In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between October 19-20, 2023.
During this period, The National Vulnerability Database published 105, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 6
High: 35
Medium: 22
Low: 2
Severity Not Assigned: 40
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-34437
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description:
Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05
contains a vulnerability in their password retrieval functionality which could allow an attacker to access passwords stored on the device.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-05
CWE-ID: CWE-200
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-37504
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called. If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user.
References: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107511
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-5336
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The iPanorama 360 – WordPress Virtual Tour Builder plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 1.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/ipanorama-360-virtual-tour-builder-lite/tags/1.8.0/includes/plugin.php#L439
https://plugins.trac.wordpress.org/changeset/2980553/ipanorama-360-virtual-tour-builder-lite#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/3566b602-c991-488f-9de2-57236c4735b5?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
4. CVE-2023-37503
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: HCL Compass is vulnerable to insecure password requirements. An attacker could easily guess the password and gain access to user accounts.
References: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107512
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
5. CVE-2023-5204
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The ChatBot plugin for WordPress is vulnerable to SQL Injection via the $strid parameter in versions up to, and including, 4.8.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/chatbot/trunk/qcld-wpwbot-search.php?rev=2957286#L177
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977505%40chatbot%2Ftrunk&old=2967435%40chatbot%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/5ad12146-200b-48e5-82de-7572541edcc4?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
6. CVE-2023-5212
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 5.8
Description: The AI ChatBot plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 4.8.9. This makes it possible for authenticated attackers with subscriber privileges to delete arbitrary files on the server, which makes it possible to take over affected sites as well as others sharing the same hosting account.
References: https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php?rev=2957286#L576
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977505%40chatbot%2Ftrunk&old=2967435%40chatbot%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/5b3f4ccb-fcc6-42ec-8e9e-03d69ae7acf2?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
7. CVE-2023-5241
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 5.8
Description: The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.8.9 via the qcld_openai_upload_pagetraining_file function. This allows subscriber-level attackers to append "References: https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L376
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977505%40chatbot%2Ftrunk&old=2967435%40chatbot%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/25199281-5286-4d75-8d27-26ce215e0993?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
8. CVE-2022-24400
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: A flaw in the TETRA authentication procecure allows a MITM adversary that can predict the MS challenge RAND2 to set session key DCK to zero.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
9. CVE-2022-24401
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Adversary-induced keystream re-use on TETRA air-interface encrypted traffic using any TEA keystream generator. IV generation is based upon several TDMA frame counters, which are frequently broadcast by the infrastructure in an unauthenticated manner. An active adversary can manipulate the view of these counters in a mobile station, provoking keystream re-use. By sending crafted messages to the MS and analyzing MS responses, keystream for arbitrary frames can be recovered.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
10. CVE-2022-24402
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The TETRA TEA1 keystream generator implements a key register initialization function that compresses the 80-bit key to only 32 bits for usage during the keystream generation phase, which is insufficient to safeguard against exhaustive search attacks.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
11. CVE-2022-25333
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 6.0
Description: The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) performs an RSA check implemented in mask ROM when loading a module through the SK_LOAD routine. However, only the module header authenticity is validated. An adversary can re-use any correctly signed header and append a forged payload, to be encrypted using the CEK (obtainable through CVE-2022-25332) in order to obtain arbitrary code execution in secure context. This constitutes a full break of the TEE security architecture.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
12. CVE-2022-25334
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 6.0
Description: The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK_LOAD module loading routine, present in mask ROM. A module with a sufficiently large signature field causes a stack overflow, affecting secure kernel data pages. This can be leveraged to obtain arbitrary code execution in secure supervisor context by overwriting a SHA256 function pointer in the secure kernel data area when loading a forged, unsigned SK_LOAD module encrypted with the CEK (obtainable through CVE-2022-25332). This constitutes a full break of the TEE security architecture.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
13. CVE-2022-26941
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 2.8
Impact Score: 6.0
Description: A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds_app binary, which runs with root privileges.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
14. CVE-2022-26942
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 6.0
Description: The Motorola MTM5000 series firmwares lack pointer validation on arguments passed to trusted execution environment (TEE) modules. Two modules are used, one responsible for KVL key management and the other for TETRA cryptographic functionality. In both modules, an adversary with non-secure supervisor level code execution can exploit the issue in order to gain secure supervisor code execution within the TEE. This constitutes a full break of the TEE module, exposing the device key as well as any TETRA cryptographic keys and the confidential TETRA cryptographic primitives.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
15. CVE-2022-26943
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boottime entropy and limited re-seeding of the pool renders the authentication challenge vulnerable to two attacks. First, due to the limited boottime pool entropy, an adversary can derive the contents of the entropy pool by an exhaustive search of possible values, based on an observed authentication challenge. Second, an adversary can use knowledge of the entropy pool to predict authentication challenges. As such, the unit is vulnerable to CVE-2022-24400.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
16. CVE-2022-27813
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 6.0
Description: Motorola MTM5000 series firmwares lack properly configured memory protection of pages shared between the OMAP-L138 ARM and DSP cores. The SoC provides two memory protection units, MPU1 and MPU2, to enforce the trust boundary between the two cores. Since both units are left unconfigured by the firmwares, an adversary with control over either core can trivially gain code execution on the other, by overwriting code located in shared RAM or DDR2 memory regions.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
17. CVE-2023-35180
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API.
References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35180
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
18. CVE-2023-35181
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation.
References: https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35181
CWE-ID: CWE-276
Common Platform Enumerations (CPE): Not Found
19. CVE-2023-35182
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability can be abused by unauthenticated users on SolarWinds ARM Server.
References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35182
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
20. CVE-2023-35183
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation.
References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35183
CWE-ID: CWE-276
Common Platform Enumerations (CPE): Not Found
21. CVE-2023-35184
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution.
References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35184
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
22. CVE-2023-35185
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges.
References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35185
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
23. CVE-2023-35186
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution.
References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35186
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
24. CVE-2023-35187
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability allows an unauthenticated user to achieve the Remote Code Execution.
References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
https://https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35187
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
25. CVE-2023-35126
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: An out-of-bounds write vulnerability exists within the parsers for both the "DocumentViewStyles" and "DocumentEditStyles" streams of Ichitaro 2023 1.0.1.59372 when processing types 0x0000-0x0009 of a style record with the type 0x2008. A specially crafted document can cause memory corruption, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
References: https://jvn.jp/en/jp/JVN28846531/index.html
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1825
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1825
CWE-ID: CWE-129
Common Platform Enumerations (CPE): Not Found
26. CVE-2023-34366
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: A use-after-free vulnerability exists in the Figure stream parsing functionality of Ichitaro 2023 1.0.1.59372. A specially crafted document can cause memory corruption, resulting in arbitrary code execution. Victim would need to open a malicious file to trigger this vulnerability.
References: https://jvn.jp/en/jp/JVN28846531/index.html
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1758
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1758
CWE-ID: CWE-416
Common Platform Enumerations (CPE): Not Found
27. CVE-2023-35986
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description:
Sante DICOM Viewer Pro lacks proper validation of user-supplied data when parsing DICOM files. This could lead to a stack-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
References: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-01
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
28. CVE-2023-38127
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: An integer overflow exists in the "HyperLinkFrame" stream parser of Ichitaro 2023 1.0.1.59372. A specially crafted document can cause the parser to make an under-sized allocation, which can later allow for memory corruption, potentially resulting in arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
References: https://jvn.jp/en/jp/JVN28846531/index.html
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1808
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1808
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
29. CVE-2023-38128
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: An out-of-bounds write vulnerability exists in the "HyperLinkFrame" stream parser of Ichitaro 2023 1.0.1.59372. A specially crafted document can cause a type confusion, which can lead to memory corruption and eventually arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
References: https://jvn.jp/en/jp/JVN28846531/index.html
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1809
CWE-ID: CWE-843
Common Platform Enumerations (CPE): Not Found
30. CVE-2023-39431
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description:
Sante DICOM Viewer Pro lacks proper validation of user-supplied data when parsing DICOM files. This could lead to an out-of-bounds write. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
References: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-01
CWE-ID: CWE-787
Common Platform Enumerations (CPE): Not Found
31. CVE-2023-5059
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description:
Santesoft Sante FFT Imaging lacks proper validation of user-supplied data when parsing DICOM files. This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
References: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-02
CWE-ID: CWE-125
Common Platform Enumerations (CPE): Not Found
32. CVE-2023-41089
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description:
The affected product is vulnerable to an improper authentication vulnerability, which may allow an attacker to impersonate a legitimate user as long as the device keeps the session active, since the attack takes advantage of the cookie header to generate "legitimate" requests.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-271-02
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
33. CVE-2023-38584
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description:
In Weintek's cMT3000 HMI Web CGI device, the cgi-bin command_wb.cgi contains a stack-based buffer overflow, which could allow an anonymous attacker to hijack control flow and bypass login authentication.
References: https://dl.weintek.com/public/Document/TEC/TEC23005E_cMT_Web_Security_Update.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-12
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
34. CVE-2023-40145
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description:
In Weintek's cMT3000 HMI Web CGI device, an anonymous attacker can execute arbitrary commands after login to the device.
References: https://dl.weintek.com/public/Document/TEC/TEC23005E_cMT_Web_Security_Update.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-12
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
35. CVE-2023-43492
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description:
In Weintek's cMT3000 HMI Web CGI device, the cgi-bin codesys.cgi contains a stack-based buffer overflow, which could allow an anonymous attacker to hijack control flow and bypass login authentication.
References: https://dl.weintek.com/public/Document/TEC/TEC23005E_cMT_Web_Security_Update.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-12
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
36. CVE-2023-45823
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Artifact Hub is a web-based application that enables finding, installing, and publishing packages and configurations for CNCF projects. During a security audit of Artifact Hub's code base a security researcher identified a bug in which by using symbolic links in certain kinds of repositories loaded into Artifact Hub, it was possible to read internal files. Artifact Hub indexes content from a variety of sources, including git repositories. When processing git based repositories, Artifact Hub clones the repository and, depending on the artifact kind, reads some files from it. During this process, in some cases, no validation was done to check if the file was a symbolic link. This made possible to read arbitrary files in the system, potentially leaking sensitive information. This issue has been resolved in version `1.16.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://artifacthub.io/packages/helm/artifact-hub/artifact-hub?modal=changelog&version=1.16.0
https://github.com/artifacthub/hub/security/advisories/GHSA-hmq4-c2r4-5q8h
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
37. CVE-2023-41895
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Home assistant is an open source home automation. The Home Assistant login page allows users to use their local Home Assistant credentials and log in to another website that specifies the `redirect_uri` and `client_id` parameters. Although the `redirect_uri` validation typically ensures that it matches the `client_id` and the scheme represents either `http` or `https`, Home Assistant will fetch the `client_id` and check for `` HTML tags on the page. These URLs are not subjected to the same scheme validation and thus allow for arbitrary JavaScript execution on the Home Assistant administration page via usage of `javascript:` scheme URIs. This Cross-site Scripting (XSS) vulnerability can be executed on the Home Assistant frontend domain, which may be used for a full takeover of the Home Assistant account and installation. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/home-assistant/core/security/advisories/GHSA-jvxq-x42r-f7mv
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
38. CVE-2023-41896
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication logic in tandem with the `state` parameter. The state parameter contains the `hassUrl`, which is subsequently utilized to establish a WebSocket connection. This behavior permits an attacker to create a malicious Home Assistant link with a modified state parameter that forces the frontend to connect to an alternative WebSocket backend. Henceforth, the attacker can spoof any WebSocket responses and trigger cross site scripting (XSS). Since the XSS is executed on the actual Home Assistant frontend domain, it can connect to the real Home Assistant backend, which essentially represents a comprehensive takeover scenario. Permitting the site to be iframed by other origins, as discussed in GHSA-935v-rmg9-44mw, renders this exploit substantially covert since a malicious website can obfuscate the compromise strategy in the background. However, even without this, the attacker can still send the `auth_callback` link directly to the victim user. To mitigate this issue, Cure53 advises modifying the WebSocket code’s authentication flow. An optimal implementation in this regard would not trust the `hassUrl` passed in by a GET parameter. Cure53 must stipulate the significant time required of the Cure53 consultants to identify an XSS vector, despite holding full control over the WebSocket responses. In many areas, data from the WebSocket was properly sanitized, which hinders post-exploitation. The audit team eventually detected the `js_url` for custom panels, though generally, the frontend exhibited reasonable security hardening. This issue has been addressed in Home Assistant Core version 2023.8.0 and in the npm package home-assistant-js-websocket in version 8.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw
https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q
CWE-ID: CWE-345
Common Platform Enumerations (CPE): Not Found
39. CVE-2023-41897
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw
https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q
https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/
CWE-ID: CWE-1021
Common Platform Enumerations (CPE): Not Found
40. CVE-2023-41898
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-142`.
References: https://github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg
CWE-ID: CWE-345 CWE-94
Common Platform Enumerations (CPE): Not Found
41. CVE-2023-44385
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs to victims that, when visited, will make the victim to call arbitrary services in their Home Assistant installation. Combined with this security advisory, may result in full compromise and remote code execution (RCE). Version 2023.7 addresses this issue and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-161.
References: https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between October 19-20, 2023.
During this period, The National Vulnerability Database published 105, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 6
High: 35
Medium: 22
Low: 2
Severity Not Assigned: 40
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-34437
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description:
Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05
contains a vulnerability in their password retrieval functionality which could allow an attacker to access passwords stored on the device.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-05
CWE-ID: CWE-200
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-37504
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called. If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user.
References: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107511
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-5336
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The iPanorama 360 – WordPress Virtual Tour Builder plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 1.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/ipanorama-360-virtual-tour-builder-lite/tags/1.8.0/includes/plugin.php#L439
https://plugins.trac.wordpress.org/changeset/2980553/ipanorama-360-virtual-tour-builder-lite#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/3566b602-c991-488f-9de2-57236c4735b5?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
4. CVE-2023-37503
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: HCL Compass is vulnerable to insecure password requirements. An attacker could easily guess the password and gain access to user accounts.
References: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107512
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
5. CVE-2023-5204
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The ChatBot plugin for WordPress is vulnerable to SQL Injection via the $strid parameter in versions up to, and including, 4.8.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/chatbot/trunk/qcld-wpwbot-search.php?rev=2957286#L177
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977505%40chatbot%2Ftrunk&old=2967435%40chatbot%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/5ad12146-200b-48e5-82de-7572541edcc4?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
6. CVE-2023-5212
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 5.8
Description: The AI ChatBot plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 4.8.9. This makes it possible for authenticated attackers with subscriber privileges to delete arbitrary files on the server, which makes it possible to take over affected sites as well as others sharing the same hosting account.
References: https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php?rev=2957286#L576
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977505%40chatbot%2Ftrunk&old=2967435%40chatbot%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/5b3f4ccb-fcc6-42ec-8e9e-03d69ae7acf2?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
7. CVE-2023-5241
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 5.8
Description: The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.8.9 via the qcld_openai_upload_pagetraining_file function. This allows subscriber-level attackers to append "References: https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L376
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977505%40chatbot%2Ftrunk&old=2967435%40chatbot%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/25199281-5286-4d75-8d27-26ce215e0993?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
8. CVE-2022-24400
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: A flaw in the TETRA authentication procecure allows a MITM adversary that can predict the MS challenge RAND2 to set session key DCK to zero.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
9. CVE-2022-24401
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Adversary-induced keystream re-use on TETRA air-interface encrypted traffic using any TEA keystream generator. IV generation is based upon several TDMA frame counters, which are frequently broadcast by the infrastructure in an unauthenticated manner. An active adversary can manipulate the view of these counters in a mobile station, provoking keystream re-use. By sending crafted messages to the MS and analyzing MS responses, keystream for arbitrary frames can be recovered.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
10. CVE-2022-24402
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The TETRA TEA1 keystream generator implements a key register initialization function that compresses the 80-bit key to only 32 bits for usage during the keystream generation phase, which is insufficient to safeguard against exhaustive search attacks.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
11. CVE-2022-25333
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 6.0
Description: The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) performs an RSA check implemented in mask ROM when loading a module through the SK_LOAD routine. However, only the module header authenticity is validated. An adversary can re-use any correctly signed header and append a forged payload, to be encrypted using the CEK (obtainable through CVE-2022-25332) in order to obtain arbitrary code execution in secure context. This constitutes a full break of the TEE security architecture.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
12. CVE-2022-25334
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 6.0
Description: The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK_LOAD module loading routine, present in mask ROM. A module with a sufficiently large signature field causes a stack overflow, affecting secure kernel data pages. This can be leveraged to obtain arbitrary code execution in secure supervisor context by overwriting a SHA256 function pointer in the secure kernel data area when loading a forged, unsigned SK_LOAD module encrypted with the CEK (obtainable through CVE-2022-25332). This constitutes a full break of the TEE security architecture.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
13. CVE-2022-26941
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 2.8
Impact Score: 6.0
Description: A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds_app binary, which runs with root privileges.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
14. CVE-2022-26942
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 6.0
Description: The Motorola MTM5000 series firmwares lack pointer validation on arguments passed to trusted execution environment (TEE) modules. Two modules are used, one responsible for KVL key management and the other for TETRA cryptographic functionality. In both modules, an adversary with non-secure supervisor level code execution can exploit the issue in order to gain secure supervisor code execution within the TEE. This constitutes a full break of the TEE module, exposing the device key as well as any TETRA cryptographic keys and the confidential TETRA cryptographic primitives.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
15. CVE-2022-26943
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boottime entropy and limited re-seeding of the pool renders the authentication challenge vulnerable to two attacks. First, due to the limited boottime pool entropy, an adversary can derive the contents of the entropy pool by an exhaustive search of possible values, based on an observed authentication challenge. Second, an adversary can use knowledge of the entropy pool to predict authentication challenges. As such, the unit is vulnerable to CVE-2022-24400.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
16. CVE-2022-27813
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 6.0
Description: Motorola MTM5000 series firmwares lack properly configured memory protection of pages shared between the OMAP-L138 ARM and DSP cores. The SoC provides two memory protection units, MPU1 and MPU2, to enforce the trust boundary between the two cores. Since both units are left unconfigured by the firmwares, an adversary with control over either core can trivially gain code execution on the other, by overwriting code located in shared RAM or DDR2 memory regions.
References: https://tetraburst.com/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
17. CVE-2023-35180
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API.
References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35180
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
18. CVE-2023-35181
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation.
References: https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35181
CWE-ID: CWE-276
Common Platform Enumerations (CPE): Not Found
19. CVE-2023-35182
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability can be abused by unauthenticated users on SolarWinds ARM Server.
References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35182
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
20. CVE-2023-35183
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation.
References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35183
CWE-ID: CWE-276
Common Platform Enumerations (CPE): Not Found
21. CVE-2023-35184
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution.
References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35184
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
22. CVE-2023-35185
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges.
References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35185
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
23. CVE-2023-35186
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution.
References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35186
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
24. CVE-2023-35187
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability allows an unauthenticated user to achieve the Remote Code Execution.
References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
https://https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35187
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
25. CVE-2023-35126
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: An out-of-bounds write vulnerability exists within the parsers for both the "DocumentViewStyles" and "DocumentEditStyles" streams of Ichitaro 2023 1.0.1.59372 when processing types 0x0000-0x0009 of a style record with the type 0x2008. A specially crafted document can cause memory corruption, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
References: https://jvn.jp/en/jp/JVN28846531/index.html
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1825
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1825
CWE-ID: CWE-129
Common Platform Enumerations (CPE): Not Found
26. CVE-2023-34366
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: A use-after-free vulnerability exists in the Figure stream parsing functionality of Ichitaro 2023 1.0.1.59372. A specially crafted document can cause memory corruption, resulting in arbitrary code execution. Victim would need to open a malicious file to trigger this vulnerability.
References: https://jvn.jp/en/jp/JVN28846531/index.html
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1758
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1758
CWE-ID: CWE-416
Common Platform Enumerations (CPE): Not Found
27. CVE-2023-35986
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description:
Sante DICOM Viewer Pro lacks proper validation of user-supplied data when parsing DICOM files. This could lead to a stack-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
References: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-01
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
28. CVE-2023-38127
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: An integer overflow exists in the "HyperLinkFrame" stream parser of Ichitaro 2023 1.0.1.59372. A specially crafted document can cause the parser to make an under-sized allocation, which can later allow for memory corruption, potentially resulting in arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
References: https://jvn.jp/en/jp/JVN28846531/index.html
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1808
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1808
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
29. CVE-2023-38128
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: An out-of-bounds write vulnerability exists in the "HyperLinkFrame" stream parser of Ichitaro 2023 1.0.1.59372. A specially crafted document can cause a type confusion, which can lead to memory corruption and eventually arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
References: https://jvn.jp/en/jp/JVN28846531/index.html
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1809
CWE-ID: CWE-843
Common Platform Enumerations (CPE): Not Found
30. CVE-2023-39431
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description:
Sante DICOM Viewer Pro lacks proper validation of user-supplied data when parsing DICOM files. This could lead to an out-of-bounds write. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
References: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-01
CWE-ID: CWE-787
Common Platform Enumerations (CPE): Not Found
31. CVE-2023-5059
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description:
Santesoft Sante FFT Imaging lacks proper validation of user-supplied data when parsing DICOM files. This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
References: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-02
CWE-ID: CWE-125
Common Platform Enumerations (CPE): Not Found
32. CVE-2023-41089
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description:
The affected product is vulnerable to an improper authentication vulnerability, which may allow an attacker to impersonate a legitimate user as long as the device keeps the session active, since the attack takes advantage of the cookie header to generate "legitimate" requests.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-271-02
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
33. CVE-2023-38584
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description:
In Weintek's cMT3000 HMI Web CGI device, the cgi-bin command_wb.cgi contains a stack-based buffer overflow, which could allow an anonymous attacker to hijack control flow and bypass login authentication.
References: https://dl.weintek.com/public/Document/TEC/TEC23005E_cMT_Web_Security_Update.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-12
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
34. CVE-2023-40145
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description:
In Weintek's cMT3000 HMI Web CGI device, an anonymous attacker can execute arbitrary commands after login to the device.
References: https://dl.weintek.com/public/Document/TEC/TEC23005E_cMT_Web_Security_Update.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-12
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
35. CVE-2023-43492
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description:
In Weintek's cMT3000 HMI Web CGI device, the cgi-bin codesys.cgi contains a stack-based buffer overflow, which could allow an anonymous attacker to hijack control flow and bypass login authentication.
References: https://dl.weintek.com/public/Document/TEC/TEC23005E_cMT_Web_Security_Update.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-12
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
36. CVE-2023-45823
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Artifact Hub is a web-based application that enables finding, installing, and publishing packages and configurations for CNCF projects. During a security audit of Artifact Hub's code base a security researcher identified a bug in which by using symbolic links in certain kinds of repositories loaded into Artifact Hub, it was possible to read internal files. Artifact Hub indexes content from a variety of sources, including git repositories. When processing git based repositories, Artifact Hub clones the repository and, depending on the artifact kind, reads some files from it. During this process, in some cases, no validation was done to check if the file was a symbolic link. This made possible to read arbitrary files in the system, potentially leaking sensitive information. This issue has been resolved in version `1.16.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://artifacthub.io/packages/helm/artifact-hub/artifact-hub?modal=changelog&version=1.16.0
https://github.com/artifacthub/hub/security/advisories/GHSA-hmq4-c2r4-5q8h
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
37. CVE-2023-41895
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Home assistant is an open source home automation. The Home Assistant login page allows users to use their local Home Assistant credentials and log in to another website that specifies the `redirect_uri` and `client_id` parameters. Although the `redirect_uri` validation typically ensures that it matches the `client_id` and the scheme represents either `http` or `https`, Home Assistant will fetch the `client_id` and check for `` HTML tags on the page. These URLs are not subjected to the same scheme validation and thus allow for arbitrary JavaScript execution on the Home Assistant administration page via usage of `javascript:` scheme URIs. This Cross-site Scripting (XSS) vulnerability can be executed on the Home Assistant frontend domain, which may be used for a full takeover of the Home Assistant account and installation. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/home-assistant/core/security/advisories/GHSA-jvxq-x42r-f7mv
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
38. CVE-2023-41896
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication logic in tandem with the `state` parameter. The state parameter contains the `hassUrl`, which is subsequently utilized to establish a WebSocket connection. This behavior permits an attacker to create a malicious Home Assistant link with a modified state parameter that forces the frontend to connect to an alternative WebSocket backend. Henceforth, the attacker can spoof any WebSocket responses and trigger cross site scripting (XSS). Since the XSS is executed on the actual Home Assistant frontend domain, it can connect to the real Home Assistant backend, which essentially represents a comprehensive takeover scenario. Permitting the site to be iframed by other origins, as discussed in GHSA-935v-rmg9-44mw, renders this exploit substantially covert since a malicious website can obfuscate the compromise strategy in the background. However, even without this, the attacker can still send the `auth_callback` link directly to the victim user. To mitigate this issue, Cure53 advises modifying the WebSocket code’s authentication flow. An optimal implementation in this regard would not trust the `hassUrl` passed in by a GET parameter. Cure53 must stipulate the significant time required of the Cure53 consultants to identify an XSS vector, despite holding full control over the WebSocket responses. In many areas, data from the WebSocket was properly sanitized, which hinders post-exploitation. The audit team eventually detected the `js_url` for custom panels, though generally, the frontend exhibited reasonable security hardening. This issue has been addressed in Home Assistant Core version 2023.8.0 and in the npm package home-assistant-js-websocket in version 8.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw
https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q
CWE-ID: CWE-345
Common Platform Enumerations (CPE): Not Found
39. CVE-2023-41897
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw
https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q
https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/
CWE-ID: CWE-1021
Common Platform Enumerations (CPE): Not Found
40. CVE-2023-41898
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-142`.
References: https://github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg
CWE-ID: CWE-345 CWE-94
Common Platform Enumerations (CPE): Not Found
41. CVE-2023-44385
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs to victims that, when visited, will make the victim to call arbitrary services in their Home Assistant installation. Combined with this security advisory, may result in full compromise and remote code execution (RCE). Version 2023.7 addresses this issue and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-161.
References: https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found