Red Hat Security Advisory 2024-9637-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9637.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: webkit2gtk3 security updateAdvisory ID:        RHSA-2024:9637-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9637Issue date:         2024-11-15Revision:           03CVE Names:          CVE-2024-44185====================================================================Summary: An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.Security Fix(es):* webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-44185)* webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-44244)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-44185References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2323263https://bugzilla.redhat.com/show_bug.cgi?id=2323278

Red Hat Security Advisory 2024-9637-03

Red Hat Security Advisory 2024-9627-03 - Red Hat OpenShift Service Mesh Containers for 2.6.3. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9627.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat OpenShift Service Mesh Containers for 2.6.3Advisory ID:        RHSA-2024:9627-03Product:            Red Hat OpenShift Service MeshAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9627Issue date:         2024-11-15Revision:           03CVE Names:          CVE-2024-21536====================================================================Summary: Red Hat OpenShift Service Mesh Containers for 2.6.3This update has a security impact of Moderate. A Common Vulnerability ScoringSystem (CVSS) base score, which gives a detailed severity rating, is availablefor each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.Security Fix(es):* kiali-ossmc-container: Denial of Service [ossm-2.6] (CVE-2024-21536) (OSSM-8280)* openshift-istio-kiali-rhel8-container: Denial of Service [ossm-2.6] (CVE-2024-21536) (OSSM-8281)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21536References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2319884

Red Hat Security Advisory 2024-9627-03

Red Hat Security Advisory 2024-9624-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9624.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid:4 security updateAdvisory ID:        RHSA-2024:9624-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9624Issue date:         2024-11-15Revision:           03CVE Names:          CVE-2024-45802====================================================================Summary: An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.Security Fix(es):* squid: Denial of Service processing ESI response content (CVE-2024-45802)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-45802References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2322154

Red Hat Security Advisory 2024-9624-03

Companies that recognize current market opportunities — from the need to safely implement revolutionary technology like AI to the vast proliferation of cyber threats — have remarkable growth prospects.

Source" Brian Jackson via Alamy Stock Photo

Companies have never faced a wider and more dynamic array of cyber threats than they do right now. From rapidly rising costs associated with data breaches and other cyberattacks to the exploitation of artificial intelligence (AI) to make attacks more effective than ever, the cyber-threat landscape is constantly evolving. This has led to a drastic increase in cybersecurity spending, as well as a wave of innovation in the sector.

As cyberattacks become more targeted and sophisticated, there is a vast and growing market for solutions that help companies address their most vulnerable attack vectors. For example, cybercriminals often steal account names, passwords, and other credentials to launch attacks, which is why identity and access management have become key priorities for companies across many industries. Cybercriminals are also using AI resources such as LLMs to target employees with advanced social engineering attacks that allow them to infiltrate secure networks and steal information.

Cybercriminals and other bad actors such as hostile foreign governments are more motivated than ever to develop powerful cyber capabilities that enable them to hijack data, disrupt operations, and bypass existing cybersecurity protocols. This trend will only gain momentum, and revolutionary technology like AI will function as a force multiplier that makes cyberattacks more destructive and difficult to detect. This is why the cybersecurity industry will continue to see unprecedented demand and investment in the coming years.

**A New Era of Cyberattacks**

Companies are investing heavily in cybersecurity — according to a PwC survey, 77% of companies plan to increase their cyber budgets, while Gartner has projected that information security spending will spike by 15% in 2025. However, these investments haven't yet turned the tide against the onslaught of cyberattacks that are inflicting increasingly severe financial, reputational, and operational costs on companies. A 2024 IBM report found that the average cost of a data breach hit $4.88 million globally this year, a record high and a 10% increase from 2023.

The 2024 Allianz Risk Barometer found that cyber incidents are the top global business risk for the "first time and by a clear margin" — a finding that applies to companies of all sizes. AI is a key driver of this trend, as it has lowered the barriers to entry for cybercriminals around the world. For example, large language models (LLMs) allow cybercriminals to launch advanced phishing attacks regardless of their language skills or technical ability. Hostile foreign governments are using AI to launch cyberattacks as well — Microsoft reported that Russia, North Korea, and China are all using AI for surveillance, scripting, and social engineering.

As cyber threats become more dangerous and dynamic, the market for robust solutions will continue to expand. Companies in the sector will have to leverage emerging technology like AI and develop cybersecurity solutions that address specific vulnerabilities more effectively than their competitors.

**Opportunities in the Cybersecurity Market**

The cybersecurity industry has seen significant fragmentation in recent years as the demand for specialized solutions increases. Particular categories of cyberattacks, such as phishing, call for targeted solutions capable of countering the latest cybercriminal tactics. IBM reported that phishing is one of the most common and financially destructive initial attack vectors, which means cybercriminals are using it to gain access and launch broader cyberattacks. A major goal of phishing attacks is credential theft, which is why stolen or compromised credentials are involved in initial attacks more often than any other individual factor.

Companies like Strata help customers resist phishing attacks and other forms of credential theft with holistic identity and access management solutions. The reliance on legacy systems is one of the most urgent cybersecurity challenges many companies face — a challenge that has become all the more daunting due to the growing risk posed by third-party vendors and other partners. Supply chain cyberattacks are becoming increasingly common — Verizon found that there was a 68% increase in "supply chain interconnection" involved in breaches between 2023 and 2024.

Integrated cybersecurity solutions are critical, as cybercriminals and other bad actors need only  a single access point to infiltrate an organization. Solutions that help customers modernize their cybersecurity infrastructure for the evolving cyber-threat landscape are becoming more vital. Chief information security officers (CISOs) and other cybersecurity leaders need access to simplified solutions that break down silos between IT and security teams, meet increasingly stringent compliance demands, and help them evaluate and address vulnerabilities.

**Maximizing the Impact of Emerging Technology**

While AI is propelling a new wave of cyberattacks, it can also be harnessed to keep companies safer. Companies can use AI to simulate cyberattacks, detect malicious activity, prioritize cyber threats and potential vulnerabilities, and protect data across many different environments. However, AI still faces significant trust issues, due to problems like hallucinations (when LLMs present false information as accurate) and the existence of "black box" machine learning algorithms that don't provide any transparency into their decision-making processes.

According to a recent survey of 6,000 knowledge workers, 54% of AI users don't trust the data used to train AI systems — and more than two-thirds of these workers say they're hesitant to adopt AI. Meanwhile, laws and regulations around AI are becoming stricter all the time. For example, the EU AI Act requires companies to mitigate systemic risks, report cyber incidents, and focus on cybersecurity in their AI implementations.

While the AI trust gap is hindering adoption of the technology and regulations are becoming tougher, this opens a market for companies that provide end-to-end AI governance. At a time when AI adoption is skyrocketing, companies need the infrastructure necessary to ensure compliance and monitor AI systems for potential cyber threats. IBM found that 82% of executives believe "secure and trustworthy AI is essential to the success of their business," but less than a quarter of generative AI projects are being secured.

From the need to safely implement technology like AI to the vast proliferation of cyber threats (many of which are being powered by that very same technology), the cybersecurity industry has reached an inflection point. The companies that recognize these market opportunities have remarkable growth prospects in the coming years.

**About the Author**

General Partner, Titanium Ventures

Marcus Bartram is General Partner at Titanium Ventures (former Telstra Ventures), a San Francisco-based VC firm that differentiates by generating revenue for its portfolio with strategic channel partners and customer relationships as well as by using data science to drive its investment process. Marcus is on the founding team and has led investments in cybersecurity companies like CrowdStrike, Auth0, Anomali, Cequence, CloudKnox, Cofense, CyberGRX, Elastica, vArmour, and Zimperium.

Why the Demand for Cybersecurity Innovation Is Surging

Another day, another hack at T-Mobile! This time, Chinese state-sponsored group Salt Typhoon hacked T-Mobile, targeting US telecoms…

Another day, another hack at T-Mobile! This time, Chinese state-sponsored group Salt Typhoon hacked T-Mobile, targeting US telecoms in a breach spree. The attack exposes vulnerabilities in telecom infrastructure and security.

T-Mobile has become the latest major telecommunications company to fall victim to a large-scale cyberespionage campaign linked to Chinese state-sponsored hackers. The group responsible for the hacking is identified as Salt Typhoon.

This was revealed on 15 November 2024, just a day after the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) **issued a joint advisory** detailing a sophisticated cyberespionage campaign by state-sponsored Chinese hackers that has successfully infiltrated US telecommunications networks.

The advisory confirmed that Chinese state-sponsored actors had compromised the networks of multiple telecommunications providers to steal customer data and intercept private communications.   

****T-Mobile Breach****

According to the Wall Street Journal **report**, hackers were able to breach T-Mobile’s systems and gain access to valuable intelligence, including the cellphone communications of high-value targets,

The group used advanced techniques to infiltrate American telecom infrastructure, including Cisco Systems routers, artificial intelligence or machine learning for their espionage activities and likely obtained call logs, unencrypted texts, and audio from targets, possibly posing national security risks.

While T-Mobile has maintained that no sensitive customer data has been compromised, the possible implications of this breach are hard to ignore. The hackers may have gained access to sensitive information about law enforcement surveillance requests, call records of specific customers, and even private communications of targeted individuals.

“T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information,” a company spokeswoman told Hackread.com. “We will continue to monitor this closely, working with industry peers and the relevant authorities.”

****Salt Typhoon****

Hackread.com has been following Salt Typhoon’s activities and has observed that this group has been particularly interested in the wiretap systems that telecom companies are legally obligated to maintain for law enforcement purposes.

In October 2024, it was reported that **Salt Typhoon hacked AT&T and Verizon** to access wiretap data. This data, essential for government-mandated surveillance, is a prime target for cybercrime groups seeking to exploit vulnerabilities and gain access to sensitive information.

****T-Mobile Keeps Getting Breached****

It’s important to note that T-Mobile’s cybersecurity practices have received massive **criticism lately** given the frequency of data breaches it has been experiencing. The company settled a $31.5 million FCC settlement for prior breaches, half of which was for security infrastructure improvement.

T-Mobile, owned by Deutsche Telekom, has faced particularly challenging years due to repeatedly being targeted by data breaches. **Back in August 2021**, the company lost data of 49 million T-Mobile account holders, whereas the hackers claimed they stole data of 100 million users.

T-Mobile has also experienced at least six reported data breaches (**1, 2, 3, 4, 5**, **6**) between 2015 and 2023, making it safe to say that a cybersecurity year without a T-Mobile security incident is a rare occurrence.

Nevertheless, the latest T-Mobile breach shows that the company needs to rethink its entire approach to cybersecurity. Telecom companies should focus on stronger security, invest in better threat detection systems, and use reliable encryption to handle cyber threats effectively.

1.  8220 Gang Targets Telecom in Cryptojacking Attack
2.  IoT Botnet DDoS Attacks Threaten Telecom Networks, Nokia
3.  Hackers Breach TPG Telecoms’ Email Host to Steal Client Data
4.  Minor arrest over A1 Telecom data breach and ransom demand
5.  Telecom giant behind routing SMS discloses 5-year-long breach

Chinese Salt Typhoon Hacked T-Mobile in US Telecom Breach Spree

The voluntary recommendations from the Department of Homeland Security cover how artificial intelligence should be used in the power grid, water system, air travel network, healthcare, and other pieces of critical infrastructure.

Source: GK Images via Alamy Stock Photo

The US Department of Homeland Security (DHS) has released recommendations that outline how to securely develop and deploy artificial intelligence (AI) in critical infrastructure. The recommendations apply to all players in the AI supply chain, starting with cloud and compute infrastructure providers, to AI developers, and all the way to critical infrastructure owners and operators. Recommendations for civil society and public-sector organizations are also provided.

The voluntary recommendations in "Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure" look at each of the roles across five key areas: securing environments, driving responsible model and system design, implementing data governance, ensuring safe and secure deployment, and monitoring performance and impact. There are also technical and process recommendations to enhance the safety, security, and trustworthiness of AI systems.

AI is already being used for resilience and risk mitigation across sectors, DHS said in a release, such as AI applications for earthquake detection, stabilizing power grids, and sorting mail.

The framework looks at each role's responsibilities:

*   Cloud and compute infrastructure providers need to vet their hardware and software supply chain, implement strong access management, and protect the physical security of data centers powering AI systems. The framework also has recommendations on supporting downstream customers and processes by monitoring for anomalous activity and establishing clear processes for reporting suspicious and harmful activities.
    
*   AI developers should adopt a secure by design approach, evaluate dangerous capabilities of AI models, and "ensure model alignment with human-centric values." The framework further encourages AI developers to implement strong privacy practices; conduct evaluations that test for possible biases, failure modes, and vulnerabilities; and support independent assessments for models that present heightened risks to critical infrastructure systems and their consumers.
    
*   Critical infrastructure owners and operators should deploy AI systems securely, including maintaining strong cybersecurity practices that account for AI-related risks, protecting customer data when fine-tuning AI products, and providing meaningful transparency regarding their use of AI to provide goods, services, or benefits to the public.
    
*   Civil society, including universities, research institutions, and consumer advocates engaged on issues of AI safety and security, should continue working on standards development alongside government and industry, as well as research on AI evaluations that considers critical infrastructure use cases.
    
*   Public sector entities, including federal, state, local, tribal, and territorial governments, should advance standards of practice for AI safety and security through statutory and regulatory action.
    

"The framework, if widely adopted, will go a long way to better ensure the safety and security of critical services that deliver clean water, consistent power, Internet access, and more," said DHS secretary Alejandro N. Mayorkas, in a statement.

The DHS framework proposes a model of shared and separate responsibilities for the safe and secure use of AI in critical infrastructure. It also relies on existing risk frameworks to enable entities to evaluate whether using AI for certain systems or applications carries severe risks that could cause harm.

"We intend the framework to be, frankly, a living document and to change as developments in the industry change as well," Mayorkas said during a media call.

DHS Releases Secure AI Framework for Critical Infrastructure

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django-cms allows Cross-Site Scripting (XSS).This issue affects django-cms: 3.11.7, 3.11.8, 4.1.2, 4.1.3.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-gv5h-5655-h4mv: django CMS Cross-Site Scripting (XSS)

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users.

This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.

Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-52317

**Apache Tomcat Request and/or response mix-up**

Moderate severity GitHub Reviewed Published Nov 18, 2024 to the GitHub Advisory Database • Updated Nov 18, 2024

**Package**

maven org.apache.tomcat.embed:tomcat-embed-core (Maven)

**Affected versions**

\>= 9.0.92, < 9.0.96

\>= 10.1.27, < 10.1.31

\>= 11.0.0-M23, < 11.0.0

**Patched versions**

9.0.96

10.1.31

11.0.0

maven org.apache.tomcat:tomcat-coyote (Maven)

\>= 9.0.92, < 9.0.96

\>= 10.1.27, < 10.1.31

\>= 11.0.0-M23, < 11.0.0

**Description**

Published to the GitHub Advisory Database

Nov 18, 2024

Last updated

Nov 18, 2024

GHSA-qvf5-hvjx-wm27: Apache Tomcat Request and/or response mix-up

A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-48901

**moodle: IDOR when fetching report schedules**

Moderate severity GitHub Reviewed Published Nov 18, 2024 to the GitHub Advisory Database • Updated Nov 18, 2024

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.14

\>= 4.2.0, < 4.2.11

\>= 4.3.0, < 4.3.8

\>= 4.4.0, < 4.4.4

**Patched versions**

4.1.14

4.2.11

4.3.8

4.4.4

**Description**

Published to the GitHub Advisory Database

Nov 18, 2024

Last updated

Nov 18, 2024

GHSA-mg54-p2wj-5ph7: moodle: IDOR when fetching report schedules

A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify.

Tag

#vulnerability