11231 matches found
CVE-2024-42467
The CVE concerns openHAB’s CometVisu add-on (prior to 4.2.1) where the proxy endpoint can be accessed without authentication. The underlying issue enables Server-Side Request Forgery (SSRF) to trigger GET requests to internal-only servers if openHAB is exposed on a non-private network, and also e...
CVE-2024-42467 CometVisu Backend for openHAB affected by SSRF/XSS
openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Prior to version 4.2.1, the proxy endpoint of openHAB's CometVisu add-on can be accessed without authentication. This proxy-feature can be exploited as Server-Side Request Forger...
CVE-2024-29831 Apache DolphinScheduler: RCE by arbitrary js execution
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2...
CVE-2024-29831
CVE-2024-29831 relates to an improper input validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server, potentially enabling remote code execution. Affected: DolphinScheduler; remediation guidance consistentl...
OpenHAB CometVisu addon -- Multiple vulnerabilities
OpenHAB reports: This patch release addresses the following security advisories: SSRF/XSS CometVisu - GHSA-v7gr-mqpj-wwh3 Sensitive information disclosure CometVisu - GHSA-3g4c-hjhr-73rj RCE through path traversal CometVisu - GHSA-f729-58x4-gqgf Path traversal CometVisu - GHSA-pcwp-26pw-j98w All ...
CVE-2024-42365 Asterisk allows `Write=originate` as sufficient permissions for code execution / `System()` dialplan
Asterisk is an open source private branch exchange PBX and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with write=originate may change all configuration files in the /etc/asterisk/ directory. Thi...
FreeBSD : jenkins -- multiple vulnerabilities (db8fa362-0ccb-4aa8-9220-72b7763e9a4a)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the db8fa362-0ccb-4aa8-9220-72b7763e9a4a advisory. Jenkins Security Advisory: Arbitrary file read vulnerability through agent connections can lea...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description Critical SECURITY-3430 / CVE-2024-43044 Arbitrary file read vulnerability through agent connections can lead to RCE Description Medium SECURITY-3349 / CVE-2024-43045 Missing permission check allows accessing other users' "My Views"...
Opigno module - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-028
The Opigno module is related to the Opigno LMS distribution. It implements the module entity, which is a sub-part of a training. In the opignomodule module, uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site...
CVE-2024-42395
There is a vulnerability in the AP Certificate Management Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise...
CVE-2024-42394
There are vulnerabilities in the Soft AP Daemon Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise...
CVE-2024-42393
There are vulnerabilities in the Soft AP Daemon Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise...
CVE-2024-42393
Technical details for CVE-2024-42393 are not publicly available in the provided documents. Monitor for updates from NVD/CVE and vendor advisories.
CVE-2024-42394
CVE-2024-42394 describes unauthenticated remote code execution via the Soft AP Daemon Service, accessed by the PAPI protocol. The vulnerability allows an attacker to execute arbitrary commands on the underlying OS, potentially leading to full system compromise. Documents consistently identify the...
CVE-2024-42394 Unauthenticated Stack-Based Buffer Overflow Remote Command Execution (RCE) in the Soft AP Daemon Service Accessed by the PAPI Protocol
There are vulnerabilities in the Soft AP Daemon Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise...
CVE-2024-42395
CVE-2024-42395 describes an unauthenticated remote code execution in the AP Certificate Management Service. Exploitation could allow an attacker to run arbitrary commands on the underlying OS, potentially leading to complete system compromise. The CVSS metrics indicate a network-based, no-authe...
CVE-2024-39225
GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a remote code execution (RCE) vulnerability...
Android vulnerability used in targeted attacks patched by Google
Google has released patches for 46 vulnerabilities in Android, including a remote code execution (RCE) vulnerability that it says has been used in limited, targeted attacks. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app...