In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between November 21-22, 2023.
During this period, the National Vulnerability Database published 62 new Common Vulnerabilities and Exposures (CVEs), classified as follows:
Critical: 7
High: 18
Medium: 16
Low: 5
Severity Not Assigned: 16
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-40151
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: When user authentication is not enabled, the shell can execute commands with the highest privileges. On Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP, the RTU will simply accept the message with no authentication challenge.
References: https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution
https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01
CWE-ID: CWE-749
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-6144
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: Dev blog v1.0 allows an account takeover through the "user" cookie. With this, an attacker can access any user's session just by knowing their username.
References: https://fluidattacks.com/advisories/almighty/
https://github.com/Armanidrisi/devblog/
CWE-ID: CWE-639
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-42770
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: On Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP, the RTU will simply accept the message with no authentication challenge.
References: https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution
https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01
CWE-ID: CWE-288
Common Platform Enumerations (CPE): Not Found
4. CVE-2023-21416
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi was vulnerable to a Denial-of-Service attack allowing an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account; however, the impact is equal. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
References: https://www.axis.com/dam/public/35/2a/a6/cve-2023-21416-en-US-417790.pdf
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
5. CVE-2023-21417
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerable to path traversal attacks that allow file/folder deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator privileges. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
References: https://www.axis.com/dam/public/2a/82/12/cve-2023-21417-en-US-417791.pdf
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
6. CVE-2023-21418
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to path traversal attacks that allow file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator privileges. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
References: https://www.axis.com/dam/public/49/93/55/cve-2023-21418-en-US-417792.pdf
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
7. CVE-2023-4149
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: A vulnerability in the web-based management allows an unauthenticated remote attacker to inject arbitrary system commands and gain full system control. Those commands are executed with root privileges. The vulnerability is located in the user request handling of the web-based management.
References: https://cert.vde.com/en/advisories/VDE-2023-037
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
8. CVE-2023-4424
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: A malicious BLE device can cause a buffer overflow by sending a malformed advertising packet to a BLE device using Zephyr OS, leading to DoS or potential RCE on the victim BLE device.
References: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j4qm-xgpf-qjw3
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-5553
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 0.9
Impact Score: 6.0
Description: During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device tampering (commonly known as Secure Boot) in AXIS OS making it vulnerable to a sophisticated attack to bypass this protection. To Axis' knowledge, there are no known exploits of the vulnerability at this time. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
References: https://www.axis.com/dam/public/0a/66/25/cve-2023-5553-en-US-417789.pdf
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
10. CVE-2023-6235
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: An uncontrolled search path element vulnerability has been found in the Duet Display product, affecting version 2.5.9.1. An attacker could place an arbitrary libusk.dll file in the C:\Users\user\AppData\Local\Microsoft\WindowsApps\ directory, which could lead to the execution and persistence of arbitrary code.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/arbitrary-code-execution-duet-display
CWE-ID: CWE-427
Common Platform Enumerations (CPE): Not Found
11. CVE-2021-27502
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 1.4
Impact Score: 5.9
Description: In Texas Instruments TI-RTOS, when configured to use the HeapMem heap (default), malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'HeapMem_allocUnprotected' and result in code execution.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-21-119-04
https://www.ti.com/tool/TI-RTOS-MCU
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
12. CVE-2021-27504
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 1.4
Impact Score: 5.9
Description: On Texas Instruments devices running FreeRTOS, malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'malloc' for FreeRTOS, resulting in code execution.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-21-119-04
https://www.ti.com/tool/TI-RTOS-MCU
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
13. CVE-2023-22516
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Bamboo Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7.
JDK 1.8u121+ should be used if Java 8 is used to run Bamboo Data Center and Server. See the Bamboo 9.2 upgrade notes (https://confluence.atlassian.com/bambooreleases/bamboo-9-2-upgrade-notes-1207179212.html).
Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.4.
See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).
This vulnerability was discovered by a private user and reported via our Bug Bounty program.
References: https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573
https://jira.atlassian.com/browse/BAM-25168
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
14. CVE-2023-22521
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 1.3
Impact Score: 6.0
Description: This High severity RCE (Remote Code Execution) vulnerability was introduced in version 3.4.6 of Crowd Data Center and Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.0, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Crowd Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Crowd Data Center and Server 3.4: Upgrade to a release greater than or equal to 5.1.6.
Crowd Data Center and Server 5.2: Upgrade to a release greater than or equal to 5.2.1.
See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive).
This vulnerability was discovered by m1sn0w and reported via our Bug Bounty program.
References: https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573
https://jira.atlassian.com/browse/CWD-6139
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
15. CVE-2023-5055
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: Possible variant of CVE-2021-3434 in function le_ecred_reconf_req.
References: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wr8r-7f8x-24jj
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
16. CVE-2021-38405
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: The Datalogics APDFL library used in affected products is vulnerable to a memory corruption condition while parsing specially crafted PDF files. An attacker could leverage this vulnerability to execute code in the context of the current process.
References: https://cert-portal.siemens.com/productcert/pdf/ssa-301589.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-22-041-07
CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found
17. CVE-2023-48228
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: authentik is an open-source identity provider. When initialising an OAuth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the single sign-on provider (authentik) must check that a matching `code_verifier` is present during the token step. Prior to versions 2023.10.4 and 2023.8.5, authentik compares the contents of `code_verifier` only when it is provided. When it is left out completely, authentik simply accepts the token request without it, even when the flow was started with a `code_challenge`. authentik 2023.8.5 and 2023.10.4 fix this issue.
References: https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225
https://github.com/goauthentik/authentik/commit/3af77ab3821fe9c7df8055ba5eade3d1ecea03a6
https://github.com/goauthentik/authentik/commit/6b9afed21f7c39f171a4a445654cfe415bba37d5
https://github.com/goauthentik/authentik/commit/b88e39411c12e3f9e04125a7887f12354f760a14
https://github.com/goauthentik/authentik/pull/7666
https://github.com/goauthentik/authentik/pull/7668
https://github.com/goauthentik/authentik/pull/7669
https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.4
https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.5
https://github.com/goauthentik/authentik/security/advisories/GHSA-fm34-v8xq-f2c3
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
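The entry above describes a PKCE check that only fires when the client chooses to send a `code_verifier`. The block below is an added example, not authentik's code or its fix: it models the token-step decision in the weak form described in the entry and in a corrected form where, once a `code_challenge` has been bound to the authorization code, a missing or malformed `code_verifier` is a hard failure. `compute_challenge`, `weak_token_step` and `fixed_token_step` are names chosen for this example; the challenge derivation follows RFC 7636 (S256 is base64url of SHA-256, without padding).

```python
"""Added example (not authentik's code): the PKCE verification at the
OAuth2 token endpoint, in the weak form the advisory describes and in a
corrected form that rejects a missing code_verifier."""
import base64
import hashlib
import hmac
import re

# RFC 7636 section 4.1: 43..128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def compute_challenge(verifier: str, method: str) -> str:
    """Derive the code_challenge a client would have sent at /authorize."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method}")


def weak_token_step(stored_challenge, stored_method, code_verifier) -> bool:
    """Weak pattern: the verifier is compared only when the client sends it.
    A request that omits code_verifier entirely is accepted even though the
    flow was started with a code_challenge, so PKCE protects nothing."""
    if code_verifier is not None:
        return compute_challenge(code_verifier, stored_method) == stored_challenge
    return True


def fixed_token_step(stored_challenge, stored_method, code_verifier) -> bool:
    """Corrected pattern: if a code_challenge was stored with the
    authorization code, code_verifier is mandatory, must be well-formed,
    and must reproduce the stored challenge."""
    if stored_challenge is None:
        # The flow never requested PKCE; whether to require it for public
        # clients is a separate policy decision not modelled here.
        return True
    if code_verifier is None or not _VERIFIER_RE.match(code_verifier):
        return False
    expected = compute_challenge(code_verifier, stored_method)
    # Constant-time comparison; the challenge is not secret, but this keeps
    # the check uniform with the rest of the token endpoint.
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    # Constructed flow: the client sent this challenge at /authorize.
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    challenge = compute_challenge(verifier, "S256")
    print("weak step, verifier omitted :", weak_token_step(challenge, "S256", None))
    print("fixed step, verifier omitted:", fixed_token_step(challenge, "S256", None))
    print("fixed step, correct verifier:", fixed_token_step(challenge, "S256", verifier))
```

The difference is a single branch: the authorization server must key its decision on what was stored when the code was issued, not on what the token request happens to contain.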
18. CVE-2023-48239
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server, and starting in version 20.0.0 and prior to versions 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Enterprise Server, a malicious user could update any personal or global external storage, making it inaccessible for everyone else as well. Nextcloud Server 25.0.13, 26.0.8, and 27.1.3 and Nextcloud Enterprise Server 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 contain a patch for this issue. As a workaround, disable the files_external app. This workaround also makes the external storage inaccessible but retains the configurations until a patched version has been deployed.
References: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267
https://github.com/nextcloud/server/pull/41123
https://hackerone.com/reports/2212627
CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found
19. CVE-2023-6238
Base Score: 7.0
Base Severity: HIGH
Exploitability Score: 1.0
Impact Score: 5.9
Description: A buffer overflow vulnerability was found in the NVM Express (NVMe) driver in the Linux kernel. An unprivileged user could specify a small meta buffer and let the device perform larger Direct Memory Access (DMA) into the same buffer, overwriting unrelated kernel memory, causing random kernel crashes and memory corruption.
References: https://access.redhat.com/security/cve/CVE-2023-6238
https://bugzilla.redhat.com/show_bug.cgi?id=2250834
CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found
20. CVE-2023-49103
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.
References: https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
https://owncloud.org/security
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
21. CVE-2023-49104
Base Score: 8.7
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.8
Description: An issue was discovered in ownCloud owncloud/oauth2 before 0.6.1, when Allow Subdomains is enabled. An attacker is able to pass in a crafted redirect-url that bypasses validation, and consequently allows an attacker to redirect callbacks to a Top Level Domain controlled by the attacker.
References: https://owncloud.com/security-advisories/subdomain-validation-bypass/
https://owncloud.org/security
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
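The entry above concerns redirect-URI validation when subdomains of the registered host are permitted, a setting that makes string matching on the host easy to get wrong. The block below is an added example, not ownCloud's code and not a reconstruction of the specific bypass: the weak function shows a generic substring check that accepts a host whose name merely contains the registered host, and the strict function shows the label-boundary rule (equal host, or `<label>.<registered host>`) together with the exact-match requirements on scheme, port, path and query that RFC 6749 implies. Function names and the `app.example.com` registration are constructed for this example.

```python
"""Added example (not ownCloud's code): validating an OAuth2 redirect URI
against the registered one when subdomains are allowed."""
from urllib.parse import urlsplit


def _host(uri: str) -> str:
    """Lower-cased host without a trailing dot; empty if the URI has none."""
    return (urlsplit(uri).hostname or "").rstrip(".").lower()


def weak_redirect_allowed(redirect_uri: str, registered_uri: str) -> bool:
    """Weak pattern (generic illustration): a substring test on the host.
    'app.example.com' occurs inside 'app.example.com.attacker.tld', so the
    callback, and the authorization code with it, can be sent to a domain
    the attacker controls."""
    return _host(registered_uri) in _host(redirect_uri)


def strict_redirect_allowed(redirect_uri: str, registered_uri: str,
                            allow_subdomains: bool = False) -> bool:
    """Hardened pattern: everything except the host must match the
    registration exactly; the host must be the registered host or, when
    subdomains are allowed, a label prefixed to it."""
    r, g = urlsplit(redirect_uri), urlsplit(registered_uri)
    if r.scheme != g.scheme or r.port != g.port:
        return False
    if r.path != g.path or r.query != g.query:
        return False
    # RFC 6749: no fragment in a redirect URI; userinfo is a classic trick
    # to make 'registered-host@attacker' look like the registered host.
    if r.fragment or r.username is not None or r.password is not None:
        return False
    rh, gh = _host(redirect_uri), _host(registered_uri)
    if not rh or not gh:
        return False
    if rh == gh:
        return True
    # Label boundary: 'eu.app.example.com' qualifies, 'evil-app.example.com'
    # and 'app.example.com.attacker.tld' do not.
    return allow_subdomains and rh.endswith("." + gh)


if __name__ == "__main__":
    registered = "https://app.example.com/callback"
    candidate = "https://app.example.com.attacker.tld/callback"
    print("weak  :", weak_redirect_allowed(candidate, registered))
    print("strict:", strict_redirect_allowed(candidate, registered, True))
```

Comparing parsed components rather than raw strings is what keeps the check honest: `urlsplit` already separates userinfo, host and port, so the validator never has to reason about `@`, `:` or `.` inside an opaque string.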
22. CVE-2023-49105
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.
References: https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
https://owncloud.org/security
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
23. CVE-2023-6248
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service. The MQTT server also leaks the location, video and diagnostic data from each connected device. An attacker who knows the IP address of the server is able to connect and perform the following operations:
* Get location data of the vehicle the device is connected to
* Send CAN bus messages via the ECU module (https://syrus.digitalcomtech.com/docs/ecu-1)
* Immobilize the vehicle via the safe-immobilizer module (https://syrus.digitalcomtech.com/docs/system-tools#safe-immobilization)
* Get live video through the connected video camera
* Send audio messages to the driver (https://syrus.digitalcomtech.com/docs/system-tools#apx-tts)
References: https://www.digitalcomtech.com/product/syrus-4g-iot-telematics-gateway/
CWE-ID: CWE-200 CWE-287 CWE-319 CWE-94
Common Platform Enumerations (CPE): Not Found
24. CVE-2023-48699
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description: fastbots is a library for fast bot and scraper development using selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file to contain Python code that is executed without proper validation, which could lead to RCE. The vulnerability is in the function `def __locator__(self, locator_name: str)` in `page.py`. In order to mitigate this issue, upgrade to fastbots version 0.1.5 or above.
References: https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57
https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806
https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9
CWE-ID: CWE-95
Common Platform Enumerations (CPE): Not Found
25. CVE-2023-48701
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.3
Description: Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 and 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel, which requires authentication. This issue has been patched in 3.4.15 and 4.36.0.
References: https://github.com/statamic/cms/releases/tag/v3.4.15
https://github.com/statamic/cms/releases/tag/v4.36.0
https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between November 21-22, 2023.
During this period, The National Vulnerability Database published 62, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 7
High: 18
Medium: 16
Low: 5
Severity Not Assigned: 16
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-40151
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description:
When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP the RTU will simply accept the message with no authentication challenge.
References: https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution
https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01
CWE-ID: CWE-749
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-6144
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: Dev blog v1.0 allows to exploit an account takeover through the "user" cookie. With this, an attacker can access any user's session just by knowing their username.
References: https://fluidattacks.com/advisories/almighty/
https://github.com/Armanidrisi/devblog/
CWE-ID: CWE-639
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-42770
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description:
Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP the RTU will simply accept the message with no authentication challenge.
References: https://https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution
https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01
CWE-ID: CWE-288
Common Platform Enumerations (CPE): Not Found
4. CVE-2023-21416
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi was vulnerable to a Denial-of-Service attack allowing for an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account however the impact is equal. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
References: https://www.axis.com/dam/public/35/2a/a6/cve-2023-21416-en-US-417790.pdf
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
5. CVE-2023-21417
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: Sandro Poppi, member of the AXIS OS Bug Bounty Program,
has found that the VAPIX API manageoverlayimage.cgi was vulnerable to path traversal attacks that allows for file/folder deletion. This flaw can only be exploited after authenticating with an operator- or administrator- privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator-privileges.
Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
References: https://www.axis.com/dam/public/2a/82/12/cve-2023-21417-en-US-417791.pdf
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
6. CVE-2023-21418
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator-privileges. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
References: https://www.axis.com/dam/public/49/93/55/cve-2023-21418-en-US-417792.pdf
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
7. CVE-2023-4149
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: A vulnerability in the web-based management allows an unauthenticated remote attacker to inject arbitrary system commands and gain full system control. Those commands are executed with root privileges. The vulnerability is located in the user request handling of the web-based management.
References: https://cert.vde.com/en/advisories/VDE-2023-037
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
8. CVE-2023-4424
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: An malicious BLE device can cause buffer overflow by sending malformed advertising packet BLE device using Zephyr OS, leading to DoS or potential RCE on the victim BLE device.
References: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j4qm-xgpf-qjw3
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-5553
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 0.9
Impact Score: 6.0
Description: During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device tampering (commonly known as Secure Boot) in AXIS OS making it vulnerable to a sophisticated attack to bypass this protection. To Axis' knowledge, there are no known exploits of the vulnerability at this time. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
References: https://www.axis.com/dam/public/0a/66/25/cve-2023-5553-en-US-417789.pdf
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
10. CVE-2023-6235
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: An uncontrolled search path element vulnerability has been found in the Duet Display product, affecting version 2.5.9.1. An attacker could place an arbitrary libusk.dll file in the C:\Users\user\AppData\Local\Microsoft\WindowsApps\ directory, which could lead to the execution and persistence of arbitrary code.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/arbitrary-code-execution-duet-display
CWE-ID: CWE-427
Common Platform Enumerations (CPE): Not Found
11. CVE-2021-27502
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 1.4
Impact Score: 5.9
Description: Texas Instruments TI-RTOS, when configured to use HeapMem heap(default),
malloc returns a valid pointer to a small buffer on extremely large
values, which can trigger an integer overflow vulnerability in
'HeapMem_allocUnprotected' and result in code execution.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-21-119-04
https://www.ti.com/tool/TI-RTOS-MCU
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
12. CVE-2021-27504
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 1.4
Impact Score: 5.9
Description: Texas Instruments devices running FREERTOS, malloc returns a valid
pointer to a small buffer on extremely large values, which can trigger
an integer overflow vulnerability in 'malloc' for FreeRTOS, resulting in
code execution.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-21-119-04
https://www.ti.com/tool/TI-RTOS-MCU
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
13. CVE-2023-22516
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7.
JDK 1.8u121+ should be used in case Java 8 used to run Bamboo Data Center and Server. See Bamboo 9.2 Upgrade notes (https://confluence.atlassian.com/bambooreleases/bamboo-9-2-upgrade-notes-1207179212.html)
Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.4
See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).
This vulnerability was discovered by a private user and reported via our Bug Bounty program
References: https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573
https://jira.atlassian.com/browse/BAM-25168
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
14. CVE-2023-22521
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 1.3
Impact Score: 6.0
Description: This High severity RCE (Remote Code Execution) vulnerability was introduced in version 3.4.6 of Crowd Data Center and Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.0, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Crowd Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Crowd Data Center and Server 3.4: Upgrade to a release greater than or equal to 5.1.6.
Crowd Data Center and Server 5.2: Upgrade to a release greater than or equal to 5.2.1.
See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive).
This vulnerability was discovered by m1sn0w and reported via our Bug Bounty program.
References: https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573
https://jira.atlassian.com/browse/CWD-6139
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
15. CVE-2023-5055
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: Possible variant of CVE-2021-3434 in function le_ecred_reconf_req.
References: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wr8r-7f8x-24jj
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
16. CVE-2021-38405
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: The Datalogics APDFL library used in affected products is vulnerable to memory corruption condition while parsing specially crafted PDF files. An attacker could leverage this vulnerability to execute code in the context of the current process.
References: https://cert-portal.siemens.com/productcert/pdf/ssa-301589.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-22-041-07
CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found
17. CVE-2023-48228
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: authentik is an open-source identity provider. When initialising an OAuth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the single sign-on provider (authentik) must check that a matching `code_verifier` is present during the token step. Prior to versions 2023.10.4 and 2023.8.5, authentik checks whether the contents of `code_verifier` match only when it is provided. When it is left out completely, authentik simply accepts the token request without it, even when the flow was started with a `code_challenge`. authentik 2023.8.5 and 2023.10.4 fix this issue.
References: https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225
https://github.com/goauthentik/authentik/commit/3af77ab3821fe9c7df8055ba5eade3d1ecea03a6
https://github.com/goauthentik/authentik/commit/6b9afed21f7c39f171a4a445654cfe415bba37d5
https://github.com/goauthentik/authentik/commit/b88e39411c12e3f9e04125a7887f12354f760a14
https://github.com/goauthentik/authentik/pull/7666
https://github.com/goauthentik/authentik/pull/7668
https://github.com/goauthentik/authentik/pull/7669
https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.4
https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.5
https://github.com/goauthentik/authentik/security/advisories/GHSA-fm34-v8xq-f2c3
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
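The missing-verifier check described for CVE-2023-48228, shown as an added example that is not authentik's own code: a pre-fix token-endpoint check that only compares `code_verifier` when it is present, beside a corrected check that rejects a token request lacking the verifier whenever the authorization request recorded a `code_challenge`. Function names and the stored-challenge representation are assumptions; the verifier/challenge pair is the RFC 7636 S256 example.

```python
import base64
import hashlib
import hmac
from typing import Optional


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _challenge_matches(challenge: str, method: str, verifier: str) -> bool:
    """Compare the recorded challenge against the transform of the presented verifier."""
    if method == "S256":
        expected = s256_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False  # unknown transform: never accept
    return hmac.compare_digest(expected, challenge)


def verify_pkce_vulnerable(stored_challenge: Optional[str], method: str,
                           verifier: Optional[str]) -> bool:
    """Pre-fix logic as the advisory describes it: the verifier is validated only
    when the client sends one, so omitting it skips PKCE entirely."""
    if verifier is not None and stored_challenge is not None:
        return _challenge_matches(stored_challenge, method, verifier)
    return True  # BUG: challenge recorded but no verifier -> request still accepted


def verify_pkce_fixed(stored_challenge: Optional[str], method: str,
                      verifier: Optional[str]) -> bool:
    """Corrected logic: once the authorization request bound a challenge, the
    token request must carry a verifier, and it must match."""
    if stored_challenge is None:
        return True  # PKCE was never requested for this flow; nothing to verify
    if verifier is None:
        return False  # challenge present, verifier absent: reject
    return _challenge_matches(stored_challenge, method, verifier)


# Constructed flow state: the RFC 7636 Appendix B example pair.
VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
CHALLENGE = s256_challenge(VERIFIER)

if __name__ == "__main__":
    print("vulnerable, verifier omitted:", verify_pkce_vulnerable(CHALLENGE, "S256", None))
    print("fixed, verifier omitted:     ", verify_pkce_fixed(CHALLENGE, "S256", None))
    print("fixed, verifier correct:     ", verify_pkce_fixed(CHALLENGE, "S256", VERIFIER))
```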
18. CVE-2023-48239
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server, and starting in version 20.0.0 and prior to versions 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Enterprise Server, a malicious user could update any personal or global external storage, making it inaccessible for everyone else as well. Nextcloud Server 25.0.13, 26.0.8, and 27.1.3 and Nextcloud Enterprise Server 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 contain a patch for this issue. As a workaround, disable the files_external app. This workaround also makes the external storage inaccessible but retains the configurations until a patched version has been deployed.
References: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267
https://github.com/nextcloud/server/pull/41123
https://hackerone.com/reports/2212627
CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found
19. CVE-2023-6238
Base Score: 7.0
Base Severity: HIGH
Exploitability Score: 1.0
Impact Score: 5.9
Description: A buffer overflow vulnerability was found in the NVM Express (NVMe) driver in the Linux kernel. An unprivileged user could specify a small meta buffer and let the device perform larger Direct Memory Access (DMA) into the same buffer, overwriting unrelated kernel memory, causing random kernel crashes and memory corruption.
References: https://access.redhat.com/security/cve/CVE-2023-6238
https://bugzilla.redhat.com/show_bug.cgi?id=2250834
CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found
20. CVE-2023-49103
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.
References: https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
https://owncloud.org/security
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
21. CVE-2023-49104
Base Score: 8.7
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.8
Description: An issue was discovered in ownCloud owncloud/oauth2 before 0.6.1, when Allow Subdomains is enabled. An attacker is able to pass in a crafted redirect-url that bypasses validation, and consequently allows an attacker to redirect callbacks to a Top Level Domain controlled by the attacker.
References: https://owncloud.com/security-advisories/subdomain-validation-bypass/
https://owncloud.org/security
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
22. CVE-2023-49105
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.
References: https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
https://owncloud.org/security
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
23. CVE-2023-6248
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service. The MQTT server also leaks the location, video and diagnostic data from each connected device. An attacker who knows the IP address of the server is able to connect and perform the following operations:
* Get location data of the vehicle the device is connected to
* Send CAN bus messages via the ECU module (https://syrus.digitalcomtech.com/docs/ecu-1)
* Immobilize the vehicle via the safe-immobilizer module (https://syrus.digitalcomtech.com/docs/system-tools#safe-immobilization)
* Get live video through the connected video camera
* Send audio messages to the driver (https://syrus.digitalcomtech.com/docs/system-tools#apx-tts)
References: https://www.digitalcomtech.com/product/syrus-4g-iot-telematics-gateway/
CWE-ID: CWE-200 CWE-287 CWE-319 CWE-94
Common Platform Enumerations (CPE): Not Found
24. CVE-2023-48699
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description: fastbots is a library for fast bot and scraper development using Selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file with Python code that is executed without proper validation, which could lead to RCE. The vulnerability is in the function `def __locator__(self, locator_name: str)` in `page.py`. To mitigate this issue, upgrade to fastbots version 0.1.5 or above.
References: https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57
https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806
https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9
CWE-ID: CWE-95
Common Platform Enumerations (CPE): Not Found
25. CVE-2023-48701
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.3
Description: Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 and 4.36.0, HTML files crafted to look like images may be uploaded regardless of MIME validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel, which requires authentication. This issue has been patched in 3.4.15 and 4.36.0.
References: https://github.com/statamic/cms/releases/tag/v3.4.15
https://github.com/statamic/cms/releases/tag/v4.36.0
https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found