The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2024-28860 | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to chosen plaintext, key recovery, replay attacks by a man-in-the-middle attacker. These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique keys for each IPsec tunnel established between nodes, resolving all of the above attacks. This vulnerability is fixed in 1.13.13, 1.14.9, and 1.15.3. | -- | Mar 28, 2024 | n/a |
CVE-2024-28861 | Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Starting in version 1.1.0 and prior to version 1.5.19, Symfony 1 has a gadget chain due to dangerous deserialization in `sfNamespacedParameterHolder` class that would enable an attacker to get remote code execution if a developer deserializes user input in their project. Version 1.5.19 contains a patch for the issue. | -- | Mar 22, 2024 | n/a |
CVE-2024-28862 | The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions. Users should patch to version 6.3.0. Users unable to patch may correct file permissions after installation. | -- | Mar 17, 2024 | n/a |
CVE-2024-28863 | node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders. | -- | Mar 21, 2024 | n/a |
CVE-2024-28864 | SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. A vulnerability in SecureProps version 1.2.0 and 1.2.1 involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data has been encoded with `NullEncoder` and passed to `TagAwareCipher`, and contains special characters such as `\n`. As a result, the decryption process is skipped since the tags are not detected. This causes the encrypted data to be returned in plain format. The vulnerability affects users who implement `TagAwareCipher` with any base cipher that has `NullEncoder` (not default). The patch for the issue has been released. Users are advised to update to version 1.2.2. As a workaround, one may use the default `Base64Encoder` with the base cipher decorated with `TagAwareCipher` to prevent special characters in the encrypted string from interfering with regex tag detection logic. This workaround is safe but may involve double encoding since `TagAwareCipher` uses `NullEncoder` by default. | -- | Mar 19, 2024 | n/a |
CVE-2024-28865 | django-wiki is a wiki system for Django. Installations of django-wiki prior to version 0.10.1 are vulnerable to maliciously crafted article content that can cause severe use of server CPU through a regular expression loop. Version 0.10.1 fixes this issue. As a workaround, close off access to create and edit articles by anonymous users. | -- | Mar 19, 2024 | n/a |
CVE-2024-28867 | Swift Prometheus is a Swift client for the Prometheus monitoring system, supporting counters, gauges and histograms. In code which applies _un-sanitized string values into metric names or labels_, an attacker could make use of this and send a `?lang` query parameter containing newlines, `}` or similar characters which can lead to the attacker taking over the exported format, including creating unbounded numbers of stored metrics, inflating server memory usage, or causing bogus metrics. This vulnerability is fixed in 2.0.0-alpha.2. | -- | Apr 1, 2024 | n/a |
CVE-2024-28868 | Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively using external logins. | -- | Mar 21, 2024 | n/a |
CVE-2024-28869 | Traefik is an HTTP reverse proxy and load balancer. In affected versions, sending a GET request to any Traefik endpoint with the Content-length request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service. This vulnerability has been addressed in versions 2.11.2 and 3.0.0-rc5. Users are advised to upgrade. For affected versions, this vulnerability can be mitigated by configuring the readTimeout option. | -- | Apr 15, 2024 | n/a |
CVE-2024-28870 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community. When parsing an overly long SSH banner, Suricata can use excessive CPU resources, as well as cause excessive logging volume in alert records. This issue has been patched in versions 6.0.17 and 7.0.4. | -- | Mar 25, 2024 | n/a |
CVE-2024-28871 | LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces. Version 0.5.46 may parse malformed request traffic, leading to excessive CPU usage. Version 0.5.47 contains a patch for the issue. No known workarounds are available. | -- | Mar 25, 2024 | n/a |
CVE-2024-28878 | IO-1020 Micro ELD downloads source code or an executable from an adjacent location and executes the code without sufficiently verifying the origin or integrity of the code. | -- | Apr 15, 2024 | n/a |
CVE-2024-28883 | An origin validation vulnerability exists in BIG-IP APM browser network access VPN client for Windows, macOS and Linux which may allow an attacker to bypass F5 endpoint inspection. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | -- | May 8, 2024 | n/a |
CVE-2024-28889 | When an SSL profile with alert timeout is configured with a non-default value on a virtual server, undisclosed traffic along with conditions beyond the attacker's control can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | -- | May 8, 2024 | n/a |
CVE-2024-28890 | Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition. | -- | Apr 23, 2024 | n/a |
CVE-2024-28891 | SQL injection vulnerability exists in the script Handler_CFG.ashx. | -- | Mar 21, 2024 | n/a |
CVE-2024-28893 | Certain HP software packages (SoftPaqs) are potentially vulnerable to arbitrary code execution when the SoftPaq configuration file has been modified after extraction. HP has released updated software packages (SoftPaqs). | -- | May 1, 2024 | n/a |
CVE-2024-28894 | Out-of-bounds read vulnerability caused by improper checking of the option length values in IPv6 headers exists in Cente middleware TCP/IP Network Series, which may allow an unauthenticated attacker to stop the device operations by sending a specially crafted packet. | -- | Apr 15, 2024 | n/a |
CVE-2024-28895 | 'Yahoo! JAPAN' App for Android v2.3.1 to v3.161.1 and 'Yahoo! JAPAN' App for iOS v3.2.2 to v4.109.0 contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the WebView of the 'Yahoo! JAPAN' App via another app installed on the user's device. | -- | Apr 1, 2024 | n/a |
CVE-2024-28896 | Secure Boot Security Feature Bypass Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28897 | Secure Boot Security Feature Bypass Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28898 | Secure Boot Security Feature Bypass Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28900 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28901 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28902 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28903 | Secure Boot Security Feature Bypass Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28904 | Microsoft Brokering File System Elevation of Privilege Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28905 | Microsoft Brokering File System Elevation of Privilege Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28906 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28907 | Microsoft Brokering File System Elevation of Privilege Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28908 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28909 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28910 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28911 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28912 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28913 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28914 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28915 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28916 | Xbox Gaming Services Elevation of Privilege Vulnerability | -- | Mar 21, 2024 | n/a |
CVE-2024-28917 | Azure Arc-enabled Kubernetes Extension Cluster-Scope Elevation of Privilege Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28919 | Secure Boot Security Feature Bypass Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28920 | Secure Boot Security Feature Bypass Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28921 | Secure Boot Security Feature Bypass Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28922 | Secure Boot Security Feature Bypass Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28923 | Secure Boot Security Feature Bypass Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28924 | Secure Boot Security Feature Bypass Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28925 | Secure Boot Security Feature Bypass Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28926 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28927 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | -- | Apr 9, 2024 | n/a |
CVE-2024-28929 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | -- | Apr 9, 2024 | n/a |