Security Vulnerabilities - CVEs Published In October 2024
Wavelog 1.8.5 allows Oqrs_model.php get_worked_modes station_id SQL injection.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2024-10-14
VULNERABILITY DETAILS Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported to us by Sharon Brizinov of Claroty Research - Team82. A feature in the affected products enables users to prepare a project file with an embedded VBA script that can be configured to run once the project file has been opened, without user intervention. This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform remote code execution. Connected devices may also be impacted by exploitation of this vulnerability.
CVSS Score: 7.7 | EPSS Score: 0.003 | Published: 2024-10-14
When manipulating the selection node cache, an attacker may have been able to cause unexpected behavior, potentially leading to an exploitable crash. This vulnerability affects Firefox < 131.0.3.
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2024-10-14
Vtiger CRM v8.2.0 has an HTML injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2024-10-14
X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list.
CVSS Score: 5.4 | EPSS Score: 0.009 | Published: 2024-10-14
Cloudlog 2.6.15 allows Oqrs.php delete_oqrs_line id SQL injection.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2024-10-14
Cloudlog 2.6.15 allows Oqrs.php get_station_info station_id SQL injection.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2024-10-14
Cross-Site Request Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. On multi-blog/user Roller websites, by default weblog owners are trusted to publish arbitrary weblog content, and this, combined with a deficiency in Roller's CSRF protections, allowed an escalation of privileges attack. This issue affects Apache Roller before 6.1.4. Roller users who run multi-blog/user Roller websites are recommended to upgrade to version 6.1.4, which fixes the issue. Roller 6.1.4 release announcement: https://lists.apache.org/thread/3c3f6rwqptyw6wdc95654fq5vlosqdpw
CVSS Score: 4.7 | EPSS Score: 0.001 | Published: 2024-10-14
Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p18, <2.2.0p35, <2.1.0p48 and <=2.0.0p39 (EOL) causes SNMP and IPMI secrets of host and folder properties to be written to audit log files accessible to administrators.
CVSS Score: 4.4 | EPSS Score: 0.002 | Published: 2024-10-14
Exposure of CSRF tokens in query parameters on specific requests in Checkmk GmbH's Checkmk versions <2.3.0p18, <2.2.0p35 and <2.1.0p48 could lead to a leak of the token to facilitate targeted phishing attacks.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2024-10-14

