{"vulnerability": "cve-2024-4975", "sightings": [{"uuid": "00931788-7991-473d-a545-1838f1e2ec89", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-49759", "type": "seen", "source": "https://t.me/cvedetector/11107", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-49759 - LibreNMS Stored Cross-Site Scripting (XSS) Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-49759 \nPublished : Nov. 15, 2024, 4:15 p.m. | 44\u00a0minutes ago \nDescription : LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the \"Manage User Access\" page allows authenticated users to inject arbitrary JavaScript through the \"bill_name\" parameter when creating a new bill. This vulnerability can lead to the execution of malicious code when visiting the \"Bill Access\" dropdown in the user's \"Manage Access\" page, potentially compromising user sessions and allowing unauthorized actions. This vulnerability is fixed in 24.10.0. \nSeverity: 4.8 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"15 Nov 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-11-15T18:17:26.000000Z"}, {"uuid": "000095fd-5d7d-4c6d-a227-a6d7e3b86b1e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-49756", "type": "seen", "source": "https://t.me/cvedetector/8723", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-49756 - AshPostgres Policy Skipping Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-49756 \nPublished : Oct. 23, 2024, 5:15 p.m. | 33\u00a0minutes ago \nDescription : AshPostgres is the PostgreSQL data layer for Ash Framework. Starting in version 2.0.0 and prior to version 2.4.10, in certain very specific situations, it was possible for the policies of an update action to be skipped. This occurred only on \"empty\" update actions (no changing fields), and would allow their hooks (side effects) to be performed when they should not have been. Note that this does not allow reading new data that the user should not have had access to, only triggering a side effect a user should not have been able to trigger.  \n  \nTo be vulnerable, an affected user must have an update action that is on a resource with no attributes containing an \"update default\" (updated_at timestamp, for example); can be performed atomically; does not have `require_atomic? false`; has at least one authorizer (typically `Ash.Policy.Authorizer`); and has at least one `change` (on the resource's `changes` block or in the action itself). This is where the side-effects would be performed when they should not have been.  \n  \nThis problem has been patched in `2.4.10` of `ash_postgres`. Several workarounds are available. Potentially affected users may determine that none of their actions are vulnerable using a script the maintainers provide in the GitHub Security Advisory, add `require_atomic? false` to any potentially affected update action, replace any usage of `Ash.update` with `Ash.bulk_update` for an affected action, and/or add an update timestamp to their action. \nSeverity: 5.3 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"23 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-23T19:54:20.000000Z"}, {"uuid": "7c086994-8a93-45c8-bb54-2f903b5d24b7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-49751", "type": "seen", "source": "https://t.me/cvedetector/8707", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-49751 - Frappe Press HTML Injection Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-49751 \nPublished : Oct. 23, 2024, 4:15 p.m. | 43\u00a0minutes ago \nDescription : Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Prior to commit 5d118a902872d7941f099ad1fb918e2421e79ccd, a user could inject HTML through SaaS signup inputs. The user who injected the unsafe HTML code would only affect themselves and would not affect other users. Commit 5d118a902872d7941f099ad1fb918e2421e79ccd patches this bug. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"23 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-23T19:03:49.000000Z"}, {"uuid": "8ff367cc-7441-4ef2-8e65-d9321b0720b3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-49755", "type": "seen", "source": "https://t.me/cvedetector/9175", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-49755 - Duende IdentityServer DPoP Claim Validation Bypass\", \n  \"Content\": \"CVE ID : CVE-2024-49755 \nPublished : Oct. 28, 2024, 8:15 p.m. | 42\u00a0minutes ago \nDescription : Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication. This vulnerability is patched in IdentityServer 7.0.8. Version 6.3 and below are unaffected, as they do not support DPoP in Local APIs. \nSeverity: 3.1 | LOW \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"28 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-28T22:01:30.000000Z"}, {"uuid": "07a95221-039b-42fd-b8d7-89d945a8d058", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-49757", "type": "seen", "source": "https://t.me/cvedetector/8949", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-49757 - Zitadel Unauthenticated User Registration\", \n  \"Content\": \"CVE ID : CVE-2024-49757 \nPublished : Oct. 25, 2024, 3:15 p.m. | 29\u00a0minutes ago \nDescription : The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the \"User Registration allowed\" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available. \nSeverity: 7.5 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"25 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-25T17:55:12.000000Z"}, {"uuid": "1199d5c7-a912-4ff8-8668-328c1a733dfb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-49753", "type": "seen", "source": "https://t.me/cvedetector/8947", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-49753 - Zitadel DNS Bypass Localhost Escalation\", \n  \"Content\": \"CVE ID : CVE-2024-49753 \nPublished : Oct. 25, 2024, 2:15 p.m. | 39\u00a0minutes ago \nDescription : Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost (127.0.0.1). The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables actions to send requests to localhost despite the intended security measures. This vulnerability potentially allows unauthorized access to unsecured internal endpoints, which may contain sensitive information or functionalities. Versions 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available. \nSeverity: 5.9 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"25 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-25T17:05:04.000000Z"}, {"uuid": "cee05914-1296-4697-8736-f9cefeae0847", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-49754", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113487688865692955", "content": "", "creation_timestamp": "2024-11-15T15:31:46.100782Z"}, {"uuid": "33ba1681-c5e8-4dbc-ba19-b47984e08657", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-4975", "type": "seen", "source": "Telegram/dlrHbeAw02Iy9vSmxCOKyzMWhuUjmkFqpL-TNe4GuvlQ18WV", "content": "", "creation_timestamp": "2025-02-18T21:11:32.000000Z"}, {"uuid": "df95d2c6-0db4-4355-8a0e-4caa2f36b3de", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-49750", "type": "seen", "source": "https://t.me/cvedetector/8870", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-49750 - Snowflake Connector for Python: Information Disclosure\", \n  \"Content\": \"CVE ID : CVE-2024-49750 \nPublished : Oct. 24, 2024, 10:15 p.m. | 36\u00a0minutes ago \nDescription : The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Prior to version 3.12.3, when the logging level was set by the user to DEBUG, the Connector could have logged Duo passcodes (when specified via the `passcode` parameter) and Azure SAS tokens. Additionally, the SecretDetector logging formatter, if enabled, contained bugs which caused it to not fully redact JWT tokens and certain private key formats. Snowflake released version 3.12.3 of the Snowflake Connector for Python, which fixes the issue. In addition to upgrading, users should review their logs for any potentially sensitive information that may have been captured. \nSeverity: 5.5 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"25 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-25T01:11:56.000000Z"}]}