From 6fc5dc167865757ea1119bae733e086acd5d91ad Mon Sep 17 00:00:00 2001 From: Github-Bot Date: Mon, 16 Dec 2024 18:34:48 +0000 Subject: [PATCH] Updated by Github Bot --- cache/Tenable (Nessus).dat | 10 +++ data/cves.db | Bin 50507776 -> 50520064 bytes docs/index.html | 162 ++++++++++++++++++------------------- 3 files changed, 91 insertions(+), 81 deletions(-) diff --git a/cache/Tenable (Nessus).dat b/cache/Tenable (Nessus).dat index 8a848c29927..8603a160476 100644 --- a/cache/Tenable (Nessus).dat +++ b/cache/Tenable (Nessus).dat @@ -118,3 +118,13 @@ d67d18f4f091b4254f51d85161939ca0 dadaf9bb405058212d1c71f06d95ea59 b53a1f01f88188e5cf796ab64f39e3ba 91b3b46fcd53438c089d99cdf8412d03 +a4e974165785ddf24fd970bc098dd3bc +1edfab03e102d44e92b29f1ed47a23f2 +65b7efcc88c6008c0e1cad5ffcd5f61b +367169ac31e04d6b422a10d5a9b1ba22 +547fa52dac331557e1b14f3f21f99493 +e43d3adfe02255c292babe3226af2c7b +8bf99a69ac5c5e77af2a00dee97f0c31 +594936095c8c3c421f9605a13558eb31 +286d1bce15445150c4f662c6cd7e40d6 +aa1e25452e020caa59e946d938f4420c diff --git a/data/cves.db b/data/cves.db index 56b89f696c063e98de7ca89d116cbcd869d41576..79c8356f5c02e465f4ac0649babfe05f34bf40eb 100644 GIT binary patch delta 8191 zcmeI$2Y3|ax(9G(l2Aeo5Lze$(n-RW*@pC9H53s<<(-|KO;)zCB@h$|dnnc+gq-jDR-XKMc6x;m;@$~DTOJODUGQ-Qw64qOqH0@nJP0?VXDeh zjj1|Q4WM%RVUn1dGBsnmfvGuD3#OJ# zt(aOfwP9+@)Q%~eDTgVSsXdd4$;@P7vNFj`HYPihgUQL{V(P$jBU4AFPE4Jdx-fNR z>c-TasRvU}rd~|FnffsGW$MS&pJ@QoK&C-VH!AJbh-W0?F*0j3~Rh$+l8mMOv% zWr{JynF^W4F^y*`Vw%8oH`6^#6PfO1n#5GhG?{4%(^RHuOw4p2({!d8OeIV+nPxHF z&orCq0j4=jbD8EbJ;*elX#vwiOb;_9m=-cEVtRyWG1C&JrA*71bf)D@E0`W-dW>l$ z)8kA}Fs)*GlIba?r+{(<@A`GQGz1 zI@1QGH<&guZDQKY^d{3=Om8!7VcN>HjcGg6J528~?O@u;^d8eLruUh4GwosefN3w& zhfE(a?PJ={bb#q&rh`nMFn!8&i0LrX5vHR|$Cy52`kd(trsGT}n97*GWID<871JrE zubECWoniWh>073=Oy4n`WBQ)yJkt+M7nm+G{m68Q=_jVkOg}UI!gQsCgxMs32q};X zX;2<2Kt-qo=};M}Kvk#))u9GtKuxFxwILJgKwYQ@^`QY|K|^Q+jiCuh&=i`%4bU7~ zKuc%^t)UIHg?5k)IgktO!31WofE8r0fgK#+1Q&FG8=)g~g3izdx0Or74m8He^B_s0;O=J~V(VXb6p6ZwSLg=ap$GJYUeFu* zKwszw{b2wMgh6l<+zfdz7>2-57zVe%aJUslz(}|aM#1fH2iysx!Ki-)+@OL7H1I+` z6o3!zf-&HS00bcfVHgV$h(ZkFPzd8-JQTqMxEt<)iEuAWf?}8qQ(!7g1BUxxI?R9) zm70- z6g&;jz_YL#*1&U63TxqccmdYIi|`VxhnL|McoklQ*I@&^0UKcxY=$@CEqEKYz*g7> z+u-4Kzz47wK7@~8AMA$%@G%^OPvBEH1c%`W9ED@>8GH_3z;QSM zW$-1Ogs;R6bV^(~r{cPlrR9vptG;~79~e{W-LX&(x51;O56WpX&1{`!R;+f1+3r$Qt64M29=lt%SQN9# zV^dsivs=;U?bsq_rP^eZQ$HIo6El06O}XaW@lwZ5QnF;pHa<(Oh%488?VMyu zHjdb?o?;Zt7QM!kSHvuR`P3pIH6vCO)})YEQWd{HFA@qz^|L2a#LPjl5Dvwonxsgo z-=_s*Qq@PL4#4TZNTK%%{fvN<>l%lweTv z>&54v5Hj`RakYhNiAEO}Rj487m@PSGyJT{9FxxtqY`QRXn^^l#@qXJ+KGaHExC)XUFZwuOCBYrNWLKYOiWV(#y1s7O2p_x$=?-Ez!%K5m@L2F z`hSeK?Q@;pRyXx86SFPJ)|{EaWxb7VP*UGoQeQD^9sPSkxV4y)qh~Z! zgyFhr^%5afUwzLxv9c}|Wr@}G1s|OdbJNDged-u}2g-8QziL6VNk9A27V(BZ+Cz@C zp#JQZnLW6ySF+*sETth%}58BDiki|o*a z^;tsWzxPrZW2Xq+^yN=IE>ur^d-vK@eg5Hh#G3l9Z6n0WnOBES`>P+Lje*wQ++N?j z>NBCaUZc|U;`D#E+S7llcD>2hN5z(ZsK*+QHnC92iP(VNONJ6Nqcb(WxsF~PUc~p5_4jd6O zEEp^brnx{EvzxJ{_8=M9&|2EC0;+bSwWi=r_t@Hg|RBbiO@|E{$ERB7d}R$AiNcSY^= zuC3k>Q%&eyGa7N(z+}g4VV&MWvAJZI)oyaxRHtfHWsBMCvYTv**=n;nHTUAdeN!5? zvDoGRQT@(c-Bv8GcXE7%dAe(xPALB$_07sgCN}Z`de#3<_tf`~6k6%+$MhAdBqo+U zTSb3v;u^8>_3fVj@2c;2JF0!EkIM$2qqdq7wN8nScDlVTmtyQ3Y^qIjI25l%F_}CX z(wo<$>c{$?#R|e@cO;}r+gj+7e}+&#v**A(sn__J7K~!*k+4TFeiCQL9|D!TR5RH1I-v{06j*nN0qYPDaNZpo=8aqMEO<@LJ% zrXwrU_2SDL#D-=(x^pTvbN!RA?66L8jMikU$EtX|n#p3Z*;ES_O^REyS}b6FQH5%Orj9W-491o5Ft!cGFR=na zOYHvgd>tV-A-s65QDXUJnH15Yv4~Giwvch3sD_|O zZePAW$#RR>pruX58G3{67ZQ8=Dub2;%-2R?|j<>VsW7gj!ktP(G&1h&DEk z+eUv|YGH?}@7j7wZ17L+PW}XSla{QT#M#y3v$1cNo#-ycGEYd~S1x^HM(G4$OUg#6 z^pIGwLiWrSTy~Su1xs?QB{_jZ(0do6_xZauqLnh@22_(nyT}^)>Qf) MT})}0iiN5C7vO|!;Q#;t delta 2929 zcmWmGWsnwR7=>YW7o@vWq`SL8rMsI0lG3nrNFBPnmu{sy7Ens1LAtxU%lrFr-ShrF zGtbOBXz!RLgRYNGGBJ6iBM~Cx$~q}^$)F>HWd&KmR)`hRie!CfMYf_?QLSiJbSs7x z(~4!qw&GZEt$0>^D}j~JN@OLrl2}QtWL9!3g_Y7uWqog@wtleESZS?vR(dOgmC?#% zWwx?dS*>hVb}NUK)5>M#w(?kct$bE~tAJI|Dr6P5idaRhVpeghgjLciWtFzdSU*}n zSwCB4t#Vd*tAbV0s$^BRs#sO6YF2fthE>z5W!1LoSaq#>R(-31)zE5WHMW{qO|51Y z`!u&&Sie{;tyWfRtBuvxYG?gwwYNH09j#7QXRC|V)#_$-w?eHRR!^&!)!XW0^|kt0 z{jCAkKxBjr!TI;O!)&^^% zwaMCSZLzjm+pO)@4r`~i%i3-2vBIsr);?>$^{4fhb-+4k9kLEvN36fCf2@D4qt-F& zxOKuhX`Ql8TW74Z)_>MH>%4Wrx@cXpE?ZZutJXE^x^=_4Y2C7JTX(Fx);;UK^}u>) zJ+dBKPpqfbGwZqa!g^`FvR+$nthd%X>%H~C`e=Q!K3iX`uhzFw3L2*%1S13y5eeTR zGNK?Vq9HnBASPlVHsT;I;vqf~AR!VVF_IuDk|8-#ASF`ad!)t>NQ1OUhxEvRjL3w{ z$bziMhV00JoXCaT$b-Ddhx{mjf+&Q-D1xFWhT4JD1#sI6MjZnltXz`Kt)tS zWmG{`R6}*tKuy#_ZPYCfiG(%wj=4gRm&=RfC8g0-P?eHtwqXRmk z6FQ>{x}qDpBNRQ*6TQ$Ieb5*E&>sUZ5Wis%24e_@Vi=6!7=e)(h0z#;u^5N(n1G3x zgvpqKshEc8n1Pv?h1r;cxtNFf2*Uy_#3C%l5-i0sEXNA0#44=D8vKqwuommE9viR` zo3I&Muoc^|9XqfSyRaL35RSdrhyC~yf8hWQ;t&qw2>!-D_!mcU499T-Cvgg=aRz7c zAI{-CF5n_A;WDn^Dz4!=Zr~>EXoyB=j3#J` zW(e%x94+t*TA~$NqYc`k9ezc7bU;URLT7YAS9C*ngrWy}q8ECj5Bj1X`eOhF;x`P! zU<|=f41+NoBQO%9FdAbp7UM7;6EG2zFd0)Y71J;sGcXggFdK6)7xOS5VOW5LScJt` zf~8o7T*eh##Wh^V4cx>n+{PW;#Xa1| z13V1gtw+I2CPY~uGA}~l^BT5b$jRVLGm>;EQD$q7=8c90g@2s%C^$4IZ03|l!CArs ztq~oeH2U{2l6D4r-3{R + @@ -283,6 +283,86 @@

眈眈探求 | TITLE URL + + a4e974165785ddf24fd970bc098dd3bc + CVE-2024-12478 + 2024-12-16 11:15:04 + A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function upload_file of the file /index.php/upload/upload_file/1/1. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. + 详情 + + + + 1edfab03e102d44e92b29f1ed47a23f2 + CVE-2024-12362 + 2024-12-16 10:15:05 + A vulnerability was found in InvoicePlane up to 1.6.1. It has been classified as problematic. This affects the function download of the file invoices.php. The manipulation of the argument invoice leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. + 详情 + + + + 65b7efcc88c6008c0e1cad5ffcd5f61b + CVE-2024-54682 + 2024-12-16 08:15:05 + Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin. + 详情 + + + + 367169ac31e04d6b422a10d5a9b1ba22 + CVE-2024-54083 + 2024-12-16 08:15:05 + Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post. + 详情 + + + + 547fa52dac331557e1b14f3f21f99493 + CVE-2024-48872 + 2024-12-16 08:15:04 + Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests + 详情 + + + + e43d3adfe02255c292babe3226af2c7b + CVE-2024-9679 + 2024-12-16 07:15:07 + A Hardcoded Cryptographic key vulnerability existed in DLP Extension 11.11.1.3 which allowed the decryption of previously encrypted user credentials. + 详情 + + + + 8bf99a69ac5c5e77af2a00dee97f0c31 + CVE-2024-9678 + 2024-12-16 07:15:06 + An SQL Injection vulnerability existed in DLP Extension 11.11.1.3. The vulnerability allowed an attacker to perform arbitrary SQL queries potentially leading to command execution. + 详情 + + + + 594936095c8c3c421f9605a13558eb31 + CVE-2024-12646 + 2024-12-16 07:15:06 + The topm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system. + 详情 + + + + 286d1bce15445150c4f662c6cd7e40d6 + CVE-2024-12645 + 2024-12-16 07:15:06 + The topm-client from Chunghwa Telecom has an Arbitrary File Read vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains a Relative Path Traversal vulnerability, allowing attackers to read arbitrary files on the user's system. + 详情 + + + + aa1e25452e020caa59e946d938f4420c + CVE-2024-12644 + 2024-12-16 07:15:06 + The tbm-client from Chunghwa Telecom has an Arbitrary File vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk of information leakage or could consume hard drive space by copying files in large volumes. + 详情 + + e06b7f31f7e95d61e3c590929fb78aaf CVE-2024-11858 @@ -443,86 +523,6 @@

眈眈探求 | 详情 - - 70b0c874b65eb15736584d9223cbcc5a - CVE-2024-48007 - 2024-12-13 14:15:22 - Dell RecoverPoint for Virtual Machines 6.0.x contains use of hard-coded credentials vulnerability. A Remote unauthenticated attacker could potentially exploit this vulnerability by gaining access to the source code, easily retrieving these secrets and reusing them to access the system leading to gaining access to unauthorized data. - 详情 - - - - cc216ee3385a6efb3943afdc4f13811a - CVE-2024-38488 - 2024-12-13 14:15:21 - Dell RecoverPoint for Virtual Machines 6.0.x contains a vulnerability. An improper Restriction of Excessive Authentication vulnerability where a Network attacker could potentially exploit this vulnerability, leading to a brute force attack or a dictionary attack against the RecoverPoint login form and a complete system compromise. This allows attackers to brute-force the password of valid users in an automated manner. - 详情 - - - - 60c21f6d930064addaba4e1846c23e18 - CVE-2024-22461 - 2024-12-13 14:15:21 - Dell RecoverPoint for Virtual Machines 6.0.x contains an OS Command injection vulnerability. A low privileged remote attacker could potentially exploit this vulnerability by running any command as root, leading to gaining of root-level access and compromise of complete system. - 详情 - - - - 21f47697a5ce427001fb9ff687fd0a45 - CVE-2024-11986 - 2024-12-13 14:15:21 - Improper input handling in the 'Host Header' allows an unauthenticated attacker to store a payload in web application logs. When an Administrator views the logs using the application's standard functionality, it enables the execution of the payload, resulting in Stored XSS or 'Cross-Site Scripting'. - 详情 - - - - 03282aa37629779cf4a49f1c85ad5c2d - CVE-2024-9608 - 2024-12-13 12:15:20 - The MyParcel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.24.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Please note this is only exploitable when the WooCommerce store is set to Belgium. - 详情 - - - - 174bfe7512da199b532e861da77a3173 - CVE-2024-21577 - 2024-12-13 12:15:19 - ComfyUI-Ace-Nodes is vulnerable to Code Injection. The ACE_ExpressionEval node contains an eval() in its entrypoint function that accepts arbitrary user-controlled data. A user can create a workflow that results in executing arbitrary code on the server. - 详情 - - - - 4abf3988708229d0b36d1e26a5592d66 - CVE-2024-21576 - 2024-12-13 12:15:19 - ComfyUI-Bmad-Nodes is vulnerable to Code Injection. The issue stems from a validation bypass in the BuildColorRangeHSVAdvanced, FilterContour and FindContour custom nodes. In the entrypoint function to each node, there’s a call to eval which can be triggered by generating a workflow that injects a crafted string into the node. This can result in executing arbitrary code on the server. - 详情 - - - - 358ae56ec177d1253a16832e41ba3f2b - CVE-2024-11827 - 2024-12-13 12:15:19 - The Out of the Block: OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ootb_query shortcode in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. - 详情 - - - - a391db25adf8c2cd2cc34bb4ea442274 - CVE-2024-50584 - 2024-12-12 14:15:22 - An authenticated attacker with the user/role "Poweruser" can perform an SQL injection by accessing the /class/template_io.php file and supplying malicious GET parameters. The "templates" parameter is vulnerable against blind boolean-based SQL injection attacks. SQL syntax must be injected into the JSON syntax of the templates parameter. - 详情 - - - - 1539d0272e54965789a7f9ab1c27f401 - CVE-2024-28146 - 2024-12-12 14:15:22 - The application uses several hard-coded credentials to encrypt config files during backup, to decrypt the new firmware during an update and some passwords allow a direct connection to the database server of the affected device. - 详情 - -