CVE News Feed
Updates on the latest vulnerabilities detected.
-
CVE-2024-42207 - HCL iAutomate Session Fixation Vulnerability
CVE ID :CVE-2024-42207
Published : Feb. 5, 2025, 4:15 p.m. | 52 minutes ago
Description :HCL iAutomate is affected by a session fixation vulnerability. An attacker could hijack a victim's session ID from their authenticated session.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-39564 - Juniper Junos OS/ Junos OS Evolved Double-Free Vulnerability
CVE ID :CVE-2024-39564
Published : Feb. 5, 2025, 4:15 p.m. | 52 minutes ago
Description :This is a similar, but different vulnerability than the issue reported as CVE-2024-39549. A double-free vulnerability in the routing process daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an attacker to send a malformed BGP Path attribute update which allocates memory used to log the bad path attribute. This double free of memory is causing an rpd crash, leading to a Denial of Service (DoS). This issue affects: Junos OS: * from 22.4 before 22.4R3-S4. Junos OS Evolved: * from 22.4 before 22.4R3-S4-EVO.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-0858 - Poly Edge E Path Traversal Information Disclosure Vulnerability
CVE ID :CVE-2025-0858
Published : Feb. 5, 2025, 3:15 p.m. | 1 hour, 52 minutes ago
Description :A vulnerability was discovered in the firmware builds up to 8.2.1.0820 in Poly Edge E devices. The firmware flaw does not properly prevent path traversal and could lead to information disclosure.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-21117 - Dell Avamar Local Privilege Escalation Arbitrary Token Reuse
CVE ID :CVE-2025-21117
Published : Feb. 5, 2025, 2:15 p.m. | 2 hours, 52 minutes ago
Description :Dell Avamar, version 19.4 or later, contains an access token reuse vulnerability in the AUI. A low privileged local attacker could potentially exploit this vulnerability, leading to fully impersonating the user.
Severity: 6.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-9097 - ManageEngine Endpoint Central IDOR (Username Chaining)
CVE ID :CVE-2024-9097
Published : Feb. 5, 2025, 1:15 p.m. | 3 hours, 52 minutes ago
Description :ManageEngine Endpoint Central versions before 11.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat.
Severity: 3.5 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-2878 - GitLab Branch Name Search Denial of Service Vulnerability
CVE ID :CVE-2024-2878
Published : Feb. 5, 2025, 1:15 p.m. | 3 hours, 52 minutes ago
Description :An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible for an attacker to cause a denial of service by crafting unusual search terms for branch names.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-52365 - IBM Cloud Pak for Business Automation Stored Cross-Site Scripting Vulnerability
CVE ID :CVE-2024-52365
Published : Feb. 5, 2025, 12:15 p.m. | 4 hours, 52 minutes ago
Description :IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-52364 - IBM Cloud Pak for Business Automation Cross-Site Scripting
CVE ID :CVE-2024-52364
Published : Feb. 5, 2025, 12:15 p.m. | 4 hours, 52 minutes ago
Description :IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-49348 - IBM Cloud Pak for Business Automation Comment Reassignment Privilege Escalation Vulnerability
CVE ID :CVE-2024-49348
Published : Feb. 5, 2025, 12:15 p.m. | 4 hours, 52 minutes ago
Description :IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 allows restricting access to organizational data to valid contexts. The fact that tasks of type comment can be reassigned via API implicitly grants access to user queries in an unexpected context.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-3976 - GitLab Information Disclosure (Confidential Issue)
CVE ID :CVE-2024-3976
Published : Feb. 5, 2025, 12:15 p.m. | 4 hours, 52 minutes ago
Description :An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose via the UI the confidential issues title and description from a public project to unauthorised instance users.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-9631 - GitLab CE/EE Slow Diff View Vulnerability
CVE ID :CVE-2024-9631
Published : Feb. 5, 2025, 11:15 a.m. | 5 hours, 52 minutes ago
Description :An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, where viewing diffs of MR with conflicts can be slow.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-5528 - GitLab Pages Subdomain Takeover Remote Code Execution Vulnerability
CVE ID :CVE-2024-5528
Published : Feb. 5, 2025, 11:15 a.m. | 5 hours, 52 minutes ago
Description :An issue was discovered in GitLab CE/EE affecting all versions prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows a subdomain takeover in GitLab Pages.
Severity: 3.5 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-49352 - IBM Cognos Analytics XXE Injection Vulnerability
CVE ID :CVE-2024-49352
Published : Feb. 5, 2025, 11:15 a.m. | 5 hours, 52 minutes ago
Description :IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-0725 - Apache libcurl integer overflow vulnerability boils down to buffer overflow
CVE ID :CVE-2025-0725
Published : Feb. 5, 2025, 10:15 a.m. | 6 hours, 52 minutes ago
Description :When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-0665 - libcurl Eventfd File Descriptor Double Close
CVE ID :CVE-2025-0665
Published : Feb. 5, 2025, 10:15 a.m. | 6 hours, 52 minutes ago
Description :libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-0167 - Apache Curl HTTP Redirects Password Leak in Netrc File
CVE ID :CVE-2025-0167
Published : Feb. 5, 2025, 10:15 a.m. | 6 hours, 52 minutes ago
Description :When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-6356 - GitLab Security Policy Bot Cross-Project Access
CVE ID :CVE-2024-6356
Published : Feb. 5, 2025, 10:15 a.m. | 6 hours, 52 minutes ago
Description :An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot.
Severity: 4.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-1539 - GitLab EE Information Disclosure Vulnerability
CVE ID :CVE-2024-1539
Published : Feb. 5, 2025, 10:15 a.m. | 6 hours, 52 minutes ago
Description :An issue has been discovered in GitLab EE affecting all versions starting from 15.2 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose updates to issues to a banned group member using the API.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2023-6386 - GitLab Denial of Service
CVE ID :CVE-2023-6386
Published : Feb. 5, 2025, 10:15 a.m. | 6 hours, 52 minutes ago
Description :A denial of service vulnerability was identified in GitLab CE/EE, affecting all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5 and 16.8 prior to 16.8.2 which allows an attacker to spike the GitLab instance resource usage resulting in service degradation.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2023-52925 - Apache Linux Kernel Nf_tables Expired Entry Vulnerability
CVE ID :CVE-2023-52925
Published : Feb. 5, 2025, 10:15 a.m. | 6 hours, 52 minutes ago
Description :In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't fail inserts if duplicate has expired nftables selftests fail: run-tests.sh testcases/sets/0044interval_overlap_0 Expected: 0-2 . 0-3, got: W: [FAILED] ./testcases/sets/0044interval_overlap_0: got 1 Insertion must ignore duplicate but expired entries. Moreover, there is a strange asymmetry in nft_pipapo_activate: It refetches the current element, whereas the other ->activate callbacks (bitmap, hash, rhash, rbtree) use elem->priv. Same for .remove: other set implementations take elem->priv, nft_pipapo_remove fetches elem->priv, then does a relookup, remove this. I suspect this was the reason for the change that prompted the removal of the expired check in pipapo_get() in the first place, but skipping exired elements there makes no sense to me, this helper is used for normal get requests, insertions (duplicate check) and deactivate callback. In first two cases expired elements must be skipped. For ->deactivate(), this gets called for DELSETELEM, so it seems to me that expired elements should be skipped as well, i.e. delete request should fail with -ENOENT error.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...