Security Vulnerabilities - CVEs Published In May 2023
Incorrect access control in Videogo v6.8.1 allows attackers to access images from other devices via modification of the Device Id parameter.
CVSS Score: 7.5
EPSS Score: 0.001
Published: 2023-05-16
Insecure permissions in luowice 3.5.18 allow attackers to view information for other alarm devices via modification of the eseeid parameter.
CVSS Score: 7.5
EPSS Score: 0.001
Published: 2023-05-16
Incorrect access control in Videogo v6.8.1 allows attackers to bind shared devices after the connection has been ended.
CVSS Score: 5.3
EPSS Score: 0.001
Published: 2023-05-16
A stored cross-site scripting (XSS) vulnerability in alkacon-OpenCMS v11.0.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field under the Upload Image module.
CVSS Score: 5.4
EPSS Score: 0.001
Published: 2023-05-16
IDURAR ERP/CRM v1 was discovered to contain a SQL injection vulnerability via the component /api/login.
CVSS Score: 9.8
EPSS Score: 0.003
Published: 2023-05-16
Versions of Sage 300 through 2022 implement role-based access controls that are only enforced client-side. Low-privileged Sage users, particularly those on a workstation setup in the "Windows Peer-to-Peer Network" or "Client Server Network" Sage 300 configurations, could recover the SQL connection strings being used by Sage 300 and interact directly with the underlying database(s) to create, update, and delete all company records, bypassing the program’s role-based access controls.
CVSS Score: 4.3
EPSS Score: 0.0
Published: 2023-05-16
Prestashop posstaticblocks <= 1.0.0 is vulnerable to SQL Injection via posstaticblocks::getPosCurrentHook().
CVSS Score: 9.8
EPSS Score: 0.001
Published: 2023-05-16
An insecure permissions vulnerability was discovered in scquickaccounting before v3.7.3 from Store Commander for PrestaShop. Due to a lack of permission control, a guest can access exports from the module, which can lead to a leak of personal information from the ps_customer table, such as name / surname / email.
CVSS Score: 6.5
EPSS Score: 0.001
Published: 2023-05-16
Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to improper input sanitization on the "Additional HTML Section" via the "Header and Footer" parameter in /admin/settings.php. This vulnerability allows an attacker to steal admin and all user account cookies by storing a malicious XSS payload in Header and Footer. NOTE: this is disputed by the vendor because the "Additional HTML Section" for "Header and Footer" can only be supplied by an administrator, who is intentionally allowed to enter unsanitized input (e.g., site-specific JavaScript).
CVSS Score: 5.4
EPSS Score: 0.001
Published: 2023-05-16
Multiple authenticated path traversal vulnerabilities exist in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of these vulnerabilities results in the ability to read arbitrary files on the underlying operating system, including sensitive system files.
CVSS Score: 4.9
EPSS Score: 0.001
Published: 2023-05-16