSS Score
0.003
Published
2024-07-11
CWE-20: Improper Input Validation vulnerability exists that could cause local denial-of-service,
privilege escalation, and potentially kernel execution when a malicious actor with local user
access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
CVSS Score
7.8
EPSS Score
0.001
Published
2024-07-11
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting') vulnerability exists that could cause a vulnerability leading to a cross-site scripting
condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a
page containing the injected payload.
CVSS Score
5.4
EPSS Score
0.007
Published
2024-07-11
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') vulnerability exists that could result in remote code execution when an authenticated
user executes a saved project file that has been tampered by a malicious actor.
CVSS Score
7.3
EPSS Score
0.041
Published
2024-07-11
CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, or
kernel memory leak when a malicious actor with local user access crafts a script/program using
an IOCTL call in the Foxboro.sys driver.
CVSS Score
7.1
EPSS Score
0.001
Published
2024-07-11
CWE-129: Improper Validation of Array Index vulnerability exists that could cause local denial-of-service when a malicious actor with local user access crafts a script/program using an IOCTL
call in the Foxboro.sys driver.
CVSS Score
7.1
EPSS Score
0.001
Published
2024-07-11
Nuvoton - CWE-305: Authentication Bypass by Primary Weakness
An attacker with write access to the SPI-Flash on an NPCM7xx BMC subsystem that uses the Nuvoton BootBlock
reference code can modify the u-boot image header on flash parsed by the BootBlock which could lead to arbitrary code
execution.
CVSS Score
6.7
EPSS Score
0.0
Published
2024-07-11
The WP ERP plugin for WordPress is vulnerable to SQL Injection via the ‘vendor_id’ parameter in all versions up to, and including, 1.13.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Accounting Manager access (erp_ac_view_sales_summary capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Score
8.8
EPSS Score
0.008
Published
2024-07-11