Security Vulnerabilities - CVEs Published In March 2023
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in DrayTek Vigor 2960 1.5.1.4/1.5.1.5 and classified as critical. Affected by this vulnerability is the function getSyslogFile of the file mainfunction.cgi of the component Web Management Interface. The manipulation of the argument option leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-222259. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Score
6.5
EPSS Score
0.009
Published
2023-03-03
A vulnerability was found in KylinSoft kylin-activation on KylinOS and classified as critical. Affected by this issue is some unknown functionality of the component File Import. The manipulation leads to improper authorization. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.11-23 and 1.30.10-5.p23 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-222260.
CVSS Score
8.4
EPSS Score
0.001
Published
2023-03-03
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ASOS Information Technologies SOBIAD allows Cross-Site Scripting (XSS).This issue affects SOBIAD: before 23.02.01.
CVSS Score
6.1
EPSS Score
0.002
Published
2023-03-03
Math/PrimeField.php in phpseclib 3.x before 3.0.19 has an infinite loop with composite primefields.
CVSS Score
7.5
EPSS Score
0.003
Published
2023-03-03
Plaintext Storage of a Password vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series, MELSEC iQ-R Series, MELSEC-Q Series and MELSEC-L Series allows a remote unauthenticated attacker to disclose plaintext credentials stored in project files and login into FTP server or Web server.
CVSS Score
7.5
EPSS Score
0.019
Published
2023-03-03
Use of Platform-Dependent Third Party Components in GitHub repository cockpit-hq/cockpit prior to 2.4.0.
CVSS Score
4.0
EPSS Score
0.001
Published
2023-03-03
A malicious actor can clone access cards used to open control cabinets secured with Rittal CMC III locks.
CVSS Score
4.6
EPSS Score
0.001
Published
2023-03-02
A Stack-based buffer overflow vulnerability in the SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash.
CVSS Score
7.5
EPSS Score
0.315
Published
2023-03-02
SonicOS SSLVPN improper restriction of excessive MFA attempts vulnerability allows an authenticated attacker to use excessive MFA codes.
CVSS Score
8.8
EPSS Score
0.004
Published
2023-03-02
IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and IBM Maximo Application Suite 8.8 and 8.9 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 230958.
CVSS Score
6.4
EPSS Score
0.006
Published
2023-03-02