Security Vulnerabilities - CVEs Published In January 2024
A vulnerability has been found in Blood Bank & Donor Management 5.6 and classified as critical. This vulnerability affects unknown code of the file /admin/request-received-bydonar.php. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250564.
CVSS Score: 4.7 | EPSS Score: 0.001 | Published: 2024-01-12
A vulnerability was found in code-projects Faculty Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/pages/student-print.php. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250565 was assigned to this vulnerability.
CVSS Score: 6.3 | EPSS Score: 0.001 | Published: 2024-01-12
A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save contact parameter, which allows remote attackers to inject arbitrary web script or HTML.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2024-01-12
A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save content parameter, which allows remote attackers to inject arbitrary web script or HTML.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2024-01-12
A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save mobile parameter, which allows remote attackers to inject arbitrary web script or HTML.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2024-01-12
The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware. Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.
CVSS Score: 4.0 | EPSS Score: 0.0 | Published: 2024-01-12
The Real-Time Streaming Protocol implementation in the MIB3 infotainment incorrectly handles requests to the /logs URI when the id parameter equals zero. This issue allows an attacker connected to the in-vehicle Wi-Fi network to cause a denial of service of the infotainment system when certain preconditions are met. Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.
CVSS Score: 5.3 | EPSS Score: 0.0 | Published: 2024-01-12
An authenticated user can execute arbitrary commands in the context of the root user by providing a payload in the "destination" field of the network test tools. This is similar to the vulnerability CVE-2021-28151, which was mitigated at the user-interface level by blacklisting characters with JavaScript; however, it can still be exploited by sending POST requests directly.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2024-01-12
The router console is accessible without authentication via the "data" field, and while a user needs to be logged in in order to modify the configuration, the session state is shared. If any other user is currently logged in, the anonymous user can execute commands in the context of the authenticated one. If the logged-in user has administrative privileges, it is possible to use webadmin service configuration commands to create a new admin user with a chosen password.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2024-01-12
It is possible to download the configuration backup without authorization and decrypt the included passwords using a hardcoded static key.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2024-01-12
Shodan ® - All rights reserved