Security Vulnerabilities - CVEs Published In April 2023
Nokia OneNDS 17r2 has an insecure permissions vulnerability that allows privilege escalation.
CVSS Score
7.8
EPSS Score
0.001
Published
2023-04-25
A vulnerability in the Wi-Fi file transfer module of the Shanling M5S Portable Music Player (Shanling MTouch OS v4.3) and the Shanling M2X Portable Music Player (Shanling MTouch OS v3.3) allows attackers to read, delete, or modify arbitrary critical system files via directory traversal.
CVSS Score
9.8
EPSS Score
0.004
Published
2023-04-25
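The directory traversal described above, as an added example that is not the vendor's code: a Python containment check of the kind a Wi-Fi file-transfer endpoint needs, with the vulnerable join shown beside the hardened version. The share root /srv/share, the request strings and the function names are assumptions for illustration.

```python
from pathlib import Path
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a client-supplied path would escape the shared directory."""


def unsafe_resolve(base_dir, requested):
    # Vulnerable pattern (assumed, for illustration): the client-supplied path is
    # joined onto the share root with no containment check. "../../etc/passwd"
    # climbs out of the share, and an absolute path replaces the root entirely,
    # because pathlib's "/" operator discards the left side when the right is absolute.
    return Path(base_dir) / requested


def safe_resolve(base_dir, requested):
    """Return the on-disk path for `requested`, or raise TraversalError."""
    root = Path(base_dir).resolve()
    # Decode percent-encoding exactly once, so "..%2F" is checked as "../" instead of
    # slipping through as a literal filename the OS may later reinterpret.
    relative = unquote(requested)
    # Reject absolute paths up front; the resolve() check below would also catch
    # them, but failing early makes the log entry unambiguous.
    if relative.startswith("/"):
        raise TraversalError(f"absolute path rejected: {requested!r}")
    # resolve() collapses "." and ".." segments and follows symlinks, so the
    # containment test runs on the path the filesystem would actually open.
    candidate = (root / relative).resolve()
    if candidate != root and root not in candidate.parents:
        raise TraversalError(f"path escapes share root: {requested!r}")
    return candidate


def is_within_share(base_dir, requested):
    """Boolean form of safe_resolve(), convenient for tests and allow/deny logging."""
    try:
        safe_resolve(base_dir, requested)
    except TraversalError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests, not taken from any advisory.
    share = "/srv/share"
    for req in ("music/track.mp3", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "/etc/passwd"):
        print(f"{req!r:32} unsafe -> {unsafe_resolve(share, req)}  "
              f"allowed by safe check: {is_within_share(share, req)}")
```

Because the check runs after resolve(), a symlink inside the share that points outside it is rejected as well; if the device legitimately needs such links, whitelist them explicitly rather than relaxing the containment test.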
Sengled Dimmer Switch V0.0.9 contains a denial of service (DoS) vulnerability that allows a remote attacker to send malicious Zigbee messages to a vulnerable device and cause crashes. After receiving a malicious 'Set_short_poll_interval' command, the device keeps reporting its status until it drains its battery.
CVSS Score
7.5
EPSS Score
0.003
Published
2023-04-25
When archiving a team, Mattermost fails to sanitize the related WebSocket event sent to currently connected clients. This allows those clients to see the name, display name, description, and other data about the archived team.
CVSS Score
3.1
EPSS Score
0.003
Published
2023-04-25
A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to change any user's password except for the user that is currently logged in.
CVSS Score
6.5
EPSS Score
0.004
Published
2023-04-25
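The CSRF pattern described above, as an added example that is not ChurchCRM's code: a Python sketch of an administrative password-change handler without and with anti-CSRF protection (a per-session synchronizer token plus Fetch Metadata as defence in depth). The Session class, the PASSWORDS store, the form field names and the usernames are assumptions for illustration.

```python
import hmac
import secrets


class Session:
    """Server-side session; the CSRF token lives here, never in a cookie the attacker can read."""

    def __init__(self, username, is_admin):
        self.username = username
        self.is_admin = is_admin
        # Synchronizer token: unguessable, bound to this session, embedded in the
        # legitimate form as a hidden field.
        self.csrf_token = secrets.token_urlsafe(32)


# Constructed sample credential store (password hashing is out of scope here).
PASSWORDS = {"alice": "alice-old", "bob": "bob-old"}


def change_password_vulnerable(session, form):
    # Authorization is checked, but nothing proves the admin meant to submit this
    # form. Any page the logged-in admin visits can auto-submit a cross-site POST;
    # the browser attaches the session cookie, so the attacker chooses `user` and
    # `new_password`.
    if not session.is_admin:
        return False
    PASSWORDS[form["user"]] = form["new_password"]
    return True


def change_password_hardened(session, form, headers):
    if not session.is_admin:
        return False
    # 1. Synchronizer token check, compared in constant time. Encode to bytes so an
    #    attacker-controlled non-ASCII token cannot make compare_digest raise.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False
    # 2. Fetch Metadata as defence in depth: current browsers send Sec-Fetch-Site on
    #    every request, and "cross-site" marks one started by another origin. Older
    #    browsers omit the header, so its absence alone is not a reason to reject.
    site = headers.get("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "none"):
        return False
    PASSWORDS[form["user"]] = form["new_password"]
    return True


def forged_form(target_user, new_password):
    """What an attacker's auto-submitting page sends: no token; the browser adds the cookie."""
    return {"user": target_user, "new_password": new_password}


if __name__ == "__main__":
    admin = Session("alice", is_admin=True)
    forged = forged_form("bob", "owned")
    print("vulnerable handler accepted forged request:",
          change_password_vulnerable(admin, forged))
    print("hardened handler accepted forged request:",
          change_password_hardened(admin, forged, {"Sec-Fetch-Site": "cross-site"}))
    legit = {**forged, "csrf_token": admin.csrf_token}
    print("hardened handler accepted legitimate request:",
          change_password_hardened(admin, legit, {"Sec-Fetch-Site": "same-origin"}))
```

The token check is the primary control; the Sec-Fetch-Site check only adds protection in browsers that send it. A SameSite=Lax session cookie would block the cross-site POST as well, but it is a browser-side default and is best treated as another layer, not a replacement for the token.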
A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via NoteEditor.php.
CVSS Score
5.4
EPSS Score
0.126
Published
2023-04-25
A cross-site scripting (XSS) vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-04-25
x86 shadow paging arbitrary pointer dereference. In environments where host-assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen runs guests in so-called shadow mode. Due to too lax a check in one of the hypervisor routines used for shadow page handling, a guest with a PCI device passed through can cause the hypervisor to access an arbitrary pointer partially under guest control.
CVSS Score
7.8
EPSS Score
0.001
Published
2023-04-25
A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found.
CVSS Score
6.1
EPSS Score
0.089
Published
2023-04-25
A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the "Title" input field in EventEditor.php.
CVSS Score
5.4
EPSS Score
0.003
Published
2023-04-25
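The four XSS entries on this page (stored via NoteEditor.php and the EventEditor.php "Title" field, stored via a Pear-Admin-Boot private-message title, and reflected via the id parameter of /churchcrm/v2/family/not-found) share one root cause: untrusted data written into HTML without encoding for the context it lands in. As an added example that is not ChurchCRM's or Pear-Admin-Boot's code, the Python below shows the vulnerable interpolation beside context-aware output encoding for element content, an attribute value and a JavaScript data literal. The markup, field names and payloads are constructed for illustration.

```python
import html
import json


def render_title_unsafe(title):
    # Vulnerable pattern (illustrative): a stored value is interpolated straight into
    # the page. A title of "<script>alert(1)</script>" becomes a script element for
    # every user who later views the note, event or message.
    return f'<h2 class="title">{title}</h2>'


def render_title_safe(title):
    # HTML element content: escape & < > " ' at output time. Escaping at storage time
    # is not enough, because the same value may later be rendered in other contexts.
    return f'<h2 class="title">{html.escape(title, quote=True)}</h2>'


def render_not_found_safe(family_id):
    # Reflected context: the value comes straight from the query string and is echoed
    # into an error message. The same rule applies: encode for the destination context.
    return f"<p>Family {html.escape(str(family_id), quote=True)} not found.</p>"


def render_input_value_safe(value):
    # Attribute context: the attribute must be quoted and the value escaped, so a
    # payload such as '" onmouseover="alert(1)' cannot close the quote and append an
    # event handler.
    return f'<input name="Title" value="{html.escape(value, quote=True)}">'


def render_into_script_safe(value):
    # JavaScript data context: html.escape is the wrong tool here. Serialize as a JSON
    # string and escape "<" so a "</script>" inside the data cannot end the block early.
    js_literal = json.dumps(value).replace("<", "\\u003c")
    return f"<script>var title = {js_literal};</script>"


def payload_neutralised(rendered, payload):
    """True if the raw payload no longer appears verbatim in the rendered markup."""
    return payload not in rendered


if __name__ == "__main__":
    # Constructed payloads, not taken from any advisory.
    script_payload = "<script>alert(1)</script>"
    attr_payload = '" onmouseover="alert(1)'
    print(render_title_unsafe(script_payload))
    print(render_title_safe(script_payload))
    print(render_input_value_safe(attr_payload))
    print(render_into_script_safe("</script><script>alert(1)</script>"))
```

Escaping belongs at the point of output, chosen per context; a template engine with auto-escaping enabled does the first two cases by default, but the script-data case still needs explicit JSON serialization, and a Content-Security-Policy that disallows inline scripts limits the damage when an encoding step is missed.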
Shodan ® - All rights reserved