2.7

CVSS3.1

CVE-2024-40884 - Unauthorized disabling of invite URL

Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL.

📅 Published: Aug. 22, 2024, 3:17 p.m. 🔄 Last Modified: Oct. 17, 2024, 2:05 p.m.

5

CVSS3.1

CVE-2024-43787 - Hono CSRF middleware can be bypassed using crafted Content-Type header

Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using a crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, an attacker can bypass the CSRF middleware usi…

📅 Published: Aug. 22, 2024, 2:23 p.m. 🔄 Last Modified: Sept. 17, 2025, 8:34 p.m.

2.5

CVSS3.1

CVE-2024-43785 - gitoxide-core does not neutralize special characters for terminals

gitoxide is an idiomatic, lean, fast & safe pure Rust implementation of Git. gitoxide-core, which provides most underlying functionality of the gix and ein commands, does not neutralize newlines, backspaces, or control characters—including those that form ANSI escape sequences—that appear in a reposit…

📅 Published: Aug. 22, 2024, 2:19 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

5.9

CVSS3.1

CVE-2024-43398 - REXML denial of service vulnerability

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML document that has many deep elements with the same local name attributes. If you need to parse untrusted XML with a tree parser API like REXML::Document.new, you may be impacted by this vulnerability. …

📅 Published: Aug. 22, 2024, 2:14 p.m. 🔄 Last Modified: Nov. 3, 2025, 9:16 p.m.

7.5

CVSS3.1

CVE-2024-8768 - vLLM: a completions API request with an empty prompt will crash the vLLM API server

A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service.

📅 Published: Aug. 22, 2024, noon 🔄 Last Modified: April 15, 2026, 12:35 a.m.

5.3

CVSS3.1

CVE-2024-43331 - WordPress WP SMS plugin <= 6.9.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in VeronaLabs WP SMS. This issue affects WP SMS: from n/a through 6.9.3.

📅 Published: Aug. 22, 2024, 11:29 a.m. 🔄 Last Modified: March 19, 2025, 6:52 p.m.

5.9

CVSS3.1

CVE-2024-39745 - IBM Sterling Connect:Direct Web Services information disclosure

IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

📅 Published: Aug. 22, 2024, 11:06 a.m. 🔄 Last Modified: March 13, 2026, 10:05 p.m.

4.3

CVSS3.1

CVE-2024-7848 - User Private Files <= 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Priva…

The User Private Files – WordPress File Sharing Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'dpk_upvf_update_doc' due to missing validation on the 'docid' user controlled key. This makes it possible for authentica…

📅 Published: Aug. 22, 2024, 10:58 a.m. 🔄 Last Modified: April 8, 2026, 4:35 p.m.

4.3

CVSS3.1

CVE-2024-39744 - IBM Sterling Connect:Direct Web Services cross-site request forgery

IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

📅 Published: Aug. 22, 2024, 10:56 a.m. 🔄 Last Modified: March 13, 2026, 10:04 p.m.

5.9

CVSS3.1

CVE-2024-39746 - IBM Sterling Connect:Direct Web Services information disclosure

IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middl…

📅 Published: Aug. 22, 2024, 10:29 a.m. 🔄 Last Modified: Oct. 31, 2025, 3:01 p.m.