Security Vulnerabilities - CVEs Published In September 2024
Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that endpoint for both OpenId and Oauth2 Directus is using the respond middleware, which by default will try to cache GET requests that met some conditions. Although, those conditions do not include this scenario, when an unauthenticated request returns user credentials. This vulnerability is fixed in 10.13.3 and 11.1.0.
CVSS Score
7.4
EPSS Score
0.006
Published
2024-09-10
cross-site scripting (XSS) vulnerability in Gibbon Core v26.0.00 allows an attacker to execute arbitrary code via the imageLink parameter in the library_manage_catalog_editProcess.php component.
CVSS Score
6.1
EPSS Score
0.015
Published
2024-09-10
An arbitrary file upload vulnerability in the component /admin/index.php of moziloCMS v3.0 allows attackers to execute arbitrary code via uploading a crafted file.
CVSS Score
7.2
EPSS Score
0.12
Published
2024-09-10
A reflected cross-site scripting (XSS) vulnerability in moziloCMS v3.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
CVSS Score
6.1
EPSS Score
0.001
Published
2024-09-10
An issue in the component /jeecg-boot/jmreport/dict/list of JimuReport v1.7.8 allows attacker to escalate privileges via a crafted GET request.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-09-10
Microsoft Outlook for iOS Information Disclosure Vulnerability
CVSS Score
6.5
EPSS Score
0.064
Published
2024-09-10
Windows Mark of the Web Security Feature Bypass Vulnerability
CVSS Score
6.5
EPSS Score
0.051
Published
2024-09-10
Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability.
This servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order.
Note: Windows 10, version 1507 reached the end of support (EOS) on May 9, 2017 for devices running the Pro, Home, Enterprise, Education, and Enterprise IoT editions. Only Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions are still under support.
CVSS Score
9.8
EPSS Score
0.201
Published
2024-09-10
Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability
CVSS Score
7.8
EPSS Score
0.008
Published
2024-09-10
Windows libarchive Remote Code Execution Vulnerability
CVSS Score
7.3
EPSS Score
0.016
Published
2024-09-10