Our news and updates

In Python versions before 3.12.0 and from 3.12.0a1 to 3.12.0b1 a medium severity vulnerability CVE-2024-11168 was detected. This vulnerability allows attackers to exploit improper validation of bracketed hosts in the urlsplit() and urlparse() functions, potentially leading to SSRF (Server-Side Request Forgery). To address this issue, upgrade to Python 3.12.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-11168.

In Kanboard version 1.2.40 a medium severity vulnerability CVE-2024-54001 was detected. This vulnerability allows attackers to inject malicious HTML or JavaScript into the application, potentially leading to unauthorized actions or data theft. To fix this issue, users should upgrade Kanboard to version 1.2.41. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-54001.

In WordPress Contact Forms by Cimatti versions up to 1.9.2 a medium severity vulnerability CVE-2024-10521 was detected. This vulnerability allows unauthenticated attackers to delete forms via a forged request by exploiting missing or incorrect nonce validation in the process_bulk_action function. To address this issue, users must upgrade to WordPress Contact Forms by Cimatti version 1.9.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10521.

In Wallet for WooCommerce plugin versions up to 1.5.6 a medium severity vulnerability CVE-2024-7747 was detected. This vulnerability allows attackers with Subscriber access or higher to generate fake funds and transfer them to users or themselves. They could also request withdrawals if approved by an admin. To address this issue, users must upgrade to Wallet for WooCommerce version 1.5.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7747.

In Browser WebDriver for Zabbix versions from 7.0.0 to 7.0.3 a medium severity vulnerability CVE-2024-42328 was detected. This vulnerability allows attackers to crash the application by exploiting a NULL pointer dereference when the server returns an empty response. To fix this issue, users should upgrade Zabbix to version 7.0.4rc1. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-42328.

In Zabbix versions from 6.0.0 to 6.0.33, from 6.4.0 to 6.4.18, from 7.0.0 to 7.0.3 a critical severity vulnerability CVE-2024-42330 was detected. This vulnerability allows attackers to manipulate HTTP headers to access hidden properties of objects by exploiting improper encoding of server data for JavaScript. To fix this issue, users should upgrade Zabbix to versions 6.0.34rc1, 6.4.19rc1, and 7.0.4rc1. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-42330.

In Zabbix versions from 6.0.0 to 6.0.31, from 6.4.0 to 6.4.16 and 7.0.0 a high severity vulnerability CVE-2024-36466 was detected. This vulnerability allows attackers to forge and sign a zbx_session cookie, granting them admin permissions. To fix this issue, users should upgrade Zabbix to versions 6.0.32rc1, 6.4.17rc1 and 7.0.1rc1. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-36466.

In Jenkins Simple Queue Plugin versions 1.4.4 and prior a high severity vulnerability CVE-2024-54003 was detected. This vulnerability allows attackers with View/Create permissions to exploit stored XSS due to improper handling of the view name. To address this issue, users must upgrade to version 1.4.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-54003.

In Backstage Scaffolder Plugin versions prior to 0.4.12, from 0.5.0 before 0.5.1 and from 0.6.0 before 0.6.1 a medium severity vulnerability CVE-2024-53983 was detected. This vulnerability allows attackers to exploit Server-Side Template Injection (SSTI) to perform Git config injection, enabling the capture of privileged Git tokens and unauthorized access to sensitive resources. To address this issue, users must upgrade to versions 0.4.12, 0.5.1 or 0.6.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53983.