CVE-2024-6238
Published 2024-06-25
Priority: P427 (medium)
CVSS 3.1: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS: 0.25% (15.7th percentile)
pgAdmin <= 8.8 has an installation Directory permission issue. Because of this issue, attackers can gain unauthorised access to the installation directory on the Debian or RHEL 8 platforms.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | >= 5.0.0-beta.1 < 5.2.3 | 5.2.3 |
| pgadmin.org | pgadmin_4 | < 8.9 | 8.9 |
| pgadmin | pgadmin_4 | < 8.9 | 8.9 |
GHSA · 2024-07-25 · CVE-2024-41800 [MEDIUM] CWE-287
Craft CMS Allows TOTP Token To Stay Valid After Use
Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period.
### Impact
An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials.
A TOTP token can be used multiple times to establish an authenticated session.
[RFC 6238](https://www.rfc-editor.org/rfc/rfc6238) insists that an OTP must not be used more than once.
> The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
The OWASP Application Security Verification Standard v4.0.3 (ASVS) [reiterates
this property with requirement 2.8.4](https://git
GHSA (unreviewed) · 2024-06-25 · CVE-2024-6238 [HIGH] CWE-276
GHSA-783m-7jjf-pmgr: pgAdmin <= 8
pgAdmin <= 8.8 has an installation Directory permission issue. Because of this issue, attackers can gain unauthorised access to the installation directory on the Debian or RHEL 8 platforms.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.