Security Vulnerabilities - CVEs Published In September 2024
Insertion of Sensitive Information into Log File vulnerability in Oceanic Software ValeApp allows Query System for Information.This issue affects ValeApp: before v2.0.0.
CVSS Score
7.5
EPSS Score
0.0
Published
2024-09-27
A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \src\backend\base\langflow\interface\utils.py of the component HTTP POST Request Handler. The manipulation of the argument remaining_text leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
3.5
EPSS Score
0.004
Published
2024-09-27
Access permission verification vulnerability in the App Multiplier module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVSS Score
6.7
EPSS Score
0.001
Published
2024-09-27
Path traversal vulnerability in the Bluetooth module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVSS Score
6.2
EPSS Score
0.0
Published
2024-09-27
Out-of-bounds write vulnerability in the HAL-WIFI module
Impact: Successful exploitation of this vulnerability may affect availability.
CVSS Score
4.7
EPSS Score
0.0
Published
2024-09-27
Access permission verification vulnerability in the input method framework module
Impact: Successful exploitation of this vulnerability may affect availability.
CVSS Score
4.4
EPSS Score
0.001
Published
2024-09-27
Input validation vulnerability in the USB service module
Impact: Successful exploitation of this vulnerability may affect availability.
CVSS Score
5.5
EPSS Score
0.0
Published
2024-09-27
Permission vulnerability in the ActivityManagerService (AMS) module
Impact: Successful exploitation of this vulnerability may affect availability.
CVSS Score
5.6
EPSS Score
0.0
Published
2024-09-27
In Eclipse Dataspace Components versions 0.1.3 to 0.9.0, the Connector component filters which datasets (= data offers) another party can see in a requested catalog, to ensure that only authorized parties are able to view restricted offers.
However, there is the possibility to request a single dataset, which should be subject to the same filtering process, but currently is missing the correct filtering.
This enables parties to potentially see datasets they should not have access to, thereby exposing sensitive information. Exploiting this vulnerability requires knowing the ID of a restricted dataset, but some IDs may be guessed by trying out many IDs in an automated way.
Affected code:
DatasetResolverImpl, L76-79 https://github.com/eclipse-edc/Connector/blob/v0.9.0/core/control-plane/control-plane-catalog/src/main/java/org/eclipse/edc/connector/controlplane/catalog/DatasetResolverImpl.java
CVSS Score
5.3
EPSS Score
0.001
Published
2024-09-27
The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via RSVP name field in all versions up to, and including, 6.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
7.2
EPSS Score
0.016
Published
2024-09-27