US-CERT Vulnerability Summary for the Week of September 18, 2023
Bulletins provide weekly summaries of new vulnerabilities. Patch information is provided when available.
High Vulnerabilities
Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
acronis — cyber_protect_home_office | Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40713. | 2023-09-20 | 7.5 | CVE-2023-5042 MISC |
apple — multiple_products | The issue was addressed with improved checks. This issue is fixed in Safari 17, iOS 16.7 and iPadOS 16.7, macOS Sonoma 14. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. | 2023-09-21 | 9.8 | CVE-2023-41993 MISC MISC MISC MISC |
apple — multiple_products | The issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.7, macOS Ventura 13.6, iOS 16.7 and iPadOS 16.7. A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. | 2023-09-21 | 7.8 | CVE-2023-41992 MISC MISC MISC |
artifex — ghostscript | In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server). | 2023-09-18 | 9.8 | CVE-2023-43115 MISC MISC MISC |
atlassian — bitbucket_server | This High severity RCE (Remote Code Execution) vulnerability was introduced in version 8.0.0 of Bitbucket Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bitbucket Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.5 Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.5 Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.4 Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.2 Bitbucket Data Center and Server 8.13: Upgrade to a release greater than or equal to 8.13.1 Bitbucket Data Center and Server 8.14: Upgrade to a release greater than or equal to 8.14.0 Bitbucket Data Center and Server version >= 8.0 and < 8.9: Upgrade to any of the listed fix versions. See the release notes (https://confluence.atlassian.com/bitbucketserver/release-notes). You can download the latest version of Bitbucket Data Center and Server from the download center (https://www.atlassian.com/software/bitbucket/download-archives). This vulnerability was discovered by a private user and reported via our Bug Bounty program | 2023-09-19 | 8.8 | CVE-2023-22513 MISC MISC |
automataci — automataci | AutomataCI is a template git repository equipped with a native built-in semi-autonomous CI tools. An issue in versions 1.4.1 and below can let a release job reset the git root repository to the first commit. Version 1.5.0 has a patch for this issue. As a workaround, make sure the `PROJECT_PATH_RELEASE` (e.g. `releases/`) directory is manually and actually `git cloned` properly, making it a different git repostiory from the root git repository. | 2023-09-22 | 9.1 | CVE-2023-42798 MISC MISC |
blamer — blamer | Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (–) to communicate the end of options. | 2023-09-19 | 9.1 | CVE-2023-26143 MISC MISC MISC |
cesanta — mjs | Cesanta mjs v2.20.0 was discovered to contain a function pointer hijacking vulnerability via the function mjs_get_ptr(). This vulnerability allows attackers to execute arbitrary code via a crafted input. | 2023-09-23 | 9.8 | CVE-2023-43338 MISC |
cimg — cimg | An issue in cimg.eu Cimg Library v2.9.3 allows an attacker to obtain sensitive information via a crafted JPEG file. | 2023-09-20 | 8.1 | CVE-2023-41484 MISC |
composer — composer | Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected. | 2023-09-21 | 8.8 | CVE-2015-8371 MISC MISC MISC MISC |
contribsys — faktory | Faktory is a language-agnostic persistent background job server. Prior to version 1.8.0, the Faktory web dashboard can suffer from denial of service by a crafted malicious url query param `days`. The vulnerability is related to how the backend reads the `days` URL query parameter in the Faktory web dashboard. The value is used directly without any checks to create a string slice. If a very large value is provided, the backend server ends up using a significant amount of memory and causing it to crash. Version 1.8.0 fixes this issue. | 2023-09-20 | 7.5 | CVE-2023-37279 MISC |
corecode — macupdater | An XPC misconfiguration vulnerability in CoreCode MacUpdater before 2.3.8, and 3.x before 3.1.2, allows attackers to escalate privileges by crafting malicious .pkg files. | 2023-09-20 | 7.8 | CVE-2023-41902 MISC MISC MISC |
croc — croc | An issue was discovered in Croc through 9.6.5. A sender may send dangerous new files to a receiver, such as executable content or a .ssh/authorized_keys file. | 2023-09-20 | 7.8 | CVE-2023-43619 MISC MISC MLIST |
croc — croc | An issue was discovered in Croc through 9.6.5. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver. | 2023-09-20 | 7.8 | CVE-2023-43620 MISC MISC MLIST |
curl — curl | When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory. | 2023-09-15 | 7.5 | CVE-2023-38039 MISC MISC MISC MISC |
d-link — d-view_8 | Use of a static key to protect a JWT token used in user authentication can allow an for an authentication bypass in D-Link D-View 8 v2.0.1.28 | 2023-09-20 | 9.8 | CVE-2023-5074 MISC |
d-link — di-7200g_firmware | D-Link DI-7200GV2.E1 v21.04.09E1 was discovered to contain a stack overflow via the zn_jb parameter in the arp_sys.asp function. | 2023-09-20 | 9.8 | CVE-2023-43196 MISC |
d-link — di-7200g_firmware | D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a stack overflow via the fn parameter in the tgfile.asp function. | 2023-09-20 | 9.8 | CVE-2023-43197 MISC |
d-link — di-7200g_firmware | D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a stack overflow via the popupId parameter in the H5/hi_block.asp function. | 2023-09-20 | 9.8 | CVE-2023-43198 MISC |
d-link — di-7200g_firmware | D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a stack overflow via the prev parameter in the H5/login.cgi function. | 2023-09-20 | 9.8 | CVE-2023-43199 MISC |
d-link — di-7200g_firmware | D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a stack overflow via the id parameter in the yyxz.data function. | 2023-09-20 | 9.8 | CVE-2023-43200 MISC |
d-link — di-7200g_firmware | D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a stack overflow via the hi_up parameter in the qos_ext.asp function. | 2023-09-20 | 9.8 | CVE-2023-43201 MISC MISC |
d-link — dir-806_firmware | D-LINK DIR-806 1200M11AC wireless router DIR806A1_FW100CNb11 is vulnerable to command injection due to lax filtering of HTTP_ST parameters. | 2023-09-21 | 9.8 | CVE-2023-43128 MISC MISC |
d-link — dir-806_firmware | D-LINK DIR-806 1200M11AC wireless router DIR806A1_FW100CNb11 is vulnerable to command injection due to lax filtering of REMOTE_PORT parameters. | 2023-09-22 | 9.8 | CVE-2023-43129 MISC MISC |
d-link — dir-806_firmware | D-LINK DIR-806 1200M11AC wireless router DIR806A1_FW100CNb11 is vulnerable to command injection. | 2023-09-22 | 9.8 | CVE-2023-43130 MISC MISC |
d-link — dir-816_a2_firmware | D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter statuscheckpppoeuser in dir_setWanWifi. | 2023-09-21 | 9.8 | CVE-2023-43236 MISC MISC |
d-link — dir-816_a2_firmware | D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter macCloneMac in setMAC. | 2023-09-21 | 9.8 | CVE-2023-43237 MISC MISC |
d-link — dir-816_a2_firmware | D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter nvmacaddr in form2Dhcpip.cgi. | 2023-09-21 | 9.8 | CVE-2023-43238 MISC MISC |
d-link — dir-816_a2_firmware | D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter flag_5G in showMACfilterMAC. | 2023-09-21 | 9.8 | CVE-2023-43239 MISC MISC |
d-link — dir-816_a2_firmware | D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter sip_address in ipportFilter. | 2023-09-21 | 9.8 | CVE-2023-43240 MISC MISC |
d-link — dir-816a2_firmware | D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter removeRuleList in form2IPQoSTcDel. | 2023-09-21 | 9.8 | CVE-2023-43242 MISC MISC |
d-link — dir-823g_firmware | D-Link DIR-823G v1.0.2B05 was discovered to contain a stack overflow via parameter StartTime and EndTime in SetWifiDownSettings. | 2023-09-21 | 9.8 | CVE-2023-43235 MISC MISC |
d-link — dir-823g_firmware | D-Link DIR-823G v1.0.2B05 was discovered to contain a stack overflow via parameter TXPower and GuardInt in SetWLanRadioSecurity. | 2023-09-21 | 9.8 | CVE-2023-43241 MISC MISC |
d-link — dwl-6610ap_firmware | D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command injection vulnerability in the function pcap_download_handler. This vulnerability allows attackers to execute arbitrary commands via the update.device.packet-capture.tftp-file-name parameter. | 2023-09-20 | 9.8 | CVE-2023-43202 MISC |
d-link — dwl-6610ap_firmware | D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a stack overflow vulnerability in the function update_users. | 2023-09-20 | 9.8 | CVE-2023-43203 MISC |
d-link — dwl-6610ap_firmware | D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command injection vulnerability in the function sub_2EF50. This vulnerability allows attackers to execute arbitrary commands via the manual-time-string parameter. | 2023-09-20 | 9.8 | CVE-2023-43204 MISC |
d-link — dwl-6610ap_firmware | D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command injection vulnerability in the function web_cert_download_handler. This vulnerability allows attackers to execute arbitrary commands via the certDownload parameter. | 2023-09-20 | 9.8 | CVE-2023-43206 MISC |
d-link — dwl-6610ap_firmware | D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command injection vulnerability in the function config_upload_handler. This vulnerability allows attackers to execute arbitrary commands via the configRestore parameter. | 2023-09-20 | 9.8 | CVE-2023-43207 MISC |
delta_electronics — diascreen | Delta Electronics DIAScreen may write past the end of an allocated buffer while parsing a specially crafted input file. This could allow an attacker to execute code in the context of the current process. | 2023-09-21 | 7.8 | CVE-2023-5068 MISC MISC |
digitaldruid — hoteldruid | Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php. | 2023-09-20 | 9.8 | CVE-2023-43371 MISC |
digitaldruid — hoteldruid | Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php. | 2023-09-20 | 9.8 | CVE-2023-43373 MISC |
digitaldruid — hoteldruid | Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php. | 2023-09-20 | 9.8 | CVE-2023-43374 MISC |
digitaldruid — hoteldruid | Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vulnerabilities at /hoteldruid/clienti.php via the annonascita, annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita, and mesescaddoc parameters. | 2023-09-20 | 9.8 | CVE-2023-43375 MISC |
dolibarr — dolibarr_erp\/crm | File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions. | 2023-09-20 | 8.8 | CVE-2023-38887 MISC MISC |
dolibarr — dolibarr_erp_crm | Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject. | 2023-09-20 | 9.6 | CVE-2023-38888 MISC MISC |
dolibarr — dolibarr_erp_crm | An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script. | 2023-09-20 | 7.2 | CVE-2023-38886 MISC MISC |
dreamer_cms — dreamer_cms | Dreamer CMS 4.1.3 is vulnerable to SQL Injection. | 2023-09-21 | 9.8 | CVE-2023-42279 MISC |
dst-admin — dst-admin | dst-admin v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the userId parameter at /home/playerOperate. | 2023-09-22 | 9.8 | CVE-2023-43270 MISC |
eclipse — remote_application_platform | In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component. The reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \ (backslashes) coming further back are kept. For example, a file name such as /..\..\webapps\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ..\..\webapps\shell.war in its webapps directory and can then be executed. | 2023-09-21 | 9.8 | CVE-2023-4760 MISC MISC |
elitecms — elite_cms | A file upload vulnerability in EliteCMS 1.01 allows a remote attacker to execute arbitrary code via the manage_uploads.php component. | 2023-09-20 | 8.8 | CVE-2023-42331 MISC MISC |
f-secure — client_security | Certain WithSecure products allow Denial of Service via a fuzzed PE32 file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1. | 2023-09-22 | 7.5 | CVE-2023-43760 MISC MISC |
f-secure — linux_protection | Certain WithSecure products allow Local privilege escalation via the lhz archive unpack handler. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1. | 2023-09-22 | 7.8 | CVE-2023-43766 MISC MISC |
f-secure — linux_protection | Certain WithSecure products allow Denial of Service (infinite loop). This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1. | 2023-09-22 | 7.5 | CVE-2023-43761 MISC MISC |
f-secure — linux_protection | Certain WithSecure products allow Denial of Service in the aeelf component. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1. | 2023-09-22 | 7.5 | CVE-2023-43765 MISC MISC |
f-secure — linux_protection | Certain WithSecure products allow Denial of Service via the aepack archive unpack handler. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1. | 2023-09-22 | 7.5 | CVE-2023-43767 MISC MISC |
falktx — cadence | Cadence through 0.9.2 2023-08-21 uses an Insecure /tmp/cadence-wineasio.reg Temporary File. The filename is used even if it has been created by a local adversary before Cadence started. The adversary can leverage this to create or overwrite files via a symlink attack. In some kernel configurations, code injection into the Wine registry is possible. | 2023-09-22 | 7.5 | CVE-2023-43783 MISC MISC |
fit2cloud — cloudexplorer_lite | An issue in CloudExplorer Lite 1.3.1 allows an attacker to obtain sensitive information via the login key component. | 2023-09-20 | 7.5 | CVE-2023-42147 MISC |
fl3xx — crew | Unrestricted File Upload vulnerability in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to execute arbitrary code via the add attachment function in the New Expense component. | 2023-09-20 | 8.8 | CVE-2023-42335 MISC |
foreman — foreman | An arbitrary code execution flaw was found in Foreman. This flaw allows an admin user to bypass safe mode in templates and execute arbitrary code on the underlying operating system. | 2023-09-20 | 9.1 | CVE-2023-0118 MISC MISC MISC |
foreman — foreman | An arbitrary code execution flaw was found in Foreman. This issue may allow an admin user to execute arbitrary code on the underlying operating system by setting global parameters with a YAML payload. | 2023-09-20 | 9.1 | CVE-2023-0462 MISC MISC |
fuxa — fuxa | FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin. | 2023-09-22 | 9.8 | CVE-2023-31719 MISC MISC MISC |
frappe_lms — frappe_lms | Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won’t face this issue if they are using the latest main branch of the app. | 2023-09-21 | 9.8 | CVE-2023-42807 MISC |
frauscher_sensortechnik_gmbh — fadc/fadci | Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a remote code execution (RCE) vulnerability via manipulated parameters of the web interface without authentication. This could lead to a full compromise of the FDS101 device. | 2023-09-21 | 9.8 | CVE-2023-4291 MISC |
frauscher_sensortechnik_gmbh — fadc/fadci | Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a path traversal vulnerability of the web interface by a crafted URL without authentication. This enables a remote attacker to read all files on the filesystem of the FDS101 device. | 2023-09-21 | 7.5 | CVE-2023-4152 MISC |
freeswitch — freeswitch | FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue. | 2023-09-15 | 7.5 | CVE-2023-40018 MISC MISC |
fujitsu — arconte_aurea | SQL injection vulnerability in Arconte Áurea, in its 1.5.0.0 version. The exploitation of this vulnerability could allow an attacker to read sensitive data from the database, modify data (insert/update/delete), perform database administration operations and, in some cases, execute commands on the operating system. | 2023-09-19 | 9.8 | CVE-2023-4092 MISC |
fujitsu — arconte_aurea | ARCONTE Aurea’s authentication system, in its 1.5.0.0 version, could allow an attacker to make incorrect access requests in order to block each legitimate account and cause a denial of service. In addition, a resource has been identified that could allow circumventing the attempt limit set in the login form. | 2023-09-19 | 8.2 | CVE-2023-4094 MISC |
fujitsu — arconte_aurea | Weak password recovery mechanism vulnerability in Fujitsu Arconte Áurea version 1.5.0.0, which exploitation could allow an attacker to perform a brute force attack on the emailed PIN number in order to change the password of a legitimate user. | 2023-09-19 | 8.2 | CVE-2023-4096 MISC |
fuxa — fuxa | FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log | 2023-09-22 | 7.5 | CVE-2023-31716 MISC MISC |
fuxa — fuxa | A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database. | 2023-09-22 | 7.5 | CVE-2023-31717 MISC MISC MISC |
fuxa — fuxa | FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download. | 2023-09-22 | 7.5 | CVE-2023-31718 MISC MISC MISC |
gitlab — gitlab | An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This was a bypass of [CVE-2023-3932](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932) showing additional impact. | 2023-09-19 | 9.8 | CVE-2023-5009 MISC MISC |
gomarkdown — markdown | The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion `0.0.0-20230922105210-14b16010c2ee`, which corresponds with commit `14b16010c2ee7ff33a940a541d993bd043a88940`, parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability. To exploit the vulnerability, parser needs to have `parser.Mmark` extension set. The panic occurs inside the `citation.go` file on the line 69 when the parser tries to access the element past its length. This can result in a denial of service. Commit `14b16010c2ee7ff33a940a541d993bd043a88940`/pseudoversion `0.0.0-20230922105210-14b16010c2ee` contains a patch for this issue. | 2023-09-22 | 7.5 | CVE-2023-42821 MISC MISC MISC |
ibm — person_communications | IBM Personal Communications 14.05, 14.06, and 15.0.0 could allow a local user to escalate their privileges to the SYSTEM user due to overly permissive access controls. IBM X-Force ID: 260138. | 2023-09-20 | 7.8 | CVE-2023-37410 MISC MISC |
icmsdev — icms | Insecure Permissions vulnerability in icmsdev iCMS v.7.0.16 allows a remote attacker to obtain sensitive information. | 2023-09-20 | 9.8 | CVE-2023-42322 MISC MISC |
icmsdev — icms | Cross Site Request Forgery (CSRF) vulnerability in icmsdev iCMSv.7.0.16 allows a remote attacker to execute arbitrary code via the user.admincp.php, members.admincp.php, and group.admincp.php files. | 2023-09-20 | 8.8 | CVE-2023-42321 MISC MISC |
insyde — insydeh2o | An issue was discovered in SystemFirmwareManagementRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The implementation of the GetImage method retrieves the value of a runtime variable named GetImageProgress, and later uses this value as a function pointer. This variable is wiped out by the same module near the end of the function. By setting this UEFI variable from the OS to point into custom code, an attacker could achieve arbitrary code execution in the DXE phase, before several chipset locks are set. | 2023-09-18 | 7.8 | CVE-2023-34195 MISC MISC |
isc — bind | The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel’s configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1. | 2023-09-20 | 7.5 | CVE-2023-3341 MISC MISC MISC MISC |
isc — bind | A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1. | 2023-09-20 | 7.5 | CVE-2023-4236 MISC MISC MISC MISC |
ivanti — endpoint_manager | An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery. | 2023-09-21 | 7.5 | CVE-2023-38343 MISC MISC |
jeecg — jeecg-boot | SQL injection vulnerbility in jeecgboot jeecg-boot v 3.0, 3.5.3 that allows a remote attacker to execute arbitrary code via a crafted request to the report/jeecgboot/jmreport/queryFieldBySql component. | 2023-09-22 | 9.8 | CVE-2023-40989 MISC |
jenkins — jenkins | Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution. | 2023-09-20 | 8.8 | CVE-2023-43496 MISC MISC |
jenkins — jenkins | A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password. | 2023-09-20 | 8.8 | CVE-2023-43500 MISC MISC |
jenkins — jenkins | In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used. | 2023-09-20 | 8.1 | CVE-2023-43497 MISC MISC |
jenkins — jenkins | In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used. | 2023-09-20 | 8.1 | CVE-2023-43498 MISC MISC |
jerryscript — jerryscript | Buffer Overflow vulnerability in JerryScript version 3.0, allows remote attackers to execute arbitrary code via ecma_stringbuilder_append_raw component at /jerry-core/ecma/base/ecma-helpers-string.c. | 2023-09-20 | 9.8 | CVE-2023-36109 MISC MISC |
jetbrains — teamcity | In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible | 2023-09-19 | 9.8 | CVE-2023-42793 MISC MISC |
jtekt — kostac_plc | Double free issue exists in Kostac PLC Programming Software Version 1.6.11.0 and earlier. Arbitrary code may be executed by having a user open a specially crafted project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier because the issue exists in parsing of KPP project files. The vendor states that Kostac PLC Programming Software Version 1.6.10.0 or later implements the function which prevents a project file alteration. Therefore, to mitigate the impact of these vulnerabilities, a project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier needs to be saved again using Kostac PLC Programming Software Version 1.6.10.0 or later. | 2023-09-20 | 7.8 | CVE-2023-41374 MISC MISC |
jtekt — kostac_plc | Use after free vulnerability exists in Kostac PLC Programming Software Version 1.6.11.0. Arbitrary code may be executed by having a user open a specially crafted project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier because the issue exists in parsing of KPP project files. The vendor states that Kostac PLC Programming Software Version 1.6.10.0 or later implements the function which prevents a project file alteration. Therefore, to mitigate the impact of these vulnerabilities, a project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier needs to be saved again using Kostac PLC Programming Software Version 1.6.10.0 or later. | 2023-09-20 | 7.8 | CVE-2023-41375 MISC MISC |
juplink — rx4-1500_firmware | Hard-coded credentials in Juplink RX4-1500 versions V1.0.2 through V1.0.5 allow unauthenticated attackers to log in to the web interface or telnet service as the ‘user’ user. | 2023-09-18 | 9.8 | CVE-2023-41030 MISC |
juplink — rx4-1500_firmware | Credential disclosure in the ‘/webs/userpasswd.htm’ endpoint in Juplink RX4-1500 Wifi router firmware versions V1.0.4 and V1.0.5 allows an authenticated attacker to leak the password for the administrative account via requests to the vulnerable endpoint. | 2023-09-22 | 8.8 | CVE-2023-41027 MISC |
juplink — rx4-1500_firmware | Command injection vulnerability in the homemng.htm endpoint in Juplink RX4-1500 Wifi router firmware versions V1.0.2, V1.0.3, V1.0.4, and V1.0.5 allows authenticated remote attackers to execute commands as root via specially crafted HTTP requests to the vulnerable endpoint. | 2023-09-22 | 8.8 | CVE-2023-41029 MISC |
juplink — rx4-1500_firmware | Command injection in homemng.htm in Juplink RX4-1500 versions V1.0.2, V1.0.3, V1.0.4, and V1.0.5 allows remote authenticated attackers to execute commands via specially crafted requests to the vulnerable endpoint. | 2023-09-22 | 8.8 | CVE-2023-41031 MISC |
lf-edge_zededa — eve_os | When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was mapped to PCR 13. In that process, PCR 13 was added to the list of PCRs that seal/unseal the key. In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of PCRs that seal/unseal the key. This change makes the measurement of PCR 14 effectively redundant as it would not affect the sealing/unsealing of the key. An attacker could modify the config partition without triggering the measured boot, this could result in the attacker gaining full control over the device with full access to the contents of the encrypted “vault” | 2023-09-21 | 8.8 | CVE-2023-43634 MISC |
lf-edge_zededa — eve_os | Due to the implementation of “deriveVaultKey”, prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be “arfoobarfoobarfo”. This issue happens because “deriveVaultKey” calls “retrieveCloudKey” (which will always return “foobarfoobarfoobarfoobarfoobarfo” as the key), and then merges the 32byte randomly generated key with this key (by takeing 16bytes from each, see “mergeKeys”). This makes the key a lot weaker. This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32bytes key usage. | 2023-09-21 | 7.8 | CVE-2023-43637 MISC |
lf-edge_zededa — eve_os | On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system’s configuration, which also includes some debug functions. This could be used to unlock the ssh with custom “authorized_keys” via the “debug.enable.ssh” key, similar to the “authorized_keys” finding that was noted before. Other usages include unlocking the usb to enable the keyboard via the “debug.enable.usb” key, allowing VNC access via the “app.allow.vnc” key, and more. An attacker could easily enable these debug functionalities without triggering the “measured boot” mechanism implemented by EVE OS, and without marking the device as “UUD” (“Unknown Update Detected”). This is because the “/config” partition is not protected by “measured boot”, it is mutable, and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thereby not triggering the “measured boot” mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: • aa3501d6c57206ced222c33aea15a9169d629141 • 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot. | 2023-09-21 | 8.8 | CVE-2023-43633 MISC |
linux — kernel | Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape. | 2023-09-20 | 8.8 | CVE-2023-2163 MISC |
linux_foundation — edge_virtualization_engine | As noted in the “VTPM.md” file in the eve documentation, “VTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options” The communication with this server is done using protobuf, and the data is comprised of 2 parts: 1. Header 2. Data When a connection is made, the server is waiting for 4 bytes of data, which will be the header, and these 4 bytes would be parsed as uint32 size of the actual data to come. Then, in the function “handleRequest” this size is then used in order to allocate a payload on the stack for the incoming data. As this payload is allocated on the stack, this will allow overflowing the stack size allocated for the relevant process with freely controlled data. * An attacker can crash the system. * An attacker can gain control over the system, specifically on the “vtpm_server” process which has very high privileges. | 2023-09-21 | 9.9 | CVE-2023-43632 MISC |
linux_foundation — edge_virtualization_engine | PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not solve the problem of the config partition not being measured correctly. Also, the “vault” key is sealed/unsealed with SHA1 PCRs instead of SHA256. This issue was somewhat mitigated due to all of the PCR extend functions updating both the values of SHA256 and SHA1 for a given PCR ID. However, due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, this is no longer the case for PCR14, as the code in “measurefs.go” explicitly updates only the SHA256 instance of PCR14, which means that even if PCR14 were to be added to the list of PCRs sealing/unsealing the “vault” key, changes to the config partition would still not be measured. An attacker could modify the config partition without triggering the measured boot, this could result in the attacker gaining full control over the device with full access to the contents of the encrypted “vault” | 2023-09-20 | 8.8 | CVE-2023-43630 MISC |
linux_foundation — edge_virtualization_engine | On boot, the Pillar eve container checks for the existence and content of “/config/authorized_keys”. If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root login. An attacker could easily add their own keys and gain full control over the system without triggering the “measured boot” mechanism implemented by EVE OS, and without marking the device as “UUD” (“Unknown Update Detected”). This is because the “/config” partition is not protected by “measured boot”, it is mutable, and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thus not triggering the “measured boot” mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: • aa3501d6c57206ced222c33aea15a9169d629141 • 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot. | 2023-09-21 | 8.8 | CVE-2023-43631 MISC |
linux_foundation — edge_virtualization_engine | Vault Key Sealed With SHA1 PCRs The measured boot solution implemented in EVE OS leans on a PCR locking mechanism. Different parts of the system update different PCR values in the TPM, resulting in a unique value for each PCR entry. These PCRs are then used in order to seal/unseal a key from the TPM which is used to encrypt/decrypt the “vault” directory. This “vault” directory is the most sensitive point in the system and as such, its content should be protected. This mechanism is noted in Zededa’s documentation as the “measured boot” mechanism, designed to protect said “vault”. The code that’s responsible for generating and fetching the key from the TPM assumes that SHA256 PCRs are used in order to seal/unseal the key, and as such their presence is being checked. The issue here is that the key is not sealed using SHA256 PCRs; it uses SHA1 PCRs. This leads to several issues: • Machines that have their SHA256 PCRs enabled but SHA1 PCRs disabled, as well as not sealing their keys at all, meaning the “vault” is not protected from an attacker. • SHA1 is considered insecure and reduces the complexity level required to unseal the key in machines which have their SHA1 PCRs enabled. An attacker can very easily retrieve the contents of the “vault”, which will effectively render the “measured boot” mechanism meaningless. | 2023-09-20 | 8.8 | CVE-2023-43635 MISC |
linux_foundation — edge_virtualization_engine | In EVE OS, the “measured boot” mechanism prevents a compromised device from accessing the encrypted data located in the vault. As per the “measured boot” design, the PCR values calculated at different stages of the boot process will change if any of their respective parts are changed. This includes, among other things, the configuration of the bios, grub, the kernel cmdline, initrd, and more. However, this mechanism does not validate the entire rootfs, so an attacker can edit the filesystem and gain control over the system. As the default filesystem used by EVE OS is squashfs, this is somewhat harder than an ext4, which is easily changeable. This will not stop an attacker, as an attacker can repackage the squashfs with their changes in it and replace the partition altogether. This can also be done directly on the device, as the “003-storage-init” container contains the “mksquashfs” and “unsquashfs” binaries (with the corresponding libs). An attacker can gain full control over the device without changing the PCR values, thus not triggering the “measured boot” mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: • aa3501d6c57206ced222c33aea15a9169d629141 • 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot. | 2023-09-20 | 8.8 | CVE-2023-43636 MISC |
mastodon — mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue. | 2023-09-19 | 7.5 | CVE-2023-42450 MISC MISC |
mastodon — mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue. | 2023-09-19 | 7.5 | CVE-2023-42451 MISC MISC |
memorysafety — sudo-rs | Sudo-rs, a memory safe implementation of sudo and su, allows users to not have to enter authentication at every sudo attempt, but instead only requiring authentication every once in a while, in every terminal or process group. Only once a configurable timeout has passed will the user have to re-authenticate themselves. Supporting this functionality is a set of session files (timestamps) for each user, stored in `/var/run/sudo-rs/ts`. These files are named according to the username from which the sudo attempt is made (the origin user). An issue was discovered in versions prior to 0.2.1 where usernames containing the `.` and `/` characters could result in the corruption of specific files on the filesystem. As usernames are generally not limited by the characters they can contain, a username appearing to be a relative path can be constructed. For example we could add a user to the system containing the username `../../../../bin/cp`. When logged in as a user with that name, that user could run `sudo -K` to clear their session record file. The session code then constructs the path to the session file by concatenating the username to the session file storage directory, resulting in a resolved path of `/bin/cp`. The code then clears that file, resulting in the `cp` binary effectively being removed from the system. An attacker needs to be able to login as a user with a constructed username. Given that such a username is unlikely to exist on an existing system, they will also need to be able to create the users with the constructed usernames. The issue is patched in version 0.2.1 of sudo-rs. Sudo-rs now uses the uid for the user instead of their username for determining the filename. Note that an upgrade to this version will result in existing session files being ignored and users will be forced to re-authenticate. It also fully eliminates any possibility of path traversal, given that uids are always integer values. The `sudo -K` and `sudo -k` commands can run, even if a user has no sudo access. As a workaround, make sure that one’s system does not contain any users with a specially crafted username. While this is the case and while untrusted users do not have the ability to create arbitrary users on the system, one should not be able to exploit this issue. | 2023-09-21 | 8.1 | CVE-2023-42456 MISC MISC |
microsoft — edge_chromium | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | 2023-09-15 | 7.1 | CVE-2023-36562 MISC |
mimsoftware — assistant | Improper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup. In order to take advantage of this vulnerability, an attacker must craft a malicious XML document, embed this document into specific 3rd party private RTst metadata tags, transfer the now compromised DICOM object to MIM, and force MIM to archive and load the data. Users on either version are strongly encouraged to update to an unaffected version (7.2.11+, 7.3.4+). This issue was found and analyzed by MIM Software’s internal security team. We are unaware of any proof of concept or actual exploit available in the wild. For more information, visit https://www.mimsoftware.com/cve-2023-3892 https://www.mimsoftware.com/cve-2023-3892 This issue affects MIM Assistant: 7.2.10, 7.3.3; MIM Client: 7.2.10, 7.3.3. | 2023-09-19 | 7.4 | CVE-2023-3892 MISC |
minitool — movie_maker | MiniTool Shadow Maker version 4.1 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack. | 2023-09-19 | 8.1 | CVE-2023-38354 MISC |
minitool — movie_maker | MiniTool Movie Maker 6.1.0 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack. | 2023-09-19 | 8.1 | CVE-2023-38355 MISC |
minitool — partition_wizard | MiniTool Partition Wizard 12.8 contains an insecure installation mechanism that allows attackers to achieve remote code execution through a man in the middle attack. | 2023-09-19 | 8.1 | CVE-2023-38351 MISC |
minitool — partition_wizard | MiniTool Partition Wizard 12.8 contains an insecure update mechanism that allows attackers to achieve remote code execution through a man in the middle attack. | 2023-09-19 | 8.1 | CVE-2023-38352 MISC |
minitool — power_data_recovery | MiniTool Power Data Recovery 11.6 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack. | 2023-09-19 | 8.1 | CVE-2023-38356 MISC |
mitsubishi_electric — gx_works3 | Incorrect Default Permissions vulnerability due to incomplete fix to address CVE-2020-14496 in Mitsubishi Electric Corporation FA engineering software products allows a malicious local attacker to execute a malicious code, which could result in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition. However, if the mitigated version described in the advisory for CVE-2020-14496 is used and installed in the default installation folder, this vulnerability does not affect the products. | 2023-09-20 | 7.8 | CVE-2023-4088 MISC MISC MISC |
nagios — nagios_xi | A SQL injection vulnerability in Nagios XI v5.11.1 and below allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands via the ID parameter sent to the update_banner_message() function. | 2023-09-19 | 8.8 | CVE-2023-40933 MISC MISC MISC |
nagios — nagios_xi | A SQL injection vulnerability in Nagios XI 5.11.1 and below allows authenticated attackers with privileges to manage host escalations in the Core Configuration Manager to execute arbitrary SQL commands via the host escalation notification settings. | 2023-09-19 | 7.2 | CVE-2023-40934 MISC MISC MISC |
netatalk — netatalk | A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. When parsing Spotlight RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the underlying protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a malicious actor may be able to fully control the value of the pointer and theoretically achieve Remote Code Execution on the host. This issue is similar to CVE-2023-34967. | 2023-09-20 | 9.8 | CVE-2023-42464 CONFIRM MISC MISC DEBIAN MLIST |
netis-systems — 360r_firmware | There is an unauthorized access vulnerability in Netis 360RAC1200 v1.3.4517, which allows attackers to obtain sensitive information of the device without authentication, obtain user tokens, and ultimately log in to the device backend management. | 2023-09-20 | 9.8 | CVE-2023-43134 MISC |
node.js — node.js | systeminformation is a System Information Library for Node.JS. Versions 5.0.0 through 5.21.6 have a SSID Command Injection Vulnerability. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check or sanitize parameter strings that are passed to `wifiConnections()`, `wifiNetworks()` (string only). | 2023-09-21 | 9.8 | CVE-2023-42810 MISC MISC MISC |
nozomi_networks — cmc | A Denial of Service (Dos) vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain fields used in the Asset Intelligence functionality of our IDS, allows an unauthenticated attacker to crash the IDS module by sending specially crafted malformed network packets. During the (limited) time window before the IDS module is automatically restarted, network traffic may not be analyzed. | 2023-09-19 | 7.5 | CVE-2023-32649 MISC |
nozomi_networks — cmc | A SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain fields used in the Asset Intelligence functionality of our IDS, may allow an unauthenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application by sending specially crafted malicious network packets. Malicious users with extensive knowledge on the underlying system may be able to extract arbitrary information from the DBMS in an uncontrolled way, or to alter its structure and data. | 2023-09-19 | 7.4 | CVE-2023-29245 MISC |
nvidia — cumulus_linux | NVIDIA Cumulus Linux contains a vulnerability in forwarding where a VxLAN-encapsulated IPv6 packet received on an SVI interface with DMAC/DIPv6 set to the link-local address of the SVI interface may be incorrectly forwarded. A successful exploit may lead to information disclosure. | 2023-09-20 | 7.5 | CVE-2023-25525 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 baseboard management controller (BMC) contains a vulnerability in a web server plugin, where an unauthenticated attacker may cause a stack overflow by sending a specially crafted network packet. A successful exploit of this vulnerability may lead to arbitrary code execution, denial of service, information disclosure, and data tampering. | 2023-09-20 | 9.8 | CVE-2023-25528 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 BMC contains a vulnerability in the KVM service, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, and information disclosure. | 2023-09-20 | 9.8 | CVE-2023-25530 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 BMC contains a vulnerability in IPMI, where an attacker may cause insufficient protection of credentials. A successful exploit of this vulnerability may lead to code execution, denial of service, information disclosure, and escalation of privileges. | 2023-09-20 | 9.8 | CVE-2023-25531 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 BMC contains a vulnerability in the web UI, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to information disclosure, code execution, and escalation of privileges. | 2023-09-20 | 9.8 | CVE-2023-25533 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 BMC contains a vulnerability in IPMI, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | 2023-09-20 | 9.8 | CVE-2023-25534 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 BMC contains a vulnerability in the REST service, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, and information disclosure. | 2023-09-20 | 9.8 | CVE-2023-31009 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 BMC contains a vulnerability in IPMI, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to escalation of privileges, information disclosure, and denial of service. | 2023-09-20 | 8.8 | CVE-2023-31010 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 BMC contains a vulnerability in the REST service where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to escalation of privileges and information disclosure. | 2023-09-20 | 8.8 | CVE-2023-31011 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 BMC contains a vulnerability in the REST service where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to escalation of privileges and information disclosure. | 2023-09-20 | 8.8 | CVE-2023-31012 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 BMC contains a vulnerability in the REST service, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to escalation of privileges and information disclosure. | 2023-09-20 | 8.8 | CVE-2023-31013 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 BMC contains a vulnerability in the host KVM daemon, where an unauthenticated attacker may cause a leak of another user’s session token by observing timing discrepancies between server responses. A successful exploit of this vulnerability may lead to information disclosure, escalation of privileges, and data tampering. | 2023-09-20 | 8.1 | CVE-2023-25529 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 BMC contains a vulnerability in the host KVM daemon, where an authenticated local attacker may cause corruption of kernel memory. A successful exploit of this vulnerability may lead to arbitrary kernel code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | 2023-09-20 | 7.8 | CVE-2023-25527 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 BMC contains a vulnerability in IPMI, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to code execution, denial of services, escalation of privileges, and information disclosure. | 2023-09-20 | 7.8 | CVE-2023-31008 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 BMC contains a vulnerability in the REST service where a host user may cause as improper authentication issue. A successful exploit of this vulnerability may lead to escalation of privileges, information disclosure, code execution, and denial of service. | 2023-09-20 | 7.8 | CVE-2023-31015 MISC |
nvidia — dgx_h100_firmware | NVIDIA DGX H100 BMC contains a vulnerability in IPMI, where an attacker may cause insufficient protection of credentials. A successful exploit of this vulnerability may lead to information disclosure. | 2023-09-20 | 7.5 | CVE-2023-25532 MISC |
open_upload_stable — open_upload_stable | File Upload vulnerability in Openupload Stable v.0.4.3 allows a remote attacker to execute arbitrary code via the action parameter of the compress-inc.php file. | 2023-09-20 | 8.8 | CVE-2023-36319 MISC MISC |
openprinting — cups | Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023. | 2023-09-21 | 7.8 | CVE-2023-4504 MISC MISC MISC MISC MISC MISC MISC MISC |
opensuse — leap | A Improper Link Resolution Before File Access (‘Link Following’) vulnerability in SUSE SUSE Linux Enterprise Desktop 15 SP5 postfix, SUSE SUSE Linux Enterprise High Performance Computing 15 SP5 postfix, SUSE openSUSE Leap 15.5 postfix.This issue affects SUSE Linux Enterprise Desktop 15 SP5: before 3.7.3-150500.3.5.1; SUSE Linux Enterprise High Performance Computing 15 SP5: before 3.7.3-150500.3.5.1; openSUSE Leap 15.5 : before 3.7.3-150500.3.5.1. | 2023-09-19 | 7.8 | CVE-2023-32182 MISC |
opensuse — welcome | A Insecure Storage of Sensitive Information vulnerability in openSUSE opensuse-welcome allows local attackers to execute code as the user that runs opensuse-welcome if a custom layout is chosen This issue affects opensuse-welcome: from 0.1 before 0.1.9+git.35.4b9444a. | 2023-09-19 | 7.8 | CVE-2023-32184 MISC |
patreon — flutter_downloader | A SQL injection in the flutter_downloader component through 1.11.1 for iOS allows remote attackers to steal session tokens and overwrite arbitrary files inside the app’s container. The internal database of the framework is exposed to the local user if an app uses UIFileSharingEnabled and LSSupportsOpeningDocumentsInPlace properties. As a result, local users can obtain the same attack primitives as remote attackers by tampering with the internal database of the framework on the device. | 2023-09-19 | 9.1 | CVE-2023-41387 MISC MISC |
peppermint — peppermint | An issue in PeppermintLabs Peppermint v.0.2.4 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the hardcoded session cookie. | 2023-09-18 | 8.8 | CVE-2023-42328 MISC MISC MISC |
pgadmin — pgadmin | A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server. | 2023-09-22 | 8.8 | CVE-2023-5002 MISC MISC |
phpjabbers — php_shopping_cart | Phpjabbers PHP Shopping Cart 4.2 is vulnerable to SQL Injection via the id parameter. | 2023-09-21 | 7.5 | CVE-2023-43274 MISC |
phppgadmin — phppgadmin | phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untrusted data which may lead to remote code execution because user-controlled data is directly passed to the PHP ‘unserialize()’ function in multiple places. An example is the functionality to manage tables in ‘tables.php’ where the ‘ma[]’ POST parameter is deserialized. | 2023-09-20 | 9.8 | CVE-2023-40619 MISC |
plesk — plesk | Plesk 17.0 through 18.0.31 version, is vulnerable to a Cross-Site Scripting. A malicious subscription owner (either a customer or an additional user), can fully compromise the server if an administrator visits a certain page in Plesk related to the malicious subscription. | 2023-09-20 | 9 | CVE-2023-0829 MISC |
plone — rest | plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one’s frontend web server (nginx, Apache). | 2023-09-21 | 7.5 | CVE-2023-42457 MISC MISC MISC MISC |
prestashop — prestashop | SQL injection vulnerability in PrestaShop opartsavecart through 2.0.7 allows remote attackers to run arbitrary SQL commands via OpartSaveCartDefaultModuleFrontController::initContent() and OpartSaveCartDefaultModuleFrontController::displayAjaxSendCartByEmail() methods. | 2023-09-20 | 9.8 | CVE-2023-34575 MISC |
prestashop — prestashop | SQL injection vulnerability in updatepos.php in PrestaShop opartfaq through 1.0.3 allows remote attackers to run arbitrary SQL commands via unspedified vector. | 2023-09-21 | 9.8 | CVE-2023-34576 MISC |
prestashop — prestashop | SQL injection vulnerability in Prestashop opartplannedpopup 1.4.11 and earlier allows remote attackers to run arbitrary SQL commands via OpartPlannedPopupModuleFrontController::prepareHook() method. | 2023-09-21 | 9.8 | CVE-2023-34577 MISC |
prestashop — prestashop | SimpleImportProduct Prestashop Module v6.2.9 was discovered to contain a SQL injection vulnerability via the key parameter at send.php. | 2023-09-20 | 9.8 | CVE-2023-39675 MISC MISC |
prestashop — prestashop | MyPrestaModules Prestashop Module v6.2.9 and UpdateProducts Prestashop Module v3.6.9 were discovered to contain a PHPInfo information disclosure vulnerability via send.php. | 2023-09-20 | 7.5 | CVE-2023-39677 MISC MISC MISC |
progress — moveit_transfer | In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content. | 2023-09-20 | 8.8 | CVE-2023-42660 MISC MISC |
progress — moveit_transfer | In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A MOVEit system administrator could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content. | 2023-09-20 | 7.2 | CVE-2023-40043 MISC MISC |
projectworlds — asset_management_system_project_in_php | Projectworldsl Assets-management-system-in-php 1.0 is vulnerable to SQL Injection via the “id” parameter in delete.php. | 2023-09-22 | 9.8 | CVE-2023-43144 MISC |
qnap — multimedia_console | A buffer copy without checking size of input vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote users to execute code via unspecified vectors. We have already fixed the vulnerability in the following versions: Multimedia Console 2.1.1 ( 2023/03/29 ) and later Multimedia Console 1.4.7 ( 2023/03/20 ) and later | 2023-09-22 | 9.8 | CVE-2023-23364 MISC |
qnap — qts | A buffer copy without checking size of input vulnerability has been reported to affect QNAP operating system. If exploited, the vulnerability possibly allows remote users to execute code via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 4.3.6.2441 build 20230621 and later QTS 4.3.3.2420 build 20230621 and later QTS 4.2.6 build 20230621 and later QTS 4.3.4.2451 build 20230621 and later | 2023-09-22 | 9.8 | CVE-2023-23363 MISC |
qnap — qutscloud | An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability allows remote authenticated users to execute commands via susceptible QNAP devices. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later | 2023-09-22 | 8.8 | CVE-2023-23362 MISC |
quarkus — quarkus | A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service. | 2023-09-20 | 8.1 | CVE-2023-4853 MISC MISC MISC MISC MISC MISC |
quinn — quinn | quinn-proto is a state machine for the QUIC transport protocol. Prior to versions 0.9.5 and 0.10.5, receiving unknown QUIC frames in a QUIC packet could result in a panic. The problem has been fixed in 0.9.5 and 0.10.5 maintenance releases. | 2023-09-21 | 7.5 | CVE-2023-42805 MISC MISC MISC MISC |
openstack_platform — openstack_platform | An information leak was found in OpenStack’s undercloud. This flaw allows unauthenticated, remote attackers to inspect sensitive data after discovering the IP address of the undercloud, possibly leading to compromising private information, including administrator access credentials. | 2023-09-20 | 7.5 | CVE-2022-3596 MISC MISC MISC |
foreman — foreman | A command injection flaw was found in foreman. This flaw allows an authenticated user with admin privileges on the foreman instance to transpile commands through CoreOS and Fedora CoreOS configurations in templates, possibly resulting in arbitrary command execution on the underlying operating system. | 2023-09-22 | 9.1 | CVE-2022-3874 MISC MISC |
openshift — openshift | A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration. | 2023-09-22 | 9.8 | CVE-2022-4039 MISC MISC MISC |
reportlab — reportlab | paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with ‘<unichar code=”‘ followed by arbitrary Python code, a similar issue to CVE-2019-17626. | 2023-09-20 | 9.8 | CVE-2019-19450 MISC MISC |
rockwell_automation — 1756-en2t_series_a_firmware | A buffer overflow vulnerability exists in the Rockwell Automation select 1756-EN* communication devices. If exploited, a threat actor could potentially leverage this vulnerability to perform a remote code execution. To exploit this vulnerability, a threat actor would have to send a maliciously crafted CIP request to device. | 2023-09-20 | 9.8 | CVE-2023-2262 MISC |
samsung — exynos_2200_firmware | Samsung Mobile Processor Exynos 2200 allows a GPU Use After Free. | 2023-09-21 | 7.5 | CVE-2023-42482 MISC |
samsung — memory_card_&_ufd_authentication | A DLL hijacking vulnerability in Samsung Memory Card & UFD Authentication Utility PC Software before 1.0.1 could allow a local attacker to escalate privileges. (An attacker must already have user privileges on Windows to exploit this vulnerability.) | 2023-09-18 | 7.3 | CVE-2023-41929 MISC |
simplesamlphp — saml2 | Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if they rely on any of these features in their authentication/authorization logic: the issuer of the generated identity and claims; or items in the stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible. | 2023-09-19 | 7.5 | CVE-2023-41890 MISC MISC MISC |
snapview — tungstenite | The Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes). | 2023-09-21 | 7.5 | CVE-2023-43669 MISC MISC MISC CONFIRM MISC MISC MISC MISC MISC FEDORA |
sourcecodester — online_voting_system | SQL injection vulnerability in janobe Online Voting System v.1.0 allows a remote attacker to execute arbitrary code via the checklogin.php component. | 2023-09-23 | 9.8 | CVE-2023-43470 MISC MISC MISC |
sourcecodester — online_job_portal | SQL injection vulnerability in janobe Online Job Portal v.2020 allows a remote attacker to execute arbitrary code via the login.php component. | 2023-09-23 | 9.8 | CVE-2023-43468 MISC MISC MISC |
sourcecodester — online_job_portal | SQL injection vulnerability in janobe Online Job Portal v.2020 allows a remote attacker to execute arbitrary code via the ForPass.php component. | 2023-09-23 | 9.8 | CVE-2023-43469 MISC MISC MISC |
spider-flow — spider-flow | A vulnerability was found in spider-flow up to 0.5.0. It has been declared as critical. Affected by this vulnerability is the function DriverManager.getConnection of the file src/main/java/org/spiderflow/controller/DataSourceController.java of the component API. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-239857 was assigned to this vulnerability. | 2023-09-17 | 9.8 | CVE-2023-5016 MISC MISC MISC MISC |
springernature — mee-admin | mee-admin 1.5 is vulnerable to Directory Traversal. The download method in the CommonFileController.java file does not verify the incoming data, resulting in arbitrary file reading. | 2023-09-21 | 7.5 | CVE-2023-42280 MISC |
strapi — strapi | Strapi is an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi’s admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue. | 2023-09-15 | 9.8 | CVE-2023-38507 MISC MISC MISC |
suse — rancher_rke2 | An Allocation of Resources Without Limits or Throttling vulnerability in SUSE RKE2 allows attackers with access to K3s servers apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects RKE2: from 1.24.0 before 1.24.17+rke2r1, from v1.25.0 before v1.25.13+rke2r1, from v1.26.0 before v1.26.8+rke2r1, from v1.27.0 before v1.27.5+rke2r1, from v1.28.0 before v1.28.1+rke2r1. | 2023-09-19 | 7.5 | CVE-2023-32186 MISC MISC |
suse — k3s | An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers’ apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1. | 2023-09-18 | 7.5 | CVE-2023-32187 MISC MISC |
tdsql_chitu — tdsql_chitu | An issue in TDSQL Chitu management platform v.10.3.19.5.0 allows a remote attacker to obtain sensitive information via get_db_info function in install.php. | 2023-09-18 | 7.5 | CVE-2023-42387 MISC MISC |
technicolor — tg670_firmware | Technicolor TG670 10.5.N.9 devices contain multiple accounts with hard-coded passwords. One account has administrative privileges, allowing for unrestricted access over the WAN interface if Remote Administration is enabled. | 2023-09-19 | 7.2 | CVE-2023-31808 MISC |
telstra — arcadyan_lh1000_firmware | fake_upload.cgi on the Telstra Smart Modem Gen 2 (Arcadyan LH1000), firmware versions < 0.18.15r, allows unauthenticated attackers to upload firmware images and configuration backups, which could allow them to alter the firmware or the configuration on the device, ultimately leading to code execution as root. | 2023-09-20 | 9.8 | CVE-2023-43478 MISC |
telstra — arcadyan_lh1000_firmware | The ping_from parameter of ping_tracerte.cgi in the web UI of Telstra Smart Modem Gen 2 (Arcadyan LH1000), firmware versions < 0.18.15r, was not properly sanitized before being used in a system call, which could allow an authenticated attacker to achieve command injection as root on the device. | 2023-09-20 | 8.8 | CVE-2023-43477 MISC |
tenda — ac10_firmware | Buffer Overflow vulnerability in Tenda AC10V4 v.US_AC10V4.0si_V16.03.10.13_cn_TDC01 allows a remote attacker to cause a denial of service via the mac parameter in the GetParentControlInfo function. | 2023-09-18 | 9.8 | CVE-2023-42320 MISC |
tp-link — tl-er5120g_firmware | There is an unauthorized access vulnerability in TP-LINK ER5120G 4.0 2.0.0 Build 210817 Rel.80868n, which allows attackers to obtain sensitive information of the device without authentication, obtain user tokens, and ultimately log in to the device backend management. | 2023-09-20 | 9.8 | CVE-2023-43135 MISC |
tp-link — tl-er5120g_firmware | TPLINK TL-ER5120G 4.0 2.0.0 Build 210817 Rel.80868n has a command injection vulnerability, when an attacker adds ACL rules after authentication, and the rule name parameter has injection points. | 2023-09-20 | 8.8 | CVE-2023-43137 MISC |
tp-link — tl-er5120g_firmware | TPLINK TL-ER5120G 4.0 2.0.0 Build 210817 Rel.80868n has a command injection vulnerability, when an attacker adds NAPT rules after authentication, and the rule name has an injection point. | 2023-09-20 | 8.8 | CVE-2023-43138 MISC |
trendmicro — apex_one | A vulnerability in the 3rd party AV uninstaller module contained in Trend Micro Apex One (on-prem and SaaS), Worry-Free Business Security and Worry-Free Business Security Services could allow an attacker to manipulate the module to execute arbitrary commands on an affected installation. Note that an attacker must first obtain administrative console access on the target system in order to exploit this vulnerability. | 2023-09-19 | 7.2 | CVE-2023-41179 MISC MISC MISC |
uniview — ipc322lb-sf28-a_firmware | The vulnerability exists in Uniview IP Camera due to identification and authentication failure at its web-based management interface. A remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable device. Successful exploitation of this vulnerability could allow the attacker to gain complete control of the targeted device. | 2023-09-19 | 9.8 | CVE-2023-0773 MISC MISC |
vyperlang — vyper | Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In version 0.3.9 and prior, under certain conditions, the memory used by the builtins `raw_call`, `create_from_blueprint` and `create_copy_of` can be corrupted. For `raw_call`, the argument buffer of the call can be corrupted, leading to incorrect `calldata` in the sub-context. For `create_from_blueprint` and `create_copy_of`, the buffer for the to-be-deployed bytecode can be corrupted, leading to deploying incorrect bytecode. Each builtin has conditions that must be fulfilled for the corruption to happen. For `raw_call`, the `data` argument of the builtin must be `msg.data` and the `value` or `gas` passed to the builtin must be some complex expression that results in writing to the memory. For `create_copy_of`, the `value` or `salt` passed to the builtin must be some complex expression that results in writing to the memory. For `create_from_blueprint`, either no constructor parameters should be passed to the builtin or `raw_args` should be set to True, and the `value` or `salt` passed to the builtin must be some complex expression that results in writing to the memory. As of time of publication, no patched version exists. The issue is still being investigated, and there might be other cases where the corruption might happen. When the builtin is being called from an `internal` function `F`, the issue is not present provided that the function calling `F` wrote to memory before calling `F`. As a workaround, the complex expressions that are being passed as kwargs to the builtin should be cached in memory prior to the call to the builtin. | 2023-09-18 | 8.1 | CVE-2023-42443 MISC MISC |
whisperfish — blurhash-rs | blurhash-rs is a pure Rust implementation of blurhash, software for encoding images into ASCII strings that can be turned into a gradient of colors representing the original image. In version 0.1.1, the blurhash parsing code may panic due to multiple panic-guarded out-of-bounds accesses on untrusted input. In a typical deployment, this may get triggered by feeding a maliciously crafted blurhashes over the network. These may include UTF-8 compliant strings containing multi-byte UTF-8 characters. A patch is available in version 0.2.0, which requires user intervention because of slight API churn. No known workarounds are available. | 2023-09-19 | 7.5 | CVE-2023-42447 MISC |
whisperfish — phonenumber | phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds. | 2023-09-19 | 7.5 | CVE-2023-42444 MISC MISC MISC |
windriver — vxworks | An issue was discovered in Wind River VxWorks 6.9 and 7. The function “tarExtract“ implements TAR file extraction and thereby also processes files within an archive that have relative or absolute file paths. A developer using the “tarExtract” function may expect that the function will strip leading slashes from absolute paths or stop processing when encountering relative paths that are outside of the extraction path, unless otherwise forced. This could lead to unexpected and undocumented behavior, which in general could result in a directory traversal, and associated unexpected behavior. | 2023-09-22 | 8.8 | CVE-2023-38346 MISC MISC MISC |
withsecure — client_security | Certain WithSecure products allow a remote crash of a scanning engine via unpacking of crafted data files. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1. | 2023-09-18 | 7.5 | CVE-2023-42520 MISC |
withsecure — client_security | Certain WithSecure products allow a remote crash of a scanning engine via processing of a compressed file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1. | 2023-09-18 | 7.5 | CVE-2023-42521 MISC |
withsecure — client_security | Certain WithSecure products allow a remote crash of a scanning engine via processing of an import struct in a PE file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1. | 2023-09-18 | 7.5 | CVE-2023-42522 MISC |
withsecure — client_security | Certain WithSecure products allow a remote crash of a scanning engine via unpacking of a PE file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1. | 2023-09-18 | 7.5 | CVE-2023-42523 MISC |
withsecure — client_security | Certain WithSecure products allow an infinite loop in a scanning engine via unspecified file types. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1. | 2023-09-18 | 7.5 | CVE-2023-42524 MISC |
withsecure — client_security | Certain WithSecure products allow an infinite loop in a scanning engine via unspecified file types. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1. | 2023-09-18 | 7.5 | CVE-2023-42525 MISC |
withsecure — client_security | Certain WithSecure products allow a remote crash of a scanning engine via decompression of crafted data files. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1. | 2023-09-18 | 7.5 | CVE-2023-42526 MISC |
withsecure — f-secure_policy_manager | Certain WithSecure products allow Unauthenticated Remote Code Execution via the web server (backend), issue 1 of 2. This affects WithSecure Policy Manager 15 and Policy Manager Proxy 15. | 2023-09-22 | 9.8 | CVE-2023-43762 MISC MISC |
withsecure — f-secure_policy_manager | Certain WithSecure products allow Unauthenticated Remote Code Execution via the web server (backend), issue 2 of 2. This affects WithSecure Policy Manager 15 on Windows and Linux. | 2023-09-22 | 9.8 | CVE-2023-43764 MISC MISC |
xen — xen | The fix for XSA-423 added logic to Linux’s netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately, the logic introduced there didn’t account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area that’s specially dealt with to keep all (possible) headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver. | 2023-09-22 | 7.8 | CVE-2023-34319 MISC |
xui-xray — xui-xray | An issue in xui-xray v1.8.3 allows attackers to obtain sensitive information via default password. | 2023-09-18 | 7.5 | CVE-2023-41595 MISC MISC MISC |
yii — yii | web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter. | 2023-09-21 | 9.8 | CVE-2015-5467 MISC MISC |
Medium Vulnerabilities
Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
aes-gcm — aes-gcm | aes-gcm is a pure Rust implementation of the AES-GCM. Starting in version 0.10.0 and prior to version 0.10.3, in the AES GCM implementation of decrypt_in_place_detached, the decrypted ciphertext (i.e. the correct plaintext) is exposed even if tag verification fails. If a program using the `aes-gcm` crate’s `decrypt_in_place*` APIs accesses the buffer after decryption failure, it will contain a decryption of an unauthenticated input. Depending on the specific nature of the program this may enable Chosen Ciphertext Attacks (CCAs) which can cause a catastrophic breakage of the cipher including full plaintext recovery. Version 0.10.3 contains a fix for this issue. | 2023-09-22 | 5.5 | CVE-2023-42811 MISC MISC |
ajino-shiretoko — ajino-shiretoko | An information leak in ajino-Shiretoko Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages. | 2023-09-20 | 6.5 | CVE-2023-39044 MISC |
amd — epyc_7003_firmware | Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access. | 2023-09-20 | 4.4 | CVE-2023-20594 MISC |
amd — ryzen_3_3100_firmware | Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access. | 2023-09-20 | 5.5 | CVE-2023-20597 MISC |
apple — multiple_products | A certificate validation issue was addressed. This issue is fixed in macOS Ventura 13.6, iOS 16.7 and iPadOS 16.7. A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. | 2023-09-21 | 5.5 | CVE-2023-41991 MISC MISC |
bytecodealliance — wasmtime | Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 to versions 10.02, 11.0.2, and 12.0.1 contain a miscompilation of the WebAssembly `i64x2.shr_s` instruction on x86_64 platforms when the shift amount is a constant value that is larger than 32. Only x86_64 is affected so all other targets are not affected by this. The miscompilation results in the instruction producing an incorrect result, namely the low 32-bits of the second lane of the vector are derived from the low 32-bits of the second lane of the input vector instead of the high 32-bits. The primary impact of this issue is that any WebAssembly program using the `i64x2.shr_s` with a constant shift amount larger than 32 may produce an incorrect result. This issue is not an escape from the WebAssembly sandbox. Execution of WebAssembly guest programs will still behave correctly with respect to memory sandboxing and isolation from the host. Wasmtime considers non-spec-compliant behavior as a security issue nonetheless. This issue was discovered through fuzzing of Wasmtime’s code generator Cranelift. Wasmtime versions 10.0.2, 11.0.2, and 12.0.2 are all patched to no longer have this miscompilation. This issue only affects x86_64 hosts and the only workaround is to either scan for this pattern in wasm modules which is nontrivial or to disable the SIMD proposal for WebAssembly. Users prior to 10.0.0 are unaffected by this vulnerability. | 2023-09-15 | 5.3 | CVE-2023-41880 MISC MISC MISC MISC MISC |
cadence — cadence | Cadence through 0.9.2 2023-08-21 uses an Insecure /tmp/.cadence-aloop-daemon.x Temporary File. The file is used even if it has been created by a local adversary before Cadence started. The adversary can then delete the file, disrupting Cadence. | 2023-09-22 | 5.5 | CVE-2023-43782 MISC MISC |
cisco — jabber | A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) message processing feature of Cisco Jabber could allow an authenticated, remote attacker to manipulate the content of XMPP messages that are used by the affected application. This vulnerability is due to the improper handling of nested XMPP messages within requests that are sent to the Cisco Jabber client software. An attacker could exploit this vulnerability by connecting to an XMPP messaging server and sending crafted XMPP messages to an affected Jabber client. A successful exploit could allow the attacker to manipulate the content of XMPP messages, possibly allowing the attacker to cause the Jabber client application to perform unsafe actions. | 2023-09-15 | 4.3 | CVE-2022-20917 MISC |
contao — contao | Contao 3.x before 3.5.32 allows XSS via the unsubscribe module in the frontend newsletter extension. | 2023-09-21 | 6.1 | CVE-2018-5478 MISC MISC |
croc — croc | An issue was discovered in Croc through 9.6.5. A sender can cause a receiver to overwrite files during ZIP extraction. | 2023-09-20 | 5.5 | CVE-2023-43616 MISC MISC MLIST |
croc — croc | An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name. | 2023-09-20 | 5.3 | CVE-2023-43617 MISC MISC MLIST |
croc — croc | An issue was discovered in Croc through 9.6.5. The protocol requires a sender to provide its local IP addresses in cleartext via an ips? message. | 2023-09-20 | 5.3 | CVE-2023-43618 MISC MISC MLIST |
croc — croc | An issue was discovered in Croc through 9.6.5. The shared secret, located on a command line, can be read by local users who list all processes and their arguments. | 2023-09-20 | 4.7 | CVE-2023-43621 MISC MISC MLIST |
dataease — dataease | DataEase is an open source data visualization and analysis tool. Prior to version 1.18.11, DataEase has a vulnerability that allows an attacker to to obtain user cookies. The program only uses the `ImageIO.read()` method to determine whether the file is an image file or not. There is no whitelisting restriction on file suffixes. This allows the attacker to synthesize the attack code into an image for uploading and change the file extension to html. The attacker may steal user cookies by accessing links. The vulnerability has been fixed in v1.18.11. There are no known workarounds. | 2023-09-21 | 5.3 | CVE-2023-40183 MISC MISC MISC |
dell — secure_connect_gateway_policy_manager | Dell SCG Policy Manager 5.16.00.14 contains a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by performing MitM attacks and let attackers obtain sensitive information. | 2023-09-21 | 5.9 | CVE-2023-39252 MISC |
digitaldruid — hoteldruid | A cross-site scripting (XSS) vulnerability in /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the nometipotariffa1 parameter. | 2023-09-20 | 5.4 | CVE-2023-43376 MISC |
digitaldruid — hoteldruid | A cross-site scripting (XSS) vulnerability in /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the destinatario_email1 parameter. | 2023-09-20 | 5.4 | CVE-2023-43377 MISC |
discourse — discourse | Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious user could add a 2FA or security key with a carefully crafted name to their account and cause a denial of service for other users. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. There are no known workarounds. | 2023-09-15 | 6.5 | CVE-2023-40588 MISC |
discourse — discourse | Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, importing a remote theme loads their assets into memory without enforcing limits for file size or number of files. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. There are no known workarounds. | 2023-09-15 | 6.5 | CVE-2023-41042 MISC |
discourse — discourse | Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious admin could create extremely large icons sprites, which would then be cached in each server process. This may cause server processes to be killed and lead to downtime. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. This is only a concern for multisite installations. No action is required when the admins are trusted. | 2023-09-15 | 6.5 | CVE-2023-41043 MISC |
earthgarden_waiting — earthgarden_waiting | An information leak in Earthgarden_waiting 13.6.1 allows attackers to obtain the channel access token and send crafted messages. | 2023-09-20 | 6.5 | CVE-2023-39052 MISC |
fl3xx_dispatch/fl3xx_crew — fl3xx_dispatch/fl3xx_crew | An Indirect Object Reference (IDOR) in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to escalate privileges via the user parameter. | 2023-09-20 | 6.5 | CVE-2023-42334 MISC |
frauscher_sensortechnik_gmbh — fadc/fadci | Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a SQL injection vulnerability via manipulated parameters of the web interface without authentication. The database contains limited, non-critical log information. | 2023-09-21 | 5.3 | CVE-2023-4292 MISC |
freeswitch — freeswitch | FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names. When a call in FreeSWITCH completes codec negotiation, the `codec_string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it. Version 1.10.10 contains a patch for this issue. | 2023-09-15 | 6.5 | CVE-2023-40019 MISC MISC |
fujitsu — arconte_aurea | Reflected and persistent XSS vulnerability in Arconte Áurea, in its 1.5.0.0 version. The exploitation of this vulnerability could allow an attacker to inject malicious JavaScript code, compromise the victim’s browser and take control of it, redirect the user to malicious domains or access information being viewed by the legitimate user. | 2023-09-19 | 6.1 | CVE-2023-4093 MISC |
fujitsu — arconte_aurea | User enumeration vulnerability in Arconte Áurea 1.5.0.0 version. The exploitation of this vulnerability could allow an attacker to obtain a list of registered users in the application, obtaining the necessary information to perform more complex attacks on the platform. | 2023-09-19 | 5.3 | CVE-2023-4095 MISC |
galaxy — galaxy | Galaxy is an open-source platform for FAIR data analysis. Prior to version 22.05, Galaxy is vulnerable to server-side request forgery, which allows a malicious to issue arbitrary HTTP/HTTPS requests from the application server to internal hosts and read their responses. Version 22.05 contains a patch for this issue. | 2023-09-22 | 4.3 | CVE-2023-42812 MISC MISC |
github — enterprise_server | An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To do so, an attacker would need write access to the repository. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.6.17, 3.7.15, 3.8.8, 3.9.3, and 3.10.1. This vulnerability was reported via the GitHub Bug Bounty program. | 2023-09-22 | 6.5 | CVE-2023-23766 MISC MISC MISC MISC MISC |
gnome — gnome-shell | A vulnerability was found in GNOME Shell. GNOME Shell’s lock screen allows an unauthenticated local user to view windows of the locked desktop session by using keyboard shortcuts to unlock the restricted functionality of the screenshot tool. | 2023-09-22 | 5.5 | CVE-2023-43090 MISC MISC MISC MISC |
gnu — glibc | A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data and may cause a crash. | 2023-09-18 | 6.5 | CVE-2023-4527 MISC MISC MISC |
gnu — glibc | A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags. | 2023-09-18 | 5.9 | CVE-2023-4806 MISC MISC |
graphql — graphql | Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process. | 2023-09-20 | 5.3 | CVE-2023-26144 MISC MISC MISC MISC MISC |
hestiacp — hestiacp | Cross-site Scripting (XSS) – Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8. | 2023-09-20 | 6.1 | CVE-2023-5084 MISC MISC |
hydra — hydra | Hydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, not signing and verifying `$\mathsf{cid}$` allows an attacker (which must be a participant of this head) to use a snapshot from an old head instance with the same participants to close the head or contest the state with it. This can lead to an incorrect distribution of value (= value extraction attack; hard, but possible) or prevent the head to finalize because the value available is not consistent with the closed utxo state (= denial of service; easy). A patch is planned for version 0.13.0. As a workaround, rotate keys between heads so not to re-use keys and not result in the same multi-signature participants. | 2023-09-21 | 6.5 | CVE-2023-42806 MISC MISC MISC MISC |
ibm — robotic_process_automation | IBM Robotic Process Automation 21.0.0 through 21.0.7.8 could disclose sensitive information from access to RPA scripts, workflows and related data. IBM X-Force ID: 261606. | 2023-09-20 | 5.3 | CVE-2023-38718 MISC MISC |
ibm — storage_protect | IBM Storage Protect 8.1.0.0 through 8.1.19.0 could allow a privileged user to obtain sensitive information from the administrative command line client. IBM X-Force ID: 263456. | 2023-09-20 | 4.4 | CVE-2023-40368 MISC MISC |
iobit — malware_fighter | An issue was discovered in ImfHpRegFilter.sys in IOBit Malware Fighter version 8.0.2, allows local attackers to cause a denial of service (DoS). | 2023-09-20 | 5.5 | CVE-2020-24089 MISC |
isl — arp-guard | A reflected cross-site scripting (XSS) vulnerability in the url_str URL parameter of ISL ARP Guard v4.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 2023-09-20 | 5.4 | CVE-2023-39575 MISC |
ivanti — endpoint_manager | An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. A file disclosure vulnerability exists in the GetFileContents SOAP action exposed via /landesk/managementsuite/core/core.secure/OsdScript.asmx. The application does not sufficiently restrict user-supplied paths, allowing for an authenticated attacker to read arbitrary files from a remote system, including the private key used to authenticate to agents for remote access. | 2023-09-21 | 6.5 | CVE-2023-38344 MISC MISC |
jenkins — jenkins | A missing permission check in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. | 2023-09-20 | 6.5 | CVE-2023-43501 MISC MISC |
jenkins — jenkins | Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the ‘caption’ constructor parameter of ‘ExpandableDetailsNote’, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter. | 2023-09-20 | 5.4 | CVE-2023-43495 MISC MISC |
jenkins — jenkins | Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not escape Failure Cause names in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or update Failure Causes. | 2023-09-20 | 5.4 | CVE-2023-43499 MISC MISC |
jenkins — jenkins | Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered. | 2023-09-20 | 4.3 | CVE-2023-43494 MISC MISC |
jenkins — jenkins | A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to delete Failure Causes. | 2023-09-20 | 4.3 | CVE-2023-43502 MISC MISC |
jetbrains — teamcity | In JetBrains TeamCity before 2023.05.4 stored XSS was possible during nodes configuration | 2023-09-19 | 5.4 | CVE-2023-43566 MISC |
keycloak — keycloak | A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability. | 2023-09-20 | 4.8 | CVE-2022-1438 MISC MISC MISC MISC MISC MISC MISC |
kiali — kiali | A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed. | 2023-09-23 | 4.3 | CVE-2022-3962 MISC MISC MISC |
kokoroe_members_card_project — kokoroe_members_card | An information leak in kokoroe_members card Line 13.6.1 allows attackers to obtain the channel access token and send crafted messages. | 2023-09-20 | 6.5 | CVE-2023-39045 MISC |
kukurudeli_project — kukurudeli | An information leak in KUKURUDELI Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages. | 2023-09-20 | 6.5 | CVE-2023-39041 MISC |
linaro — op-tee | OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.20 and prior to version 3.22, `shdr_verify_signature` can make a double free. `shdr_verify_signature` used to verify a TA binary before it is loaded. To verify a signature of it, allocate a memory for RSA key. The RSA key allocate function (`sw_crypto_acipher_alloc_rsa_public_key`) will try to allocate a memory (which is optee’s heap memory). RSA key consists of exponent and modulus (represent as variable `e`, `n`) and its allocation is not atomic way, so it may succeed in `e` but fail in `n`. In this case sw_crypto_acipher_alloc_rsa_public_key` will free on `e` and return as it is failed but variable ‘e’ is remained as already freed memory address. `shdr_verify_signature` will free again that memory (which is `e`) even it is freed when it failed allocate RSA key. A patch is available in version 3.22. No known workarounds are available. | 2023-09-15 | 6.7 | CVE-2023-41325 MISC MISC |
mastodon — mastodon | Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon’s strict Content Security Policy, blocking inline scripts, etc. However a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the “Translate” button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue. | 2023-09-19 | 5.4 | CVE-2023-42452 MISC MISC |
minitool — power_data_recovery | MiniTool Power Data Recovery version 11.6 and before contains an insecure in-app payment system that allows attackers to steal highly sensitive information through a man in the middle attack. | 2023-09-19 | 5.9 | CVE-2023-38353 MISC |
php-login-system — php-login-system | A reflected cross-site scripting (XSS) vulnerability in msaad1999’s PHP-Login-System 2.0.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the ‘validator’ parameter in ‘/reset-password’. | 2023-09-20 | 6.1 | CVE-2023-38875 MISC |
php-login-system — php-login-system | A reflected cross-site scripting (XSS) vulnerability in msaad1999’s PHP-Login-System 2.0.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the ‘selector’ parameter in ‘/reset-password’. | 2023-09-20 | 6.1 | CVE-2023-38876 MISC |
nagios — nagios_xi | A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php | 2023-09-19 | 6.5 | CVE-2023-40931 MISC MISC MISC |
nagios — nagios_xi | A Cross-site scripting (XSS) vulnerability in Nagios XI version 5.11.1 and below allows authenticated attackers with access to the custom logo component to inject arbitrary javascript or HTML via the alt-text field. This affects all pages containing the navbar including the login page which means the attacker is able to to steal plaintext credentials. | 2023-09-19 | 5.4 | CVE-2023-40932 MISC MISC MISC |
netbox — netbox | Cross Site Scripting (XSS) vulnerability in Netbox 3.5.1, allows attackers to execute arbitrary code via Name field in device-roles/add function. | 2023-09-20 | 5.4 | CVE-2023-36234 MISC |
nocodb — nocodb | Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0. | 2023-09-21 | 6.5 | CVE-2023-5104 MISC MISC |
nozomi_networks — cmc | A SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain parameters used in the Query functionality, allows an authenticated attacker to execute arbitrary SQL queries on the DBMS used by the web application. Authenticated users can extract arbitrary information from the DBMS in an uncontrolled way. | 2023-09-19 | 6.5 | CVE-2023-2567 MISC |
nqptp — nqptp | In nqptp-message-handlers.c in nqptp before 1.2.3, crafted packets received on the control port could crash the program. | 2023-09-22 | 5.5 | CVE-2023-43771 MISC MISC MISC |
nvidia — cumulus_linux | NVIDIA Cumulus Linux contains a vulnerability in neighmgrd and nlmanager where an attacker on an adjacent network may cause an uncaught exception by injecting a crafted packet. A successful exploit may lead to denial of service. | 2023-09-20 | 6.5 | CVE-2023-25526 MISC |
nvidia — geforce_now | NVIDIA GeForce Now for Android contains a vulnerability in the game launcher component, where a malicious application on the same device can process the implicit intent meant for the streamer component. A successful exploit of this vulnerability may lead to limited information disclosure, denial of service, and code execution. | 2023-09-20 | 4.8 | CVE-2023-31014 MISC |
openharmony — openharmony | OpenHarmony v3.2.1 and prior version has a liteos-a kernel may crash caused by mqueue undetected entries vulnerability. Local attackers can crash liteos-a kernel by the error input | 2023-09-21 | 5.5 | CVE-2023-4753 MISC |
openknowledgemaps — head_start | A reflected cross-site scripting (XSS) vulnerability in OpenKnowledgeMaps Head Start versions 4, 5, 6, 7 as well as Visual Project Explorer 1.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the ‘service’ parameter in ‘headstart_snapshot.php’. | 2023-09-20 | 6.1 | CVE-2023-40618 MISC |
oracle — apache_flink_stateful_functions | Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests. Attackers could potentially inject malicious content into the HTTP response that is sent to the user’s browser. Users should upgrade to Apache Flink Stateful Functions version 3.3.0. | 2023-09-19 | 6.1 | CVE-2023-41834 MISC MISC |
oracle — oracle_linux/oracle_vm | In the Unbreakable Enterprise Kernel (UEK), the RDS module in UEK has two setsockopt(2) options, RDS_CONN_RESET and RDS6_CONN_RESET, that are not re-entrant. A malicious local user with CAP_NET_ADMIN can use this to crash the kernel. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2023-09-20 | 5.5 | CVE-2023-22024 MISC |
papercut — mobility_print_server | The `PaperCutNG Mobility Print` version 1.0.3512 application allows an unauthenticated attacker to perform a CSRF attack on an instance administrator to configure the clients host (in the “configure printer discovery” section). This is possible because the application has no protections against CSRF attacks, like Anti-CSRF tokens, header origin validation, samesite cookies, etc. | 2023-09-20 | 6.5 | CVE-2023-2508 MISC MISC |
plone — plone | plone.namedfile allows users to handle `File` and `Image` fields targeting, but not depending on, Plone Dexterity content. Prior to versions 5.6.1, 6.0.3, 6.1.3, and 6.2.1, there is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. Note that an image tag with an SVG image as source is not vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in versions 5.6.1 (for Plone 5.2), 6.0.3 (for Plone 6.0.0-6.0.4), 6.1.3 (for Plone 6.0.5-6.0.6), and 6.2.1 (for Plone 6.0.7). There are no known workarounds. | 2023-09-21 | 5.4 | CVE-2023-41048 MISC MISC MISC MISC MISC MISC MISC |
pow — pow | Pow is an authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session’s remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated. | 2023-09-18 | 6.5 | CVE-2023-42446 MISC MISC |
prestashop — prestashop | M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The “f” parameter is not properly checked in the resource /m4pdf/pdf.php, returning any file given its relative path. An attacker that exploits this vulnerability could download /etc/passwd from the server if the file exists. | 2023-09-20 | 6.5 | CVE-2022-45447 MISC |
prestashop — prestashop | M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource /m4pdf/pdf.php uses templates to dynamically create documents. In the case that the template does not exist, the application will return a fixed document with a message in mpdf format. An attacker could exploit this vulnerability by inputting a valid HTML/CSS document as the value of the parameter. | 2023-09-20 | 6.1 | CVE-2022-45448 MISC |
progress — moveit_transfer | In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a reflected cross-site scripting (XSS) vulnerability has been identified in MOVEit Transfer’s web interface. An attacker could craft a malicious payload targeting MOVEit Transfer users during the package composition procedure. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser. | 2023-09-20 | 6.1 | CVE-2023-42656 MISC MISC |
qt — qt | An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks. | 2023-09-18 | 5.5 | CVE-2023-43114 MISC |
quboworld — smart_plug_10a_firmware | An issue was discovered in Qubo Smart Plug10A version HSP02_01_01_14_SYSTEM-10 A, allows local attackers to gain sensitive information and other unspecified impact via UART console. | 2023-09-16 | 5.5 | CVE-2023-36160 MISC |
keycloak — keycloak | A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. | 2023-09-20 | 6.8 | CVE-2022-3916 MISC MISC MISC MISC MISC MISC MISC MISC MISC MISC MISC MISC |
roundcube — webmail | Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. | 2023-09-22 | 6.1 | CVE-2023-43770 MISC MISC MLIST |
skyworth — skyworth_os | Skyworth 3.0 OS is vulnerable to Directory Traversal. | 2023-09-20 | 6.8 | CVE-2023-40930 MISC |
speciesfilegroup — taxonworks | TaxonWorks is a web-based workbench designed for taxonomists and biodiversity scientists. Prior to version 0.34.0, a SQL injection vulnerability was found in TaxonWorks that allows authenticated attackers to extract arbitrary data from the TaxonWorks database (including the users table). This issue may lead to information disclosure. Version 0.34.0 contains a fix for the issue. | 2023-09-22 | 6.5 | CVE-2023-43640 MISC MISC |
spring — spring | A batch loader function in Spring for GraphQL versions 1.1.0 – 1.1.5 and 1.2.0 – 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry. | 2023-09-20 | 4.3 | CVE-2023-34047 MISC |
strapi — strapi | Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure that they can’t be selected. This issue is fixed in version 4.11.7. | 2023-09-15 | 5.7 | CVE-2023-36472 MISC MISC |
student_management_system — student_management_system | A reflected cross-site scripting (XSS) vulnerability in the Search Student function of Student Management System v1.2.3 and before allows attackers to execute arbitrary Javascript in the context of a victim user’s browser via a crafted payload. | 2023-09-21 | 4.8 | CVE-2023-41616 MISC |
summernote — rich_text_editor | Cross Site Scripting vulnerability in Summernote Rich Text Editor v.0.8.18 and before allows a remote attacker to execute arbitrary code via a crafted script to the insert link function in the editor component. | 2023-09-18 | 5.4 | CVE-2023-42371 MISC MISC |
suse — manager_server | An Innsertion of Sensitive Information into Log File vulnerability in SUSE SUSE Manager Server Module 4.2 spacewalk-java, SUSE SUSE Manager Server Module 4.3 spacewalk-java causes sensitive information to be logged. This issue affects SUSE Manager Server Module 4.2: before 4.2.50-150300.3.66.5; SUSE Manager Server Module 4.3: before 4.3.58-150400.3.46.4. | 2023-09-20 | 5.5 | CVE-2023-22644 MISC |
symantec — identity_portal | An authenticated user can see and modify the value for ‘next’ query parameter in Symantec Identity Portal 14.4 | 2023-09-19 | 5.4 | CVE-2023-23957 MISC |
the_b_members_card — the_b_members_card | An information leak in THE_B_members card v13.6.1 allows attackers to obtain the channel access token and send crafted messages. | 2023-09-18 | 6.5 | CVE-2023-39058 MISC MISC |
vyperlang — vyper | Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Starting in version 0.2.9 and prior to version 0.3.10, locks of the type `@nonreentrant(“”)` or `@nonreentrant(”)` do not produce reentrancy checks at runtime. This issue is fixed in version 0.3.10. As a workaround, ensure the lock name is a non-empty string. | 2023-09-18 | 5.3 | CVE-2023-42441 MISC MISC MISC |
webmin — webmin | There is a stored cross-site scripting (XSS) vulnerability in Webmin 2.002 and below via the Cluster Cron Job tab Input field, which allows attackers to run malicious scripts by injecting a specially crafted payload. | 2023-09-21 | 4.8 | CVE-2023-43309 MISC |
withsecure — f-secure_policy_manager | Certain WithSecure products allow XSS via an unvalidated parameter in the endpoint. This affects WithSecure Policy Manager 15 on Windows and Linux. | 2023-09-22 | 6.1 | CVE-2023-43763 MISC MISC |
wordpress — wordpress | The Super Store Finder plugin for WordPress is vulnerable to unauthenticated arbitrary email creation and relay in versions up to, and including, 6.9.2. This is due to insufficient restrictions on the sendMail.php file that allows direct access. This makes it possible for unauthenticated attackers to send emails utilizing the vulnerable site’s server, with arbitrary content. Please note that this vulnerability has already been publicly disclosed with an exploit which is why we are publishing the details without a patch available, we are attempting to initiate contact with the developer. | 2023-09-19 | 5.8 | CVE-2023-5054 MISC MISC |
wordpress — wordpress | The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mla_gallery’ shortcode in versions up to, and including, 3.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2023-09-22 | 5.4 | CVE-2023-4716 MISC MISC MISC MISC MISC MISC |
wordpress — wordpress | The WP-Matomo Integration (WP-Piwik) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wp-piwik’ shortcode in versions up to, and including, 1.0.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2023-09-22 | 5.4 | CVE-2023-4774 MISC MISC MISC |
wordpress — wordpress | The Contact Form by FormGet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ‘formget’ shortcode in versions up to, and including, 5.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2023-09-23 | 5.4 | CVE-2023-5125 MISC MISC |
wordpress — wordpress | The Leyka WordPress plugin through 3.30.3 does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 2023-09-19 | 4.8 | CVE-2023-2995 MISC |
wordpress — wordpress | The Serial Codes Generator and Validator with WooCommerce Support WordPress plugin before 2.4.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 2023-09-19 | 4.8 | CVE-2023-4376 MISC |
wordpress — wordpress | The Easy Registration Forms for WordPress is vulnerable to Information Disclosure via the ‘erforms_user_meta’ shortcode in versions up to, and including, 2.1.1 due to insufficient controls on the information retrievable via the shortcode. This makes it possible for authenticated attackers, with subscriber-level capabilities or above, to retrieve arbitrary sensitive user meta. | 2023-09-23 | 4.3 | CVE-2023-5134 MISC MISC |
xdsoft — jodit_editor | Cross Site Scripting vulnerability in xdsoft.net Jodit Editor v.4.0.0-beta.86 allows a remote attacker to obtain sensitive information via the rich text editor component. | 2023-09-19 | 6.1 | CVE-2023-42399 MISC MISC MISC |
ykc — tokushima_awayokocho | An information leak in YKC Tokushima_awayokocho Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages. | 2023-09-18 | 6.5 | CVE-2023-39043 MISC MISC MISC |
zoo_management_system — zoo_management_system | A stored cross-site scripting (XSS) vulnerability in the Add Animal Details function of Zoo Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description of Animal parameter. | 2023-09-21 | 4.8 | CVE-2023-41614 MISC |
zope — zope | Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the “Add Documents, Images, and Files” permission is only assigned to trusted roles. By default, only the Manager has this permission. | 2023-09-21 | 5.4 | CVE-2023-42458 MISC MISC MISC MISC |
Low Vulnerabilities
Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
There were no low vulnerabilities recorded this week. |
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.