Title: jj vulnerable to path traversal via crafted Git repositories
Published Date: Nov 07, 2024
Risk Index: 4.34 of 10 (Medium)
Summary: A critical vulnerability has been identified in the Git-compatible VCS component of Jujutsu (jj), which is written in Rust. This vulnerability involves a path traversal issue where specially crafted Git repositories are able to cause `jj` to write files outside the intended directory. This critical flaw has been addressed in version 0.23.0 of jj, and users are strongly advised to upgrade to this version. Those who cannot upgrade at the moment should exercise caution and avoid cloning repositories from unknown or untrusted sources.
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive files or directories on the affected system. An attacker could potentially modify existing files, add malicious scripts, or delete essential system files, leading to disruption of service, loss of data integrity, or further compromise of system security. The risk index severity of this vulnerability, classified as Medium, implies considerable implications for affected systems, mainly if preventive actions are not employed promptly.
Title: D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection
Published Date: Nov 06, 2024
Risk Index: 4.96 of 10 (Medium)
Summary: A critical vulnerability has been identified in the D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L network-attached storage devices. This vulnerability, tracked as CVE-2024-10915, impacts the XML parser component within these products and has been rated with high severity due to its significant potential to be exploited.
If this vulnerability is successfully exploited, it could allow an attacker the opportunity to gain unauthorized access to the system, significantly impacting the confidentiality, integrity, and availability of data stored on the affected NAS devices. The attacker potentially could exploit this flaw to execute arbitrary code, manipulate stored files, or create new user accounts with administrator privileges, leading to full system compromise.
Title: Comments โ wpDiscuz <= 7.6.24 – Authentication Bypass
Published Date: Oct 25, 2024
Risk Index: 8.19 of 10 (High)
Summary: A critical vulnerability has been identified in the Social Login feature of the Comments โ wpDiscuz plugin for WordPress. This vulnerability, affecting versions up to and including 7.6.24, results from inadequate user verification during the social login process. This flaw permits potential attackers to bypass authentication and log in as any user, including administrators, under certain conditions.
If exploited, this vulnerability could allow an attacker to gain unauthorized access to any user account, including those with administrative privilege, on affected WordPress sites. This access could lead to the alteration of website content, installation of malicious plugins, or compromise of sensitive user data, ultimately undermining the site’s integrity and posing substantial security risks to site owners and visitors.
Title: Unauthenticated Command Injection Vulnerability in the CLI Service Accessed by the PAPI Protocol
Published Date: Nov 05, 2024
Risk Index: 8.24 of 10 (High)
Summary: A critical vulnerability has been identified in the underlying Command Line Interface (CLI) service of Aruba Networks products. This vulnerability, tracked as CVE-2024-42509, enables unauthenticated remote code execution through command injection by sending specially crafted packets to the PAPI (Aruba’s Access Point management protocol) UDP port 8211. Successful exploitation allows an attacker to execute arbitrary code with high privileges on the compromised system.
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or even execute arbitrary code as a privileged user on the affected system. It could lead to complete system compromise, unauthorized data manipulation, or denial of service across the network infrastructure employing vulnerable versions of Aruba products.
Title: PTZOptics NDI and SDI Cameras Command Injection via NTP Address Configuration
Published Date: Sep 17, 2024
Risk Index: 9.15 of 10 (Critical)
Summary: A critical vulnerability has been identified in the NTP address configuration mechanism of PTZOptics PT30X-SDI/NDI cameras, specifically in firmware versions prior to 6.3.40. This vulnerability allows for OS command injections, posing serious security risks if exploited in conjunction with other vulnerabilities such as CVE-2024-8956.
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data, execute arbitrary commands, and potentially cause service disruption. Attackers could alter or tamper with device configurations, leading to information leakage or temporal financial loss for business entities relying on these cameras for essential operations.