Security Vulnerabilities - CVEs Published In March 2023
Osprey Pump Controller version 1.01: input passed to a GET parameter is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in the context of an affected site.
CVSS Score: 7.5
EPSS Score: 0.008
Published: 2023-03-28
Osprey Pump Controller version 1.01 has a hidden administrative account with a hardcoded password that allows full access to the web management interface configuration. The user is not visible in the Usernames and Passwords menu list of the application, and the password cannot be changed through any normal operation of the device.
CVSS Score: 9.8
EPSS Score: 0.001
Published: 2023-03-28
Osprey Pump Controller version 1.01 contains an unauthenticated command injection vulnerability that could allow system access with www-data permissions.
CVSS Score: 8.2
EPSS Score: 0.002
Published: 2023-03-28
Osprey Pump Controller version 1.01 allows users to perform certain actions via HTTP requests without performing any checks to verify the requests. This may allow an attacker to perform certain actions with administrative privileges if a logged-in user visits a malicious website.
CVSS Score: 7.1
EPSS Score: 0.001
Published: 2023-03-28
The ShipStation.com plugin 1.0 for CS-Cart allows remote attackers to obtain sensitive information (via action=export) because a typo results in a successful comparison of a blank password and NULL.
CVSS Score: 7.5
EPSS Score: 0.001
Published: 2023-03-28
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible.
CVSS Score: 8.2
EPSS Score: 0.009
Published: 2023-03-28
matrix-react-sdk is a Matrix chat protocol SDK for React JavaScript. Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered. This issue has been fixed in matrix-react-sdk 3.53.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score: 8.2
EPSS Score: 0.002
Published: 2023-03-28
RoboDK versions 5.5.3 and prior contain an insecure permission assignment to critical directories vulnerability, which could allow a local user to escalate privileges and write files to the RoboDK process and achieve code execution.
CVSS Score: 7.9
EPSS Score: 0.0
Published: 2023-03-28
CP Plus KVMS Pro versions 2.01.0.T.190521 and prior are vulnerable to sensitive credentials being leaked because they are insufficiently protected.
CVSS Score: 7.8
EPSS Score: 0.001
Published: 2023-03-28
A vulnerability was found in SourceCodester School Registration and Fee System 1.0 and classified as critical. This issue affects some unknown processing of the file /bilal final/login.php of the component POST Parameter Handler. The manipulation of the argument username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-224231.
CVSS Score: 7.3
EPSS Score: 0.001
Published: 2023-03-28
Shodan ® - All rights reserved