30456 matches found

CVE
added 2024/12/11 10:47 p.m. | 104 views

CVE-2024-55658

SiYuan has a path traversal vulnerability in its API: in versions prior to 3.1.16, /api/export/exportResources allows arbitrary file reads when the paths parameter is manipulated to traverse the workspace directory structure. Multiple sources confirm that 3.1.16 includes a ...

CVSS 8.7 | AI score 6.9 | EPSS 0.00585
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2024/12/11 10:41 p.m. | 53 views

CVE-2024-55652

CVE-2024-55652 affects PenDoc (also referenced as PwnDoc) where, prior to a particular commit, an attacker able to control a DOCX template could inject expressions that escape the JavaScript sandbox and execute arbitrary code on the host. The root cause is a template processing flaw that allowed ...

CVSS 6.5 | AI score 7.8 | EPSS 0.00663
Exploits: 0 | References: 3

CVE
added 2024/12/11 6:52 p.m. | 117 views

CVE-2024-47538

CVE-2024-47538 affects GStreamer’s Vorbis decoder. A stack buffer overflow is triggered in the function vorbis_handle_identification_packet in gstvorbisdec.c: a stack-allocated position buffer of size 64 is overflowed when vd->vi.channels exceeds 64, writing the valu...

CVSS 9.8 | AI score 9.4 | EPSS 0.01237
Exploits: 0 | References: 4 | Affected Software: 1

Github Security Blog
added 2024/12/11 6:42 p.m. | 18 views

kcp's impersonation allows access to global administrative groups

Impact: Impersonation is a feature of the Kubernetes API that allows user information to be overridden. As a downstream project, kcp inherits this feature. As per the linked documentation, a specific level of privilege, usually assigned to cluster admins, is required for impersonation. The vulnerability in kc...

AI score 7
Exploits: 0 | References: 5 | Affected Software: 1

NVD
added 2024/12/11 5:15 p.m. | 13 views

CVE-2024-48912

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue...

CVSS 8.1 | EPSS 0.00417
Exploits: 0 | References: 2

NVD
added 2024/12/11 5:15 p.m. | 31 views

CVE-2024-47760

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue...

CVSS 8.8 | EPSS 0.00457
Exploits: 0 | References: 2

Vulnrichment
added 2024/12/11 5:03 p.m. | 24 views

CVE-2024-48912 GLPI vulnerable to authenticated insecure account deletion

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue...

CVSS 7.2 | AI score 6.8 | EPSS 0.00417
Exploits: 0 | References: 2

OSV
added 2024/12/11 5:03 p.m. | 20 views

CVE-2024-48912 GLPI vulnerable to authenticated insecure account deletion

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue...

CVSS 7.2 | AI score 4.5 | EPSS 0.00417
Exploits: 0 | References: 4

OSV
added 2024/12/11 5:00 p.m. | 11 views

CVE-2024-47761 GLPI vulnerable to account takeover via the password reset feature

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue...

CVSS 7.5 | AI score 4.7 | EPSS 0.00498
Exploits: 0 | References: 4

OSV
added 2024/12/11 4:56 p.m. | 12 views

CVE-2024-47760 GLPI vulnerable to account takeover via API

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue...

CVSS 7.5 | AI score 4.7 | EPSS 0.00457
Exploits: 0 | References: 4

CVE
added 2024/12/11 3:50 p.m. | 93 views

CVE-2024-47758

CVE-2024-47758 affects GLPI: in versions 9.3.0 up to, but not including, 10.0.17, authenticated users can use the API to take control of another user with equal or lower privileges. A patch is available in 10.0.17. Connected documents corroborate the GLPI context and indicate multiple vendor advisories f...

CVSS 8.8 | AI score 6.6 | EPSS 0.00434
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2024/12/11 3:35 p.m. | 4395 views

CVE-2024-53677

CVE-2024-53677 affects Apache Struts 2 (from 2.0.0 up to, but not including, 6.4.0). The root cause is flawed file upload logic that can be manipulated to enable path traversal, potentially allowing a malicious file upload and, under certain conditions, remote code execution (RCE). Public PoCs an...

CVSS 9.8 | AI score 6.5 | EPSS 0.78198
Exploits: 15 | References: 2 | Affected Software: 1

CBLMariner
added 2024/12/11 7:24 a.m. | 15 views

CVE-2024-49967 affecting package kernel for versions less than 5.15.173.1-1

CVE-2024-49967 affecting package kernel for versions less than 5.15.173.1-1. An upgraded version of the package is available that resolves this issue...

AI score 6.8
Exploits: 0

CBLMariner
added 2024/12/11 7:24 a.m. | 10 views

CVE-2024-50230 affecting package kernel for versions less than 5.15.173.1-1

CVE-2024-50230 affecting package kernel for versions less than 5.15.173.1-1. An upgraded version of the package is available that resolves this issue...

CVSS 7.8 | AI score 6.8 | EPSS 0.0027
Exploits: 0

CBLMariner
added 2024/12/11 7:24 a.m. | 11 views

CVE-2024-47720 affecting package kernel for versions less than 5.15.173.1-1

CVE-2024-47720 affecting package kernel for versions less than 5.15.173.1-1. An upgraded version of the package is available that resolves this issue...

CVSS 5.5 | AI score 6.8 | EPSS 0.00219
Exploits: 0

CBLMariner
added 2024/12/11 7:24 a.m. | 4 views

CVE-2024-47723 affecting package kernel for versions less than 5.15.173.1-1

CVE-2024-47723 affecting package kernel for versions less than 5.15.173.1-1. An upgraded version of the package is available that resolves this issue...

CVSS 7.1 | AI score 6.8 | EPSS 0.00286
Exploits: 0

CBLMariner
added 2024/12/11 7:24 a.m. | 12 views

CVE-2024-47742 affecting package kernel for versions less than 5.15.173.1-1

CVE-2024-47742 affecting package kernel for versions less than 5.15.173.1-1. An upgraded version of the package is available that resolves this issue...

CVSS 7.8 | AI score 6.8 | EPSS 0.00286
Exploits: 0

CBLMariner
added 2024/12/11 7:24 a.m. | 11 views

CVE-2024-47690 affecting package kernel for versions less than 5.15.173.1-1

CVE-2024-47690 affecting package kernel for versions less than 5.15.173.1-1. An upgraded version of the package is available that resolves this issue...

CVSS 5.5 | AI score 6.8 | EPSS 0.00235
Exploits: 0

CBLMariner
added 2024/12/11 7:24 a.m. | 10 views

CVE-2024-50007 affecting package kernel for versions less than 5.15.173.1-1

CVE-2024-50007 affecting package kernel for versions less than 5.15.173.1-1. An upgraded version of the package is available that resolves this issue...

CVSS 7.8 | AI score 6.8 | EPSS 0.0025
Exploits: 0

CBLMariner
added 2024/12/11 7:24 a.m. | 12 views

CVE-2024-50167 affecting package kernel for versions less than 5.15.173.1-1

CVE-2024-50167 affecting package kernel for versions less than 5.15.173.1-1. An upgraded version of the package is available that resolves this issue...

CVSS 5.5 | AI score 6.8 | EPSS 0.00253
Exploits: 0