2857 matches found

Vulnrichment
added 2024/10/15 4:8 p.m. | 23 views

CVE-2024-48914 Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy

Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data...

CVSS 9.1 | AI score 6.7 | EPSS 0.92497
Exploits 1 | References 4

CVE
added 2024/10/15 4:8 p.m. | 250 views

CVE-2024-48914

Summary (CVE-2024-48914): Vendure’s asset server plugin allows an attacker to traverse the server filesystem and read arbitrary files, including configs and environment data, due to using the decoded request path directly in path.join (no normalization). A second vector in the same code path can ...

CVSS 9.1 | AI score 9 | EPSS 0.92497
In wild | Exploits 1 | References 4

Cvelist
added 2024/10/15 4:8 p.m. | 32 views

CVE-2024-48914 Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy

Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data...

CVSS 9.1 | EPSS 0.92497
Exploits 1 | References 4

NCSC
added 2024/10/09 11:21 a.m. | 2 views

Vulnerability fixed in Ivanti Endpoint Manager Mobile

Ivanti has fixed a vulnerability in Endpoint Manager Mobile. A locally authenticated malicious party could exploit the vulnerability to obtain read and write permissions to sensitive configuration files. Ivanti has released updates to fix the vulnerability in Endpoint Manager Mobile. See the...

CVSS 8.8 | AI score 6.6 | EPSS 0.00184
Exploits 0 | References 1

OpenVAS
added 2024/10/09 12:0 a.m. | 16 views

Huawei EulerOS: Security Advisory for c-ares (EulerOS-SA-2024-2498)

The remote host is missing an update for the Huawei EulerOS...

CVSS 5.5 | AI score 6.2 | EPSS 0.00055
Exploits 0 | References 2

OpenVAS
added 2024/10/09 12:0 a.m. | 17 views

Huawei EulerOS: Security Advisory for c-ares (EulerOS-SA-2024-2573)

The remote host is missing an update for the Huawei EulerOS...

CVSS 5.5 | AI score 6.2 | EPSS 0.00055
Exploits 0 | References 2

Tenable Nessus
added 2024/10/09 12:0 a.m. | 23 views

EulerOS 2.0 SP12 : c-ares (EulerOS-SA-2024-2522)

According to the versions of the c-ares package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: c-ares is a C library for asynchronous DNS requests. ares__read_line() is used to parse local configuration files such as /etc/resolv.conf, /etc/...

CVSS 5.5 | AI score 7.3 | EPSS 0.00055
Exploits 0 | References 2

Tenable Nessus
added 2024/10/09 12:0 a.m. | 16 views

EulerOS 2.0 SP12 : cups (EulerOS-SA-2024-2523)

According to the versions of the cups package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the...

CVSS 6.7 | AI score 6.2 | EPSS 0.03102
Exploits 1 | References 2

Tenable Nessus
added 2024/10/09 12:0 a.m. | 20 views

EulerOS 2.0 SP11 : cups (EulerOS-SA-2024-2574)

According to the versions of the cups package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the...

CVSS 6.7 | AI score 6.2 | EPSS 0.03102
Exploits 1 | References 2

Tenable Nessus
added 2024/10/09 12:0 a.m. | 13 views

EulerOS 2.0 SP12 : c-ares (EulerOS-SA-2024-2498)

According to the versions of the c-ares package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: c-ares is a C library for asynchronous DNS requests. ares__read_line() is used to parse local configuration files such as /etc/resolv.conf, /etc/...

CVSS 5.5 | AI score 7.3 | EPSS 0.00055
Exploits 0 | References 2

Tenable Nessus
added 2024/10/09 12:0 a.m. | 19 views

EulerOS 2.0 SP12 : cups (EulerOS-SA-2024-2499)

According to the versions of the cups package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the...

CVSS 6.7 | AI score 6.2 | EPSS 0.03102
Exploits 1 | References 2

OpenVAS
added 2024/10/09 12:0 a.m. | 6 views

Huawei EulerOS: Security Advisory for c-ares (EulerOS-SA-2024-2522)

The remote host is missing an update for the Huawei EulerOS...

CVSS 5.5 | AI score 6.2 | EPSS 0.00055
Exploits 0 | References 2

NVD
added 2024/10/08 5:15 p.m. | 15 views

CVE-2024-7612

Insecure permissions in Ivanti EPMM before 12.1.0.4 allow a local authenticated attacker to modify sensitive application components...

CVSS 8.8 | EPSS 0.00184
Exploits 0 | References 1

CVE
added 2024/10/08 4:17 p.m. | 56 views

CVE-2024-7612

Ivanti EPMM (Endpoint Manager Mobile, formerly MobileIron Core) prior to version 12.1.0.4 is affected by an insecure permissions issue that allows a locally authenticated attacker to modify sensitive application components and configuration files. Core impact is high, including potential read/wri...

CVSS 8.8 | AI score 8.4 | EPSS 0.00184
Exploits 0 | References 1 | Affected Software 1

Cvelist
added 2024/10/08 4:17 p.m. | 12 views

CVE-2024-7612

Insecure permissions in Ivanti EPMM before 12.1.0.4 allow a local authenticated attacker to modify sensitive application components...

CVSS 8.8 | EPSS 0.00184
Exploits 0 | References 1

CNNVD
added 2024/10/08 12:0 a.m. | 2 views

Ivanti EPMM Security Vulnerability

Ivanti EPMM is a product from Ivanti USA that enables IT departments to set policies for mobile devices, applications and content. A security vulnerability exists in Ivanti EPMM versions prior to 12.1.0.4 that stems from the presence of an insecure privilege that allows a locally authenticated...

CVSS 8.8 | AI score 6.3 | EPSS 0.00184
Exploits 0 | References 2

Veracode
added 2024/10/07 6:55 p.m. | 7 views

Authorization Bypass

www.velocidex.com/golang/velociraptor is vulnerable to Authorization Bypass. The vulnerability is due to improper permission checks in the copy VQL function, which applies checks for reading files but does not check for permission to write files, allowing low-privilege users to overwrite server...

CVSS 8.8 | AI score 6.6 | EPSS 0.00323
Exploits 0 | References 3 | Affected Software 1

OSV
added 2024/10/04 6:15 p.m. | 2 views

CVE-2024-38040

There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files...

CVSS 7.5 | AI score 5.7 | EPSS 0.00297
Exploits 0 | References 1

Cvelist
added 2024/10/01 12:0 a.m. | 17 views

CVE-2024-25658

Cleartext storage of passwords in Infinera TNMS Transcend Network Management System Server 19.10.3 allows attackers with access to the database or exported configuration files to obtain SNMP users' usernames and passwords in cleartext...

EPSS 0.00162
Exploits 0 | References 1

OSV
added 2024/09/30 8:15 a.m. | 3 views

CVE-2024-8459

Certain switch models from PLANET Technology store SNMPv3 users' passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials...

CVSS 4.9 | AI score 5.8 | EPSS 0.00119
Exploits 0 | References 2