Security Vulnerabilities - CVEs Published In July 2024
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).
CVSS Score: 9.9 | EPSS Score: 0.783 | Published: 2024-07-04
supOS 5.0 allows api/image/download?fileName=../ directory traversal for reading files.
CVSS Score: 8.6 | EPSS Score: 0.004 | Published: 2024-07-04
An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code that makes security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.
CVSS Score: 8.6 | EPSS Score: 0.002 | Published: 2024-07-04
A vulnerability classified as problematic was found in y_project RuoYi up to 4.7.9. Affected by this vulnerability is the function isJsonRequest of the component Content-Type Handler. The manipulation of the argument HttpHeaders.CONTENT_TYPE leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270343.
CVSS Score: 3.5 | EPSS Score: 0.006 | Published: 2024-07-04
Cross Site Scripting (XSS) vulnerability in WofficeIO Woffice Core allows Reflected XSS. This issue affects Woffice Core: from n/a through 5.4.8.
CVSS Score: 7.1 | EPSS Score: 0.001 | Published: 2024-07-04
Cross Site Scripting (XSS) vulnerability in WofficeIO Woffice allows Reflected XSS. This issue affects Woffice: from n/a through 5.4.8.
CVSS Score: 7.1 | EPSS Score: 0.002 | Published: 2024-07-04
Cross Site Scripting (XSS) vulnerability in Automattic Newspack Ads allows Stored XSS. This issue affects Newspack Ads: from n/a through 1.47.1.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2024-07-04
Cross Site Scripting (XSS) vulnerability in Automattic Newspack Campaigns allows Stored XSS. This issue affects Newspack Campaigns: from n/a through 2.31.1.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2024-07-04
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
CVSS Score: 9.9 | EPSS Score: 0.045 | Published: 2024-07-04
Gogs through 0.13.0 allows deletion of internal files.
CVSS Score: 9.9 | EPSS Score: 0.072 | Published: 2024-07-04