Security Vulnerabilities - CVEs Published In May 2023
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the forum title parameter.
CVSS Score
5.4
EPSS Score
0.005
Published
2023-05-09
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skills wheel parameter.
CVSS Score
6.1
EPSS Score
0.004
Published
2023-05-09
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skype and linedin_url parameters.
CVSS Score
5.4
EPSS Score
0.005
Published
2023-05-09
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the resource sequencing parameters.
CVSS Score
4.8
EPSS Score
0.003
Published
2023-05-09
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the course category parameters.
CVSS Score
5.4
EPSS Score
0.005
Published
2023-05-09
Cross Site Scripting vulnerability found in Phodal CMD v.1.0 allows a local attacker to execute arbitrary code via the EMBED SRC function.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-05-09
Insecure Permissons vulnerability found in Shop_CMS YerShop all versions allows a remote attacker to escalate privileges via the cover_id parameter.
CVSS Score
7.1
EPSS Score
0.004
Published
2023-05-09
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object model traversal in the payload of a PATCH request, authenticated users with write access to an object may be able to modify related objects that they should not have access to. DHIS2 implementers should upgrade to a supported version of DHIS2 to receive a patch: 2.37.9.1, 2.38.3.1, or 2.39.1.2. It is possible to work around this issue by blocking all PATCH requests on a reverse proxy, but this may cause some issues with the functionality of built-in applications using legacy PATCH requests.
CVSS Score
7.1
EPSS Score
0.0
Published
2023-05-09
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, Personal Access Tokens (PATs) generate unrestricted session cookies. This may lead to a bypass of other access restrictions (for example, based on allowed IP addresses or HTTP methods). DHIS2 implementers should upgrade to a supported version of DHIS2: 2.37.9.1, 2.38.3.1, or 2.39.1.2. Implementers can work around this issue by adding extra access control validations on a reverse proxy.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-05-09
mage-ai is an open-source data pipeline tool for transforming and integrating data. Those who use Mage starting in version 0.8.34 and prior to 0.8.72 with user authentication enabled may be affected by a vulnerability. The terminal could be accessed by users who are not signed in or do not have editor permissions. Version 0.8.72 contains a fix for this issue.
CVSS Score
5.9
EPSS Score
0.001
Published
2023-05-09