From be8d8935aa4aee611356cdc5c5c752623afc23e5 Mon Sep 17 00:00:00 2001 From: Github-Bot Date: Sun, 7 Apr 2024 23:23:41 +0000 Subject: [PATCH] Updated by Github Bot --- cache/Tenable (Nessus).dat | 10 +++ data/cves.db | Bin 46985216 -> 46989312 bytes docs/index.html | 162 ++++++++++++++++++------------------- 3 files changed, 91 insertions(+), 81 deletions(-) diff --git a/cache/Tenable (Nessus).dat b/cache/Tenable (Nessus).dat index 9d262194cb1..668ed3763bd 100644 --- a/cache/Tenable (Nessus).dat +++ b/cache/Tenable (Nessus).dat @@ -154,3 +154,13 @@ a0fda00325d2d253664ffc2f471328d9 c17360d00386202e7ea37ce361d2cf54 d34d96cba8f286450fd7c8d5d11f8308 06da8ad377ff1d904dc32af7038f0c81 +93dd0369eae4bcea64811d3481dda1b5 +5bdaad99079d0bd6b78cb220f492778b +d23663b48f5d29aa9cd2ba59ac88e890 +0eb2b923b164a1d18aa874473ff5b811 +07032626ff056060e31105d464abdaef +4e182befdb9a68117d0620c95c33b1d5 +d9b9f84eb54c6fd61eeef29c848aa448 +20bcf172618e2af057ec2ad31724bf04 +b67f27af951f9a41befbb990dabe7d1b +fb589e94e464f0fa8a0eeee28df875e6 diff --git a/data/cves.db b/data/cves.db index 839dbf7c87e6b1cdbd308eb1180d4dfbb4238ef9..2a0490db495d48f233af9c604de0bf844b483a63 100644 GIT binary patch delta 5143 zcmd7U2Xs_r76)+VO94Ux214j$5CLgn-kT0e6_F+hQdAV~o0g0z1Ia{*1wz6fMMXf6 z!9pG?3Rof#5EYf8C(`=3O1J-a!(>e)SKbMm`$=9TZguiX1h#e21x z6%`vZ7j;PL-KbHYeT%JwEWPIl!~#)}1V|zz36czH3~2&s3Q2)9gQP;zAk85yAg4jn zAuS=TAQ_O>kW5G$NLxrdNP9>JNJmH~NM}eE#0u#GIUUj!at5Ruq&uVsZifK%5X4#0~L4ypaBo0g$sGXF~=;20;cxhCqfwhC$AO42PTx z838#DG7>ThG8!@lG8S?^WE><1k_#CRxd1W&G7&NfG8u9qLZ(4D zJ_f`G@k0WTAS49IgXBZPkjo$ikU~fiq!x~snUHeGm5{3- zS3|CW%!15@R6yoHDj`*nxe!3+L9T^d2bmAK9&!WZM#uulO^}6Fg**n?0(l(r1msD`R>(HUcE}FMQ;?@2J0Z_No`vj! z?1nrC*#p@Nc^>itQ$06T9zJ+`T`5y8ERs%BAsi0ZpKZG>InDg>(^J zOjGC*x|F8UG>VVEK|bdjsDw%>N@a98T|qOcoUWv+ z=xVx#X3=b_pgB}YRWz4C^XOW-j^@+#bOYT;3+N_VNQ-DO-AqepDcwTLC`QZaR=SOD zr#ol`Rg+08=}x+f?xt0A58X?vX$`HV`{;gpfF7h8dWhE1dfGs>w2?N^!?c+mp-1U4 z+Cq=h6Z9l)rERpGcFFB2lX_Aw>P>y9FJ)6dvXMqQ*~vjpa*>-n zS&k7#d6G(>ThZTpCXo&;*)DlV~zs zNEgw?G=(mqOKB=iqxkq6kFKTbXg*y}H_(l=fNr9Nw1^hd&9sD;(k--%VziuY zrQ7Isx`S3wHJP-M?xefuZdyh6(7m*p*3eqIkM5@j=s~KXhiDzGrwvp~8)*|gte%j~ zYSp_46H29xHrE~Atj^lHjPau;vGk*t?oaCT zB5JG)#~<0O7#@j-N8{nKc-RsTkH^Ck@$h6kY>kI)@vuD}cErO|@$hs!?2LzJ;^EnN z*cA`Et;0^wkB)H)$JGise24&?D*C{kh_UKlLm@koief0;vd&uHjE zbI~Z9YHj}bOs#63Y0K8Kb(`+!YvaG$s(Jcr&iI)iU~j^yJv#^A7hg zb9(Gmi8i~#HMb3Fvg(E>%U+db1a!O0W%oHeA!k7M8iv;&(0zu}Yxq5$pvOG+*-q6V zDLy(LQ=9avC1fu8q{Ncca(X0O94+Ojlt#lvk>apXXzo9>MV*=Qy90~YtW_E2zHz%% zVurJ!z8@E_f*XH&HY`%cY=l1x0 zx^4?Oyt>X5)*tyo;EI++zax2UmZ(T-)RWx}C~CFbC#mZ?nh0Oz$^+E^o8 zIJT_VpKm>NrnPxs)mqiY{B>8YN^0@X^I6}g0=AX$C)#>;ckQX(WZNCyd9zW|iM{DD zuc>`r(`jCNAYik*yg?)A@cDy=%i+b726() zc8{lxL-%ZL^~GLwB%xIrYesUy(nih4H#@)S^2Uy&Xu{_7ZT>118@y6G*|%y6YP!c~ zsM2q*^cx|c)8h?#9YKf75we904-=Jtx+f6wxSg@w!lmuZ;)8osvN@!6*rJ*1x+bdh z)UlDs$2O^ywBIM0X6E*|M-BNy zcVE3_lRA|xx>v6nfSPV~Z#~RjIn406+#%g^$V~#kQ-RzZFGWeNi;0pX{bGGwMrYUHuzT77Z5rf+czN_0OzesY_}2g2e}F zRqIS=w!NV>S6~0EU&b?V;7FUwXt<5KBKsd7Vvbt6#&T-*>^4`GhMKN*v*)!}dRY*B z-jK%;^f?`VS191pxZpy%*Y9y~Q*fBu4{fZkbvD+$UMDQ}tVyFr7Kb9yAhUmRj&)?w z^hin6I(%l`$Cz-`%$@nVrFBMwrz{&bsf_maY;U&iYM|fxf9VMcd_pYu<+6Wt+5;Ak z)8m~+V>=ofj-ckzxlRKu{sA+&U(b7cSlm*8LhFz~5l_}% zl4IlrWBV@7%{1TSzR+3!^LJP0)v7MlPp(yoW@Oe5)g<-zDgFC>b5zd%-y0{--l2Nv z@qN=#)e|*c>K379uha~i+h*5Yx+}z_bJ<+Bpk32!&H&4x!A;BD|M+f}^SYlSi<9Hqpm XqpptrwdNAdG}foC_1kTN-QoNj-vUfR delta 2737 zcmWmGWtWx(6op}UsR4!@I%nwa?(Xhp)7{-eY`VLL?yjMSZUq|)P!tOku~E_c`EcDo zV6S!7I?>T5GDJT)o?&U$L{ahL6}i7GvU>ce>9XQmAuEBE&`M+_wvt$3R#GdOmD~!q zQdlXiR90#$jg{7lu+mxStqfL1E0dMk%3@`;vRT=!99B*%(u%TjS-Gt|R$eQgmES60 z6|@Rjg{>l1QLC6$+$v#}v`Sf}tuj_wtDIHds$f;LDp{4SDppminpNGZVb!#1S+%V? zR$Z%}Ro`l0HMAO8jjbkDQ>&TP+-hO9v|3rMtu|I$tDV)}>R@%WI$52qE>>5oo7LT7 zpB`3EtC!W=>SOh_`dR(00oFikkTuvEVhy#1S;MUn)<|oVHQE|ujkU&E$b-+4k9kLEvN35gPG3&T> z!a8Z4vSO{%)*0)pbd4vUSC}YF)FgTQ{tm)-CI{b;r7E-Lu}Z-nQ;r z53F~rcdhrV_pJ}C53P@^ht|i|C)TIdXV&M|BkQsC#QMVe(t2urWqoZuv%ayuwZ5~y zw|=mmTQ961t)Hxy*3Z@}>lf=+>o@Cn>ksQs>o4oI^|$qp^{@5D`fr}%FH(GjkN^ph z2#JvdVMvN(NRDu%KuV-SYNSD0L?9i~BLgxb6EY(UvLYL@BL{LK5>d#7+{lBx$cOwW zfPyH5!YG2GD2C!Ffs!bN(kO$nD2MW>fQqPu%BX^>sD|pOftsj=+NguNsE7J!fQD#< z#%O}3Xolu!ftF~6)@XyaXovRbfR5;d&gg=!=!WhH_V0n7=!M?sgTCm8{uqFP7=*zX zf}t3O;TVCD7=_UogRvNg@tA;#n1sogf~lB>XiUcp%)~4hvoQyAF%R>x01L4Qi?IYt zu?)+x0xPi!tFZ=au@3980UNOin-PO8*otk~jvd&EUD%C1*o%GGj{`V}LpY2hIErI9 zjuSYEQ;5ZBoWWU~!+Bi5Ma1C}F5?QW;u@~w25#aOZsQK_;vU|@+qjPhcn9y|J-m+( z@F70JLwt-+@F_mS=Xiw2c!DqRC7$9de2r)L2H)a4e2*XS953)Ae!@%qj92&tzv4Ii zjz91x{=#egjeqbj-r&FZ^AzIz5kdkaL?R?c5`-Zsk|8<5kpd}^3aOC>X%T^RNRJH2 zh)l?gEXay%$c`MyiAY2t7jh#H@**GdqW}t`5DKFRilP{bqXbH#6iTBE%Ay>~qXH_T z5-Ot#s-haIqXufC7HXpo>Y^U%qX8PC5gMZjnxYw+qXk-`6{ zx}qDpBiO$OdZHJ4qYwI`ANpee24WBfV+e*~7=~j6Mq(63V+_V(9L8e;CSnpMV+y8X z8lo{BGcXggV9drG%*8y+#{w+GA}q!dEX6V`#|o^(Dy+sDti?L4#|CV~CTvCwwqPr^ zVLNtUCw5^s_FymeVLuMwAP(U$j^HSc;W$p9eqys3*fh50|ug5gQ_>gPaL+Hpsak=Yw1baxq9; zkV`=>2e}gDYLII|t_Qgh + @@ -283,6 +283,86 @@

眈眈探求 | TITLE URL + + 93dd0369eae4bcea64811d3481dda1b5 + CVE-2024-3428 + 2024-04-07 18:15:13 + A vulnerability has been found in SourceCodester Online Courseware 1.0 and classified as problematic. This vulnerability affects unknown code of the file edit.php. The manipulation of the argument id leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259600. + 详情 + + + + 5bdaad99079d0bd6b78cb220f492778b + CVE-2024-31349 + 2024-04-07 18:15:13 + Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MailMunch MailMunch – Grow your Email List allows Stored XSS.This issue affects MailMunch – Grow your Email List: from n/a through 3.1.6. + 详情 + + + + d23663b48f5d29aa9cd2ba59ac88e890 + CVE-2024-31348 + 2024-04-07 18:15:13 + Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Testimonials allows Stored XSS.This issue affects Testimonials: from n/a through 3.0.5. + 详情 + + + + 0eb2b923b164a1d18aa874473ff5b811 + CVE-2024-31346 + 2024-04-07 18:15:12 + Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blocksmarket Gradient Text Widget for Elementor allows Stored XSS.This issue affects Gradient Text Widget for Elementor: from n/a through 1.0.1. + 详情 + + + + 07032626ff056060e31105d464abdaef + CVE-2024-31345 + 2024-04-07 18:15:12 + Unrestricted Upload of File with Dangerous Type vulnerability in Sukhchain Singh Auto Poster.This issue affects Auto Poster: from n/a through 1.2. + 详情 + + + + 4e182befdb9a68117d0620c95c33b1d5 + CVE-2024-31344 + 2024-04-07 18:15:12 + Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Phpbits Creative Studio Easy Login Styler – White Label Admin Login Page for WordPress allows Stored XSS.This issue affects Easy Login Styler – White Label Admin Login Page for WordPress: from n/a through 1.0.6. + 详情 + + + + d9b9f84eb54c6fd61eeef29c848aa448 + CVE-2024-31308 + 2024-04-07 18:15:12 + Deserialization of Untrusted Data vulnerability in VJInfotech WP Import Export Lite.This issue affects WP Import Export Lite: from n/a through 3.9.26. + 详情 + + + + 20bcf172618e2af057ec2ad31724bf04 + CVE-2024-31306 + 2024-04-07 18:15:12 + Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Blocks for Gutenberg allows Stored XSS.This issue affects Essential Blocks for Gutenberg: from n/a through 4.5.3. + 详情 + + + + b67f27af951f9a41befbb990dabe7d1b + CVE-2024-31296 + 2024-04-07 18:15:11 + Authorization Bypass Through User-Controlled Key vulnerability in Repute Infosystems BookingPress.This issue affects BookingPress: from n/a through 1.0.81. + 详情 + + + + fb589e94e464f0fa8a0eeee28df875e6 + CVE-2024-31292 + 2024-04-07 18:15:11 + Unrestricted Upload of File with Dangerous Type vulnerability in Moove Agency Import XML and RSS Feeds.This issue affects Import XML and RSS Feeds: from n/a through 2.1.5. + 详情 + + 05f884e2687893a376a43e52473403da CVE-2024-3413 @@ -443,86 +523,6 @@

眈眈探求 | 详情 - - 2a6dd1d0db696ec5e5b4e9921df99e08 - CVE-2024-30254 - 2024-04-04 19:15:08 - MesonLSP is an unofficial, unendorsed language server for meson written in C++. A vulnerability in versions prior to 4.1.4 allows overwriting arbitrary files if the attacker can make the victim either run the language server within a specific crafted project or `mesonlsp --full`. Version 4.1.4 contains a patch for this issue. As a workaround, avoid running `mesonlsp --full` and set the language server option `others.neverDownloadAutomatically` to `true`. - 详情 - - - - 4c1d461ce64c9a3960bb78179de2714e - CVE-2024-30252 - 2024-04-04 19:15:08 - Livemarks is a browser extension that provides RSS feed bookmark folders. Versions of Livemarks prior to 3.7 are vulnerable to cross-site request forgery. A malicious website may be able to coerce the extension to send an authenticated GET request to an arbitrary URL. An authenticated request is a request where the cookies of the browser are sent along with the request. The `subscribe.js` script uses the first parameter from the current URL location as the URL of the RSS feed to subscribe to and checks that the RSS feed is valid XML. `subscribe.js` is accessible by an attacker website due to its use in `subscribe.html`, an HTML page that is declared as a `web_accessible_resource` in `manifest.json`. This issue may lead to `Privilege Escalation`. A CSRF breaks the integrity of servers running on a private network. A user of the browser extension may have a private server with dangerous functionality, which is assumed to be safe due to network segmentation. Upon receiving an authenticated request instantiated from an attacker, this integrity is broken. Version 3.7 fixes this issue by removing subscribe.html from `web_accessible_resources`. - 详情 - - - - fe8aed4b9c5396cbe835bc3e6bd71374 - CVE-2024-30249 - 2024-04-04 19:15:08 - Cloudburst Network provides network components used within Cloudburst projects. A vulnerability in versions prior to `1.0.0.CR1-20240330.101522-15` impacts publicly accessible software depending on the affected versions of Network and allows an attacker to use Network as an amplification vector for a UDP denial of service attack against a third party or as an attempt to trigger service suspension of the host. All consumers of the library should upgrade to at least version `1.0.0.CR1-20240330.101522-15` to receive a fix. There are no known workarounds beyond updating the library. - 详情 - - - - e55d9623ae214233b037b634f2ee098b - CVE-2024-29193 - 2024-04-04 19:15:08 - gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The index page (`index.html`) shows the available streams by fetching the API (`[0]`) in the client side. Then, it uses `Object.entries` to iterate over the result (`[1]`) whose first item (`name`) gets appended using `innerHTML` (`[2]`). In the event of a victim visiting the server in question, their browser will execute the request against the go2rtc instance. After the request, the browser will be redirected to go2rtc, in which the XSS would be executed in the context of go2rtc’s origin. As of time of publication, no patch is available. - 详情 - - - - 64cc9bbf39a723abaaed7d86349bab1f - CVE-2024-25007 - 2024-04-04 19:15:07 - Ericsson Network Manager (ENM), versions prior to 23.1, contains a vulnerability in the export function of application log where Improper Neutralization of Formula Elements in a CSV File can lead to code execution or information disclosure. There is limited impact to integrity and availability. The attacker on the adjacent network with administration access can exploit the vulnerability. - 详情 - - - - ac37a39d3585b994812a60a5179bcad2 - CVE-2024-29192 - 2024-04-04 18:15:14 - gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to Cross-Site Request Forgery. The `/api/config` endpoint allows one to modify the existing configuration with user-supplied values. While the API is only allowing localhost to interact without authentication, an attacker may be able to achieve that depending on how go2rtc is set up on the upstream application, and given that this endpoint is not protected against CSRF, it allows requests from any origin (e.g. a "drive-by" attack) . The `exec` handler allows for any stream to execute arbitrary commands. An attacker may add a custom stream through `api/config`, which may lead to arbitrary command execution. In the event of a victim visiting the server in question, their browser will execute the requests against the go2rtc instance. Commit 8793c3636493c5efdda08f3b5ed5c6e1ea594fd9 adds a warning about secure API access. - 详情 - - - - d564b6bbe2e7319823aa9019e48521a5 - CVE-2024-28787 - 2024-04-04 18:15:14 - IBM Security Verify Access 10.0.0 through 10.0.7 and IBM Application Gateway 20.01 through 24.03 could allow a remote attacker to obtain highly sensitive private information or cause a denial of service using a specially crafted HTTP request. IBM X-Force ID: 286584. - 详情 - - - - 1c6f68cbab6a0db99ba02ab3143ae8da - CVE-2024-2660 - 2024-04-04 18:15:14 - Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11. - 详情 - - - - c2d38650dcf41fa2e5137274a5046849 - CVE-2024-27268 - 2024-04-04 18:15:13 - IBM WebSphere Application Server Liberty 18.0.0.2 through 24.0.0.3 is vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 284574. - 详情 - - - - afeaec7f7ecf15b5b945861d3006ddd5 - CVE-2024-25709 - 2024-04-04 18:15:13 - There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. - 详情 - -