Platform

Featured Integrations

Reduce risk and mitigate cyber attacks, no matter your IT & security stack, maturity journey, or industry

See our Threat Intelligence Solutions in Action

Solutions

Threat Intelligence solves pervasive challenges

Reduce operational risk through timely, precise, and actionable intelligence.

See Recorded Future’s Intelligence in Action

Products

Services

Research

Minimize operational risks with our timely, precise, and actionable intelligence.

See Recorded Future in Action

Resource Center

Additional Resources

Additional Topics

Resources

Why Recorded Future

About Us

Partner With Us

Join Us

Company

brand-logo-long-black.svg

Rectangular Logo - Digital (RGB).svg

Home

Blog

Careers at Recorded Future

Contact Us

CVE-2024-7106 is a vulnerability found in Spina CMS 2.18.0 that allows for cross-site request forgery. The specific functionality affected by this vulnerability is the /admin/media_folders file. This vulnerability can be exploited remotely and has been disclosed to the public, increasing the risk of potential attacks. The vendor was notified but did not respond. It is important for organizations using Spina CMS 2.18.0 to take immediate steps to remediate this vulnerability to prevent any potential unauthorized actions through cross-site request forgery attacks.

CVE-2024-7106

A critical vulnerability (CVE-2024-7105) has been discovered in ForIP Tecnologia Administração PABX 1.x, affecting an unknown function in the /detalheIdUra file of the Lista Ura Page component. This vulnerability allows for remote SQL injection attacks through manipulation of the id argument. The exploit has been publicly disclosed and is considered highly dangerous to organizations. Remediation steps have not been specified, and the vendor has not responded to the disclosure. The vulnerability has a base severity rating of MEDIUM and an exploitability score of 2.8 out of 10.

CVE-2024-7105

CVE-2024-41809 is a cross-site scripting vulnerability found in the open-source observability platform called OpenObserve. The vulnerability exists in version 0.4.4 and prior to version 0.10.0, specifically in line 32 of the `MemberSubscription.vue` file. The incoming HTML is not properly sanitized, allowing an attacker to inject malicious scripts into web pages viewed by users. To remediate this vulnerability, it is recommended to update OpenObserve to version 0.10.0 or later, which includes the necessary sanitization measures. This vulnerability poses a high danger to organizations as it can lead to unauthorized access, data theft, and potential compromise of sensitive information.

CVE-2024-41809

CVE-2024-41808 is a cyber vulnerability that affects all versions of the OpenObserve open-source observability platform up to 0.9.1. The vulnerability arises from a lack of user input sanitization in the filter selection menu, potentially resulting in complete account takeover. While the front-end employs measures such as `DOMPurify` or Vue templating to mitigate cross-site scripting (XSS), certain areas lack this protection. Exploiting this vulnerability, combined with insecure authentication handling, could allow malicious users to take control of any victim's account. At present, there is no available patch for this issue.

CVE-2024-41808

CVE-2024-41801 is a vulnerability that affects OpenProject, an open-source project management software. It allows an attacker to redirect users to a remote host to initiate a phishing attack by using a forged HOST header in the default configuration of packaged installations and enabling the "Login required" setting. This vulnerability affects default packaged installations of OpenProject without additional configuration or modules on Apache. However, it may also impact other installations that have not addressed the HOST/X-Forwarded-Host headers. To remediate this vulnerability, users are advised to upgrade to version 14.3.0, which includes stronger protections for the hostname and ensures that all generated links use the correct hostname. This vulnerability poses a medium danger to organizations as it can lead to phishing attacks compromising user accounts and potentially exposing sensitive information.

CVE-2024-41801

CVE-2024-41800 is a vulnerability in Craft CMS 5, a content management system. The vulnerability allows an attacker to reuse TOTP (Time-Based One-Time Password) tokens multiple times within their validity period, enabling them to establish an authenticated session by submitting a valid TOTP token. However, the attacker must have knowledge of the victim's credentials. This vulnerability has been addressed in Craft CMS version 5.2.3, which includes a patch to fix the issue. The impact of this vulnerability is rated as medium severity, with low privileges required and network-based attack vector. It has a high integrity impact but does not affect confidentiality. Organizations using affected versions of Craft CMS should update to version 5.2.3 to remediate this vulnerability and prevent unauthorized access to authenticated sessions.

CVE-2024-41800

A critical vulnerability, CVE-2024-7101, has been discovered in ForIP Tecnologia Administração PABX 1.x. The vulnerability allows for remote SQL injection when manipulating the argument "usuario" in the /login component of the Authentication Form. The exploit has been publicly disclosed and can pose a high risk to organizations using this product. It is recommended to apply necessary patches or updates provided by the vendor to remediate this vulnerability.

CVE-2024-7101

CVE-2024-41806 is a vulnerability that affects the Open edX Platform, a learning management platform. It allows for csv files containing learner information to be uploaded and create cohorts in the instructor dashboard. However, when certain storage backends are used, these uploads can become publicly available. The patch in commit cb729a3ced0404736dfa0ae768526c82b608657b ensures that cohorts data uploaded to AWS S3 buckets is written with a private ACL. To remediate this vulnerability, deployers should apply the patch and ensure that existing cohorts uploads have a private ACL or take other precautions to prevent public access. The potential danger of this vulnerability lies in the exposure of learner information which could lead to privacy breaches and unauthorized access to sensitive data.

CVE-2024-41806

CVE-2024-41707 is a vulnerability that affects Archer Platform 6 before version 2024.06. It allows authenticated users to achieve HTML content injection, enabling a remote malicious user to store malicious HTML code in a trusted application data store. When other users access the data store through their browsers, the injected code gets executed within the vulnerable application's context. The vulnerability has a base severity rating of MEDIUM and a base score of 4.8 according to CVSS:3.1 standards. The potential danger lies in the confidentiality impact, which is rated as HIGH, as it could lead to unauthorized access and compromise of sensitive information. To remediate this vulnerability, organizations should update their Archer Platform to version 2024.06 or newer, which includes fixes for multiple vulnerabilities.

CVE-2024-41707

CVE-2024-41706 is a stored XSS vulnerability found in Archer Platform 6 before version 2024.06, affecting products such as xOoaYd, xOoSk9, xOoaYc, xOoaYb, xOodzF, xOodzE, nxfl6t, xOodzG, and xOoSlB. An authenticated malicious user in Archer could exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When users access the data store through their browsers, the code gets executed within the vulnerable application's context. To remediate this issue, organizations should update to version 2024.06 or apply the fixed release 6.14 P4 (6.14.0.4). This vulnerability has a high severity rating with a base score of 7.3 and poses risks to confidentiality and integrity of data.

CVE-2024-41706

Refine your search

We could not find any results for your search, so why not start with the articles listed below?

Vulnerability Database

A comprehensive vulnerability resource that includes a curated collection of the latest software vulnerabilities publicly available for sec teams.

Top 9 Trending CVEs

Newly Added CVEs

Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future

Frequently Asked Questions

What is a vulnerability database?

Is there more than one vulnerability db?

What is a CVE identifier? (CVE ids)

What is the difference between CVE DB and CVE?

Does every vulnerability have a CVE?

How does a vulnerability become a CVE?

What's the difference between CVE and CVSS?

How does a CVE database help vulnerability management?

What are the most popular CVEs?