Security Vulnerabilities - CVEs Published In September 2024
In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed.
This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish.
This vulnerability only affects applications that are explicitly deployed to the root context ('/').
CVSS Score
6.1
EPSS Score
0.002
Published
2024-09-11
A unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. If the public view setting is enabled, a attacker can upload a PHP-file that will be available for execution for a few milliseconds before it is removed, leading to execution of code on the underlying system. The vulnerability has been remediated in version 1.52.02.
CVSS Score
9.8
EPSS Score
0.008
Published
2024-09-11
A unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying any requirements. This leads to the possibility of execution of code on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02.
CVSS Score
9.8
EPSS Score
0.785
Published
2024-09-11
Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVSS Score
8.8
EPSS Score
0.002
Published
2024-09-11
Use after free in Media Router in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVSS Score
8.8
EPSS Score
0.001
Published
2024-09-11
A unauthenticated SQL Injection has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database. The vulnerability has been remediated in version 1.52.02.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-09-11
An unauthenticated Insecure Direct Object Reference (IDOR) to the database has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database by exporting it as a CSV file. The vulnerability has been remediated in version 1.52.02.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-09-11
This vulnerability exists in Reedos aiM-Star version 2.0.1 due to missing restrictions for excessive failed authentication attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack against legitimate user passwords, which could lead to gain unauthorized access and compromise other user accounts.
CVSS Score
9.8
EPSS Score
0.005
Published
2024-09-11
A vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings. The issue arises when the denylist is configured to block specific commands, such as 'whoami' and '/bin/whoami'. An attacker can circumvent this restriction by executing commands with a modified path, such as '/bin/./whoami', which is not recognized by the denylist.
CVSS Score
9.8
EPSS Score
0.004
Published
2024-09-11
This vulnerability exists in Reedos aiM-Star version 2.0.1 due to transmission of sensitive information in plain text in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter through API request URL and intercepting response of the API request leading to exposure of sensitive information belonging to other users.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-09-11