Security Vulnerabilities - CVEs Published In January 2023
Weak access control in NexusPHP before 1.7.33 allows a remote authenticated user to edit any post in the forum (this is caused by a lack of checks performed by the /forums.php?action=post page).
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2023-01-19
PopojiCMS v2.0.1 backend plugin function has a file upload vulnerability.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2023-01-19
Multiple SQL injection vulnerabilities in NexusPHP before 1.7.33 allow remote attackers to execute arbitrary SQL commands via the conuser[] parameter in takeconfirm.php; the delcheater parameter in cheaterbox.php; or the usernw parameter in nowarn.php.
CVSS Score: 9.8 | EPSS Score: 0.188 | Published: 2023-01-19
Multiple reflective cross-site scripting (XSS) vulnerabilities in NexusPHP before 1.7.33 allow remote attackers to inject arbitrary web script or HTML via the secret parameter in /login.php; q parameter in /user-ban-log.php; query parameter in /log.php; text parameter in /moresmiles.php; q parameter in myhr.php; or id parameter in /viewrequests.php.
CVSS Score: 6.1 | EPSS Score: 0.163 | Published: 2023-01-19
ZenTao 16.4 to 18.0.beta1 is vulnerable to SQL injection. After logging in as any user, an attacker can perform SQL injection by constructing a special request and sending it to the importNotice function.
CVSS Score: 8.8 | EPSS Score: 0.018 | Published: 2023-01-19
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2023-01-19
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript in posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject JavaScript in a post to trick an administrator into visiting the post. A stored XSS vulnerability exists in the `facebook` field for a user.
CVSS Score: 9.0 | EPSS Score: 0.005 | Published: 2023-01-19
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript in posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject JavaScript in a post to trick an administrator into visiting the post. A stored XSS vulnerability exists in the `codeinjection_head` for a post.
CVSS Score: 9.0 | EPSS Score: 0.002 | Published: 2023-01-19
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript in posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject JavaScript in a post to trick an administrator into visiting the post. A stored XSS vulnerability exists in the `codeinjection_foot` for a post.
CVSS Score: 9.0 | EPSS Score: 0.012 | Published: 2023-01-19
Seltmann GmbH Content Management System 6 is vulnerable to SQL Injection via /index.php.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2023-01-19

