Security Vulnerabilities - CVEs Published In September 2024
Access permission verification vulnerability in the App Multiplier module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVSS Score
6.7
EPSS Score
0.001
Published
2024-09-27
Path traversal vulnerability in the Bluetooth module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVSS Score
6.2
EPSS Score
0.001
Published
2024-09-27
Out-of-bounds write vulnerability in the HAL-WIFI module
Impact: Successful exploitation of this vulnerability may affect availability.
CVSS Score
4.7
EPSS Score
0.001
Published
2024-09-27
Access permission verification vulnerability in the input method framework module
Impact: Successful exploitation of this vulnerability may affect availability.
CVSS Score
4.4
EPSS Score
0.001
Published
2024-09-27
Input validation vulnerability in the USB service module
Impact: Successful exploitation of this vulnerability may affect availability.
CVSS Score
5.5
EPSS Score
0.001
Published
2024-09-27
Permission vulnerability in the ActivityManagerService (AMS) module
Impact: Successful exploitation of this vulnerability may affect availability.
CVSS Score
5.6
EPSS Score
0.0
Published
2024-09-27
In Eclipse Dataspace Components versions 0.1.3 to 0.9.0, the Connector component filters which datasets (= data offers) another party can see in a requested catalog, to ensure that only authorized parties are able to view restricted offers.
However, there is the possibility to request a single dataset, which should be subject to the same filtering process, but currently is missing the correct filtering.
This enables parties to potentially see datasets they should not have access to, thereby exposing sensitive information. Exploiting this vulnerability requires knowing the ID of a restricted dataset, but some IDs may be guessed by trying out many IDs in an automated way.
Affected code:
DatasetResolverImpl, L76-79 https://github.com/eclipse-edc/Connector/blob/v0.9.0/core/control-plane/control-plane-catalog/src/main/java/org/eclipse/edc/connector/controlplane/catalog/DatasetResolverImpl.java
CVSS Score
5.3
EPSS Score
0.004
Published
2024-09-27
The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via RSVP name field in all versions up to, and including, 6.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
7.2
EPSS Score
0.272
Published
2024-09-27
Improper Certificate Validation in Checkmk Exchange plugin MikroTik allows attackers in MitM position to intercept traffic. This issue affects MikroTik: from 2.0.0 through 2.5.5, from 0.4a_mk through 2.0a.
CVSS Score
7.4
EPSS Score
0.002
Published
2024-09-27
In Logmanager service, there is a possible missing verification incorrect input. This could lead to local escalation of privilege with no additional execution privileges needed.
CVSS Score
6.5
EPSS Score
0.0
Published
2024-09-27