Security Vulnerabilities - CVEs Published In April 2023
An issue was discovered in TigerGraph Enterprise Free Edition 3.x. Data loading jobs in gsql_server, created by any user with designer permissions, can read sensitive data from arbitrary locations.
CVSS Score
6.5
EPSS Score
0.002
Published
2023-04-13
AM Presencia v3.7.3 was discovered to contain a SQL injection vulnerability via the user parameter in the login form.
CVSS Score
9.8
EPSS Score
0.001
Published
2023-04-13
Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. NOTE: Some third parties have indicated the fix in 3.5 does not adequately address the vulnerability. The argument is that the proposed patch prevents dmidecode from writing to an existing file. However, there are multiple attack vectors that would not require overwriting an existing file that would provide the same level of unauthorized privilege escalation (e.g. creating a new file in /etc/cron.hourly).
CVSS Score
7.1
EPSS Score
0.0
Published
2023-04-13
bloofox v0.5.2 was discovered to contain an arbitrary file deletion vulnerability via the delete_file() function.
CVSS Score
9.1
EPSS Score
0.004
Published
2023-04-13
bloofox v0.5.2 was discovered to contain a SQL injection vulnerability via the component /index.php?mode=content&page=pages&action=edit&eid=1.
CVSS Score
8.8
EPSS Score
0.001
Published
2023-04-13
lmxcms v1.4.1 was discovered to contain a SQL injection vulnerability via the setbook parameter at index.php.
CVSS Score
9.8
EPSS Score
0.001
Published
2023-04-13
Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Silkalns Activello theme <= 1.4.4 versions.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-04-13
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.3.
CVSS Score
5.8
EPSS Score
0.001
Published
2023-04-13
Auth. (admin+) Stored Cross-Site Scripting') vulnerability in Zephilou Cyklodev WP Notify plugin <= 1.2.1 versions.
CVSS Score
4.8
EPSS Score
0.001
Published
2023-04-13
The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specific content-type and control the include path (i.e. writing content). The impact of a successful attack is privilege escalation to administrative power.
Please update to Apache Sling Engine >= 2.14.0 and enable the "Check Content-Type overrides" configuration option.
CVSS Score
8.0
EPSS Score
0.01
Published
2023-04-13