Title: HarfBuzz heap-buffer-overflow on hb_cairo_glyphs_from_buffer
Published Date: Dec 27, 2024
Risk Index: 3.49 of 10 (Low)
Summary: A critical vulnerability has been identified in the text shaping engine HarfBuzz. This vulnerability, designated as CVE-2024-56732, is a heap-based buffer overflow located in the hb_cairo_glyphs_from_buffer function. Affected versions range from 8.5.0 to 10.0.1.
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system, potentially leading to a full system compromise, data leakage, and disruption of services.
Title: Incorrect handling of SameSite cookies
Published Date: Jul 09, 2024
Risk Index: 8.48 of 10 (High)
Summary: A critical vulnerability has been identified in the SameSite cookie handling within the nested iframe component of Firefox and Thunderbird. This flaw, if exploited, could compromise the cookie policy meant to secure cross-site requests by improperly handling SameSite=Strict or Lax cookies during cross-site navigation.
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or interact with a user’s session inappropriately. Potential consequences include user impersonation, unauthorized operations performed on behalf of the user, and exposure of user data meant to be protected by SameSite cookie policies.
Title: Apache HTTP Server weakness with encoded question marks in backreferences
Published Date: Apr 01, 2024
Risk Index: 8.48 of 10 (High)
Summary: A critical vulnerability has been identified in the mod_rewrite module of the Apache HTTP Server. This vulnerability, tracked as CVE-2024-38474, could allow an attacker to execute unauthorized scripts in directories permitted by the server’s configuration that are not directly reachable by any URL or could lead to the exposure of source code meant only to be executed as CGI scripts.
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system.ย
Specifically, attackers might execute scripts in directories that are permitted by the configuration but not directly accessible via any URL, or they could expose the source code of scripts meant to be executed exclusively as CGI, risking the theft of intellectual property or confidential information.
Title: ASUS Router – Improper Authentication
Published Date: Jun 14, 2024
Risk Index: 9.43 of 10 (Critical)
Summary: A critical vulnerability has been identified in certain ASUS router models, which involves an authentication bypass issue. This vulnerability allows unauthenticated remote attackers to log into the device.
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system, leading to potential data breaches, network disruptions, and further exploitation of connected devices.
Title:ย PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface
Published Date:ย Nov 08, 2024
Risk Index:ย 9.28 of 10 (Critical)
Summary:ย A critical privilege escalation vulnerability has been identified in the web management interface of Palo Alto Networks PAN-OS software. This vulnerability allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Notably, the Cloud NGFW and Prisma Access products are not impacted by this vulnerability.
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system. An attacker could execute commands with root privileges, compromising the integrity and security of the network infrastructure.