In LibreNMS versions before 24.10.0, a medium-severity vulnerability, CVE-2024-51497, was found. It allows logged-in users to add harmful code through the “Custom OID” tab. An OID (Object Identifier) is a unique number used to identify specific items or settings in network devices. When a new OID is created, this issue could let attackers run malicious actions on other users’ accounts. To fix this, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-51497.
In LibreNMS versions before 24.10.0, a medium-severity vulnerability, CVE-2024-51496, was found in the “metric” parameter of the “/wireless” and “/health” pages. This issue allows attackers to inject harmful code that runs when a user visits these pages. This could compromise the user’s session and allow unauthorized actions. To fix this, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-51496.
In LibreNMS versions before 24.10.0, a medium-severity vulnerability, CVE-2024-51495, was found in the Device Overview page. This issue allows authenticated users to inject harmful code through the “overwrite_ip” parameter when editing a device. When the page is visited, the malicious code is executed, potentially compromising the accounts of other users. To fix this, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-51495.
In Apache Airflow versions prior to 2.10.3, a high-severity vulnerability, CVE-2024-45784, was detected. This vulnerability could expose sensitive configuration variables in task logs, potentially allowing unauthorized access and exploitation. Masking secrets in logs is recommended to prevent exposure. To fix this problem, users should upgrade to version 2.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-45784.
In Harbor versions prior to 2.5.2, a high-severity vulnerability, CVE-2022-31670, was detected. Because Harbor fails to validate user permissions, an attacker can modify tag retention policies in projects they don’t have access to by sending a request with a policy ID from another project. To fix this issue, users need to update to version 2.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-31670.
In WooCommerce, in all versions up to and including 2.2.9, a medium-severity vulnerability, CVE-2024-10852, was detected. This vulnerability allows attackers with low-level access to export plugin settings, potentially exposing sensitive data. To fix this problem, users should upgrade to the latest version. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10852.
In WordPress, in all versions up to and including 16.6, a high-severity vulnerability, CVE-2024-10800, was detected. This vulnerability allows attackers with low-level access to escalate their privileges to administrator, potentially compromising the site. To fix this problem, users should upgrade to version 16.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10800.
In WordPress, in all versions up to and including 16.6, a critical-severity vulnerability, CVE-2024-11150, was detected. This vulnerability allows attackers to delete arbitrary files on the server, potentially enabling remote code execution. To fix this problem, users should upgrade to version 16.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11150.
In WooCommerce, in all versions up to and including 2.2.9, a medium-severity vulnerability, CVE-2024-10854, was detected. This vulnerability allows attackers with low-level access to import and modify plugin settings, potentially compromising data. To fix this problem, users should upgrade to the latest version. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10854.