Security Vulnerabilities - CVEs Published In September 2024
The goTenna Pro App does not encrypt callsigns in messages. It is
recommended to not use sensitive information in callsigns when using
this and previous versions of the app and update your app to the current
app version which uses AES-256 encryption for callsigns in encrypted
operation.
CVSS Score
4.3
EPSS Score
0.0
Published
2024-09-26
The goTenna Pro App does not authenticate public keys which allows an
unauthenticated attacker to manipulate messages. It is advised to update
your app to the current release for enhanced encryption protocols.
CVSS Score
8.1
EPSS Score
0.001
Published
2024-09-26
The goTenna Pro App does not use SecureRandom when generating passwords
for sharing cryptographic keys. The random function in use makes it
easier for attackers to brute force this password if the broadcasted
encryption key is captured over RF. This only applies to the optional
broadcast of an encryption key, so it is advised to share the key with
local QR code for higher security operations.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-09-26
In the goTenna Pro App there is a vulnerability that makes it possible
to inject any custom message with any GID and Callsign using a software
defined radio in existing goTenna mesh networks. This vulnerability can
be exploited if the device is being used in an unencrypted environment
or if the cryptography has already been compromised. It is advised to
share encryption keys via QR scanning for higher security operations and
update your app to the current release for enhanced encryption
protocols.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-09-26
The goTenna Pro App encryption key name is always sent unencrypted when
the key is shared over RF through a broadcast message. It is advised to
share the encryption key via local QR for higher security operations.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-09-26
The goTenna Pro App does not inject extra characters into broadcasted
frames to obfuscate the length of messages. This makes it possible to
tell the length of the payload regardless of the encryption used.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-09-26
The goTenna Pro ATAK Plugin does not encrypt callsigns in messages. It
is advised to not use sensitive information in callsigns when using this
and previous versions of the plugin. Update to current plugin version
which uses AES-256 encryption for callsigns in encrypted operation
CVSS Score
4.3
EPSS Score
0.0
Published
2024-09-26
A Cross Site Scripting (XSS) vulnerability in add_donor.php of Blood Bank And Donation Management System 1.0 allows an attacker to inject malicious scripts that will be executed when the Donor List is viewed.
CVSS Score
4.7
EPSS Score
0.001
Published
2024-09-26
A Cross Site Scripting (XSS) vulnerability in update_contact.php of Blood Bank and Donation Management System v1.0 allows an attacker to inject malicious scripts via the name parameter of the update_contact.php
CVSS Score
4.7
EPSS Score
0.001
Published
2024-09-26
Projectworld Online Voting System Version 1.0 is vulnerable to Cross Site Request Forgery (CSRF) via voter.php. This vulnerability allows an attacker to craft a malicious link that, when clicked by an authenticated user, automatically submits a vote for a specified party without the user's consent or knowledge. The attack leverages the user's active session to perform the unauthorized action, compromising the integrity of the voting process.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-09-26