Security Vulnerabilities - CVEs Published In October 2024
Funadmin v5.0.2 has an arbitrary file read vulnerability in /curd/index/editfile.
CVSS Score: 4.9 | EPSS Score: 0.001 | Published: 2024-10-25
Funadmin v5.0.2 has an arbitrary file deletion vulnerability in /curd/index/delfile.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2024-10-25
Funadmin 5.0.2 is vulnerable to SQL Injection in curd/table/savefield.
CVSS Score: 7.2 | EPSS Score: 0.001 | Published: 2024-10-25
Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.
CVSS Score: 5.3 | EPSS Score: 0.008 | Published: 2024-10-25
Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
CVSS Score: 7.5 | EPSS Score: 0.012 | Published: 2024-10-25
MangoOS before 5.2.0 was discovered to contain a Client-Side Template Injection (CSTI) vulnerability via the Platform Management Edit page.
CVSS Score: 4.6 | EPSS Score: 0.001 | Published: 2024-10-25
An arbitrary file upload vulnerability in MangoOS before 5.1.4 and Mango API before 4.5.5 allows attackers to execute arbitrary code via a crafted file.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2024-10-25
A stored cross-site scripting (XSS) vulnerability in MangoOS before 5.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2024-10-25
MangoOS before 5.2.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the Active Process Command feature.
CVSS Score: 7.2 | EPSS Score: 0.02 | Published: 2024-10-25
A SQL Injection vulnerability in ESAFENET CDG 5 and earlier allows an attacker to execute arbitrary code via the id parameter of the dataSearch.jsp page.
CVSS Score: 6.3 | EPSS Score: 0.001 | Published: 2024-10-25


Shodan ® - All rights reserved