Security Vulnerabilities - CVEs Published In February 2023
Missing Authentication for Critical Function in SICK FX0-GENT v3 Firmware Version V3.04 and V3.05 allows an unprivileged remote attacker to achieve arbitrary remote code execution via maliciously crafted RK512 commands to the listener on TCP port 9000.
CVSS Score
9.8
EPSS Score
0.024
Published
2023-02-20
Mind-elixir is a free, open source mind map core. Prior to version 0.18.1, mind-elixir is prone to cross-site scripting when handling untrusted menus. This issue is patched in version 0.18.1
CVSS Score
6.1
EPSS Score
0.004
Published
2023-02-20
Countly, a product analytics solution, is vulnerable to cross-site scripting prior to version 21.11 of the community edition. The victim must follow a malicious link or be redirected there from malicious web site. The attacker must have an account or be able to create one. This issue is patched in version 21.11.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-02-20
jQuery MiniColors is a color picker built on jQuery. Prior to version 2.3.6, jQuery MiniColors is prone to cross-site scripting when handling untrusted color names. This issue is patched in version 2.3.6.
CVSS Score
6.1
EPSS Score
0.006
Published
2023-02-20
Gnuboard 5.5.4 and 5.5.5 is vulnerable to Insecure Permissions. An attacker can change password of all users without knowing victim's original password.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-02-20
Prototype Pollution in Visioweb.js 1.10.6 allows attackers to execute XSS on the client system.
CVSS Score
7.2
EPSS Score
0.001
Published
2023-02-20
A vulnerability has been found in rtcwcoop 1.0.2 and classified as problematic. Affected by this vulnerability is the function AICast_ScriptLoad of the file code/game/ai_cast_script.c of the component Team Command Handler. The manipulation leads to denial of service. The identifier of the patch is f2cd18bc2e1cbca8c4b78bee9c392272bd5f42ac. It is recommended to apply a patch to fix this issue. The identifier VDB-221485 was assigned to this vulnerability.
CVSS Score
3.5
EPSS Score
0.001
Published
2023-02-20
Command injection in SMS notifications in Tribe29 Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker with User Management permissions, as well as LDAP administrators in certain scenarios, to perform arbitrary commands within the context of the application's local permissions.
CVSS Score
8.0
EPSS Score
0.003
Published
2023-02-20
PHP code injection in watolib auth.php and hosttags.php in Tribe29's Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker to inject and execute PHP code which will be executed upon request of the vulnerable component.
CVSS Score
9.1
EPSS Score
0.008
Published
2023-02-20
Livestatus Query Language (LQL) injection in the AuthUser HTTP query header of Tribe29's Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to perform direct queries to the application's core from localhost.
CVSS Score
6.8
EPSS Score
0.001
Published
2023-02-20