Latest Vulnerabilities Updates: AppSecWorld's CVE Daily Digest for December 15-16, 2023

In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between December 15-16, 2023.
During this period, the National Vulnerability Database published 289 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:

Critical: 17
High: 23
Medium: 234
Low: 3
Severity Not Assigned: 12

Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.

1. CVE-2023-6831
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.8
Description: Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
References: https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1
https://huntr.com/bounties/0acdd745-0167-4912-9d5c-02035fe5b314

CWE-ID: CWE-29
Common Platform Enumerations (CPE): Not Found

2. CVE-2023-48371
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: ITPison OMICARD EDM’s file uploading function does not restrict upload of file with dangerous type. An unauthenticated remote attacker can exploit this vulnerability to upload and run arbitrary executable files to perform arbitrary system commands or disrupt service.
References: https://www.twcert.org.tw/tw/cp-132-7590-55002-1.html

CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found

3. CVE-2023-48372
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: ITPison OMICARD EDM's SMS-related function has insufficient validation for user input. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify and delete the database.
References: https://www.twcert.org.tw/tw/cp-132-7591-07c51-1.html

CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found

4. CVE-2023-48373
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: ITPison OMICARD EDM has a path traversal vulnerability within its parameter “FileName” in a specific function. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and download arbitrary system files.
References: https://www.twcert.org.tw/tw/cp-132-7592-998bf-1.html

CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found

5. CVE-2023-48375
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: SmartStar Software CWS is a web-based integration platform. It has a missing authorization vulnerability: users are able to access data or perform actions, via commands, that they should not be allowed to. An authenticated attacker with normal user privileges can perform administrator-level operations, resulting in arbitrary system operations or disruption of service.
References: https://www.twcert.org.tw/tw/cp-132-7594-dac20-1.html

CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found

6. CVE-2023-48376
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SmartStar Software CWS is a web-based integration platform. Its file uploading function does not restrict upload of files with dangerous types. An unauthenticated remote attacker can exploit this vulnerability to upload arbitrary files to perform arbitrary commands or disrupt service.
References: https://www.twcert.org.tw/tw/cp-132-7595-d58b1-1.html

CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found

7. CVE-2023-48378
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Softnext Mail SQR Expert has a path traversal vulnerability within its parameter in a specific URL. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and download arbitrary system files.
References: https://www.twcert.org.tw/tw/cp-132-7596-648f3-1.html

CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found

8. CVE-2023-6826
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: The E2Pdf plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'import_action' function in versions up to, and including, 1.20.25. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin, to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://plugins.trac.wordpress.org/browser/e2pdf/trunk/classes/controller/e2pdf-templates.php?rev=2993824#L1488
https://plugins.trac.wordpress.org/browser/e2pdf/trunk/classes/controller/e2pdf-templates.php?rev=2993824#L753
https://plugins.trac.wordpress.org/changeset/3009695/e2pdf#file0
https://www.wordfence.com/threat-intel/vulnerabilities/id/03faec37-2cce-4e14-92f2-d941ab1b4ce9?source=cve

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

9. CVE-2023-6827
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: The Essential Real Estate plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'ajaxUploadFonts' function in versions up to, and including, 4.3.5. This makes it possible for authenticated attackers with subscriber-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://plugins.trac.wordpress.org/browser/essential-real-estate/tags/4.3.5/lib/smart-framework/core/fonts/fonts.class.php#L524
https://plugins.trac.wordpress.org/changeset/3009780/essential-real-estate
https://www.wordfence.com/threat-intel/vulnerabilities/id/8bb2ce22-077b-41dd-a2ff-cc1db9d20d38?source=cve

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

10. CVE-2023-48380
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 5.9
Description: Softnext Mail SQR Expert is an email management platform. It has insufficient filtering for a special character within a specific function. A remote attacker authenticated as localhost can exploit this vulnerability to perform command injection attacks: execute arbitrary system commands, manipulate the system or disrupt service.
References: https://www.twcert.org.tw/tw/cp-132-7598-37b03-1.html

CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found

11. CVE-2023-48384
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: ArmorX Global Technology Corporation ArmorX Spam has insufficient validation for user input within a special function. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify and delete the database.
References: https://www.twcert.org.tw/tw/cp-132-7601-71c94-1.html

CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
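Entries 3 and 11 above (CVE-2023-48372 and CVE-2023-48384) are both CWE-89: user input reaches the database as statement text. The following is an added example written for this digest, not code from either vendor; the table, rows and payload are constructed. It shows the concatenation pattern leaking every row, the parameterised form that binds the same input harmlessly, and an allowlist for the one place (an ORDER BY column) where binding is not available:

```python
import sqlite3

# Constructed sample rows for the demonstration; not data from any product named above.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]

# Identifiers (table/column names) cannot be bound as parameters, so they go
# through an allowlist instead.  Hypothetical set for this example.
ALLOWED_SORT_COLUMNS = {"name", "email"}

# Classic tautology payload; the vulnerable template supplies the closing quote.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """CWE-89 shape: user input is concatenated into the statement text."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised statement: the driver binds the value; it is never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def list_sorted(conn: sqlite3.Connection, column: str) -> list:
    """An identifier taken from user input is mapped through an allowlist, not escaped."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(f"SELECT name, email FROM users ORDER BY {column}").fetchall()


def demo() -> dict:
    """Row counts each variant returns for the same injected input."""
    conn = make_db()
    try:
        list_sorted(conn, "name; DROP TABLE users")
        sort_rejected = False
    except ValueError:
        sort_rejected = True
    return {
        "vulnerable": len(lookup_vulnerable(conn, PAYLOAD)),  # every row leaks
        "safe": len(lookup_safe(conn, PAYLOAD)),              # no user has that literal name
        "legit": len(lookup_safe(conn, "alice")),
        "sort_rejected": sort_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the third function is the one practitioners most often miss: parameter binding covers values only, so anything that ends up as a table, column or ORDER BY identifier needs a fixed allowlist rather than escaping.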

12. CVE-2023-48388
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Multisuns EasyLog web+ has a vulnerability of using hard-coded credentials. A remote attacker can exploit this vulnerability to access the system to perform arbitrary system operations or disrupt service.
References: https://www.twcert.org.tw/tw/cp-132-7603-b1061-1.html

CWE-ID: CWE-798
Common Platform Enumerations (CPE): Not Found

13. CVE-2023-48389
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Multisuns EasyLog web+ has a path traversal vulnerability within its parameter in a specific URL. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and download arbitrary system files.
References: https://www.twcert.org.tw/tw/cp-132-7604-ab0fd-1.html

CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found

14. CVE-2023-48390
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Multisuns EasyLog web+ has a code injection vulnerability. An unauthenticated remote attacker can exploit this vulnerability to inject code and access the system to perform arbitrary system operations or disrupt service.
References: https://www.twcert.org.tw/tw/cp-132-7605-2d86d-1.html

CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found

15. CVE-2023-48392
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Kaifa Technology WebITR is an online attendance system. It uses a hard-coded encryption key. An unauthenticated remote attacker can generate a valid token parameter and exploit this vulnerability to access the system as an arbitrary user account, including the administrator's account, acting with that account's permissions and obtaining sensitive information.
References: https://www.twcert.org.tw/tw/cp-132-7622-57e5f-1.html

CWE-ID: CWE-798
Common Platform Enumerations (CPE): Not Found
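Entry 15 (CVE-2023-48392) describes the consequence of a hard-coded key: whoever extracts it from the product can mint a valid token for any account. The example below is added here and is not WebITR's code; the token layout, the key value and the environment variable name are assumptions. It forges an administrator token under the shared key, then shows the same token failing against a deployment that generated its own key:

```python
import hashlib
import hmac
import os
import secrets

# Stand-in for the anti-pattern: a key compiled into every shipped copy.
# Illustrative value only; nothing here is WebITR's actual key or token format.
HARDCODED_KEY = b"demo-static-key-shipped-in-binary"


def make_token(user: str, key: bytes, issued_at: int) -> str:
    """Hypothetical token layout: user|issued_at|HMAC-SHA256(user|issued_at)."""
    payload = f"{user}|{issued_at}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token: str, key: bytes, now: int, max_age: int = 3600):
    """Return the user name if the MAC verifies and the token is fresh, else None."""
    try:
        user, issued_str, mac = token.rsplit("|", 2)
        issued_at = int(issued_str)
    except ValueError:
        return None
    expected = hmac.new(key, f"{user}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes (str compare_digest rejects non-ASCII input).
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if not 0 <= now - issued_at <= max_age:
        return None
    return user


def generate_key() -> str:
    """Fresh per-deployment key, to be written to a secret store at install time."""
    return secrets.token_hex(32)


def load_key() -> bytes:
    """Fixed pattern: read the deployment's own key from the environment.

    The variable name is hypothetical; the point is that the key is not in the code.
    """
    value = os.environ.get("ATTENDANCE_TOKEN_KEY")
    if not value:
        raise RuntimeError("token signing key has not been provisioned")
    return bytes.fromhex(value)


def demo(now: int = 1_702_684_800) -> dict:
    """An attacker who knows HARDCODED_KEY mints an administrator token."""
    forged = make_token("administrator", HARDCODED_KEY, now)
    # Vulnerable deployment: the key in the product is the key the attacker has.
    vulnerable = verify_token(forged, HARDCODED_KEY, now)
    # Fixed deployment: a random key generated on this install; the same forged
    # token is rejected because its MAC was computed under a different key.
    fixed = verify_token(forged, bytes.fromhex(generate_key()), now)
    return {"vulnerable": vulnerable, "fixed": fixed}


if __name__ == "__main__":
    print(demo())
```

Note that the MAC construction itself is sound in both cases; the only thing that changed between the two deployments is whether the key is a secret of the installation or a constant of the product.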

16. CVE-2023-48394
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Kaifa Technology WebITR is an online attendance system. Its file uploading function does not restrict upload of files with dangerous types. A remote attacker with regular user privileges can exploit this vulnerability to upload arbitrary files to perform arbitrary commands or disrupt service.
References: https://www.twcert.org.tw/tw/cp-132-7624-d0300-1.html

CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found

17. CVE-2023-6837
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Multiple WSO2 products have been identified as vulnerable to user impersonation via JIT provisioning. For this vulnerability to have any impact on a deployment, the following conditions must be met:

* An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option.
* A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled.

The attacker must have:

* A fresh valid user account in the federated IDP that has not been used earlier.
* Knowledge of the username of a valid user in the local IDP.

When all preconditions are met, a malicious actor could use the JIT provisioning flow to perform user impersonation.

References: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573/

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

18. CVE-2023-33217
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: By abusing a design flaw in the firmware upgrade mechanism of the impacted terminal, it is possible to cause a permanent denial of service for the terminal. The only way to recover the terminal is to send it back to the manufacturer.
References: https://www.idemia.com/wp-content/uploads/2023/11/Security-Advisory-SA-2023-05-2.pdf

CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found

19. CVE-2023-6553
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.
References: https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php#L118
https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php#L38
https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php#L62
https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php#L64
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3006541%40backup-backup&new=3006541%40backup-backup&sfp_email=&sfph_mail=
https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it
https://www.wordfence.com/threat-intel/vulnerabilities/id/3511ba64-56a3-43d7-8ab8-c6e40e3b686e?source=cve

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

20. CVE-2023-33218
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: The Parameter Zone Read and Parameter Zone Write command handlers allow a stack buffer overflow. This could potentially lead to remote code execution on the targeted device.
References: https://www.idemia.com/wp-content/uploads/2023/11/Security-Advisory-SA-2023-05-2.pdf

CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found

21. CVE-2023-33219
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: The handler of the retrofit validation command doesn't properly check the boundaries when performing certain validation operations. This allows a stack-based buffer overflow that could lead to a potential remote code execution on the targeted device.
References: https://www.idemia.com/wp-content/uploads/2023/11/Security-Advisory-SA-2023-05-2.pdf

CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found

22. CVE-2023-33220
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: During the retrofit validation process, the firmware doesn't properly check the boundaries while copying some attributes to check. This allows a stack-based buffer overflow that could lead to a potential remote code execution on the targeted device.
References: https://www.idemia.com/wp-content/uploads/2023/11/Security-Advisory-SA-2023-05-2.pdf

CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found

23. CVE-2023-46116
Base Score: 9.3
Base Severity: CRITICAL
Exploitability Score: 2.8
Impact Score: 5.8
Description: Tutanota (Tuta Mail) is an encrypted email provider. Tutanota allows users to open links in emails in external applications. Prior to version 3.118.12, it correctly blocks the `file:` URL scheme, which can be used by malicious actors to gain code execution on a victim's computer, but fails to check other harmful schemes such as `ftp:`, `smb:`, etc., which can also be used. Successful exploitation of this vulnerability will enable an attacker to gain code execution on a victim's computer. Version 3.118.12 contains a patch for this issue.
References: https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L417
https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L423
https://github.com/tutao/tutanota/commit/88ecad17d00d05a722399aed35f0d280899d55a2
https://github.com/tutao/tutanota/security/advisories/GHSA-mxgj-pq62-f644
https://user-images.githubusercontent.com/46137338/270564886-7a0389d3-f9ef-44e1-9f5e-57ccc72dcaa8.mp4

CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
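Entry 23 (CVE-2023-46116) is the textbook denylist failure: `file:` was blocked, `smb:` and `ftp:` were not. The comparison below is an added example, written in Python rather than the client's TypeScript, and the allowed-scheme set is an assumed policy, not Tutanota's configuration; the links are constructed. It runs the same inputs through a denylist and an allowlist so the gap is visible:

```python
from urllib.parse import urlsplit

# Pre-fix shape of the check: a denylist of the schemes the author thought of.
BLOCKED_SCHEMES = {"file"}

# Post-fix shape: only the schemes the application needs to hand to the OS.
# Assumed policy for this example.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Constructed sample links; none were taken from a real message.
CONSTRUCTED_LINKS = [
    "https://example.invalid/page",
    "mailto:someone@example.invalid",
    "file:///C:/Windows/System32/calc.exe",
    "FILE:///etc/passwd",
    "smb://attacker.invalid/share/payload.exe",
    "ftp://attacker.invalid/payload",
    "javascript:alert(1)",
    "relative/path/no/scheme",
]


def scheme_of(url: str) -> str:
    """Scheme as the URL parser sees it: leading whitespace stripped, case folded."""
    return urlsplit(url.strip()).scheme.lower()


def allowed_by_denylist(url: str) -> bool:
    """Refuses only the listed schemes; everything unanticipated gets through."""
    return scheme_of(url) not in BLOCKED_SCHEMES


def allowed_by_allowlist(url: str) -> bool:
    """Refuses everything not explicitly expected, including scheme-less input."""
    return scheme_of(url) in ALLOWED_SCHEMES


def compare(links=CONSTRUCTED_LINKS) -> dict:
    """url -> (denylist verdict, allowlist verdict) for each sample link."""
    return {u: (allowed_by_denylist(u), allowed_by_allowlist(u)) for u in links}


if __name__ == "__main__":
    for url, (deny, allow) in compare().items():
        print(f"{url:45} denylist={deny!s:5} allowlist={allow!s:5}")
```

Case folding and whitespace stripping matter in both variants: a filter that compares the raw string would also let `FILE:` or ` file:` past the denylist, which is a second reason to decide on the parsed scheme rather than on the text.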

24. CVE-2023-49170
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in captainform Forms by CaptainForm – Form Builder for WordPress allows Reflected XSS. This issue affects Forms by CaptainForm – Form Builder for WordPress: from n/a through 2.5.3.
References: https://patchstack.com/database/vulnerability/captainform/wordpress-forms-by-captainform-form-builder-for-wordpress-plugin-2-5-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found

25. CVE-2023-49176
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeRevolution WP Pocket URLs allows Reflected XSS. This issue affects WP Pocket URLs: from n/a through 1.0.2.
References: https://patchstack.com/database/vulnerability/wp-pocket-urls/wordpress-wp-pocket-urls-plugin-1-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found

26. CVE-2023-49177
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gilles Dumas which template file allows Reflected XSS. This issue affects which template file: from n/a through 4.9.0.
References: https://patchstack.com/database/vulnerability/which-template-file/wordpress-which-template-file-plugin-4-9-0-cross-site-scripting-xss-vulnerability?_s_id=cve

CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found

27. CVE-2023-49178
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mr. Hdwplayer HDW Player Plugin (Video Player & Video Gallery) allows Reflected XSS. This issue affects HDW Player Plugin (Video Player & Video Gallery): from n/a through 5.0.
References: https://patchstack.com/database/vulnerability/hdw-player-video-player-video-gallery/wordpress-hdw-player-plugin-video-player-video-gallery-plugin-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve

CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found

28. CVE-2023-49182
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fabio Marzocca List all posts by Authors, nested Categories and Titles allows Reflected XSS. This issue affects List all posts by Authors, nested Categories and Titles: from n/a through 2.7.10.
References: https://patchstack.com/database/vulnerability/list-all-posts-by-authors-nested-categories-and-titles/wordpress-list-all-posts-by-authors-nested-categories-and-title-plugin-2-7-10-cross-site-scripting-xss-vulnerability?_s_id=cve

CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found

29. CVE-2023-49183
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NextScripts NextScripts: Social Networks Auto-Poster allows Reflected XSS. This issue affects NextScripts: Social Networks Auto-Poster: from n/a through 4.4.2.
References: https://patchstack.com/database/vulnerability/social-networks-auto-poster-facebook-twitter-g/wordpress-nextscripts-social-networks-auto-poster-plugin-4-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found

30. CVE-2023-49185
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Doofinder Doofinder WP & WooCommerce Search allows Reflected XSS. This issue affects Doofinder WP & WooCommerce Search: from n/a through 2.1.7.
References: https://patchstack.com/database/vulnerability/doofinder-for-woocommerce/wordpress-doofinder-wp-woocommerce-search-plugin-2-0-33-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found

31. CVE-2023-49187
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spoonthemes Adifier - Classified Ads WordPress Theme allows Reflected XSS. This issue affects Adifier - Classified Ads WordPress Theme: from n/a before 3.1.4.
References: https://patchstack.com/database/vulnerability/adifier/wordpress-adifier-classified-ads-wordpress-theme-theme-3-9-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found

32. CVE-2023-49159
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: Server-Side Request Forgery (SSRF) vulnerability in Elegant Digital Solutions CommentLuv. This issue affects CommentLuv: from n/a through 3.0.4.
References: https://patchstack.com/database/vulnerability/commentluv/wordpress-commentluv-plugin-3-0-4-server-side-request-forgery-ssrf-vulnerability?_s_id=cve

CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found

33. CVE-2023-6680
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.2
Description: An improper certificate validation issue in Smartcard authentication in GitLab EE affecting all versions from 11.6 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows an attacker to authenticate as another user given their public key if they use Smartcard authentication. Smartcard authentication is an experimental feature and has to be manually enabled by an administrator.
References: https://gitlab.com/gitlab-org/gitlab/-/issues/421607

CWE-ID: CWE-295
Common Platform Enumerations (CPE): Not Found

34. CVE-2023-50719
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: XWiki Platform is a generic wiki platform. Starting in 7.2-milestone-2 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the password hashes of all users to anyone with view right on the respective user profiles. By default, all user profiles are public. This vulnerability also affects any configurations used by extensions that contain passwords like API keys that are viewable for the attacker. Normally, such passwords aren't accessible but this vulnerability would disclose them as plain text. This has been patched in XWiki 14.10.15, 15.5.2 and 15.7RC1. There are no known workarounds for this vulnerability.

References: https://github.com/xwiki/xwiki-platform/commit/3e5272f2ef0dff06a8f4db10afd1949b2f9e6eea
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p6cp-6r35-32mh
https://jira.xwiki.org/browse/XWIKI-21208

CWE-ID: CWE-200 CWE-359
Common Platform Enumerations (CPE): Not Found

35. CVE-2023-50721
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: XWiki Platform is a generic wiki platform. Starting in 4.5-rc-1 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the search administration interface doesn't properly escape the id and label of search user interface extensions, allowing the injection of XWiki syntax containing script macros, including Groovy macros that allow remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki instance. This attack can be executed by any user who can edit some wiki page, such as the user's profile (editable by default), as user interface extensions that will be displayed in the search administration can be added on any document by any user. The necessary escaping has been added in XWiki 14.10.15, 15.5.2 and 15.7RC1. As a workaround, the patch can be manually applied to the page `XWiki.SearchAdmin`.
References: https://github.com/xwiki/xwiki-platform/commit/62863736d78ffd60d822279c5fb7fb9593042766
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7654-vfh6-rw6x
https://jira.xwiki.org/browse/XWIKI-21200

CWE-ID: CWE-94 CWE-95
Common Platform Enumerations (CPE): Not Found

36. CVE-2023-50722
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 2.8
Impact Score: 6.0
Description: XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, there is a reflected XSS or also direct remote code execution vulnerability in the code for displaying configurable admin sections. The code that can be passed through a URL parameter is only executed when the user who is visiting the crafted URL has edit right on at least one configuration section. While any user of the wiki could easily create such a section, this vulnerability doesn't require the attacker to have an account or any access on the wiki. It is sufficient to trick any admin user of the XWiki installation to visit the crafted URL. This vulnerability allows full remote code execution with programming rights and thus impacts the confidentiality, integrity and availability of the whole XWiki installation. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1. The patch can be manually applied to the document `XWiki.ConfigurableClass`.

References: https://github.com/xwiki/xwiki-platform/commit/5e14c8d08fd0c5b619833d35090b470aa4cb52b0
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cp3j-273x-3jxc
https://jira.xwiki.org/browse/XWIKI-21167

CWE-ID: CWE-352 CWE-79
Common Platform Enumerations (CPE): Not Found

37. CVE-2023-50723
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, anyone who can edit an arbitrary wiki page in an XWiki installation can gain programming right through several cases of missing escaping in the code for displaying sections in the administration interface. This impacts the confidentiality, integrity and availability of the whole XWiki installation. Normally, all users are allowed to edit their own user profile so this should be exploitable by all users of the XWiki instance. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1. The patches can be manually applied to the `XWiki.ConfigurableClassMacros` and `XWiki.ConfigurableClass` pages.
References: https://github.com/xwiki/xwiki-platform/commit/0f367aaae4e0696f61cf5a67a75edd27d1d16db6
https://github.com/xwiki/xwiki-platform/commit/1157c1ecea395aac7f64cd8a6f484b1225416dc7
https://github.com/xwiki/xwiki-platform/commit/749f6aee1bfbcf191c3734ea0aa9eba3aa63240e
https://github.com/xwiki/xwiki-platform/commit/bd82be936c21b65dee367d558e3050b9b6995713
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qj86-p74r-7wp5
https://jira.xwiki.org/browse/XWIKI-21121
https://jira.xwiki.org/browse/XWIKI-21122
https://jira.xwiki.org/browse/XWIKI-21194

CWE-ID: CWE-94 CWE-95
Common Platform Enumerations (CPE): Not Found

38. CVE-2023-4020
Base Score: 9.0
Base Severity: CRITICAL
Exploitability Score: 2.5
Impact Score: 5.8
Description: An unvalidated input in a library function responsible for communicating between secure and non-secure memory in Silicon Labs TrustZone implementation allows reading/writing of memory in the secure region of memory from the non-secure region of memory.
References: https://community.silabs.com/069Vm0000004b95IAA
https://github.com/SiliconLabs/gecko_sdk/releases

CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found

39. CVE-2023-50264
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Bazarr manages and downloads subtitles. Prior to 1.3.1, the /system/backup/download/ endpoint in bazarr/app/ui.py does not validate the user-controlled filename variable and uses it in the send_file function, which leads to an arbitrary file read on the system. This issue is fixed in version 1.3.1.
References: https://github.com/morpheus65535/bazarr/commit/17add7fbb3ae1919a40d505470d499d46df9ae6b
https://github.com/morpheus65535/bazarr/releases/tag/v1.3.1
https://securitylab.github.com/advisories/GHSL-2023-192_GHSL-2023-194_bazarr/

CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found

40. CVE-2023-50265
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Bazarr manages and downloads subtitles. Prior to 1.3.1, the /api/swaggerui/static endpoint in bazarr/app/ui.py does not validate the user-controlled filename variable and uses it in the send_file function, which leads to an arbitrary file read on the system. This issue is fixed in version 1.3.1.
References: https://github.com/morpheus65535/bazarr/commit/17add7fbb3ae1919a40d505470d499d46df9ae6b
https://github.com/morpheus65535/bazarr/releases/tag/v1.3.1
https://securitylab.github.com/advisories/GHSL-2023-192_GHSL-2023-194_bazarr/

CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
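Entries 1, 4, 7, 13, 39 and 40 (CVE-2023-6831, CVE-2023-48373, CVE-2023-48378, CVE-2023-48389, CVE-2023-50264, CVE-2023-50265) are all path traversal, and the mlflow case specifically is the `\..\` variant that slips past a filter looking for `../`. The code below is an added example, not from mlflow or Bazarr; it shows the naive filter missing the backslash form, and a containment check that normalises separators, resolves the candidate path and requires it to stay under the base directory:

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def naive_reject(user_path: str) -> bool:
    """The filter many codebases ship: it stops '../' but not the '..\\' form."""
    return "../" not in user_path


def normalise(user_path: str) -> str:
    """Treat backslashes as separators on every OS, then collapse dot segments."""
    return os.path.normpath(user_path.replace("\\", "/"))


def safe_join(base_dir: str, user_path: str) -> Optional[Path]:
    """Resolve user_path under base_dir; return None if the result escapes base_dir.

    resolve() follows symlinks, so a link inside base_dir that points outside is
    also refused.  The caller still has to confirm the result is a regular file
    before handing it to something like Flask's send_file.
    """
    base = Path(base_dir).resolve()
    candidate = (base / normalise(user_path).lstrip("/")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def demo() -> dict:
    """Containment verdicts for constructed inputs against a throwaway directory."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    (Path(base) / "report.txt").write_text("constructed sample file")
    inputs = [
        "report.txt",
        "sub/../report.txt",
        "../../etc/passwd",
        "..\\..\\etc\\passwd",
    ]
    return {p: safe_join(base, p) is not None for p in inputs}


if __name__ == "__main__":
    print("naive filter passes backslash form:", naive_reject("..\\..\\etc\\passwd"))
    print(demo())
```

The decision is made on the resolved path, not on the input string, which is what makes it indifferent to the separator, to `....//` style double-encoding of dot segments, and to symlinks planted inside the served directory.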
