Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In February 2024
Cross Site Scripting vulnerability in the path parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via a crafted URL.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2024-02-01

Cross Site Scripting vulnerability in the input parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via a crafted URL.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2024-02-01

Crafatar serves Minecraft avatars based on the skin for use in external applications. Files outside of the `lib/public/` directory can be requested from the server. Instances running behind Cloudflare (including crafatar.com) are not affected. Instances using the Docker container as shown in the README are affected, but only files within the container can be read. By default, all of the files within the container can also be found in this repository and are not confidential. This vulnerability is patched in 2.1.5.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2024-02-01

MachineSense FeverWarn Raspberry Pi-based devices lack input sanitization, which could allow an attacker on an adjacent network to send a message that runs commands or overflows the stack.
CVSS Score: 8.1 | EPSS Score: 0.0 | Published: 2024-02-01

The MachineSense application programmable interface (API) is improperly protected and can be accessed without authentication. A remote attacker could retrieve and modify sensitive information without any authentication.
CVSS Score: 10.0 | EPSS Score: 0.003 | Published: 2024-02-01

The cloud provider MachineSense uses for integration and deployment for multiple MachineSense devices, such as the programmable logic controller (PLC), PumpSense, PowerAnalyzer, FeverWarn, and others, is insufficiently protected against unauthorized access. An attacker with access to the internal procedures could view source code, secret credentials, and more.
CVSS Score: 7.7 | EPSS Score: 0.001 | Published: 2024-02-01

In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an attacker can supply a malicious configuration file by utilizing a Zip Slip vulnerability in the unpacking routine to achieve remote code execution.
CVSS Score: 8.8 | EPSS Score: 0.012 | Published: 2024-02-01

Cross Site Scripting (XSS) vulnerability in the func parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via a crafted URL.
CVSS Score: 6.1 | EPSS Score: 0.032 | Published: 2024-02-01

The Delegated Admin Privilege virtual attribute provider plugin, when enabled, allows an authenticated user to elevate their permissions in the Directory Server.
CVSS Score: 7.7 | EPSS Score: 0.0 | Published: 2024-02-01

Multiple MachineSense devices have credentials that cannot be changed by the user or administrator.
CVSS Score: 9.1 | EPSS Score: 0.001 | Published: 2024-02-01
Shodan ® - All rights reserved