In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between October 31-01, 2023.
During this period, The National Vulnerability Database published 121, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 5
High: 33
Medium: 23
Low: 1
Severity Not Assigned: 59
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-46129
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing.
FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. nkeys Go library 0.4.6, corresponding with NATS Server 2.10.4, has a patch for this issue. No known workarounds are available. For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep.
References: http://www.openwall.com/lists/oss-security/2023/10/31/1
https://github.com/nats-io/nkeys/security/advisories/GHSA-mr45-rx8q-wcm9
CWE-ID: CWE-321 CWE-325
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-5863
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 3.7
Description: Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
References: https://github.com/thorsten/phpmyfaq/commit/97e813dcd2022bd10a8770569a8b02591716365f
https://huntr.com/bounties/fbfd4e84-61fb-4063-8f11-15877b8c1f6f
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-5864
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 0.7
Impact Score: 6.0
Description: Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.1.
References: https://github.com/thorsten/phpmyfaq/commit/b3e5a053b59dcc072d76a55d6ce0311ea30174fa
https://huntr.com/bounties/e4b0e8f4-5e06-49d1-832f-5756573623ad
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
4. CVE-2023-5865
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
References: https://github.com/thorsten/phpmyfaq/commit/5f43786f52c3d517e7665abd25d534e180e08dc5
https://huntr.com/bounties/4c4b7395-d9fd-4ca0-98d7-2e20c1249aff
CWE-ID: CWE-613
Common Platform Enumerations (CPE): Not Found
5. CVE-2023-36263
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Prestashop opartlimitquantity 1.4.5 and before is vulnerable to SQL Injection. OpartlimitquantityAlertlimitModuleFrontController::displayAjaxPushAlertMessage()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.
References: https://security.friendsofpresta.org/modules/2023/10/25/opartlimitquantity.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
6. CVE-2023-5412
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 13.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/image-horizontal-reel-scroll-slideshow/trunk/image-horizontal-reel-scroll-slideshow.php?rev=2827121#L176
https://plugins.trac.wordpress.org/changeset/2985331/image-horizontal-reel-scroll-slideshow#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/08fb698f-c87c-4200-85fe-3fe72745633e?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
7. CVE-2023-5428
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Image vertical reel scroll slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/image-vertical-reel-scroll-slideshow/trunk/image-vertical-reel-scroll-slideshow.php?rev=2827122#L273
https://plugins.trac.wordpress.org/changeset/2985333/image-vertical-reel-scroll-slideshow#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/01d31d8a-4459-488a-9cbe-92761faa58b4?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
8. CVE-2023-5429
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Information Reel plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/information-reel/trunk/information-reel.php?rev=2827123#L134
https://plugins.trac.wordpress.org/changeset/2985373/information-reel#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/64db63e5-ff76-494a-be4f-d820f0cc9ab0?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-5430
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Jquery news ticker plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/jquery-news-ticker/trunk/jquery-news-ticker.php?rev=2827068#L92
https://plugins.trac.wordpress.org/changeset/2985559/jquery-news-ticker#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/3b7f8739-7f40-40a7-952e-002ea3b82ac7?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
10. CVE-2023-5431
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Left right image slideshow gallery plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/left-right-image-slideshow-gallery/trunk/left-right-image-slideshow-gallery.php?rev=2827127#L211
https://plugins.trac.wordpress.org/changeset/2985417/left-right-image-slideshow-gallery#file0
https://www.wordfence.com/threat-intel/vulnerabilities/id/69902627-ce79-4a43-8949-43db6a9cc0dd?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
11. CVE-2023-5433
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Message ticker plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/message-ticker/trunk/message-ticker.php?rev=2827131#L142
https://plugins.trac.wordpress.org/changeset/2985499/message-ticker#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/d0b1fa88-2fc6-41af-bd39-12af92dc6533?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
12. CVE-2023-5434
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Superb slideshow gallery plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 13.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/superb-slideshow-gallery/trunk/superb-slideshow-gallery.php?rev=2827170#L127
https://plugins.trac.wordpress.org/changeset/2985501/superb-slideshow-gallery#file2
https://www.wordfence.com/threat-intel/vulnerabilities/id/3a12945d-a67c-4a19-a4e7-f65f5f2a21bb?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
13. CVE-2023-5435
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Up down image slideshow gallery plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/up-down-image-slideshow-gallery/trunk/up-down-image-slideshow-gallery.php?rev=2827173#L208
https://plugins.trac.wordpress.org/changeset/2985497/up-down-image-slideshow-gallery#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/0b72cf6f-4924-4fa5-8e1a-4054dfe73be0?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
14. CVE-2023-5436
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Vertical marquee plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/vertical-marquee-plugin/trunk/vertical-marquee-plugin.php?rev=2827080#L170
https://plugins.trac.wordpress.org/changeset/2985561/vertical-marquee-plugin#file2
https://www.wordfence.com/threat-intel/vulnerabilities/id/cd90d9c0-0cab-4fd3-b016-106032f300f7?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
15. CVE-2023-5437
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The WP fade in text news plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/wp-fade-in-text-news/trunk/wp-fade-in-text-news.php?rev=2827202#L236
https://plugins.trac.wordpress.org/changeset/2985398/wp-fade-in-text-news#file2
https://www.wordfence.com/threat-intel/vulnerabilities/id/b4accf10-710e-4cba-8d61-04e422324f9d?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
16. CVE-2023-5438
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The wp image slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/wp-image-slideshow/trunk/wp-image-slideshow.php?rev=2827205#L189
https://plugins.trac.wordpress.org/changeset/2985394/wp-image-slideshow#file2
https://www.wordfence.com/threat-intel/vulnerabilities/id/7e24383b-5b0f-4114-908b-4c2778632f73?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
17. CVE-2023-5439
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Wp photo text slider 50 plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/wp-photo-text-slider-50/trunk/wp-photo-text-slider-50.php?rev=2827206#L196
https://plugins.trac.wordpress.org/changeset/2985502/wp-photo-text-slider-50#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/515502b5-c344-4855-aff1-57833233c5d2?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
18. CVE-2023-5464
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Jquery accordion slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/jquery-accordion-slideshow/trunk/jquery-accordion-slideshow.php?rev=2827053#L177
https://plugins.trac.wordpress.org/changeset/2985511/jquery-accordion-slideshow#file0
https://www.wordfence.com/threat-intel/vulnerabilities/id/0531ca34-5d7b-4071-a1aa-934f14b87728?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
19. CVE-2023-46312
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Zaytech Smart Online Order for Clover plugin <= 1.5.4 versions.
References: https://patchstack.com/database/vulnerability/clover-online-orders/wordpress-smart-online-order-for-clover-plugin-1-5-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
20. CVE-2023-46313
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Katie Seaborn Zotpress plugin <= 7.3.4 versions.
References: https://patchstack.com/database/vulnerability/zotpress/wordpress-zotpress-plugin-7-3-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
21. CVE-2023-46622
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ollybach WPPizza – A Restaurant Plugin plugin <= 3.18.2 versions.
References: https://patchstack.com/database/vulnerability/wppizza/wordpress-wppizza-plugin-3-18-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
22. CVE-2022-3007
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: ** UNSUPPPORTED WHEN ASSIGNED ** The vulnerability exists in Syska SW100 Smartwatch due to an improper implementation and/or configuration of Nordic Device Firmware Update (DFU) which is used for performing Over-The-Air (OTA) firmware updates on the Bluetooth Low Energy (BLE) devices. An unauthenticated attacker could exploit this vulnerability by setting arbitrary values to handle on the vulnerable device over Bluetooth.
Successful exploitation of this vulnerability could allow the attacker to perform firmware update, device reboot or data manipulation on the target device.
References: https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2023-0333
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
23. CVE-2023-38994
Base Score: 7.9
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 5.8
Description: An issue in Univention UCS v.5.0 allows a local attacker to execute arbitrary code and gain privileges via the check_univention_joinstatus function.
References: https://forge.univention.org/bugzilla/show_bug.cgi?id=56324
https://forge.univention.org/bugzilla/show_bug.cgi?id=56324#c0
https://www.drive-byte.de/en/blog/simple-yet-effective-the-story-of-some-simple-bugs-that-led-to-the-complete-compromise-of-a-network
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
24. CVE-2023-5099
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The HTML filter and csv-file search plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.7 via the 'src' attribute of the 'csvsearch' shortcode. This allows authenticated attackers, with contributor-level permissions and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
References: https://plugins.trac.wordpress.org/changeset/2985200/hk-filter-and-search
https://www.wordfence.com/threat-intel/vulnerabilities/id/ee2b4055-8cbd-49b7-bb0b-eddef85060fc?source=cve
CWE-ID: CWE-98
Common Platform Enumerations (CPE): Not Found
25. CVE-2023-22518
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. There is no impact to confidentiality as an attacker cannot exfiltrate any instance data.
Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
References: https://confluence.atlassian.com/pages/viewpage.action?pageId=1311473907
https://jira.atlassian.com/browse/CONFSERVER-93142
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
26. CVE-2023-37243
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: The C:\Windows\Temp\Agent.Package.Availability\Agent.Package.Availability.exe file is automatically launched as SYSTEM when the system reboots. Since the C:\Windows\Temp\Agent.Package.Availability folder inherits permissions from C:\Windows\Temp and Agent.Package.Availability.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges.
References: https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0010.md
CWE-ID: CWE-379
Common Platform Enumerations (CPE): Not Found
27. CVE-2023-40050
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: Upload profile either
through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec
check command with maliciously crafted profile allows remote code execution.
References: https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Automate-CVE-2023-40050
https://docs.chef.io/automate/profiles/
https://docs.chef.io/release_notes_automate/
CWE-ID: CWE-434 CWE-94
Common Platform Enumerations (CPE): Not Found
28. CVE-2023-42658
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.0
Impact Score: 6.0
Description:
Archive command in Chef InSpec prior to 4.56.58 and 5.22.29 allow local command execution via maliciously crafted profile.
References: https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Inspec-CVE-2023-42658
https://docs.chef.io/inspec/cli/
https://docs.chef.io/release_notes_inspec/
CWE-ID: CWE-917 CWE-94
Common Platform Enumerations (CPE): Not Found
29. CVE-2023-46236
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to version 1.5.10, a server-side-request-forgery (SSRF) vulnerability allowed an unauthenticated user to trigger a GET request as the server to an arbitrary endpoint and URL scheme. This also allows remote access to files visible to the Apache user group. Other impacts vary based on server configuration. Version 1.5.10 contains a patch.
References: https://github.com/FOGProject/fogproject/commit/9125f35ff649a3e7fd7771b1c8e5add3c726f763
https://github.com/FOGProject/fogproject/security/advisories/GHSA-8qg4-9363-873h
CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found
30. CVE-2023-46239
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected.
References: https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617
https://github.com/quic-go/quic-go/releases/tag/v0.37.3
https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h
CWE-ID: CWE-248
Common Platform Enumerations (CPE): Not Found
31. CVE-2023-46240
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.
References: https://codeigniter4.github.io/userguide/general/errors.html#error-reporting
https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj
CWE-ID: CWE-209
Common Platform Enumerations (CPE): Not Found
32. CVE-2023-46245
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Kimai is a web-based multi-user time-tracking application. Versions 2.1.0 and prior are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. As of time of publication, no patches or known workarounds are available.
References: https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw
CWE-ID: CWE-1336
Common Platform Enumerations (CPE): Not Found
33. CVE-2023-46248
Base Score: 9.0
Base Severity: CRITICAL
Exploitability Score: 2.3
Impact Score: 6.0
Description: Cody is an artificial intelligence (AI) coding assistant. The Cody AI VSCode extension versions 0.10.0 through 0.14.0 are vulnerable to Remote Code Execution under certain conditions. An attacker in control of a malicious repository could modify the Cody configuration file `.vscode/cody.json` and overwrite Cody commands. If a user with the extension installed opens this malicious repository and runs a Cody command such as /explain or /doc, this could allow arbitrary code execution on the user's machine. The vulnerability is rated as critical severity, but with low exploitability. It requires the user to have a malicious repository loaded and execute the overwritten command in VS Code. The issue is exploitable regardless of the user blocking code execution on a repository through VS Code Workspace Trust. The issue was found during a regular 3rd party penetration test. The maintainers of Cody do not have evidence of open source repositories having malicious `.vscode/cody.json` files to exploit this vulnerability. The issue is fixed in version 0.14.1 of the Cody VSCode extension. In case users can't promptly upgrade, they should not open any untrusted repositories with the Cody extension loaded.
References: https://github.com/sourcegraph/cody/pull/1414
https://github.com/sourcegraph/cody/security/advisories/GHSA-8wmq-fwv7-xmwq
CWE-ID: CWE-15
Common Platform Enumerations (CPE): Not Found
34. CVE-2023-46249
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 2.8
Impact Score: 6.0
Description: authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint to create the default admin user, which can also optionally set the default admin users' password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again. authentik 2023.8.4 and 2023.10.2 fix this issue. As a workaround, ensure the default admin user (Username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user, and store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin.
References: https://github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0
https://github.com/goauthentik/authentik/commit/ea75741ec22ecef34bc7073f1163e17a8a2bf9fc
https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.2
https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.4
https://github.com/goauthentik/authentik/security/advisories/GHSA-rjvp-29xq-f62w
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
35. CVE-2023-46723
Base Score: 8.9
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 6.0
Description: lte-pic32-writer is a writer for PIC32 devices. In versions 0.0.1 and prior, those who use `sendto.txt` are vulnerable to attackers who known the IMEI reading the sendto.txt. The sendto.txt file can contain the SNS(such as slack and zulip) URL and API key. As of time of publication, a patch is not yet available. As workarounds, avoid using `sendto.txt` or use `.htaccess` to block access to `sendto.txt`.
References: https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh
CWE-ID: CWE-538
Common Platform Enumerations (CPE): Not Found
36. CVE-2023-20886
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: VMware Workspace ONE UEM console contains an open redirect vulnerability.
A malicious actor may be able to redirect a victim to an attacker and retrieve their SAML response to login as the victim user.
References: https://www.vmware.com/security/advisories/VMSA-2023-0025.html
CWE-ID: CWE-601
Common Platform Enumerations (CPE): Not Found
37. CVE-2023-3676
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A security issue was discovered in Kubernetes where a user
that can create pods on Windows nodes may be able to escalate to admin
privileges on those nodes. Kubernetes clusters are only affected if they
include Windows nodes.
References: https://github.com/kubernetes/kubernetes/issues/119339
https://groups.google.com/g/kubernetes-security-announce/c/d_fvHZ9a5zc
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
38. CVE-2023-3955
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A security issue was discovered in Kubernetes where a user
that can create pods on Windows nodes may be able to escalate to admin
privileges on those nodes. Kubernetes clusters are only affected if they
include Windows nodes.
References: https://github.com/kubernetes/kubernetes/issues/119595
https://groups.google.com/g/kubernetes-security-announce/c/JrX4bb7d83E
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between October 31-01, 2023.
During this period, The National Vulnerability Database published 121, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 5
High: 33
Medium: 23
Low: 1
Severity Not Assigned: 59
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-46129
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing.
FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. nkeys Go library 0.4.6, corresponding with NATS Server 2.10.4, has a patch for this issue. No known workarounds are available. For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep.
References: http://www.openwall.com/lists/oss-security/2023/10/31/1
https://github.com/nats-io/nkeys/security/advisories/GHSA-mr45-rx8q-wcm9
CWE-ID: CWE-321 CWE-325
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-5863
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 3.7
Description: Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
References: https://github.com/thorsten/phpmyfaq/commit/97e813dcd2022bd10a8770569a8b02591716365f
https://huntr.com/bounties/fbfd4e84-61fb-4063-8f11-15877b8c1f6f
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-5864
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 0.7
Impact Score: 6.0
Description: Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.1.
References: https://github.com/thorsten/phpmyfaq/commit/b3e5a053b59dcc072d76a55d6ce0311ea30174fa
https://huntr.com/bounties/e4b0e8f4-5e06-49d1-832f-5756573623ad
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
4. CVE-2023-5865
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
References: https://github.com/thorsten/phpmyfaq/commit/5f43786f52c3d517e7665abd25d534e180e08dc5
https://huntr.com/bounties/4c4b7395-d9fd-4ca0-98d7-2e20c1249aff
CWE-ID: CWE-613
Common Platform Enumerations (CPE): Not Found
5. CVE-2023-36263
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Prestashop opartlimitquantity 1.4.5 and before is vulnerable to SQL Injection. OpartlimitquantityAlertlimitModuleFrontController::displayAjaxPushAlertMessage()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.
References: https://security.friendsofpresta.org/modules/2023/10/25/opartlimitquantity.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
6. CVE-2023-5412
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 13.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/image-horizontal-reel-scroll-slideshow/trunk/image-horizontal-reel-scroll-slideshow.php?rev=2827121#L176
https://plugins.trac.wordpress.org/changeset/2985331/image-horizontal-reel-scroll-slideshow#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/08fb698f-c87c-4200-85fe-3fe72745633e?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
7. CVE-2023-5428
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Image vertical reel scroll slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/image-vertical-reel-scroll-slideshow/trunk/image-vertical-reel-scroll-slideshow.php?rev=2827122#L273
https://plugins.trac.wordpress.org/changeset/2985333/image-vertical-reel-scroll-slideshow#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/01d31d8a-4459-488a-9cbe-92761faa58b4?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
8. CVE-2023-5429
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Information Reel plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/information-reel/trunk/information-reel.php?rev=2827123#L134
https://plugins.trac.wordpress.org/changeset/2985373/information-reel#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/64db63e5-ff76-494a-be4f-d820f0cc9ab0?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-5430
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Jquery news ticker plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/jquery-news-ticker/trunk/jquery-news-ticker.php?rev=2827068#L92
https://plugins.trac.wordpress.org/changeset/2985559/jquery-news-ticker#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/3b7f8739-7f40-40a7-952e-002ea3b82ac7?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
10. CVE-2023-5431
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Left right image slideshow gallery plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/left-right-image-slideshow-gallery/trunk/left-right-image-slideshow-gallery.php?rev=2827127#L211
https://plugins.trac.wordpress.org/changeset/2985417/left-right-image-slideshow-gallery#file0
https://www.wordfence.com/threat-intel/vulnerabilities/id/69902627-ce79-4a43-8949-43db6a9cc0dd?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
11. CVE-2023-5433
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Message ticker plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/message-ticker/trunk/message-ticker.php?rev=2827131#L142
https://plugins.trac.wordpress.org/changeset/2985499/message-ticker#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/d0b1fa88-2fc6-41af-bd39-12af92dc6533?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
12. CVE-2023-5434
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Superb slideshow gallery plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 13.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/superb-slideshow-gallery/trunk/superb-slideshow-gallery.php?rev=2827170#L127
https://plugins.trac.wordpress.org/changeset/2985501/superb-slideshow-gallery#file2
https://www.wordfence.com/threat-intel/vulnerabilities/id/3a12945d-a67c-4a19-a4e7-f65f5f2a21bb?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
13. CVE-2023-5435
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Up down image slideshow gallery plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/up-down-image-slideshow-gallery/trunk/up-down-image-slideshow-gallery.php?rev=2827173#L208
https://plugins.trac.wordpress.org/changeset/2985497/up-down-image-slideshow-gallery#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/0b72cf6f-4924-4fa5-8e1a-4054dfe73be0?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
14. CVE-2023-5436
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Vertical marquee plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/vertical-marquee-plugin/trunk/vertical-marquee-plugin.php?rev=2827080#L170
https://plugins.trac.wordpress.org/changeset/2985561/vertical-marquee-plugin#file2
https://www.wordfence.com/threat-intel/vulnerabilities/id/cd90d9c0-0cab-4fd3-b016-106032f300f7?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
15. CVE-2023-5437
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The WP fade in text news plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/wp-fade-in-text-news/trunk/wp-fade-in-text-news.php?rev=2827202#L236
https://plugins.trac.wordpress.org/changeset/2985398/wp-fade-in-text-news#file2
https://www.wordfence.com/threat-intel/vulnerabilities/id/b4accf10-710e-4cba-8d61-04e422324f9d?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
16. CVE-2023-5438
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The wp image slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/wp-image-slideshow/trunk/wp-image-slideshow.php?rev=2827205#L189
https://plugins.trac.wordpress.org/changeset/2985394/wp-image-slideshow#file2
https://www.wordfence.com/threat-intel/vulnerabilities/id/7e24383b-5b0f-4114-908b-4c2778632f73?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
17. CVE-2023-5439
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Wp photo text slider 50 plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/wp-photo-text-slider-50/trunk/wp-photo-text-slider-50.php?rev=2827206#L196
https://plugins.trac.wordpress.org/changeset/2985502/wp-photo-text-slider-50#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/515502b5-c344-4855-aff1-57833233c5d2?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
18. CVE-2023-5464
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Jquery accordion slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/jquery-accordion-slideshow/trunk/jquery-accordion-slideshow.php?rev=2827053#L177
https://plugins.trac.wordpress.org/changeset/2985511/jquery-accordion-slideshow#file0
https://www.wordfence.com/threat-intel/vulnerabilities/id/0531ca34-5d7b-4071-a1aa-934f14b87728?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
19. CVE-2023-46312
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Zaytech Smart Online Order for Clover plugin <= 1.5.4 versions.
References: https://patchstack.com/database/vulnerability/clover-online-orders/wordpress-smart-online-order-for-clover-plugin-1-5-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
20. CVE-2023-46313
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Katie Seaborn Zotpress plugin <= 7.3.4 versions.
References: https://patchstack.com/database/vulnerability/zotpress/wordpress-zotpress-plugin-7-3-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
21. CVE-2023-46622
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ollybach WPPizza – A Restaurant Plugin plugin <= 3.18.2 versions.
References: https://patchstack.com/database/vulnerability/wppizza/wordpress-wppizza-plugin-3-18-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
22. CVE-2022-3007
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: ** UNSUPPPORTED WHEN ASSIGNED ** The vulnerability exists in Syska SW100 Smartwatch due to an improper implementation and/or configuration of Nordic Device Firmware Update (DFU) which is used for performing Over-The-Air (OTA) firmware updates on the Bluetooth Low Energy (BLE) devices. An unauthenticated attacker could exploit this vulnerability by setting arbitrary values to handle on the vulnerable device over Bluetooth.
Successful exploitation of this vulnerability could allow the attacker to perform firmware update, device reboot or data manipulation on the target device.
References: https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2023-0333
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
23. CVE-2023-38994
Base Score: 7.9
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 5.8
Description: An issue in Univention UCS v.5.0 allows a local attacker to execute arbitrary code and gain privileges via the check_univention_joinstatus function.
References: https://forge.univention.org/bugzilla/show_bug.cgi?id=56324
https://forge.univention.org/bugzilla/show_bug.cgi?id=56324#c0
https://www.drive-byte.de/en/blog/simple-yet-effective-the-story-of-some-simple-bugs-that-led-to-the-complete-compromise-of-a-network
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
24. CVE-2023-5099
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The HTML filter and csv-file search plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.7 via the 'src' attribute of the 'csvsearch' shortcode. This allows authenticated attackers, with contributor-level permissions and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
References: https://plugins.trac.wordpress.org/changeset/2985200/hk-filter-and-search
https://www.wordfence.com/threat-intel/vulnerabilities/id/ee2b4055-8cbd-49b7-bb0b-eddef85060fc?source=cve
CWE-ID: CWE-98
Common Platform Enumerations (CPE): Not Found
25. CVE-2023-22518
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. There is no impact to confidentiality as an attacker cannot exfiltrate any instance data.
Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
References: https://confluence.atlassian.com/pages/viewpage.action?pageId=1311473907
https://jira.atlassian.com/browse/CONFSERVER-93142
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
26. CVE-2023-37243
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: The C:\Windows\Temp\Agent.Package.Availability\Agent.Package.Availability.exe file is automatically launched as SYSTEM when the system reboots. Since the C:\Windows\Temp\Agent.Package.Availability folder inherits permissions from C:\Windows\Temp and Agent.Package.Availability.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges.
References: https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0010.md
CWE-ID: CWE-379
Common Platform Enumerations (CPE): Not Found
27. CVE-2023-40050
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: Upload profile either
through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec
check command with maliciously crafted profile allows remote code execution.
References: https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Automate-CVE-2023-40050
https://docs.chef.io/automate/profiles/
https://docs.chef.io/release_notes_automate/
CWE-ID: CWE-434 CWE-94
Common Platform Enumerations (CPE): Not Found
28. CVE-2023-42658
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.0
Impact Score: 6.0
Description:
Archive command in Chef InSpec prior to 4.56.58 and 5.22.29 allow local command execution via maliciously crafted profile.
References: https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Inspec-CVE-2023-42658
https://docs.chef.io/inspec/cli/
https://docs.chef.io/release_notes_inspec/
CWE-ID: CWE-917 CWE-94
Common Platform Enumerations (CPE): Not Found
29. CVE-2023-46236
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to version 1.5.10, a server-side-request-forgery (SSRF) vulnerability allowed an unauthenticated user to trigger a GET request as the server to an arbitrary endpoint and URL scheme. This also allows remote access to files visible to the Apache user group. Other impacts vary based on server configuration. Version 1.5.10 contains a patch.
References: https://github.com/FOGProject/fogproject/commit/9125f35ff649a3e7fd7771b1c8e5add3c726f763
https://github.com/FOGProject/fogproject/security/advisories/GHSA-8qg4-9363-873h
CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found
30. CVE-2023-46239
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected.
References: https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617
https://github.com/quic-go/quic-go/releases/tag/v0.37.3
https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h
CWE-ID: CWE-248
Common Platform Enumerations (CPE): Not Found
31. CVE-2023-46240
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.
References: https://codeigniter4.github.io/userguide/general/errors.html#error-reporting
https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj
CWE-ID: CWE-209
Common Platform Enumerations (CPE): Not Found
32. CVE-2023-46245
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Kimai is a web-based multi-user time-tracking application. Versions 2.1.0 and prior are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. As of time of publication, no patches or known workarounds are available.
References: https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw
CWE-ID: CWE-1336
Common Platform Enumerations (CPE): Not Found
33. CVE-2023-46248
Base Score: 9.0
Base Severity: CRITICAL
Exploitability Score: 2.3
Impact Score: 6.0
Description: Cody is an artificial intelligence (AI) coding assistant. The Cody AI VSCode extension versions 0.10.0 through 0.14.0 are vulnerable to Remote Code Execution under certain conditions. An attacker in control of a malicious repository could modify the Cody configuration file `.vscode/cody.json` and overwrite Cody commands. If a user with the extension installed opens this malicious repository and runs a Cody command such as /explain or /doc, this could allow arbitrary code execution on the user's machine. The vulnerability is rated as critical severity, but with low exploitability. It requires the user to have a malicious repository loaded and execute the overwritten command in VS Code. The issue is exploitable regardless of the user blocking code execution on a repository through VS Code Workspace Trust. The issue was found during a regular 3rd party penetration test. The maintainers of Cody do not have evidence of open source repositories having malicious `.vscode/cody.json` files to exploit this vulnerability. The issue is fixed in version 0.14.1 of the Cody VSCode extension. In case users can't promptly upgrade, they should not open any untrusted repositories with the Cody extension loaded.
References: https://github.com/sourcegraph/cody/pull/1414
https://github.com/sourcegraph/cody/security/advisories/GHSA-8wmq-fwv7-xmwq
CWE-ID: CWE-15
Common Platform Enumerations (CPE): Not Found
34. CVE-2023-46249
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 2.8
Impact Score: 6.0
Description: authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint to create the default admin user, which can also optionally set the default admin users' password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again. authentik 2023.8.4 and 2023.10.2 fix this issue. As a workaround, ensure the default admin user (Username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user, and store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin.
References: https://github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0
https://github.com/goauthentik/authentik/commit/ea75741ec22ecef34bc7073f1163e17a8a2bf9fc
https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.2
https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.4
https://github.com/goauthentik/authentik/security/advisories/GHSA-rjvp-29xq-f62w
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
35. CVE-2023-46723
Base Score: 8.9
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 6.0
Description: lte-pic32-writer is a writer for PIC32 devices. In versions 0.0.1 and prior, those who use `sendto.txt` are vulnerable to attackers who known the IMEI reading the sendto.txt. The sendto.txt file can contain the SNS(such as slack and zulip) URL and API key. As of time of publication, a patch is not yet available. As workarounds, avoid using `sendto.txt` or use `.htaccess` to block access to `sendto.txt`.
References: https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh
CWE-ID: CWE-538
Common Platform Enumerations (CPE): Not Found
36. CVE-2023-20886
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: VMware Workspace ONE UEM console contains an open redirect vulnerability.
A malicious actor may be able to redirect a victim to an attacker and retrieve their SAML response to login as the victim user.
References: https://www.vmware.com/security/advisories/VMSA-2023-0025.html
CWE-ID: CWE-601
Common Platform Enumerations (CPE): Not Found
37. CVE-2023-3676
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A security issue was discovered in Kubernetes where a user
that can create pods on Windows nodes may be able to escalate to admin
privileges on those nodes. Kubernetes clusters are only affected if they
include Windows nodes.
References: https://github.com/kubernetes/kubernetes/issues/119339
https://groups.google.com/g/kubernetes-security-announce/c/d_fvHZ9a5zc
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
38. CVE-2023-3955
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A security issue was discovered in Kubernetes where a user
that can create pods on Windows nodes may be able to escalate to admin
privileges on those nodes. Kubernetes clusters are only affected if they
include Windows nodes.
References: https://github.com/kubernetes/kubernetes/issues/119595
https://groups.google.com/g/kubernetes-security-announce/c/JrX4bb7d83E
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found