Security Vulnerabilities - CVEs Published In September 2024
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible for any user knowing the ID of a notification filter preference of another user, to enable/disable it or even delete it. The impact is that the target user might start loosing notifications on some pages because of this. This vulnerability is present in XWiki since 13.2-rc-1. This vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0-rc-1. The patch consists in checking properly the rights of the user before performing any action on the filters. Users are advised to upgrade. It's possible to fix manually the vulnerability by editing the document `XWiki.Notifications.Code.NotificationPreferenceService` to apply the changes performed in commit e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4.
CVSS Score
6.5
EPSS Score
0.009
Published
2024-09-18
Victure PC420 1.1.39 was discovered to contain a hardcoded root password which is stored in plaintext.
CVSS Score
8.8
EPSS Score
0.001
Published
2024-09-18
Victure PC420 1.1.39 was discovered to use a weak and partially hardcoded key to encrypt data.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-09-18
Victure PC420 1.1.39 was discovered to use a weak encryption key for the file enabled_telnet.dat on the Micro SD card.
CVSS Score
8.8
EPSS Score
0.001
Published
2024-09-18
Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter a user may bypass this block by using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`). This issue has been addressed in release versions 10.13.3 and 11.1.0. Users are advised to upgrade. Users unable to upgrade may block this bypass by manually adding the `127.0.0.0/8` CIDR range which will block access to any `127.X.X.X` ip instead of just `127.0.0.1`.
CVSS Score
5.0
EPSS Score
0.001
Published
2024-09-18
FrogCMS V0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/plugin/file_manager/delete/123
CVSS Score
8.8
EPSS Score
0.001
Published
2024-09-18
Prior to the patched version, an authenticated user of Mautic could read system files and access the internal addresses of the application due to a Server-Side Request Forgery (SSRF) vulnerability.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-09-18
Draytek Vigor 3910 v4.3.2.6 was discovered to contain a buffer overflow in the sIpv6AiccuUser parameter at inetipv6.cgi. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVSS Score
7.5
EPSS Score
0.004
Published
2024-09-18
Draytek Vigor 3910 v4.3.2.6 was discovered to contain a buffer overflow in the ssidencrypt%d parameter at v2x00.cgi. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVSS Score
7.5
EPSS Score
0.003
Published
2024-09-18
Draytek Vigor 3910 v4.3.2.6 was discovered to contain a buffer overflow in the sDnsPro parameter at v2x00.cgi. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVSS Score
7.5
EPSS Score
0.003
Published
2024-09-18