Security Vulnerabilities - CVEs Published In May 2023
CRMEB v4.4 to v4.6 was discovered to contain an arbitrary file upload vulnerability via the component \attachment\SystemAttachmentServices.php.
CVSS Score: 9.8 | EPSS Score: 0.006 | Published: 2023-05-08
A buffer overflow in the component /proc/ftxxxx-debug of FiiO M6 Build Number v1.0.4 allows attackers to escalate privileges to root.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2023-05-08
A vulnerability has been found in SourceCodester Multi Language Hotel Management Software 1.0 and classified as problematic. This vulnerability affects unknown code of the file ajax.php of the component POST Parameter Handler. The manipulation of the argument complaint_type with the input <script>alert(document.cookie)</script> leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-228172.
CVSS Score: 3.5 | EPSS Score: 0.001 | Published: 2023-05-07
OS Command Injection in GitHub repository sbs20/scanservjs prior to v2.27.0.
CVSS Score: 10.0 | EPSS Score: 0.349 | Published: 2023-05-07
The myMail app through 14.30 for iOS sends cleartext credentials in a situation where STARTTLS is expected by a server.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2023-05-07
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2023-05-07
Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Hu-manity.Co Cookie Notice & Compliance for GDPR / CCPA plugin <= 2.4.6 versions.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2023-05-07
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Samuel Marshall JCH Optimize plugin <= 3.2.2 versions.
CVSS Score: 5.9 | EPSS Score: 0.001 | Published: 2023-05-06
A vulnerability was found in jja8 NewBingGoGo up to 2023.5.5.2. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-228167.
CVSS Score: 3.5 | EPSS Score: 0.001 | Published: 2023-05-06
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jeff Starr Dashboard Widgets Suite plugin <= 3.2.1 versions.
CVSS Score: 5.9 | EPSS Score: 0.001 | Published: 2023-05-06

