Security Vulnerabilities - CVEs Published In November 2024
Atlantis is a self-hosted Go application that listens for Terraform pull request events via webhooks. Atlantis logs contain GitHub credentials (installation tokens of the form `ghs_...`) when they are rotated. An attacker able to read these logs can impersonate the Atlantis application and perform actions on GitHub with its permissions. When Atlantis is used to administer a GitHub organization, this yields administrative privileges over the organization. This was reported in #4060 and fixed in #4667. The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
8.5
EPSS Score
0.007
Published
2024-11-08
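The check a practitioner wants after reading the Atlantis entry above is whether tokens have already reached their logs. The following Go program is an added example, not Atlantis's own code and not part of the original advisory: it scans log lines for GitHub tokens, classifies each by prefix and emits a redacted copy of the log suitable for shared storage. It generalizes beyond the `ghs_` installation tokens the advisory names to the other GitHub token prefixes (`ghp_`, `gho_`, `ghu_`, `ghr_`, `github_pat_`); the log lines and token values are constructed, and the token lengths assume GitHub's published formats at the time of writing.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one credential observed in a log line.
type Finding struct {
	Line     int    // 1-based line number in the scanned log
	Kind     string // token family, derived from the prefix
	Redacted string // safe-to-store form of the token
}

// GitHub token families by prefix. ghs_ (GitHub App installation tokens) is
// the family Atlantis wrote to its logs; the rest are included so the same
// scanner also catches personal access, OAuth, user-to-server and refresh tokens.
var tokenKinds = map[string]string{
	"ghs_":        "GitHub App installation token",
	"ghp_":        "personal access token (classic)",
	"gho_":        "OAuth access token",
	"ghu_":        "GitHub App user-to-server token",
	"ghr_":        "GitHub App refresh token",
	"github_pat_": "fine-grained personal access token",
}

// Classic-format tokens are a 4-character prefix plus 36 base62 characters;
// fine-grained PATs are github_pat_ plus 82 characters (assumed current formats).
var tokenRe = regexp.MustCompile(`\b(?:gh[spour]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b`)

// prefixOf returns the known prefix a token starts with, or "" if none matches.
func prefixOf(tok string) string {
	for p := range tokenKinds {
		if strings.HasPrefix(tok, p) {
			return p
		}
	}
	return ""
}

// Classify returns the token family for a matched token, or "unknown".
func Classify(tok string) string {
	if p := prefixOf(tok); p != "" {
		return tokenKinds[p]
	}
	return "unknown"
}

// Redact keeps the prefix and the last four characters so a finding can be
// correlated with GitHub's audit log without storing the secret itself.
func Redact(tok string) string {
	p := prefixOf(tok)
	if p == "" || len(tok) < len(p)+4 {
		return "<redacted>"
	}
	return p + "..." + tok[len(tok)-4:]
}

// ScanLogs checks every line for GitHub tokens. It returns the findings and a
// copy of the log with each token replaced by its redacted form; the redacted
// copy is the one to forward to a log aggregator that many people can read.
func ScanLogs(lines []string) ([]Finding, []string) {
	var findings []Finding
	redacted := make([]string, 0, len(lines))
	for i, line := range lines {
		for _, tok := range tokenRe.FindAllString(line, -1) {
			findings = append(findings, Finding{Line: i + 1, Kind: Classify(tok), Redacted: Redact(tok)})
		}
		redacted = append(redacted, tokenRe.ReplaceAllStringFunc(line, Redact))
	}
	return findings, redacted
}

// Constructed sample lines in the style of a server log. They are not real
// Atlantis output, and both tokens are made-up strings of the right shape.
const sampleLog = `2024-11-08T10:00:00Z [INFO] server: atlantis started
2024-11-08T10:05:12Z [DEBUG] github: rotated installation token ghs_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
2024-11-08T10:05:13Z [INFO] github: credentials refreshed for installation
2024-11-08T10:06:00Z [DEBUG] github: Authorization: Bearer ghp_0123456789AbCdEfGhIjKlMnOpQrStUvWxYz`

func main() {
	findings, redacted := ScanLogs(strings.Split(sampleLog, "\n"))
	for _, f := range findings {
		fmt.Printf("line %d: %s (%s)\n", f.Line, f.Kind, f.Redacted)
	}
	fmt.Println(strings.Join(redacted, "\n"))
}
```

Any finding means the credential should be treated as exposed and rotated; the redacted copy, not the original, is what belongs in shared log storage.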
Combodo iTop is a simple, web based IT Service Management tool. In affected versions, portal users are able to access service information they are not authorized to see. This issue has been addressed in version 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
4.3
EPSS Score
0.005
Published
2024-11-08
Combodo iTop is a simple, web based IT Service Management tool. Several URL endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
7.6
EPSS Score
0.07
Published
2024-11-08
vmir e8117 was discovered to contain a stack overflow via the init_local_vars function at /src/vmir_wasm_parser.c.
CVSS Score
9.8
EPSS Score
0.008
Published
2024-11-08
vmir e8117 was discovered to contain a segmentation violation via the export_function function at /src/vmir_wasm_parser.c.
CVSS Score
5.5
EPSS Score
0.001
Published
2024-11-08
Combodo iTop is a simple, web based IT Service Management tool. Affected versions are subject to a reflected Cross-Site Scripting (XSS) vulnerability: a crafted request payload is reflected in an error message, which can lead to malicious JavaScript execution. This issue has been addressed in version 3.2.0 by systematically escaping error messages when rendering them on the page. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
8.1
EPSS Score
0.01
Published
2024-11-08
wac commit 385e1 was discovered to contain a heap overflow.
CVSS Score
6.2
EPSS Score
0.002
Published
2024-11-08
vmir e8117 was discovered to contain a segmentation violation via the wasm_parse_block function at /src/vmir_wasm_parser.c.
CVSS Score
5.5
EPSS Score
0.001
Published
2024-11-08
vmir e8117 was discovered to contain a heap buffer overflow via the wasm_call function at /src/vmir_wasm_parser.c.
CVSS Score
7.8
EPSS Score
0.002
Published
2024-11-08
vmir e8117 was discovered to contain a heap buffer overflow via the wasm_parse_section_functions function at /src/vmir_wasm_parser.c.
CVSS Score
7.8
EPSS Score
0.003
Published
2024-11-08
Shodan ® - All rights reserved