ISHACK AI BOT

Microsoft Edge Chromium: CVE-2024-5841 Use after free in V8 Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 06/14/2024 Added 06/14/2024 Modified 01/28/2025 Description Use after free in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2024-5841 CVE - 2024-5841 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5841

Gentoo Linux: CVE-2024-5831: QtWebEngine: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 01/25/2025 Added 01/24/2025 Modified 01/28/2025 Description Use after free in Dawn in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine References https://attackerkb.com/topics/cve-2024-5831 CVE - 2024-5831 202501-09

Gentoo Linux: CVE-2024-5699: Mozilla Firefox: Multiple Vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/11/2024 Created 08/08/2024 Added 08/07/2024 Modified 08/07/2024 Description In violation of spec, cookie prefixes such as `__Secure` were being ignored if they were not correctly capitalized - by spec they should be checked with a case-insensitive comparison. This could have resulted in the browser not correctly honoring the behaviors specified by the prefix. This vulnerability affects Firefox < 127. Solution(s) gentoo-linux-upgrade-www-client-firefox gentoo-linux-upgrade-www-client-firefox-bin References https://attackerkb.com/topics/cve-2024-5699 CVE - 2024-5699 202408-02

Gentoo Linux: CVE-2024-5838: QtWebEngine: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 01/25/2025 Added 01/24/2025 Modified 01/28/2025 Description Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine References https://attackerkb.com/topics/cve-2024-5838 CVE - 2024-5838 202501-09

Gentoo Linux: CVE-2024-5701: Mozilla Firefox: Multiple Vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/11/2024 Created 08/08/2024 Added 08/07/2024 Modified 08/07/2024 Description Memory safety bugs present in Firefox 126. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 127. Solution(s) gentoo-linux-upgrade-www-client-firefox gentoo-linux-upgrade-www-client-firefox-bin References https://attackerkb.com/topics/cve-2024-5701 CVE - 2024-5701 202408-02

Gentoo Linux: CVE-2024-5847: QtWebEngine: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 01/25/2025 Added 01/24/2025 Modified 01/28/2025 Description Use after free in PDFium in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Medium) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine References https://attackerkb.com/topics/cve-2024-5847 CVE - 2024-5847 202501-09

OS X update for WebKit (CVE-2024-27838) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 06/11/2024 Created 06/12/2024 Added 06/11/2024 Modified 01/28/2025 Description The issue was addressed by adding additional logic. This issue is fixed in tvOS 17.5, iOS 16.7.8 and iPadOS 16.7.8, visionOS 1.2, Safari 17.5, iOS 17.5 and iPadOS 17.5, watchOS 10.5, macOS Sonoma 14.5. A maliciously crafted webpage may be able to fingerprint the user. Solution(s) apple-osx-upgrade-14_5 References https://attackerkb.com/topics/cve-2024-27838 CVE - 2024-27838 https://support.apple.com/en-us/120903

Rocky Linux: CVE-2024-5702: thunderbird (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/11/2024 Created 07/03/2024 Added 07/03/2024 Modified 11/18/2024 Description Memory corruption in the networking stack could have led to a potentially exploitable crash. This vulnerability affects Firefox < 125, Firefox ESR < 115.12, and Thunderbird < 115.12. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-firefox-x11 rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2024-5702 CVE - 2024-5702 https://errata.rockylinux.org/RLSA-2024:3954 https://errata.rockylinux.org/RLSA-2024:3955 https://errata.rockylinux.org/RLSA-2024:4002 https://errata.rockylinux.org/RLSA-2024:4036

Gentoo Linux: CVE-2024-5696: Mozilla Firefox: Multiple Vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/11/2024 Created 08/08/2024 Added 08/07/2024 Modified 12/09/2024 Description By manipulating the text in an `&lt;input&gt;` tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12. Solution(s) gentoo-linux-upgrade-dev-lang-spidermonkey gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin gentoo-linux-upgrade-www-client-firefox gentoo-linux-upgrade-www-client-firefox-bin References https://attackerkb.com/topics/cve-2024-5696 CVE - 2024-5696 202408-02 202412-06 202412-13

Red Hat: CVE-2024-5690: Mozilla: External protocol handlers leaked by timing attack (Multiple Advisories) Severity 4 CVSS (AV:N/AC:M/Au:N/C:P/I:N/A:N) Published 06/11/2024 Created 06/19/2024 Added 06/18/2024 Modified 01/30/2025 Description By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12. Solution(s) redhat-upgrade-firefox redhat-upgrade-firefox-debuginfo redhat-upgrade-firefox-debugsource redhat-upgrade-firefox-x11 redhat-upgrade-thunderbird redhat-upgrade-thunderbird-debuginfo redhat-upgrade-thunderbird-debugsource References CVE-2024-5690 RHSA-2024:3949 RHSA-2024:3950 RHSA-2024:3951 RHSA-2024:3954 RHSA-2024:3955 RHSA-2024:4002 RHSA-2024:4004 RHSA-2024:4016 RHSA-2024:4018 RHSA-2024:4036 View more

Amazon Linux AMI 2: CVE-2023-4727: Security patch for pki-core (ALAS-2024-2586) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/11/2024 Created 07/12/2024 Added 07/12/2024 Modified 07/12/2024 Description A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with a LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to escalation of privilege. Solution(s) amazon-linux-ami-2-upgrade-pki-base amazon-linux-ami-2-upgrade-pki-base-java amazon-linux-ami-2-upgrade-pki-ca amazon-linux-ami-2-upgrade-pki-core-debuginfo amazon-linux-ami-2-upgrade-pki-javadoc amazon-linux-ami-2-upgrade-pki-kra amazon-linux-ami-2-upgrade-pki-server amazon-linux-ami-2-upgrade-pki-symkey amazon-linux-ami-2-upgrade-pki-tools References https://attackerkb.com/topics/cve-2023-4727 AL2/ALAS-2024-2586 CVE - 2023-4727

SUSE: CVE-2024-5835: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 07/20/2024 Added 07/19/2024 Modified 01/28/2025 Description Heap buffer overflow in Tab Groups in Google Chrome prior to 126.0.6478.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) suse-upgrade-chromedriver suse-upgrade-chromium suse-upgrade-opera References https://attackerkb.com/topics/cve-2024-5835 CVE - 2024-5835

SUSE: CVE-2024-5841: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 07/20/2024 Added 07/19/2024 Modified 01/28/2025 Description Use after free in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) Solution(s) suse-upgrade-chromedriver suse-upgrade-chromium suse-upgrade-opera References https://attackerkb.com/topics/cve-2024-5841 CVE - 2024-5841

SUSE: CVE-2024-5834: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 07/20/2024 Added 07/19/2024 Modified 01/28/2025 Description Inappropriate implementation in Dawn in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) Solution(s) suse-upgrade-chromedriver suse-upgrade-chromium suse-upgrade-opera References https://attackerkb.com/topics/cve-2024-5834 CVE - 2024-5834

SUSE: CVE-2024-5842: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 07/20/2024 Added 07/19/2024 Modified 01/28/2025 Description Use after free in Browser UI in Google Chrome prior to 126.0.6478.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) Solution(s) suse-upgrade-chromedriver suse-upgrade-chromium suse-upgrade-opera References https://attackerkb.com/topics/cve-2024-5842 CVE - 2024-5842

SUSE: CVE-2024-5833: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 07/20/2024 Added 07/19/2024 Modified 01/28/2025 Description Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) Solution(s) suse-upgrade-chromedriver suse-upgrade-chromium suse-upgrade-opera References https://attackerkb.com/topics/cve-2024-5833 CVE - 2024-5833

Microsoft Edge Chromium: CVE-2024-5843 Inappropriate implementation in Downloads Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 06/11/2024 Created 06/14/2024 Added 06/14/2024 Modified 01/28/2025 Description Inappropriate implementation in Downloads in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to obfuscate security UI via a malicious file. (Chromium security severity: Medium) Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2024-5843 CVE - 2024-5843 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5843

SUSE: CVE-2024-35235: SUSE Linux Security Advisory Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/11/2024 Created 06/14/2024 Added 06/13/2024 Modified 06/13/2024 Description OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Given that cupsd is often running as root, this can result in the change of permission of any user or system files to be world writable. Given the aforementioned Ubuntu AppArmor context, on such systems this vulnerability is limited to those files modifiable by the cupsd process. In that specific case it was found to be possible to turn the configuration of the Listen argument into full control over the cupsd.conf and cups-files.conf configuration files. By later setting the User and Group arguments in cups-files.conf, and printing with a printer configured by PPD with a `FoomaticRIPCommandLine` argument, arbitrary user and group (not root) command execution could be achieved, which can further be used on Ubuntu systems to achieve full root command execution. Commit ff1f8a623e090dee8a8aadf12a6a4b25efac143d contains a patch for the issue. Solution(s) suse-upgrade-cups suse-upgrade-cups-client suse-upgrade-cups-config suse-upgrade-cups-ddk suse-upgrade-cups-devel suse-upgrade-cups-devel-32bit suse-upgrade-cups-libs suse-upgrade-cups-libs-32bit suse-upgrade-libcups2 suse-upgrade-libcups2-32bit suse-upgrade-libcupscgi1 suse-upgrade-libcupscgi1-32bit suse-upgrade-libcupsimage2 suse-upgrade-libcupsimage2-32bit suse-upgrade-libcupsmime1 suse-upgrade-libcupsmime1-32bit suse-upgrade-libcupsppdc1 suse-upgrade-libcupsppdc1-32bit References https://attackerkb.com/topics/cve-2024-35235 CVE - 2024-35235

Microsoft Edge Chromium: CVE-2024-5837 Type Confusion in V8 Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 06/14/2024 Added 06/14/2024 Modified 01/28/2025 Description Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2024-5837 CVE - 2024-5837 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5837

OS X update for CoreMedia (CVE-2024-27817) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 06/12/2024 Added 06/11/2024 Modified 01/28/2025 Description The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.7, macOS Monterey 12.7.5, iOS 16.7.8 and iPadOS 16.7.8, tvOS 17.5, visionOS 1.2, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5. An app may be able to execute arbitrary code with kernel privileges. Solution(s) apple-osx-upgrade-12_7_5 apple-osx-upgrade-13_6_7 apple-osx-upgrade-14_5 References https://attackerkb.com/topics/cve-2024-27817 CVE - 2024-27817 https://support.apple.com/en-us/120899 https://support.apple.com/en-us/120900 https://support.apple.com/en-us/120903

Microsoft Edge Chromium: CVE-2024-5835 Heap buffer overflow in Tab Groups Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 06/14/2024 Added 06/14/2024 Modified 01/28/2025 Description Heap buffer overflow in Tab Groups in Google Chrome prior to 126.0.6478.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2024-5835 CVE - 2024-5835 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5835

OS X update for Core Data (CVE-2024-27805) Severity 5 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:N) Published 06/11/2024 Created 06/12/2024 Added 06/11/2024 Modified 01/28/2025 Description An issue was addressed with improved validation of environment variables. This issue is fixed in macOS Ventura 13.6.7, macOS Monterey 12.7.5, iOS 16.7.8 and iPadOS 16.7.8, tvOS 17.5, iOS 17.5 and iPadOS 17.5, watchOS 10.5, macOS Sonoma 14.5. An app may be able to access sensitive user data. Solution(s) apple-osx-upgrade-12_7_5 apple-osx-upgrade-13_6_7 apple-osx-upgrade-14_5 References https://attackerkb.com/topics/cve-2024-27805 CVE - 2024-27805 https://support.apple.com/en-us/120899 https://support.apple.com/en-us/120900 https://support.apple.com/en-us/120903

Google Chrome Vulnerability: CVE-2024-5500 Inappropriate Implementation in Sign-In Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 06/11/2024 Created 06/11/2024 Added 06/11/2024 Modified 01/28/2025 Description Inappropriate implementation in Sign-In in Google Chrome prior to 1.3.36.351 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2024-5500 CVE - 2024-5500

MFSA2024-25 Firefox: Security Vulnerabilities fixed in Firefox 127 (CVE-2024-5696) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/11/2024 Created 06/13/2024 Added 06/12/2024 Modified 06/17/2024 Description By manipulating the text in an `&lt;input&gt;` tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12. Solution(s) mozilla-firefox-upgrade-127_0 References https://attackerkb.com/topics/cve-2024-5696 CVE - 2024-5696 http://www.mozilla.org/security/announce/2024/mfsa2024-25.html

CentOS Linux: CVE-2024-5696: Important: firefox security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/11/2024 Created 06/19/2024 Added 06/18/2024 Modified 06/21/2024 Description By manipulating the text in an `&lt;input&gt;` tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12. Solution(s) centos-upgrade-firefox centos-upgrade-firefox-debuginfo centos-upgrade-thunderbird centos-upgrade-thunderbird-debuginfo References CVE-2024-5696