CVE-2024-8695

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Sep 12, 2024 / Updated: 2mo ago

CVSS 9 / EPSS 0.04% / Critical

Summary

A remote code execution (RCE) vulnerability via crafted extension description/changelog could be abused by a malicious extension in Docker Desktop before version 4.34.2. This vulnerability is associated with improper neutralization of input during web page generation (Cross-site Scripting) and improper control of generation of code (Code Injection).

Impact

This vulnerability has a critical severity with a CVSS v4 base score of 9.0. If exploited, it could lead to high impacts on the vulnerable system's confidentiality, integrity, and availability. Additionally, it could have high impacts on subsequent systems' confidentiality, integrity, and availability. The attack vector is network-based, requiring high attack complexity and passive user interaction, but no privileges are required to execute the attack.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability affects Docker Desktop versions before 4.34.2, so upgrading to version 4.34.2 or later mitigates it.

Mitigation

1. Upgrade Docker Desktop to version 4.34.2 or later as soon as possible.
2. Implement strict input validation and sanitization for extension descriptions and changelogs.
3. Apply the principle of least privilege to limit the potential impact of successful exploits.
4. Regularly monitor and audit Docker Desktop extensions for suspicious activity.
5. Educate users about the risks of installing untrusted extensions.
6. Consider implementing additional security controls such as web application firewalls to help detect and prevent cross-site scripting and code injection attacks.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-8695

Sep 12, 2024 at 6:15 PM
CVSS

A CVSS base score of 9 has been assigned.

Sep 12, 2024 at 6:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-8695.

Sep 12, 2024 at 6:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 12, 2024 at 6:21 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380499)

Sep 13, 2024 at 7:16 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.6%)

Sep 13, 2024 at 9:44 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Sep 13, 2024 at 4:05 PM / nvd

Affected Systems

Docker/desktop

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

References

Release notes
This page contains information about the new features, improvements, known issues, and bug fixes in Docker Desktop releases. For frequently asked questions about Docker Desktop releases, see FAQs. Docker Desktop versions older than 6 months from the latest release are not available for download. Take a look at the Docker Public Roadmap to see what's coming next.
2024-09-12
Fixed a bug where docker compose up would become unresponsive while in Resource Saver mode.
Fixed CVE-2024-8695 which allows RCE via crafted extension description/changelog which could be abused by a malicious extension.

News

Vulnerability Summary for the Week of September 9, 2024
Update Thu Oct 10 22:28:19 UTC 2024
Third-Party Software Update Catalog Release History – September 2024
Docker security advisory: Docker Desktop release notes 4.34.2
CVE-2024-8695 (9.0 critical): RCE via crafted extension description/changelog
CVE-2024-8696 (8.9 high): RCE via crafted extension publisher-url/additional-urls
Disclosed 12 September 2024, I figure someone would be worried about it. No mention of exploitation.
Docker Desktop Security Update Advisory (CVE-2024-8695, CVE-2024-8696)
An update has been released to address vulnerabilities in Docker Desktop. If you are using an affected version, please follow the instructions on the referenced sites to update to the latest patched version.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
