Security Vulnerabilities - CVEs Published In March 2024
In the Windows installer in Atos Eviden CardOS API before 5.5.5.2811, Local Privilege Escalation can occur.(from a regular user to SYSTEM).
CVSS Score
7.8
EPSS Score
0.0
Published
2024-03-22
The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do things like insert images, play sounds or create different coloured and sized text." This page also says "Chat is due to be removed from standard Moodle."
CVSS Score
5.4
EPSS Score
0.001
Published
2024-03-22
Logpoint before 7.1.0 allows Self-XSS on the LDAP authentication page via the username to the LDAP login form.
CVSS Score
5.4
EPSS Score
0.005
Published
2024-03-22
Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-03-22
Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration.
CVSS Score
6.1
EPSS Score
0.001
Published
2024-03-22
HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message.
CVSS Score
6.1
EPSS Score
0.001
Published
2024-03-22
Information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol.
CVSS Score
4.1
EPSS Score
0.0
Published
2024-03-22
A cross-site request forgery vulnerability has been identified in LoadMaster. It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator.
CVSS Score
7.5
EPSS Score
0.064
Published
2024-03-22
SQL injection vulnerability in the CIGESv2 system, through /ajaxConfigTotem.php, in the 'id' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-03-22
SQL injection vulnerability in the CIGESv2 system, through /ajaxSubServicios.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.
CVSS Score
9.8
EPSS Score
0.0
Published
2024-03-22