Vulnerabilities

Missing Authorization vulnerability in Drupal Entity Delete Log allows Forceful Browsing.This issue affects Entity Delete Log: from 0.0.0 before 1.1.1.

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Migrate Tools allows Cross Site Request Forgery.This issue affects Migrate Tools: from 0.0.0 before 6.0.3.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CKEditor 4 LTS - WYSIWYG HTML editor allows Cross-Site Scripting (XSS).This issue affects CKEditor 4 LTS - WYSIWYG HTML editor: from 1.0.0 before 1.0.1.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal File Entity (fieldable files) allows Cross-Site Scripting (XSS).This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.38.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Typogrify allows Cross-Site Scripting (XSS).This issue affects Typogrify: from 0.0.0 before 1.3.0.

Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0.

Improper Access Control vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.This issue affects Open Social: from 0.0.0 before 12.05.

Improper Authorization vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.This issue affects Open Social: from 0.0.0 before 12.0.5.

Chatwoot is a customer engagement suite. Prior to 3.16.0, conversation and contact filters endpoints did not sanitize the input of query_operator passed from the frontend or the API. This provided any actor who is authenticated, an attack vector to run arbitrary SQL within the filter query by adding a tautological WHERE clause. This issue is patched with v3.16.0.

JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).

An Improper Handling of Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker sending a specific BGP update packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). <br /> <br /> Continuous receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.<br /> <br /> This issue affects iBGP and eBGP, and both IPv4 and IPv6 are affected by this vulnerability.<br /> <br /> This issue affects Junos OS: <br /> <br /> <br /> <br /> * from 21.4 before 21.4R3-S9, <br /> * from 22.2 before 22.2R3-S5, <br /> * from 22.3 before 22.3R3-S4,<br /> * from 22.4 before 22.4R3-S5, <br /> * from 23.2 before 23.2R2-S3, <br /> * from 23.4 before 23.4R2-S3, <br /> * from 24.2 before 24.2R1-S2, 24.2R2; <br /> <br /> <br /> This issue does not affect versions prior to 21.1R1.<br /> <br /> <br /> <br /> <br /> <br /> Junos OS Evolved: <br /> <br /> <br /> <br /> * from 21.4 before 21.4R3-S9-EVO, <br /> * from 22.2 before 22.2R3-S5-EVO, <br /> * from 22.3 before 22.3R3-S4-EVO,<br /> * from 22.4 before 22.4R3-S5-EVO, <br /> * from 23.2 before 23.2R2-S3-EVO, <br /> * from 23.4 before 23.4R2-S3-EVO, <br /> * from 24.2 before 24.2R1-S2-EVO, 24.2R2-EVO.<br /> <br /> <br /> This issue does not affect versions prior to 21.1R1-EVO

An Out-of-Bounds Read vulnerability in<br /> <br /> the routing protocol daemon (rpd) of <br /> <br /> Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.<br /> <br /> <br /> <br /> This issue only affects systems configured in<br /> either of two ways:<br /> <br /> <br /> <br /> * systems with BGP traceoptions enabled<br /> <br /> * systems with BGP family traffic-engineering (BGP-LS)<br /> configured<br /> <br /> <br /> and can be exploited from a directly connected and configured BGP peer. <br /> <br /> This issue affects iBGP and eBGP <br /> <br /> with <br /> <br /> any address family<br /> <br /> configured, and both IPv4 and IPv6 are affected by this vulnerability.<br /> <br /> This issue affects:<br /> <br /> Junos OS: <br /> <br /> <br /> <br /> * <br /> <br /> from 21.4 before 21.4R3-S9, <br /> * from 22.2 before 22.2R3-S5, <br /> * from 22.3 before 22.3R3-S4, <br /> * from 22.4 before 22.4R3-S5, <br /> * from 23.2 before 23.2R2-S3, <br /> * from 23.4 before 23.4R2-S3, <br /> * from 24.2 before 24.2R1-S2, 24.2R2; <br /> <br /> <br /> <br /> <br /> Junos OS Evolved: <br /> <br /> <br /> <br /> * from 21.4-EVO before 21.4R3-S9-EVO, <br /> * from 22.2-EVO before 22.2R3-S5-EVO, <br /> * from 22.3-EVO before 22.3R3-S4-EVO, <br /> * from 22.4-EVO before 22.4R3-S5-EVO, <br /> * from 23.2-EVO before 23.2R2-S3-EVO, <br /> * from 23.4-EVO before 23.4R2-S2-EVO, <br /> * from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO.<br /> <br /> <br /> This issue does not affect versions of Junos OS prior to 21.3R1.<br /> <br /> <br /> This issue does not affect versions of Junos OS Evolved prior to 21.3R1-EVO.<br /> <br /> <br /> <br /> This is a similar, but different vulnerability than the issue reported as CVE-2024-39516.