Latest vulnerabilities [Sunday, December 3, 2023]

Latest vulnerabilities [Sunday, December 3, 2023]
https://www.securitricks.com/content/images/size/w600/format/webp/2023/12/VULNERABILITIES-REPORTS-LOGO.png
{{titre}}

Last update performed on 12/03/2023 at 11:57:01 PM

(0) CRITICAL VULNERABILITIES [9.0, 10.0]

(1) HIGH VULNERABILITIES [7.0, 8.9]

Source : vuldb.com

Vulnerability ID : CVE-2020-36768

First published on : 03-12-2023 11:15:08
Last modified on : 03-12-2023 16:37:30

Description :
A vulnerability was found in rl-institut NESP2 Initial Release/1.0. It has been classified as critical. Affected is an unknown function of the file app/database.py. The manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 07c0cdf36cf6a4345086d07b54423723a496af5e. It is recommended to apply a patch to fix this issue. VDB-246642 is the identifier assigned to this vulnerability.

CVE ID : CVE-2020-36768
Source : cna@vuldb.com
CVSS Score : 7.3

References :
https://github.com/rl-institut/NESP2/commit/07c0cdf36cf6a4345086d07b54423723a496af5e | source : cna@vuldb.com
https://github.com/rl-institut/NESP2/issues/334 | source : cna@vuldb.com
https://github.com/rl-institut/NESP2/pull/333 | source : cna@vuldb.com
https://vuldb.com/?ctiid.246642 | source : cna@vuldb.com
https://vuldb.com/?id.246642 | source : cna@vuldb.com

Vulnerability : CWE-89


(2) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : us.ibm.com

Vulnerability ID : CVE-2023-45178

First published on : 03-12-2023 18:15:42
Last modified on : 03-12-2023 18:15:42

Description :
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5 CLI is vulnerable to a denial of service when a specially crafted request is used. IBM X-Force ID: 268073.

CVE ID : CVE-2023-45178
Source : psirt@us.ibm.com
CVSS Score : 6.5

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/268073 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7087207 | source : psirt@us.ibm.com

Vulnerability : CWE-20


Source : vuldb.com

Vulnerability ID : CVE-2023-6474

First published on : 03-12-2023 00:15:07
Last modified on : 03-12-2023 16:37:30

Description :
A vulnerability has been found in PHPGurukul Nipah Virus Testing Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file manage-phlebotomist.php. The manipulation of the argument pid leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-246640.

CVE ID : CVE-2023-6474
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://github.com/dhabaleshwar/niv_testing_csrf/blob/main/exploit.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.246640 | source : cna@vuldb.com
https://vuldb.com/?id.246640 | source : cna@vuldb.com

Vulnerability : CWE-352


(2) LOW VULNERABILITIES [0.1, 3.9]

Source : vuldb.com

Vulnerability ID : CVE-2018-25094

First published on : 03-12-2023 11:15:07
Last modified on : 03-12-2023 16:37:30

Description :
A vulnerability was found in ???????????????? Online Accounting System up to 1.4.0 and classified as problematic. This issue affects some unknown processing of the file ckeditor/filemanager/browser/default/image.php. The manipulation of the argument fid with the input ../../../etc/passwd leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The identifier of the patch is 9d9618422b980335bb30be612ea90f4f56cb992c. It is recommended to upgrade the affected component. The identifier VDB-246641 was assigned to this vulnerability.

CVE ID : CVE-2018-25094
Source : cna@vuldb.com
CVSS Score : 3.5

References :
https://github.com/59160781/project/commit/9d9618422b980335bb30be612ea90f4f56cb992c | source : cna@vuldb.com
https://vuldb.com/?ctiid.246641 | source : cna@vuldb.com
https://vuldb.com/?id.246641 | source : cna@vuldb.com

Vulnerability : CWE-24


Vulnerability ID : CVE-2022-4957

First published on : 03-12-2023 19:15:07
Last modified on : 03-12-2023 19:15:07

Description :
A vulnerability was found in librespeed speedtest up to 5.2.4. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file results/stats.php. The manipulation of the argument id leads to cross site scripting. The attack can be launched remotely. Upgrading to version 5.2.5 is able to address this issue. The patch is named a85f2c086f3449dffa8fe2edb5e2ef3ee72dc0e9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-246643.

CVE ID : CVE-2022-4957
Source : cna@vuldb.com
CVSS Score : 3.5

References :
https://github.com/librespeed/speedtest/commit/a85f2c086f3449dffa8fe2edb5e2ef3ee72dc0e9 | source : cna@vuldb.com
https://github.com/librespeed/speedtest/releases/tag/5.2.5 | source : cna@vuldb.com
https://vuldb.com/?ctiid.246643 | source : cna@vuldb.com
https://vuldb.com/?id.246643 | source : cna@vuldb.com

Vulnerability : CWE-79


(4) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : mitre.org

Vulnerability ID : CVE-2023-49926

First published on : 03-12-2023 03:15:07
Last modified on : 03-12-2023 16:37:30

Description :
app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget.

CVE ID : CVE-2023-49926
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/MISP/MISP/commit/dc73287ee2000476e3a5800ded402825ca10f7e8 | source : cve@mitre.org
https://github.com/MISP/MISP/compare/v2.4.178...v2.4.179 | source : cve@mitre.org


Vulnerability ID : CVE-2023-49946

First published on : 03-12-2023 19:15:08
Last modified on : 03-12-2023 19:15:08

Description :
In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions.

CVE ID : CVE-2023-49946
Source : cve@mitre.org
CVSS Score : /

References :
https://about.gitea.com/security | source : cve@mitre.org
https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md | source : cve@mitre.org
https://forgejo.org/2023-11-release-v1-20-5-1/ | source : cve@mitre.org
https://github.com/gogs/gogs/security | source : cve@mitre.org


Vulnerability ID : CVE-2023-49947

First published on : 03-12-2023 19:15:08
Last modified on : 03-12-2023 19:15:08

Description :
Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication.

CVE ID : CVE-2023-49947
Source : cve@mitre.org
CVSS Score : /

References :
https://codeberg.org/forgejo/forgejo/commit/44df78edd40076b349d50dc5fb02af417a44cfab | source : cve@mitre.org
https://forgejo.org/2023-11-release-v1-20-5-1/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-49948

First published on : 03-12-2023 19:15:08
Last modified on : 03-12-2023 19:15:08

Description :
Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL.

CVE ID : CVE-2023-49948
Source : cve@mitre.org
CVSS Score : /

References :
https://codeberg.org/forgejo/forgejo/commit/d7408d8b0b04afd2a3c8e23cc908e7bd3849f34d | source : cve@mitre.org
https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md | source : cve@mitre.org
https://forgejo.org/2023-11-release-v1-20-5-1/ | source : cve@mitre.org


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports

Securitricks

Great! Youโ€™ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to Securitricks.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.