Security Vulnerabilities - CVEs Published In March 2024
Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users for manipulation of generated web pages via injection of HTML code. This might lead to a successful phishing attack for example by tricking users into using a hyperlink pointing to a website controlled by an attacker.
Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.200.
CVSS Score
4.6
EPSS Score
0.001
Published
2024-03-18
Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate.
Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.
CVSS Score
6.4
EPSS Score
0.001
Published
2024-03-18
Cross-site scripting vulnerability exists in FitNesse all releases, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with specially crafted multiple parameters.
CVSS Score
6.1
EPSS Score
0.002
Published
2024-03-18
Cross-site scripting vulnerability exists in FitNesse releases prior to 20220319, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter.
CVSS Score
6.1
EPSS Score
0.003
Published
2024-03-18
In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.
CVSS Score
6.5
EPSS Score
0.002
Published
2024-03-18
danielmiessler fabric through 1.3.0 allows installer/client/gui/static/js/index.js XSS because of innerHTML mishandling, such as in htmlToPlainText.
CVSS Score
7.4
EPSS Score
0.001
Published
2024-03-18
flusity CMS through 2.45 allows tools/addons_model.php Gallery Name XSS. The reporter indicates that this product "ceased its development as of February 2024."
CVSS Score
6.1
EPSS Score
0.001
Published
2024-03-18
Siklu TG Terragraph devices before 2.1.1 allow attackers to discover valid, randomly generated credentials via GetCredentials.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-03-18
FusionPBX before 5.2.0 does not validate a session.
CVSS Score
5.3
EPSS Score
0.0
Published
2024-03-18
A vulnerability has been found in SourceCodester Employee Task Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /update-employee.php. The manipulation of the argument admin_id leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257080.
CVSS Score
7.3
EPSS Score
0.0
Published
2024-03-18