Latest vulnerabilities of Thursday, September 21, 2023


Last update performed on 09/21/2023 at 11:58:02 PM

(5) CRITICAL VULNERABILITIES [9.0, 10.0]

Source : cert.vde.com

Vulnerability ID : CVE-2023-4291

First published on : 21-09-2023 07:15:18
Last modified on : 21-09-2023 12:04:56

Description :
Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a remote code execution (RCE) vulnerability via manipulated parameters of the web interface without authentication. This could lead to a full compromise of the FDS101 device.

CVE ID : CVE-2023-4291
Source : info@cert.vde.com
CVSS Score : 9.8

References :
https://cert.vde.com/en/advisories/VDE-2023-038 | source : info@cert.vde.com

Vulnerability : CWE-94


Source : mitre.org

Vulnerability ID : CVE-2023-34577

First published on : 21-09-2023 17:15:16
Last modified on : 21-09-2023 17:15:16

Description :
SQL injection vulnerability in Prestashop opartplannedpopup 1.4.11 and earlier allows remote attackers to run arbitrary SQL commands via OpartPlannedPopupModuleFrontController::prepareHook() method.

CVE ID : CVE-2023-34577
Source : cve@mitre.org
CVSS Score : 9.8

References :
https://security.friendsofpresta.org/modules/2023/09/19/opartplannedpopup.html | source : cve@mitre.org


Vulnerability ID : CVE-2023-34576

First published on : 21-09-2023 20:15:10
Last modified on : 21-09-2023 20:15:10

Description :
SQL injection vulnerability in updatepos.php in PrestaShop opartfaq through 1.0.3 allows remote attackers to run arbitrary SQL commands via an unspecified vector.

CVE ID : CVE-2023-34576
Source : cve@mitre.org
CVSS Score : 9.8

References :
https://security.friendsofpresta.org/modules/2023/09/19/opartfaq.html | source : cve@mitre.org


Source : github.com

Vulnerability ID : CVE-2023-42810

First published on : 21-09-2023 18:15:12
Last modified on : 21-09-2023 18:15:12

Description :
systeminformation is a System Information Library for Node.JS. Versions 5.0.0 through 5.21.6 have an SSID Command Injection Vulnerability. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check or sanitize parameter strings that are passed to `wifiConnections()` and `wifiNetworks()` (string only).

CVE ID : CVE-2023-42810
Source : security-advisories@github.com
CVSS Score : 9.8

References :
https://github.com/sebhildebrandt/systeminformation/commit/7972565812ccb2a610a22911c54c3446f4171392 | source : security-advisories@github.com
https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-gx6r-qc2v-3p3v | source : security-advisories@github.com
https://systeminformation.io/security.html | source : security-advisories@github.com

Vulnerability : CWE-77


Source : asrg.io

Vulnerability ID : CVE-2023-43632

First published on : 21-09-2023 14:15:11
Last modified on : 21-09-2023 16:08:49

Description :
As noted in the “VTPM.md” file in the eve documentation, “VTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options.” The communication with this server is done using protobuf, and the data is comprised of 2 parts:
1. Header
2. Data
When a connection is made, the server waits for 4 bytes of data, which will be the header, and these 4 bytes are parsed as the uint32 size of the actual data to come. Then, in the function “handleRequest”, this size is used to allocate a payload on the stack for the incoming data. As this payload is allocated on the stack, this allows overflowing the stack size allocated for the relevant process with freely controlled data.
* An attacker can crash the system.
* An attacker can gain control over the system, specifically over the “vtpm_server” process, which has very high privileges.

CVE ID : CVE-2023-43632
Source : cve@asrg.io
CVSS Score : 9.0

References :
https://asrg.io/security-advisories/freely-allocate-buffer-on-the-stack-with-data-from-socket/ | source : cve@asrg.io

Vulnerability : CWE-789


(9) HIGH VULNERABILITIES [7.0, 8.9]

Source : asrg.io

Vulnerability ID : CVE-2023-43631

First published on : 21-09-2023 14:15:10
Last modified on : 21-09-2023 16:08:49

Description :
On boot, the Pillar eve container checks for the existence and content of “/config/authorized_keys”. If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root login. An attacker could easily add their own keys and gain full control over the system without triggering the “measured boot” mechanism implemented by EVE OS, and without marking the device as “UUD” (“Unknown Update Detected”). This is because the “/config” partition is not protected by “measured boot”, it is mutable, and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thus not triggering the “measured boot” mechanism, and having full access to the vault.
Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13:
• aa3501d6c57206ced222c33aea15a9169d629141
• 5fef4d92e75838cc78010edaed5247dfbdae1889
This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.

CVE ID : CVE-2023-43631
Source : cve@asrg.io
CVSS Score : 8.8

References :
https://asrg.io/security-advisories/ssh-as-root-unlockable-without-triggering-measured-boot/ | source : cve@asrg.io

Vulnerability : CWE-522
Vulnerability : CWE-922


Vulnerability ID : CVE-2023-43633

First published on : 21-09-2023 14:15:11
Last modified on : 21-09-2023 16:08:49

Description :
On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system’s configuration, which also includes some debug functions. This could be used to unlock the ssh with custom “authorized_keys” via the “debug.enable.ssh” key, similar to the “authorized_keys” finding that was noted before. Other usages include unlocking the usb to enable the keyboard via the “debug.enable.usb” key, allowing VNC access via the “app.allow.vnc” key, and more. An attacker could easily enable these debug functionalities without triggering the “measured boot” mechanism implemented by EVE OS, and without marking the device as “UUD” (“Unknown Update Detected”). This is because the “/config” partition is not protected by “measured boot”, it is mutable and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thereby not triggering the “measured boot” mechanism, and having full access to the vault.
Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13:
• aa3501d6c57206ced222c33aea15a9169d629141
• 5fef4d92e75838cc78010edaed5247dfbdae1889
This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.

CVE ID : CVE-2023-43633
Source : cve@asrg.io
CVSS Score : 8.8

References :
https://asrg.io/security-advisories/debug-functions-unlockable-without-triggering-measured-boot/ | source : cve@asrg.io

Vulnerability : CWE-522
Vulnerability : CWE-922


Vulnerability ID : CVE-2023-43634

First published on : 21-09-2023 14:15:11
Last modified on : 21-09-2023 16:08:49

Description :
When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was mapped to PCR 13. In that process, PCR 13 was added to the list of PCRs that seal/unseal the key. In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of PCRs that seal/unseal the key. This change makes the measurement of PCR 14 effectively redundant, as it would not affect the sealing/unsealing of the key. An attacker could modify the config partition without triggering the measured boot; this could result in the attacker gaining full control over the device with full access to the contents of the encrypted “vault”.

CVE ID : CVE-2023-43634
Source : cve@asrg.io
CVSS Score : 8.8

References :
https://asrg.io/security-advisories/config-partition-not-protected-by-measured-boot/ | source : cve@asrg.io

Vulnerability : CWE-522
Vulnerability : CWE-922


Vulnerability ID : CVE-2023-43637

First published on : 21-09-2023 14:15:11
Last modified on : 21-09-2023 16:08:49

Description :
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32-byte randomly generated key with this key (by taking 16 bytes from each, see "mergeKeys"). This makes the key a lot weaker. This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32-byte key usage.

CVE ID : CVE-2023-43637
Source : cve@asrg.io
CVSS Score : 7.8

References :
https://asrg.io/security-advisories/vault-key-partially-predetermined/ | source : cve@asrg.io

Vulnerability : CWE-321


Source : eclipse.org

Vulnerability ID : CVE-2023-4760

First published on : 21-09-2023 08:15:09
Last modified on : 21-09-2023 12:04:56

Description :
In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component. The reason for this is an incompletely secured extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but any \ (backslashes) that come later are kept. For example, a file name such as /..\..\webapps\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ..\..\webapps\shell.war in its webapps directory and can then be executed.

CVE ID : CVE-2023-4760
Source : emo@eclipse.org
CVSS Score : 7.6

References :
https://github.com/eclipse-rap/org.eclipse.rap/pull/141 | source : emo@eclipse.org
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/160 | source : emo@eclipse.org

Vulnerability : CWE-22
Vulnerability : CWE-23


Source : cert.vde.com

Vulnerability ID : CVE-2023-4152

First published on : 21-09-2023 07:15:14
Last modified on : 21-09-2023 12:04:56

Description :
Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a path traversal vulnerability of the web interface by a crafted URL without authentication. This enables a remote attacker to read all files on the filesystem of the FDS101 device.

CVE ID : CVE-2023-4152
Source : info@cert.vde.com
CVSS Score : 7.5

References :
https://cert.vde.com/en/advisories/VDE-2023-038/ | source : info@cert.vde.com

Vulnerability : CWE-22


Source : github.com

Vulnerability ID : CVE-2023-40183

First published on : 21-09-2023 15:15:10
Last modified on : 21-09-2023 16:08:49

Description :
DataEase is an open source data visualization and analysis tool. Prior to version 1.18.11, DataEase has a vulnerability that allows an attacker to obtain user cookies. The program only uses the `ImageIO.read()` method to determine whether the file is an image file or not. There is no whitelisting restriction on file suffixes. This allows the attacker to synthesize the attack code into an image for uploading and change the file extension to html. The attacker may steal user cookies by accessing links. The vulnerability has been fixed in v1.18.11. There are no known workarounds.

CVE ID : CVE-2023-40183
Source : security-advisories@github.com
CVSS Score : 7.5

References :
https://github.com/dataease/dataease/commit/826513053146721a2b3e09a9c9d3ea41f8f10569 | source : security-advisories@github.com
https://github.com/dataease/dataease/releases/tag/v1.18.11 | source : security-advisories@github.com
https://github.com/dataease/dataease/security/advisories/GHSA-w2r4-2r4w-fjxv | source : security-advisories@github.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-42457

First published on : 21-09-2023 15:15:10
Last modified on : 21-09-2023 16:08:49

Description :
plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one's frontend web server (nginx, Apache).

CVE ID : CVE-2023-42457
Source : security-advisories@github.com
CVSS Score : 7.5

References :
https://github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7 | source : security-advisories@github.com
https://github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302 | source : security-advisories@github.com
https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq | source : security-advisories@github.com

Vulnerability : CWE-400
Vulnerability : CWE-770


Vulnerability ID : CVE-2023-42805

First published on : 21-09-2023 17:15:23
Last modified on : 21-09-2023 17:15:23

Description :
quinn-proto is a state machine for the QUIC transport protocol. Prior to versions 0.9.5 and 0.10.5, receiving unknown QUIC frames in a QUIC packet could result in a panic. The problem has been fixed in 0.9.5 and 0.10.5 maintenance releases.

CVE ID : CVE-2023-42805
Source : security-advisories@github.com
CVSS Score : 7.5

References :
https://github.com/quinn-rs/quinn/pull/1667 | source : security-advisories@github.com
https://github.com/quinn-rs/quinn/pull/1668 | source : security-advisories@github.com
https://github.com/quinn-rs/quinn/pull/1669 | source : security-advisories@github.com
https://github.com/quinn-rs/quinn/security/advisories/GHSA-q8wc-j5m9-27w3 | source : security-advisories@github.com

Vulnerability : CWE-20


(6) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : github.com

Vulnerability ID : CVE-2023-42806

First published on : 21-09-2023 17:15:23
Last modified on : 21-09-2023 17:15:23

Description :
Hydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, not signing and verifying `$\mathsf{cid}$` allows an attacker (which must be a participant of this head) to use a snapshot from an old head instance with the same participants to close the head or contest the state with it. This can lead to an incorrect distribution of value (= value extraction attack; hard, but possible) or prevent the head from finalizing because the value available is not consistent with the closed utxo state (= denial of service; easy). A patch is planned for version 0.13.0. As a workaround, rotate keys between heads so as not to re-use keys and not end up with the same multi-signature participants.

CVE ID : CVE-2023-42806
Source : security-advisories@github.com
CVSS Score : 6.5

References :
https://github.com/input-output-hk/hydra/blob/ec6c7a2ab651462228475d0b34264e9a182c22bb/hydra-node/src/Hydra/HeadLogic.hs#L357 | source : security-advisories@github.com
https://github.com/input-output-hk/hydra/blob/ec6c7a2ab651462228475d0b34264e9a182c22bb/hydra-node/src/Hydra/Snapshot.hs#L50-L54 | source : security-advisories@github.com
https://github.com/input-output-hk/hydra/blob/ec6c7a2ab651462228475d0b34264e9a182c22bb/hydra-plutus/src/Hydra/Contract/Head.hs#L583-L599 | source : security-advisories@github.com
https://github.com/input-output-hk/hydra/security/advisories/GHSA-gr36-mc6v-72qq | source : security-advisories@github.com

Vulnerability : CWE-347


Vulnerability ID : CVE-2023-42807

First published on : 21-09-2023 17:15:23
Last modified on : 21-09-2023 17:15:23

Description :
Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won't face this issue if they are using the latest main branch of the app.

CVE ID : CVE-2023-42807
Source : security-advisories@github.com
CVSS Score : 6.3

References :
https://github.com/frappe/lms/security/advisories/GHSA-wvq3-3wvp-6x63 | source : security-advisories@github.com

Vulnerability : CWE-89


Source : emc.com

Vulnerability ID : CVE-2023-39252

First published on : 21-09-2023 06:15:12
Last modified on : 21-09-2023 12:04:56

Description :
Dell SCG Policy Manager 5.16.00.14 contains a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by performing MitM attacks, allowing them to obtain sensitive information.

CVE ID : CVE-2023-39252
Source : security_alert@emc.com
CVSS Score : 5.9

References :
https://www.dell.com/support/kbdoc/en-us/000217683/dsa-2023-321-security-update-for-dell-secure-connect-gateway-security-policy-manager-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-327


Source : huntr.dev

Vulnerability ID : CVE-2023-5104

First published on : 21-09-2023 09:15:10
Last modified on : 21-09-2023 12:04:56

Description :
Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.

CVE ID : CVE-2023-5104
Source : security@huntr.dev
CVSS Score : 5.7

References :
https://github.com/nocodb/nocodb/commit/db0385cb8aab2a34e233454607f59152ac62b3e2 | source : security@huntr.dev
https://huntr.dev/bounties/1b5c6d9f-941e-4dd7-a964-42b53d6826b0 | source : security@huntr.dev

Vulnerability : CWE-20


Source : cert.vde.com

Vulnerability ID : CVE-2023-4292

First published on : 21-09-2023 07:15:19
Last modified on : 21-09-2023 12:04:56

Description :
Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a SQL injection vulnerability via manipulated parameters of the web interface without authentication. The database contains limited, non-critical log information.

CVE ID : CVE-2023-4292
Source : info@cert.vde.com
CVSS Score : 5.3

References :
https://cert.vde.com/en/advisories/VDE-2023-038 | source : info@cert.vde.com

Vulnerability : CWE-89


Source : mitre.org

Vulnerability ID : CVE-2023-42482

First published on : 21-09-2023 20:15:10
Last modified on : 21-09-2023 20:15:10

Description :
Samsung Mobile Processor Exynos 2200 allows a GPU Use After Free.

CVE ID : CVE-2023-42482
Source : cve@mitre.org
CVSS Score : 4.7

References :
https://semiconductor.samsung.com/support/quality-support/product-security-updates/ | source : cve@mitre.org


(4) LOW VULNERABILITIES [0.1, 3.9]

Source : openharmony.io

Vulnerability ID : CVE-2023-4753

First published on : 21-09-2023 10:15:09
Last modified on : 21-09-2023 12:04:56

Description :
OpenHarmony v3.2.1 and prior versions have a vulnerability in the liteos-a kernel in which undetected mqueue entries may cause the kernel to crash. Local attackers can crash the liteos-a kernel with erroneous input.

CVE ID : CVE-2023-4753
Source : scy@openharmony.io
CVSS Score : 3.9

References :
https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2023/2023-11.md | source : scy@openharmony.io

Vulnerability : CWE-20


Source : github.com

Vulnerability ID : CVE-2023-41048

First published on : 21-09-2023 15:15:10
Last modified on : 21-09-2023 16:08:49

Description :
plone.namedfile allows users to handle `File` and `Image` fields targeting, but not depending on, Plone Dexterity content. Prior to versions 5.6.1, 6.0.3, 6.1.3, and 6.2.1, there is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. Note that an image tag with an SVG image as source is not vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in versions 5.6.1 (for Plone 5.2), 6.0.3 (for Plone 6.0.0-6.0.4), 6.1.3 (for Plone 6.0.5-6.0.6), and 6.2.1 (for Plone 6.0.7). There are no known workarounds.

CVE ID : CVE-2023-41048
Source : security-advisories@github.com
CVSS Score : 3.7

References :
https://github.com/plone/Products.PloneHotfix20210518 | source : security-advisories@github.com
https://github.com/plone/plone.namedfile/commit/188f66a4577021cf8f2bf7c0f5150f9b9573f167 | source : security-advisories@github.com
https://github.com/plone/plone.namedfile/commit/217d6ce847b7171bf1b73fcb6c08010eb449216a | source : security-advisories@github.com
https://github.com/plone/plone.namedfile/commit/f0f911f2a72b2e5c923dc2ab9179319cc47788f9 | source : security-advisories@github.com
https://github.com/plone/plone.namedfile/commit/ff5269fb4c79f4eb91dd934561b8824a49a03b60 | source : security-advisories@github.com
https://github.com/plone/plone.namedfile/security/advisories/GHSA-jj7c-jrv4-c65x | source : security-advisories@github.com

Vulnerability : CWE-79
Vulnerability : CWE-80


Vulnerability ID : CVE-2023-42458

First published on : 21-09-2023 17:15:22
Last modified on : 21-09-2023 17:15:22

Description :
Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default, only the Manager has this permission.

CVE ID : CVE-2023-42458
Source : security-advisories@github.com
CVSS Score : 3.7

References :
https://github.com/zopefoundation/Zope/commit/26a55dbc301db417f47cafda6fe0f983b5690088 | source : security-advisories@github.com
https://github.com/zopefoundation/Zope/commit/603b0a12881c90a072a7a65e32d47ed898ce37cb | source : security-advisories@github.com
https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v | source : security-advisories@github.com

Vulnerability : CWE-79
Vulnerability : CWE-80


Vulnerability ID : CVE-2023-42456

First published on : 21-09-2023 16:15:09
Last modified on : 21-09-2023 16:15:09

Description :
Sudo-rs, a memory-safe implementation of sudo and su, allows users to not have to enter authentication at every sudo attempt, but instead only requires authentication every once in a while in every terminal or process group. Only once a configurable timeout has passed will the user have to re-authenticate themselves. Supporting this functionality is a set of session files (timestamps) for each user, stored in `/var/run/sudo-rs/ts`. These files are named according to the username from which the sudo attempt is made (the origin user). An issue was discovered in versions prior to 0.2.1 where usernames containing the `.` and `/` characters could result in the corruption of specific files on the filesystem. As usernames are generally not limited by the characters they can contain, a username appearing to be a relative path can be constructed. For example we could add a user to the system containing the username `../../../../bin/cp`. When logged in as a user with that name, that user could run `sudo -K` to clear their session record file. The session code then constructs the path to the session file by concatenating the username to the session file storage directory, resulting in a resolved path of `/bin/cp`. The code then clears that file, resulting in the `cp` binary effectively being removed from the system. An attacker needs to be able to login as a user with a constructed username. Given that such a username is unlikely to exist on an existing system, they will also need to be able to create the users with the constructed usernames. The issue is patched in version 0.2.1 of sudo-rs. Sudo-rs now uses the uid for the user instead of their username for determining the filename. Note that an upgrade to this version will result in existing session files being ignored and users will be forced to re-authenticate. It also fully eliminates any possibility of path traversal, given that uids are always integer values.
The `sudo -K` and `sudo -k` commands can run, even if a user has no sudo access. As a workaround, make sure that one's system does not contain any users with a specially crafted username. While this is the case and while untrusted users do not have the ability to create arbitrary users on the system, one should not be able to exploit this issue.

CVE ID : CVE-2023-42456
Source : security-advisories@github.com
CVSS Score : 3.1

References :
https://github.com/memorysafety/sudo-rs/commit/bfdbda22968e3de43fa8246cab1681cfd5d5493d | source : security-advisories@github.com
https://github.com/memorysafety/sudo-rs/security/advisories/GHSA-2r3c-m6v7-9354 | source : security-advisories@github.com

Vulnerability : CWE-22
Vulnerability : CWE-23


(21) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : mitre.org

Vulnerability ID : CVE-2015-5467

First published on : 21-09-2023 06:15:10
Last modified on : 21-09-2023 12:04:56

Description :
web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter.

CVE ID : CVE-2015-5467
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2-dev/CVE-2015-5467.yaml | source : cve@mitre.org
https://www.yiiframework.com/news/87/yii-2-0-5-is-released-security-fix | source : cve@mitre.org


Vulnerability ID : CVE-2015-8371

First published on : 21-09-2023 06:15:11
Last modified on : 21-09-2023 12:04:56

Description :
Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.

CVE ID : CVE-2015-8371
Source : cve@mitre.org
CVSS Score : /

References :
https://flyingmana.de/blog_en/2016/02/14/composer_cache_injection_vulnerability_cve_2015_8371.html | source : cve@mitre.org
https://github.com/FriendsOfPHP/security-advisories/blob/e26be423c5bcfdb38478d2f92d1f928c15afb561/composer/composer/CVE-2015-8371.yaml | source : cve@mitre.org
https://github.com/composer/composer | source : cve@mitre.org
https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2015-8371.yml | source : cve@mitre.org


Vulnerability ID : CVE-2018-5478

First published on : 21-09-2023 06:15:12
Last modified on : 21-09-2023 12:04:56

Description :
Contao 3.x before 3.5.32 allows XSS via the unsubscribe module in the frontend newsletter extension.

CVE ID : CVE-2018-5478
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2018-5478.yaml | source : cve@mitre.org
https://security.snyk.io/vuln/SNYK-PHP-CONTAOCORE-70397 | source : cve@mitre.org


Vulnerability ID : CVE-2023-43669

First published on : 21-09-2023 06:15:13
Last modified on : 21-09-2023 12:04:56

Description :
The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).

CVE ID : CVE-2023-43669
Source : cve@mitre.org
CVSS Score : /

References :
https://crates.io/crates/tungstenite/versions | source : cve@mitre.org
https://cwe.mitre.org/data/definitions/407.html | source : cve@mitre.org
https://github.com/snapview/tungstenite-rs/issues/376 | source : cve@mitre.org


Vulnerability ID : CVE-2023-43235

First published on : 21-09-2023 13:15:09
Last modified on : 21-09-2023 16:08:49

Description :
D-Link DIR-823G v1.0.2B05 was discovered to contain a stack overflow via parameter StartTime and EndTime in SetWifiDownSettings.

CVE ID : CVE-2023-43235
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/peris-navince/founded-0-days/blob/main/Dlink/823G/SetWifiDownSettings/1.md | source : cve@mitre.org
https://www.dlink.com/en/security-bulletin/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-43236

First published on : 21-09-2023 13:15:10
Last modified on : 21-09-2023 16:08:49

Description :
D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter statuscheckpppoeuser in dir_setWanWifi.

CVE ID : CVE-2023-43236
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/peris-navince/founded-0-days/blob/main/Dlink/816/dir_setWanWifi/1.md | source : cve@mitre.org
https://www.dlink.com/en/security-bulletin/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-43237

First published on : 21-09-2023 13:15:10
Last modified on : 21-09-2023 16:08:49

Description :
D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter macCloneMac in setMAC.

CVE ID : CVE-2023-43237
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/peris-navince/founded-0-days/blob/main/Dlink/816/setMAC/1.md | source : cve@mitre.org
https://www.dlink.com/en/security-bulletin/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-43238

First published on : 21-09-2023 13:15:10
Last modified on : 21-09-2023 16:08:49

Description :
D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter nvmacaddr in form2Dhcpip.cgi.

CVE ID : CVE-2023-43238
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/peris-navince/founded-0-days/blob/main/Dlink/816/form2Dhcpip_cgi/1.md | source : cve@mitre.org
https://www.dlink.com/en/security-bulletin/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-43239

First published on : 21-09-2023 13:15:10
Last modified on : 21-09-2023 16:08:49

Description :
D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter flag_5G in showMACfilterMAC.

CVE ID : CVE-2023-43239
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/peris-navince/founded-0-days/blob/main/Dlink/816/showMACfilterMAC/1.md | source : cve@mitre.org
https://www.dlink.com/en/security-bulletin/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-43240

First published on : 21-09-2023 13:15:10
Last modified on : 21-09-2023 16:08:49

Description :
D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter sip_address in ipportFilter.

CVE ID : CVE-2023-43240
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/peris-navince/founded-0-days/blob/main/Dlink/816/ipportFilter/1.md | source : cve@mitre.org
https://www.dlink.com/en/security-bulletin/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-43241

First published on : 21-09-2023 13:15:10
Last modified on : 21-09-2023 16:08:49

Description :
D-Link DIR-823G v1.0.2B05 was discovered to contain a stack overflow via parameters TXPower and GuardInt in SetWLanRadioSecurity.

CVE ID : CVE-2023-43241
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/peris-navince/founded-0-days/blob/main/Dlink/823G/SetWLanRadioSecurity/1.md | source : cve@mitre.org
https://www.dlink.com/en/security-bulletin/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-43242

First published on : 21-09-2023 13:15:10
Last modified on : 21-09-2023 16:08:49

Description :
D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter removeRuleList in form2IPQoSTcDel.

CVE ID : CVE-2023-43242
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/peris-navince/founded-0-days/blob/main/Dlink/816/form2IPQoSTcDel/1.md | source : cve@mitre.org
https://www.dlink.com/en/security-bulletin/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-43274

First published on : 21-09-2023 14:15:10
Last modified on : 21-09-2023 16:08:49

Description :
Phpjabbers PHP Shopping Cart 4.2 is vulnerable to SQL Injection via the id parameter.

CVE ID : CVE-2023-43274
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Shopping-Cart-4.2 | source : cve@mitre.org


Vulnerability ID : CVE-2023-43309

First published on : 21-09-2023 14:15:10
Last modified on : 21-09-2023 16:08:49

Description :
There is a stored cross-site scripting (XSS) vulnerability in Webmin 2.002 and below via the Cluster Cron Job tab Input field, which allows attackers to run malicious scripts by injecting a specially crafted payload.

CVE ID : CVE-2023-43309
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/TishaManandhar/Webmin_xss_POC/blob/main/XSS | source : cve@mitre.org


Vulnerability ID : CVE-2023-42279

First published on : 21-09-2023 18:15:12
Last modified on : 21-09-2023 18:15:12

Description :
Dreamer CMS 4.1.3 is vulnerable to SQL Injection.

CVE ID : CVE-2023-42279
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/zaizainani/-Vulnerability-recurrence-sorting/blob/main/sqlattack-en.pdf | source : cve@mitre.org


Vulnerability ID : CVE-2023-42280

First published on : 21-09-2023 19:15:11
Last modified on : 21-09-2023 19:15:11

Description :
mee-admin 1.5 is vulnerable to Directory Traversal. The download method in the CommonFileController.java file does not verify the incoming data, resulting in arbitrary file reading.

CVE ID : CVE-2023-42280
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/zaizainani/-Vulnerability-recurrence-sorting/blob/main/anyfiledown-en.pdf | source : cve@mitre.org


Vulnerability ID : CVE-2023-38343

First published on : 21-09-2023 21:15:09
Last modified on : 21-09-2023 21:15:09

Description :
An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.

CVE ID : CVE-2023-38343
Source : cve@mitre.org
CVSS Score : /

References :
https://gist.github.com/bhyahoo/4772330b20057a271f77e690bc70f928 | source : cve@mitre.org
https://www.ivanti.com/releases | source : cve@mitre.org


Vulnerability ID : CVE-2023-38344

First published on : 21-09-2023 21:15:10
Last modified on : 21-09-2023 21:15:10

Description :
An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. A file disclosure vulnerability exists in the GetFileContents SOAP action exposed via /landesk/managementsuite/core/core.secure/OsdScript.asmx. The application does not sufficiently restrict user-supplied paths, allowing for an authenticated attacker to read arbitrary files from a remote system, including the private key used to authenticate to agents for remote access.

CVE ID : CVE-2023-38344
Source : cve@mitre.org
CVSS Score : /

References :
https://gist.github.com/bhyahoo/76533e91840200a1d9f3fb1eb87eb0f1 | source : cve@mitre.org
https://www.ivanti.com/releases | source : cve@mitre.org


Source : apple.com

Vulnerability ID : CVE-2023-41991

First published on : 21-09-2023 19:15:11
Last modified on : 21-09-2023 20:15:10

Description :
A certificate validation issue was addressed. This issue is fixed in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6, watchOS 10.0.1. A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

CVE ID : CVE-2023-41991
Source : product-security@apple.com
CVSS Score : /

References :
https://support.apple.com/en-us/HT213926 | source : product-security@apple.com
https://support.apple.com/en-us/HT213927 | source : product-security@apple.com
https://support.apple.com/en-us/HT213928 | source : product-security@apple.com
https://support.apple.com/en-us/HT213929 | source : product-security@apple.com
https://support.apple.com/en-us/HT213931 | source : product-security@apple.com
https://support.apple.com/kb/HT213926 | source : product-security@apple.com


Vulnerability ID : CVE-2023-41992

First published on : 21-09-2023 19:15:11
Last modified on : 21-09-2023 20:15:10

Description :
The issue was addressed with improved checks. This issue is fixed in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6, macOS Monterey 12.7, watchOS 10.0.1. A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

CVE ID : CVE-2023-41992
Source : product-security@apple.com
CVSS Score : /

References :
https://support.apple.com/en-us/HT213926 | source : product-security@apple.com
https://support.apple.com/en-us/HT213927 | source : product-security@apple.com
https://support.apple.com/en-us/HT213928 | source : product-security@apple.com
https://support.apple.com/en-us/HT213929 | source : product-security@apple.com
https://support.apple.com/en-us/HT213931 | source : product-security@apple.com
https://support.apple.com/en-us/HT213932 | source : product-security@apple.com
https://support.apple.com/kb/HT213926 | source : product-security@apple.com


Vulnerability ID : CVE-2023-41993

First published on : 21-09-2023 19:15:11
Last modified on : 21-09-2023 19:15:11

Description :
The issue was addressed with improved checks. This issue is fixed in Safari 16.6.1, macOS Ventura 13.6, iOS 17.0.1 and iPadOS 17.0.1, iOS 16.7 and iPadOS 16.7. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

CVE ID : CVE-2023-41993
Source : product-security@apple.com
CVSS Score : /

References :
https://support.apple.com/en-us/HT213926 | source : product-security@apple.com
https://support.apple.com/en-us/HT213927 | source : product-security@apple.com
https://support.apple.com/en-us/HT213930 | source : product-security@apple.com
https://support.apple.com/en-us/HT213931 | source : product-security@apple.com


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports
