In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between January 07-08, 2024.
During this period, The National Vulnerability Database published 34, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 0
High: 7
Medium: 23
Low: 4
Severity Not Assigned: 0
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-0264
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /LoginRegistration.php. The manipulation of the argument formToken leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249820.
References: https://github.com/jmrcsnchz/ClinicQueueingSystem_RCE/
https://github.com/jmrcsnchz/ClinicQueueingSystem_RCE/blob/main/clinicx.py
https://vuldb.com/?ctiid.249820
https://vuldb.com/?id.249820
CWE-ID: CWE-639
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-0267
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability classified as critical was found in Kashipara Hospital Management System up to 1.0. Affected by this vulnerability is an unknown functionality of the file login.php of the component Parameter Handler. The manipulation of the argument email/password leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249823.
References: https://github.com/E1CHO/cve_hub/blob/main/Hospital%20Managment%20System/Hospital%20Managment%20System%20-%20vuln%201.pdf
https://vuldb.com/?ctiid.249823
https://vuldb.com/?id.249823
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-7208
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: A vulnerability classified as critical was found in Totolink X2000R_V2 2.0.0-B20230727.10434. This vulnerability affects the function formTmultiAP of the file /bin/boa. The manipulation leads to buffer overflow. VDB-249742 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/unpWn4bL3/iot-security/blob/main/13.md
https://vuldb.com/?ctiid.249742
https://vuldb.com/?id.249742
CWE-ID: CWE-120
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-0268
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, has been found in Kashipara Hospital Management System up to 1.0. Affected by this issue is some unknown functionality of the file registration.php. The manipulation of the argument name/email/pass/gender/age/city leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249824.
References: https://github.com/E1CHO/cve_hub/blob/main/Hospital%20Managment%20System/Hospital%20Managment%20System%20-%20vuln%202.pdf
https://vuldb.com/?ctiid.249824
https://vuldb.com/?id.249824
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
5. CVE-2023-7209
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: A vulnerability was found in Uniway Router up to 2.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /boaform/device_reset.cgi of the component Device Reset Handler. The manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249758 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://drive.google.com/file/d/1XDZA4ibiYNcxTwq60vYCr03_6M_cvJ_2/view?usp=sharing
https://vuldb.com/?ctiid.249758
https://vuldb.com/?id.249758
CWE-ID: CWE-404
Common Platform Enumerations (CPE): Not Found
6. CVE-2023-7210
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability was found in OneNav up to 0.9.33. It has been classified as critical. This affects an unknown part of the file /index.php?c=api of the component API. The manipulation of the argument X-Token leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249765 was assigned to this vulnerability.
References: https://note.zhaoj.in/share/eRbUygGMiJcp
https://vuldb.com/?ctiid.249765
https://vuldb.com/?id.249765
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
7. CVE-2023-47145
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description: IBM Db2 for Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 could allow a local user to escalate their privileges to the SYSTEM user using the MSI repair functionality. IBM X-Force ID: 270402.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/270402
https://www.ibm.com/support/pages/node/7105500
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between January 07-08, 2024.
During this period, The National Vulnerability Database published 34, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 0
High: 7
Medium: 23
Low: 4
Severity Not Assigned: 0
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-0264
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /LoginRegistration.php. The manipulation of the argument formToken leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249820.
References: https://github.com/jmrcsnchz/ClinicQueueingSystem_RCE/
https://github.com/jmrcsnchz/ClinicQueueingSystem_RCE/blob/main/clinicx.py
https://vuldb.com/?ctiid.249820
https://vuldb.com/?id.249820
CWE-ID: CWE-639
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-0267
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability classified as critical was found in Kashipara Hospital Management System up to 1.0. Affected by this vulnerability is an unknown functionality of the file login.php of the component Parameter Handler. The manipulation of the argument email/password leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249823.
References: https://github.com/E1CHO/cve_hub/blob/main/Hospital%20Managment%20System/Hospital%20Managment%20System%20-%20vuln%201.pdf
https://vuldb.com/?ctiid.249823
https://vuldb.com/?id.249823
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-7208
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: A vulnerability classified as critical was found in Totolink X2000R_V2 2.0.0-B20230727.10434. This vulnerability affects the function formTmultiAP of the file /bin/boa. The manipulation leads to buffer overflow. VDB-249742 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/unpWn4bL3/iot-security/blob/main/13.md
https://vuldb.com/?ctiid.249742
https://vuldb.com/?id.249742
CWE-ID: CWE-120
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-0268
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, has been found in Kashipara Hospital Management System up to 1.0. Affected by this issue is some unknown functionality of the file registration.php. The manipulation of the argument name/email/pass/gender/age/city leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249824.
References: https://github.com/E1CHO/cve_hub/blob/main/Hospital%20Managment%20System/Hospital%20Managment%20System%20-%20vuln%202.pdf
https://vuldb.com/?ctiid.249824
https://vuldb.com/?id.249824
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
5. CVE-2023-7209
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: A vulnerability was found in Uniway Router up to 2.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /boaform/device_reset.cgi of the component Device Reset Handler. The manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249758 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://drive.google.com/file/d/1XDZA4ibiYNcxTwq60vYCr03_6M_cvJ_2/view?usp=sharing
https://vuldb.com/?ctiid.249758
https://vuldb.com/?id.249758
CWE-ID: CWE-404
Common Platform Enumerations (CPE): Not Found
6. CVE-2023-7210
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability was found in OneNav up to 0.9.33. It has been classified as critical. This affects an unknown part of the file /index.php?c=api of the component API. The manipulation of the argument X-Token leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249765 was assigned to this vulnerability.
References: https://note.zhaoj.in/share/eRbUygGMiJcp
https://vuldb.com/?ctiid.249765
https://vuldb.com/?id.249765
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
7. CVE-2023-47145
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description: IBM Db2 for Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 could allow a local user to escalate their privileges to the SYSTEM user using the MSI repair functionality. IBM X-Force ID: 270402.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/270402
https://www.ibm.com/support/pages/node/7105500
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found