Our news and updates

In WordPress versions from 6.4.0 to 6.4.2 a medium severity vulnerability CVE-2024-31211 was detected. The product deserializes untrusted data without sufficient verification, compromising data integrity and exposing it to manipulation. Attackers can exploit “gadget chains” during deserialization to execute unauthorized actions, posing serious security risks. This issue is resolved in WordPress version 6.4.2. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-31211/.

In Vault and Vault Enterprise versions from 1.14.0 up to 1.15.6 and 1.14.10 a medium severity vulnerability CVE-2024-2660 was detected. The TLS certificate authentication method failed to verify Online Certificate Status Protocol (OCSP) responses from multiple sources, potentially allowing unauthorized access. This issue is resolved in Vault version 1.16.0 and Vault Enterprise versions 1.16.1, 1.15.7, and 1.14.11. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-2660/.

In Spring Framework versions 5.3.0, 5.3.33, 6.0.0, 6.0.18, 6.1.0, and 6.1.5 a high-severity vulnerability CVE-2024-22262 was detected. This vulnerability could allow a remote attacker to conduct phishing attacks due to an open redirect vulnerability in UriComponentsBuilder. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary websites. Upgrading to version 5.3.34, 6.0.19, or 6.1.6 fixes this vulnerability. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-22262/.

In pgAdmin versions before 8.4 a critical severity vulnerability CVE-2024-2044 was detected. Unauthenticated attackers can execute code by loading and deserializing remote pickle objects on Windows servers, while authenticated attackers on POSIX/Linux servers can upload and deserialize pickle objects to gain code execution. The issue is fixed in versions 8.4 or higher. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-2044/.

In Node.js version 18.20.1-r0 and earlier a high severity vulnerability CVE-2024-27983 was detected. An issue in Node.js HTTP/2 server allows attackers to disrupt its function by sending a small amount of specially crafted packets, potentially leading to server unavailability, so it’s important to stay attentive for any unusual server behavior. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-27983/.

In Moodle version 3.10.9 a medium severity vulnerability CVE-2024-29374 was detected. Due to this bug, certain website links could be used by attackers to run harmful scripts in your browser, potentially causing harm. Currently, there is no fix version for this issue. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-29374/.

In pgAdmin version 8.4 and earlier a high severity vulnerability CVE-2024-3116 was detected. It allows attackers to run harmful code on the server, endangering the integrity of the database system and the safety of your data. To address this issue, users are advised to update pgAdmin to version 8.5 or later. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-3116/.

In Openshift a medium severity vulnerability CVE-2024-0406 was detected. An issue has been identified where certain files, when unpacked from a tar file, could potentially grant unauthorized access or modify files with the user’s permission, so be cautious when extracting files from unknown sources. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-0406/.

In Moodle version 4.3.3 a medium severity vulnerability CVE-2024-28593 was detected. The Chat activity allows students to insert a potentially unwanted HTML A element, IMG element, or HTML content that leads to performance degradation. The vendor’s Using_Chat page says “If you know some HTML code, you can use it in your text to do things like insert images, play sounds, or create different colored and sized text.”  To fix this issue, users should upgrade Moodle to versions 4.3.4 or later. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-28593/.