Security Vulnerabilities - CVEs Published In March 2023
The Akuvox E11 libvoice library provides unauthenticated access to the camera capture for image and video. This could allow an attacker to view and record image and video from the camera.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2023-03-13
Akuvox E11 does not ensure that a file extension is associated with the file provided. This could allow an attacker to upload a file to the device by changing the extension of a malicious file to an accepted file type.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2023-03-13
The Akuvox E11 web server backend library allows command injection in the device phone-book contacts functionality. This could allow an attacker to upload files with executable command instructions.
CVSS Score: 8.8 | EPSS Score: 0.006 | Published: 2023-03-13
The Akuvox E11 password recovery webpage can be accessed without authentication, and an attacker could download the device key file. An attacker could then use this page to reset the password back to the default.
CVSS Score: 9.1 | EPSS Score: 0.001 | Published: 2023-03-13
Akuvox E11 uses a weak encryption algorithm for stored passwords and uses a hard-coded password for decryption which could allow the encrypted passwords to be decrypted from the configuration file.
CVSS Score: 7.2 | EPSS Score: 0.001 | Published: 2023-03-13
The Akuvox E11 web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs.
CVSS Score: 9.1 | EPSS Score: 0.001 | Published: 2023-03-13
Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.5.0 have a directory traversal vulnerability that allows the inclusion of server-side files. This issue is fixed in version 6.3.5.0.
CVSS Score: 7.5 | EPSS Score: 0.012 | Published: 2023-03-13
Akuvox E11 uses a hard-coded cryptographic key, which could allow an attacker to decrypt sensitive information.
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2023-03-13
PrestaShop dpdfrance <6.1.3 is vulnerable to SQL Injection via dpdfrance/ajax.php.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2023-03-13
Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.6.0 don't correctly neutralize `dir/../filename` sequences, such as `/etc/nginx/../passwd`, allowing an actor to gain information about a server. Version 6.3.6.0 has a patch for this issue.
CVSS Score: 7.5 | EPSS Score: 0.013 | Published: 2023-03-13


Shodan ® - All rights reserved