In CPython a medium severity vulnerability CVE-2024-3219 was detected. The socket module provides a fallback for socket.socketpair() on Windows using AF_INET/AF_INET6, but this fallback is insecure against local attacks. Linux, macOS, and CPython versions before 3.5 are not affected. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-3219.
In all WooCommerce versions up to and including 3.5.1 a medium severity vulnerability CVE-2024-6458 was detected. Attackers with basic access can change post titles without permission. This can also lead to harmful scripts being saved, which can affect admins who view these posts. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6458.
In GitLab CE/EE all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 a high severity vulnerability CVE-2024-7047 was detected. A cross-site scripting (XSS) vulnerability allows an attacker to run arbitrary scripts as the logged-in user, potentially leading to unauthorized actions and access to sensitive information. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-7047.
In Magento versions prior to 20.10.1 a medium severity vulnerability CVE-2024-41676 was detected. Admins can unintentionally store harmful code in these settings: design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt. These settings accept text or image URLs but may unintentionally include dangerous code. This issue is fixed in version 20.10.1 and later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-41676.
In Python versions prior to 3.12.6-r0 a low severity vulnerability CVE-2024-4032 was detected. The ipaddress module incorrectly labels some IP addresses as “global” or “private”, which causes wrong results from the is_private and is_global properties. To fix this problem, users should upgrade to versions 3.12.4 and 3.13.0a6. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-4032.
In Elasticsearch versions 7.0.0 prior to 7.17.16 and 8.0.0 prior to 8.11.2 a medium severity vulnerability CVE-2023-49921 was detected. This allows attackers to access and view sensitive information stored in Elasticsearch through the detailed log files. To fix this problem, users should upgrade Elasticsearch to version 7.17.16 or 8.11.2. For more details, visit https://avd.aquasec.com/nvd/2023/cve-2023-49921.
In GitLab versions 6.7 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 a medium severity vulnerability CVE-2024-7057 was detected. This vulnerability allows attackers to view sensitive files in GitLab. To fix this problem, users should upgrade GitLab CE/EE to version 17.0.5, 17.1.3 or 17.2.1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-7057.
In GitLab EE versions starting from 16.11 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 a medium severity vulnerability CVE-2024-5067 was detected. Certain project-level analytics settings could be visible in the DOM to group members with Developer or higher roles. To address this issue, users should upgrade GitLab EE to version 17.2.1, 17.1.3 or 17.0.5. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5067.