Aggregator

A vulnerability has been found in nuxt icon up to 1.4.4 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /api/_nuxt_icon/[name]. The manipulation leads to server-side request forgery. This vulnerability is known as CVE-2024-42352. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in oFono 1.34. Affected is an unknown function of the component AT CMGR Command Handler. The manipulation leads to use of uninitialized variable. This vulnerability is traded as CVE-2024-7542. An attack has to be approached locally. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in oFono 1.34. This issue affects some unknown processing of the component AT CMT Command Handler. The manipulation leads to use of uninitialized variable. The identification of this vulnerability is CVE-2024-7541. The attack needs to be approached locally. There is no exploit available.

A vulnerability classified as problematic was found in oFono 1.34. This vulnerability affects unknown code of the component AT CMGL Command Handler. The manipulation leads to use of uninitialized variable. This vulnerability was named CVE-2024-7540. It is possible to launch the attack on the local host. There is no exploit available.

A vulnerability classified as critical has been found in oFono 1.34. This affects an unknown part of the component CUSD Handler. The manipulation leads to stack-based buffer overflow. This vulnerability is uniquely identified as CVE-2024-7539. Attacking locally is a requirement. There is no exploit available.

有报道称针对上周末被披露的Apache OFBiz 安全漏洞（CVE-2024-38856）的攻击企图日益增多，使用 Apache OFBiz 的组织被敦促修补一个严重漏洞。 Apache OFBiz 开发人员称，18.12.14 之前的版本都受到影响，18.12.15 包含一个修复程序。 开发人员在一份咨询报告中表示： “如果满足某些先决条件（例如，当屏幕定义没有明确检查用户的权限，因为它们依赖于其端点的配置时），未经身份验证的端点可能会允许执行屏幕的屏幕渲染代码。” 发现该漏洞的 SonicWall 威胁研究人员将其描述为一个严重问题，可能允许未经身份验证的远程代码执行。 SonicWall 解释称：“漏洞的根本原因在于身份验证机制存在缺陷。该缺陷允许未经身份验证的用户访问通常需要用户登录才能使用的功能，从而为远程代码执行铺平了道路。” SonicWall 尚未发现利用 CVE-2024-38856 的攻击。 然而，最近发现的另一个 Apache OFBiz 漏洞似乎已被恶意攻击者利用。该漏洞于 5 月被发现，编号为 CVE-2024-32113，是一个路径遍历错误，可能导致远程命令执行。 SANS 技术研究所的互联网风暴中心报告称，7 月底发现攻击尝试有所增加。 有证据表明攻击者正在试验该漏洞并可能将其添加到 Mirai 僵尸网络变种的攻击中。 Apache OFBiz 是一个用于创建企业资源规划 (ERP) 应用程序的免费框架。OFBiz被多家大型公司使用。大多数用户在美国，其次是印度和欧洲。 SANS 的 Johannes Ullrich 指出：“OFBiz 似乎远不如商业替代方案那么流行。然而，就像任何其他 ERP 系统一样，组织依靠它来存储敏感的业务数据，而这些 ERP 系统的安全性至关重要。”   转自军哥网络安全读报，原文链接：https://mp.weixin.qq.com/s/_RfZplteHa9jDl1FXXRqtA 封面来源于网络，如有侵权请联系删除

A vulnerability was found in oFono 1.34. It has been rated as critical. Affected by this issue is some unknown functionality of the component CUSD AT Command Handler. The manipulation leads to stack-based buffer overflow. This vulnerability is handled as CVE-2024-7538. Local access is required to approach this attack. There is no exploit available.

A vulnerability was found in oFono 1.34. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component QMI SMS Handler. The manipulation leads to out-of-bounds read. This vulnerability is known as CVE-2024-7537. An attack has to be approached locally. There is no exploit available.

A vulnerability was found in Nuxt up to 3.12.3. It has been classified as problematic. Affected is the function navigateTo of the component URL Parser. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2024-34343. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

印尼通讯部以在线赌博和色情理由封锁了 DuckDuckGo。印尼的穆斯林人口高居世界第一，它严格禁止在网络上分享淫秽色情内容。此前它已经屏蔽了社媒平台 Reddit 和视频平台 Vimeo。通讯部官员称，DuckDuckGo 被封锁是因为有很多人投诉上面能搜索到大量的赌博和色情内容。通讯部没有解释 DuckDuckGo 与 Google 和 Bing 等搜索引擎之间的差异。DuckDuckGo 的搜索引擎主要来自于 Bing。

A vulnerability was found in Cybozu Office up to 10.8.6 and classified as problematic. This issue affects some unknown processing of the component Search. The manipulation leads to information disclosure. The identification of this vulnerability is CVE-2024-39817. The attack can only be done within the local network. There is no exploit available.

A vulnerability has been found in Nuxt up to 3.12.3 and classified as problematic. This vulnerability affects the function NuxtTestComponentWrapper. The manipulation of the argument path leads to cross site scripting. This vulnerability was named CVE-2024-34344. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Dell Command & Update, Update and Alienware Update up to 5.3. This affects an unknown part. The manipulation leads to externally controlled reference. This vulnerability is uniquely identified as CVE-2024-28962. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in mailcow-dockerized. Affected by this issue is some unknown functionality of the component Relay Hosts Configuration Handler. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2024-41960. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in mailcow-dockerized. Affected by this vulnerability is an unknown functionality of the component API Log Handler. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-41959. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic has been found in kubean-io kubean up to 0.17.x. Affected is an unknown function. The manipulation leads to incorrect permission assignment. This vulnerability is traded as CVE-2024-41820. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in mailcow-dockerized. It has been rated as problematic. This issue affects some unknown processing of the component Two-factor Authentication Handler. The manipulation leads to incorrect comparison. The identification of this vulnerability is CVE-2024-41958. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Icinga ipl-web up to 0.10.0. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. This vulnerability was named CVE-2024-41811. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical. This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c. The manipulation leads to heap-based buffer overflow. This vulnerability is uniquely identified as CVE-2024-7055. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Natnael Samson (@NattiSamson)' was reported to the affected vendor on: 2024-08-06, 63 days ago. The vendor is given until 2024-12-04 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.