Security Vulnerabilities - CVEs Published In May 2023
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Nico Graff WP Simple Events plugin <= 1.0 versions.
CVSS Score
5.9
EPSS Score
0.001
Published
2023-05-08
WJJ Software - InnoKB Server, InnoKB/Console 2.2.1 - Reflected cross-site scripting (RXSS) through an unspecified request.
CVSS Score
6.1
EPSS Score
0.002
Published
2023-05-08
WJJ Software - InnoKB Server, InnoKB/Console 2.2.1 - CWE-22: Path Traversal
CVSS Score
7.5
EPSS Score
0.003
Published
2023-05-08
EasyTor Applications – Authorization Bypass - EasyTor Applications may allow authorization bypass via unspecified method.
CVSS Score
8.1
EPSS Score
0.001
Published
2023-05-08
Cybonet PineApp Mail Secure A reflected cross-site scripting (XSS) vulnerability was identified in the product, using an unspecified endpoint.
CVSS Score
6.1
EPSS Score
0.002
Published
2023-05-08
A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.
CVSS Score
6.7
EPSS Score
0.0
Published
2023-05-08
A prototype pollution vulnerability exists in Strikingly CMS which can result in reflected cross-site scripting (XSS) in affected applications and sites built with Strikingly. The vulnerability exists because of Strikingly JavaScript library parsing the URL fragment allows access to the __proto__ or constructor properties and the Object prototype. By leveraging an embedded gadget like jQuery, an attacker who convinces a victim to visit a specially crafted link could achieve arbitrary javascript execution in the context of the user's browser.
CVSS Score
6.1
EPSS Score
0.002
Published
2023-05-08
AsmBB v2.9.1 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the MiniMag.asm and bbcode.asm libraries.
CVSS Score
6.1
EPSS Score
0.003
Published
2023-05-08
`effectindex/tripreporter` is a community-powered, universal platform for submitting and analyzing trip reports. Prior to commit bd80ba833b9023d39ca22e29874296c8729dd53b, any user with an account on an instance of `effectindex/tripreporter`, e.g. `subjective.report`, may be affected by an improper password verification vulnerability. The vulnerability allows any user with a password matching the password requirements to log in as any user. This allows access to accounts / data loss of the user. This issue is patched in commit bd80ba833b9023d39ca22e29874296c8729dd53b. No action necessary for users of `subjective.report`, and anyone running their own instance should update to this commit or newer as soon as possible. As a workaround, someone running their own instance may apply the patch manually.
CVSS Score
9.1
EPSS Score
0.003
Published
2023-05-08
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package, including those who use depending packages like `socket.io`. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.
CVSS Score
6.5
EPSS Score
0.007
Published
2023-05-08