Security Vulnerabilities - CVEs Published In April 2023
Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.12.
CVSS Score: 4.7 | EPSS Score: 0.001 | Published: 2023-04-05

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.
CVSS Score: 6.3 | EPSS Score: 0.001 | Published: 2023-04-05

Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12.
CVSS Score: 7.3 | EPSS Score: 0.003 | Published: 2023-04-05

Business Logic Errors in GitHub repository thorsten/phpmyfaq prior to 3.1.12.
CVSS Score: 8.3 | EPSS Score: 0.001 | Published: 2023-04-05

A vulnerability in the Vector Packet Processor (VPP) of Cisco Packet Data Network Gateway (PGW) could allow an unauthenticated, remote attacker to stop ICMP traffic from being processed over an IPsec connection. This vulnerability is due to the VPP improperly handling a malformed packet. An attacker could exploit this vulnerability by sending a malformed Encapsulating Security Payload (ESP) packet over an IPsec connection. A successful exploit could allow the attacker to stop ICMP traffic over an IPsec connection and cause a denial of service (DoS).
CVSS Score: 5.8 | EPSS Score: 0.004 | Published: 2023-04-05
GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such a token, it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation. Versions 9.5.13 and 10.0.7 contain a patch for this issue.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2023-04-05
Command Injection in GitHub repository microweber/microweber prior to 1.3.3.
CVSS Score: 6.1 | EPSS Score: 0.005 | Published: 2023-04-05
GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This feature does not check the safety of URLs. Versions 9.5.13 and 10.0.7 contain a patch for this issue.
CVSS Score: 3.5 | EPSS Score: 0.002 | Published: 2023-04-05
Toyota RAV4 2021 vehicles automatically trust messages from other ECUs on a CAN bus, which allows physically proximate attackers to drive a vehicle by accessing the control CAN bus after pulling the bumper away and reaching the headlight connector, and then sending forged "Key is validated" messages via CAN Injection, as exploited in the wild in (for example) July 2022.
CVSS Score: 6.8 | EPSS Score: 0.001 | Published: 2023-04-05

A use-after-free vulnerability exists within the way Ichitaro Word Processor 2022, version 1.0.1.57600, processes protected documents. A specially crafted document can trigger reuse of freed memory, which can lead to further memory corruption and potentially result in arbitrary code execution. An attacker can provide a malicious document to trigger this vulnerability.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2023-04-05
Shodan ® - All rights reserved