5.3

CVSS4.0

CVE-2024-47128 - Insertion of Sensitive Information Into Sent Data in goTenna Pro

The goTenna Pro App encryption key name is always sent unencrypted when the key is shared over RF through a broadcast message. It is advised to share the encryption key via local QR for higher security operations.

📅 Published: Sept. 26, 2024, 5:28 p.m. 🔄 Last Modified: Oct. 17, 2024, 6:15 p.m.

6

CVSS4.0

CVE-2024-43108 - goTenna Pro ATAK Plugin Missing Support for Integrity Check

The goTenna Pro ATAK Plugin uses AES CTR type encryption for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to an attacker that can access the message. It is advised to continue to use encryption in the plugin and update to the cur…

📅 Published: Sept. 26, 2024, 5:28 p.m. 🔄 Last Modified: Oct. 17, 2024, 5:15 p.m.

5.9

CVSS3.1

CVE-2024-47174 - Credential leak when credentials are used with `<nix/fetchurl.nix>`

Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `<nix/fetchurl.nix>` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-…

📅 Published: Sept. 26, 2024, 5:27 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

6

CVSS4.0

CVE-2024-47127 - Weak Authentication in goTenna Pro

In the goTenna Pro App there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing goTenna mesh networks. This vulnerability can be exploited if the device is being used in an unencrypted environment or if the…

📅 Published: Sept. 26, 2024, 5:27 p.m. 🔄 Last Modified: Oct. 17, 2024, 6:15 p.m.

7.1

CVSS4.0

CVE-2024-47126 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in goTenna Pro

The goTenna Pro App does not use SecureRandom when generating passwords for sharing cryptographic keys. The random function in use makes it easier for attackers to brute force this password if the broadcasted encryption key is captured over RF. This only applies to the optional broadcast of an …

📅 Published: Sept. 26, 2024, 5:26 p.m. 🔄 Last Modified: Oct. 17, 2024, 6:15 p.m.

5.1

CVSS4.0

CVE-2024-43694 - goTenna Pro ATAK Plugin Insecure Storage of Sensitive Information

In the goTenna Pro ATAK Plugin application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted broadcast communications based on broadcast keys stored on the devi…

📅 Published: Sept. 26, 2024, 5:25 p.m. 🔄 Last Modified: Oct. 7, 2024, 7:40 p.m.

7.6

CVSS4.0

CVE-2024-47125 - Improper Restriction of Communication Channel to Intended Endpoints in goTenna Pro

The goTenna Pro App does not authenticate public keys, which allows an unauthenticated attacker to manipulate messages. It is advised to update your app to the current release for enhanced encryption protocols.

📅 Published: Sept. 26, 2024, 5:24 p.m. 🔄 Last Modified: Oct. 17, 2024, 6:15 p.m.

4.3

CVSS3.1

CVE-2024-47171 - Agnai vulnerable to Relative Path Traversal in Image Upload

Agnai is an artificial-intelligence-agnostic multi-user, multi-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to upload image files at an attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended director…

📅 Published: Sept. 26, 2024, 5:21 p.m. 🔄 Last Modified: Oct. 30, 2024, 8:46 p.m.

2.3

CVSS4.0

CVE-2024-47124 - Cleartext Transmission of Sensitive Information in goTenna Pro

The goTenna Pro App does not encrypt callsigns in messages. It is recommended to not use sensitive information in callsigns when using this and previous versions of the app and update your app to the current app version which uses AES-256 encryption for callsigns in encrypted operation.

📅 Published: Sept. 26, 2024, 5:21 p.m. 🔄 Last Modified: Oct. 17, 2024, 6:15 p.m.

6

CVSS4.0

CVE-2024-47123 - Missing Support for Integrity Check in goTenna Pro

The goTenna Pro App uses AES CTR type encryption for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to an attacker that can access the message. It is recommended to continue to use encryption in the app and update to the current re…

📅 Published: Sept. 26, 2024, 5:20 p.m. 🔄 Last Modified: Nov. 21, 2024, 5:15 p.m.