In Kanboard versions prior to 1.2.42, a critical-severity vulnerability, CVE-2024-51747, was detected. This vulnerability allows attackers to exploit misconfigured file paths in the database, enabling them to read or delete arbitrary files on the server. To fix this issue, users should upgrade Kanboard to version 1.2.42. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-51747.
In Moodle versions 4.1.0 and above prior to 4.1.12, 4.2.0 and above prior to 4.2.9, 4.3.0 and above prior to 4.3.6, and 4.4.0 and above prior to 4.4.2, a medium-severity vulnerability, CVE-2024-43439, was detected. This vulnerability allows H5P error messages to be exploited for cross-site scripting attacks and requires improved sanitization. To fix this issue, users need to update to versions 4.1.12, 4.2.9, 4.3.6, 4.4.2, or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43439.
In Moodle versions 4.4.0 and above prior to 4.4.2, 4.3.0 and above prior to 4.3.6, 4.2.0 and above prior to 4.2.9, and 4.1.0 and above prior to 4.1.12, a medium-severity vulnerability, CVE-2024-43429, was detected. This vulnerability makes some hidden profile fields visible in gradebook reports, allowing users who should not see hidden fields to access them. To fix this issue, users need to update to versions 4.4.2, 4.3.6, 4.2.9, 4.1.12, or higher. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-43429.
In Moodle versions 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, and 4.1 to 4.1.11, a medium-severity vulnerability, CVE-2024-43437, was detected. This vulnerability allows attackers to inject malicious scripts into Moodle's backup restore process, potentially leading to cross-site scripting attacks when users restore maliciously crafted backup files. To fix this issue, users should upgrade Moodle to version 4.4.2, 4.3.6, 4.2.9, or 4.1.12. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-43437.
In Kanboard versions before 1.2.41, a high-severity vulnerability, CVE-2024-51748, was detected. This vulnerability allows attackers to execute arbitrary PHP code on the server by exploiting a misconfigured file path in the sqlite.db settings. To fix this issue, users should upgrade Kanboard to version 1.2.42. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-51748.
In WordPress, in all versions up to and including 1.9.244, a medium-severity vulnerability, CVE-2024-10647, was detected. This vulnerability allows attackers to inject malicious scripts into pages, which execute if a user clicks a specially crafted link. To fix this problem, users should upgrade to version 1.9.245. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10647.
In Mattermost versions 10.0.x ≤ 10.0.0 and 9.11.x ≤ 9.11.2, a medium-severity vulnerability, CVE-2024-52032, was detected. This vulnerability allows attackers to retrieve the names of private channels they are not a member of when using the channel switcher feature, provided Elasticsearch v8 is enabled. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52032.
In Mattermost versions 9.10.x up to 9.10.2, 9.11.x up to 9.11.1, 9.5.x up to 9.5.9, and 10.0.x up to 10.0.0, a low-severity vulnerability, CVE-2024-42000, was detected. This vulnerability allows attackers with the "Read Groups" permission, but without access to specific channels, to retrieve details about private channels they are not members of by sending a request to /api/v4/channels. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-42000.
In Mattermost versions 9.11.x up to 9.11.2 and 9.5.x up to 9.5.10, a low-severity vulnerability, CVE-2024-36250, was detected. This vulnerability allows attackers to reuse an MFA code within approximately 30 seconds, exploiting inadequate replay protection. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-36250.