Security Vulnerabilities - CVEs Published In April 2023
Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.
CVSS Score: 4.2 | EPSS Score: 0.003 | Published: 2023-04-26
Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2023-04-26
Medicine Tracker System in PHP 1.0.0 is vulnerable to SQL Injection.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2023-04-26
CLTPHP <=6.0 is vulnerable to Directory Traversal.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2023-04-26
CLTPHP <=6.0 is vulnerable to Unrestricted Upload of File with Dangerous Type.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2023-04-26
CLTPHP <=6.0 is vulnerable to Cross Site Scripting (XSS) via application/home/controller/Changyan.php.
CVSS Score: 6.1 | EPSS Score: 0.001 | Published: 2023-04-26
CLTPHP <=6.0 is vulnerable to Improper Input Validation via application/admin/controller/Template.php.
CVSS Score: 8.1 | EPSS Score: 0.001 | Published: 2023-04-26
Password vulnerability found in Vinga WR-AC1200 81.102.1.4370 and before allows a remote attacker to execute arbitrary code via the password parameter at the /goform/sysTools and /adm/systools.asp endpoints.
CVSS Score: 9.8 | EPSS Score: 0.045 | Published: 2023-04-26
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to remote code execution as a database administrator of one database may execute code or read/write files from another database within the same instance. IBM X-Force ID: 252011.
CVSS Score: 7.2 | EPSS Score: 0.001 | Published: 2023-04-26
IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX runtime services library to execute arbitrary commands. IBM X-Force ID: 248421.
CVSS Score: 8.4 | EPSS Score: 0.0 | Published: 2023-04-26
Shodan ® - All rights reserved