Security Vulnerabilities - CVEs Published In December 2024
IBM Cognos Controller 11.0.0 and 11.0.1
is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVSS Score
6.5
EPSS Score
0.0
Published
2024-12-03
IBM Cognos Controller 11.0.0 and 11.0.1
contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-12-03
IBM Cognos Controller 11.0.0 and 11.0.1
could allow an authenticated user to upload insecure files, due to insufficient file type distinction.
CVSS Score
4.3
EPSS Score
0.0
Published
2024-12-03
IBM Cognos Controller 11.0.0 and 11.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVSS Score
5.9
EPSS Score
0.0
Published
2024-12-03
IBM Cognos Controller 11.0.0 and 11.0.1
is vulnerable to malicious file upload by allowing unrestricted filetype attachments in the Journal entry page. Attackers can make use of this weakness and upload malicious executable files into the system and can be sent to victims for performing further attacks.
CVSS Score
5.5
EPSS Score
0.001
Published
2024-12-03
Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-12-03
Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
CVSS Score
5.3
EPSS Score
0.001
Published
2024-12-03
Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.
CVSS Score
9.1
EPSS Score
0.001
Published
2024-12-03
IBM Cognos Controller 11.0.0 and 11.0.1
could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.
CVSS Score
8.0
EPSS Score
0.001
Published
2024-12-03
Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new "leaky bucket" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.
CVSS Score
7.5
EPSS Score
0.003
Published
2024-12-03