Vulnerability Summary for the Week of September 18, 2023

Released
Sep 29, 2023
Document ID
SB23-272

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


 

High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
acronis -- cyber_protect_home_officeSensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40713.2023-09-207.5CVE-2023-5042
MISC
apple -- multiple_productsThe issue was addressed with improved checks. This issue is fixed in Safari 17, iOS 16.7 and iPadOS 16.7, macOS Sonoma 14. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.2023-09-219.8CVE-2023-41993
MISC
MISC
MISC
MISC
apple -- multiple_productsThe issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.7, macOS Ventura 13.6, iOS 16.7 and iPadOS 16.7. A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.2023-09-217.8CVE-2023-41992
MISC
MISC
MISC
artifex -- ghostscriptIn Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server).2023-09-189.8CVE-2023-43115
MISC
MISC
MISC
atlassian -- bitbucket_serverThis High severity RCE (Remote Code Execution) vulnerability was introduced in version 8.0.0 of Bitbucket Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bitbucket Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.5 Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.5 Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.4 Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.2 Bitbucket Data Center and Server 8.13: Upgrade to a release greater than or equal to 8.13.1 Bitbucket Data Center and Server 8.14: Upgrade to a release greater than or equal to 8.14.0 Bitbucket Data Center and Server version >= 8.0 and < 8.9: Upgrade to any of the listed fix versions. See the release notes (https://confluence.atlassian.com/bitbucketserver/release-notes). You can download the latest version of Bitbucket Data Center and Server from the download center (https://www.atlassian.com/software/bitbucket/download-archives). This vulnerability was discovered by a private user and reported via our Bug Bounty program2023-09-198.8CVE-2023-22513
MISC
MISC
automataci -- automataciAutomataCI is a template git repository equipped with a native built-in semi-autonomous CI tools. An issue in versions 1.4.1 and below can let a release job reset the git root repository to the first commit. Version 1.5.0 has a patch for this issue. As a workaround, make sure the `PROJECT_PATH_RELEASE` (e.g. `releases/`) directory is manually and actually `git cloned` properly, making it a different git repostiory from the root git repository.2023-09-229.1CVE-2023-42798
MISC
MISC
blamer -- blamerVersions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.2023-09-199.1CVE-2023-26143
MISC
MISC
MISC
cesanta -- mjsCesanta mjs v2.20.0 was discovered to contain a function pointer hijacking vulnerability via the function mjs_get_ptr(). This vulnerability allows attackers to execute arbitrary code via a crafted input.2023-09-239.8CVE-2023-43338
MISC
cimg -- cimgAn issue in cimg.eu Cimg Library v2.9.3 allows an attacker to obtain sensitive information via a crafted JPEG file.2023-09-208.1CVE-2023-41484
MISC
composer -- composerComposer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.2023-09-218.8CVE-2015-8371
MISC
MISC
MISC
MISC
contribsys -- faktoryFaktory is a language-agnostic persistent background job server. Prior to version 1.8.0, the Faktory web dashboard can suffer from denial of service by a crafted malicious url query param `days`. The vulnerability is related to how the backend reads the `days` URL query parameter in the Faktory web dashboard. The value is used directly without any checks to create a string slice. If a very large value is provided, the backend server ends up using a significant amount of memory and causing it to crash. Version 1.8.0 fixes this issue.2023-09-207.5CVE-2023-37279
MISC
corecode -- macupdaterAn XPC misconfiguration vulnerability in CoreCode MacUpdater before 2.3.8, and 3.x before 3.1.2, allows attackers to escalate privileges by crafting malicious .pkg files.2023-09-207.8CVE-2023-41902
MISC
MISC
MISC
croc -- crocAn issue was discovered in Croc through 9.6.5. A sender may send dangerous new files to a receiver, such as executable content or a .ssh/authorized_keys file.2023-09-207.8CVE-2023-43619
MISC
MISC
MLIST
croc -- crocAn issue was discovered in Croc through 9.6.5. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver.2023-09-207.8CVE-2023-43620
MISC
MISC
MLIST
curl -- curlWhen curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.2023-09-157.5CVE-2023-38039
MISC
MISC
MISC
MISC
d-link -- d-view_8Use of a static key to protect a JWT token used in user authentication can allow an for an authentication bypass in D-Link D-View 8 v2.0.1.282023-09-209.8CVE-2023-5074
MISC
d-link -- di-7200g_firmwareD-Link DI-7200GV2.E1 v21.04.09E1 was discovered to contain a stack overflow via the zn_jb parameter in the arp_sys.asp function.2023-09-209.8CVE-2023-43196
MISC
d-link -- di-7200g_firmwareD-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a stack overflow via the fn parameter in the tgfile.asp function.2023-09-209.8CVE-2023-43197
MISC
d-link -- di-7200g_firmwareD-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a stack overflow via the popupId parameter in the H5/hi_block.asp function.2023-09-209.8CVE-2023-43198
MISC
d-link -- di-7200g_firmwareD-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a stack overflow via the prev parameter in the H5/login.cgi function.2023-09-209.8CVE-2023-43199
MISC
d-link -- di-7200g_firmwareD-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a stack overflow via the id parameter in the yyxz.data function.2023-09-209.8CVE-2023-43200
MISC
d-link -- di-7200g_firmwareD-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a stack overflow via the hi_up parameter in the qos_ext.asp function.2023-09-209.8CVE-2023-43201
MISC
MISC
d-link -- dir-806_firmwareD-LINK DIR-806 1200M11AC wireless router DIR806A1_FW100CNb11 is vulnerable to command injection due to lax filtering of HTTP_ST parameters.2023-09-219.8CVE-2023-43128
MISC
MISC
d-link -- dir-806_firmwareD-LINK DIR-806 1200M11AC wireless router DIR806A1_FW100CNb11 is vulnerable to command injection due to lax filtering of REMOTE_PORT parameters.2023-09-229.8CVE-2023-43129
MISC
MISC
d-link -- dir-806_firmwareD-LINK DIR-806 1200M11AC wireless router DIR806A1_FW100CNb11 is vulnerable to command injection.2023-09-229.8CVE-2023-43130
MISC
MISC
d-link -- dir-816_a2_firmwareD-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter statuscheckpppoeuser in dir_setWanWifi.2023-09-219.8CVE-2023-43236
MISC
MISC
d-link -- dir-816_a2_firmwareD-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter macCloneMac in setMAC.2023-09-219.8CVE-2023-43237
MISC
MISC
d-link -- dir-816_a2_firmwareD-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter nvmacaddr in form2Dhcpip.cgi.2023-09-219.8CVE-2023-43238
MISC
MISC
d-link -- dir-816_a2_firmwareD-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter flag_5G in showMACfilterMAC.2023-09-219.8CVE-2023-43239
MISC
MISC
d-link -- dir-816_a2_firmwareD-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter sip_address in ipportFilter.2023-09-219.8CVE-2023-43240
MISC
MISC
d-link -- dir-816a2_firmwareD-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter removeRuleList in form2IPQoSTcDel.2023-09-219.8CVE-2023-43242
MISC
MISC
d-link -- dir-823g_firmwareD-Link DIR-823G v1.0.2B05 was discovered to contain a stack overflow via parameter StartTime and EndTime in SetWifiDownSettings.2023-09-219.8CVE-2023-43235
MISC
MISC
d-link -- dir-823g_firmwareD-Link DIR-823G v1.0.2B05 was discovered to contain a stack overflow via parameter TXPower and GuardInt in SetWLanRadioSecurity.2023-09-219.8CVE-2023-43241
MISC
MISC
d-link -- dwl-6610ap_firmwareD-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command injection vulnerability in the function pcap_download_handler. This vulnerability allows attackers to execute arbitrary commands via the update.device.packet-capture.tftp-file-name parameter.2023-09-209.8CVE-2023-43202
MISC
d-link -- dwl-6610ap_firmwareD-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a stack overflow vulnerability in the function update_users.2023-09-209.8CVE-2023-43203
MISC
d-link -- dwl-6610ap_firmwareD-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command injection vulnerability in the function sub_2EF50. This vulnerability allows attackers to execute arbitrary commands via the manual-time-string parameter.2023-09-209.8CVE-2023-43204
MISC
d-link -- dwl-6610ap_firmwareD-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command injection vulnerability in the function web_cert_download_handler. This vulnerability allows attackers to execute arbitrary commands via the certDownload parameter.2023-09-209.8CVE-2023-43206
MISC
d-link -- dwl-6610ap_firmwareD-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command injection vulnerability in the function config_upload_handler. This vulnerability allows attackers to execute arbitrary commands via the configRestore parameter.2023-09-209.8CVE-2023-43207
MISC
delta_electronics -- diascreenDelta Electronics DIAScreen may write past the end of an allocated buffer while parsing a specially crafted input file. This could allow an attacker to execute code in the context of the current process.2023-09-217.8CVE-2023-5068
MISC
MISC
digitaldruid -- hoteldruidHoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php.2023-09-209.8CVE-2023-43371
MISC
digitaldruid -- hoteldruidHoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php.2023-09-209.8CVE-2023-43373
MISC
digitaldruid -- hoteldruidHoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php.2023-09-209.8CVE-2023-43374
MISC
digitaldruid -- hoteldruidHoteldruid v3.0.5 was discovered to contain multiple SQL injection vulnerabilities at /hoteldruid/clienti.php via the annonascita, annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita, and mesescaddoc parameters.2023-09-209.8CVE-2023-43375
MISC
dolibarr -- dolibarr_erp\/crmFile Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions.2023-09-208.8CVE-2023-38887
MISC
MISC
dolibarr -- dolibarr_erp_crmCross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.2023-09-209.6CVE-2023-38888
MISC
MISC
dolibarr -- dolibarr_erp_crmAn issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.2023-09-207.2CVE-2023-38886
MISC
MISC
dreamer_cms -- dreamer_cmsDreamer CMS 4.1.3 is vulnerable to SQL Injection.2023-09-219.8CVE-2023-42279
MISC
dst-admin -- dst-admindst-admin v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the userId parameter at /home/playerOperate.2023-09-229.8CVE-2023-43270
MISC
eclipse -- remote_application_platformIn Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component. The reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \ (backslashes) coming further back are kept. For example, a file name such as /..\..\webapps\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ..\..\webapps\shell.war in its webapps directory and can then be executed.2023-09-219.8CVE-2023-4760
MISC
MISC
elitecms -- elite_cmsA file upload vulnerability in EliteCMS 1.01 allows a remote attacker to execute arbitrary code via the manage_uploads.php component.2023-09-208.8CVE-2023-42331
MISC
MISC
f-secure -- client_securityCertain WithSecure products allow Denial of Service via a fuzzed PE32 file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.2023-09-227.5CVE-2023-43760
MISC
MISC
f-secure -- linux_protectionCertain WithSecure products allow Local privilege escalation via the lhz archive unpack handler. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.2023-09-227.8CVE-2023-43766
MISC
MISC
f-secure -- linux_protectionCertain WithSecure products allow Denial of Service (infinite loop). This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.2023-09-227.5CVE-2023-43761
MISC
MISC
f-secure -- linux_protectionCertain WithSecure products allow Denial of Service in the aeelf component. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.2023-09-227.5CVE-2023-43765
MISC
MISC
f-secure -- linux_protectionCertain WithSecure products allow Denial of Service via the aepack archive unpack handler. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.2023-09-227.5CVE-2023-43767
MISC
MISC
falktx -- cadenceCadence through 0.9.2 2023-08-21 uses an Insecure /tmp/cadence-wineasio.reg Temporary File. The filename is used even if it has been created by a local adversary before Cadence started. The adversary can leverage this to create or overwrite files via a symlink attack. In some kernel configurations, code injection into the Wine registry is possible.2023-09-227.5CVE-2023-43783
MISC
MISC
fit2cloud -- cloudexplorer_liteAn issue in CloudExplorer Lite 1.3.1 allows an attacker to obtain sensitive information via the login key component.2023-09-207.5CVE-2023-42147
MISC
fl3xx -- crewUnrestricted File Upload vulnerability in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to execute arbitrary code via the add attachment function in the New Expense component.2023-09-208.8CVE-2023-42335
MISC
foreman -- foremanAn arbitrary code execution flaw was found in Foreman. This flaw allows an admin user to bypass safe mode in templates and execute arbitrary code on the underlying operating system.2023-09-209.1CVE-2023-0118
MISC
MISC
MISC
foreman -- foremanAn arbitrary code execution flaw was found in Foreman. This issue may allow an admin user to execute arbitrary code on the underlying operating system by setting global parameters with a YAML payload.2023-09-209.1CVE-2023-0462
MISC
MISC
fuxa -- fuxaFUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin.2023-09-229.8CVE-2023-31719
MISC
MISC
MISC
frappe_lms -- frappe_lmsFrappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won't face this issue if they are using the latest main branch of the app.2023-09-219.8CVE-2023-42807
MISC
frauscher_sensortechnik_gmbh -- fadc/fadciFrauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a remote code execution (RCE) vulnerability via manipulated parameters of the web interface without authentication. This could lead to a full compromise of the FDS101 device.2023-09-219.8CVE-2023-4291
MISC
frauscher_sensortechnik_gmbh -- fadc/fadciFrauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a path traversal vulnerability of the web interface by a crafted URL without authentication. This enables a remote attacker to read all files on the filesystem of the FDS101 device.2023-09-217.5CVE-2023-4152
MISC
freeswitch -- freeswitchFreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue.2023-09-157.5CVE-2023-40018
MISC
MISC
fujitsu -- arconte_aureaSQL injection vulnerability in Arconte Áurea, in its 1.5.0.0 version. The exploitation of this vulnerability could allow an attacker to read sensitive data from the database, modify data (insert/update/delete), perform database administration operations and, in some cases, execute commands on the operating system.2023-09-199.8CVE-2023-4092
MISC
fujitsu -- arconte_aureaARCONTE Aurea's authentication system, in its 1.5.0.0 version, could allow an attacker to make incorrect access requests in order to block each legitimate account and cause a denial of service. In addition, a resource has been identified that could allow circumventing the attempt limit set in the login form.2023-09-198.2CVE-2023-4094
MISC
fujitsu -- arconte_aureaWeak password recovery mechanism vulnerability in Fujitsu Arconte Áurea version 1.5.0.0, which exploitation could allow an attacker to perform a brute force attack on the emailed PIN number in order to change the password of a legitimate user.2023-09-198.2CVE-2023-4096
MISC
fuxa -- fuxaFUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log2023-09-227.5CVE-2023-31716
MISC
MISC
fuxa -- fuxaA SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.2023-09-227.5CVE-2023-31717
MISC
MISC
MISC
fuxa -- fuxaFUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download.2023-09-227.5CVE-2023-31718
MISC
MISC
MISC
gitlab -- gitlabAn issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This was a bypass of [CVE-2023-3932](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932) showing additional impact.2023-09-199.8CVE-2023-5009
MISC
MISC
gomarkdown -- markdownThe package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion `0.0.0-20230922105210-14b16010c2ee`, which corresponds with commit `14b16010c2ee7ff33a940a541d993bd043a88940`, parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability. To exploit the vulnerability, parser needs to have `parser.Mmark` extension set. The panic occurs inside the `citation.go` file on the line 69 when the parser tries to access the element past its length. This can result in a denial of service. Commit `14b16010c2ee7ff33a940a541d993bd043a88940`/pseudoversion `0.0.0-20230922105210-14b16010c2ee` contains a patch for this issue.2023-09-227.5CVE-2023-42821
MISC
MISC
MISC
ibm -- person_communicationsIBM Personal Communications 14.05, 14.06, and 15.0.0 could allow a local user to escalate their privileges to the SYSTEM user due to overly permissive access controls. IBM X-Force ID: 260138.2023-09-207.8CVE-2023-37410
MISC
MISC
icmsdev -- icmsInsecure Permissions vulnerability in icmsdev iCMS v.7.0.16 allows a remote attacker to obtain sensitive information.2023-09-209.8CVE-2023-42322
MISC
MISC
icmsdev -- icmsCross Site Request Forgery (CSRF) vulnerability in icmsdev iCMSv.7.0.16 allows a remote attacker to execute arbitrary code via the user.admincp.php, members.admincp.php, and group.admincp.php files.2023-09-208.8CVE-2023-42321
MISC
MISC
insyde -- insydeh2oAn issue was discovered in SystemFirmwareManagementRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The implementation of the GetImage method retrieves the value of a runtime variable named GetImageProgress, and later uses this value as a function pointer. This variable is wiped out by the same module near the end of the function. By setting this UEFI variable from the OS to point into custom code, an attacker could achieve arbitrary code execution in the DXE phase, before several chipset locks are set.2023-09-187.8CVE-2023-34195
MISC
MISC
isc -- bindThe code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.2023-09-207.5CVE-2023-3341
MISC
MISC
MISC
MISC
isc -- bindA flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.2023-09-207.5CVE-2023-4236
MISC
MISC
MISC
MISC
ivanti -- endpoint_managerAn XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.2023-09-217.5CVE-2023-38343
MISC
MISC
jeecg -- jeecg-bootSQL injection vulnerbility in jeecgboot jeecg-boot v 3.0, 3.5.3 that allows a remote attacker to execute arbitrary code via a crafted request to the report/jeecgboot/jmreport/queryFieldBySql component.2023-09-229.8CVE-2023-40989
MISC
jenkins -- jenkinsJenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.2023-09-208.8CVE-2023-43496
MISC
MISC
jenkins -- jenkinsA cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.2023-09-208.8CVE-2023-43500
MISC
MISC
jenkins -- jenkinsIn Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.2023-09-208.1CVE-2023-43497
MISC
MISC
jenkins -- jenkinsIn Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.2023-09-208.1CVE-2023-43498
MISC
MISC
jerryscript -- jerryscriptBuffer Overflow vulnerability in JerryScript version 3.0, allows remote attackers to execute arbitrary code via ecma_stringbuilder_append_raw component at /jerry-core/ecma/base/ecma-helpers-string.c.2023-09-209.8CVE-2023-36109
MISC
MISC
jetbrains -- teamcityIn JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible2023-09-199.8CVE-2023-42793
MISC
MISC
jtekt -- kostac_plcDouble free issue exists in Kostac PLC Programming Software Version 1.6.11.0 and earlier. Arbitrary code may be executed by having a user open a specially crafted project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier because the issue exists in parsing of KPP project files. The vendor states that Kostac PLC Programming Software Version 1.6.10.0 or later implements the function which prevents a project file alteration. Therefore, to mitigate the impact of these vulnerabilities, a project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier needs to be saved again using Kostac PLC Programming Software Version 1.6.10.0 or later.2023-09-207.8CVE-2023-41374
MISC
MISC
jtekt -- kostac_plcUse after free vulnerability exists in Kostac PLC Programming Software Version 1.6.11.0. Arbitrary code may be executed by having a user open a specially crafted project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier because the issue exists in parsing of KPP project files. The vendor states that Kostac PLC Programming Software Version 1.6.10.0 or later implements the function which prevents a project file alteration. Therefore, to mitigate the impact of these vulnerabilities, a project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier needs to be saved again using Kostac PLC Programming Software Version 1.6.10.0 or later.2023-09-207.8CVE-2023-41375
MISC
MISC
juplink -- rx4-1500_firmwareHard-coded credentials in Juplink RX4-1500 versions V1.0.2 through V1.0.5 allow unauthenticated attackers to log in to the web interface or telnet service as the 'user' user.2023-09-189.8CVE-2023-41030
MISC
juplink -- rx4-1500_firmwareCredential disclosure in the '/webs/userpasswd.htm' endpoint in Juplink RX4-1500 Wifi router firmware versions V1.0.4 and V1.0.5 allows an authenticated attacker to leak the password for the administrative account via requests to the vulnerable endpoint.2023-09-228.8CVE-2023-41027
MISC
juplink -- rx4-1500_firmwareCommand injection vulnerability in the homemng.htm endpoint in Juplink RX4-1500 Wifi router firmware versions V1.0.2, V1.0.3, V1.0.4, and V1.0.5 allows authenticated remote attackers to execute commands as root via specially crafted HTTP requests to the vulnerable endpoint.2023-09-228.8CVE-2023-41029
MISC
juplink -- rx4-1500_firmwareCommand injection in homemng.htm in Juplink RX4-1500 versions V1.0.2, V1.0.3, V1.0.4, and V1.0.5 allows remote authenticated attackers to execute commands via specially crafted requests to the vulnerable endpoint.2023-09-228.8CVE-2023-41031
MISC
lf-edge_zededa -- eve_osWhen sealing/unsealing the "vault" key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was mapped to PCR 13. In that process, PCR 13 was added to the list of PCRs that seal/unseal the key. In commit "56e589749c6ff58ded862d39535d43253b249acf", the config partition measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of PCRs that seal/unseal the key. This change makes the measurement of PCR 14 effectively redundant as it would not affect the sealing/unsealing of the key. An attacker could modify the config partition without triggering the measured boot, this could result in the attacker gaining full control over the device with full access to the contents of the encrypted "vault"2023-09-218.8CVE-2023-43634
MISC
lf-edge_zededa -- eve_osDue to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte randomly generated key with this key (by takeing 16bytes from each, see "mergeKeys"). This makes the key a lot weaker. This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32bytes key usage.2023-09-217.8CVE-2023-43637
MISC
lf-edge_zededa -- eve_osOn boot, the Pillar eve container checks for the existence and content of "/config/GlobalConfig/global.json". If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system's configuration, which also includes some debug functions. This could be used to unlock the ssh with custom "authorized_keys" via the "debug.enable.ssh" key, similar to the "authorized_keys" finding that was noted before. Other usages include unlocking the usb to enable the keyboard via the "debug.enable.usb" key, allowing VNC access via the "app.allow.vnc" key, and more. An attacker could easily enable these debug functionalities without triggering the "measured boot" mechanism implemented by EVE OS, and without marking the device as "UUD" ("Unknown Update Detected"). This is because the "/config" partition is not protected by "measured boot", it is mutable, and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thereby not triggering the "measured boot" mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: • aa3501d6c57206ced222c33aea15a9169d629141 • 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.2023-09-218.8CVE-2023-43633
MISC
linux -- kernelIncorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape.2023-09-208.8CVE-2023-2163
MISC
linux_foundation -- edge_virtualization_engineAs noted in the "VTPM.md" file in the eve documentation, "VTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options" The communication with this server is done using protobuf, and the data is comprised of 2 parts: 1. Header 2. Data When a connection is made, the server is waiting for 4 bytes of data, which will be the header, and these 4 bytes would be parsed as uint32 size of the actual data to come. Then, in the function "handleRequest" this size is then used in order to allocate a payload on the stack for the incoming data. As this payload is allocated on the stack, this will allow overflowing the stack size allocated for the relevant process with freely controlled data. * An attacker can crash the system. * An attacker can gain control over the system, specifically on the "vtpm_server" process which has very high privileges.2023-09-219.9CVE-2023-43632
MISC
linux_foundation -- edge_virtualization_enginePCR14 is not in the list of PCRs that seal/unseal the "vault" key, but due to the change that was implemented in commit "7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4", fixing this issue alone would not solve the problem of the config partition not being measured correctly. Also, the "vault" key is sealed/unsealed with SHA1 PCRs instead of SHA256. This issue was somewhat mitigated due to all of the PCR extend functions updating both the values of SHA256 and SHA1 for a given PCR ID. However, due to the change that was implemented in commit "7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4", this is no longer the case for PCR14, as the code in "measurefs.go" explicitly updates only the SHA256 instance of PCR14, which means that even if PCR14 were to be added to the list of PCRs sealing/unsealing the "vault" key, changes to the config partition would still not be measured. An attacker could modify the config partition without triggering the measured boot, this could result in the attacker gaining full control over the device with full access to the contents of the encrypted "vault"2023-09-208.8CVE-2023-43630
MISC
linux_foundation -- edge_virtualization_engineOn boot, the Pillar eve container checks for the existence and content of "/config/authorized_keys". If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root login. An attacker could easily add their own keys and gain full control over the system without triggering the "measured boot" mechanism implemented by EVE OS, and without marking the device as "UUD" ("Unknown Update Detected"). This is because the "/config" partition is not protected by "measured boot", it is mutable, and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thus not triggering the "measured boot" mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: • aa3501d6c57206ced222c33aea15a9169d629141 • 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.2023-09-218.8CVE-2023-43631
MISC
linux_foundation -- edge_virtualization_engineVault Key Sealed With SHA1 PCRs The measured boot solution implemented in EVE OS leans on a PCR locking mechanism. Different parts of the system update different PCR values in the TPM, resulting in a unique value for each PCR entry. These PCRs are then used in order to seal/unseal a key from the TPM which is used to encrypt/decrypt the "vault" directory. This "vault" directory is the most sensitive point in the system and as such, its content should be protected. This mechanism is noted in Zededa's documentation as the "measured boot" mechanism, designed to protect said "vault". The code that's responsible for generating and fetching the key from the TPM assumes that SHA256 PCRs are used in order to seal/unseal the key, and as such their presence is being checked. The issue here is that the key is not sealed using SHA256 PCRs; it uses SHA1 PCRs. This leads to several issues: • Machines that have their SHA256 PCRs enabled but SHA1 PCRs disabled, as well as not sealing their keys at all, meaning the "vault" is not protected from an attacker. • SHA1 is considered insecure and reduces the complexity level required to unseal the key in machines which have their SHA1 PCRs enabled. An attacker can very easily retrieve the contents of the "vault", which will effectively render the "measured boot" mechanism meaningless.2023-09-208.8CVE-2023-43635
MISC
linux_foundation -- edge_virtualization_engineIn EVE OS, the "measured boot" mechanism prevents a compromised device from accessing the encrypted data located in the vault. As per the "measured boot" design, the PCR values calculated at different stages of the boot process will change if any of their respective parts are changed. This includes, among other things, the configuration of the bios, grub, the kernel cmdline, initrd, and more. However, this mechanism does not validate the entire rootfs, so an attacker can edit the filesystem and gain control over the system. As the default filesystem used by EVE OS is squashfs, this is somewhat harder than an ext4, which is easily changeable. This will not stop an attacker, as an attacker can repackage the squashfs with their changes in it and replace the partition altogether. This can also be done directly on the device, as the "003-storage-init" container contains the "mksquashfs" and "unsquashfs" binaries (with the corresponding libs). An attacker can gain full control over the device without changing the PCR values, thus not triggering the "measured boot" mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: • aa3501d6c57206ced222c33aea15a9169d629141 • 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.2023-09-208.8CVE-2023-43636
MISC
mastodon -- mastodonMastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue.2023-09-197.5CVE-2023-42450
MISC
MISC
mastodon -- mastodonMastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.2023-09-197.5CVE-2023-42451
MISC
MISC
memorysafety -- sudo-rsSudo-rs, a memory safe implementation of sudo and su, allows users to not have to enter authentication at every sudo attempt, but instead only requiring authentication every once in a while, in every terminal or process group. Only once a configurable timeout has passed will the user have to re-authenticate themselves. Supporting this functionality is a set of session files (timestamps) for each user, stored in `/var/run/sudo-rs/ts`. These files are named according to the username from which the sudo attempt is made (the origin user). An issue was discovered in versions prior to 0.2.1 where usernames containing the `.` and `/` characters could result in the corruption of specific files on the filesystem. As usernames are generally not limited by the characters they can contain, a username appearing to be a relative path can be constructed. For example we could add a user to the system containing the username `../../../../bin/cp`. When logged in as a user with that name, that user could run `sudo -K` to clear their session record file. The session code then constructs the path to the session file by concatenating the username to the session file storage directory, resulting in a resolved path of `/bin/cp`. The code then clears that file, resulting in the `cp` binary effectively being removed from the system. An attacker needs to be able to login as a user with a constructed username. Given that such a username is unlikely to exist on an existing system, they will also need to be able to create the users with the constructed usernames. The issue is patched in version 0.2.1 of sudo-rs. Sudo-rs now uses the uid for the user instead of their username for determining the filename. Note that an upgrade to this version will result in existing session files being ignored and users will be forced to re-authenticate. It also fully eliminates any possibility of path traversal, given that uids are always integer values. The `sudo -K` and `sudo -k` commands can run, even if a user has no sudo access. As a workaround, make sure that one's system does not contain any users with a specially crafted username. While this is the case and while untrusted users do not have the ability to create arbitrary users on the system, one should not be able to exploit this issue.2023-09-218.1CVE-2023-42456
MISC
MISC
microsoft -- edge_chromiumMicrosoft Edge (Chromium-based) Elevation of Privilege Vulnerability2023-09-157.1CVE-2023-36562
MISC
mimsoftware -- assistantImproper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup. In order to take advantage of this vulnerability, an attacker must craft a malicious XML document, embed this document into specific 3rd party private RTst metadata tags, transfer the now compromised DICOM object to MIM, and force MIM to archive and load the data. Users on either version are strongly encouraged to update to an unaffected version (7.2.11+, 7.3.4+). This issue was found and analyzed by MIM Software's internal security team.  We are unaware of any proof of concept or actual exploit available in the wild. For more information, visit https://www.mimsoftware.com/cve-2023-3892 https://www.mimsoftware.com/cve-2023-3892 This issue affects MIM Assistant: 7.2.10, 7.3.3; MIM Client: 7.2.10, 7.3.3.2023-09-197.4CVE-2023-3892
MISC
minitool -- movie_makerMiniTool Shadow Maker version 4.1 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack.2023-09-198.1CVE-2023-38354
MISC
minitool -- movie_makerMiniTool Movie Maker 6.1.0 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack.2023-09-198.1CVE-2023-38355
MISC
minitool -- partition_wizardMiniTool Partition Wizard 12.8 contains an insecure installation mechanism that allows attackers to achieve remote code execution through a man in the middle attack.2023-09-198.1CVE-2023-38351
MISC
minitool -- partition_wizardMiniTool Partition Wizard 12.8 contains an insecure update mechanism that allows attackers to achieve remote code execution through a man in the middle attack.2023-09-198.1CVE-2023-38352
MISC
minitool -- power_data_recoveryMiniTool Power Data Recovery 11.6 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack.2023-09-198.1CVE-2023-38356
MISC
mitsubishi_electric -- gx_works3Incorrect Default Permissions vulnerability due to incomplete fix to address CVE-2020-14496 in Mitsubishi Electric Corporation FA engineering software products allows a malicious local attacker to execute a malicious code, which could result in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition. However, if the mitigated version described in the advisory for CVE-2020-14496 is used and installed in the default installation folder, this vulnerability does not affect the products.2023-09-207.8CVE-2023-4088
MISC
MISC
MISC
nagios -- nagios_xiA SQL injection vulnerability in Nagios XI v5.11.1 and below allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands via the ID parameter sent to the update_banner_message() function.2023-09-198.8CVE-2023-40933
MISC
MISC
MISC
nagios -- nagios_xiA SQL injection vulnerability in Nagios XI 5.11.1 and below allows authenticated attackers with privileges to manage host escalations in the Core Configuration Manager to execute arbitrary SQL commands via the host escalation notification settings.2023-09-197.2CVE-2023-40934
MISC
MISC
MISC
netatalk -- netatalkA Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. When parsing Spotlight RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the underlying protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a malicious actor may be able to fully control the value of the pointer and theoretically achieve Remote Code Execution on the host. This issue is similar to CVE-2023-34967.2023-09-209.8CVE-2023-42464
CONFIRM
MISC
MISC
DEBIAN
MLIST
netis-systems -- 360r_firmwareThere is an unauthorized access vulnerability in Netis 360RAC1200 v1.3.4517, which allows attackers to obtain sensitive information of the device without authentication, obtain user tokens, and ultimately log in to the device backend management.2023-09-209.8CVE-2023-43134
MISC
node.js -- node.jssysteminformation is a System Information Library for Node.JS. Versions 5.0.0 through 5.21.6 have a SSID Command Injection Vulnerability. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check or sanitize parameter strings that are passed to `wifiConnections()`, `wifiNetworks()` (string only).2023-09-219.8CVE-2023-42810
MISC
MISC
MISC
nozomi_networks -- cmcA Denial of Service (Dos) vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain fields used in the Asset Intelligence functionality of our IDS, allows an unauthenticated attacker to crash the IDS module by sending specially crafted malformed network packets. During the (limited) time window before the IDS module is automatically restarted, network traffic may not be analyzed.2023-09-197.5CVE-2023-32649
MISC
nozomi_networks -- cmcA SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain fields used in the Asset Intelligence functionality of our IDS, may allow an unauthenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application by sending specially crafted malicious network packets. Malicious users with extensive knowledge on the underlying system may be able to extract arbitrary information from the DBMS in an uncontrolled way, or to alter its structure and data.2023-09-197.4CVE-2023-29245
MISC
nvidia -- cumulus_linuxNVIDIA Cumulus Linux contains a vulnerability in forwarding where a VxLAN-encapsulated IPv6 packet received on an SVI interface with DMAC/DIPv6 set to the link-local address of the SVI interface may be incorrectly forwarded. A successful exploit may lead to information disclosure.2023-09-207.5CVE-2023-25525
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 baseboard management controller (BMC) contains a vulnerability in a web server plugin, where an unauthenticated attacker may cause a stack overflow by sending a specially crafted network packet. A successful exploit of this vulnerability may lead to arbitrary code execution, denial of service, information disclosure, and data tampering.2023-09-209.8CVE-2023-25528
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 BMC contains a vulnerability in the KVM service, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, and information disclosure.2023-09-209.8CVE-2023-25530
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 BMC contains a vulnerability in IPMI, where an attacker may cause insufficient protection of credentials. A successful exploit of this vulnerability may lead to code execution, denial of service, information disclosure, and escalation of privileges.2023-09-209.8CVE-2023-25531
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 BMC contains a vulnerability in the web UI, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to information disclosure, code execution, and escalation of privileges.2023-09-209.8CVE-2023-25533
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 BMC contains a vulnerability in IPMI, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.2023-09-209.8CVE-2023-25534
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 BMC contains a vulnerability in the REST service, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, and information disclosure.2023-09-209.8CVE-2023-31009
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 BMC contains a vulnerability in IPMI, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to escalation of privileges, information disclosure, and denial of service.2023-09-208.8CVE-2023-31010
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 BMC contains a vulnerability in the REST service where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to escalation of privileges and information disclosure.2023-09-208.8CVE-2023-31011
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 BMC contains a vulnerability in the REST service where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to escalation of privileges and information disclosure.2023-09-208.8CVE-2023-31012
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 BMC contains a vulnerability in the REST service, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to escalation of privileges and information disclosure.2023-09-208.8CVE-2023-31013
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 BMC contains a vulnerability in the host KVM daemon, where an unauthenticated attacker may cause a leak of another user's session token by observing timing discrepancies between server responses. A successful exploit of this vulnerability may lead to information disclosure, escalation of privileges, and data tampering.2023-09-208.1CVE-2023-25529
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 BMC contains a vulnerability in the host KVM daemon, where an authenticated local attacker may cause corruption of kernel memory. A successful exploit of this vulnerability may lead to arbitrary kernel code execution, denial of service, escalation of privileges, information disclosure, and data tampering.2023-09-207.8CVE-2023-25527
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 BMC contains a vulnerability in IPMI, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to code execution, denial of services, escalation of privileges, and information disclosure.2023-09-207.8CVE-2023-31008
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 BMC contains a vulnerability in the REST service where a host user may cause as improper authentication issue. A successful exploit of this vulnerability may lead to escalation of privileges, information disclosure, code execution, and denial of service.2023-09-207.8CVE-2023-31015
MISC
nvidia -- dgx_h100_firmwareNVIDIA DGX H100 BMC contains a vulnerability in IPMI, where an attacker may cause insufficient protection of credentials. A successful exploit of this vulnerability may lead to information disclosure.2023-09-207.5CVE-2023-25532
MISC
open_upload_stable -- open_upload_stableFile Upload vulnerability in Openupload Stable v.0.4.3 allows a remote attacker to execute arbitrary code via the action parameter of the compress-inc.php file.2023-09-208.8CVE-2023-36319
MISC
MISC
openprinting -- cupsDue to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.2023-09-217.8CVE-2023-4504
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
opensuse -- leapA Improper Link Resolution Before File Access ('Link Following') vulnerability in SUSE SUSE Linux Enterprise Desktop 15 SP5 postfix, SUSE SUSE Linux Enterprise High Performance Computing 15 SP5 postfix, SUSE openSUSE Leap 15.5 postfix.This issue affects SUSE Linux Enterprise Desktop 15 SP5: before 3.7.3-150500.3.5.1; SUSE Linux Enterprise High Performance Computing 15 SP5: before 3.7.3-150500.3.5.1; openSUSE Leap 15.5 : before 3.7.3-150500.3.5.1.2023-09-197.8CVE-2023-32182
MISC
opensuse -- welcomeA Insecure Storage of Sensitive Information vulnerability in openSUSE opensuse-welcome allows local attackers to execute code as the user that runs opensuse-welcome if a custom layout is chosen This issue affects opensuse-welcome: from 0.1 before 0.1.9+git.35.4b9444a.2023-09-197.8CVE-2023-32184
MISC
patreon -- flutter_downloaderA SQL injection in the flutter_downloader component through 1.11.1 for iOS allows remote attackers to steal session tokens and overwrite arbitrary files inside the app's container. The internal database of the framework is exposed to the local user if an app uses UIFileSharingEnabled and LSSupportsOpeningDocumentsInPlace properties. As a result, local users can obtain the same attack primitives as remote attackers by tampering with the internal database of the framework on the device.2023-09-199.1CVE-2023-41387
MISC
MISC
peppermint -- peppermintAn issue in PeppermintLabs Peppermint v.0.2.4 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the hardcoded session cookie.2023-09-188.8CVE-2023-42328
MISC
MISC
MISC
pgadmin -- pgadminA flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.2023-09-228.8CVE-2023-5002
MISC
MISC
phpjabbers -- php_shopping_cartPhpjabbers PHP Shopping Cart 4.2 is vulnerable to SQL Injection via the id parameter.2023-09-217.5CVE-2023-43274
MISC
phppgadmin -- phppgadminphpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untrusted data which may lead to remote code execution because user-controlled data is directly passed to the PHP 'unserialize()' function in multiple places. An example is the functionality to manage tables in 'tables.php' where the 'ma[]' POST parameter is deserialized.2023-09-209.8CVE-2023-40619
MISC
plesk -- pleskPlesk 17.0 through 18.0.31 version, is vulnerable to a Cross-Site Scripting. A malicious subscription owner (either a customer or an additional user), can fully compromise the server if an administrator visits a certain page in Plesk related to the malicious subscription.2023-09-209CVE-2023-0829
MISC
plone -- restplone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one's frontend web server (nginx, Apache).2023-09-217.5CVE-2023-42457
MISC
MISC
MISC
MISC
prestashop -- prestashopSQL injection vulnerability in PrestaShop opartsavecart through 2.0.7 allows remote attackers to run arbitrary SQL commands via OpartSaveCartDefaultModuleFrontController::initContent() and OpartSaveCartDefaultModuleFrontController::displayAjaxSendCartByEmail() methods.2023-09-209.8CVE-2023-34575
MISC
prestashop -- prestashopSQL injection vulnerability in updatepos.php in PrestaShop opartfaq through 1.0.3 allows remote attackers to run arbitrary SQL commands via unspedified vector.2023-09-219.8CVE-2023-34576
MISC
prestashop -- prestashopSQL injection vulnerability in Prestashop opartplannedpopup 1.4.11 and earlier allows remote attackers to run arbitrary SQL commands via OpartPlannedPopupModuleFrontController::prepareHook() method.2023-09-219.8CVE-2023-34577
MISC
prestashop -- prestashopSimpleImportProduct Prestashop Module v6.2.9 was discovered to contain a SQL injection vulnerability via the key parameter at send.php.2023-09-209.8CVE-2023-39675
MISC
MISC
prestashop -- prestashopMyPrestaModules Prestashop Module v6.2.9 and UpdateProducts Prestashop Module v3.6.9 were discovered to contain a PHPInfo information disclosure vulnerability via send.php.2023-09-207.5CVE-2023-39677
MISC
MISC
MISC
progress -- moveit_transferIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.2023-09-208.8CVE-2023-42660
MISC
MISC
progress -- moveit_transferIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A MOVEit system administrator could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.2023-09-207.2CVE-2023-40043
MISC
MISC
projectworlds -- asset_management_system_project_in_phpProjectworldsl Assets-management-system-in-php 1.0 is vulnerable to SQL Injection via the "id" parameter in delete.php.2023-09-229.8CVE-2023-43144
MISC
qnap -- multimedia_consoleA buffer copy without checking size of input vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote users to execute code via unspecified vectors. We have already fixed the vulnerability in the following versions: Multimedia Console 2.1.1 ( 2023/03/29 ) and later Multimedia Console 1.4.7 ( 2023/03/20 ) and later2023-09-229.8CVE-2023-23364
MISC
qnap -- qtsA buffer copy without checking size of input vulnerability has been reported to affect QNAP operating system. If exploited, the vulnerability possibly allows remote users to execute code via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 4.3.6.2441 build 20230621 and later QTS 4.3.3.2420 build 20230621 and later QTS 4.2.6 build 20230621 and later QTS 4.3.4.2451 build 20230621 and later2023-09-229.8CVE-2023-23363
MISC
qnap -- qutscloudAn OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability allows remote authenticated users to execute commands via susceptible QNAP devices. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later2023-09-228.8CVE-2023-23362
MISC
quarkus -- quarkusA flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.2023-09-208.1CVE-2023-4853
MISC
MISC
MISC
MISC
MISC
MISC
quinn -- quinnquinn-proto is a state machine for the QUIC transport protocol. Prior to versions 0.9.5 and 0.10.5, receiving unknown QUIC frames in a QUIC packet could result in a panic. The problem has been fixed in 0.9.5 and 0.10.5 maintenance releases.2023-09-217.5CVE-2023-42805
MISC
MISC
MISC
MISC
openstack_platform -- openstack_platformAn information leak was found in OpenStack's undercloud. This flaw allows unauthenticated, remote attackers to inspect sensitive data after discovering the IP address of the undercloud, possibly leading to compromising private information, including administrator access credentials.2023-09-207.5CVE-2022-3596
MISC
MISC
MISC
foreman -- foremanA command injection flaw was found in foreman. This flaw allows an authenticated user with admin privileges on the foreman instance to transpile commands through CoreOS and Fedora CoreOS configurations in templates, possibly resulting in arbitrary command execution on the underlying operating system.2023-09-229.1CVE-2022-3874
MISC
MISC
openshift -- openshiftA flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration.2023-09-229.8CVE-2022-4039
MISC
MISC
MISC
reportlab -- reportlabparaparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.2023-09-209.8CVE-2019-19450
MISC
MISC
rockwell_automation -- 1756-en2t_series_a_firmwareA buffer overflow vulnerability exists in the Rockwell Automation select 1756-EN* communication devices. If exploited, a threat actor could potentially leverage this vulnerability to perform a remote code execution. To exploit this vulnerability, a threat actor would have to send a maliciously crafted CIP request to device.2023-09-209.8CVE-2023-2262
MISC
samsung -- exynos_2200_firmwareSamsung Mobile Processor Exynos 2200 allows a GPU Use After Free.2023-09-217.5CVE-2023-42482
MISC
samsung -- memory_card_&_ufd_authenticationA DLL hijacking vulnerability in Samsung Memory Card & UFD Authentication Utility PC Software before 1.0.1 could allow a local attacker to escalate privileges. (An attacker must already have user privileges on Windows to exploit this vulnerability.)2023-09-187.3CVE-2023-41929
MISC
simplesamlphp -- saml2Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if they rely on any of these features in their authentication/authorization logic: the issuer of the generated identity and claims; or items in the stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible.2023-09-197.5CVE-2023-41890
MISC
MISC
MISC
snapview -- tungsteniteThe Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).2023-09-217.5CVE-2023-43669
MISC
MISC
MISC
CONFIRM
MISC
MISC
MISC
MISC
MISC
FEDORA
sourcecodester -- online_voting_systemSQL injection vulnerability in janobe Online Voting System v.1.0 allows a remote attacker to execute arbitrary code via the checklogin.php component.2023-09-239.8CVE-2023-43470
MISC
MISC
MISC
sourcecodester -- online_job_portalSQL injection vulnerability in janobe Online Job Portal v.2020 allows a remote attacker to execute arbitrary code via the login.php component.2023-09-239.8CVE-2023-43468
MISC
MISC
MISC
sourcecodester -- online_job_portalSQL injection vulnerability in janobe Online Job Portal v.2020 allows a remote attacker to execute arbitrary code via the ForPass.php component.2023-09-239.8CVE-2023-43469
MISC
MISC
MISC
spider-flow -- spider-flowA vulnerability was found in spider-flow up to 0.5.0. It has been declared as critical. Affected by this vulnerability is the function DriverManager.getConnection of the file src/main/java/org/spiderflow/controller/DataSourceController.java of the component API. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-239857 was assigned to this vulnerability.2023-09-179.8CVE-2023-5016
MISC
MISC
MISC
MISC
springernature -- mee-adminmee-admin 1.5 is vulnerable to Directory Traversal. The download method in the CommonFileController.java file does not verify the incoming data, resulting in arbitrary file reading.2023-09-217.5CVE-2023-42280
MISC
strapi -- strapiStrapi is an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.2023-09-159.8CVE-2023-38507
MISC
MISC
MISC
suse -- rancher_rke2An Allocation of Resources Without Limits or Throttling vulnerability in SUSE RKE2 allows attackers with access to K3s servers apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects RKE2: from 1.24.0 before 1.24.17+rke2r1, from v1.25.0 before v1.25.13+rke2r1, from v1.26.0 before v1.26.8+rke2r1, from v1.27.0 before v1.27.5+rke2r1, from v1.28.0 before v1.28.1+rke2r1.2023-09-197.5CVE-2023-32186
MISC
MISC
suse -- k3sAn Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers' apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.2023-09-187.5CVE-2023-32187
MISC
MISC
tdsql_chitu -- tdsql_chituAn issue in TDSQL Chitu management platform v.10.3.19.5.0 allows a remote attacker to obtain sensitive information via get_db_info function in install.php.2023-09-187.5CVE-2023-42387
MISC
MISC
technicolor -- tg670_firmwareTechnicolor TG670 10.5.N.9 devices contain multiple accounts with hard-coded passwords. One account has administrative privileges, allowing for unrestricted access over the WAN interface if Remote Administration is enabled.2023-09-197.2CVE-2023-31808
MISC
telstra -- arcadyan_lh1000_firmwarefake_upload.cgi on the Telstra Smart Modem Gen 2 (Arcadyan LH1000), firmware versions < 0.18.15r, allows unauthenticated attackers to upload firmware images and configuration backups, which could allow them to alter the firmware or the configuration on the device, ultimately leading to code execution as root. 2023-09-209.8CVE-2023-43478
MISC
telstra -- arcadyan_lh1000_firmwareThe ping_from parameter of ping_tracerte.cgi in the web UI of Telstra Smart Modem Gen 2 (Arcadyan LH1000), firmware versions < 0.18.15r, was not properly sanitized before being used in a system call, which could allow an authenticated attacker to achieve command injection as root on the device. 2023-09-208.8CVE-2023-43477
MISC
tenda -- ac10_firmwareBuffer Overflow vulnerability in Tenda AC10V4 v.US_AC10V4.0si_V16.03.10.13_cn_TDC01 allows a remote attacker to cause a denial of service via the mac parameter in the GetParentControlInfo function.2023-09-189.8CVE-2023-42320
MISC
tp-link -- tl-er5120g_firmwareThere is an unauthorized access vulnerability in TP-LINK ER5120G 4.0 2.0.0 Build 210817 Rel.80868n, which allows attackers to obtain sensitive information of the device without authentication, obtain user tokens, and ultimately log in to the device backend management.2023-09-209.8CVE-2023-43135
MISC
tp-link -- tl-er5120g_firmwareTPLINK TL-ER5120G 4.0 2.0.0 Build 210817 Rel.80868n has a command injection vulnerability, when an attacker adds ACL rules after authentication, and the rule name parameter has injection points.2023-09-208.8CVE-2023-43137
MISC
tp-link -- tl-er5120g_firmwareTPLINK TL-ER5120G 4.0 2.0.0 Build 210817 Rel.80868n has a command injection vulnerability, when an attacker adds NAPT rules after authentication, and the rule name has an injection point.2023-09-208.8CVE-2023-43138
MISC
trendmicro -- apex_oneA vulnerability in the 3rd party AV uninstaller module contained in Trend Micro Apex One (on-prem and SaaS), Worry-Free Business Security and Worry-Free Business Security Services could allow an attacker to manipulate the module to execute arbitrary commands on an affected installation. Note that an attacker must first obtain administrative console access on the target system in order to exploit this vulnerability.2023-09-197.2CVE-2023-41179
MISC
MISC
MISC
uniview -- ipc322lb-sf28-a_firmwareThe vulnerability exists in Uniview IP Camera due to identification and authentication failure at its web-based management interface. A remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable device. Successful exploitation of this vulnerability could allow the attacker to gain complete control of the targeted device.2023-09-199.8CVE-2023-0773
MISC
MISC
vyperlang -- vyperVyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In version 0.3.9 and prior, under certain conditions, the memory used by the builtins `raw_call`, `create_from_blueprint` and `create_copy_of` can be corrupted. For `raw_call`, the argument buffer of the call can be corrupted, leading to incorrect `calldata` in the sub-context. For `create_from_blueprint` and `create_copy_of`, the buffer for the to-be-deployed bytecode can be corrupted, leading to deploying incorrect bytecode. Each builtin has conditions that must be fulfilled for the corruption to happen. For `raw_call`, the `data` argument of the builtin must be `msg.data` and the `value` or `gas` passed to the builtin must be some complex expression that results in writing to the memory. For `create_copy_of`, the `value` or `salt` passed to the builtin must be some complex expression that results in writing to the memory. For `create_from_blueprint`, either no constructor parameters should be passed to the builtin or `raw_args` should be set to True, and the `value` or `salt` passed to the builtin must be some complex expression that results in writing to the memory. As of time of publication, no patched version exists. The issue is still being investigated, and there might be other cases where the corruption might happen. When the builtin is being called from an `internal` function `F`, the issue is not present provided that the function calling `F` wrote to memory before calling `F`. As a workaround, the complex expressions that are being passed as kwargs to the builtin should be cached in memory prior to the call to the builtin.2023-09-188.1CVE-2023-42443
MISC
MISC
whisperfish -- blurhash-rsblurhash-rs is a pure Rust implementation of blurhash, software for encoding images into ASCII strings that can be turned into a gradient of colors representing the original image. In version 0.1.1, the blurhash parsing code may panic due to multiple panic-guarded out-of-bounds accesses on untrusted input. In a typical deployment, this may get triggered by feeding a maliciously crafted blurhashes over the network. These may include UTF-8 compliant strings containing multi-byte UTF-8 characters. A patch is available in version 0.2.0, which requires user intervention because of slight API churn. No known workarounds are available.2023-09-197.5CVE-2023-42447
MISC
whisperfish -- phonenumberphonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds.2023-09-197.5CVE-2023-42444
MISC
MISC
MISC
windriver -- vxworksAn issue was discovered in Wind River VxWorks 6.9 and 7. The function ``tarExtract`` implements TAR file extraction and thereby also processes files within an archive that have relative or absolute file paths. A developer using the "tarExtract" function may expect that the function will strip leading slashes from absolute paths or stop processing when encountering relative paths that are outside of the extraction path, unless otherwise forced. This could lead to unexpected and undocumented behavior, which in general could result in a directory traversal, and associated unexpected behavior.2023-09-228.8CVE-2023-38346
MISC
MISC
MISC
withsecure -- client_securityCertain WithSecure products allow a remote crash of a scanning engine via unpacking of crafted data files. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.2023-09-187.5CVE-2023-42520
MISC
withsecure -- client_securityCertain WithSecure products allow a remote crash of a scanning engine via processing of a compressed file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.2023-09-187.5CVE-2023-42521
MISC
withsecure -- client_securityCertain WithSecure products allow a remote crash of a scanning engine via processing of an import struct in a PE file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.2023-09-187.5CVE-2023-42522
MISC
withsecure -- client_securityCertain WithSecure products allow a remote crash of a scanning engine via unpacking of a PE file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.2023-09-187.5CVE-2023-42523
MISC
withsecure -- client_securityCertain WithSecure products allow an infinite loop in a scanning engine via unspecified file types. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.2023-09-187.5CVE-2023-42524
MISC
withsecure -- client_securityCertain WithSecure products allow an infinite loop in a scanning engine via unspecified file types. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.2023-09-187.5CVE-2023-42525
MISC
withsecure -- client_securityCertain WithSecure products allow a remote crash of a scanning engine via decompression of crafted data files. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0, Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.2023-09-187.5CVE-2023-42526
MISC
withsecure -- f-secure_policy_managerCertain WithSecure products allow Unauthenticated Remote Code Execution via the web server (backend), issue 1 of 2. This affects WithSecure Policy Manager 15 and Policy Manager Proxy 15.2023-09-229.8CVE-2023-43762
MISC
MISC
withsecure -- f-secure_policy_managerCertain WithSecure products allow Unauthenticated Remote Code Execution via the web server (backend), issue 2 of 2. This affects WithSecure Policy Manager 15 on Windows and Linux.2023-09-229.8CVE-2023-43764
MISC
MISC
xen -- xenThe fix for XSA-423 added logic to Linux's netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately, the logic introduced there didn't account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area that's specially dealt with to keep all (possible) headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver.2023-09-227.8CVE-2023-34319
MISC
xui-xray -- xui-xrayAn issue in xui-xray v1.8.3 allows attackers to obtain sensitive information via default password.2023-09-187.5CVE-2023-41595
MISC
MISC
MISC
yii -- yiiweb\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter.2023-09-219.8CVE-2015-5467
MISC
MISC

Back to top

 

Medium Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
aes-gcm -- aes-gcmaes-gcm is a pure Rust implementation of the AES-GCM. Starting in version 0.10.0 and prior to version 0.10.3, in the AES GCM implementation of decrypt_in_place_detached, the decrypted ciphertext (i.e. the correct plaintext) is exposed even if tag verification fails. If a program using the `aes-gcm` crate's `decrypt_in_place*` APIs accesses the buffer after decryption failure, it will contain a decryption of an unauthenticated input. Depending on the specific nature of the program this may enable Chosen Ciphertext Attacks (CCAs) which can cause a catastrophic breakage of the cipher including full plaintext recovery. Version 0.10.3 contains a fix for this issue.2023-09-225.5CVE-2023-42811
MISC
MISC
ajino-shiretoko -- ajino-shiretokoAn information leak in ajino-Shiretoko Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.2023-09-206.5CVE-2023-39044
MISC
amd -- epyc_7003_firmwareImproper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access.2023-09-204.4CVE-2023-20594
MISC
amd -- ryzen_3_3100_firmwareImproper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access.2023-09-205.5CVE-2023-20597
MISC
apple -- multiple_productsA certificate validation issue was addressed. This issue is fixed in macOS Ventura 13.6, iOS 16.7 and iPadOS 16.7. A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.2023-09-215.5CVE-2023-41991
MISC
MISC
bytecodealliance -- wasmtimeWasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 to versions 10.02, 11.0.2, and 12.0.1 contain a miscompilation of the WebAssembly `i64x2.shr_s` instruction on x86_64 platforms when the shift amount is a constant value that is larger than 32. Only x86_64 is affected so all other targets are not affected by this. The miscompilation results in the instruction producing an incorrect result, namely the low 32-bits of the second lane of the vector are derived from the low 32-bits of the second lane of the input vector instead of the high 32-bits. The primary impact of this issue is that any WebAssembly program using the `i64x2.shr_s` with a constant shift amount larger than 32 may produce an incorrect result. This issue is not an escape from the WebAssembly sandbox. Execution of WebAssembly guest programs will still behave correctly with respect to memory sandboxing and isolation from the host. Wasmtime considers non-spec-compliant behavior as a security issue nonetheless. This issue was discovered through fuzzing of Wasmtime's code generator Cranelift. Wasmtime versions 10.0.2, 11.0.2, and 12.0.2 are all patched to no longer have this miscompilation. This issue only affects x86_64 hosts and the only workaround is to either scan for this pattern in wasm modules which is nontrivial or to disable the SIMD proposal for WebAssembly. Users prior to 10.0.0 are unaffected by this vulnerability.2023-09-155.3CVE-2023-41880
MISC
MISC
MISC
MISC
MISC
cadence -- cadenceCadence through 0.9.2 2023-08-21 uses an Insecure /tmp/.cadence-aloop-daemon.x Temporary File. The file is used even if it has been created by a local adversary before Cadence started. The adversary can then delete the file, disrupting Cadence.2023-09-225.5CVE-2023-43782
MISC
MISC
cisco -- jabberA vulnerability in the Extensible Messaging and Presence Protocol (XMPP) message processing feature of Cisco Jabber could allow an authenticated, remote attacker to manipulate the content of XMPP messages that are used by the affected application. This vulnerability is due to the improper handling of nested XMPP messages within requests that are sent to the Cisco Jabber client software. An attacker could exploit this vulnerability by connecting to an XMPP messaging server and sending crafted XMPP messages to an affected Jabber client. A successful exploit could allow the attacker to manipulate the content of XMPP messages, possibly allowing the attacker to cause the Jabber client application to perform unsafe actions.2023-09-154.3CVE-2022-20917
MISC
contao -- contaoContao 3.x before 3.5.32 allows XSS via the unsubscribe module in the frontend newsletter extension.2023-09-216.1CVE-2018-5478
MISC
MISC
croc -- crocAn issue was discovered in Croc through 9.6.5. A sender can cause a receiver to overwrite files during ZIP extraction.2023-09-205.5CVE-2023-43616
MISC
MISC
MLIST
croc -- crocAn issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name.2023-09-205.3CVE-2023-43617
MISC
MISC
MLIST
croc -- crocAn issue was discovered in Croc through 9.6.5. The protocol requires a sender to provide its local IP addresses in cleartext via an ips? message.2023-09-205.3CVE-2023-43618
MISC
MISC
MLIST
croc -- crocAn issue was discovered in Croc through 9.6.5. The shared secret, located on a command line, can be read by local users who list all processes and their arguments.2023-09-204.7CVE-2023-43621
MISC
MISC
MLIST
dataease -- dataeaseDataEase is an open source data visualization and analysis tool. Prior to version 1.18.11, DataEase has a vulnerability that allows an attacker to to obtain user cookies. The program only uses the `ImageIO.read()` method to determine whether the file is an image file or not. There is no whitelisting restriction on file suffixes. This allows the attacker to synthesize the attack code into an image for uploading and change the file extension to html. The attacker may steal user cookies by accessing links. The vulnerability has been fixed in v1.18.11. There are no known workarounds.2023-09-215.3CVE-2023-40183
MISC
MISC
MISC
dell -- secure_connect_gateway_policy_managerDell SCG Policy Manager 5.16.00.14 contains a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by performing MitM attacks and let attackers obtain sensitive information.2023-09-215.9CVE-2023-39252
MISC
digitaldruid -- hoteldruidA cross-site scripting (XSS) vulnerability in /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the nometipotariffa1 parameter.2023-09-205.4CVE-2023-43376
MISC
digitaldruid -- hoteldruidA cross-site scripting (XSS) vulnerability in /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the destinatario_email1 parameter.2023-09-205.4CVE-2023-43377
MISC
discourse -- discourseDiscourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious user could add a 2FA or security key with a carefully crafted name to their account and cause a denial of service for other users. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. There are no known workarounds.2023-09-156.5CVE-2023-40588
MISC
discourse -- discourseDiscourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, importing a remote theme loads their assets into memory without enforcing limits for file size or number of files. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. There are no known workarounds.2023-09-156.5CVE-2023-41042
MISC
discourse -- discourseDiscourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious admin could create extremely large icons sprites, which would then be cached in each server process. This may cause server processes to be killed and lead to downtime. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. This is only a concern for multisite installations. No action is required when the admins are trusted.2023-09-156.5CVE-2023-41043
MISC
earthgarden_waiting -- earthgarden_waitingAn information leak in Earthgarden_waiting 13.6.1 allows attackers to obtain the channel access token and send crafted messages.2023-09-206.5CVE-2023-39052
MISC
fl3xx_dispatch/fl3xx_crew -- fl3xx_dispatch/fl3xx_crewAn Indirect Object Reference (IDOR) in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to escalate privileges via the user parameter.2023-09-206.5CVE-2023-42334
MISC
frauscher_sensortechnik_gmbh -- fadc/fadciFrauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a SQL injection vulnerability via manipulated parameters of the web interface without authentication. The database contains limited, non-critical log information.2023-09-215.3CVE-2023-4292
MISC
freeswitch -- freeswitchFreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names. When a call in FreeSWITCH completes codec negotiation, the `codec_string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it. Version 1.10.10 contains a patch for this issue.2023-09-156.5CVE-2023-40019
MISC
MISC
fujitsu -- arconte_aureaReflected and persistent XSS vulnerability in Arconte Áurea, in its 1.5.0.0 version. The exploitation of this vulnerability could allow an attacker to inject malicious JavaScript code, compromise the victim's browser and take control of it, redirect the user to malicious domains or access information being viewed by the legitimate user.2023-09-196.1CVE-2023-4093
MISC
fujitsu -- arconte_aureaUser enumeration vulnerability in Arconte Áurea 1.5.0.0 version. The exploitation of this vulnerability could allow an attacker to obtain a list of registered users in the application, obtaining the necessary information to perform more complex attacks on the platform.2023-09-195.3CVE-2023-4095
MISC
galaxy -- galaxyGalaxy is an open-source platform for FAIR data analysis. Prior to version 22.05, Galaxy is vulnerable to server-side request forgery, which allows a malicious to issue arbitrary HTTP/HTTPS requests from the application server to internal hosts and read their responses. Version 22.05 contains a patch for this issue.2023-09-224.3CVE-2023-42812
MISC
MISC
github -- enterprise_serverAn incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To do so, an attacker would need write access to the repository. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.6.17, 3.7.15, 3.8.8, 3.9.3, and 3.10.1. This vulnerability was reported via the GitHub Bug Bounty program.2023-09-226.5CVE-2023-23766
MISC
MISC
MISC
MISC
MISC
gnome -- gnome-shellA vulnerability was found in GNOME Shell. GNOME Shell's lock screen allows an unauthenticated local user to view windows of the locked desktop session by using keyboard shortcuts to unlock the restricted functionality of the screenshot tool.2023-09-225.5CVE-2023-43090
MISC
MISC
MISC
MISC
gnu -- glibcA flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data and may cause a crash.2023-09-186.5CVE-2023-4527
MISC
MISC
MISC
gnu -- glibcA flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.2023-09-185.9CVE-2023-4806
MISC
MISC
graphql -- graphqlVersions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.2023-09-205.3CVE-2023-26144
MISC
MISC
MISC
MISC
MISC
hestiacp -- hestiacpCross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8.2023-09-206.1CVE-2023-5084
MISC
MISC
hydra -- hydraHydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, not signing and verifying `$\mathsf{cid}$` allows an attacker (which must be a participant of this head) to use a snapshot from an old head instance with the same participants to close the head or contest the state with it. This can lead to an incorrect distribution of value (= value extraction attack; hard, but possible) or prevent the head to finalize because the value available is not consistent with the closed utxo state (= denial of service; easy). A patch is planned for version 0.13.0. As a workaround, rotate keys between heads so not to re-use keys and not result in the same multi-signature participants.2023-09-216.5CVE-2023-42806
MISC
MISC
MISC
MISC
ibm -- robotic_process_automationIBM Robotic Process Automation 21.0.0 through 21.0.7.8 could disclose sensitive information from access to RPA scripts, workflows and related data. IBM X-Force ID: 261606.2023-09-205.3CVE-2023-38718
MISC
MISC
ibm -- storage_protectIBM Storage Protect 8.1.0.0 through 8.1.19.0 could allow a privileged user to obtain sensitive information from the administrative command line client. IBM X-Force ID: 263456.2023-09-204.4CVE-2023-40368
MISC
MISC
iobit -- malware_fighterAn issue was discovered in ImfHpRegFilter.sys in IOBit Malware Fighter version 8.0.2, allows local attackers to cause a denial of service (DoS).2023-09-205.5CVE-2020-24089
MISC
isl -- arp-guardA reflected cross-site scripting (XSS) vulnerability in the url_str URL parameter of ISL ARP Guard v4.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.2023-09-205.4CVE-2023-39575
MISC
ivanti -- endpoint_managerAn issue was discovered in Ivanti Endpoint Manager before 2022 SU4. A file disclosure vulnerability exists in the GetFileContents SOAP action exposed via /landesk/managementsuite/core/core.secure/OsdScript.asmx. The application does not sufficiently restrict user-supplied paths, allowing for an authenticated attacker to read arbitrary files from a remote system, including the private key used to authenticate to agents for remote access.2023-09-216.5CVE-2023-38344
MISC
MISC
jenkins -- jenkinsA missing permission check in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password.2023-09-206.5CVE-2023-43501
MISC
MISC
jenkins -- jenkinsJenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter.2023-09-205.4CVE-2023-43495
MISC
MISC
jenkins -- jenkinsJenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not escape Failure Cause names in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or update Failure Causes.2023-09-205.4CVE-2023-43499
MISC
MISC
jenkins -- jenkinsJenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.2023-09-204.3CVE-2023-43494
MISC
MISC
jenkins -- jenkinsA cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to delete Failure Causes.2023-09-204.3CVE-2023-43502
MISC
MISC
jetbrains -- teamcityIn JetBrains TeamCity before 2023.05.4 stored XSS was possible during nodes configuration2023-09-195.4CVE-2023-43566
MISC
keycloak -- keycloakA flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.2023-09-204.8CVE-2022-1438
MISC
MISC
MISC
MISC
MISC
MISC
MISC
kiali -- kialiA content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed.2023-09-234.3CVE-2022-3962
MISC
MISC
MISC
kokoroe_members_card_project -- kokoroe_members_cardAn information leak in kokoroe_members card Line 13.6.1 allows attackers to obtain the channel access token and send crafted messages.2023-09-206.5CVE-2023-39045
MISC
kukurudeli_project -- kukurudeliAn information leak in KUKURUDELI Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.2023-09-206.5CVE-2023-39041
MISC
linaro -- op-teeOP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.20 and prior to version 3.22, `shdr_verify_signature` can make a double free. `shdr_verify_signature` used to verify a TA binary before it is loaded. To verify a signature of it, allocate a memory for RSA key. The RSA key allocate function (`sw_crypto_acipher_alloc_rsa_public_key`) will try to allocate a memory (which is optee's heap memory). RSA key consists of exponent and modulus (represent as variable `e`, `n`) and its allocation is not atomic way, so it may succeed in `e` but fail in `n`. In this case sw_crypto_acipher_alloc_rsa_public_key` will free on `e` and return as it is failed but variable 'e' is remained as already freed memory address. `shdr_verify_signature` will free again that memory (which is `e`) even it is freed when it failed allocate RSA key. A patch is available in version 3.22. No known workarounds are available.2023-09-156.7CVE-2023-41325
MISC
MISC
mastodon -- mastodonMastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon's strict Content Security Policy, blocking inline scripts, etc. However a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the "Translate" button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue.2023-09-195.4CVE-2023-42452
MISC
MISC
minitool -- power_data_recoveryMiniTool Power Data Recovery version 11.6 and before contains an insecure in-app payment system that allows attackers to steal highly sensitive information through a man in the middle attack.2023-09-195.9CVE-2023-38353
MISC
php-login-system -- php-login-systemA reflected cross-site scripting (XSS) vulnerability in msaad1999's PHP-Login-System 2.0.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'validator' parameter in '/reset-password'.2023-09-206.1CVE-2023-38875
MISC
php-login-system -- php-login-systemA reflected cross-site scripting (XSS) vulnerability in msaad1999's PHP-Login-System 2.0.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'selector' parameter in '/reset-password'.2023-09-206.1CVE-2023-38876
MISC
nagios -- nagios_xiA SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php2023-09-196.5CVE-2023-40931
MISC
MISC
MISC
nagios -- nagios_xiA Cross-site scripting (XSS) vulnerability in Nagios XI version 5.11.1 and below allows authenticated attackers with access to the custom logo component to inject arbitrary javascript or HTML via the alt-text field. This affects all pages containing the navbar including the login page which means the attacker is able to to steal plaintext credentials.2023-09-195.4CVE-2023-40932
MISC
MISC
MISC
netbox -- netboxCross Site Scripting (XSS) vulnerability in Netbox 3.5.1, allows attackers to execute arbitrary code via Name field in device-roles/add function.2023-09-205.4CVE-2023-36234
MISC
nocodb -- nocodbImproper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.2023-09-216.5CVE-2023-5104
MISC
MISC
nozomi_networks -- cmcA SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain parameters used in the Query functionality, allows an authenticated attacker to execute arbitrary SQL queries on the DBMS used by the web application. Authenticated users can extract arbitrary information from the DBMS in an uncontrolled way.2023-09-196.5CVE-2023-2567
MISC
nqptp -- nqptpIn nqptp-message-handlers.c in nqptp before 1.2.3, crafted packets received on the control port could crash the program.2023-09-225.5CVE-2023-43771
MISC
MISC
MISC
nvidia -- cumulus_linuxNVIDIA Cumulus Linux contains a vulnerability in neighmgrd and nlmanager where an attacker on an adjacent network may cause an uncaught exception by injecting a crafted packet. A successful exploit may lead to denial of service.2023-09-206.5CVE-2023-25526
MISC
nvidia -- geforce_nowNVIDIA GeForce Now for Android contains a vulnerability in the game launcher component, where a malicious application on the same device can process the implicit intent meant for the streamer component. A successful exploit of this vulnerability may lead to limited information disclosure, denial of service, and code execution.2023-09-204.8CVE-2023-31014
MISC
openharmony -- openharmonyOpenHarmony v3.2.1 and prior version has a liteos-a kernel may crash caused by mqueue undetected entries vulnerability. Local attackers can crash liteos-a kernel by the error input 2023-09-215.5CVE-2023-4753
MISC
openknowledgemaps -- head_startA reflected cross-site scripting (XSS) vulnerability in OpenKnowledgeMaps Head Start versions 4, 5, 6, 7 as well as Visual Project Explorer 1.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'service' parameter in 'headstart_snapshot.php'.2023-09-206.1CVE-2023-40618
MISC
oracle -- apache_flink_stateful_functionsImproper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests. Attackers could potentially inject malicious content into the HTTP response that is sent to the user's browser. Users should upgrade to Apache Flink Stateful Functions version 3.3.0.2023-09-196.1CVE-2023-41834
MISC
MISC
oracle -- oracle_linux/oracle_vmIn the Unbreakable Enterprise Kernel (UEK), the RDS module in UEK has two setsockopt(2) options, RDS_CONN_RESET and RDS6_CONN_RESET, that are not re-entrant. A malicious local user with CAP_NET_ADMIN can use this to crash the kernel. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).2023-09-205.5CVE-2023-22024
MISC
papercut -- mobility_print_serverThe `PaperCutNG Mobility Print` version 1.0.3512 application allows an unauthenticated attacker to perform a CSRF attack on an instance administrator to configure the clients host (in the "configure printer discovery" section). This is possible because the application has no protections against CSRF attacks, like Anti-CSRF tokens, header origin validation, samesite cookies, etc.2023-09-206.5CVE-2023-2508
MISC
MISC
plone -- ploneplone.namedfile allows users to handle `File` and `Image` fields targeting, but not depending on, Plone Dexterity content. Prior to versions 5.6.1, 6.0.3, 6.1.3, and 6.2.1, there is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. Note that an image tag with an SVG image as source is not vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in versions 5.6.1 (for Plone 5.2), 6.0.3 (for Plone 6.0.0-6.0.4), 6.1.3 (for Plone 6.0.5-6.0.6), and 6.2.1 (for Plone 6.0.7). There are no known workarounds.2023-09-215.4CVE-2023-41048
MISC
MISC
MISC
MISC
MISC
MISC
MISC
pow -- powPow is an authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.2023-09-186.5CVE-2023-42446
MISC
MISC
prestashop -- prestashopM4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The "f" parameter is not properly checked in the resource /m4pdf/pdf.php, returning any file given its relative path. An attacker that exploits this vulnerability could download /etc/passwd from the server if the file exists.2023-09-206.5CVE-2022-45447
MISC
prestashop -- prestashopM4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource /m4pdf/pdf.php uses templates to dynamically create documents. In the case that the template does not exist, the application will return a fixed document with a message in mpdf format. An attacker could exploit this vulnerability by inputting a valid HTML/CSS document as the value of the parameter.2023-09-206.1CVE-2022-45448
MISC
progress -- moveit_transferIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a reflected cross-site scripting (XSS) vulnerability has been identified in MOVEit Transfer's web interface.  An attacker could craft a malicious payload targeting MOVEit Transfer users during the package composition procedure.  If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.2023-09-206.1CVE-2023-42656
MISC
MISC
qt -- qtAn issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.2023-09-185.5CVE-2023-43114
MISC
quboworld -- smart_plug_10a_firmwareAn issue was discovered in Qubo Smart Plug10A version HSP02_01_01_14_SYSTEM-10 A, allows local attackers to gain sensitive information and other unspecified impact via UART console.2023-09-165.5CVE-2023-36160
MISC
keycloak -- keycloakA flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.2023-09-206.8CVE-2022-3916
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
roundcube -- webmailRoundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.2023-09-226.1CVE-2023-43770
MISC
MISC
MLIST
skyworth -- skyworth_osSkyworth 3.0 OS is vulnerable to Directory Traversal.2023-09-206.8CVE-2023-40930
MISC
speciesfilegroup -- taxonworksTaxonWorks is a web-based workbench designed for taxonomists and biodiversity scientists. Prior to version 0.34.0, a SQL injection vulnerability was found in TaxonWorks that allows authenticated attackers to extract arbitrary data from the TaxonWorks database (including the users table). This issue may lead to information disclosure. Version 0.34.0 contains a fix for the issue.2023-09-226.5CVE-2023-43640
MISC
MISC
spring -- springA batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry.2023-09-204.3CVE-2023-34047
MISC
strapi -- strapiStrapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure that they can't be selected. This issue is fixed in version 4.11.7.2023-09-155.7CVE-2023-36472
MISC
MISC
student_management_system -- student_management_systemA reflected cross-site scripting (XSS) vulnerability in the Search Student function of Student Management System v1.2.3 and before allows attackers to execute arbitrary Javascript in the context of a victim user's browser via a crafted payload.2023-09-214.8CVE-2023-41616
MISC
summernote -- rich_text_editorCross Site Scripting vulnerability in Summernote Rich Text Editor v.0.8.18 and before allows a remote attacker to execute arbitrary code via a crafted script to the insert link function in the editor component.2023-09-185.4CVE-2023-42371
MISC
MISC
suse -- manager_serverAn Innsertion of Sensitive Information into Log File vulnerability in SUSE SUSE Manager Server Module 4.2 spacewalk-java, SUSE SUSE Manager Server Module 4.3 spacewalk-java causes sensitive information to be logged. This issue affects SUSE Manager Server Module 4.2: before 4.2.50-150300.3.66.5; SUSE Manager Server Module 4.3: before 4.3.58-150400.3.46.4.2023-09-205.5CVE-2023-22644
MISC
symantec -- identity_portalAn authenticated user can see and modify the value for 'next' query parameter in Symantec Identity Portal 14.42023-09-195.4CVE-2023-23957
MISC
the_b_members_card -- the_b_members_cardAn information leak in THE_B_members card v13.6.1 allows attackers to obtain the channel access token and send crafted messages.2023-09-186.5CVE-2023-39058
MISC
MISC
vyperlang -- vyperVyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Starting in version 0.2.9 and prior to version 0.3.10, locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime. This issue is fixed in version 0.3.10. As a workaround, ensure the lock name is a non-empty string.2023-09-185.3CVE-2023-42441
MISC
MISC
MISC
webmin -- webminThere is a stored cross-site scripting (XSS) vulnerability in Webmin 2.002 and below via the Cluster Cron Job tab Input field, which allows attackers to run malicious scripts by injecting a specially crafted payload.2023-09-214.8CVE-2023-43309
MISC
withsecure -- f-secure_policy_managerCertain WithSecure products allow XSS via an unvalidated parameter in the endpoint. This affects WithSecure Policy Manager 15 on Windows and Linux.2023-09-226.1CVE-2023-43763
MISC
MISC
wordpress -- wordpressThe Super Store Finder plugin for WordPress is vulnerable to unauthenticated arbitrary email creation and relay in versions up to, and including, 6.9.2. This is due to insufficient restrictions on the sendMail.php file that allows direct access. This makes it possible for unauthenticated attackers to send emails utilizing the vulnerable site's server, with arbitrary content. Please note that this vulnerability has already been publicly disclosed with an exploit which is why we are publishing the details without a patch available, we are attempting to initiate contact with the developer.2023-09-195.8CVE-2023-5054
MISC
MISC
wordpress -- wordpressThe Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mla_gallery' shortcode in versions up to, and including, 3.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2023-09-225.4CVE-2023-4716
MISC
MISC
MISC
MISC
MISC
MISC
wordpress -- wordpressThe WP-Matomo Integration (WP-Piwik) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp-piwik' shortcode in versions up to, and including, 1.0.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2023-09-225.4CVE-2023-4774
MISC
MISC
MISC
wordpress -- wordpressThe Contact Form by FormGet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'formget' shortcode in versions up to, and including, 5.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.2023-09-235.4CVE-2023-5125
MISC
MISC
wordpress -- wordpressThe Leyka WordPress plugin through 3.30.3 does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)2023-09-194.8CVE-2023-2995
MISC
wordpress -- wordpressThe Serial Codes Generator and Validator with WooCommerce Support WordPress plugin before 2.4.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)2023-09-194.8CVE-2023-4376
MISC
wordpress -- wordpressThe Easy Registration Forms for WordPress is vulnerable to Information Disclosure via the 'erforms_user_meta' shortcode in versions up to, and including, 2.1.1 due to insufficient controls on the information retrievable via the shortcode. This makes it possible for authenticated attackers, with subscriber-level capabilities or above, to retrieve arbitrary sensitive user meta.2023-09-234.3CVE-2023-5134
MISC
MISC
xdsoft -- jodit_editorCross Site Scripting vulnerability in xdsoft.net Jodit Editor v.4.0.0-beta.86 allows a remote attacker to obtain sensitive information via the rich text editor component.2023-09-196.1CVE-2023-42399
MISC
MISC
MISC
ykc -- tokushima_awayokochoAn information leak in YKC Tokushima_awayokocho Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.2023-09-186.5CVE-2023-39043
MISC
MISC
MISC
zoo_management_system -- zoo_management_systemA stored cross-site scripting (XSS) vulnerability in the Add Animal Details function of Zoo Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description of Animal parameter.2023-09-214.8CVE-2023-41614
MISC
zope -- zopeZope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default, only the Manager has this permission.2023-09-215.4CVE-2023-42458
MISC
MISC
MISC
MISC

Back to top

 

Low Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
There were no low vulnerabilities recorded this week.

Back to top

Please share your thoughts

We recently updated our anonymous product survey; we’d welcome your feedback.