Security Vulnerabilities - CVEs Published In March 2024
This is a reflected cross site scripting vulnerability in the PaperCut NG/MF application server. An attacker can exploit this weakness by crafting a malicious URL that contains a script. When an unsuspecting user clicks on this malicious link, it could potentially lead to limited loss of confidentiality, integrity or availability.
CVSS Score
6.3
EPSS Score
0.113
Published
2024-03-14
This is a Server-Side Request Forgery (SSRF) vulnerability in the PaperCut NG/MF server-side module that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.
CVSS Score
6.5
EPSS Score
0.092
Published
2024-03-14
Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports via the Report functionality in the Web UI.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-03-14
SQL injection vulnerability in SunnyToo stproductcomments module for PrestaShop v.1.0.5 and before, allows a remote attacker to escalate privileges and obtain sensitive information via the StProductCommentClass::getListcomments method.
CVSS Score
9.8
EPSS Score
0.003
Published
2024-03-14
This vulnerability potentially allows unauthorized write operations which may lead to remote code execution. An attacker must already have authenticated admin access and knowledge of both an internal system identifier and details of another valid user to exploit this.
CVSS Score
7.2
EPSS Score
0.042
Published
2024-03-14
In Delinea PAM Secret Server 11.4, it is possible for an attacker (with Administrator access to the Secret Server machine) to read the following data from a memory dump: the decrypted master key, database credentials (when SQL Server Authentication is enabled), the encryption key of RabbitMQ queue messages, and session cookies.
CVSS Score
6.7
EPSS Score
0.0
Published
2024-03-14
User enumeration can occur in the Authentication REST API in Delinea PAM Secret Server 11.4. This allows a remote attacker to determine whether a user is valid because of a difference in responses from the /oauth2/token endpoint.
CVSS Score
5.3
EPSS Score
0.004
Published
2024-03-14
In Delinea PAM Secret Server 11.4, it is possible for a user assigned "Administer Reports" permission and/or with access to Report functionality via UNLIMITED ADMIN MODE (with access to the Report functionality) to gain unauthorized access to remote sessions created by legitimate users through information obtained from the Custom Legacy Report functionality.
CVSS Score
7.6
EPSS Score
0.003
Published
2024-03-14
This allows attackers to use a maliciously formed API request to gain access to an API authorization level with elevated privileges. This applies to a small subset of PaperCut NG/MF API calls.
CVSS Score
8.6
EPSS Score
0.022
Published
2024-03-14
This vulnerability potentially allows unauthorized enumeration of information from the embedded device APIs. An attacker must already have existing knowledge of some combination of valid usernames, device names and an internal system key. For such an attack to be successful the system must be in a specific runtime state.
CVSS Score
4.8
EPSS Score
0.001
Published
2024-03-14