Latest vulnerabilities [Saturday, February 03, 2024]

Latest vulnerabilities [Saturday, February 03, 2024]
{{titre}}

Last update performed on 02/03/2024 at 11:57:05 PM

(0) CRITICAL VULNERABILITIES [9.0, 10.0]

(5) HIGH VULNERABILITIES [7.0, 8.9]

Source : us.ibm.com

Vulnerability ID : CVE-2023-31004

First published on : 03-02-2024 01:15:08
Last modified on : 03-02-2024 01:15:08

Description :
IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote attacker to gain access to the underlying system using man in the middle techniques. IBM X-Force ID: 254765.

CVE ID : CVE-2023-31004
Source : psirt@us.ibm.com
CVSS Score : 8.3

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/254765 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7106586 | source : psirt@us.ibm.com

Vulnerability : CWE-300


Vulnerability ID : CVE-2023-30999

First published on : 03-02-2024 01:15:07
Last modified on : 03-02-2024 01:15:07

Description :
IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow an attacker to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 254651.

CVE ID : CVE-2023-30999
Source : psirt@us.ibm.com
CVSS Score : 7.5

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/254651 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7106586 | source : psirt@us.ibm.com

Vulnerability : CWE-400


Vulnerability ID : CVE-2023-43016

First published on : 03-02-2024 01:15:09
Last modified on : 03-02-2024 01:15:09

Description :
IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote user to log into the server due to a user account with an empty password. IBM X-Force ID: 266154.

CVE ID : CVE-2023-43016
Source : psirt@us.ibm.com
CVSS Score : 7.3

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/266154 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7106586 | source : psirt@us.ibm.com

Vulnerability : CWE-258


Vulnerability ID : CVE-2023-32327

First published on : 03-02-2024 01:15:08
Last modified on : 03-02-2024 01:15:08

Description :
IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 254783.

CVE ID : CVE-2023-32327
Source : psirt@us.ibm.com
CVSS Score : 7.1

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/254783 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7106586 | source : psirt@us.ibm.com

Vulnerability : CWE-611


Source : gitlab.com

Vulnerability ID : CVE-2024-1064

First published on : 03-02-2024 09:15:11
Last modified on : 03-02-2024 09:15:11

Description :
A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header

CVE ID : CVE-2024-1064
Source : cve@gitlab.com
CVSS Score : 7.5

References :
https://gitlab.com/crafty-controller/crafty-4/-/issues/327 | source : cve@gitlab.com

Vulnerability : CWE-644


(10) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : us.ibm.com

Vulnerability ID : CVE-2023-31006

First published on : 03-02-2024 01:15:08
Last modified on : 03-02-2024 01:15:08

Description :
IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to a denial of service attacks on the DSC server. IBM X-Force ID: 254776.

CVE ID : CVE-2023-31006
Source : psirt@us.ibm.com
CVSS Score : 6.5

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/254776 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7106586 | source : psirt@us.ibm.com

Vulnerability : CWE-400


Vulnerability ID : CVE-2023-31005

First published on : 03-02-2024 01:15:08
Last modified on : 03-02-2024 01:15:08

Description :
IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a local user to escalate their privileges due to an improper security configuration. IBM X-Force ID: 254767.

CVE ID : CVE-2023-31005
Source : psirt@us.ibm.com
CVSS Score : 6.2

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/254767 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7106586 | source : psirt@us.ibm.com

Vulnerability : CWE-269


Vulnerability ID : CVE-2023-32329

First published on : 03-02-2024 01:15:08
Last modified on : 03-02-2024 01:15:08

Description :
IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a user to download files from an incorrect repository due to improper file validation. IBM X-Force ID: 254972.

CVE ID : CVE-2023-32329
Source : psirt@us.ibm.com
CVSS Score : 6.2

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/254972 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7106586 | source : psirt@us.ibm.com

Vulnerability : CWE-345


Source : hcl.com

Vulnerability ID : CVE-2023-37528

First published on : 03-02-2024 06:15:46
Last modified on : 03-02-2024 06:15:46

Description :
A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attack to exploit an application parameter during execution of the Save Report.

CVE ID : CVE-2023-37528
Source : psirt@hcl.com
CVSS Score : 6.5

References :
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0110209 | source : psirt@hcl.com


Vulnerability ID : CVE-2024-23550

First published on : 03-02-2024 06:15:48
Last modified on : 03-02-2024 06:15:48

Description :
HCL DevOps Deploy / HCL Launch (UCD) could disclose sensitive user information when installing the Windows agent.

CVE ID : CVE-2024-23550
Source : psirt@hcl.com
CVSS Score : 6.2

References :
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0110334 | source : psirt@hcl.com


Source : vuldb.com

Vulnerability ID : CVE-2024-1198

First published on : 03-02-2024 00:15:44
Last modified on : 03-02-2024 00:15:44

Description :
A vulnerability, which was classified as critical, was found in openBI up to 6.0.3. Affected is the function addxinzhi of the file application/controllers/User.php of the component Phar Handler. The manipulation of the argument outimgurl leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252696.

CVE ID : CVE-2024-1198
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://note.zhaoj.in/share/qFXZZfp1NLa3 | source : cna@vuldb.com
https://vuldb.com/?ctiid.252696 | source : cna@vuldb.com
https://vuldb.com/?id.252696 | source : cna@vuldb.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2024-1199

First published on : 03-02-2024 00:15:44
Last modified on : 03-02-2024 00:15:44

Description :
A vulnerability has been found in CodeAstro Employee Task Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file \employee-tasks-php\attendance-info.php. The manipulation of the argument aten_id leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252697 was assigned to this vulnerability.

CVE ID : CVE-2024-1199
Source : cna@vuldb.com
CVSS Score : 5.4

References :
https://docs.qq.com/doc/DYnhIWEdkZXViTXdD | source : cna@vuldb.com
https://vuldb.com/?ctiid.252697 | source : cna@vuldb.com
https://vuldb.com/?id.252697 | source : cna@vuldb.com

Vulnerability : CWE-404


Vulnerability ID : CVE-2024-1200

First published on : 03-02-2024 02:15:52
Last modified on : 03-02-2024 02:15:52

Description :
A vulnerability was found in Jspxcms 10.2.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /template/1/default/. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252698 is the identifier assigned to this vulnerability.

CVE ID : CVE-2024-1200
Source : cna@vuldb.com
CVSS Score : 5.3

References :
https://github.com/sweatxi/BugHub/blob/main/Nanchang%20Lanzhi%20Technology%20Co.pdf | source : cna@vuldb.com
https://vuldb.com/?ctiid.252698 | source : cna@vuldb.com
https://vuldb.com/?id.252698 | source : cna@vuldb.com

Vulnerability : CWE-200


Source : wordfence.com

Vulnerability ID : CVE-2024-0895

First published on : 03-02-2024 06:15:47
Last modified on : 03-02-2024 06:15:47

Description :
The PDF Flipbook, 3D Flipbook โ€“ DearFlip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via outline settings in all versions up to, and including, 2.2.26 due to insufficient input sanitization and output escaping on user supplied data. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE ID : CVE-2024-0895
Source : security@wordfence.com
CVSS Score : 5.4

References :
https://plugins.trac.wordpress.org/browser/3d-flipbook-dflip-lite/trunk/inc/metaboxes.php#L483 | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3030441%403d-flipbook-dflip-lite&new=3030441%403d-flipbook-dflip-lite&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/92e37b28-1a17-417a-b40f-cb4bbe6ec759?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0909

First published on : 03-02-2024 06:15:48
Last modified on : 03-02-2024 06:15:48

Description :
The Anonymous Restricted Content plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.6.2. This is due to insufficient restrictions through the REST API on the posts/pages that protections are being place on. This makes it possible for unauthenticated attackers to access protected content.

CVE ID : CVE-2024-0909
Source : security@wordfence.com
CVSS Score : 5.3

References :
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3030199%40anonymous-restricted-content&new=3030199%40anonymous-restricted-content&sfp_email=&sfph_mail= | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3030608%40anonymous-restricted-content&new=3030608%40anonymous-restricted-content&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/f478ff7c-7193-4c59-a84f-c7cafff9b6c0?source=cve | source : security@wordfence.com


(1) LOW VULNERABILITIES [0.1, 3.9]

Source : vuldb.com

Vulnerability ID : CVE-2024-1215

First published on : 03-02-2024 16:16:00
Last modified on : 03-02-2024 16:16:00

Description :
A vulnerability was found in SourceCodester CRUD without Page Reload 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file fetch_data.php. The manipulation of the argument username/city leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252782 is the identifier assigned to this vulnerability.

CVE ID : CVE-2024-1215
Source : cna@vuldb.com
CVSS Score : 3.5

References :
https://github.com/PrecursorYork/crud-without-refresh-reload-Reflected_XSS-POC/blob/main/README.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.252782 | source : cna@vuldb.com
https://vuldb.com/?id.252782 | source : cna@vuldb.com

Vulnerability : CWE-79


(4) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : mitre.org

Vulnerability ID : CVE-2023-43183

First published on : 03-02-2024 09:15:11
Last modified on : 03-02-2024 09:15:11

Description :
Incorrect access control in Reprise License Management Software Reprise License Manager v15.1 allows read-only users to arbitrarily change the password of an admin and hijack their account.

CVE ID : CVE-2023-43183
Source : cve@mitre.org
CVSS Score : /

References :
http://seclists.org/fulldisclosure/2024/Jan/43 | source : cve@mitre.org
https://packetstormsecurity.com/files/176841/Reprise-License-Manager-15.1-Privilege-Escalation-File-Write.html | source : cve@mitre.org


Vulnerability ID : CVE-2023-44031

First published on : 03-02-2024 09:15:11
Last modified on : 03-02-2024 09:15:11

Description :
Incorrect access control in Reprise License Management Software Reprise License Manager v15.1 allows attackers to arbitrarily save sensitive files in insecure locations via a crafted POST request.

CVE ID : CVE-2023-44031
Source : cve@mitre.org
CVSS Score : /

References :
http://seclists.org/fulldisclosure/2024/Jan/43 | source : cve@mitre.org
https://packetstormsecurity.com/files/176841/Reprise-License-Manager-15.1-Privilege-Escalation-File-Write.html | source : cve@mitre.org


Vulnerability ID : CVE-2023-49950

First published on : 03-02-2024 09:15:11
Last modified on : 03-02-2024 09:15:11

Description :
The Jinja templating in Logpoint SIEM 6.10.0 through 7.x before 7.3.0 does not correctly sanitize log data being displayed when using a custom Jinja template in the Alert view. A remote attacker can craft a cross-site scripting (XSS) payload and send it to any system or device that sends logs to the SIEM. If an alert is created, the payload will execute upon the alert data being viewed with that template, which can lead to sensitive data disclosure.

CVE ID : CVE-2023-49950
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/shrikeinfosec/cve-2023-49950/blob/main/cve-2023-49950.md | source : cve@mitre.org
https://servicedesk.logpoint.com/hc/en-us/articles/14124495377437-Stored-XSS-Vulnerability-in-Alerts-via-Log-Injection | source : cve@mitre.org


Source : 2499f714-1537-4658-8207-48ae4bb9eae9

Vulnerability ID : CVE-2024-0853

First published on : 03-02-2024 14:15:50
Last modified on : 03-02-2024 14:15:50

Description :
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.

CVE ID : CVE-2024-0853
Source : 2499f714-1537-4658-8207-48ae4bb9eae9
CVSS Score : /

References :
https://curl.se/docs/CVE-2024-0853.html | source : 2499f714-1537-4658-8207-48ae4bb9eae9
https://curl.se/docs/CVE-2024-0853.json | source : 2499f714-1537-4658-8207-48ae4bb9eae9
https://hackerone.com/reports/2298922 | source : 2499f714-1537-4658-8207-48ae4bb9eae9


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports

Securitricks

Great! Youโ€™ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to Securitricks.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.