Security Vulnerabilities - CVEs Published In September 2024
Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a
session is closed. Forging requests with a legitimate cookie, even if
the session was terminated, allows an unauthorized attacker to act with
the same level of privileges of the legitimate user.
CVSS Score
8.0
EPSS Score
0.001
Published
2024-09-27
TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can change the tplan_id parameter to another ID. The application does not carry out a check on the user's permissions maing it possible to recover the IDs of all the TestPlans (even the administrative ones) and modify them even with minimal privileges.
CVSS Score
8.1
EPSS Score
0.001
Published
2024-09-27
A Command injection vulnerability in requestLetsEncryptSsl in NginxProxyManager 2.11.3 allows an attacker to RCE via Add Let's Encrypt Certificate.
CVSS Score
9.8
EPSS Score
0.575
Published
2024-09-27
A Command injection vulnerability in requestLetsEncryptSslWithDnsChallenge in NginxProxyManager 2.11.3 allows an attacker to achieve remote code execution via Add Let's Encrypt Certificate. NOTE: this is not part of any NGINX software shipped by F5.
CVSS Score
6.3
EPSS Score
0.01
Published
2024-09-27
A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter in setup.php.
CVSS Score
6.1
EPSS Score
0.155
Published
2024-09-27
A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email field.
CVSS Score
6.1
EPSS Score
0.267
Published
2024-09-27
Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability. It allows an attacker to partly circumvent the same
origin policy, which is designed to prevent different websites from
interfering with each other.
CVSS Score
8.0
EPSS Score
0.001
Published
2024-09-27
Advantech ADAM-5630 shares user credentials plain text between the device and the user source device during the login process.
CVSS Score
5.7
EPSS Score
0.001
Published
2024-09-27
Advantech ADAM-5550 share user credentials with a low level of encryption, consisting of base 64 encoding.
CVSS Score
5.7
EPSS Score
0.001
Published
2024-09-27
Advantech ADAM 5550's web application includes a "logs" page where all
the HTTP requests received are displayed to the user. The device doesn't
correctly neutralize malicious code when parsing HTTP requests to
generate page output.
CVSS Score
8.8
EPSS Score
0.001
Published
2024-09-27