{"vulnerability": "CVE-2024-4776", "sightings": [{"uuid": "8a48d430-fa0b-48b0-8f5b-4a0cb11f1a90", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47760", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113635262751522479", "content": "", "creation_timestamp": "2024-12-11T17:01:44.840035Z"}, {"uuid": "d623e614-0787-4fac-9df9-47fe535fa15f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47761", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113635295248950416", "content": "", "creation_timestamp": "2024-12-11T17:10:00.650418Z"}, {"uuid": "22c3b041-535b-4a34-b5b4-a0269846b25b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47764", "type": "seen", "source": "https://gist.github.com/ton77v/932a3f8b5d57d2625b31328796a3cf30", "content": "", "creation_timestamp": "2025-02-01T06:22:08.000000Z"}, {"uuid": "201d31b9-0ec0-44a4-8883-ab6297e91889", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47762", "type": "seen", "source": "https://t.me/cvedetector/6917", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47762 - Backstage APP_CONFIG Configuration Setting Insecure Secrets\", \n  \"Content\": \"CVE ID : CVE-2024-47762 \nPublished : Oct. 3, 2024, 6:15 p.m. | 27\u00a0minutes ago \nDescription : Backstage is an open framework for building developer portals. Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes. The issue has been resolved in version 0.3.75 of the @backstage/plugin-app-backend package. As a temporary measure, avoid supplying secrets using the APP_CONFIG_ configuration pattern. Consider alternative methods for setting secrets, such as the environment substitution available for Backstage configuration. \nSeverity: 5.8 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"03 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-03T20:48:03.000000Z"}, {"uuid": "cbee95bf-a300-4d27-98fa-1c17dfb3929a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47764", "type": "seen", "source": "https://gist.github.com/animesh-1121/c5f18322202fe7ce4b456e08d21dc4d7", "content": "", "creation_timestamp": "2025-06-23T12:01:38.000000Z"}, {"uuid": "7c72d66f-6efb-4aed-a8fd-2162ac28aace", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47764", "type": "seen", "source": "https://gist.github.com/jrvssingh-cpu/5ca4be6b05f749c6962d84fae197cdc9", "content": "", "creation_timestamp": "2026-02-25T10:55:46.000000Z"}, {"uuid": "b8a670f5-31a2-43fe-abe8-c7408b633069", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47761", "type": "seen", "source": "https://t.me/cvedetector/12645", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47761 - GLPI Account Privilege Escalation Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-47761 \nPublished : Dec. 11, 2024, 5:15 p.m. | 19\u00a0minutes ago \nDescription : GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"11 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-11T18:35:02.000000Z"}, {"uuid": "6f7b825b-4a10-4813-bd33-c8107890bffb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47760", "type": "seen", "source": "https://t.me/cvedetector/12644", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47760 - GLPI Privilege Escalation Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-47760 \nPublished : Dec. 11, 2024, 5:15 p.m. | 19\u00a0minutes ago \nDescription : GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"11 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-11T18:35:01.000000Z"}, {"uuid": "b03a64f9-f30f-40f6-ab7d-104aab9cf58d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47767", "type": "seen", "source": "https://t.me/cvedetector/7853", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47767 - Tuleap Inadvertent Tracker Access Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-47767 \nPublished : Oct. 14, 2024, 6:15 p.m. | 30\u00a0minutes ago \nDescription : Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.113, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-5, users might see tracker names they should not have access to. Tuleap Community Edition 15.13.99.113, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-8 fix this issue. \nSeverity: 4.3 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"14 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-14T20:51:52.000000Z"}, {"uuid": "25323914-9154-4330-982a-dfcce6e48252", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47766", "type": "seen", "source": "https://t.me/cvedetector/7852", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47766 - \"Tuleap Unrestricted Cross-Tracker Search Vulnerability\"\", \n  \"Content\": \"CVE ID : CVE-2024-47766 \nPublished : Oct. 14, 2024, 6:15 p.m. | 30\u00a0minutes ago \nDescription : Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.110, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-5, administrators of a project can access the content of trackers with permissions restrictions of project they are members of but not admin via the cross tracker search widget. Tuleap Community Edition 15.13.99.110, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-8 fix this issue. \nSeverity: 4.9 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"14 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-14T20:51:51.000000Z"}, {"uuid": "92da4395-6e57-4ce5-b3d0-53a4290dadb6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47763", "type": "seen", "source": "https://t.me/cvedetector/7518", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47763 - Wasmtime WebAssembly Denial-of-Service Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-47763 \nPublished : Oct. 9, 2024, 6:15 p.m. | 18\u00a0minutes ago \nDescription : Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtime crash is a deterministic process abort when Wasmtime is compiled with Rust 1.81 and later. WebAssembly tail calls are a proposal which relatively recently reached stage 4 in the standardization process. Wasmtime first enabled support for tail calls by default in Wasmtime 21.0.0, although that release contained a bug where it was only on-by-default for some configurations. In Wasmtime 22.0.0 tail calls were enabled by default for all configurations. The specific crash happens when an exported function in a WebAssembly module (or component) performs a `return_call` (or `return_call_indirect` or `return_call_ref`) to an imported host function which captures a stack trace (for example, the host function raises a trap). In this situation, the stack-walking code previously assumed there was always at least one WebAssembly frame on the stack but with tail calls that is no longer true. With the tail-call proposal it's possible to have an entry trampoline appear as if it directly called the exit trampoline. This situation triggers an internal assert in the stack-walking code which raises a Rust `panic!()`. When Wasmtime is compiled with Rust versions 1.80 and prior this means that an `extern \"C\"` function in Rust is raising a `panic!()`. This is technically undefined behavior and typically manifests as a process abort when the unwinder fails to unwind Cranelift-generated frames. When Wasmtime is compiled with Rust versions 1.81 and later this panic becomes a deterministic process abort. Overall the impact of this issue is that this is a denial-of-service vector where a malicious WebAssembly module or component can cause the host to crash. There is no other impact at this time other than availability of a service as the result of the crash is always a crash and no more. This issue was discovered by routine fuzzing performed by the Wasmtime project via Google's OSS-Fuzz infrastructure. We have no evidence that it has ever been exploited by an attacker in the wild. All versions of Wasmtime which have tail calls enabled by default have been patched: * 21.0.x - patched in 21.0.2 * 22.0.x - patched in 22.0.1 * 23.0.x - patched in 23.0.3  * 24.0.x - patched in 24.0.1 * 25.0.x - patched in 25.0.2. Wasmtime versions from 12.0.x (the first release with experimental tail call support) to 20.0.x (the last release with tail-calls off-by-default) have support for tail calls but the support is disabled by default. These versions are not affected in their default configurations, but users who explicitly enabled tail call support will need to either disable tail call support or upgrade to a patched version of Wasmtime. The main workaround for this issue is to disable tail support for tail calls in Wasmtime, for example with `Config::wasm_tail_call(false)`. Users are otherwise encouraged to upgrade to patched versions. \nSeverity: 5.5 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"09 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-09T20:40:38.000000Z"}, {"uuid": "c52520e8-ce8a-4085-b5ab-6342e9a8a609", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47769", "type": "seen", "source": "https://t.me/cvedetector/6992", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47769 - IDURAR LFI/VBS Directory Traversal\", \n  \"Content\": \"CVE ID : CVE-2024-47769 \nPublished : Oct. 4, 2024, 3:15 p.m. | 18\u00a0minutes ago \nDescription : IDURAR is open source ERP CRM accounting invoicing software. The vulnerability exists in the corePublicRouter.js file. Using the reference usage here, it is identified that the public endpoint is accessible to an unauthenticated user. The user's input is directly appended to the join statement without additional checks. This allows an attacker to send URL encoded malicious payload. The directory structure can be escaped to read system files by adding an encoded string (payload) at subpath location. \nSeverity: 7.5 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"04 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-04T17:42:43.000000Z"}, {"uuid": "b6f7c500-4b66-463d-a8f5-fa1ad2c50d9d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47765", "type": "seen", "source": "https://t.me/cvedetector/6991", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47765 - Minecraft MOTD Parser XSS Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-47765 \nPublished : Oct. 4, 2024, 3:15 p.m. | 18\u00a0minutes ago \nDescription : Minecraft MOTD Parser is a PHP library to parse minecraft server motd. The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD. The HtmlGenerator iterates through objects of MotdItem that are contained in an object of MotdItemCollection to generate a HTML string. An attacker can make malicious inputs to the color and text properties of MotdItem to inject own HTML into a web page during web page generation. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the HtmlGenerator. This XSS vulnerability exists because the values of these properties are neither filtered nor escaped. This vulnerability is fixed in 1.0.6. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"04 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-04T17:42:42.000000Z"}, {"uuid": "6aa1647d-6757-4197-9e8c-e64f5be32c50", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47768", "type": "seen", "source": "https://t.me/cvedetector/6990", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47768 - Lif Authentication Server Account Takeover Vulnerability (Authentication Bypass)\", \n  \"Content\": \"CVE ID : CVE-2024-47768 \nPublished : Oct. 4, 2024, 3:15 p.m. | 18\u00a0minutes ago \nDescription : Lif Authentication Server is a server used by Lif to do various tasks regarding Lif accounts. This vulnerability has to do with the account recovery system where there does not appear to be a check to make sure the user has been sent the recovery email and entered the correct code. If the attacker knew the email of the target, they could supply the email and immediately prompt the server to update the password without ever needing the code. This issue has been patched in version 1.7.3. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"04 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-04T17:42:41.000000Z"}, {"uuid": "4bad80b8-9513-4035-8a5a-d9a4f096f100", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47764", "type": "seen", "source": "https://t.me/cvedetector/7021", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47764 - Cookie vulnerable to Unauthorized Field Modification\", \n  \"Content\": \"CVE ID : CVE-2024-47764 \nPublished : Oct. 4, 2024, 8:15 p.m. | 25\u00a0minutes ago \nDescription : cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"04 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-04T22:43:39.000000Z"}]}