Latest vulnerabilities of Thursday, November 2, 2023

Latest vulnerabilities of Thursday, November 2, 2023
https://www.securitricks.com/content/images/size/w600/format/webp/2023/12/VULNERABILITIES-REPORTS-LOGO.png
{{titre}}

Last update performed on 11/02/2023 at 11:57:01 PM

(38) CRITICAL VULNERABILITIES [9.0, 10.0]

Source : github.com

Vulnerability ID : CVE-2023-42802

First published on : 02-11-2023 14:15:11
Last modified on : 02-11-2023 14:26:34

Description :
GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PHP files can then be executed through a web server request. Version 10.0.10 fixes this issue. As a workaround, remove write access on `/ajax` and `/front` files to the web server.

CVE ID : CVE-2023-42802
Source : security-advisories@github.com
CVSS Score : 10.0

References :
https://github.com/glpi-project/glpi/releases/tag/10.0.10 | source : security-advisories@github.com
https://github.com/glpi-project/glpi/security/advisories/GHSA-rrh2-x4ch-pq3m | source : security-advisories@github.com

Vulnerability : CWE-20


Source : fluidattacks.com

Vulnerability ID : CVE-2023-45111

First published on : 02-11-2023 02:15:08
Last modified on : 02-11-2023 12:54:39

Description :
Online Examination System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'email' parameter of the feed.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45111
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/pires | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45112

First published on : 02-11-2023 02:15:08
Last modified on : 02-11-2023 12:54:36

Description :
Online Examination System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'feedback' parameter of the feed.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45112
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/pires | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45113

First published on : 02-11-2023 02:15:08
Last modified on : 02-11-2023 12:54:36

Description :
Online Examination System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'name' parameter of the feed.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45113
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/pires | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45114

First published on : 02-11-2023 02:15:08
Last modified on : 02-11-2023 12:54:36

Description :
Online Examination System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'subject' parameter of the feed.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45114
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/pires | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45012

First published on : 02-11-2023 03:15:09
Last modified on : 02-11-2023 12:54:36

Description :
Online Bus Booking System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'user_email' parameter of the bus_info.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45012
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/oconnor | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45013

First published on : 02-11-2023 03:15:09
Last modified on : 02-11-2023 12:54:36

Description :
Online Bus Booking System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'user_query' parameter of the bus_info.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45013
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/oconnor | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45014

First published on : 02-11-2023 03:15:09
Last modified on : 02-11-2023 12:54:36

Description :
Online Bus Booking System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'bus_id' parameter of the bus_info.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45014
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/oconnor | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45015

First published on : 02-11-2023 03:15:09
Last modified on : 02-11-2023 12:54:36

Description :
Online Bus Booking System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'date' parameter of the bus_info.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45015
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/oconnor | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45016

First published on : 02-11-2023 03:15:09
Last modified on : 02-11-2023 12:54:36

Description :
Online Bus Booking System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'source' parameter of the search.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45016
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/oconnor | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45017

First published on : 02-11-2023 03:15:09
Last modified on : 02-11-2023 12:54:36

Description :
Online Bus Booking System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'destination' parameter of the search.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45017
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/oconnor | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45018

First published on : 02-11-2023 03:15:10
Last modified on : 02-11-2023 12:54:30

Description :
Online Bus Booking System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'username' parameter of the includes/login.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45018
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/oconnor | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45019

First published on : 02-11-2023 03:15:10
Last modified on : 02-11-2023 12:54:30

Description :
Online Bus Booking System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'category' parameter of the category.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45019
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/oconnor | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45323

First published on : 02-11-2023 14:15:11
Last modified on : 02-11-2023 14:26:34

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'name' parameter of the routers/add-item.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45323
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45324

First published on : 02-11-2023 14:15:11
Last modified on : 02-11-2023 14:26:34

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'price' parameter of the routers/add-item.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45324
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45325

First published on : 02-11-2023 14:15:11
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'address' parameter of the routers/add-users.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45325
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45326

First published on : 02-11-2023 14:15:11
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'email' parameter of the routers/add-users.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45326
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45327

First published on : 02-11-2023 14:15:11
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'name' parameter of the routers/add-users.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45327
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45328

First published on : 02-11-2023 14:15:11
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'password' parameter of the routers/add-users.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45328
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45329

First published on : 02-11-2023 14:15:12
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'role' parameter of the routers/add-users.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45329
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45330

First published on : 02-11-2023 14:15:12
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'username' parameter of the routers/add-users.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45330
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45331

First published on : 02-11-2023 14:15:12
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'contact' parameter of the routers/add-users.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45331
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45332

First published on : 02-11-2023 14:15:12
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'deleted' parameter of the routers/add-users.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45332
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45333

First published on : 02-11-2023 14:15:12
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'verified' parameter of the routers/add-users.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45333
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45334

First published on : 02-11-2023 14:15:12
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'status' parameter of the routers/edit-orders.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45334
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45335

First published on : 02-11-2023 14:15:12
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'id' parameter of the routers/edit-orders.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45335
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45336

First published on : 02-11-2023 14:15:12
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'password' parameter of the routers/router.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45336
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45337

First published on : 02-11-2023 14:15:12
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'username' parameter of the routers/router.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45337
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45339

First published on : 02-11-2023 14:15:12
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'type' parameter of the routers/add-ticket.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45339
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45340

First published on : 02-11-2023 14:15:12
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'phone' parameter of the routers/details-router.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45340
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45341

First published on : 02-11-2023 14:15:12
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The '*_price' parameter of the routers/menu-router.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45341
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45342

First published on : 02-11-2023 14:15:12
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'phone' parameter of the routers/register-router.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45342
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45343

First published on : 02-11-2023 14:15:13
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'ticket_id' parameter of the routers/ticket-message.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45343
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45344

First published on : 02-11-2023 14:15:13
Last modified on : 02-11-2023 14:26:30

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The '*_balance' parameter of the routers/user-router.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45344
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45338

First published on : 02-11-2023 15:15:08
Last modified on : 02-11-2023 18:21:28

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'id' parameter of the routers/add-ticket.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45338
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45345

First published on : 02-11-2023 15:15:08
Last modified on : 02-11-2023 18:21:28

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The '*_deleted' parameter of the routers/user-router.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45345
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45346

First published on : 02-11-2023 15:15:08
Last modified on : 02-11-2023 18:21:28

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The '*_role' parameter of the routers/user-router.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45346
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-45347

First published on : 02-11-2023 15:15:08
Last modified on : 02-11-2023 18:21:28

Description :
Online Food Ordering System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The '*_verified' parameter of the routers/user-router.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-45347
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/hann | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


(11) HIGH VULNERABILITIES [7.0, 8.9]

Source : hq.dhs.gov

Vulnerability ID : CVE-2023-5846

First published on : 02-11-2023 17:15:11
Last modified on : 02-11-2023 18:21:28

Description :
Franklin Fueling System TS-550 versions prior to 1.9.23.8960 are vulnerable to attackers decoding admin credentials, resulting in unauthenticated access to the device.

CVE ID : CVE-2023-5846
Source : ics-cert@hq.dhs.gov
CVSS Score : 8.3

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-04 | source : ics-cert@hq.dhs.gov

Vulnerability : CWE-916


Source : redhat.com

Vulnerability ID : CVE-2023-5408

First published on : 02-11-2023 03:15:10
Last modified on : 02-11-2023 12:54:30

Description :
A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster.

CVE ID : CVE-2023-5408
Source : secalert@redhat.com
CVSS Score : 8.2

References :
https://access.redhat.com/errata/RHSA-2023:6130 | source : secalert@redhat.com
https://access.redhat.com/security/cve/CVE-2023-5408 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2242173 | source : secalert@redhat.com
https://github.com/openshift/kubernetes/pull/1736 | source : secalert@redhat.com


Source : nvidia.com

Vulnerability ID : CVE-2023-31027

First published on : 02-11-2023 19:15:41
Last modified on : 02-11-2023 19:15:41

Description :
NVIDIA GPU Display Driver for Windows contains a vulnerability that allows Windows users with low levels of privilege to escalate privileges when an administrator is updating GPU drivers, which may lead to escalation of privileges.

CVE ID : CVE-2023-31027
Source : psirt@nvidia.com
CVSS Score : 8.2

References :
https://nvidia.custhelp.com/app/answers/detail/a_id/5491 | source : psirt@nvidia.com

Vulnerability : CWE-427


Vulnerability ID : CVE-2023-31017

First published on : 02-11-2023 19:15:41
Last modified on : 02-11-2023 19:15:41

Description :
NVIDIA GPU Display Driver for Windows contains a vulnerability where an attacker may be able to write arbitrary data to privileged locations by using reparse points. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

CVE ID : CVE-2023-31017
Source : psirt@nvidia.com
CVSS Score : 7.8

References :
https://nvidia.custhelp.com/app/answers/detail/a_id/5491 | source : psirt@nvidia.com

Vulnerability : CWE-552


Vulnerability ID : CVE-2023-31019

First published on : 02-11-2023 19:15:41
Last modified on : 02-11-2023 19:15:41

Description :
NVIDIA GPU Display Driver for Windows contains a vulnerability in wksServicePlugin.dll, where the driver implementation does not restrict or incorrectly restricts access from the named pipe server to a connecting client, which may lead to potential impersonation to the client's secure context.

CVE ID : CVE-2023-31019
Source : psirt@nvidia.com
CVSS Score : 7.8

References :
https://nvidia.custhelp.com/app/answers/detail/a_id/5491 | source : psirt@nvidia.com

Vulnerability : CWE-284


Vulnerability ID : CVE-2023-31016

First published on : 02-11-2023 19:15:40
Last modified on : 02-11-2023 19:15:40

Description :
NVIDIA GPU Display Driver for Windows contains a vulnerability where an uncontrolled search path element may allow an attacker to execute arbitrary code, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

CVE ID : CVE-2023-31016
Source : psirt@nvidia.com
CVSS Score : 7.3

References :
https://nvidia.custhelp.com/app/answers/detail/a_id/5491 | source : psirt@nvidia.com

Vulnerability : CWE-427


Source : github.com

Vulnerability ID : CVE-2023-46725

First published on : 02-11-2023 15:15:08
Last modified on : 02-11-2023 18:21:28

Description :
FoodCoopShop is open source software for food coops and local shops. Versions prior to 3.6.1 are vulnerable to server-side request forgery. In the Network module, a manufacturer account can use the `/api/updateProducts.json` endpoint to make the server send a request to an arbitrary host. This means that the server can be used as a proxy into the internal network where the server is. Furthermore, the checks on a valid image are not adequate, leading to a time of check time of use issue. For example, by using a custom server that returns 200 on HEAD requests, then return a valid image on first GET request and then a 302 redirect to final target on second GET request, the server will copy whatever file is at the redirect destination, making this a full SSRF. Version 3.6.1 fixes this vulnerability.

CVE ID : CVE-2023-46725
Source : security-advisories@github.com
CVSS Score : 8.1

References :
https://github.com/foodcoopshop/foodcoopshop/commit/0d5bec5c4c22e1affe7fd321a30e3f3a4d99e808 | source : security-advisories@github.com
https://github.com/foodcoopshop/foodcoopshop/pull/972 | source : security-advisories@github.com
https://github.com/foodcoopshop/foodcoopshop/security/advisories/GHSA-jhww-fx2j-3rf7 | source : security-advisories@github.com
https://pastebin.com/8K5Brwbq | source : security-advisories@github.com

Vulnerability : CWE-918


Source : open-xchange.com

Vulnerability ID : CVE-2023-26452

First published on : 02-11-2023 14:15:10
Last modified on : 02-11-2023 14:26:34

Description :
Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user account. API requests are now properly checked for valid content and attempts to circumvent this check are being logged as error. No publicly available exploits are known.

CVE ID : CVE-2023-26452
Source : security@open-xchange.com
CVSS Score : 7.6

References :
https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0004.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf | source : security@open-xchange.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-26453

First published on : 02-11-2023 14:15:10
Last modified on : 02-11-2023 14:26:34

Description :
Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user account. API requests are now properly checked for valid content and attempts to circumvent this check are being logged as error. No publicly available exploits are known.

CVE ID : CVE-2023-26453
Source : security@open-xchange.com
CVSS Score : 7.6

References :
https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0004.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf | source : security@open-xchange.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-26454

First published on : 02-11-2023 14:15:10
Last modified on : 02-11-2023 14:26:34

Description :
Requests to fetch image metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user account. API requests are now properly checked for valid content and attempts to circumvent this check are being logged as error. No publicly available exploits are known.

CVE ID : CVE-2023-26454
Source : security@open-xchange.com
CVSS Score : 7.6

References :
https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0004.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf | source : security@open-xchange.com

Vulnerability : CWE-89


Source : wordfence.com

Vulnerability ID : CVE-2023-5860

First published on : 02-11-2023 12:15:09
Last modified on : 02-11-2023 12:54:30

Description :
The Icons Font Loader plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE ID : CVE-2023-5860
Source : security@wordfence.com
CVSS Score : 7.2

References :
https://plugins.trac.wordpress.org/changeset/2987296/icons-font-loader | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/12a9fbe8-445a-478a-b6ce-cd669ccb6a2d?source=cve | source : security@wordfence.com

Vulnerability : CWE-434


(34) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : emc.com

Vulnerability ID : CVE-2023-43076

First published on : 02-11-2023 11:15:14
Last modified on : 02-11-2023 12:54:30

Description :
Dell PowerScale OneFS 8.2.x,9.0.0.x-9.5.0.x contains a denial-of-service vulnerability. A low privilege remote attacker could potentially exploit this vulnerability to cause an out of memory (OOM) condition.

CVE ID : CVE-2023-43076
Source : security_alert@emc.com
CVSS Score : 6.5

References :
https://www.dell.com/support/kbdoc/en-us/000218934/powerscale-onefs-security-updates-for-multiple-security-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-401


Vulnerability ID : CVE-2023-43087

First published on : 02-11-2023 11:15:14
Last modified on : 02-11-2023 12:54:30

Description :
Dell PowerScale OneFS 8.2.x, 9.0.0.x-9.5.0.x contains an improper handling of insufficient permissions. A low privileged remote attacker could potentially exploit this vulnerability to cause information disclosure.

CVE ID : CVE-2023-43087
Source : security_alert@emc.com
CVSS Score : 4.3

References :
https://www.dell.com/support/kbdoc/en-us/000218934/powerscale-onefs-security-updates-for-multiple-security-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-280


Source : nvidia.com

Vulnerability ID : CVE-2023-31018

First published on : 02-11-2023 19:15:41
Last modified on : 02-11-2023 19:15:41

Description :
NVIDIA GPU Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause a NULL-pointer dereference, which may lead to denial of service.

CVE ID : CVE-2023-31018
Source : psirt@nvidia.com
CVSS Score : 6.5

References :
https://nvidia.custhelp.com/app/answers/detail/a_id/5491 | source : psirt@nvidia.com

Vulnerability : CWE-476


Vulnerability ID : CVE-2023-31020

First published on : 02-11-2023 19:15:41
Last modified on : 02-11-2023 19:15:41

Description :
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause improper access control, which may lead to denial of service or data tampering.

CVE ID : CVE-2023-31020
Source : psirt@nvidia.com
CVSS Score : 6.1

References :
https://nvidia.custhelp.com/app/answers/detail/a_id/5491 | source : psirt@nvidia.com

Vulnerability : CWE-284


Vulnerability ID : CVE-2023-31026

First published on : 02-11-2023 19:15:41
Last modified on : 02-11-2023 19:15:41

Description :
NVIDIA vGPU software for Windows and Linux contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where a NULL-pointer dereference may lead to denial of service.

CVE ID : CVE-2023-31026
Source : psirt@nvidia.com
CVSS Score : 6.0

References :
https://nvidia.custhelp.com/app/answers/detail/a_id/5491 | source : psirt@nvidia.com

Vulnerability : CWE-476


Vulnerability ID : CVE-2023-31021

First published on : 02-11-2023 19:15:41
Last modified on : 02-11-2023 19:15:41

Description :
NVIDIA vGPU software for Windows and Linux contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where a malicious user in the guest VM can cause a NULL-pointer dereference, which may lead to denial of service.

CVE ID : CVE-2023-31021
Source : psirt@nvidia.com
CVSS Score : 5.5

References :
https://nvidia.custhelp.com/app/answers/detail/a_id/5491 | source : psirt@nvidia.com

Vulnerability : CWE-476


Vulnerability ID : CVE-2023-31022

First published on : 02-11-2023 19:15:41
Last modified on : 02-11-2023 19:15:41

Description :
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a NULL-pointer dereference may lead to denial of service.

CVE ID : CVE-2023-31022
Source : psirt@nvidia.com
CVSS Score : 5.5

References :
https://nvidia.custhelp.com/app/answers/detail/a_id/5491 | source : psirt@nvidia.com

Vulnerability : CWE-476


Vulnerability ID : CVE-2023-31023

First published on : 02-11-2023 19:15:41
Last modified on : 02-11-2023 19:15:41

Description :
NVIDIA Display Driver for Windows contains a vulnerability where an attacker may cause a pointer dereference of an untrusted value, which may lead to denial of service.

CVE ID : CVE-2023-31023
Source : psirt@nvidia.com
CVSS Score : 5.5

References :
https://nvidia.custhelp.com/app/answers/detail/a_id/5491 | source : psirt@nvidia.com

Vulnerability : CWE-822


Source : vuldb.com

Vulnerability ID : CVE-2023-5918

First published on : 02-11-2023 12:15:09
Last modified on : 02-11-2023 12:54:30

Description :
A vulnerability, which was classified as critical, was found in SourceCodester Visitor Management System 1.0. Affected is an unknown function of the file manage_user.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-244308.

CVE ID : CVE-2023-5918
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/Castle1984/CveRecord/blob/main/Sql_apply.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.244308 | source : cna@vuldb.com
https://vuldb.com/?id.244308 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-5923

First published on : 02-11-2023 19:15:41
Last modified on : 02-11-2023 19:15:41

Description :
A vulnerability classified as critical has been found in Campcodes Simple Student Information System 1.0. This affects an unknown part of the file /admin/index.php. The manipulation of the argument id leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-244323.

CVE ID : CVE-2023-5923
Source : cna@vuldb.com
CVSS Score : 5.5

References :
https://github.com/E1CHO/cve_hub/blob/main/Simple%20Student%20Information%20System/Simple%20Student%20Information%20System%20-%20vuln%201.pdf | source : cna@vuldb.com
https://vuldb.com/?ctiid.244323 | source : cna@vuldb.com
https://vuldb.com/?id.244323 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-5924

First published on : 02-11-2023 19:15:41
Last modified on : 02-11-2023 19:15:41

Description :
A vulnerability classified as critical was found in Campcodes Simple Student Information System 1.0. This vulnerability affects unknown code of the file /admin/courses/view_course.php. The manipulation of the argument id leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-244324.

CVE ID : CVE-2023-5924
Source : cna@vuldb.com
CVSS Score : 5.5

References :
https://github.com/E1CHO/cve_hub/blob/main/Simple%20Student%20Information%20System/Simple%20Student%20Information%20System%20-%20vuln%202.pdf | source : cna@vuldb.com
https://vuldb.com/?ctiid.244324 | source : cna@vuldb.com
https://vuldb.com/?id.244324 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-5925

First published on : 02-11-2023 20:15:10
Last modified on : 02-11-2023 20:15:10

Description :
A vulnerability, which was classified as critical, has been found in Campcodes Simple Student Information System 1.0. This issue affects some unknown processing of the file /classes/Master.php. The manipulation of the argument f leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-244325 was assigned to this vulnerability.

CVE ID : CVE-2023-5925
Source : cna@vuldb.com
CVSS Score : 5.5

References :
https://github.com/E1CHO/cve_hub/blob/main/Simple%20Student%20Information%20System/Simple%20Student%20Information%20System%20-%20vuln%203.pdf | source : cna@vuldb.com
https://vuldb.com/?ctiid.244325 | source : cna@vuldb.com
https://vuldb.com/?id.244325 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-5926

First published on : 02-11-2023 20:15:10
Last modified on : 02-11-2023 20:15:10

Description :
A vulnerability, which was classified as critical, was found in Campcodes Simple Student Information System 1.0. Affected is an unknown function of the file /admin/students/update_status.php. The manipulation of the argument student_id leads to sql injection. The exploit has been disclosed to the public and may be used. VDB-244326 is the identifier assigned to this vulnerability.

CVE ID : CVE-2023-5926
Source : cna@vuldb.com
CVSS Score : 5.5

References :
https://github.com/E1CHO/cve_hub/blob/main/Simple%20Student%20Information%20System/Simple%20Student%20Information%20System%20-%20vuln%204.pdf | source : cna@vuldb.com
https://vuldb.com/?ctiid.244326 | source : cna@vuldb.com
https://vuldb.com/?id.244326 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-5927

First published on : 02-11-2023 20:15:10
Last modified on : 02-11-2023 20:15:10

Description :
A vulnerability has been found in Campcodes Simple Student Information System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/courses/manage_course.php. The manipulation of the argument id leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-244327.

CVE ID : CVE-2023-5927
Source : cna@vuldb.com
CVSS Score : 5.5

References :
https://github.com/E1CHO/cve_hub/blob/main/Simple%20Student%20Information%20System/Simple%20Student%20Information%20System%20-%20vuln%205.pdf | source : cna@vuldb.com
https://vuldb.com/?ctiid.244327 | source : cna@vuldb.com
https://vuldb.com/?id.244327 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-5928

First published on : 02-11-2023 20:15:10
Last modified on : 02-11-2023 20:15:10

Description :
A vulnerability was found in Campcodes Simple Student Information System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/departments/manage_department.php. The manipulation of the argument id leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-244328.

CVE ID : CVE-2023-5928
Source : cna@vuldb.com
CVSS Score : 5.5

References :
https://github.com/E1CHO/cve_hub/blob/main/Simple%20Student%20Information%20System/Simple%20Student%20Information%20System%20-%20vuln%206.pdf | source : cna@vuldb.com
https://vuldb.com/?ctiid.244328 | source : cna@vuldb.com
https://vuldb.com/?id.244328 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-5929

First published on : 02-11-2023 21:15:10
Last modified on : 02-11-2023 21:15:10

Description :
A vulnerability was found in Campcodes Simple Student Information System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/students/manage_academic.php. The manipulation of the argument id leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-244329 was assigned to this vulnerability.

CVE ID : CVE-2023-5929
Source : cna@vuldb.com
CVSS Score : 5.5

References :
https://github.com/E1CHO/cve_hub/blob/main/Simple%20Student%20Information%20System/Simple%20Student%20Information%20System%20-%20vuln%207.pdf | source : cna@vuldb.com
https://vuldb.com/?ctiid.244329 | source : cna@vuldb.com
https://vuldb.com/?id.244329 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-5919

First published on : 02-11-2023 14:15:13
Last modified on : 02-11-2023 14:26:30

Description :
A vulnerability was found in SourceCodester Company Website CMS 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /dashboard/createblog of the component Create Blog Page. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-244310 is the identifier assigned to this vulnerability.

CVE ID : CVE-2023-5919
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://vuldb.com/?ctiid.244310 | source : cna@vuldb.com
https://vuldb.com/?id.244310 | source : cna@vuldb.com
https://www.jianshu.com/p/a451953f36f1?v=1698808954608 | source : cna@vuldb.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-5916

First published on : 02-11-2023 11:15:14
Last modified on : 02-11-2023 12:54:30

Description :
A vulnerability classified as critical has been found in Lissy93 Dashy 2.1.1. This affects an unknown part of the file /config-manager/save of the component Configuration Handler. The manipulation of the argument config leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-244305 was assigned to this vulnerability.

CVE ID : CVE-2023-5916
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://github.com/Lissy93/dashy/issues/1336 | source : cna@vuldb.com
https://treasure-blarney-085.notion.site/Dashy-0dca8a0ebbd84f78ae6d03528ff1538c?pvs=4 | source : cna@vuldb.com
https://vuldb.com/?ctiid.244305 | source : cna@vuldb.com
https://vuldb.com/?id.244305 | source : cna@vuldb.com

Vulnerability : CWE-284


Source : redhat.com

Vulnerability ID : CVE-2023-38469

First published on : 02-11-2023 15:15:08
Last modified on : 02-11-2023 18:21:28

Description :
A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.

CVE ID : CVE-2023-38469
Source : secalert@redhat.com
CVSS Score : 6.2

References :
https://access.redhat.com/security/cve/CVE-2023-38469 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2191687 | source : secalert@redhat.com


Vulnerability ID : CVE-2023-38470

First published on : 02-11-2023 15:15:08
Last modified on : 02-11-2023 18:21:28

Description :
A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.

CVE ID : CVE-2023-38470
Source : secalert@redhat.com
CVSS Score : 6.2

References :
https://access.redhat.com/security/cve/CVE-2023-38470 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2191690 | source : secalert@redhat.com


Vulnerability ID : CVE-2023-38471

First published on : 02-11-2023 15:15:08
Last modified on : 02-11-2023 18:21:28

Description :
A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function.

CVE ID : CVE-2023-38471
Source : secalert@redhat.com
CVSS Score : 6.2

References :
https://access.redhat.com/security/cve/CVE-2023-38471 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2191691 | source : secalert@redhat.com


Vulnerability ID : CVE-2023-38472

First published on : 02-11-2023 15:15:08
Last modified on : 02-11-2023 18:21:28

Description :
A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function.

CVE ID : CVE-2023-38472
Source : secalert@redhat.com
CVSS Score : 6.2

References :
https://access.redhat.com/security/cve/CVE-2023-38472 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2191692 | source : secalert@redhat.com


Vulnerability ID : CVE-2022-4900

First published on : 02-11-2023 16:15:08
Last modified on : 02-11-2023 18:21:28

Description :
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.

CVE ID : CVE-2022-4900
Source : secalert@redhat.com
CVSS Score : 6.2

References :
https://access.redhat.com/security/cve/CVE-2022-4900 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2179880 | source : secalert@redhat.com


Vulnerability ID : CVE-2023-38473

First published on : 02-11-2023 16:15:08
Last modified on : 02-11-2023 18:21:28

Description :
A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function.

CVE ID : CVE-2023-38473
Source : secalert@redhat.com
CVSS Score : 6.2

References :
https://access.redhat.com/security/cve/CVE-2023-38473 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2191694 | source : secalert@redhat.com


Vulnerability ID : CVE-2023-3164

First published on : 02-11-2023 12:15:09
Last modified on : 02-11-2023 12:54:30

Description :
A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information.

CVE ID : CVE-2023-3164
Source : secalert@redhat.com
CVSS Score : 4.4

References :
https://access.redhat.com/security/cve/CVE-2023-4156 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2215930 | source : secalert@redhat.com


Source : open-xchange.com

Vulnerability ID : CVE-2023-29043

First published on : 02-11-2023 14:15:11
Last modified on : 02-11-2023 14:26:34

Description :
Presentations may contain references to images, which are user-controlled, and could include malicious script code that is being processed when editing a document. Script code embedded in malicious documents could be executed in the context of the user editing the document when performing certain actions, like copying content. The relevant attribute does now get encoded to avoid the possibility of executing script code. No publicly available exploits are known.

CVE ID : CVE-2023-29043
Source : security@open-xchange.com
CVSS Score : 6.1

References :
https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0004.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf | source : security@open-xchange.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-26455

First published on : 02-11-2023 14:15:10
Last modified on : 02-11-2023 14:26:34

Description :
RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items using RMI. RMI access is restricted to localhost by default. The interface has been updated to require authenticated requests. No publicly available exploits are known.

CVE ID : CVE-2023-26455
Source : security@open-xchange.com
CVSS Score : 5.6

References :
https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0004.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf | source : security@open-xchange.com

Vulnerability : CWE-287


Vulnerability ID : CVE-2023-26456

First published on : 02-11-2023 14:15:10
Last modified on : 02-11-2023 14:26:34

Description :
Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to trigger persistent code execution, allowing an attacker to build a foothold. Sanitization is in place for product names now. No publicly available exploits are known.

CVE ID : CVE-2023-26456
Source : security@open-xchange.com
CVSS Score : 5.4

References :
https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0004.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf | source : security@open-xchange.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-29044

First published on : 02-11-2023 14:15:11
Last modified on : 02-11-2023 14:26:34

Description :
Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating parties does now get escaped to avoid code execution. No publicly available exploits are known.

CVE ID : CVE-2023-29044
Source : security@open-xchange.com
CVSS Score : 5.4

References :
https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0004.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf | source : security@open-xchange.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-29045

First published on : 02-11-2023 14:15:11
Last modified on : 02-11-2023 14:26:34

Description :
Documents operations, in this case "drawing", could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating parties does now gets checked for validity to avoid code execution. No publicly available exploits are known.

CVE ID : CVE-2023-29045
Source : security@open-xchange.com
CVSS Score : 5.4

References :
https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0004.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf | source : security@open-xchange.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-29047

First published on : 02-11-2023 14:15:11
Last modified on : 02-11-2023 14:26:34

Description :
Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing to inject arbitrary SQL statements. An attacker with access to the adjacent network and potentially API credentials, could read and modify database content which is accessible to the imageconverter SQL user account. None No publicly available exploits are known.

CVE ID : CVE-2023-29047
Source : security@open-xchange.com
CVSS Score : 5.3

References :
https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0004.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf | source : security@open-xchange.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-29046

First published on : 02-11-2023 14:15:11
Last modified on : 02-11-2023 14:26:34

Description :
Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those connections were logged. Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an extended period of time. As a result users were able to trigger large amount of egress network connections, possibly exhausting network pool resources and lock up legitimate requests. A new mechanism has been introduced to cancel external connections that might access user-controlled endpoints. No publicly available exploits are known.

CVE ID : CVE-2023-29046
Source : security@open-xchange.com
CVSS Score : 4.3

References :
https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0004.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf | source : security@open-xchange.com

Vulnerability : CWE-400


Source : algosec.com

Vulnerability ID : CVE-2023-46595

First published on : 02-11-2023 08:15:08
Last modified on : 02-11-2023 12:54:30

Description :
Net-NTLM leak in Fireflow A32.20 and A32.50 allows an attacker to obtain victimโ€™s domain credentials and Net-NTLM hash which can lead to relay domain attacks.

CVE ID : CVE-2023-46595
Source : security.vulnerabilities@algosec.com
CVSS Score : 5.9

References :
https://cwe.mitre.org/data/definitions/79.html | source : security.vulnerabilities@algosec.com

Vulnerability : CWE-79


Source : wordfence.com

Vulnerability ID : CVE-2023-5606

First published on : 02-11-2023 09:15:08
Last modified on : 02-11-2023 12:54:30

Description :
The ChatBot for WordPress is vulnerable to Stored Cross-Site Scripting via the FAQ Builder in versions 4.8.6 through 4.9.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. NOTE: This vulnerability is a re-introduction of CVE-2023-4253.

CVE ID : CVE-2023-5606
Source : security@wordfence.com
CVSS Score : 4.4

References :
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2987335%40chatbot%2Ftrunk&old=2986133%40chatbot%2Ftrunk&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/fc305c48-8337-42b7-ad61-61aea8018def?source=cve | source : security@wordfence.com

Vulnerability : CWE-79


(8) LOW VULNERABILITIES [0.1, 3.9]

Source : mattermost.com

Vulnerability ID : CVE-2023-5875

First published on : 02-11-2023 09:15:08
Last modified on : 02-11-2023 12:54:30

Description :
Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowing media exploitation from a malicious mattermost server

CVE ID : CVE-2023-5875
Source : responsibledisclosure@mattermost.com
CVSS Score : 3.7

References :
https://mattermost.com/security-updates | source : responsibledisclosure@mattermost.com

Vulnerability : CWE-693


Vulnerability ID : CVE-2023-5876

First published on : 02-11-2023 09:15:08
Last modified on : 02-11-2023 12:54:30

Description :
Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enrolled server to mount a Denial Of Service.

CVE ID : CVE-2023-5876
Source : responsibledisclosure@mattermost.com
CVSS Score : 3.1

References :
https://mattermost.com/security-updates | source : responsibledisclosure@mattermost.com

Vulnerability : CWE-400


Vulnerability ID : CVE-2023-5920

First published on : 02-11-2023 09:15:08
Last modified on : 02-11-2023 12:54:30

Description :
Mattermost Desktop for MacOS fails to utilize the secure keyboard input functionality provided by macOS, allowing for other processes to read the keyboard input.

CVE ID : CVE-2023-5920
Source : responsibledisclosure@mattermost.com
CVSS Score : 2.9

References :
https://mattermost.com/security-updates | source : responsibledisclosure@mattermost.com

Vulnerability : CWE-200


Source : vuldb.com

Vulnerability ID : CVE-2023-5930

First published on : 02-11-2023 21:15:10
Last modified on : 02-11-2023 21:15:10

Description :
A vulnerability was found in Campcodes Simple Student Information System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/students/manage_academic.php. The manipulation of the argument student_id leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-244330 is the identifier assigned to this vulnerability.

CVE ID : CVE-2023-5930
Source : cna@vuldb.com
CVSS Score : 3.5

References :
https://github.com/E1CHO/cve_hub/blob/main/Simple%20Student%20Information%20System/Simple%20Student%20Information%20System%20-%20vuln%208.pdf | source : cna@vuldb.com
https://vuldb.com/?ctiid.244330 | source : cna@vuldb.com
https://vuldb.com/?id.244330 | source : cna@vuldb.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-5910

First published on : 02-11-2023 00:15:23
Last modified on : 02-11-2023 12:54:36

Description :
A vulnerability was found in PopojiCMS 2.0.1 and classified as problematic. This issue affects some unknown processing of the file install.php of the component Web Config. The manipulation of the argument Site Title with the input <script>alert(1)</script> leads to cross site scripting. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-244229 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2023-5910
Source : cna@vuldb.com
CVSS Score : 2.6

References :
https://github.com/hujiahua1997/popojicms2.0.1-Storage-xss-exists/blob/main/image-20231020213521150-16978089243571.png | source : cna@vuldb.com
https://github.com/hujiahua1997/popojicms2.0.1-Storage-xss-exists/blob/main/popojicms2.0.1-Storage-xss-exists.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.244229 | source : cna@vuldb.com
https://vuldb.com/?id.244229 | source : cna@vuldb.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-5917

First published on : 02-11-2023 11:15:14
Last modified on : 02-11-2023 12:54:30

Description :
A vulnerability, which was classified as problematic, has been found in phpBB up to 3.3.10. This issue affects the function main of the file phpBB/includes/acp/acp_icons.php of the component Smiley Pack Handler. The manipulation of the argument pak leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 3.3.11 is able to address this issue. The patch is named ccf6e6c255d38692d72fcb613b113e6eaa240aac. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-244307.

CVE ID : CVE-2023-5917
Source : cna@vuldb.com
CVSS Score : 2.4

References :
https://github.com/phpbb/phpbb/commit/ccf6e6c255d38692d72fcb613b113e6eaa240aac | source : cna@vuldb.com
https://github.com/phpbb/phpbb/releases/tag/release-3.3.11 | source : cna@vuldb.com
https://vuldb.com/?ctiid.244307 | source : cna@vuldb.com
https://vuldb.com/?id.244307 | source : cna@vuldb.com
https://www.phpbb.com/ | source : cna@vuldb.com
https://www.phpbb.com/community/viewtopic.php?t=2646991 | source : cna@vuldb.com

Vulnerability : CWE-79


Source : moxa.com

Vulnerability ID : CVE-2023-4217

First published on : 02-11-2023 17:15:11
Last modified on : 02-11-2023 18:21:28

Description :
A vulnerability has been identified in PT-G503 Series versions prior to v5.2, where the session cookies attribute is not set properly in the affected application. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.

CVE ID : CVE-2023-4217
Source : psirt@moxa.com
CVSS Score : 3.1

References :
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230203-pt-g503-series-multiple-vulnerabilities | source : psirt@moxa.com

Vulnerability : CWE-1004


Vulnerability ID : CVE-2023-5035

First published on : 02-11-2023 17:15:11
Last modified on : 02-11-2023 18:21:28

Description :
A vulnerability has been identified in PT-G503 Series firmware versions prior to v5.2, where the Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the cookie to be transmitted in plaintext over an HTTP session. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.

CVE ID : CVE-2023-5035
Source : psirt@moxa.com
CVSS Score : 3.1

References :
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230203-pt-g503-series-multiple-vulnerabilities | source : psirt@moxa.com

Vulnerability : CWE-614


(22) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : jpcert.or.jp

Vulnerability ID : CVE-2023-46327

First published on : 02-11-2023 03:15:10
Last modified on : 02-11-2023 12:54:30

Description :
Multiple MFPs (multifunction printers) provided by FUJIFILM Business Innovation Corp. and Xerox Corporation provide a facility to export the contents of their Address Book with encrypted form, but the encryption strength is insufficient. With the knowledge of the encryption process and the encryption key, the information such as the server credentials may be obtained from the exported Address Book data. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].

CVE ID : CVE-2023-46327
Source : vultures@jpcert.or.jp
CVSS Score : /

References :
https://jvn.jp/en/vu/JVNVU96482726/index.html | source : vultures@jpcert.or.jp
https://security.business.xerox.com/en-us/documents/bulletins/ | source : vultures@jpcert.or.jp
https://www.fujifilm.com/fbglobal/eng/company/news/notice/2023/1031_addressbook_announce.html | source : vultures@jpcert.or.jp


Source : mitre.org

Vulnerability ID : CVE-2023-46695

First published on : 02-11-2023 06:15:08
Last modified on : 02-11-2023 12:54:30

Description :
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

CVE ID : CVE-2023-46695
Source : cve@mitre.org
CVSS Score : /

References :
https://docs.djangoproject.com/en/4.2/releases/security/ | source : cve@mitre.org
https://groups.google.com/forum/#!forum/django-announce | source : cve@mitre.org
https://www.djangoproject.com/weblog/2023/nov/01/security-releases/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-47204

First published on : 02-11-2023 06:15:08
Last modified on : 02-11-2023 12:54:30

Description :
Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code.

CVE ID : CVE-2023-47204
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/toumorokoshi/transmute-core/pull/58 | source : cve@mitre.org
https://github.com/toumorokoshi/transmute-core/releases/tag/v1.13.5 | source : cve@mitre.org


Vulnerability ID : CVE-2023-43193

First published on : 02-11-2023 12:15:09
Last modified on : 02-11-2023 12:54:30

Description :
Submitty before v22.06.00 is vulnerable to Cross Site Scripting (XSS). An attacker can create a malicious link in the forum that leads to XSS.

CVE ID : CVE-2023-43193
Source : cve@mitre.org
CVSS Score : /

References :
https://fuchai.net/cve/CVE-2023-43193 | source : cve@mitre.org
https://github.com/Submitty/Submitty/pull/8032 | source : cve@mitre.org


Vulnerability ID : CVE-2023-43336

First published on : 02-11-2023 12:15:09
Last modified on : 02-11-2023 12:54:30

Description :
Sangoma Technologies FreePBX before cdr 15.0.18, 16.0.40, 15.0.16, and 16.0.17 was discovered to contain an access control issue via a modified parameter value, e.g., changing extension=self to extension=101.

CVE ID : CVE-2023-43336
Source : cve@mitre.org
CVSS Score : /

References :
http://freepbx.com | source : cve@mitre.org
http://sangoma.com | source : cve@mitre.org
https://medium.com/@janirudransh/security-disclosure-of-vulnerability-cve-2023-23336-4429d416f826 | source : cve@mitre.org


Vulnerability ID : CVE-2023-46475

First published on : 02-11-2023 13:15:08
Last modified on : 02-11-2023 14:26:34

Description :
A Stored Cross-Site Scripting vulnerability was discovered in ZenTao 18.3 where a user can create a project, and in the name field of the project, they can inject malicious JavaScript code.

CVE ID : CVE-2023-46475
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/easysoft/zentaopms | source : cve@mitre.org
https://github.com/elementalSec/CVE-Disclosures/blob/main/ZentaoPMS/CVE-2023-46475/CVE-2023-46475%20-%20Cross-Site%20Scripting%20(Stored).md | source : cve@mitre.org


Vulnerability ID : CVE-2023-46925

First published on : 02-11-2023 17:15:11
Last modified on : 02-11-2023 18:21:28

Description :
Reportico 7.1.21 is vulnerable to Cross Site Scripting (XSS).

CVE ID : CVE-2023-46925
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/reportico-web/reportico/issues/47 | source : cve@mitre.org


Vulnerability ID : CVE-2023-39284

First published on : 02-11-2023 21:15:09
Last modified on : 02-11-2023 21:15:09

Description :
An issue was discovered in IhisiServicesSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. There are arbitrary calls to SetVariable with unsanitized arguments in the SMI handler.

CVE ID : CVE-2023-39284
Source : cve@mitre.org
CVSS Score : /

References :
https://www.insyde.com/security-pledge | source : cve@mitre.org
https://www.insyde.com/security-pledge/SA-2023056 | source : cve@mitre.org


Vulnerability ID : CVE-2023-31579

First published on : 02-11-2023 22:15:08
Last modified on : 02-11-2023 22:15:08

Description :
Dromara Lamp-Cloud before v3.8.1 was discovered to use a hardcoded cryptographic key when creating and verifying a Json Web Token. This vulnerability allows attackers to authenticate to the application via a crafted JWT token.

CVE ID : CVE-2023-31579
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/dromara/lamp-cloud/issues/183 | source : cve@mitre.org
https://github.com/xubowenW/JWTissues/blob/main/lamp%20issue.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-39042

First published on : 02-11-2023 22:15:08
Last modified on : 02-11-2023 22:15:08

Description :
An information leak in Gyouza-newhushimi v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE ID : CVE-2023-39042
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/CVE-2023-39042.md | source : cve@mitre.org
https://liff.line.me/1660693321-VmNyyXqO | source : cve@mitre.org


Vulnerability ID : CVE-2023-39047

First published on : 02-11-2023 22:15:08
Last modified on : 02-11-2023 22:15:08

Description :
An information leak in shouzu sweets oz v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE ID : CVE-2023-39047
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/CVE-2023-39047.md | source : cve@mitre.org
https://liff.line.me/1657207159-oGgKdNNW | source : cve@mitre.org


Vulnerability ID : CVE-2023-39048

First published on : 02-11-2023 22:15:08
Last modified on : 02-11-2023 22:15:08

Description :
An information leak in Tokudaya.honten v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE ID : CVE-2023-39048
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/CVE-2023-39048.md | source : cve@mitre.org
https://liff.line.me/1660822133-g5YonEZK | source : cve@mitre.org


Vulnerability ID : CVE-2023-39050

First published on : 02-11-2023 22:15:08
Last modified on : 02-11-2023 22:15:08

Description :
An information leak in Daiky-value.Fukueten v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE ID : CVE-2023-39050
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/CVE-2023-39050.md | source : cve@mitre.org
https://liff.line.me/1657264266-MPKmV0nq | source : cve@mitre.org


Vulnerability ID : CVE-2023-39051

First published on : 02-11-2023 22:15:08
Last modified on : 02-11-2023 22:15:08

Description :
An information leak in VISION MEAT WORKS Track Diner 10/10mbl v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE ID : CVE-2023-39051
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/CVE-2023-39051.md | source : cve@mitre.org
https://liff.line.me/1660679085-jy2OO7WE | source : cve@mitre.org


Vulnerability ID : CVE-2023-39053

First published on : 02-11-2023 22:15:08
Last modified on : 02-11-2023 22:15:08

Description :
An information leak in Hattoriya v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE ID : CVE-2023-39053
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/CVE-2023-39053.md | source : cve@mitre.org
https://liff.line.me/1657507029-eDjDJQ68 | source : cve@mitre.org


Vulnerability ID : CVE-2023-39054

First published on : 02-11-2023 22:15:08
Last modified on : 02-11-2023 22:15:08

Description :
An information leak in Tokudaya.ekimae_mc v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE ID : CVE-2023-39054
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/CVE-2023-39054.md | source : cve@mitre.org
https://liff.line.me/1660822001-2aM5Rl7Q | source : cve@mitre.org


Vulnerability ID : CVE-2023-39057

First published on : 02-11-2023 22:15:09
Last modified on : 02-11-2023 22:15:09

Description :
An information leak in hirochanKAKIwaiting v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE ID : CVE-2023-39057
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/syz913/CVE-reports/blob/main/CVE-2023-39057.md | source : cve@mitre.org
https://liff.line.me/1657563463-WZNjNErk | source : cve@mitre.org


Vulnerability ID : CVE-2023-39283

First published on : 02-11-2023 22:15:09
Last modified on : 02-11-2023 22:15:09

Description :
An SMM memory corruption vulnerability in the SMM driver (SMRAM write) in CsmInt10HookSmm in Insyde InsydeH2O with kernel 5.0 through 5.5 allows attackers to send arbitrary data to SMM which could lead to privilege escalation.

CVE ID : CVE-2023-39283
Source : cve@mitre.org
CVSS Score : /

References :
https://www.insyde.com/security-pledge | source : cve@mitre.org
https://www.insyde.com/security-pledge/SA-2023055 | source : cve@mitre.org


Vulnerability ID : CVE-2023-42299

First published on : 02-11-2023 22:15:09
Last modified on : 02-11-2023 22:15:09

Description :
Buffer Overflow vulnerability in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_subimage_data function.

CVE ID : CVE-2023-42299
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/OpenImageIO/oiio/issues/3840 | source : cve@mitre.org


Vulnerability ID : CVE-2023-43194

First published on : 02-11-2023 22:15:09
Last modified on : 02-11-2023 22:15:09

Description :
Submitty before v22.06.00 is vulnerable to Incorrect Access Control. An attacker can delete any post in the forum by modifying request parameter.

CVE ID : CVE-2023-43194
Source : cve@mitre.org
CVSS Score : /

References :
https://fuchai.net/cve/CVE-2023-43194 | source : cve@mitre.org
https://github.com/Submitty/Submitty/pull/8032 | source : cve@mitre.org


Vulnerability ID : CVE-2023-46352

First published on : 02-11-2023 22:15:09
Last modified on : 02-11-2023 22:15:09

Description :
In the module "Pixel Plus: Events + CAPI + Pixel Catalog for Facebook Module" (facebookconversiontrackingplus) up to version 2.4.9 from Smart Modules for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can access exports from the module which can lead to a leak of personal information from ps_customer table such as name / surname / email.

CVE ID : CVE-2023-46352
Source : cve@mitre.org
CVSS Score : /

References :
https://addons.prestashop.com/en/analytics-statistics/18739-pixel-plus-events-capi-pixel-catalog-for-facebook.html | source : cve@mitre.org
https://security.friendsofpresta.org/modules/2023/10/31/facebookconversiontrackingplus.html | source : cve@mitre.org


Vulnerability ID : CVE-2023-46958

First published on : 02-11-2023 22:15:09
Last modified on : 02-11-2023 22:15:09

Description :
An issue in lmxcms v.1.41 allows a remote attacker to execute arbitrary code via a crafted script to the admin.php file.

CVE ID : CVE-2023-46958
Source : cve@mitre.org
CVSS Score : /

References :
http://lmxcms.com | source : cve@mitre.org
http://www.lmxcms.com/ | source : cve@mitre.org
https://gist.github.com/durian5201314/6507d1057c62f4bf93e740a631617434 | source : cve@mitre.org


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports

Securitricks

Great! Youโ€™ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to Securitricks.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.