Latest Vulnerabilities Updates: AppSecWorld's CVE Daily Digest for December 07-08, 2023

In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between December 07-08, 2023.
During this period, the National Vulnerability Database published 142 new Common Vulnerabilities and Exposures (CVEs), classified as follows:

Critical: 6
High: 9
Medium: 22
Low: 0
Severity Not Assigned: 105

Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.

1. CVE-2023-5761
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'url' parameter in versions 1.4.0 to 1.4.6.1 (free) and versions 1.4.0 to 1.5.0 (pro) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2976467%40burst-statistics&new=2976467%40burst-statistics&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/30f8419c-c7b9-4c68-a845-26c0308d76f3?source=cve

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

2. CVE-2022-45362
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: Server-Side Request Forgery (SSRF) vulnerability in Paytm Paytm Payment Gateway. This issue affects Paytm Payment Gateway: from n/a through 2.7.0.
References: https://patchstack.com/database/vulnerability/paytm-payments/wordpress-paytm-payment-gateway-plugin-2-7-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve

CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found

3. CVE-2023-41804
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 4.7
Description: Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Starter Templates — Elementor, WordPress & Beaver Builder Templates. This issue affects Starter Templates — Elementor, WordPress & Beaver Builder Templates: from n/a through 3.2.4.
References: https://patchstack.com/database/vulnerability/astra-sites/wordpress-starter-templates-plugin-3-2-4-server-side-request-forgery-ssrf-vulnerability?_s_id=cve

CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found

4. CVE-2023-35039
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse. This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15.
References: https://patchstack.com/database/vulnerability/bdvs-password-reset/wordpress-password-reset-with-code-for-wordpress-rest-api-plugin-0-0-15-privilege-escalation-due-to-weak-pin-generation-vulnerability?_s_id=cve

CWE-ID: CWE-307
Common Platform Enumerations (CPE): Not Found

5. CVE-2023-39167
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: In SENEC Storage Box V1, V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive data.
References: https://seclists.org/fulldisclosure/2023/Nov/5

CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found

6. CVE-2023-39172
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: The affected devices transmit sensitive information unencrypted allowing a remote unauthenticated attacker to capture and modify network traffic.
References: https://seclists.org/fulldisclosure/2023/Nov/4

CWE-ID: CWE-319
Common Platform Enumerations (CPE): Not Found

7. CVE-2023-39169
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The affected devices use publicly available default credentials with administrative privileges.
References: https://seclists.org/fulldisclosure/2023/Nov/3

CWE-ID: CWE-1188
Common Platform Enumerations (CPE): Not Found

8. CVE-2023-39171
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: SENEC Storage Box V1, V2 and V3 accidentally expose a management UI accessible with publicly known admin credentials.
References: https://seclists.org/fulldisclosure/2023/Nov/2

CWE-ID: CWE-668
Common Platform Enumerations (CPE): Not Found

9. CVE-2023-6333
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.7
Impact Score: 5.3
Description: The affected ControlByWeb Relay products are vulnerable to a stored cross-site scripting vulnerability, which could allow an attacker to inject arbitrary scripts into the endpoint of a web interface that could run malicious JavaScript code during a user's session.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-341-05

CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found

10. CVE-2023-4486
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to version 12.0.4 and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-341-03
https://www.johnsoncontrols.com/cyber-solutions/security-advisories

CWE-ID: CWE-400
Common Platform Enumerations (CPE): Not Found

11. CVE-2023-35618
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 2.8
Impact Score: 6.0
Description: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35618

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

12. CVE-2023-6578
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability classified as critical has been found in Software AG WebMethods 10.11.x/10.15.x. Affected is an unknown function of the file wm.server/connect/. The manipulation leads to improper access controls. It is possible to launch the attack remotely. To access a file like /assets/ a popup may request username and password. By just clicking CANCEL you will be redirected to the directory. If you visited /invoke/wm.server/connect, you'll be able to see details like internal IPs, ports, and versions. In some cases if access to /assets/ is refused, you may enter /assets/x as a wrong value, then come back to /assets/, which will show the requested data. It appears that insufficient access control is depending on referrer header data. VDB-247158 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://vuldb.com/?ctiid.247158
https://vuldb.com/?id.247158

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found

13. CVE-2023-6579
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, has been found in osCommerce 4. Affected by this issue is some unknown functionality of the file /b2b-supermarket/shopping-cart of the component POST Parameter Handler. The manipulation of the argument estimate[country_id] leads to sql injection. The attack may be launched remotely. The identifier of this vulnerability is VDB-247160. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://vuldb.com/?ctiid.247160
https://vuldb.com/?id.247160

CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found

14. CVE-2023-6580
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability, which was classified as critical, was found in D-Link DIR-846 FW100A53DBR. This affects an unknown part of the file /HNAP1/ of the component QoS POST Handler. The manipulation of the argument smartqos_express_devices/smartqos_normal_devices leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247161 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/c2dc/cve-reported/blob/main/CVE-2023-6580/CVE-2023-6580.md
https://vuldb.com/?ctiid.247161
https://vuldb.com/?id.247161

CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found

15. CVE-2023-4122
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: Student Information System v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'photo' parameter of my-profile page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application.
References: https://fluidattacks.com/advisories/rubinstein/
https://www.kashipara.com/

CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
