Security Vulnerabilities - CVEs Published In February 2023
A vulnerability was found in SourceCodester Dental Clinic Appointment Reservation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /APR/login.php of the component POST Parameter Handler. The manipulation of the argument username leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-221795.
CVSS Score: 7.3 | EPSS Score: 0.001 | Published: 2023-02-26
A vulnerability, which was classified as problematic, was found in dro.pm. This affects an unknown part of the file web/fileman.php. The manipulation of the argument secret/key leads to cross-site scripting. It is possible to initiate the attack remotely. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The patch is named fa73c3a42bc5c246a1b8f815699ea241aef154bb. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-221763.
CVSS Score: 3.5 | EPSS Score: 0.001 | Published: 2023-02-26
Lack of proper validation in HCI Host stack initialization can cause a crash of the Bluetooth stack.
CVSS Score: 9.6 | EPSS Score: 0.001 | Published: 2023-02-26
The frp_form_answers (aka Forms Export) extension before 3.1.2, and 4.x before 4.0.2, for TYPO3 allows XSS via saved emails.
CVSS Score: 6.1 | EPSS Score: 0.004 | Published: 2023-02-26
Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)
CVSS Score: 8.8 | EPSS Score: 0.013 | Published: 2023-02-25
A SQL injection vulnerability in BMC Control-M before 9.0.20.214 allows attackers to execute arbitrary SQL commands via the memname JSON field.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2023-02-25
A vulnerability was found in SourceCodester Clinics Patient Management System 1.0. It has been classified as critical. Affected is an unknown function of the file update_user.php. The manipulation of the argument user_id leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-221784.
CVSS Score: 6.3 | EPSS Score: 0.001 | Published: 2023-02-25
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.
CVSS Score: 9.8 | EPSS Score: 0.438 | Published: 2023-02-25
Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /\s*,\s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a WebSocket server.
CVSS Score: 5.3 | EPSS Score: 0.001 | Published: 2023-02-25
All versions of the package lite-web-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2023-02-25
Shodan ® - All rights reserved