Security Vulnerabilities - CVEs Published In February 2023
Connectwise Automate 2022.11 is vulnerable to Clickjacking. The login screen can be iframed and used to manipulate users to perform unintended actions. NOTE: the vendor's position is that a Content-Security-Policy HTTP response header is present to block this attack.
CVSS Score: 6.1
EPSS Score: 0.001
Published: 2023-02-01
In Connectwise Control 22.8.10013.8329, the login page does not implement HSTS headers therefore not enforcing HTTPS. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting.
CVSS Score: 5.3
EPSS Score: 0.0
Published: 2023-02-01
Connectwise Control 22.8.10013.8329 is vulnerable to a Cross-Origin Resource Sharing (CORS) misconfiguration. The vendor's position is that two endpoints have Access-Control-Allow-Origin wildcarding to support product functionality, and that there is no risk from this behavior. The vulnerability report is thus not valid.
CVSS Score: 6.1
EPSS Score: 0.001
Published: 2023-02-01
Connectwise Automate 2022.11 is vulnerable to cleartext authentication. Authentication is performed over HTTP (cleartext) with SSL disabled. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting.
CVSS Score: 5.9
EPSS Score: 0.0
Published: 2023-02-01
Selfwealth iOS mobile App 3.3.1 is vulnerable to Insecure App Transport Security (ATS) Settings.
CVSS Score: 7.5
EPSS Score: 0.001
Published: 2023-02-01
Selfwealth iOS mobile App 3.3.1 is vulnerable to Sensitive key disclosure. The application reveals hardcoded API keys.
CVSS Score: 7.5
EPSS Score: 0.001
Published: 2023-02-01
NOSH 4a5cfdb allows remote authenticated users to execute arbitrary PHP code via the "practice logo" upload feature. The client-side checks can be bypassed. This may allow attackers to steal Protected Health Information because the product is for health charting.
CVSS Score: 8.8
EPSS Score: 0.048
Published: 2023-02-01
A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass authentication via a crafted web request.
CVSS Score: 9.8
EPSS Score: 0.63
Published: 2023-02-01
A vulnerability in the Remember Me function of Mura CMS before v10.0.580 allows attackers to bypass authentication via a crafted web request.
CVSS Score: 9.8
EPSS Score: 0.303
Published: 2023-02-01
Last Yard 22.09.8-1 does not enforce HSTS headers.
CVSS Score: 9.8
EPSS Score: 0.0
Published: 2023-02-01
Shodan ® - All rights reserved