Infrastructure and Network

In Vaultwarden version 1.32.5 a low severity vulnerability CVE-2024-55226 was detected. This vulnerability allows attackers to execute authenticated reflected Cross-Site Scripting (XSS) attacks via the `/api/core/mod.rs` component. To address this issue, users should upgrade Vaultwarden to version 1.32.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55226.

In Nextcloud Server and Enterprise Server versions from 22.0.0 to 24.0.6 a medium severity vulnerability was detected. This vulnerability allows shared items to remain accessible to users after they are removed from a group, even when the server is configured to restrict sharing within groups. To address this issue, users should upgrade to Nextcloud Server versions 22.2.11, 23.0.11, or 24.0.6, and Nextcloud Enterprise Server versions 22.2.11, 23.0.11, or 24.0.6. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52516.

In OpenVPN versions prior to 2.6.11 a critical severity vulnerability CVE-2024-5594 was detected. This vulnerability allows attackers to exploit improperly sanitized PUSH_REPLY messages, potentially injecting arbitrary data into third-party executables or plug-ins. To address this issue, users should upgrade to OpenVPN version 2.6.11 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5594.

In Invoice Ninja versions before 5.10.43 a high severity vulnerability CVE-2024-55555 was detected. This vulnerability allows attackers with access to the APP_KEY to execute remote code without authentication. The issue arises from insecure handling of serialized objects in a pre-authenticated route. To address this issue, users must upgrade to Invoice Ninja version 5.10.43 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55555.

In Nextcloud Server and Enterprise Server versions from 25.0.0 to 30.0.1 a medium severity vulnerability CVE-2024-52517 was detected. This vulnerability allows attackers with access to an active user session to read global credentials in plain text. To address this issue, users should upgrade to Nextcloud Server versions 28.0.11, 29.0.8, or 30.0.1 and Nextcloud Enterprise Server versions 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8, or 30.0.1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52517.

In Vaultwarden versions 1.32.6 and prior a high severity vulnerability CVE-2024-56335 was detected. This vulnerability allows attackers with specific conditions to update or delete groups from an organization, potentially causing denial of service or privilege escalation. No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-56335.

In MinIO versions from RELEASE.2022-06-25T15-50-16Z to RELEASE.2024-12-13T22-19-12Z a critical severity vulnerability CVE-2024-55949 was found. This vulnerability allows attackers to gain higher privileges. To address this issue, users are advised to upgrade to MinIO version RELEASE.2024-12-13T22-19-12Z or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-55949.

In the Keycloak versions before 25.0.0 and before 26.0.6 a medium severity vulnerability CVE-2024-10973 was detected. This vulnerability allows attackers on adjacent networks to access sensitive information due to unencrypted data transmission. To fix this issue, users should upgrade Keycloak to version 26.0.6 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-10973.

In Keycloak OIDC-Client versions 34.0.1 and prior a medium severity vulnerability CVE-2024-12369 was detected. This vulnerability allows attackers to inject a stolen authorization code into their own session, impersonating a victim with the victim’s identity. This attack can be executed via a Man-in-the-Middle (MitM) or phishing attack. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12369.