Security Vulnerabilities - CVEs Published In April 2023
In the External Redirect Warning Plugin 1.3 for MyBB, the redirect URL (aka external.php?url=) is vulnerable to XSS.
CVSS Score: 6.1 | EPSS Score: 0.004 | Published: 2023-04-16
ENTAB ERP 1.0 allows attackers to discover users' full names via a brute force attack with a series of student usernames such as s10000 through s20000. There is no rate limiting.
CVSS Score: 5.3 | EPSS Score: 0.023 | Published: 2023-04-16
front/icon.send.php in the CMDB plugin before 3.0.3 for GLPI allows attackers to gain read access to sensitive information via a _log/ pathname in the file parameter.
CVSS Score: 6.5 | EPSS Score: 0.017 | Published: 2023-04-16
The Activity plugin before 3.1.1 for GLPI allows reading local files via directory traversal in the front/cra.send.php file parameter.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2023-04-16
The Managentities plugin before 4.0.2 for GLPI allows reading local files via directory traversal in the inc/cri.class.php file parameter.
CVSS Score: 7.5 | EPSS Score: 0.051 | Published: 2023-04-16
The Cartography (aka positions) plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php.
CVSS Score: 9.8 | EPSS Score: 0.095 | Published: 2023-04-16
TP-Link Tapo C310 1.3.0 devices allow access to the RTSP video feed via credentials of User --- and Password TPL075526460603.
CVSS Score: 7.5 | EPSS Score: 0.028 | Published: 2023-04-16
OX App Suite before 7.10.6-rev30 allows XSS via an upsell trigger.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2023-04-16
cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.
CVSS Score: 7.5 | EPSS Score: 0.017 | Published: 2023-04-16
Linksys AX3200 1.1.00 is vulnerable to OS command injection by authenticated users via shell metacharacters to the diagnostics traceroute page.
CVSS Score: 8.8 | EPSS Score: 0.025 | Published: 2023-04-16