Security Vulnerabilities - CVEs Published In March 2023
RSSHub is an open source and extensible RSS feed generator. When the URL parameters contain certain special characters, it returns an error page that does not properly handle XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the deliberately constructed URL are affected. This vulnerability was fixed in version c910c4d28717fb860fbe064736641f379fab2c91. Please upgrade to this or a later version, there are no known workarounds.
CVSS Score
5.4
EPSS Score
0.008
Published
2023-03-03
CleverStupidDog yf-exam v 1.8.0 is vulnerable to Deserialization which can lead to remote code execution (RCE).
CVSS Score
9.8
EPSS Score
0.02
Published
2023-03-03
Docker based datastores for IBM Instana (IBM Observability with Instana 239-0 through 239-2, 241-0 through 241-2, and 243-0) do not currently require authentication. Due to this, an attacker within the network could access the datastores with read/write access. IBM X-Force ID: 248737.
CVSS Score
9.1
EPSS Score
0.085
Published
2023-03-03
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376.
CVSS Score
7.3
EPSS Score
0.001
Published
2023-03-03
In OpenBSD 7.2, a TCP packet with destination port 0 that matches a pf divert-to rule can crash the kernel.
CVSS Score
7.5
EPSS Score
0.004
Published
2023-03-03
ShadowsocksX-NG 1.10.0 signs with com.apple.security.get-task-allow entitlements because of CODE_SIGNING_INJECT_BASE_ENTITLEMENTS.
CVSS Score
9.8
EPSS Score
0.001
Published
2023-03-03
Report v0.9.8.6 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability.
CVSS Score
9.8
EPSS Score
0.004
Published
2023-03-03
The Watu Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘dn’, 'email', 'points', and 'date' parameters in versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Score
6.1
EPSS Score
0.14
Published
2023-03-03
Certain Draytek products are vulnerable to Cross Site Scripting (XSS) via the wlogin.cgi script and user_login.cgi script of the router's web application management portal. This affects Vigor3910, Vigor1000B, Vigor2962 v4.3.2.1; Vigor2865 and Vigor2866 v4.4.1.0; Vigor2927 v4.4.2.2; and Vigor2915, Vigor2765, Vigor2766, Vigor2135 v4.4.2.0; Vigor2763 v4.4.2.1; Vigor2862 and Vigor2926 v3.9.9.0; Vigor2925 v3.9.3; Vigor2952 and Vigor3220 v3.9.7.3; Vigor2133 and Vigor2762 v3.9.6.4; and Vigor2832 v3.9.6.2.
CVSS Score
6.1
EPSS Score
0.006
Published
2023-03-03
Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7.
CVSS Score
6.1
EPSS Score
0.027
Published
2023-03-03