Kibana 8.15.1 Amazon Bedrock YAML 反序列化漏洞（CVE-2024-37288）

Kibana 是开源的数据分析和可视化平台，Amazon Bedrock 是用于生成 AI 应用程序的服务，Kibana 中的 Amazon Bedrock connector 是用于将 Kibana 与 Amazon Bedrock 集成的连接器插件。2024年9月，官方披露 CVE\-2024\-37288 Kibana 8.15.1 Amazon Bedrock YAML 反序列化漏洞。当 Kibana 启用 Integration Assistant 功能并配置了 Amazon Bedrock 连接器时，解析攻击者构造的恶意 YAML 文档会触发反序列化漏洞，攻击者可利用该漏洞远程执行任意代码。

Kingsoft WPS Office Path Traversal Vulnerability

Kingsoft WPS Office contains a path traversal vulnerability in promecefpluginhost.exe on Windows that allows an attacker to load an arbitrary Windows library.

Draytek VigorConnect Path Traversal Vulnerability

Draytek VigorConnect contains a path traversal vulnerability in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Draytek VigorConnect Path Traversal Vulnerability

Draytek VigorConnect contains a path traversal vulnerability in the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

SparkShop存在任意文件上传漏洞（CVE-2024-6730）

南京星宇图科技SparkShop在版本1.1.6中发现了一个严重漏洞。该漏洞影响文件/api/Common/uploadFile的某些未知处理过程。由于参数文件操作不当，导致上传不受限制。攻击可能远程发起。该漏洞已被公开披露并可被利用。该漏洞的关联标识符为VDB\-271403。