Security Vulnerabilities - CVEs Published In April 2023
An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. A malicious host OS can invoke an Insyde SMI handler with malformed arguments, resulting in memory corruption in SMM.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2023-04-11
An issue was discovered in ChipsetSvcSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. There is insufficient input validation in BIOS Guard updates. An attacker can induce memory corruption in SMM by supplying malformed inputs to the BIOS Guard SMI handler.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2023-04-11
An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. IHISI subfunction execution may corrupt SMRAM. An attacker can pass an address in the RCX save state register that overlaps SMRAM, thereby coercing an IHISI subfunction handler to overwrite private SMRAM.
CVSS Score: 8.4 | EPSS Score: 0.002 | Published: 2023-04-11
An issue was discovered in the Arm Android Gralloc Module. A non-privileged user can read a small portion of the allocator process memory. This affects Bifrost r24p0 through r41p0 before r42p0, Valhall r24p0 through r41p0 before r42p0, and Avalon r41p0 before r42p0.
CVSS Score: 3.3 | EPSS Score: 0.001 | Published: 2023-04-11
Microsoft ODBC and OLE DB Remote Code Execution Vulnerability
CVSS Score: 7.8 | EPSS Score: 0.004 | Published: 2023-04-11
Remote Procedure Call Runtime Remote Code Execution Vulnerability
CVSS Score: 8.8 | EPSS Score: 0.028 | Published: 2023-04-11
An issue was discovered in the Arm Mali Kernel Driver. A non-privileged user can make improper GPU memory processing operations to access a limited amount outside of buffer bounds. This affects Valhall r29p0 through r41p0 before r42p0 and Avalon r41p0 before r42p0.
CVSS Score: 3.3 | EPSS Score: 0.001 | Published: 2023-04-11
A use-after-free flaw was found in btsdio_remove in drivers/bluetooth/btsdio.c in the Linux kernel. A call to btsdio_remove with an unfinished job may cause a race condition leading to a UAF on hdev devices.
CVSS Score: 7.0 | EPSS Score: 0.0 | Published: 2023-04-11
Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
CVSS Score: 9.8 | EPSS Score: 0.922 | Published: 2023-04-11
The ShipStation.com plugin 1.1 and earlier for CS-Cart allows remote attackers to insert arbitrary information into the database (via action=shipnotify) because access to this endpoint is completely unchecked. The attacker must guess an order number.
CVSS Score: 3.7 | EPSS Score: 0.001 | Published: 2023-04-11

