IT Business Management

In Ansible version 2 a medium severity vulnerability CVE-2024-10033 was detected. This vulnerability allows attackers to inject malicious scripts, redirect users, or steal sessions and data by exploiting the “?next=” parameter in a URL. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-10033.

In Foreman versions 6.13, 6.14 and 6.15 a critical severity vulnerability CVE-2024-7012 was detected. This vulnerability allows unauthorized users to gain admin access due to improper header handling by Apache’s mod_proxy. To fix this problem, users should upgrade to versions 6.13.7.2, 6.14.4.2, or 6.15.3.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7012.

In Foreman versions before 3.11.1 a medium severity vulnerability CVE-2024-7700 was detected. This vulnerability allows attackers to exploit user actions to execute malicious code. To fix this issue, users should upgrade Foreman to version 3.11.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7700.

In version ansible-core 2.14.13-1 a medium severity vulnerability CVE-2024-0690 was detected.
Sometimes ANSIBLE_NO_LOG isn’t followed properly, so tasks like looping through items can still expose sensitive data in the output, like decrypted secret values. The issue is fixed in version 2.16.5-1. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-0690/.

In iTop a high severity vulnerability CVE-2023-47622 was detected. Refreshing dashlets could allow attackers to inject harmful code into the webpage if the system doesn’t properly clean up user-entered data. The issue is resolved in versions 3.0.4 and 3.1.1. For more information, visit https://avd.aquasec.com/nvd/2023/cve-2023-47622/.

In iTop a high severity vulnerability CVE-2023-48709 was detected. Users need to be careful when opening CSV or Excel files from the back office or portal as they may contain dangerous formulas that can lead to malicious code being executed on your computer, especially in Excel 2016. The issue is resolved in iTop 2.7.9, 3.0.4, 3.1.1, and 3.2.0 versions. For more information, visit https://avd.aquasec.com/nvd/2023/cve-2023-48709/.

In iTop a critical severity vulnerability CVE-2023-48710 was detected. Due to this vulnerability files from the env-production folder, which should be restricted, were accessible, potentially exposing sensitive data from third-party modules. To address this, updates have been made to the Pages/exec.php script to allow only PHP files to be executed, preventing access and disclosure of other file types. This fix is available in versions 2.7.10, 3.0.4, 3.1.1 and 3.2.0. For more information, visit https://avd.aquasec.com/nvd/2023/cve-2023-48710/.

In Ansible versions v3.0.0-v3.10.6 a critical security vulnerability, CVE-2024-29202 was detected. This vulnerability allows attackers to steal sensitive data. To address this issue, users are advised to upgrade to v3.10.7. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-29202.