Security Vulnerabilities - CVEs Published In August 2024
Insecure Permission vulnerability: Cosy+ devices running firmware 21.x below 21.2s10 or firmware 22.x below 22.1s3 execute several processes with elevated privileges.
CVSS Score: 8.8 | EPSS Score: 0.007 | Published: 2024-08-02
Cosy+ devices running firmware 21.x below 21.2s10 or firmware 22.x below 22.1s3 use a single key to encrypt the configuration parameters. This is fixed in versions 21.2s10 and 22.1s3, where the key is now unique per device.
CVSS Score: 6.6 | EPSS Score: 0.003 | Published: 2024-08-02
anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java on the victim server.
CVSS Score: 9.8 | EPSS Score: 0.701 | Published: 2024-08-02
Feripro <= v2.2.3 is vulnerable to Cross Site Scripting (XSS) via "/admin/programm/<program_id>/zuordnung/veranstaltungen/<event_id>" through the "school" input field.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2024-08-02
AndServer 2.1.12 is vulnerable to Directory Traversal.
CVSS Score: 7.5 | EPSS Score: 0.007 | Published: 2024-08-02
An Incorrect Access Control vulnerability in "/admin/benutzer/institution/rechteverwaltung/uebersicht" in Feripro <= v2.2.3 allows remote attackers to retrieve a list of all users and their corresponding privileges.
CVSS Score: 5.3 | EPSS Score: 0.003 | Published: 2024-08-02
An Incorrect Access Control vulnerability in "/admin/programm/<program_id>/export/statistics" in Feripro <= v2.2.3 allows remote attackers to export an XLSX file with information about registrations and participants.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2024-08-02
Commands can be injected over the network and executed without authentication.
CVSS Score: 8.8 | EPSS Score: 0.929 | Published: 2024-08-02
Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it downloads an artifact uploaded by the triggering workflow and assigns the contents of the ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content workflow variable. The variable is not validated to actually be a number, and it is later interpolated into a JS script, allowing an attacker to change the code that gets executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0.
CVSS Score: 8.3 | EPSS Score: 0.008 | Published: 2024-08-02
An issue in Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 and possibly later versions allows a local attacker to bypass authentication via a capture-replay attack, due to insufficient protection against such attacks.
CVSS Score: 8.4 | EPSS Score: 0.0 | Published: 2024-08-02