Latest vulnerabilities [Wednesday, January 17, 2024]


Last update performed on 01/17/2024 at 11:57:07 PM

(3) CRITICAL VULNERABILITIES [9.0, 10.0]

Source : wordfence.com

Vulnerability ID : CVE-2021-4434

First published on : 17-01-2024 09:15:25
Last modified on : 17-01-2024 14:01:37

Description :
The Social Warfare plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.5.2 via the 'swp_url' parameter. This allows attackers to execute code on the server.

CVE ID : CVE-2021-4434
Source : security@wordfence.com
CVSS Score : 10.0

References :
https://packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.html | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/98cf2a10-cc53-4479-87d1-71489f6a8c51?source=cve | source : security@wordfence.com


Source : incibe.es

Vulnerability ID : CVE-2024-0643

First published on : 17-01-2024 14:15:43
Last modified on : 17-01-2024 17:35:08

Description :
Unrestricted upload of dangerous file types in the C21 Live Encoder and Live Mosaic product, version 5.3. This vulnerability allows a remote attacker to upload different file extensions without any restrictions, resulting in a full system compromise.

CVE ID : CVE-2024-0643
Source : cve-coordination@incibe.es
CVSS Score : 10.0

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cires21-products | source : cve-coordination@incibe.es

Vulnerability : CWE-434


Vulnerability ID : CVE-2024-0642

First published on : 17-01-2024 14:15:43
Last modified on : 17-01-2024 17:35:08

Description :
Inadequate access control in the C21 Live Encoder and Live Mosaic product, version 5.3. This vulnerability allows a remote attacker to access the application as an administrator user through the application endpoint, due to lack of proper credential management.

CVE ID : CVE-2024-0642
Source : cve-coordination@incibe.es
CVSS Score : 9.8

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cires21-products | source : cve-coordination@incibe.es

Vulnerability : CWE-284


(9) HIGH VULNERABILITIES [7.0, 8.9]

Source : citrix.com

Vulnerability ID : CVE-2023-6549

First published on : 17-01-2024 21:15:11
Last modified on : 17-01-2024 21:15:11

Description :
Denial of Service

CVE ID : CVE-2023-6549
Source : secure@citrix.com
CVSS Score : 8.2

References :
https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549 | source : secure@citrix.com

Vulnerability : CWE-119


Source : cert-in.org.in

Vulnerability ID : CVE-2023-51740

First published on : 17-01-2024 08:15:37
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to transmission of authentication credentials in plaintext over the network. A remote attacker could exploit this vulnerability by eavesdropping on the victim’s network traffic to extract username and password from the web interface (Login Page) of the vulnerable targeted system.

CVE ID : CVE-2023-51740
Source : vdisclose@cert-in.org.in
CVSS Score : 7.5

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-319


Vulnerability ID : CVE-2023-51741

First published on : 17-01-2024 08:15:38
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to transmission of authentication credentials in plaintext over the network. A remote attacker could exploit this vulnerability by eavesdropping on the victim’s network traffic to extract username and password from the web interface (Password Reset Page) of the vulnerable targeted system.

CVE ID : CVE-2023-51741
Source : vdisclose@cert-in.org.in
CVSS Score : 7.5

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-319


Source : incibe.es

Vulnerability ID : CVE-2024-0645

First published on : 17-01-2024 14:15:44
Last modified on : 17-01-2024 17:35:08

Description :
Buffer overflow vulnerability in Explorer++ affecting version 1.3.5.531. A local attacker could execute arbitrary code via a long filename argument by monitoring Structured Exception Handler (SEH) records.

CVE ID : CVE-2024-0645
Source : cve-coordination@incibe.es
CVSS Score : 7.3

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/buffer-overflow-vulnerability-explorer | source : cve-coordination@incibe.es

Vulnerability : CWE-119


Source : cisco.com

Vulnerability ID : CVE-2024-20272

First published on : 17-01-2024 17:15:12
Last modified on : 17-01-2024 17:35:02

Description :
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system. This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by uploading arbitrary files to an affected system. A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root.

CVE ID : CVE-2024-20272
Source : ykramarz@cisco.com
CVSS Score : 7.3

References :
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuc-unauth-afu-FROYsCsD | source : ykramarz@cisco.com


Source : wordfence.com

Vulnerability ID : CVE-2024-0405

First published on : 17-01-2024 05:15:08
Last modified on : 17-01-2024 14:01:41

Description :
The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database.

CVE ID : CVE-2024-0405
Source : security@wordfence.com
CVSS Score : 7.2

References :
https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/class-statistics.php?rev=3011996#L380 | source : security@wordfence.com
https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/class-statistics.php?rev=3011996#L926 | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3020809%40burst-statistics%2Ftrunk&old=3012004%40burst-statistics%2Ftrunk&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/e349f07d-a520-4700-a6e0-25e68c1deeae?source=cve | source : security@wordfence.com


Source : progress.com

Vulnerability ID : CVE-2024-0396

First published on : 17-01-2024 16:15:46
Last modified on : 17-01-2024 17:35:02

Description :
In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.

CVE ID : CVE-2024-0396
Source : security@progress.com
CVSS Score : 7.1

References :
https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-January-2024 | source : security@progress.com
https://www.progress.com/moveit | source : security@progress.com

Vulnerability : CWE-20


Source : patchstack.com

Vulnerability ID : CVE-2022-41990

First published on : 17-01-2024 17:15:09
Last modified on : 17-01-2024 17:35:02

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Vinoj Cardoza 3D Tag Cloud allows Stored XSS. This issue affects 3D Tag Cloud: from n/a through 3.8.

CVE ID : CVE-2022-41990
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/cardoza-3d-tag-cloud/wordpress-3d-tag-cloud-plugin-3-8-stored-cross-site-scripting-xss-via-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Source : redhat.com

Vulnerability ID : CVE-2024-0646

First published on : 17-01-2024 16:15:47
Last modified on : 17-01-2024 17:35:02

Description :
An out-of-bounds memory write flaw was found in the Linux kernel’s Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination. This flaw allows a local user to crash or potentially escalate their privileges on the system.

CVE ID : CVE-2024-0646
Source : secalert@redhat.com
CVSS Score : 7.0

References :
https://access.redhat.com/security/cve/CVE-2024-0646 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2253908 | source : secalert@redhat.com
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5a595000e267 | source : secalert@redhat.com


(50) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : cert-in.org.in

Vulnerability ID : CVE-2023-51719

First published on : 17-01-2024 07:15:45
Last modified on : 17-01-2024 14:01:41

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Traceroute parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51719
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51720

First published on : 17-01-2024 07:15:46
Last modified on : 17-01-2024 14:01:41

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Time Server 1 parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51720
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51721

First published on : 17-01-2024 07:15:47
Last modified on : 17-01-2024 14:01:41

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Time Server 2 parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51721
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51722

First published on : 17-01-2024 07:15:47
Last modified on : 17-01-2024 14:01:41

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Time Server 3 parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51722
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51723

First published on : 17-01-2024 07:15:48
Last modified on : 17-01-2024 14:01:41

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Description parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51723
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51724

First published on : 17-01-2024 07:15:49
Last modified on : 17-01-2024 14:01:41

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the URL parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51724
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51725

First published on : 17-01-2024 07:15:49
Last modified on : 17-01-2024 14:01:41

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Contact Email Address parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51725
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51726

First published on : 17-01-2024 07:15:50
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the SMTP Server Name parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51726
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51727

First published on : 17-01-2024 07:15:50
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the SMTP Username parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51727
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51728

First published on : 17-01-2024 07:15:51
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the SMTP Password parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51728
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51729

First published on : 17-01-2024 07:15:52
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the DDNS Username parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51729
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51730

First published on : 17-01-2024 07:15:52
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the DDNS Password parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51730
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51731

First published on : 17-01-2024 07:15:53
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Hostname parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51731
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51732

First published on : 17-01-2024 07:15:53
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the IPsec Tunnel Name parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51732
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51733

First published on : 17-01-2024 08:15:36
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Identity parameter under Local endpoint settings at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51733
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51734

First published on : 17-01-2024 08:15:36
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Identity parameter under Remote endpoint settings at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51734
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51735

First published on : 17-01-2024 08:15:36
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Pre-shared key parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51735
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51736

First published on : 17-01-2024 08:15:36
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the L2TP/PPTP Username parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51736
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51737

First published on : 17-01-2024 08:15:37
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Preshared Phrase parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51737
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51738

First published on : 17-01-2024 08:15:37
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Network Name (SSID) parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51738
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51739

First published on : 17-01-2024 08:15:37
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Device Name parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

CVE ID : CVE-2023-51739
Source : vdisclose@cert-in.org.in
CVSS Score : 6.9

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51742

First published on : 17-01-2024 08:15:38
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Add Downstream Frequency parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform a Denial of Service (DoS) attack on the targeted system.

CVE ID : CVE-2023-51742
Source : vdisclose@cert-in.org.in
CVSS Score : 6.5

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-787


Vulnerability ID : CVE-2023-51743

First published on : 17-01-2024 08:15:38
Last modified on : 17-01-2024 14:01:37

Description :
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Set Upstream Channel ID (UCID) parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform a Denial of Service (DoS) attack on the targeted system.

CVE ID : CVE-2023-51743
Source : vdisclose@cert-in.org.in
CVSS Score : 6.5

References :
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0013 | source : vdisclose@cert-in.org.in

Vulnerability : CWE-787


Source : cisco.com

Vulnerability ID : CVE-2024-20277

First published on : 17-01-2024 17:15:12
Last modified on : 17-01-2024 17:35:02

Description :
A vulnerability in the web-based management interface of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied input for the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP packet to the affected device. A successful exploit could allow the attacker to execute arbitrary commands and elevate privileges to root.

CVE ID : CVE-2024-20277
Source : ykramarz@cisco.com
CVSS Score : 6.8

References :
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-thouseyes-privesc-DmzHG3Qv | source : ykramarz@cisco.com


Vulnerability ID : CVE-2023-20258

First published on : 17-01-2024 17:15:10
Last modified on : 17-01-2024 17:35:02

Description :
A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. This vulnerability is due to improper processing of serialized Java objects by the affected application. An attacker could exploit this vulnerability by uploading a document containing malicious serialized Java objects to be processed by the affected application. A successful exploit could allow the attacker to cause the application to execute arbitrary commands.

CVE ID : CVE-2023-20258
Source : ykramarz@cisco.com
CVSS Score : 6.5

References :
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-wkZJeyeq | source : ykramarz@cisco.com


Vulnerability ID : CVE-2023-20271

First published on : 17-01-2024 17:15:10
Last modified on : 17-01-2024 17:35:02

Description :
A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain and modify sensitive information that is stored in the underlying database.

CVE ID : CVE-2023-20271
Source : ykramarz@cisco.com
CVSS Score : 6.5

References :
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-wkZJeyeq | source : ykramarz@cisco.com


Vulnerability ID : CVE-2024-20287

First published on : 17-01-2024 17:15:12
Last modified on : 17-01-2024 17:35:02

Description :
A vulnerability in the web-based management interface of the Cisco WAP371 Wireless-AC/N Dual Radio Access Point (AP) with Single Point Setup could allow an authenticated, remote attacker to perform command injection attacks against an affected device. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device. To exploit this vulnerability, the attacker must have valid administrative credentials for the device.

CVE ID : CVE-2024-20287
Source : ykramarz@cisco.com
CVSS Score : 6.5

References :
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-wap-inject-bHStWgXO | source : ykramarz@cisco.com


Vulnerability ID : CVE-2023-20260

First published on : 17-01-2024 17:15:10
Last modified on : 17-01-2024 17:35:02

Description :
A vulnerability in the application CLI of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager could allow an authenticated, local attacker to gain escalated privileges. This vulnerability is due to improper processing of command line arguments to application scripts. An attacker could exploit this vulnerability by issuing a command on the CLI with malicious options. A successful exploit could allow the attacker to gain the escalated privileges of the root user on the underlying operating system.

CVE ID : CVE-2023-20260
Source : ykramarz@cisco.com
CVSS Score : 6.0

References :
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-wkZJeyeq | source : ykramarz@cisco.com


Vulnerability ID : CVE-2023-20257

First published on : 17-01-2024 17:15:09
Last modified on : 17-01-2024 17:35:02

Description :
A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct cross-site scripting attacks. This vulnerability is due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by submitting malicious input containing script or HTML content within requests that would be stored within the application interface. A successful exploit could allow the attacker to conduct cross-site scripting attacks against other users of the affected application.

CVE ID : CVE-2023-20257
Source : ykramarz@cisco.com
CVSS Score : 4.8

References :
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-wkZJeyeq | source : ykramarz@cisco.com


Vulnerability ID : CVE-2024-20251

First published on : 17-01-2024 17:15:11
Last modified on : 17-01-2024 17:35:02

Description :
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

CVE ID : CVE-2024-20251
Source : ykramarz@cisco.com
CVSS Score : 4.8

References :
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ISE-XSS-bL4VTML | source : ykramarz@cisco.com


Vulnerability ID : CVE-2024-20270

First published on : 17-01-2024 17:15:11
Last modified on : 17-01-2024 17:35:02

Description :
A vulnerability in the web-based management interface of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

CVE ID : CVE-2024-20270
Source : ykramarz@cisco.com
CVSS Score : 4.8

References :
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-broadworks-xss-6syj82Ju | source : ykramarz@cisco.com


Source : patchstack.com

Vulnerability ID : CVE-2022-36418

First published on : 17-01-2024 16:15:45
Last modified on : 17-01-2024 17:35:08

Description :
Missing Authorization vulnerability in Vagary Digital HREFLANG Tags Lite. This issue affects HREFLANG Tags Lite: from n/a through 2.0.0.

CVE ID : CVE-2022-36418
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/hreflang-tags-by-dcgws/wordpress-hreflang-tags-lite-plugin-2-0-0-unauthenticated-plugin-data-reset-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-862


Vulnerability ID : CVE-2022-40203

First published on : 17-01-2024 16:15:46
Last modified on : 17-01-2024 17:35:08

Description :
Missing Authorization vulnerability in AlgolPlus Advanced Dynamic Pricing for WooCommerce. This issue affects Advanced Dynamic Pricing for WooCommerce: from n/a through 4.1.5.

CVE ID : CVE-2022-40203
Source : audit@patchstack.com
CVSS Score : 6.3

References :
https://patchstack.com/database/vulnerability/advanced-dynamic-pricing-for-woocommerce/wordpress-advanced-dynamic-pricing-for-woocommerce-plugin-4-1-5-broken-access-control?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-862


Vulnerability ID : CVE-2023-34379

First published on : 17-01-2024 16:15:46
Last modified on : 17-01-2024 17:35:08

Description :
Missing Authorization vulnerability in MagneticOne Cart2Cart: Magento to WooCommerce Migration. This issue affects Cart2Cart: Magento to WooCommerce Migration: from n/a through 2.0.0.

CVE ID : CVE-2023-34379
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/cart2cart-magento-to-woocommerce-migration/wordpress-cart2cart-magento-to-woocommerce-migration-plugin-2-0-0-broken-access-control?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-862


Vulnerability ID : CVE-2022-40702

First published on : 17-01-2024 17:15:09
Last modified on : 17-01-2024 17:35:02

Description :
Missing Authorization vulnerability in Zorem Advanced Local Pickup for WooCommerce. This issue affects Advanced Local Pickup for WooCommerce: from n/a through 1.5.2.

CVE ID : CVE-2022-40702
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/advanced-local-pickup-for-woocommerce/wordpress-advanced-local-pickup-for-woocommerce-plugin-1-5-2-broken-access-control?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-862


Vulnerability ID : CVE-2022-41619

First published on : 17-01-2024 17:15:09
Last modified on : 17-01-2024 17:35:02

Description :
Missing Authorization vulnerability in SedLex Image Zoom. This issue affects Image Zoom: from n/a through 1.8.8.

CVE ID : CVE-2022-41619
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/image-zoom/wordpress-image-zoom-plugin-1-8-8-multiple-broken-access-control-vulnerabilities?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-862


Vulnerability ID : CVE-2022-41695

First published on : 17-01-2024 17:15:09
Last modified on : 17-01-2024 17:35:02

Description :
Missing Authorization vulnerability in SedLex Traffic Manager. This issue affects Traffic Manager: from n/a through 1.4.5.

CVE ID : CVE-2022-41695
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/traffic-manager/wordpress-traffic-manager-plugin-1-4-5-multiple-vulnerabilities?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-862


Vulnerability ID : CVE-2023-23896

First published on : 17-01-2024 17:15:10
Last modified on : 17-01-2024 17:35:02

Description :
Missing Authorization vulnerability in MyThemeShop URL Shortener by MyThemeShop. This issue affects URL Shortener by MyThemeShop: from n/a through 1.0.17.

CVE ID : CVE-2023-23896
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/mts-url-shortener/wordpress-url-shortener-by-mythemeshop-plugin-1-0-16-broken-access-control-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-862


Vulnerability ID : CVE-2022-41786

First published on : 17-01-2024 18:15:45
Last modified on : 17-01-2024 19:22:17

Description :
Missing Authorization vulnerability in WP Job Portal WP Job Portal – A Complete Job Board. This issue affects WP Job Portal – A Complete Job Board: from n/a through 2.0.1.

CVE ID : CVE-2022-41786
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/wp-job-portal/wordpress-wp-job-portal-plugin-1-1-9-unauthorized-plugin-settings-change-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-862


Vulnerability ID : CVE-2022-42884

First published on : 17-01-2024 19:15:08
Last modified on : 17-01-2024 19:22:17

Description :
Missing Authorization vulnerability in ThemeinProgress WIP Custom Login. This issue affects WIP Custom Login: from n/a through 1.2.7.

CVE ID : CVE-2022-42884
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/wip-custom-login/wordpress-wip-custom-login-plugin-1-2-7-multiple-broken-access-control-vulnerabilities?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-862


Vulnerability ID : CVE-2022-38141

First published on : 17-01-2024 16:15:46
Last modified on : 17-01-2024 17:35:08

Description :
Missing Authorization vulnerability in Zorem Sales Report Email for WooCommerce. This issue affects Sales Report Email for WooCommerce: from n/a through 2.8.

CVE ID : CVE-2022-38141
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/woo-advanced-sales-report-email/wordpress-sales-report-email-for-woocommerce-plugin-2-8-auth-test-email-submission-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-862


Vulnerability ID : CVE-2023-23882

First published on : 17-01-2024 17:15:10
Last modified on : 17-01-2024 17:35:02

Description :
Missing Authorization vulnerability in Brainstorm Force Ultimate Addons for Beaver Builder – Lite. This issue affects Ultimate Addons for Beaver Builder – Lite: from n/a through 1.5.5.

CVE ID : CVE-2023-23882
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/ultimate-addons-for-beaver-builder-lite/wordpress-ultimate-addons-for-beaver-builder-lite-plugin-1-5-5-broken-access-control-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-862


Vulnerability ID : CVE-2022-41790

First published on : 17-01-2024 18:15:45
Last modified on : 17-01-2024 19:22:17

Description :
Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form. This issue affects WP Time Slots Booking Form: from n/a through 1.1.76.

CVE ID : CVE-2022-41790
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/wp-time-slots-booking-form/wordpress-wp-time-slots-booking-form-plugin-1-1-76-missing-authorization-leading-to-feedback-submission-vulnerability | source : audit@patchstack.com

Vulnerability : CWE-862


Source : github.com

Vulnerability ID : CVE-2024-22414

First published on : 17-01-2024 21:15:12
Last modified on : 17-01-2024 21:15:12

Description :
flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the `/user/<user>` page allows a user's comments to execute arbitrary javascript code. The html template `user.html` contains the following code snippet to render comments made by a user: `<div class="content" tag="content">{{comment[2]|safe}}</div>`. Use of the "safe" tag causes flask to _not_ escape the rendered content. To remediate this, simply remove the `|safe` tag from the HTML above. No fix is available and users are advised to manually edit their installation.

CVE ID : CVE-2024-22414
Source : security-advisories@github.com
CVSS Score : 6.5

References :
https://github.com/DogukanUrker/flaskBlog/security/advisories/GHSA-mrcw-j96f-p6v6 | source : security-advisories@github.com

Vulnerability : CWE-79


Source : avaya.com

Vulnerability ID : CVE-2023-7031

First published on : 17-01-2024 19:15:08
Last modified on : 17-01-2024 19:22:17

Description :
Insecure Direct Object Reference vulnerabilities were discovered in the Avaya Aura Experience Portal Manager which may allow partial information disclosure to an authenticated non-privileged user. Affected versions include 8.0.x and 8.1.x, prior to 8.1.2 patch 0402. Versions prior to 8.0 are end of manufacturer support.

CVE ID : CVE-2023-7031
Source : securityalerts@avaya.com
CVSS Score : 5.7

References :
https://support.avaya.com/css/public/documents/101088063 | source : securityalerts@avaya.com

Vulnerability : CWE-200


Source : citrix.com

Vulnerability ID : CVE-2023-6548

First published on : 17-01-2024 20:15:50
Last modified on : 17-01-2024 20:15:50

Description :
[PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]

CVE ID : CVE-2023-6548
Source : secure@citrix.com
CVSS Score : 5.5

References :
https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549 | source : secure@citrix.com

Vulnerability : CWE-94


Vulnerability ID : CVE-2023-5914

First published on : 17-01-2024 21:15:11
Last modified on : 17-01-2024 21:15:11

Description :
Cross-site scripting (XSS)

CVE ID : CVE-2023-5914
Source : secure@citrix.com
CVSS Score : 5.4

References :
https://support.citrix.com/article/CTX583759/citrix-storefront-security-bulletin-for-cve20235914 | source : secure@citrix.com

Vulnerability : CWE-79


Source : redhat.com

Vulnerability ID : CVE-2024-0639

First published on : 17-01-2024 16:15:46
Last modified on : 17-01-2024 17:35:02

Description :
A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel’s SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.

CVE ID : CVE-2024-0639
Source : secalert@redhat.com
CVSS Score : 4.7

References :
https://access.redhat.com/security/cve/CVE-2024-0639 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2258754 | source : secalert@redhat.com
https://github.com/torvalds/linux/commit/6feb37b3b06e9049e20dcf7e23998f92c9c5be9a | source : secalert@redhat.com

Vulnerability : CWE-833


Vulnerability ID : CVE-2024-0641

First published on : 17-01-2024 16:15:47
Last modified on : 17-01-2024 17:35:02

Description :
A denial of service vulnerability was found in tipc_crypto_key_revoke in net/tipc/crypto.c in the Linux kernel’s TIPC subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.

CVE ID : CVE-2024-0641
Source : secalert@redhat.com
CVSS Score : 4.7

References :
https://access.redhat.com/security/cve/CVE-2024-0641 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2258757 | source : secalert@redhat.com
https://github.com/torvalds/linux/commit/08e50cf071847323414df0835109b6f3560d44f5 | source : secalert@redhat.com

Vulnerability : CWE-833


Source : vuldb.com

Vulnerability ID : CVE-2024-0647

First published on : 17-01-2024 19:15:08
Last modified on : 17-01-2024 19:22:17

Description :
A vulnerability, which was classified as problematic, was found in Sparksuite SimpleMDE up to 1.11.2. This affects an unknown part of the component iFrame Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-251373 was assigned to this vulnerability.

CVE ID : CVE-2024-0647
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://vuldb.com/?ctiid.251373 | source : cna@vuldb.com
https://vuldb.com/?id.251373 | source : cna@vuldb.com
https://youtu.be/t-mDofraMcc | source : cna@vuldb.com

Vulnerability : CWE-79


(2) LOW VULNERABILITIES [0.1, 3.9]

Source : us.ibm.com

Vulnerability ID : CVE-2023-50950

First published on : 17-01-2024 17:15:11
Last modified on : 17-01-2024 17:35:02

Description :
IBM QRadar SIEM 7.5 could disclose sensitive email information in responses from offense rules. IBM X-Force ID: 275709.

CVE ID : CVE-2023-50950
Source : psirt@us.ibm.com
CVSS Score : 3.7

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/275709 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7108657 | source : psirt@us.ibm.com

Vulnerability : CWE-200


Source : github.com

Vulnerability ID : CVE-2024-22410

First published on : 17-01-2024 21:15:11
Last modified on : 17-01-2024 21:15:11

Description :
Creditcoin is a network that enables cross-blockchain credit transactions. The Windows binary of the Creditcoin node loads a suite of DLLs provided by Microsoft at startup. If a malicious user has access to overwrite the program files directory it is possible to replace these DLLs and execute arbitrary code. It is the view of the blockchain development team that the threat posed by a hypothetical binary planting attack is minimal and represents a low-security risk. The vulnerable DLL files are from the Windows networking subsystem, the Visual C++ runtime, and low-level cryptographic primitives. Collectively these dependencies are required for a large ecosystem of applications, ranging from enterprise-level security applications to game engines, and don’t represent a fundamental lack of security or oversight in the design and implementation of Creditcoin. The blockchain team takes the stance that running Creditcoin on Windows is officially unsupported and at best should be thought of as experimental.

CVE ID : CVE-2024-22410
Source : security-advisories@github.com
CVSS Score : 3.3

References :
https://github.com/gluwa/creditcoin/security/advisories/GHSA-cx5c-xwcv-vhmq | source : security-advisories@github.com
https://owasp.org/www-community/attacks/Binary_planting | source : security-advisories@github.com

Vulnerability : CWE-426


(12) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : mitre.org

Vulnerability ID : CVE-2023-49515

First published on : 17-01-2024 02:15:06
Last modified on : 17-01-2024 14:01:41

Description :
Insecure Permissions vulnerability in TP Link TC70 and C200 WIFI Camera v.3 firmware v.1.3.4 and fixed in v.1.3.11 allows a physically proximate attacker to obtain sensitive information via a connection to the UART pin components.

CVE ID : CVE-2023-49515
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/VineethKumarM/TAPO-TC70-Unauthorized-root-access-using-UART | source : cve@mitre.org
https://github.com/VineethKumarM/TAPO-TC70-Unauthorized-root-access-using-UART/tree/master | source : cve@mitre.org


Vulnerability ID : CVE-2023-25295

First published on : 17-01-2024 03:15:07
Last modified on : 17-01-2024 14:01:41

Description :
Cross Site Scripting (XSS) vulnerability in GRN Software Group eVEWA3 Community version 31 through 53, allows attackers to gain escalated privileges via crafted request to login panel.

CVE ID : CVE-2023-25295
Source : cve@mitre.org
CVSS Score : /

References :
http://evewa3.com | source : cve@mitre.org
http://grn.com | source : cve@mitre.org
https://blog.munz4u.de/posts/2023/03/cve-2023-25295-ato-via-rxss-in-evewa3-community/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-36235

First published on : 17-01-2024 03:15:07
Last modified on : 17-01-2024 14:01:41

Description :
An issue in webkul qloapps before v1.6.0 allows an attacker to obtain sensitive information via the id_order parameter.

CVE ID : CVE-2023-36235
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/Ek-Saini/security/blob/main/IDOR-Qloapps | source : cve@mitre.org
https://github.com/webkul/hotelcommerce/pull/537 | source : cve@mitre.org
https://qloapps.com/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-46952

First published on : 17-01-2024 03:15:07
Last modified on : 17-01-2024 14:01:41

Description :
Cross Site Scripting vulnerability in ABO.CMS v.5.9.3 allows an attacker to execute arbitrary code via a crafted payload to the Referer header.

CVE ID : CVE-2023-46952
Source : cve@mitre.org
CVSS Score : /

References :
http://abo.com | source : cve@mitre.org
http://abocms.com | source : cve@mitre.org
https://github.com/SadFox/ABO.CMS-Blind-XSS | source : cve@mitre.org


Vulnerability ID : CVE-2023-52069

First published on : 17-01-2024 03:15:08
Last modified on : 17-01-2024 14:01:41

Description :
kodbox v1.49.04 was discovered to contain a cross-site scripting (XSS) vulnerability via the URL parameter.

CVE ID : CVE-2023-52069
Source : cve@mitre.org
CVSS Score : /

References :
https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss_2.html | source : cve@mitre.org
https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss_2.html_Password_Xss_2 | source : cve@mitre.org


Vulnerability ID : CVE-2023-52285

First published on : 17-01-2024 08:15:39
Last modified on : 17-01-2024 14:01:37

Description :
ExamSys 9150244 allows SQL Injection via the /Support/action/Pages.php s_score2 parameter.

CVE ID : CVE-2023-52285
Source : cve@mitre.org
CVSS Score : /

References :
https://fh4ntke.medium.com/examsys-multiple-sql-injections-ef94d84e440c | source : cve@mitre.org
https://github.com/lrx0014/ExamSys/commit/915024448428867f2228cf7f06abd1b6e65e9397 | source : cve@mitre.org


Vulnerability ID : CVE-2024-22714

First published on : 17-01-2024 18:15:45
Last modified on : 17-01-2024 19:22:17

Description :
Stupid Simple CMS <=1.2.4 is vulnerable to Cross Site Scripting (XSS) in the editing section of the article content.

CVE ID : CVE-2024-22714
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/RumblingIsOccupied/cms/blob/main/2.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-22715

First published on : 17-01-2024 18:15:45
Last modified on : 17-01-2024 19:22:17

Description :
Stupid Simple CMS <=1.2.4 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin-edit.php.

CVE ID : CVE-2024-22715
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/RumblingIsOccupied/cms/blob/main/1.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-44077

First published on : 17-01-2024 20:15:50
Last modified on : 17-01-2024 20:15:50

Description :
Studio Network Solutions ShareBrowser before 7.0 on macOS mishandles signature verification, aka PMP-2636.

CVE ID : CVE-2023-44077
Source : cve@mitre.org
CVSS Score : /

References :
https://support.studionetworksolutions.com/hc/en-us/articles/22494658980244-ShareBrowser-v-7-0-Released | source : cve@mitre.org


Vulnerability ID : CVE-2023-48858

First published on : 17-01-2024 20:15:50
Last modified on : 17-01-2024 20:15:50

Description :
A Cross-site scripting (XSS) vulnerability in login page php code in Armex ABO.CMS 5.9 allows remote attackers to inject arbitrary web script or HTML via the login.php? URL part.

CVE ID : CVE-2023-48858
Source : cve@mitre.org
CVSS Score : /

References :
https://abocms.ru/about/versions/version59/ | source : cve@mitre.org
https://github.com/Shumerez/CVE-2023-48858 | source : cve@mitre.org


Source : wpscan.com

Vulnerability ID : CVE-2023-5006

First published on : 17-01-2024 15:15:10
Last modified on : 17-01-2024 17:35:08

Description :
The WP Discord Invite WordPress plugin before 2.5.1 does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in administrator to submit a crafted request.

CVE ID : CVE-2023-5006
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/d29bcc1c-241b-4867-a0c8-4ae5f9d1c8e8 | source : contact@wpscan.com


Vulnerability ID : CVE-2023-5041

First published on : 17-01-2024 15:15:10
Last modified on : 17-01-2024 17:35:08

Description :
The Track The Click WordPress plugin before 0.3.12 does not properly sanitize query parameters to the stats REST endpoint before using them in a database query, allowing a logged in user with an author role or higher to perform time based blind SQLi attacks on the database.

CVE ID : CVE-2023-5041
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/45194442-6eea-4e07-85a5-4a1e2fde3523 | source : contact@wpscan.com


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports
