5.9

CVSS3.1

CVE-2024-47885 - astro's client-side router has DOM Clobbering Gadget that leads to XSS

The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can lead to cross-site scripting (XSS) in websites that enable Astro's client-side routing and have *stored* attacker-controlled scriptless HTML elements (i.e., `iframe…

📅 Published: Oct. 14, 2024, 7:06 p.m. 🔄 Last Modified: Nov. 25, 2025, 1:51 p.m.
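The precondition for the gadget above is stored, script-free HTML whose `id`/`name` attributes become named properties of `window` or `document`, so that a global the router reads but never defines resolves to the attacker's element. The scanner below is an added example, not Astro's code and not the actual gadget: it flags such attributes in stored HTML and gates on the globals a site's client code resolves. The global name `appConfig`, the sample HTML and the regex-based tag parsing are assumptions made for the example.

```javascript
// Added example, not Astro's code: scan stored HTML for scriptless elements
// whose id/name attributes become named properties of window/document
// (DOM clobbering), the precondition for the gadget described above.
//
// Rules modelled, simplified from the HTML spec's named property access:
//  - any element's `id` is exposed as a property of `window`;
//  - `name` on embed/form/iframe/img/object is exposed on `window` and `document`.
// A global that client code reads but never defines (e.g. `window.appConfig`)
// therefore resolves to the attacker's element instead of `undefined`.

const NAME_CLOBBER_TAGS = new Set(['embed', 'form', 'iframe', 'img', 'object']);

// Small start-tag/attribute regexes: adequate for scanning sanitizer output,
// not a replacement for a real HTML parser.
const START_TAG_RE = /<([a-z][a-z0-9-]*)\b([^<>]*)>/gi;
const ATTR_RE = /([^\s=/"'<>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttrs(rawAttrs) {
  const attrs = {};
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns one finding per clobbering attribute; `hitsProtected` marks values
// that collide with names the application's client-side code resolves globally.
function findClobberingCandidates(html, protectedNames = []) {
  const protectedSet = new Set(protectedNames);
  const findings = [];
  for (const m of html.matchAll(START_TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    if (attrs.id) {
      findings.push({ tag, attr: 'id', value: attrs.id, exposedOn: ['window'],
                      hitsProtected: protectedSet.has(attrs.id) });
    }
    if (attrs.name && NAME_CLOBBER_TAGS.has(tag)) {
      findings.push({ tag, attr: 'name', value: attrs.name, exposedOn: ['window', 'document'],
                      hitsProtected: protectedSet.has(attrs.name) });
    }
  }
  return findings;
}

// Gate for a publish/sanitize pipeline: which stored elements collide with
// the globals the client-side code reads.
function collidesWithGlobals(html, protectedNames) {
  return findClobberingCandidates(html, protectedNames)
    .filter(f => f.hitsProtected)
    .map(f => `${f.tag}[${f.attr}="${f.value}"]`);
}

// Constructed sample of stored, script-free user HTML. `appConfig` is a
// hypothetical global name a client-side router might read; it is not Astro's.
const CONSTRUCTED_HTML = `
<p class="note">harmless paragraph</p>
<img id="avatar" src="/a.png">
<iframe name="appConfig" src="https://attacker.example/payload"></iframe>
<form name="lookup"><input name="q"></form>
<div id='assetBase'></div>
`;

console.log(collidesWithGlobals(CONSTRUCTED_HTML, ['appConfig']));
```

The real fix for the entry above is upgrading to Astro 4.16.1; a scan like this is defence in depth for sites that must keep user-supplied HTML. Two caveats: named access on `window` is shadowed by properties the page's own scripts define first, so client code that sets its globals before reading them is not clobberable through this route, and `id` on any element counts, not only on the five tags that also expose `name`.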

5.9

CVSS3.1

CVE-2024-47831 - Next.js image optimization has Denial of Service condition

Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Neither t…

📅 Published: Oct. 14, 2024, 6:04 p.m. 🔄 Last Modified: Nov. 8, 2024, 3:39 p.m.

3.5

CVSS3.1

CVE-2024-47826 - eLabFTW vulnerable to HTML Injection in extended search error message

eLabFTW is an open source electronic lab notebook for research labs. A vulnerability in versions prior to 5.1.5 allows an attacker to inject arbitrary HTML tags in the pages: "experiments.php" (show mode), "database.php" (show mode) or "search.php". It works by providing HTML code in the extended s…

📅 Published: Oct. 14, 2024, 5:59 p.m. 🔄 Last Modified: Nov. 8, 2024, 3:41 p.m.

4.3

CVSS3.1

CVE-2024-47767 - Tuleap lists trackers in the quick add actions of the backlog without any permissions check

Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.113, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-5, users might see tracker names they should not have access to. Tuleap Community Edition 15.13…

📅 Published: Oct. 14, 2024, 5:57 p.m. 🔄 Last Modified: Oct. 17, 2024, 1:50 p.m.

4.9

CVSS3.1

CVE-2024-47766 - Permissions are incorrectly verified for project administrators in the cross tracker search widget

Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.110, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-5, administrators of a project can access the content of trackers with permissions restrictions…

📅 Published: Oct. 14, 2024, 5:53 p.m. 🔄 Last Modified: Oct. 17, 2024, 1:48 p.m.

4.8

CVSS3.1

CVE-2024-46988 - Tuleap does not properly check permissions for email notifications in trackers

Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.40, Tuleap Enterprise Edition 15.13-3, and Tuleap Enterprise Edition 15.12-6, users might receive email notification with information they should not have access to. Tulea…

📅 Published: Oct. 14, 2024, 5:44 p.m. 🔄 Last Modified: Oct. 16, 2024, 2:07 p.m.

4.8

CVSS3.1

CVE-2024-46980 - Tuleap vulnerable to XSS in the HTML mail content of the cross reference field

Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.37, Tuleap Enterprise Edition 15.13-3, and Tuleap Enterprise Edition 15.12-6, a site administrator could create an artifact link type with a forward label allowing them to…

📅 Published: Oct. 14, 2024, 5:41 p.m. 🔄 Last Modified: Oct. 16, 2024, 2:05 p.m.

4.9

CVSS3.1

CVE-2024-45739 - Sensitive information disclosure in AdminManager logging channel

In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6, the software potentially exposes plaintext passwords for local native authentication Splunk users. This exposure could happen when you configure the Splunk Enterprise AdminManager log channel at the DEBUG logging level.

📅 Published: Oct. 14, 2024, 5:03 p.m. 🔄 Last Modified: Feb. 28, 2025, 11:03 a.m.

4.9

CVSS3.1

CVE-2024-45738 - Sensitive information disclosure in REST_Calls logging channel

In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6, the software potentially exposes sensitive HTTP parameters to the `_internal` index. This exposure could happen if you configure the Splunk Enterprise `REST_Calls` log channel at the DEBUG logging level.

📅 Published: Oct. 14, 2024, 5:03 p.m. 🔄 Last Modified: Feb. 28, 2025, 11:03 a.m.
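Both Splunk entries above (CVE-2024-45739 and CVE-2024-45738) share a precondition: a log channel raised to `DEBUG`. The audit below is an added example, not Splunk's code, for checking that precondition on an unpatched instance. It assumes the `category.<Channel>=<LEVEL>` line format used in Splunk's `log.cfg` / `log-local.cfg`, a `[splunkd]` stanza, and a constructed sample file; the version upgrade named in the entries remains the actual remediation.

```javascript
// Added example, not Splunk's code: audit a log.cfg / log-local.cfg style file
// for channels at DEBUG that the two advisories above say leak secrets.
// Assumption: lines of the form `category.<Channel>=<LEVEL>` inside a stanza
// such as [splunkd], with '#' comments, as in Splunk's log.cfg.

const SENSITIVE_CHANNELS = {
  AdminManager: 'CVE-2024-45739: plaintext passwords of local native auth users',
  REST_Calls:   'CVE-2024-45738: sensitive HTTP parameters written to _internal',
};

// Map of channel -> { level, stanza }; later lines override earlier ones, as a
// log-local.cfg overlay would.
function parseCategoryLevels(cfgText) {
  const levels = new Map();
  let stanza = '';
  for (const rawLine of cfgText.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;
    const s = line.match(/^\[(.+)\]$/);
    if (s) { stanza = s[1]; continue; }
    const m = line.match(/^category\.([^=\s]+)\s*=\s*(\S+)/);
    if (m) levels.set(m[1], { level: m[2].toUpperCase(), stanza });
  }
  return levels;
}

// One finding per sensitive channel that is currently at DEBUG.
function findLeakyDebugChannels(cfgText, sensitive = SENSITIVE_CHANNELS) {
  const levels = parseCategoryLevels(cfgText);
  const findings = [];
  for (const [channel, why] of Object.entries(sensitive)) {
    const entry = levels.get(channel);
    if (entry && entry.level === 'DEBUG') findings.push({ channel, stanza: entry.stanza, why });
  }
  return findings;
}

// Corrected form: only the sensitive channels are lowered to INFO; unrelated
// DEBUG channels an operator set on purpose are left alone.
function downgradeLeakyChannels(cfgText, sensitive = SENSITIVE_CHANNELS) {
  return cfgText.split(/\r?\n/).map(line => {
    const m = line.match(/^(\s*category\.([^=\s]+)\s*=\s*)DEBUG\s*$/i);
    return m && sensitive[m[2]] ? `${m[1]}INFO` : line;
  }).join('\n');
}

// Constructed sample overlay, not a real file: the weak setting for both
// channels next to an unrelated DEBUG channel and an INFO channel.
const CONSTRUCTED_LOG_LOCAL_CFG = `# constructed sample, not a real log-local.cfg
[splunkd]
category.AdminManager=DEBUG
category.REST_Calls=DEBUG
category.TcpInputProc=DEBUG
category.AdminHandler:Monitor=INFO
`;

console.log(findLeakyDebugChannels(CONSTRUCTED_LOG_LOCAL_CFG));
console.log(downgradeLeakyChannels(CONSTRUCTED_LOG_LOCAL_CFG));
```

Run it against the merged view of `log.cfg` and `log-local.cfg` (the local file wins), and treat a finding on a pre-9.3.1 / 9.2.3 / 9.1.6 instance as a reason to rotate the affected local users' passwords, since the leaked values have already been written to disk and, for `REST_Calls`, indexed into `_internal`.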

4.3

CVSS3.1

CVE-2024-45737 - Maintenance mode state change of App Key Value Store (KVStore) through Cross-Site Request Forgery (…

In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user that does not hold the "admin" or "power" Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-…

📅 Published: Oct. 14, 2024, 5:03 p.m. 🔄 Last Modified: Feb. 28, 2025, 11:03 a.m.