Security Vulnerabilities - CVEs Published In March 2023
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiDeceptor 3.1.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.
CVSS Score: 3.7 | EPSS Score: 0.15 | Published: 2023-03-09

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19.
CVSS Score: 4.8 | EPSS Score: 0.0 | Published: 2023-03-09

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Akinsoft Wolvox. This issue affects Wolvox: before 8.02.03.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2023-03-09

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters. It is fixed in 29.0.90.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2023-03-09

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is fixed in 29.0.90.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2023-03-09

All versions of the package node-bluetooth-serial-port are vulnerable to Buffer Overflow via the findSerialPortChannel method due to improper user input length validation.
CVSS Score: 7.3 | EPSS Score: 0.004 | Published: 2023-03-09

All versions of the package node-bluetooth are vulnerable to Buffer Overflow via the findSerialPortChannel method due to improper user input length validation.
CVSS Score: 7.3 | EPSS Score: 0.002 | Published: 2023-03-09

onekeyadmin v1.3.9 was discovered to contain an arbitrary file read vulnerability via the component /admin1/file/download.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2023-03-09

Bitwarden through 2023.2.1 offers password auto-fill within a cross-domain IFRAME element. NOTE: the vendor's position is that there have been important legitimate cross-domain configurations (e.g., an apple.com IFRAME element on the icloud.com website) and that "Auto-fill on page load" is not enabled by default.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2023-03-09

Bitwarden through 2023.2.1 offers password auto-fill when the second-level domain matches, e.g., a password stored for an example.com hosting provider when customer-website.example.com is visited. NOTE: the vendor's position is that "Auto-fill on page load" is not enabled by default.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2023-03-09

