Security Vulnerabilities - CVEs Published In May 2023
Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. An attacker with write access to Kibana yaml or env configuration could add a specific payload that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process.
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2023-05-04
Kibana version 8.7.0 contains an arbitrary code execution flaw. An attacker with All privileges to the Uptime/Synthetics feature could send a request that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process.
CVSS Score: 8.8 | EPSS Score: 0.008 | Published: 2023-05-04
Improper access control vulnerability in ThemeManager prior to SMR May-2023 Release 1 allows local attackers to write arbitrary files with system privilege.
CVSS Score: 8.5 | EPSS Score: 0.0 | Published: 2023-05-04
CVE-2023-21492
Known exploited
Kernel pointers printed in the log file prior to SMR May-2023 Release 1 allow a privileged local attacker to bypass ASLR.
CVSS Score: 4.4 | EPSS Score: 0.004 | Published: 2023-05-04
Improper access control vulnerability in SemShareFileProvider prior to SMR May-2023 Release 1 allows local attackers to access protected data.
CVSS Score: 6.8 | EPSS Score: 0.001 | Published: 2023-05-04
Potential buffer overflow vulnerability in auth api in mm_Authentication.c in Shannon baseband prior to SMR May-2023 Release 1 allows remote attackers to cause invalid memory access.
CVSS Score: 5.6 | EPSS Score: 0.01 | Published: 2023-05-04
Improper access control vulnerability in Knox Enrollment Service prior to SMR May-2023 Release 1 allows an attacker to install a KSP app when device admin is set.
CVSS Score: 4.0 | EPSS Score: 0.0 | Published: 2023-05-04
Active Debug Code vulnerability in ActivityManagerService prior to SMR May-2023 Release 1 allows an attacker to use a debug function by setting the debug level.
CVSS Score: 6.1 | EPSS Score: 0.001 | Published: 2023-05-04
Use of externally-controlled format string vulnerability in mPOS TUI trustlet prior to SMR May-2023 Release 1 allows local attackers to access the memory address.
CVSS Score: 4.4 | EPSS Score: 0.0 | Published: 2023-05-04
Improper input validation vulnerability in setPartnerTAInfo in mPOS TUI trustlet prior to SMR May-2023 Release 1 allows local attackers to overwrite the trustlet memory.
CVSS Score: 6.0 | EPSS Score: 0.0 | Published: 2023-05-04