Security Vulnerabilities - CVEs Published In September 2024
In the goTenna Pro App there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing goTenna mesh networks. This vulnerability can be exploited if the device is being used in an unencrypted environment or if the cryptography has already been compromised. It is advised to share encryption keys via QR scanning for higher security operations and update your app to the current release for enhanced encryption protocols.
CVSS Score: 6.5 | EPSS Score: 0.0 | Published: 2024-09-26
The goTenna Pro App encryption key name is always sent unencrypted when the key is shared over RF through a broadcast message. It is advised to share the encryption key via local QR for higher security operations.
CVSS Score: 4.3 | EPSS Score: 0.0 | Published: 2024-09-26
The goTenna Pro App does not inject extra characters into broadcasted frames to obfuscate the length of messages. This makes it possible to tell the length of the payload regardless of the encryption used.
CVSS Score: 4.3 | EPSS Score: 0.0 | Published: 2024-09-26
The goTenna Pro ATAK Plugin does not encrypt callsigns in messages. It is advised not to use sensitive information in callsigns when using this and previous versions of the plugin. Update to the current plugin version, which uses AES-256 encryption for callsigns in encrypted operation.
CVSS Score: 4.3 | EPSS Score: 0.0 | Published: 2024-09-26
A Cross Site Scripting (XSS) vulnerability in add_donor.php of Blood Bank And Donation Management System 1.0 allows an attacker to inject malicious scripts that will be executed when the Donor List is viewed.
CVSS Score: 4.7 | EPSS Score: 0.001 | Published: 2024-09-26
A Cross Site Scripting (XSS) vulnerability in update_contact.php of Blood Bank and Donation Management System v1.0 allows an attacker to inject malicious scripts via the name parameter of update_contact.php.
CVSS Score: 4.7 | EPSS Score: 0.001 | Published: 2024-09-26
Projectworld Online Voting System Version 1.0 is vulnerable to Cross Site Request Forgery (CSRF) via voter.php. This vulnerability allows an attacker to craft a malicious link that, when clicked by an authenticated user, automatically submits a vote for a specified party without the user's consent or knowledge. The attack leverages the user's active session to perform the unauthorized action, compromising the integrity of the voting process.
CVSS Score: 6.5 | EPSS Score: 0.0 | Published: 2024-09-26
The goTenna Pro App uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF and the password is cracked via a brute-force attack, it is possible to decrypt the key and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is an optional feature, so it is recommended to use local QR encryption key sharing for additional security on this and previous versions.
CVSS Score: 5.3 | EPSS Score: 0.0 | Published: 2024-09-26
The goTenna Pro ATAK Plugin's default settings are to share Automatic Position, Location, and Information (PLI) updates every 60 seconds once the plugin is active and goTenna is connected. Users who are unaware of their settings and have not activated encryption before a mission may accidentally broadcast their location unencrypted. It is advised to verify that PLI settings are at the desired rate and to activate encryption prior to a mission. Update to the latest Plugin to disable this default setting.
CVSS Score: 4.3 | EPSS Score: 0.0 | Published: 2024-09-26
The goTenna Pro ATAK plugin uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF and the password is cracked via a brute-force attack, it is possible to decrypt the key and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is an optional feature, so it is advised to use local QR encryption key sharing for additional security on this and previous versions.
CVSS Score: 5.3 | EPSS Score: 0.0 | Published: 2024-09-26



Shodan ® - All rights reserved