CVE-2024-1258
Published 2024-02-06
Priority P3 (36) · CVSS 3.1 base score 5.9 (medium) · vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.61% (44.6th percentile)
A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| juanpao | jpshop | <= 1.5.02 | — |
| juanpao | jpshop | — | — |
| msrc | cbl2_kernel_5.15.186.1-1_on_cbl_mariner_2.0 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd (v2.0) | 1.8 | LOW | AV:A/AC:H/Au:N/C:P/I:N/A:N |
| vendor_msrc | 8.1 | HIGH | — |
| vendor_redhat | 5.3 | MEDIUM | — |
GHSA
GHSA-8pj9-c2gq-jhw8 (ghsa_unreviewed · 2024-02-06) — CVE-2024-1258 [LOW] CWE-321
A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability.
Red Hat
CVE-2024-6234 [MEDIUM] CWE-1258 (vendor_redhat · 2025-07-16 · CVSS 5.3)
ansible-automation-platform: EDA server exposes websocket jwt when running rulebook activations in debug mode
A flaw was found in the Ansible Automation Platform. The Event-Driven Ansible server exposes the WebSocket JSON web token (JWT) when running Rulebook activations in debug mode, which, if obtained by an attacker, can be used to connect to the socket and issue commands that return Playbook content or other sensitive data.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: event_driven (Red Hat Ansible Automation Platform 2) - Affected
Microsoft
CVE-2024-36913 [HIGH] CWE-1258 (vendor_msrc · 2024-05-14 · CVSS 8.1)
Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Linux: Linux
Customer Action Required: Yes
Microsoft
CVE-2024-36912 [HIGH] CWE-1258 (vendor_msrc · 2024-05-14 · CVSS 8.1)
Drivers: hv: vmbus: Track decrypted status in vmbus_gpadl
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Linux: Linux
Customer Action Required: Yes
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.