Latest Vulnerabilities Updates: AppSecWorld's CVE Daily Digest for November 09-10, 2023

In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between November 09-10, 2023.
During this period, the National Vulnerability Database published 104 new Common Vulnerabilities and Exposures (CVEs), classified as follows:

Critical: 3
High: 8
Medium: 17
Low: 10
Severity Not Assigned: 66

Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.

1. CVE-2021-43609
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: An issue was discovered in Spiceworks Help Desk Server before 1.3.3. A Blind Boolean SQL injection vulnerability within the order_by_for_ticket function in app/models/reporting/database_query.rb allows an authenticated attacker to execute arbitrary SQL commands via the sort parameter. This can be leveraged to leak local files from the host system, leading to remote code execution (RCE) through deserialization of malicious data.
References: https://community.spiceworks.com/blogs/help-desk-server-release-notes/3610-1-3-2-1-3-3
https://github.com/d5sec/CVE-2021-43609-POC
https://www.linkedin.com/pulse/cve-2021-43609-write-up-division5-security-4lgwe

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

2. CVE-2023-40054
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. We found this issue was not resolved in CVE-2023-33226.
References: https://documentation.solarwinds.com/en/success_center/ncm/content/release_notes/ncm_2023-4-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40054

CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found

3. CVE-2023-40055
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. We found this issue was not resolved in CVE-2023-33227.
References: https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40055

CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found

4. CVE-2023-41137
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: Symmetric encryption used to protect messages between the AppsAnywhere server and client can be broken by reverse engineering the client and used to impersonate the AppsAnywhere server.
References: https://docs.appsanywhere.com/appsanywhere/3.1/2023-11-security-advisory

CWE-ID: CWE-321
Common Platform Enumerations (CPE): Not Found

5. CVE-2023-41138
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 0.8
Impact Score: 6.0
Description: The AppsAnywhere macOS client-privileged helper can be tricked into executing arbitrary commands with elevated permissions by a local user process.
References: https://docs.appsanywhere.com/appsanywhere/3.1/2023-11-security-advisory

CWE-ID: CWE-226
Common Platform Enumerations (CPE): Not Found

6. CVE-2023-43791
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced.
References: https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b
https://github.com/HumanSignal/label-studio/pull/4690
https://github.com/HumanSignal/label-studio/releases/tag/1.8.2
https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m

CWE-ID: CWE-200
Common Platform Enumerations (CPE): Not Found

7. CVE-2023-46743
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 0.7
Impact Score: 6.0
Description: application-collabora is an integration of Collabora Online in XWiki. As part of the application use cases, depending on the rights that a user has over a document, they should be able to open the office attachments files in view or edit mode. Currently, if a user opens an attachment file in edit mode in collabora, this right will be preserved for all future users, until the editing session is closed, even if some of them have only view right. Collabora server is the one issuing this request and it seems that the `userCanWrite` query parameter is cached, even if, for example, token is not. This issue has been patched in version 1.3.
References: https://github.com/xwikisas/application-collabora/security/advisories/GHSA-mvq3-xxg2-rj57

CWE-ID: CWE-276
Common Platform Enumerations (CPE): Not Found

8. CVE-2023-47110
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 5.3
Description: blockreassurance adds an information block aimed at offering helpful information to reassure customers that their store is trustworthy. An ajax function in module blockreassurance allows modifying any value in the configuration table. This vulnerability has been patched in version 5.1.4.
References: https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-xfm3-hjcc-gv78

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found

9. CVE-2023-47610
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a remote unauthenticated attacker to execute arbitrary code on the targeted system by sending a specially crafted SMS message.
References: https://ics-cert.kaspersky.com/advisories/2023/11/08/klcert-23-018-telit-cinterion-thales-gemalto-modules-buffer-copy-without-checking-size-of-input-vulnerability/

CWE-ID: CWE-120
Common Platform Enumerations (CPE): Not Found

10. CVE-2023-39198
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 0.8
Impact Score: 6.0
Description: A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.
References: https://access.redhat.com/security/cve/CVE-2023-39198
https://bugzilla.redhat.com/show_bug.cgi?id=2218332

CWE-ID: CWE-416
Common Platform Enumerations (CPE): Not Found

11. CVE-2023-4379
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 1.7
Impact Score: 5.8
Description: An issue has been discovered in GitLab EE affecting all versions starting from 15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Code owner approval was not removed from merge requests when the target branch was updated.
References: https://gitlab.com/gitlab-org/gitlab/-/issues/415496

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found
