Security Vulnerabilities - CVEs Published In April 2023
An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.
CVSS Score
5.5
EPSS Score
0.0
Published
2023-04-24
A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured the "Expo AuthSession Redirect Proxy" for social sign-in. This can be achieved once a victim clicks a malicious link. The link itself may be sent to the victim in various ways (including email, text message, an attacker-controlled website, etc).
CVSS Score
9.6
EPSS Score
0.01
Published
2023-04-24
CloverDX before 5.17.3 writes passwords to the audit log in certain situations, if the audit log is enabled and single sign-on is not employed. The fixed versions are 5.15.4, 5.16.2, 5.17.3, and 6.0.x.
CVSS Score
9.1
EPSS Score
0.001
Published
2023-04-24
Repetier Server through 1.4.10 allows ..%5c directory traversal for reading files that contain credentials, as demonstrated by connectionLost.php.
CVSS Score
7.5
EPSS Score
0.866
Published
2023-04-24
Repetier Server through 1.4.10 executes as SYSTEM. This can be leveraged in conjunction with CVE-2023-31059 for full compromise.
CVSS Score
9.8
EPSS Score
0.008
Published
2023-04-24
Repetier Server through 1.4.10 does not have CSRF protection.
CVSS Score
8.8
EPSS Score
0.006
Published
2023-04-24
The 'Visforms Base Package for Joomla 3' extension is vulnerable to SQL Injection as concatenation is used to construct an SQL Query. An attacker can interact with the database and could be able to read, modify and delete data on it.
CVSS Score
9.8
EPSS Score
0.003
Published
2023-04-23
EnterpriseDB EDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0.
CVSS Score
7.5
EPSS Score
0.0
Published
2023-04-23
A vulnerability has been found in SourceCodester Online Pizza Ordering System 1.0 and classified as critical. This vulnerability affects unknown code of the file admin/ajax.php?action=save_settings. The manipulation of the argument img leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-227236.
CVSS Score
6.3
EPSS Score
0.012
Published
2023-04-23
Cross-Site Request Forgery (CSRF) vulnerability in Paramveer Singh for Arete IT Private Limited Activity Reactions For Buddypress plugin <= 1.0.22 versions.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-04-23