Our news and updates

In Mautic versions up to 4.4.9 a medium severity vulnerability CVE-2024-2730 was detected. Unpublished landing pages can be accessed through public preview URLs, even by people who aren’t logged in. This could potentially leak sensitive information. There’s no fix available for this issue at the moment. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-2730/.

In Mautic a medium severity vulnerability CVE-2024-2731 was detected. Users with low privileges, having all permissions deselected, can access pages revealing sensitive data such as company names, users’ names and surnames, stage names, monitoring campaigns, and their descriptions. Additionally, unprivileged users can view and modify tag descriptions. At the time of publication of the CVE no patch is available. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-2731/.

In Mautic a medium severity vulnerability CVE-2024-3448 was detected. This vulnerability allows users with low privileges to improperly perform certain AJAX actions, resulting in a Server-Side Request Forgery. Attackers can exploit this vulnerability to analyze error messages and conduct a port scan in the back-end. At the time of publication of the CVE no patch is available. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-3448/.

In Apache HTTP Server versions through 2.4.58 a medium severity vulnerability CVE-2024-24795 was detected. This issue allows attackers to add bad response headers to backend apps, causing something called an HTTP desynchronization attack. This vulnerability is fixed in Apache HTTP Server 2.4.59. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-24795/.

In Apache HTTP Server versions apache2/2.4.56-1~deb11u2, apache2/2.4.58-1, apache2/2.4.57-2 a high severity vulnerability CVE-2024-27316 was detected. If someone sends too much information, nghttp2 tries to handle it temporarily to respond correctly. But if they keep sending too much, it can overload nghttp2’s memory and make things stop working. The issue is fixed in version 2.4.59. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-27316/.

In Kubernetes all versions before 1.20.5 and version 1.20.2-1 a low severity vulnerability CVE-2024-3177 was detected. When using Kubernetes, there is a security issue where users might bypass restrictions and access unauthorized secrets if containers, including init and ephemeral types, use the ‘envFrom’ field, despite policies meant to prevent this. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-3177/.

In Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, and 8.1.x before 8.1.11 a medium severity vulnerability CVE-2024-28949 was detected. Failure to limit user preferences allows attackers to send a large volume, potentially causing denial of service by controlling a limited resource and exhausting available resources. To fix this issue, users should upgrade Mattermost to versions 8.1.11, 9.3.3, 9.4.4, 9.5.2 or 9.6.0. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-28949/.

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, and 8.1.x before 8.1.11 a medium severity vulnerability CVE-2024-29221 was detected. The issue allows unauthorized users to access sensitive information and perform actions they shouldn’t be able to. This vulnerability is resolved in Mattermost Server versions 8.1.11, 9.3.3, 9.4.4, or 9.5.2 or later. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-29221/.

In Kimai all versions before 2.13.0 a medium severity vulnerability CVE-2024-29200 was detected. Setting the “view_other_timesheet” permission to true allows users to see only their team’s timesheet entries in the Kimai UI, but when using the API, it returns all timesheet entries, regardless of team memberships. This vulnerability is resolved in version 2.13.0. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-29200/.