Security Vulnerabilities - CVEs Published In May 2023
Due to improper input validation in the Alerts controller, a SQL injection vulnerability in Nozomi Networks Guardian and CMC allows an authenticated attacker to execute arbitrary SQL queries on the DBMS used by the web application.
CVSS Score
8.8
EPSS Score
0.003
Published
2023-05-04
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Carlo Gavazzi Powersoft up to version 2.1.1.1 allows an unauthenticated, remote attacker to download any file from the affected device.
CVSS Score
7.5
EPSS Score
0.003
Published
2023-05-04
Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to
the misconfiguration of the Webhook. This component enforces validation
rules and security checks before resources are admitted into the
Kubernetes cluster.
The issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected.
CVSS Score
9.9
EPSS Score
0.004
Published
2023-05-04
DELL ECS prior to 3.8.0.2 contains an improper verification of cryptographic signature vulnerability. A network attacker with an ability to intercept the request could potentially exploit this vulnerability to modify the body data of the request.
CVSS Score
5.9
EPSS Score
0.001
Published
2023-05-04
Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.
**Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.
CVSS Score
5.6
EPSS Score
0.002
Published
2023-05-04
An issue in the render function of beetl v3.15.0 allows attackers to execute server-side template injection (SSTI) via a crafted payload.
CVSS Score
9.8
EPSS Score
0.003
Published
2023-05-04
Judging Management System v1.0 by oretnom23 was discovered to vulnerable to SQL injection via /php-jms/review_result.php?mainevent_id=, mainevent_id.
CVSS Score
9.8
EPSS Score
0.001
Published
2023-05-04
ChurchCRM 4.5.4 endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter.
CVSS Score
8.8
EPSS Score
0.001
Published
2023-05-04
SQL injection vulnerability inSpryker Commerce OS 0.9 that allows for access to sensitive data via customer/order?orderSearchForm[searchText]=
CVSS Score
8.8
EPSS Score
0.002
Published
2023-05-04
Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers.
CVSS Score
8.8
EPSS Score
0.809
Published
2023-05-04