In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between October 20-21, 2023.
During this period, The National Vulnerability Database published 122, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 8
High: 24
Medium: 70
Low: 0
Severity Not Assigned: 20
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-46115
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.0
Impact Score: 5.8
Description: Tauri is a framework for building binaries for all major desktop platforms. This advisory is not describing a vulnerability in the Tauri code base itself but a commonly used misconfiguration which could lead to leaking of the private key and updater key password into bundled Tauri applications using the Vite frontend in a specific configuration. The Tauri documentation used an insecure example configuration in the `Vite guide` to showcase how to use Tauri together with Vite. Copying the following snippet `envPrefix: ['VITE_', 'TAURI_'],` from this guide into the `vite.config.ts` of a Tauri project leads to bundling the `TAURI_PRIVATE_KEY` and `TAURI_KEY_PASSWORD` into the Vite frontend code and therefore leaking this value to the released Tauri application. Using the `envPrefix: ['VITE_'],` or any other framework than Vite means you are not impacted by this advisory. Users are advised to rotate their updater private key if they are affected by this (requires Tauri CLI >=1.5.5). After updating the envPrefix configuration, generate a new private key with `tauri signer generate`, saving the new private key and updating the updater's `pubkey` value on `tauri.conf.json` with the new public key. To update your existing application, the next application build must be signed with the older private key in order to be accepted by the existing application.
References: https://github.com/tauri-apps/tauri/security/advisories/GHSA-2rcp-jvr4-r259
https://tauri.app/v1/guides/getting-started/setup/vite/
CWE-ID: CWE-200 CWE-522
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-5646
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 5.8
Description: The AI ChatBot for WordPress is vulnerable to Directory Traversal in version 4.9.2 via the qcld_openai_upload_pagetraining_file function. This allows subscriber-level attackers to append "References: https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L452
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2981113%40chatbot%2Ftrunk&old=2980494%40chatbot%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/c0a9fde0-7677-4e56-b7ac-95fd16a2250f?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-5647
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 5.8
Description: The AI ChatBot plugin for WordPress is vulnerable to Arbitrary File Deletion in version 4.9.2. This makes it possible for authenticated attackers with subscriber privileges to delete arbitrary files on the server, which makes it possible to take over affected sites as well as others sharing the same hosting account. This vulnerability is the same as CVE-2023-5212 but was accidentally reintroduced in version 4.9.2.
References: https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L693
https://www.wordfence.com/threat-intel/vulnerabilities/id/c5a97bea-a24d-47cb-9cc6-52fdc5b024f4?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
4. CVE-2020-36698
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized user interaction in versions up to, and including, 2.50. This is due to missing capability checks on several AJAX actions and nonce disclosure in the source page of the administrative dashboard. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to call functions and delete and/or upload files.
References: https://blog.nintechnet.com/multiple-vulnerabilities-fixed-in-security-malware-scan-by-cleantalk-plugin/
https://wpscan.com/vulnerability/23960f42-dfc1-4951-9169-02d889283f01
https://www.wordfence.com/threat-intel/vulnerabilities/id/0fb9b039-eb04-4c27-89eb-1932c9c31962?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
5. CVE-2020-36706
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Simple:Press – WordPress Forum Plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ~/admin/resources/jscript/ajaxupload/sf-uploader.php file in versions up to, and including, 6.6.0. This makes it possible for attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
References: https://blog.nintechnet.com/wordpress-simplepress-plugin-fixed-critical-vulnerabilities/
https://wpscan.com/vulnerability/27d4a8a5-9d81-4b42-92be-3f7d1ef22843
https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-simple-press-wordpress-forum-arbitrary-file-upload-6-6-0/
https://www.wordfence.com/threat-intel/vulnerabilities/id/53eba5b4-7cc0-48e1-bb9c-6ed3207151ab?source=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
6. CVE-2022-4712
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The WP Cerber Security plugin for WordPress is vulnerable to stored cross-site scripting via the log parameter when logging in to the site in versions up to, and including, 9.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://plugins.trac.wordpress.org/browser/wp-cerber/trunk/admin/cerber-dashboard.php?rev=2721561#L1338
https://www.wordfence.com/threat-intel/vulnerabilities/id/6cd9cbba-10b0-4fb0-ad49-4593a307a615?source=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
7. CVE-2023-2325
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.2
Description: Stored XSS Vulnerability in M-Files Classic Web versions before 23.10 and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.
References: https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2325/
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
8. CVE-2023-39680
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: Sollace Unicopia version 1.1.1 and before was discovered to deserialize untrusted data, allowing attackers to execute arbitrary code.
References: https://gist.github.com/apple502j/4ab77291c98e45f4a5bf780c8eda8afa
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-4274
Base Score: 8.7
Base Severity: HIGH
Exploitability Score: 2.3
Impact Score: 5.8
Description: The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 0.9.89. This allows authenticated attackers with administrative privileges to delete the contents of arbitrary directories on the server, which can be a critical issue in a shared environments.
References: https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.89/includes/class-wpvivid-setting.php#L200
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2956458%40wpvivid-backuprestore%2Ftrunk&old=2948265%40wpvivid-backuprestore%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/5d94f38f-4b52-4b0d-800c-a6fca40bda3c?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
10. CVE-2023-4402
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://plugins.trac.wordpress.org/browser/essential-blocks/trunk/includes/API/Product.php?rev=2950425#L49
https://www.wordfence.com/threat-intel/vulnerabilities/id/1ede7a25-9bb2-408e-b7fb-e5bd4f594351?source=cve
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
11. CVE-2023-4488
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Dropbox Folder Share for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.9.7 via the editor-view.php file. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
References: https://plugins.trac.wordpress.org/browser/dropbox-folder-share/trunk/HynoTech/UsosGenerales/js/editor-view.php?rev=2904670
https://www.wordfence.com/threat-intel/vulnerabilities/id/647a2f27-092a-4db1-932d-87ae8c2efcca?source=cve
CWE-ID: CWE-98
Common Platform Enumerations (CPE): Not Found
12. CVE-2023-4598
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Slimstat Analytics plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.0.8/admin/view/wp-slimstat-db.php#L970
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2959452%40wp-slimstat&new=2959452%40wp-slimstat&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/07c0f5a5-3455-4f06-b481-f4d678309c50?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
13. CVE-2023-5414
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 2.3
Impact Score: 6.0
Description: The Icegram Express plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.6.23 via the show_es_logs function. This allows administrator-level attackers to read the contents of arbitrary files on the server, which can contain sensitive information including those belonging to other sites, for example in shared hosting environments.
References: https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/classes/class-email-subscribers-logs.php?rev=2919465#L28
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977318%40email-subscribers%2Ftrunk&old=2972043%40email-subscribers%2Ftrunk&sfp_email=&sfph_mail=#file4
https://www.wordfence.com/threat-intel/vulnerabilities/id/417186ba-36ef-4d06-bbcd-e85eb9219689?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
14. CVE-2023-5523
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows
Remote Code Execution
References: https://www.m-files.com/about/trust-center/security-advisories/cve-2023-5523/
CWE-ID: CWE-829
Common Platform Enumerations (CPE): Not Found
15. CVE-2023-5524
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 6.0
Description: Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows
Remote Code Execution
via specific file types
References: https://www.m-files.com/about/trust-center/security-advisories/cve-2023-5524/
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
16. CVE-2023-5576
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.8
Description: The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 0.9.91 via Google Drive API secrets stored in plaintext in the publicly visible plugin source. This could allow unauthenticated attackers to impersonate the WPVivid Google Drive account via the API if they can trick a user into reauthenticating via another vulnerability or social engineering.
References: https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.91/includes/customclass/client_secrets.json
https://plugins.trac.wordpress.org/changeset/2977863/
https://www.wordfence.com/threat-intel/vulnerabilities/id/4658109d-295c-4a1b-b219-ca1f4664ff1d?source=cve
CWE-ID: CWE-200
Common Platform Enumerations (CPE): Not Found
17. CVE-2020-36714
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 3.7
Description: The Brizy plugin for WordPress is vulnerable to authorization bypass due to a incorrect capability check on the is_administrator() function in versions up to, and including, 1.0.125. This makes it possible for authenticated attackers to access and interact with available AJAX functions.
References: https://blog.nintechnet.com/wordpress-brizy-page-builder-plugin-fixed-critical-vulnerabilities/
https://www.wordfence.com/threat-intel/vulnerabilities/id/9495e25d-a5a6-4f25-9363-783626e58a4a?source=cve
CWE-ID: CWE-285
Common Platform Enumerations (CPE): Not Found
18. CVE-2021-4334
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator which can allow privilege escalation.
References: https://support.fancyproductdesigner.com/support/discussions/topics/13000029981
https://www.wordfence.com/threat-intel/vulnerabilities/id/ea097cb7-85f4-4b6d-9f29-bc2636993f21?source=cve
CWE-ID: CWE-285
Common Platform Enumerations (CPE): Not Found
19. CVE-2022-2441
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to run arbitrary commands leading to remote command execution, granted they can trick a site administrator into performing an action such as clicking on a link. This makes it possible for an attacker to create and or modify files hosted on the server which can easily grant attackers backdoor access to the affected server.
References: https://github.com/orangelabweb/imagemagick-engine/blob/1.7.4/imagemagick-engine.php#L529
https://github.com/orangelabweb/imagemagick-engine/blob/v.1.7.2/imagemagick-engine.php#L529
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2801283%40imagemagick-engine%2Ftrunk&old=2732430%40imagemagick-engine%2Ftrunk&sfp_email=&sfph_mail=
https://www.exploit-db.com/exploits/51025
https://www.wordfence.com/threat-intel/vulnerabilities/id/b1f17a83-1df0-44fe-bd86-243cff6ec91b?source=cve
https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-2441
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
20. CVE-2022-3342
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: The Jetpack CRM plugin for WordPress is vulnerable to PHAR deserialization via the ‘zbscrmcsvimpf’ parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function in versions up to, and including, 5.3.1. While the function performs a nonce check, steps 2 and 3 of the check do not take any action upon a failed check. These steps then perform a 'file_exists' check on the value of 'zbscrmcsvimpf'. If a phar:// archive is supplied, its contents will be deserialized and an object injected in the execution stream. This allows an unauthenticated attacker to obtain object injection if they are able to upload a phar archive (for instance if the site supports image uploads) and then trick an administrator into performing an action, such as clicking a link.
References: https://plugins.trac.wordpress.org/browser/zero-bs-crm/trunk/includes/ZeroBSCRM.CSVImporter.php?rev=2790863
https://plugins.trac.wordpress.org/changeset/2805282/zero-bs-crm/trunk/includes/ZeroBSCRM.CSVImporter.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/98ab264f-b210-41d0-bb6f-b4f31d933f80?source=cve
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
21. CVE-2022-4290
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Cyr to Lat plugin for WordPress is vulnerable to authenticated SQL Injection via the 'ctl_sanitize_title' function in versions up to, and including, 3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This potentially allows authenticated users with the ability to add or modify terms or tags to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. A partial patch became available in version 3.6 and the issue was fully patched in version 3.7.
References: https://plugins.trac.wordpress.org/browser/cyr3lat/trunk/cyr-to-lat.php?rev=1117224#L69
https://www.wordfence.com/threat-intel/vulnerabilities/id/c9c29130-1b42-4edd-ad62-6f635e03ae31?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
22. CVE-2022-4943
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2842228%40miniorange-2-factor-authentication%2Ftrunk&old=2815645%40miniorange-2-factor-authentication%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
23. CVE-2023-4386
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://plugins.trac.wordpress.org/browser/essential-blocks/trunk/includes/API/PostBlock.php?rev=2950425#L30
https://www.wordfence.com/threat-intel/vulnerabilities/id/af468f83-d6ad-474c-bf7f-c4eeb6df1b54?source=cve
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
24. CVE-2023-4999
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Horizontal scrolling announcement plugin for WordPress is vulnerable to SQL Injection via the plugin's [horizontal-scrolling] shortcode in versions up to, and including, 9.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/horizontal-scrolling-announcement/trunk/horizontal-scrolling-announcement.php#L79
https://www.wordfence.com/threat-intel/vulnerabilities/id/bf50922a-58a6-4ca4-80b7-cafb37b87216?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
25. CVE-2023-34044
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 4.0
Description: VMware Workstation( 17.x prior to 17.5) and Fusion(13.x prior to 13.5) contain an out-of-bounds
read vulnerability that exists in the functionality for sharing host
Bluetooth devices with the virtual machine. A malicious actor with local administrative privileges on a virtual
machine may be able to read privileged information contained in
hypervisor memory from a virtual machine.
References: https://www.vmware.com/security/advisories/VMSA-2023-0022.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
26. CVE-2023-3487
Base Score: 7.7
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.2
Description:
An integer overflow in Silicon Labs Gecko Bootloader version 4.3.1 and earlier allows unbounded memory access when reading from or writing to storage slots.
References: https://community.silabs.com/s/contentdocument/0698Y00000ZmXqLQAV
https://github.com/SiliconLabs/gecko_sdk/releases
CWE-ID: CWE-125 CWE-20 CWE-787
Common Platform Enumerations (CPE): Not Found
27. CVE-2023-23373
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: An OS command injection vulnerability has been reported to affect QUSBCam2. If exploited, the vulnerability could allow users to execute commands via a network.
We have already fixed the vulnerability in the following version:
QUSBCam2 2.0.3 ( 2023/06/15 ) and later
References: https://www.qnap.com/en/security-advisory/qsa-23-43
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
28. CVE-2023-5688
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
References: https://github.com/modoboa/modoboa/commit/d33d3cd2d11dbfebd8162c46e2c2a9873919a967
https://huntr.com/bounties/0ceb10e4-952b-4ca4-baf8-5b6f12e3a8a7
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
29. CVE-2023-5689
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
References: https://github.com/modoboa/modoboa/commit/d33d3cd2d11dbfebd8162c46e2c2a9873919a967
https://huntr.com/bounties/24835833-3421-412b-bafb-1b7ea3cf60e6
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
30. CVE-2023-45805
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. A project `foo` can be targeted by creating the project `foo-2` and uploading the file `foo-2-2.tar.gz` to pypi.org. PyPI will see this as project `foo-2` version `2`, while PDM will see this as project `foo` version `2-2`. The version must only be `parseable as a version` and the filename must be a prefix of the project name, but it's not verified to match the version being installed. Version `2-2` is also not a valid normalized version per PEP 440. Matching the project name exactly (not just prefix) would fix the issue. When installing dependencies with PDM, what's actually installed could differ from what's listed in `pyproject.toml` (including arbitrary code execution on install). It could also be used for downgrade attacks by only changing the version. This issue has been addressed in commit `6853e2642df` which is included in release version `2.9.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/frostming/unearth/blob/eca170d9370ac5032f2e497ee9b1b63823d3fe0f/src/unearth/evaluator.py#L215-L229
https://github.com/pdm-project/pdm/blob/45d1dfa47d4900c14a31b9bb761e4c46eb5c9442/src/pdm/models/candidates.py#L98-L99
https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831
https://github.com/pdm-project/pdm/security/advisories/GHSA-j44v-mmf2-xvm9
https://peps.python.org/pep-0440/#post-release-spelling
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
31. CVE-2023-46117
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 2.8
Impact Score: 6.0
Description: reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities. A vulnerability has been identified in reconftw where inadequate validation of retrieved subdomains may lead to a Remote Code Execution (RCE) attack. An attacker can exploit this vulnerability by crafting a malicious CSP entry on it's own domain. Successful exploitation can lead to the execution of arbitrary code within the context of the application, potentially compromising the system. This issue has been addressed in version 2.7.1.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/six2dez/reconftw/commit/e639de356c0880fe5fe01a32de9d0c58afb5f086
https://github.com/six2dez/reconftw/security/advisories/GHSA-fxwr-vr9x-wvjp
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
32. CVE-2023-37824
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Sitolog sitologapplicationconnect v7.8.a and before was discovered to contain a SQL injection vulnerability via the component /activate_hook.php.
References: https://security.friendsofpresta.org/modules/2023/10/11/sitologapplicationconnect.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between October 20-21, 2023.
During this period, The National Vulnerability Database published 122, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 8
High: 24
Medium: 70
Low: 0
Severity Not Assigned: 20
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-46115
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.0
Impact Score: 5.8
Description: Tauri is a framework for building binaries for all major desktop platforms. This advisory is not describing a vulnerability in the Tauri code base itself but a commonly used misconfiguration which could lead to leaking of the private key and updater key password into bundled Tauri applications using the Vite frontend in a specific configuration. The Tauri documentation used an insecure example configuration in the `Vite guide` to showcase how to use Tauri together with Vite. Copying the following snippet `envPrefix: ['VITE_', 'TAURI_'],` from this guide into the `vite.config.ts` of a Tauri project leads to bundling the `TAURI_PRIVATE_KEY` and `TAURI_KEY_PASSWORD` into the Vite frontend code and therefore leaking this value to the released Tauri application. Using the `envPrefix: ['VITE_'],` or any other framework than Vite means you are not impacted by this advisory. Users are advised to rotate their updater private key if they are affected by this (requires Tauri CLI >=1.5.5). After updating the envPrefix configuration, generate a new private key with `tauri signer generate`, saving the new private key and updating the updater's `pubkey` value on `tauri.conf.json` with the new public key. To update your existing application, the next application build must be signed with the older private key in order to be accepted by the existing application.
References: https://github.com/tauri-apps/tauri/security/advisories/GHSA-2rcp-jvr4-r259
https://tauri.app/v1/guides/getting-started/setup/vite/
CWE-ID: CWE-200 CWE-522
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-5646
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 5.8
Description: The AI ChatBot for WordPress is vulnerable to Directory Traversal in version 4.9.2 via the qcld_openai_upload_pagetraining_file function. This allows subscriber-level attackers to append "References: https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L452
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2981113%40chatbot%2Ftrunk&old=2980494%40chatbot%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/c0a9fde0-7677-4e56-b7ac-95fd16a2250f?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-5647
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 5.8
Description: The AI ChatBot plugin for WordPress is vulnerable to Arbitrary File Deletion in version 4.9.2. This makes it possible for authenticated attackers with subscriber privileges to delete arbitrary files on the server, which makes it possible to take over affected sites as well as others sharing the same hosting account. This vulnerability is the same as CVE-2023-5212 but was accidentally reintroduced in version 4.9.2.
References: https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L693
https://www.wordfence.com/threat-intel/vulnerabilities/id/c5a97bea-a24d-47cb-9cc6-52fdc5b024f4?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
4. CVE-2020-36698
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized user interaction in versions up to, and including, 2.50. This is due to missing capability checks on several AJAX actions and nonce disclosure in the source page of the administrative dashboard. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to call functions and delete and/or upload files.
References: https://blog.nintechnet.com/multiple-vulnerabilities-fixed-in-security-malware-scan-by-cleantalk-plugin/
https://wpscan.com/vulnerability/23960f42-dfc1-4951-9169-02d889283f01
https://www.wordfence.com/threat-intel/vulnerabilities/id/0fb9b039-eb04-4c27-89eb-1932c9c31962?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
5. CVE-2020-36706
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Simple:Press – WordPress Forum Plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ~/admin/resources/jscript/ajaxupload/sf-uploader.php file in versions up to, and including, 6.6.0. This makes it possible for attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
References: https://blog.nintechnet.com/wordpress-simplepress-plugin-fixed-critical-vulnerabilities/
https://wpscan.com/vulnerability/27d4a8a5-9d81-4b42-92be-3f7d1ef22843
https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-simple-press-wordpress-forum-arbitrary-file-upload-6-6-0/
https://www.wordfence.com/threat-intel/vulnerabilities/id/53eba5b4-7cc0-48e1-bb9c-6ed3207151ab?source=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
6. CVE-2022-4712
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The WP Cerber Security plugin for WordPress is vulnerable to stored cross-site scripting via the log parameter when logging in to the site in versions up to, and including, 9.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://plugins.trac.wordpress.org/browser/wp-cerber/trunk/admin/cerber-dashboard.php?rev=2721561#L1338
https://www.wordfence.com/threat-intel/vulnerabilities/id/6cd9cbba-10b0-4fb0-ad49-4593a307a615?source=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
7. CVE-2023-2325
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.2
Description: Stored XSS Vulnerability in M-Files Classic Web versions before 23.10 and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.
References: https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2325/
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
8. CVE-2023-39680
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: Sollace Unicopia version 1.1.1 and before was discovered to deserialize untrusted data, allowing attackers to execute arbitrary code.
References: https://gist.github.com/apple502j/4ab77291c98e45f4a5bf780c8eda8afa
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-4274
Base Score: 8.7
Base Severity: HIGH
Exploitability Score: 2.3
Impact Score: 5.8
Description: The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 0.9.89. This allows authenticated attackers with administrative privileges to delete the contents of arbitrary directories on the server, which can be a critical issue in a shared environments.
References: https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.89/includes/class-wpvivid-setting.php#L200
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2956458%40wpvivid-backuprestore%2Ftrunk&old=2948265%40wpvivid-backuprestore%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/5d94f38f-4b52-4b0d-800c-a6fca40bda3c?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
10. CVE-2023-4402
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://plugins.trac.wordpress.org/browser/essential-blocks/trunk/includes/API/Product.php?rev=2950425#L49
https://www.wordfence.com/threat-intel/vulnerabilities/id/1ede7a25-9bb2-408e-b7fb-e5bd4f594351?source=cve
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
11. CVE-2023-4488
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Dropbox Folder Share for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.9.7 via the editor-view.php file. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
References: https://plugins.trac.wordpress.org/browser/dropbox-folder-share/trunk/HynoTech/UsosGenerales/js/editor-view.php?rev=2904670
https://www.wordfence.com/threat-intel/vulnerabilities/id/647a2f27-092a-4db1-932d-87ae8c2efcca?source=cve
CWE-ID: CWE-98
Common Platform Enumerations (CPE): Not Found
12. CVE-2023-4598
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Slimstat Analytics plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.0.8/admin/view/wp-slimstat-db.php#L970
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2959452%40wp-slimstat&new=2959452%40wp-slimstat&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/07c0f5a5-3455-4f06-b481-f4d678309c50?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
13. CVE-2023-5414
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 2.3
Impact Score: 6.0
Description: The Icegram Express plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.6.23 via the show_es_logs function. This allows administrator-level attackers to read the contents of arbitrary files on the server, which can contain sensitive information including those belonging to other sites, for example in shared hosting environments.
References: https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/classes/class-email-subscribers-logs.php?rev=2919465#L28
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977318%40email-subscribers%2Ftrunk&old=2972043%40email-subscribers%2Ftrunk&sfp_email=&sfph_mail=#file4
https://www.wordfence.com/threat-intel/vulnerabilities/id/417186ba-36ef-4d06-bbcd-e85eb9219689?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
14. CVE-2023-5523
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows
Remote Code Execution
References: https://www.m-files.com/about/trust-center/security-advisories/cve-2023-5523/
CWE-ID: CWE-829
Common Platform Enumerations (CPE): Not Found
15. CVE-2023-5524
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 6.0
Description: Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows
Remote Code Execution
via specific file types
References: https://www.m-files.com/about/trust-center/security-advisories/cve-2023-5524/
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
16. CVE-2023-5576
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.8
Description: The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 0.9.91 via Google Drive API secrets stored in plaintext in the publicly visible plugin source. This could allow unauthenticated attackers to impersonate the WPVivid Google Drive account via the API if they can trick a user into reauthenticating via another vulnerability or social engineering.
References: https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.91/includes/customclass/client_secrets.json
https://plugins.trac.wordpress.org/changeset/2977863/
https://www.wordfence.com/threat-intel/vulnerabilities/id/4658109d-295c-4a1b-b219-ca1f4664ff1d?source=cve
CWE-ID: CWE-200
Common Platform Enumerations (CPE): Not Found
17. CVE-2020-36714
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 3.7
Description: The Brizy plugin for WordPress is vulnerable to authorization bypass due to a incorrect capability check on the is_administrator() function in versions up to, and including, 1.0.125. This makes it possible for authenticated attackers to access and interact with available AJAX functions.
References: https://blog.nintechnet.com/wordpress-brizy-page-builder-plugin-fixed-critical-vulnerabilities/
https://www.wordfence.com/threat-intel/vulnerabilities/id/9495e25d-a5a6-4f25-9363-783626e58a4a?source=cve
CWE-ID: CWE-285
Common Platform Enumerations (CPE): Not Found
18. CVE-2021-4334
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator which can allow privilege escalation.
References: https://support.fancyproductdesigner.com/support/discussions/topics/13000029981
https://www.wordfence.com/threat-intel/vulnerabilities/id/ea097cb7-85f4-4b6d-9f29-bc2636993f21?source=cve
CWE-ID: CWE-285
Common Platform Enumerations (CPE): Not Found
19. CVE-2022-2441
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to run arbitrary commands leading to remote command execution, granted they can trick a site administrator into performing an action such as clicking on a link. This makes it possible for an attacker to create and or modify files hosted on the server which can easily grant attackers backdoor access to the affected server.
References: https://github.com/orangelabweb/imagemagick-engine/blob/1.7.4/imagemagick-engine.php#L529
https://github.com/orangelabweb/imagemagick-engine/blob/v.1.7.2/imagemagick-engine.php#L529
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2801283%40imagemagick-engine%2Ftrunk&old=2732430%40imagemagick-engine%2Ftrunk&sfp_email=&sfph_mail=
https://www.exploit-db.com/exploits/51025
https://www.wordfence.com/threat-intel/vulnerabilities/id/b1f17a83-1df0-44fe-bd86-243cff6ec91b?source=cve
https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-2441
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
20. CVE-2022-3342
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: The Jetpack CRM plugin for WordPress is vulnerable to PHAR deserialization via the ‘zbscrmcsvimpf’ parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function in versions up to, and including, 5.3.1. While the function performs a nonce check, steps 2 and 3 of the check do not take any action upon a failed check. These steps then perform a 'file_exists' check on the value of 'zbscrmcsvimpf'. If a phar:// archive is supplied, its contents will be deserialized and an object injected in the execution stream. This allows an unauthenticated attacker to obtain object injection if they are able to upload a phar archive (for instance if the site supports image uploads) and then trick an administrator into performing an action, such as clicking a link.
References: https://plugins.trac.wordpress.org/browser/zero-bs-crm/trunk/includes/ZeroBSCRM.CSVImporter.php?rev=2790863
https://plugins.trac.wordpress.org/changeset/2805282/zero-bs-crm/trunk/includes/ZeroBSCRM.CSVImporter.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/98ab264f-b210-41d0-bb6f-b4f31d933f80?source=cve
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
21. CVE-2022-4290
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Cyr to Lat plugin for WordPress is vulnerable to authenticated SQL Injection via the 'ctl_sanitize_title' function in versions up to, and including, 3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This potentially allows authenticated users with the ability to add or modify terms or tags to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. A partial patch became available in version 3.6 and the issue was fully patched in version 3.7.
References: https://plugins.trac.wordpress.org/browser/cyr3lat/trunk/cyr-to-lat.php?rev=1117224#L69
https://www.wordfence.com/threat-intel/vulnerabilities/id/c9c29130-1b42-4edd-ad62-6f635e03ae31?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
22. CVE-2022-4943
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2842228%40miniorange-2-factor-authentication%2Ftrunk&old=2815645%40miniorange-2-factor-authentication%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
23. CVE-2023-4386
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://plugins.trac.wordpress.org/browser/essential-blocks/trunk/includes/API/PostBlock.php?rev=2950425#L30
https://www.wordfence.com/threat-intel/vulnerabilities/id/af468f83-d6ad-474c-bf7f-c4eeb6df1b54?source=cve
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
24. CVE-2023-4999
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Horizontal scrolling announcement plugin for WordPress is vulnerable to SQL Injection via the plugin's [horizontal-scrolling] shortcode in versions up to, and including, 9.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/horizontal-scrolling-announcement/trunk/horizontal-scrolling-announcement.php#L79
https://www.wordfence.com/threat-intel/vulnerabilities/id/bf50922a-58a6-4ca4-80b7-cafb37b87216?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
25. CVE-2023-34044
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 4.0
Description: VMware Workstation( 17.x prior to 17.5) and Fusion(13.x prior to 13.5) contain an out-of-bounds
read vulnerability that exists in the functionality for sharing host
Bluetooth devices with the virtual machine. A malicious actor with local administrative privileges on a virtual
machine may be able to read privileged information contained in
hypervisor memory from a virtual machine.
References: https://www.vmware.com/security/advisories/VMSA-2023-0022.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
26. CVE-2023-3487
Base Score: 7.7
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.2
Description:
An integer overflow in Silicon Labs Gecko Bootloader version 4.3.1 and earlier allows unbounded memory access when reading from or writing to storage slots.
References: https://community.silabs.com/s/contentdocument/0698Y00000ZmXqLQAV
https://github.com/SiliconLabs/gecko_sdk/releases
CWE-ID: CWE-125 CWE-20 CWE-787
Common Platform Enumerations (CPE): Not Found
27. CVE-2023-23373
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: An OS command injection vulnerability has been reported to affect QUSBCam2. If exploited, the vulnerability could allow users to execute commands via a network.
We have already fixed the vulnerability in the following version:
QUSBCam2 2.0.3 ( 2023/06/15 ) and later
References: https://www.qnap.com/en/security-advisory/qsa-23-43
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
28. CVE-2023-5688
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
References: https://github.com/modoboa/modoboa/commit/d33d3cd2d11dbfebd8162c46e2c2a9873919a967
https://huntr.com/bounties/0ceb10e4-952b-4ca4-baf8-5b6f12e3a8a7
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
29. CVE-2023-5689
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
References: https://github.com/modoboa/modoboa/commit/d33d3cd2d11dbfebd8162c46e2c2a9873919a967
https://huntr.com/bounties/24835833-3421-412b-bafb-1b7ea3cf60e6
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
30. CVE-2023-45805
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. A project `foo` can be targeted by creating the project `foo-2` and uploading the file `foo-2-2.tar.gz` to pypi.org. PyPI will see this as project `foo-2` version `2`, while PDM will see this as project `foo` version `2-2`. The version must only be `parseable as a version` and the filename must be a prefix of the project name, but it's not verified to match the version being installed. Version `2-2` is also not a valid normalized version per PEP 440. Matching the project name exactly (not just prefix) would fix the issue. When installing dependencies with PDM, what's actually installed could differ from what's listed in `pyproject.toml` (including arbitrary code execution on install). It could also be used for downgrade attacks by only changing the version. This issue has been addressed in commit `6853e2642df` which is included in release version `2.9.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/frostming/unearth/blob/eca170d9370ac5032f2e497ee9b1b63823d3fe0f/src/unearth/evaluator.py#L215-L229
https://github.com/pdm-project/pdm/blob/45d1dfa47d4900c14a31b9bb761e4c46eb5c9442/src/pdm/models/candidates.py#L98-L99
https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831
https://github.com/pdm-project/pdm/security/advisories/GHSA-j44v-mmf2-xvm9
https://peps.python.org/pep-0440/#post-release-spelling
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
31. CVE-2023-46117
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 2.8
Impact Score: 6.0
Description: reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities. A vulnerability has been identified in reconftw where inadequate validation of retrieved subdomains may lead to a Remote Code Execution (RCE) attack. An attacker can exploit this vulnerability by crafting a malicious CSP entry on it's own domain. Successful exploitation can lead to the execution of arbitrary code within the context of the application, potentially compromising the system. This issue has been addressed in version 2.7.1.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/six2dez/reconftw/commit/e639de356c0880fe5fe01a32de9d0c58afb5f086
https://github.com/six2dez/reconftw/security/advisories/GHSA-fxwr-vr9x-wvjp
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
32. CVE-2023-37824
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Sitolog sitologapplicationconnect v7.8.a and before was discovered to contain a SQL injection vulnerability via the component /activate_hook.php.
References: https://security.friendsofpresta.org/modules/2023/10/11/sitologapplicationconnect.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found