Security Vulnerabilities - CVEs Published In November 2024
Bitcoin Core before 0.20.0 allows remote attackers to cause a denial of service (memory consumption) via a crafted INV message.
CVSS Score: 7.5 | EPSS Score: 0.01 | Published: 2024-11-18

Bitcoin Core before 0.15.0 allows a denial of service (OOM kill of a daemon process) via a flood of minimum difficulty headers.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2024-11-18

Bitcoin Core before 22.0 has a miniupnp infinite loop in which it allocates memory on the basis of random data received over the network, e.g., large M-SEARCH replies from a fake UPnP device.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2024-11-18

Bitcoin Core before 22.0 has a CAddrMan nIdCount integer overflow and resultant assertion failure (and daemon exit) via a flood of addr messages.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2024-11-18

Bitcoin Core before 0.20.0 allows remote attackers to cause a denial of service (infinite loop) via a malformed GETDATA message.
CVSS Score: 7.5 | EPSS Score: 0.008 | Published: 2024-11-18

A flaw was found in GNOME Maps, which is vulnerable to a code injection attack via its service.json configuration file. If the configuration file is malicious, it may execute arbitrary code.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2024-11-17

In Flagsmith before 2.134.1, the get_document endpoint is not correctly protected by permissions.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2024-11-17

In Flagsmith before 2.134.1, it is possible to bypass the ALLOW_REGISTRATION_WITHOUT_INVITE setting.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2024-11-17

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the cancel_import() function in all versions up to, and including, 5.61.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and import or check on the status.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2024-11-16

The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the UploadHandler.php file and no direct file access prevention in all versions up to, and including, 1.22.21. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.
CVSS Score: 9.8 | EPSS Score: 0.93 | Published: 2024-11-16

