In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between December 17-18, 2023.
During this period, The National Vulnerability Database published 25, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 0
High: 3
Medium: 20
Low: 1
Severity Not Assigned: 1
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-6901
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, was found in codelyfe Stupid Simple CMS up to 1.2.3. This affects an unknown part of the file /terminal/handle-command.php of the component HTTP POST Request Handler. The manipulation of the argument command with the input whoami leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-248259.
References: https://github.com/g1an123/POC/blob/main/README.md
https://vuldb.com/?ctiid.248259
https://vuldb.com/?id.248259
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-50271
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description:
A potential security vulnerability has been identified with HP-UX System Management Homepage (SMH). This vulnerability could be exploited locally or remotely to disclose information.
References: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbux04551en_us
CWE-ID: CWE-200
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-6903
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability classified as critical has been found in Netentsec NS-ASG Application Security Gateway 6.3.1. This affects an unknown part of the file /admin/singlelogin.php?submit=1. The manipulation of the argument loginId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-248265 was assigned to this vulnerability.
References: https://github.com/willchen0011/cve/blob/main/NS-ASG-sql.md
https://vuldb.com/?ctiid.248265
https://vuldb.com/?id.248265
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between December 17-18, 2023.
During this period, The National Vulnerability Database published 25, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 0
High: 3
Medium: 20
Low: 1
Severity Not Assigned: 1
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-6901
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, was found in codelyfe Stupid Simple CMS up to 1.2.3. This affects an unknown part of the file /terminal/handle-command.php of the component HTTP POST Request Handler. The manipulation of the argument command with the input whoami leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-248259.
References: https://github.com/g1an123/POC/blob/main/README.md
https://vuldb.com/?ctiid.248259
https://vuldb.com/?id.248259
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-50271
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description:
A potential security vulnerability has been identified with HP-UX System Management Homepage (SMH). This vulnerability could be exploited locally or remotely to disclose information.
References: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbux04551en_us
CWE-ID: CWE-200
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-6903
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability classified as critical has been found in Netentsec NS-ASG Application Security Gateway 6.3.1. This affects an unknown part of the file /admin/singlelogin.php?submit=1. The manipulation of the argument loginId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-248265 was assigned to this vulnerability.
References: https://github.com/willchen0011/cve/blob/main/NS-ASG-sql.md
https://vuldb.com/?ctiid.248265
https://vuldb.com/?id.248265
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found