In OpenSSH’s server (sshd) versions 4.13, 4.14, 4.15, and 4.16 a high severity vulnerability CVE-2024-6409 was detected. If a remote attacker doesn’t authenticate within a specific time frame, sshd’s signal handler can be triggered asynchronously. This handler calls non-async-signal-safe functions like syslog(), potentially allowing a successful attacker to execute remote code on the sshd server with unprivileged user privileges. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6409.
In Rocket.Chat a medium severity vulnerability CVE-2024-37405 was detected. This vulnerability allows attackers to access sensitive data. There is no fix to this yet. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37405/.
Read more Communication
In Discourse versions before 3.2.3 a medium severity vulnerability CVE-2024-38360 was detected. This vulnerability allows attackers to reduce the availability of a Discourse instance. To address this issue, users should update to version 3.2.3. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-38360/.
Read more Communication
In Bootstrap versions from 2.0.0 up to 3.4.1 a medium severity vulnerability CVE-2024-6485 was detected. This vulnerability is related to the button plugin’s data-loading-text attribute. Attackers can exploit this vulnerability by injecting harmful JavaScript code into the attribute. This code executes when the button enters its loading state, potentially enabling Cross-Site Scripting (XSS) attacks. To address this issue, users should upgrade to versions 4.0.0 or higher. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6485.
Read more Application Development
In Bootstrap carousel component versions from 2.0.0 up to 3.4.1 a medium severity vulnerability CVE-2024-6484 was detected. This vulnerability can expose users to Cross-Site Scripting (XSS) attacks. The problem occurs because the data-slide and data-slide-to attributes are not properly sanitized, allowing attackers to insert malicious code through the href attribute of an tag. To address this issue users should upgrade to version 5.0.0-beta1 or higher. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6484.
Read more Application Development
In Node.js versions 20 and 21, with the experimental permission model a low severity vulnerability CVE-2024-22018 was detected. This vulnerability allows unauthorized access to file information using the fs.lstat API, even without proper permissions. At the time this CVE was issued, the permission model is an experimental feature of Node.js. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-22018.
Read more Application Development
In Django versions 5.0 till 5.0.7 and 4.2 till 4.2.14 a medium severity vulnerability CVE-2024-39329 was detected. This vulnerability allows attackers to enumerate users via a timing attack involving login requests. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-39329/.
Read more Application Development
In Django versions 5.0 to 5.0.7 and 4.2 to 4.2.14 a low severity vulnerability CVE-2024-38875 was detected. This vulnerability allows attackers to cause a denial of service attack via certain inputs with a very large number of brackets. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-38875/.
Read more Application Development
In GitLab versions from 15.8 through 16.11.6, from 17.0 through 17.0.4 and from 17.1 through 17.1.2 a high severity vulnerability CVE-2024-6385 was detected. This vulnerability allows attackers to trigger a pipeline as another user under certain circumstances. To fix this problem, users should upgrade GitLab to one of the following versions 16.11.6, 17.0.4, or 17.1.2. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6385.
Read more Developer Tools