Publish Advisories

GHSA-fjcc-r94c-wxr8
GHSA-3m64-79r5-56f2
GHSA-522h-49x4-xq7r
GHSA-7236-ccfq-8664
GHSA-8c78-wf5j-v7jx
GHSA-cppr-hw26-jmwp
GHSA-ffrw-8p66-394j
GHSA-gwhh-pw54-jgx4
GHSA-gwm3-gp4w-96g7
GHSA-gx4q-m69p-mf52
GHSA-j34c-54rj-94x3
GHSA-jc5h-x77p-hhq6
GHSA-pr37-gvg2-qr9v
GHSA-qj3w-6895-r5mf
GHSA-qxp5-vjrm-298x
GHSA-rc9f-q3jv-fx7r

advisories/unreviewed/2024/07/GHSA-fjcc-r94c-wxr8/GHSA-fjcc-r94c-wxr8.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fjcc-r94c-wxr8",
-  "modified": "2024-07-12T15:31:25Z",
+  "modified": "2024-11-18T09:31:12Z",
   "published": "2024-07-01T21:31:14Z",
   "aliases": [
     "CVE-2024-38472"

advisories/unreviewed/2024/11/GHSA-3m64-79r5-56f2/GHSA-3m64-79r5-56f2.json

@@ -0,0 +1,39 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3m64-79r5-56f2",
+  "modified": "2024-11-18T09:31:14Z",
+  "published": "2024-11-18T09:31:14Z",
+  "aliases": [
+    "CVE-2024-45791"
+  ],
+  "details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat.\n\nThis issue affects Apache HertzBeat: before 1.6.1.\n\nUsers are recommended to upgrade to version 1.6.1, which fixes the issue.",
+  "severity": [
+
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45791"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/jmbsfjsvrfnvosh1ftrm3ry4j3sb7doz"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/lvsczrp8kdynppmzyxtkh4ord4gpw1ph"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-11-18T09:15:05Z"
+  }
+}

advisories/unreviewed/2024/11/GHSA-522h-49x4-xq7r/GHSA-522h-49x4-xq7r.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-522h-49x4-xq7r",
+  "modified": "2024-11-18T09:31:13Z",
+  "published": "2024-11-18T09:31:13Z",
+  "aliases": [
+    "CVE-2024-41969"
+  ],
+  "details": "A low privileged remote attacker may modify the configuration of the CODESYS V3 service through a missing authentication vulnerability which could lead to full system access and/or DoS.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41969"
+    },
+    {
+      "type": "WEB",
+      "url": "https://cert.vde.com/en/advisories/VDE-2024-047"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-11-18T09:15:05Z"
+  }
+}

advisories/unreviewed/2024/11/GHSA-7236-ccfq-8664/GHSA-7236-ccfq-8664.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7236-ccfq-8664",
+  "modified": "2024-11-18T09:31:13Z",
+  "published": "2024-11-18T09:31:13Z",
+  "aliases": [
+    "CVE-2024-41968"
+  ],
+  "details": "A low privileged remote attacker may modify the docker settings setup of the device, leading to a limited DoS.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41968"
+    },
+    {
+      "type": "WEB",
+      "url": "https://cert.vde.com/en/advisories/VDE-2024-047"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-11-18T09:15:05Z"
+  }
+}

advisories/unreviewed/2024/11/GHSA-8c78-wf5j-v7jx/GHSA-8c78-wf5j-v7jx.json

@@ -0,0 +1,39 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8c78-wf5j-v7jx",
+  "modified": "2024-11-18T09:31:14Z",
+  "published": "2024-11-18T09:31:14Z",
+  "aliases": [
+    "CVE-2024-45505"
+  ],
+  "details": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating).\n\nThis vulnerability can only be exploited by authorized attackers.\nThis issue affects Apache HertzBeat (incubating): before 1.6.1.\n\nUsers are recommended to upgrade to version 1.6.1, which fixes the issue.",
+  "severity": [
+
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45505"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/gvbc68krhqhht7mkkkx7k13k6k6fdhy0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/h8k14o1bfyod66p113pkgnt1s52p6p19"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-11-18T09:15:05Z"
+  }
+}

advisories/unreviewed/2024/11/GHSA-cppr-hw26-jmwp/GHSA-cppr-hw26-jmwp.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cppr-hw26-jmwp",
+  "modified": "2024-11-18T09:31:13Z",
+  "published": "2024-11-18T09:31:13Z",
+  "aliases": [
+    "CVE-2024-22067"
+  ],
+  "details": "ZTE NH8091 product has an improper permission control vulnerability. Due to improper permission control of the Web module interface, an authenticated attacker may exploit the vulnerability to execute arbitrary commands.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22067"
+    },
+    {
+      "type": "WEB",
+      "url": "https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/6179526095692935173"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-11-18T07:15:17Z"
+  }
+}

advisories/unreviewed/2024/11/GHSA-ffrw-8p66-394j/GHSA-ffrw-8p66-394j.json

@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ffrw-8p66-394j",
+  "modified": "2024-11-18T09:31:14Z",
+  "published": "2024-11-18T09:31:14Z",
+  "aliases": [
+    "CVE-2024-48962"
+  ],
+  "details": "Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.17.\n\nUsers are recommended to upgrade to version 18.12.17, which fixes the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48962"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.apache.org/jira/browse/OFBIZ-13162"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://ofbiz.apache.org/download.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://ofbiz.apache.org/security.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1336"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-11-18T09:15:06Z"
+  }
+}

advisories/unreviewed/2024/11/GHSA-gwhh-pw54-jgx4/GHSA-gwhh-pw54-jgx4.json

@@ -0,0 +1,42 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gwhh-pw54-jgx4",
+  "modified": "2024-11-18T09:31:12Z",
+  "published": "2024-11-18T09:31:12Z",
+  "aliases": [
+    "CVE-2024-11312"
+  ],
+  "details": "The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11312"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-8249-65252-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-8248-8dac9-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-23"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-11-18T07:15:14Z"
+  }
+}

advisories/unreviewed/2024/11/GHSA-gwm3-gp4w-96g7/GHSA-gwm3-gp4w-96g7.json

@@ -0,0 +1,42 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gwm3-gp4w-96g7",
+  "modified": "2024-11-18T09:31:12Z",
+  "published": "2024-11-18T09:31:12Z",
+  "aliases": [
+    "CVE-2024-11313"
+  ],
+  "details": "The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11313"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-8251-3455e-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-8250-1837b-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-23"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-11-18T07:15:15Z"
+  }
+}

advisories/unreviewed/2024/11/GHSA-gx4q-m69p-mf52/GHSA-gx4q-m69p-mf52.json

@@ -0,0 +1,42 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gx4q-m69p-mf52",
+  "modified": "2024-11-18T09:31:12Z",
+  "published": "2024-11-18T09:31:12Z",
+  "aliases": [
+    "CVE-2024-11314"
+  ],
+  "details": "The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11314"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-8253-bc363-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-8252-91d6a-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-23"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-11-18T07:15:15Z"
+  }
+}