{"vulnerability": "cve-2024-5413", "sightings": [{"uuid": "4682fd89-c11d-4af0-8d5a-4cdf19fa0470", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54138", "type": "seen", "source": "https://t.me/cvedetector/12285", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-54138 - NuGet Gallery is a package repository that powers\", \n  \"Content\": \"CVE ID : CVE-2024-54138 \nPublished : Dec. 6, 2024, 10:15 p.m. | 42\u00a0minutes ago \nDescription : NuGet Gallery is a package repository that powers nuget.org. The NuGetGallery has a security vulnerability related to its handling of autolinks in Markdown content. While the platform properly filters out JavaScript from standard links, it does not adequately sanitize autolinks. This oversight allows attackers to exploit autolinks as a vector for Cross-Site Scripting (XSS) attacks. This vulnerability is fixed in 2024.12.06. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"06 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-06T23:59:43.000000Z"}, {"uuid": "edabd61b-3e0a-4079-a4f0-b2a290158b97", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54133", "type": "seen", "source": "https://t.me/cvedetector/12611", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-54133 - Rails Content-Security-Policy XSS Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-54133 \nPublished : Dec. 10, 2024, 11:15 p.m. | 39\u00a0minutes ago \nDescription : Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"11 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-11T01:01:34.000000Z"}, {"uuid": "37969ed2-0ac1-4fc0-bc40-ea5425145e8a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54134", "type": "seen", "source": "https://t.me/cvedetector/12013", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-54134 - A publish-access account was compromised for `@sol\", \n  \"Content\": \"CVE ID : CVE-2024-54134 \nPublished : Dec. 4, 2024, 4:15 p.m. | 18\u00a0minutes ago \nDescription : A publish-access account was compromised for `@solana/web3.js`, a JavaScript library that is commonly used by Solana dapps. This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dapps, like bots, that handle private keys directly. This issue should not affect non-custodial wallets, as they generally do not expose private keys during transactions. This is not an issue with the Solana protocol itself, but with a specific JavaScript client library and only appears to affect projects that directly handle private keys and that updated within the window of 3:20pm UTC and 8:25pm UTC on Tuesday, December 3, 2024. These two unauthorized versions (1.95.6 and 1.95.7) were caught within hours and have since been unpublished. All Solana app developers should upgrade to version 1.95.8. Developers that suspect they might be compromised should rotate any suspect authority keys, including multisigs, program authorities, server keypairs, and so on. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"04 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-04T17:36:00.000000Z"}, {"uuid": "f461ecff-624e-4f35-8132-af390a6ef1b8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54137", "type": "seen", "source": "https://t.me/cvedetector/12239", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-54137 - liboqs is a C-language cryptographic library that\", \n  \"Content\": \"CVE ID : CVE-2024-54137 \nPublished : Dec. 6, 2024, 4:15 p.m. | 44\u00a0minutes ago \nDescription : liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. A correctness error has been identified in the reference implementation of the HQC key encapsulation mechanism. Due to an indexing error, part of the secret key is incorrectly treated as non-secret data. This results in an incorrect shared secret value being returned when the decapsulation function is called with a malformed ciphertext. This vulnerability is fixed in 0.12.0. \nSeverity: 7.4 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"06 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-06T18:07:58.000000Z"}, {"uuid": "1b8e8e4c-2ffb-42df-9182-821db1872fb4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54136", "type": "seen", "source": "https://t.me/cvedetector/12238", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-54136 - ClipBucket V5 provides open source video hosting w\", \n  \"Content\": \"CVE ID : CVE-2024-54136 \nPublished : Dec. 6, 2024, 4:15 p.m. | 44\u00a0minutes ago \nDescription : ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 5.5.1 Revision 199 and below is vulnerable to PHP Deserialization vulnerability. The vulnerability exists in upload/upload.php where the user supplied input via collection get parameter is directly provided to unserialize function. As a result, it is possible for an adversary to inject maliciously crafted PHP serialized object and utilize gadget chains to cause unexpected behaviors of the application. This vulnerability is fixed in 5.5.1 Revision 200. \nSeverity: 9.8 | CRITICAL \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"06 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-06T18:07:57.000000Z"}, {"uuid": "c8859e75-08b9-41b8-9635-b92cb9c9b35d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54135", "type": "seen", "source": "https://t.me/cvedetector/12237", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-54135 - ClipBucket V5 provides open source video hosting w\", \n  \"Content\": \"CVE ID : CVE-2024-54135 \nPublished : Dec. 6, 2024, 4:15 p.m. | 44\u00a0minutes ago \nDescription : ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 2.0 to Version 5.5.1 Revision 199 are vulnerable to PHP Deserialization vulnerability. The vulnerability exists in upload/photo_upload.php  within the decode_key function. User inputs were supplied to this function without sanitization via collection GET parameter and photoIDS POST parameter respectively. The decode_key function invokes PHP unserialize function as defined in upload/includes/classes/photos.class.php. As a result, it is possible for an adversary to inject maliciously crafted PHP serialized object and utilize gadget chains to cause unexpected behaviors of the application. This vulnerability is fixed in 5.5.1 Revision 200. \nSeverity: 9.8 | CRITICAL \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"06 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-06T18:07:57.000000Z"}, {"uuid": "8ae62032-00a9-4577-b335-8661f9979795", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54130", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113600895790799257", "content": "", "creation_timestamp": "2024-12-05T15:21:46.678342Z"}, {"uuid": "00f08909-5db4-4114-8510-09bacb87b6bb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54139", "type": "seen", "source": "https://t.me/cvedetector/12898", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-54139 - Combodo iTop Cross-Site Scripting Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-54139 \nPublished : Dec. 13, 2024, 4:15 p.m. | 43\u00a0minutes ago \nDescription : Combodo iTop is an open source and web-based IT service management platform. Prior to versions 2.7.11, 3.1.2, and 3.2.0., iTop has a cross-site scripting vulnerability that can lead to cross-site request forgery on the `_table_id` parameter. Versions 2.7.11, 3.1.2, and 3.2.0 contain a patch for the issue. \nSeverity: 7.9 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"13 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-13T18:17:17.000000Z"}, {"uuid": "036f4628-d338-4d2c-9e57-89a7b3c7e772", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54132", "type": "seen", "source": "https://t.me/cvedetector/12011", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-54132 - The GitHub CLI is GitHub\u2019s official command line t\", \n  \"Content\": \"CVE ID : CVE-2024-54132 \nPublished : Dec. 4, 2024, 4:15 p.m. | 18\u00a0minutes ago \nDescription : The GitHub CLI is GitHub\u2019s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact\u2019s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag value. This vulnerability is fixed in 2.63.1. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"04 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-04T17:35:57.000000Z"}, {"uuid": "452ba488-a86e-4350-9a44-9e608273cee4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54131", "type": "seen", "source": "https://t.me/cvedetector/11913", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-54131 - The Kolide Agent (aka: Launcher) is the lightweigh\", \n  \"Content\": \"CVE ID : CVE-2024-54131 \nPublished : Dec. 3, 2024, 9:15 p.m. | 39\u00a0minutes ago \nDescription : The Kolide Agent (aka: Launcher) is the lightweight agent designed to work with Kolide's service. An implementation bug in the Kolide Agent (known as `launcher`) allows for local privilege escalation to the SYSTEM user on Windows 10 and 11. The bug was introduced in version 1.5.3 when launcher started storing upgraded binaries in the ProgramData directory. This move to the new directory meant the launcher root directory inherited default permissions that are not as strict as the previous location. These incorrect default permissions in conjunction with an omitted SystemDrive environmental variable (when launcher starts osqueryd), allows a malicious actor with access to the local Windows device to successfully place an arbitrary DLL into the osqueryd process's search path. Under some circumstances, this DLL will be executed when osqueryd performs a WMI query. This combination of events could then allow the attacker to escalate their privileges to SYSTEM. Impacted versions include versions >= 1.5.3 and the fix has been released in 1.12.3. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"03 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-03T23:11:17.000000Z"}, {"uuid": "0901ceb6-eae7-43aa-a680-5f35fe1ac4c9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54132", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113595269131048543", "content": "", "creation_timestamp": "2024-12-04T15:30:50.714208Z"}, {"uuid": "d26f9bb0-2fef-435f-89eb-926b83d19789", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54134", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113595269145037059", "content": "", "creation_timestamp": "2024-12-04T15:30:51.051455Z"}, {"uuid": "c759d765-1728-49eb-ac77-9c63fb7355f9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54133", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113630998131727296", "content": "", "creation_timestamp": "2024-12-10T22:57:11.941228Z"}, {"uuid": "0d3aa3d8-7488-4b81-8891-971146484b83", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54133", "type": "seen", "source": "https://bsky.app/profile/securitycipher.bsky.social/post/3lhijtv2tea2q", "content": "", "creation_timestamp": "2025-02-06T07:11:33.945421Z"}, {"uuid": "f826d268-3e70-4666-a8e0-3e4679085c4b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54133", "type": "seen", "source": "https://gist.github.com/omid-storyful/932f7b8d388ffa7dd9d6eb3103b1830b", "content": "", "creation_timestamp": "2025-10-29T13:47:42.000000Z"}, {"uuid": "094235a9-0cbe-456f-9f2c-d557f788c0bf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54130", "type": "seen", "source": "https://t.me/cvedetector/12111", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-54130 - The NASA\u2019s Interplanetary Overlay Network (ION) is\", \n  \"Content\": \"CVE ID : CVE-2024-54130 \nPublished : Dec. 5, 2024, 4:15 p.m. | 35\u00a0minutes ago \nDescription : The NASA\u2019s Interplanetary Overlay Network (ION) is an implementation of Delay/Disruption Tolerant Networking (DTN). A segmentation fault occurs with ION-DTN BPv7 software version 4.1.3 when a bundle with a Destination Endpoint ID (EID) set to dtn:none is received. This causes the node to become unresponsive to incoming bundles, leading to a Denial of Service (DoS) condition. This vulnerability is fixed in 4.1.3s. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"05 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-05T17:52:09.000000Z"}, {"uuid": "dc1fdd6e-f401-4e76-af88-9e5b30e1b867", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54137", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113606727044472926", "content": "", "creation_timestamp": "2024-12-06T16:04:44.652135Z"}, {"uuid": "3810f4e3-572e-41a8-9b1e-d36c780a6a76", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54131", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113590786109034662", "content": "", "creation_timestamp": "2024-12-03T20:30:45.146533Z"}, {"uuid": "262fecbc-ee0f-4262-bff0-b5ebb288777b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-54133", "type": "seen", "source": "https://gist.github.com/omid-storyful/ad62fd00008868617d9703d12aa29478", "content": "", "creation_timestamp": "2025-10-29T13:31:08.000000Z"}]}