CVE-2024-1256
published 2024-02-06CVE-2024-1256: A vulnerability was found in Jspxcms 10.2.0 and classified as problematic. This issue affects some unknown processing of the file /ext/collect/filter_text.do…
PriorityP422medium4.3CVSS 3.1
AVNACLPRNUIRSUCNILAN
EPSS
0.55%
41.9th percentile
A vulnerability was found in Jspxcms 10.2.0 and classified as problematic. This issue affects some unknown processing of the file /ext/collect/filter_text.do. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252995.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| pytorch | torchserve | >= 0.3.0 < 0.11.0 | 0.11.0 |
| ujcms | jspxcms | — | — |
CVSS provenance
nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:N/I:P/A:N
vendor_redhat9.8CRITICAL
vendor_msrc5.9MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
TorchServe gRPC Port Exposure
ghsa·2024-07-18
CVE-2024-35199 [HIGH] CWE-1256 TorchServe gRPC Port Exposure
TorchServe gRPC Port Exposure
### Impact
The two gRPC ports 7070 and 7071, are not bound to [localhost](http://localhost/) by default, so when TorchServe is launched, these two interfaces are bound to all interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected.
### Patches
This issue in TorchServe has been fixed in [#3083](https://github.com/pytorch/serve/pull/3083).
TorchServe release 0.11.0 includes the fix to address this vulnerability.
### References
* [#3083](https://github.com/pytorch/serve/pull/3083)
* [TorchServe release v0.11.0](https://github.com/pytorch/serve/releases/tag/v0.11.0)
Thank Kroll Cyber Risk for for responsibly disclosing this issue.
If you have any questions or comments about this advisory,
GHSA
GHSA-2c82-fg6w-rjhp: A vulnerability was found in Jspxcms 10
ghsa_unreviewed·2024-02-06
CVE-2024-1256 [MEDIUM] CWE-79 GHSA-2c82-fg6w-rjhp: A vulnerability was found in Jspxcms 10
A vulnerability was found in Jspxcms 10.2.0 and classified as problematic. This issue affects some unknown processing of the file /ext/collect/filter_text.do. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252995.
Red Hat
microcode_ctl: Improper restriction of software interfaces to hardware features
vendor_redhat·2025-05-13·CVSS 5.6
CVE-2024-48869 [MEDIUM] CWE-1256 microcode_ctl: Improper restriction of software interfaces to hardware features
microcode_ctl: Improper restriction of software interfaces to hardware features
Improper restriction of software interfaces to hardware features for some Intel(R) Xeon(R) 6 processor with E-cores when using Intel(R) Trust Domain Extensions (Intel(R) TDX) or Intel(R) Software Guard Extensions (Intel(R) SGX) may allow a privileged user to potentially enable escalation of privilege via local access.
Package: microcode_ctl (Red Hat Enterprise Linux 10) - Fix deferred
Package: microcode_ctl (Red Hat Enterprise Linux 6) - Fix deferred
Package: microcode_ctl (Red Hat Enterprise Linux 7) - Fix deferred
Package: microcode_ctl (Red Hat Enterprise Linux 8) - Fix deferred
Package: microcode_ctl (Red Hat Enterprise Linux 9) - Fix deferred
Microsoft
Fault Injection of RSA encryption in WolfCrypt
vendor_msrc·2024-08-13·CVSS 5.9
CVE-2024-1545 [MEDIUM] CWE-1256 Fault Injection of RSA encryption in WolfCrypt
Fault Injection of RSA encryption in WolfCrypt
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
wolfSSL: wolfSSL
Customer Action Required: Yes
Red Hat
kernel: f2fs: compress: don't allow unaligned truncation on released compress inode
vendor_redhat·2024-06-24·CVSS 5.5
CVE-2024-33847 [MEDIUM] CWE-841 kernel: f2fs: compress: don't allow unaligned truncation on released compress inode
kernel: f2fs: compress: don't allow unaligned truncation on released compress inode
In the Linux kernel, the following vulnerability has been resolved:
f2fs: compress: don't allow unaligned truncation on released compress inode
f2fs image may be corrupted after below testcase:
- mkfs.f2fs -O extra_attr,compression -f /dev/vdb
- mount /dev/vdb /mnt/f2fs
- touch /mnt/f2fs/file
- f2fs_io setflags compression /mnt/f2fs/file
- dd if=/dev/zero of=/mnt/f2fs/file bs=4k count=4
- f2fs_io release_cblocks /mnt/f2fs/file
- truncate -s 8192 /mnt/f2fs/file
- umount /mnt/f2fs
- fsck.f2fs /dev/vdb
[ASSERT] (fsck_chk_inode_blk:1256) --> ino: 0x5 has i_blocks: 0x00000002, but has 0x3 blocks
[FSCK] valid_block_count matching with CP [Fail] [0x4, 0x5]
[FSCK] other corrupted bugs [Fail]
The reason is: partial
Red Hat
liboqs: leakable Secret Key of ML-DSA via Rowhammer
vendor_redhat·2024-05-24·CVSS 9.8
CVE-2024-31510 [CRITICAL] CWE-1256 liboqs: leakable Secret Key of ML-DSA via Rowhammer
liboqs: leakable Secret Key of ML-DSA via Rowhammer
An issue in Open Quantum Safe liboqs v.10.0 allows a remote attacker to escalate privileges via the crypto_sign_signature parameter in the /pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.c component.
A Rowhammer vulnerability was found in liboqs. This flaw allows a remote attacker to escalate privileges via the crypto_sign_signature parameter.
Package: liboqs (Red Hat Enterprise Linux 10) - Will not fix
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-02-06
Published