Latest vulnerabilities [Sunday, December 17, 2023]

Latest vulnerabilities [Sunday, December 17, 2023]
{{titre}}

Last update performed on 12/17/2023 at 11:57:05 PM

(0) CRITICAL VULNERABILITIES [9.0, 10.0]

(2) HIGH VULNERABILITIES [7.0, 8.9]

Source : vuldb.com

Vulnerability ID : CVE-2023-6901

First published on : 17-12-2023 14:15:37
Last modified on : 17-12-2023 14:15:37

Description :
A vulnerability, which was classified as critical, was found in codelyfe Stupid Simple CMS up to 1.2.3. This affects an unknown part of the file /terminal/handle-command.php of the component HTTP POST Request Handler. The manipulation of the argument command with the input whoami leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-248259.

CVE ID : CVE-2023-6901
Source : cna@vuldb.com
CVSS Score : 7.3

References :
https://github.com/g1an123/POC/blob/main/README.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.248259 | source : cna@vuldb.com
https://vuldb.com/?id.248259 | source : cna@vuldb.com

Vulnerability : CWE-78


Source : hpe.com

Vulnerability ID : CVE-2023-50271

First published on : 17-12-2023 15:15:07
Last modified on : 17-12-2023 15:15:07

Description :
A potential security vulnerability has been identified with HP-UX System Management Homepage (SMH). This vulnerability could be exploited locally or remotely to disclose information.

CVE ID : CVE-2023-50271
Source : security-alert@hpe.com
CVSS Score : 7.2

References :
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbux04551en_us | source : security-alert@hpe.com

Vulnerability : CWE-200


(18) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : vuldb.com

Vulnerability ID : CVE-2023-6887

First published on : 17-12-2023 01:15:27
Last modified on : 17-12-2023 01:15:27

Description :
A vulnerability classified as critical has been found in saysky ForestBlog up to 20220630. This affects an unknown part of the file /admin/upload/img of the component Image Upload Handler. The manipulation of the argument filename leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-248247.

CVE ID : CVE-2023-6887
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/daydust/vuln/blob/main/ForestBlog/Arbitrary_File_Upload_Vulnerability.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.248247 | source : cna@vuldb.com
https://vuldb.com/?id.248247 | source : cna@vuldb.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-6888

First published on : 17-12-2023 01:15:27
Last modified on : 17-12-2023 01:15:27

Description :
A vulnerability classified as critical was found in PHZ76 RtspServer 1.0.0. This vulnerability affects the function ParseRequestLine of the file RtspMesaage.cpp. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-248248. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2023-6888
Source : cna@vuldb.com
CVSS Score : 6.3

References :
http://www.huiyao.love/2023/12/08/rtspserver-stackoverflow-vulnerability/ | source : cna@vuldb.com
https://github.com/hu1y40/PoC/blob/main/rtspserver_stackoverflow_poc.py | source : cna@vuldb.com
https://vuldb.com/?ctiid.248248 | source : cna@vuldb.com
https://vuldb.com/?id.248248 | source : cna@vuldb.com

Vulnerability : CWE-121


Vulnerability ID : CVE-2023-6895

First published on : 17-12-2023 08:15:07
Last modified on : 17-12-2023 08:15:07

Description :
A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. VDB-248254 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2023-6895
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/willchen0011/cve/blob/main/rce.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.248254 | source : cna@vuldb.com
https://vuldb.com/?id.248254 | source : cna@vuldb.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2023-6898

First published on : 17-12-2023 11:15:08
Last modified on : 17-12-2023 11:15:08

Description :
A vulnerability classified as critical has been found in SourceCodester Best Courier Management System 1.0. Affected is an unknown function of the file manage_user.php. The manipulation of the argument id leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-248256.

CVE ID : CVE-2023-6898
Source : cna@vuldb.com
CVSS Score : 5.5

References :
https://github.com/Glunko/gaatitrack-courier-management-system_vulnerability/blob/main/sql_injection.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.248256 | source : cna@vuldb.com
https://vuldb.com/?id.248256 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-6902

First published on : 17-12-2023 16:15:13
Last modified on : 17-12-2023 16:15:13

Description :
A vulnerability has been found in codelyfe Stupid Simple CMS up to 1.2.4 and classified as critical. This vulnerability affects unknown code of the file /file-manager/upload.php. The manipulation of the argument file leads to unrestricted upload. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-248260.

CVE ID : CVE-2023-6902
Source : cna@vuldb.com
CVSS Score : 5.5

References :
https://github.com/g1an123/POC/blob/main/Unauthorized%20file%20upload%20getshell.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.248260 | source : cna@vuldb.com
https://vuldb.com/?id.248260 | source : cna@vuldb.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-6891

First published on : 17-12-2023 04:15:07
Last modified on : 17-12-2023 04:15:07

Description :
A vulnerability has been found in PeaZip 9.4.0 and classified as problematic. Affected by this vulnerability is an unknown functionality in the library dragdropfilesdll.dll of the component Library Handler. The manipulation leads to uncontrolled search path. An attack has to be approached locally. Upgrading to version 9.6.0 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-248251. NOTE: Vendor was contacted early, confirmed the existence of the flaw and immediately worked on a patched release.

CVE ID : CVE-2023-6891
Source : cna@vuldb.com
CVSS Score : 5.3

References :
https://peazip.github.io/changelog.html | source : cna@vuldb.com
https://vuldb.com/?ctiid.248251 | source : cna@vuldb.com
https://vuldb.com/?id.248251 | source : cna@vuldb.com

Vulnerability : CWE-427


Vulnerability ID : CVE-2023-6886

First published on : 17-12-2023 01:15:27
Last modified on : 17-12-2023 01:15:27

Description :
A vulnerability was found in xnx3 wangmarket 6.1. It has been rated as critical. Affected by this issue is some unknown functionality of the component Role Management Page. The manipulation leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-248246 is the identifier assigned to this vulnerability.

CVE ID : CVE-2023-6886
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://github.com/xnx3/wangmarket/issues/8 | source : cna@vuldb.com
https://vuldb.com/?ctiid.248246 | source : cna@vuldb.com
https://vuldb.com/?id.248246 | source : cna@vuldb.com

Vulnerability : CWE-94


Vulnerability ID : CVE-2023-6900

First published on : 17-12-2023 14:15:36
Last modified on : 17-12-2023 14:15:36

Description :
A vulnerability, which was classified as critical, has been found in rmountjoy92 DashMachine 0.5-4. Affected by this issue is some unknown functionality of the file /settings/delete_file. The manipulation of the argument file leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. VDB-248258 is the identifier assigned to this vulnerability.

CVE ID : CVE-2023-6900
Source : cna@vuldb.com
CVSS Score : 4.6

References :
https://treasure-blarney-085.notion.site/DashMachine-Arbitrary-File-Deletion-ab44f2fe68e843c393ae9e0c1d487676 | source : cna@vuldb.com
https://vuldb.com/?ctiid.248258 | source : cna@vuldb.com
https://vuldb.com/?id.248258 | source : cna@vuldb.com

Vulnerability : CWE-24


Vulnerability ID : CVE-2023-6893

First published on : 17-12-2023 07:15:07
Last modified on : 17-12-2023 07:15:07

Description :
A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK) and classified as problematic. Affected by this issue is some unknown functionality of the file /php/exportrecord.php. The manipulation of the argument downname with the input C:\ICPAS\Wnmp\WWW\php\conversion.php leads to path traversal. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-248252. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2023-6893
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://github.com/willchen0011/cve/blob/main/download.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.248252 | source : cna@vuldb.com
https://vuldb.com/?id.248252 | source : cna@vuldb.com

Vulnerability : CWE-22


Vulnerability ID : CVE-2023-6894

First published on : 17-12-2023 08:15:06
Last modified on : 17-12-2023 08:15:06

Description :
A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been classified as problematic. This affects an unknown part of the file access/html/system.html of the component Log File Handler. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier VDB-248253 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2023-6894
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://github.com/willchen0011/cve/blob/main/unaccess.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.248253 | source : cna@vuldb.com
https://vuldb.com/?id.248253 | source : cna@vuldb.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2023-6899

First published on : 17-12-2023 13:15:42
Last modified on : 17-12-2023 13:15:42

Description :
A vulnerability classified as problematic was found in rmountjoy92 DashMachine 0.5-4. Affected by this vulnerability is an unknown functionality of the file /settings/save_config of the component Config Handler. The manipulation of the argument value_template leads to code injection. The exploit has been disclosed to the public and may be used. The identifier VDB-248257 was assigned to this vulnerability.

CVE ID : CVE-2023-6899
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://treasure-blarney-085.notion.site/DashMachine-Unauthorized-RCE-931a35a81af9448ebe9fb4cd904d4a0c | source : cna@vuldb.com
https://vuldb.com/?ctiid.248257 | source : cna@vuldb.com
https://vuldb.com/?id.248257 | source : cna@vuldb.com

Vulnerability : CWE-94


Source : patchstack.com

Vulnerability ID : CVE-2023-49824

First published on : 17-12-2023 11:15:07
Last modified on : 17-12-2023 11:15:07

Description :
Cross-Site Request Forgery (CSRF) vulnerability in PixelYourSite Product Catalog Feed by PixelYourSite.This issue affects Product Catalog Feed by PixelYourSite: from n/a through 2.1.1.

CVE ID : CVE-2023-49824
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/product-catalog-feed/wordpress-product-catalog-feed-by-pixelyoursite-plugin-2-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-49834

First published on : 17-12-2023 11:15:08
Last modified on : 17-12-2023 11:15:08

Description :
Cross-Site Request Forgery (CSRF) vulnerability in realmag777 FOX โ€“ Currency Switcher Professional for WooCommerce.This issue affects FOX โ€“ Currency Switcher Professional for WooCommerce: from n/a through 1.4.1.4.

CVE ID : CVE-2023-49834
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/woocommerce-currency-switcher/wordpress-fox-currency-switcher-professional-for-woocommerce-plugin-1-4-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-24380

First published on : 17-12-2023 10:15:07
Last modified on : 17-12-2023 10:15:07

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Webbjocke Simple Wp Sitemap.This issue affects Simple Wp Sitemap: from n/a through 1.2.1.

CVE ID : CVE-2023-24380
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/simple-wp-sitemap/wordpress-simple-wp-sitemap-plugin-1-2-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-49751

First published on : 17-12-2023 10:15:07
Last modified on : 17-12-2023 10:15:07

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Ciprian Popescu Block for Font Awesome.This issue affects Block for Font Awesome: from n/a through 1.4.0.

CVE ID : CVE-2023-49751
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/block-for-font-awesome/wordpress-block-for-font-awesome-plugin-1-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-49769

First published on : 17-12-2023 10:15:07
Last modified on : 17-12-2023 10:15:07

Description :
Cross-Site Request Forgery (CSRF) vulnerability in SoftLab Integrate Google Drive.This issue affects Integrate Google Drive: from n/a through 1.3.4.

CVE ID : CVE-2023-49769
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/integrate-google-drive/wordpress-integrate-google-drive-plugin-1-3-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-49775

First published on : 17-12-2023 10:15:08
Last modified on : 17-12-2023 10:15:08

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Denis Kobozev CSV Importer.This issue affects CSV Importer: from n/a through 0.3.8.

CVE ID : CVE-2023-49775
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/csv-importer/wordpress-csv-importer-plugin-0-3-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-49816

First published on : 17-12-2023 11:15:07
Last modified on : 17-12-2023 11:15:07

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Innovative Solutions Fix My Feed RSS Repair.This issue affects Fix My Feed RSS Repair: from n/a through 1.4.

CVE ID : CVE-2023-49816
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/fix-my-feed-rss-repair/wordpress-fix-my-feed-rss-repair-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


(1) LOW VULNERABILITIES [0.1, 3.9]

Source : vuldb.com

Vulnerability ID : CVE-2023-6896

First published on : 17-12-2023 10:15:08
Last modified on : 17-12-2023 10:15:08

Description :
A vulnerability was found in SourceCodester Simple Image Stack Website 1.0. It has been rated as problematic. This issue affects some unknown processing. The manipulation of the argument search with the input sy2ap%22%3e%3cscript%3ealert(1)%3c%2fscript%3etkxh1 leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-248255.

CVE ID : CVE-2023-6896
Source : cna@vuldb.com
CVSS Score : 3.5

References :
https://vuldb.com/?ctiid.248255 | source : cna@vuldb.com
https://vuldb.com/?id.248255 | source : cna@vuldb.com
https://www.yuque.com/u39434519/pfhiwd/vry762ncuczem3yi?singleDoc# | source : cna@vuldb.com

Vulnerability : CWE-79


(1) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : mitre.org

Vulnerability ID : CVE-2023-50965

First published on : 17-12-2023 02:15:21
Last modified on : 17-12-2023 02:15:21

Description :
In MicroHttpServer (aka Micro HTTP Server) through 4398570, _ReadStaticFiles in lib/middleware.c allows a stack-based buffer overflow and potentially remote code execution via a long URI.

CVE ID : CVE-2023-50965
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/starnight/MicroHttpServer/issues/5 | source : cve@mitre.org
https://github.com/starnight/MicroHttpServer/tree/43985708ef5fe7677392c54e229bd22e136c2665 | source : cve@mitre.org


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports

Securitricks

Great! Youโ€™ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to Securitricks.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.