A high severity vulnerability, CVE-2024-1249, was detected in the “checkLoginIframe” of Keycloak’s OpenID Connect component. The iframe accepts cross-origin messages without validating their origin, so any page that can obtain a reference to the frame can drive it. With simple code, attackers can coordinate and send millions of such requests in seconds, significantly degrading the application’s availability. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-1249/.
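The missing check in the item above is origin validation on a `window.postMessage` listener. The block below is an added example, not Keycloak’s code: it shows a handler that acts on every message, the substring-style origin check that is often written as a “fix” and still lets lookalike hosts through, and a handler that compares the full serialized origin against an allow-list. The allow-list, the event objects and the handler names are constructed for the example.

```javascript
// Added example (not Keycloak's code): a postMessage listener that accepts any
// origin, beside one that validates event.origin against an allow-list.
// The allow-list, event shape and handler names are assumptions.

// Vulnerable pattern: the handler never looks at event.origin, so any window
// holding a reference to this frame can trigger the work it does.
function vulnerableHandler(event, onMessage) {
  onMessage(event.data);
  return true; // accepted
}

// A common mistake when "fixing" this: substring matching on the origin.
// 'https://app.example.com.evil.net'.includes('app.example.com') is true.
function weakOriginCheck(origin, trustedHost) {
  return origin.includes(trustedHost);
}

// Correct check: parse the origin and compare its full serialization
// (scheme + host + port) exactly against the registered origins.
function isTrustedOrigin(origin, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // 'null' (opaque origins) and garbage are rejected
  }
  return allowedOrigins.includes(parsed.origin);
}

// Hardened handler: drop untrusted messages before doing any work and do not
// reply to them, so foreign pages cannot use the frame as a request amplifier.
function hardenedHandler(event, allowedOrigins, onMessage) {
  if (!isTrustedOrigin(event.origin, allowedOrigins)) {
    return false; // rejected
  }
  onMessage(event.data);
  return true;
}

// Constructed sample events standing in for MessageEvent objects.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com:8443'];
const SAMPLE_EVENTS = [
  { origin: 'https://app.example.com', data: 'session-check' },          // legitimate
  { origin: 'https://admin.example.com:8443', data: 'session-check' },   // legitimate
  { origin: 'https://app.example.com.evil.net', data: 'session-check' }, // lookalike host
  { origin: 'http://app.example.com', data: 'session-check' },           // wrong scheme
  { origin: 'null', data: 'session-check' },                             // opaque origin
];

// Count how many of the sample events a handler acts on.
function countAccepted(handler) {
  let accepted = 0;
  for (const ev of SAMPLE_EVENTS) {
    if (handler(ev)) accepted += 1;
  }
  return accepted;
}

const noop = () => {};
console.log('vulnerable handler accepted:', countAccepted((ev) => vulnerableHandler(ev, noop)));               // 5
console.log('hardened handler accepted:', countAccepted((ev) => hardenedHandler(ev, ALLOWED_ORIGINS, noop))); // 2

// In a browser the hardened handler is wired up as:
// window.addEventListener('message', (ev) => hardenedHandler(ev, ALLOWED_ORIGINS, checkSession));
```

Two points worth noting: the comparison is against `new URL(origin).origin`, so scheme and port are part of the match and a lookalike host fails; and the hardened handler does not answer rejected messages at all, which removes the amplification path the advisory describes.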
A low severity vulnerability, CVE-2024-34051, was detected in Dolibarr versions before 19.0.2. The flaw is a cross-site scripting (XSS) issue: attackers can inject and execute scripts through the “facid” parameter on the payment card page. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-34051/.
A critical severity vulnerability, CVE-2024-5315, was detected in Dolibarr version 9.0.1. This issue in the ERP-CRM application could let attackers read database information by manipulating a vulnerable request parameter. At the time of writing, no fixed version was listed. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5315/.
A medium severity vulnerability, CVE-2024-34008, was detected in Moodle versions from 4.0 through 4.3.3, from 4.2 through 4.2.6, and from 4.1 through 4.1.9. The admin actions for managing analytics models lacked the token needed to protect against cross-site request forgery (CSRF). In a CSRF attack, an attacker’s page causes a logged-in user’s browser to submit requests the user never intended, and the server accepts them because the session cookie is attached automatically. At the time of writing, no fixed version was listed. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-34008.
A low severity vulnerability, CVE-2024-21101, was detected in MySQL Cluster versions 7.5.33 and prior, 7.6.29 and prior, 8.0.36 and prior, and 8.3.0 and prior. A high-privileged attacker with network access can exploit it to read a subset of MySQL Cluster data without authorization. At the time of writing, no fixed version was listed. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-21101/.
A medium severity vulnerability, CVE-2024-31079, was detected in Nginx when the HTTP/3 module (ngx_http_v3_module) is enabled. Specific, well-timed requests can make a worker process crash, although the attacker has no visibility of, and only limited influence over, the required timing. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-31079/.
A high severity vulnerability, CVE-2024-35224, was detected in OpenProject. A project admin could exploit a bug in the Cost Report feature to inject malicious script (cross-site scripting). Updating to version 13.4.2, 14.0.2, or 14.1.0 resolves this vulnerability. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-35224/.
A medium severity vulnerability, CVE-2024-35748, was detected in WooCommerce version 5.0.4. A missing authorization check lets attackers perform actions they should not be permitted to. At the time of writing, no fix was available. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-35748/.
A medium severity vulnerability, CVE-2024-31859, was detected in Mattermost versions 9.6.0 and 8.1.11. It allows an attacker to obtain an admin role. At the time of writing, no fixed version was listed. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-31859/.