Security Vulnerabilities - CVEs Published In February 2023
Cross-site scripting (XSS) vulnerability in EyouCMS v1.6.0 allows attackers to execute arbitrary code via the home page description on the basic information page.
CVSS Score
5.4
EPSS Score
0.008
Published
2023-02-08
HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker’s disk.
This issue is fixed in version 0.12.0.
CVSS Score
5.0
EPSS Score
0.0
Published
2023-02-08
IBM Infosphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 245423.
CVSS Score
4.6
EPSS Score
0.002
Published
2023-02-08
Wings is Pterodactyl's server control plane. Affected versions are subject to a vulnerability which can be used to create new files and directory structures on the host system that previously did not exist, potentially allowing attackers to change their resource allocations, promote their containers to privileged mode, or potentially add ssh authorized keys to allow the attacker access to a remote shell on the target machine. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by the Wings Daemon. This vulnerability has been resolved in version `v1.11.3` of the Wings Daemon, and has been back-ported to the 1.7 release series in `v1.7.3`. Anyone running `v1.11.x` should upgrade to `v1.11.3` and anyone running `v1.7.x` should upgrade to `v1.7.3`. There are no known workarounds for this vulnerability.
### Workarounds
None at this time.
CVSS Score
8.4
EPSS Score
0.003
Published
2023-02-08
An information exposure vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local system administrator to disclose the admin password for the agent in cleartext, which bad actors can then use to execute privileged cytool commands that disable or uninstall the agent.
CVSS Score
6.0
EPSS Score
0.005
Published
2023-02-08
A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local user to execute privileged cytool commands that disable or uninstall the agent.
CVSS Score
5.5
EPSS Score
0.001
Published
2023-02-08
A file disclosure vulnerability in the Palo Alto Networks Cortex XSOAR server software enables an authenticated user with access to the web interface to read local files from the server.
CVSS Score
6.5
EPSS Score
0.008
Published
2023-02-08
Open Redirect in GitHub repository btcpayserver/btcpayserver prior to 1.7.6.
CVSS Score
6.4
EPSS Score
0.003
Published
2023-02-08
Cross-Site Request Forgery (CSRF) vulnerability in SeoSamba for WordPress Webmasters plugin <= 1.0.5 versions.
CVSS Score
5.4
EPSS Score
0.0
Published
2023-02-08
Cross-site Scripting (XSS) - Stored in GitHub repository btcpayserver/btcpayserver prior to 1.7.6.
CVSS Score
5.5
EPSS Score
0.001
Published
2023-02-08