Aggregator

A vulnerability was found in Tenda W15E 15.11.0.14. It has been declared as critical. This vulnerability affects the function formIPMacBindDel of the file /goform/delIpMacBind. The manipulation of the argument IPMacBindIndex leads to stack-based buffer overflow. This vulnerability was named CVE-2024-4119. The attack can be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Tenda W15E 15.11.0.14. It has been rated as critical. This issue affects the function formIPMacBindModify of the file /goform/modifyIpMacBind. The manipulation of the argument IPMacBindRuleId/IPMacBindRuleIp/IPMacBindRuleMac/IPMacBindRuleRemark leads to stack-based buffer overflow. The identification of this vulnerability is CVE-2024-4120. The attack may be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as critical has been found in Tenda W15E 15.11.0.14. Affected is the function formQOSRuleDel. The manipulation of the argument qosIndex leads to stack-based buffer overflow. This vulnerability is traded as CVE-2024-4121. It is possible to launch the attack remotely. There is no exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as critical was found in Tenda W15E 15.11.0.14. Affected by this vulnerability is the function formSetDebugCfg of the file /goform/setDebugCfg. The manipulation of the argument enable/level/module leads to stack-based buffer overflow. This vulnerability is known as CVE-2024-4122. The attack can be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, has been found in Tenda W15E 15.11.0.14. Affected by this issue is the function formSetPortMapping of the file /goform/SetPortMapping. The manipulation of the argument portMappingServer/portMappingProtocol/portMappingWan/porMappingtInternal/portMappingExternal leads to stack-based buffer overflow. This vulnerability is handled as CVE-2024-4123. The attack may be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, was found in Tenda W15E 15.11.0.14. This affects the function formSetRemoteWebManage of the file /goform/SetRemoteWebManage. The manipulation of the argument remoteIP leads to stack-based buffer overflow. This vulnerability is uniquely identified as CVE-2024-4124. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability has been found in Tenda W15E 15.11.0.14 and classified as critical. This vulnerability affects the function formSetStaticRoute of the file /goform/setStaticRoute. The manipulation of the argument staticRouteIndex leads to stack-based buffer overflow. This vulnerability was named CVE-2024-4125. The attack can be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Tenda W15E 15.11.0.14 and classified as critical. This issue affects the function formSetSysTime of the file /goform/SetSysTimeCfg. The manipulation of the argument manualTime leads to stack-based buffer overflow. The identification of this vulnerability is CVE-2024-4126. The attack may be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Tenda W15E 15.11.0.14. It has been classified as critical. Affected is the function guestWifiRuleRefresh. The manipulation of the argument qosGuestDownstream leads to stack-based buffer overflow. This vulnerability is traded as CVE-2024-4127. It is possible to launch the attack remotely. There is no exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as problematic, has been found in Tutor LMS Plugin up to 2.6.2 on WordPress. Affected by this issue is the function tutor_instructor_list of the component Shortcode Handler. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2024-3994. The attack may be launched remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in Tutor LMS Plugin up to 2.6.2 on WordPress. Affected is an unknown function of the component Options Update Handler. The manipulation leads to missing authorization. This vulnerability is traded as CVE-2024-3553. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability was found in Jeg Elementor Kit Plugin up to 2.6.4 on WordPress. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Countdown Widget. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2024-3161. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in Jeg Elementor Kit Plugin up to 2.6.4 on WordPress. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Widget URL Custom Attribute Handler. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-0334. The attack can be launched remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in Tenda W15E 15.11.0.14. Affected is the function formAddDnsForward of the file /goform/AddDnsForward. The manipulation of the argument DnsForwardRule leads to stack-based buffer overflow. This vulnerability is traded as CVE-2024-4115. It is possible to launch the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability has been found in Tenda W15E 15.11.0.14 and classified as critical. Affected by this vulnerability is the function formDelDhcpRule of the file /goform/DelDhcpRule. The manipulation of the argument delDhcpIndex leads to stack-based buffer overflow. This vulnerability is known as CVE-2024-4116. The attack can be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Tenda W15E 15.11.0.14 and classified as critical. Affected by this issue is the function formDelPortMapping of the file /goform/DelPortMapping. The manipulation of the argument portMappingIndex leads to stack-based buffer overflow. This vulnerability is handled as CVE-2024-4117. The attack may be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Tenda W15E 15.11.0.14. It has been classified as critical. This affects the function formIPMacBindAdd of the file /goform/addIpMacBind. The manipulation of the argument IPMacBindRule leads to stack-based buffer overflow. This vulnerability is uniquely identified as CVE-2024-4118. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

Overview Recently, NSFOCUS CERT detected that Fortinet has issued a security notification and fixed the identity authentication bypass vulnerability in FortiOS and FortiProxy (CVE-2024-55591). Unauthenticated attackers can bypass system identity authentication by sending special packets to the Node.js websocket module, thus obtaining super administrator permissions of the target system. The CVSS score is 9.8. At […]

The post Fortinet OS & FortiProxy Authentication Bypass Vulnerability (CVE-2024-55591) Notification appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..

The post Fortinet OS & FortiProxy Authentication Bypass Vulnerability (CVE-2024-55591) Notification appeared first on Security Boulevard.

[This is a Guest Diary by Curtis Dibble, an ISC intern as part of the SANS.edu BACS [1] program]

HackerNews 编译，转载请注明出处： SAP已修复影响NetWeaver Web应用服务器的两个关键漏洞，这些漏洞可能被利用来提升权限并访问受限信息。 作为一月安全补丁日的一部分，该供应商还发布了针对其他产品的更新，以修复12个被评为中高严重性的其他问题。 SAP的安全公告指出：“SAP强烈建议客户访问支持门户，并优先应用补丁，以保护其SAP环境。” 本月SAP解决的最严重的四个安全问题概述如下： CVE-2025-0070（关键严重性，9.9分）：SAP NetWeaver ABAP应用服务器及ABAP平台的认证不当，使得经过认证的攻击者可以利用认证检查不当的漏洞，导致权限提升，并严重影响保密性、完整性和可用性。 CVE-2025-0066（关键严重性，9.9分）：SAP NetWeaver ABAP应用服务器（互联网通信框架）中存在信息泄露漏洞，由于访问控制薄弱，攻击者能够访问受限信息，严重损害保密性、完整性和可用性。 CVE-2025-0063（高严重性，8.8分）：SAP NetWeaver ABAP应用服务器及ABAP平台中存在SQL注入漏洞，原因是某些RFC功能模块缺少授权检查。这使得拥有基本权限的攻击者能够危及Informix数据库，导致保密性、完整性和可用性完全丧失。 CVE-2025-0061（高严重性，8.7分）：SAP BusinessObjects商业智能平台中存在多个漏洞，由于信息泄露问题，未经认证的攻击者可以在网络上执行会话劫持，从而访问并修改所有应用数据。 SAP产品服务于制造业、金融业、零售业、医疗保健和政府等多个行业的大型企业，在管理业务运营和客户关系方面发挥着关键作用。 SAP NetWeaver是运行ABAP应用程序和通过互联网通信框架实现安全通信的核心平台。它通常由管理财务、人力资源和供应链ERP系统的企业IT管理员、开发人员和顾问使用。 SAP BusinessObjects是一个用于报告、分析和数据可视化的平台，由分析师、决策者和IT团队使用，以获取见解并支持战略决策。 过去，黑客曾针对未更新以修复已知漏洞或配置不当的SAP产品，导致网络面临泄露风险。 这家德国供应商强烈建议客户应用最新的可用补丁，以保护其SAP环境。   消息来源：Bleeping Computer, 编译：zhongx；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文