In Gogs versions 0.12.7 and prior, a critical-severity vulnerability, CVE-2022-1884, was found. This vulnerability allows attackers to execute arbitrary commands on the server by uploading a malicious config file. It affects all Windows installations with repository uploads enabled, risking unauthorized access and system compromise. To fix this issue, users are advised to upgrade to version 0.12.8 or the latest 0.13.0+dev. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2022-1884.
In Harbor versions before 2.5.2, a high-severity vulnerability, CVE-2022-31669, was detected. This vulnerability allows attackers to modify tag immutability policies in other projects by sending requests with an ID that belongs to a project the currently authenticated user doesn’t have access to. To fix this issue, users must upgrade to Harbor version 2.5.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-31669.
In Harbor versions prior to 2.7.0, a high-severity vulnerability, CVE-2022-31668, was detected. This vulnerability allows attackers to modify P2P preheat policies in projects they don’t have permission to access. To fix this issue, users should upgrade Harbor to version 2.7.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2022-31668.
In Moodle versions before 4.1.0, from 4.1.0 before 4.1.14, from 4.2.0 before 4.2.11, from 4.3.0 before 4.3.8, and from 4.4.0 before 4.4.4, a medium-severity vulnerability, CVE-2024-48901, was detected. This vulnerability allows attackers to access and view the schedule of a report in Moodle without having the necessary permissions to edit it. To fix this issue, users should upgrade Moodle to versions 4.5.0-rc2 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-48901.
In Graylog versions 6.1.0 and 6.1.1, a medium-severity vulnerability, CVE-2024-52506, was detected. This vulnerability allows attackers to potentially access and view reports containing log messages or aggregated data belonging to other users. To fix this issue, users should upgrade Graylog to version 6.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-52506.
In Mastodon versions 4.1.x prior to 4.1.17 and 4.2.x prior to 4.2.9, a high-severity vulnerability, CVE-2023-49952, was detected. This vulnerability allows attackers to bypass limits on how many requests they can make by sending a special request to the server. To fix this issue, users need to update to versions 4.2.9 or above. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-49952.
In Moodle versions prior to 4.1.14, from 4.2.0 before 4.2.11, from 4.3.0 before 4.3.8, and from 4.4.0 before 4.4.4, a medium-severity vulnerability, CVE-2024-48896, was detected. This vulnerability allows users with “send message” rights to see names of other users through an error message, even if they shouldn’t have access. The displayed name follows the site’s configured full-name format. To fix this issue, users need to update to versions 4.1.14, 4.2.11, 4.3.8, or 4.4.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-48896.
In Apache Airflow versions prior to 2.10.3, a medium-severity vulnerability, CVE-2024-50378, was detected. This vulnerability allows authenticated users with audit log access to view sensitive variable values, potentially leading to unauthorized access. To fix this problem, users should upgrade to version 2.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-50378.
In LibreNMS versions before 24.10.0, a medium-severity vulnerability, CVE-2024-52526, was detected. This vulnerability allows authenticated users to inject arbitrary JavaScript through the “descr” parameter in the “Services” tab of the Device page. This could result in the execution of malicious code within the context of other users’ sessions, potentially compromising their accounts and enabling unauthorized actions. To address this issue, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52526.