Security Vulnerabilities - CVEs Published In May 2023
Cross Site Scripting (XSS) vulnerability in PerfreeBlog 3.1.2 allows attackers to execute arbitrary code via the Post function.
CVSS Score: 5.4 | EPSS Score: 0.006 | Published: 2023-05-01
A vulnerability was found in SourceCodester Online DJ Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/bookings/view_details.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-227795.
CVSS Score: 6.3 | EPSS Score: 0.001 | Published: 2023-05-01
Apache StreamPark 1.0.0 before 2.0.0: when a user has successfully logged in and modifies their profile, the username is passed to the server layer as a parameter, but the server does not verify that it is the name of the currently logged-in user or that the user is legitimate. This allows malicious attackers to send any username in order to modify and reset that account. Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.
CVSS Score: 9.1 | EPSS Score: 0.001 | Published: 2023-05-01
A certificate validation vulnerability exists in the Baiying Android application which could lead to information disclosure.
CVSS Score: 6.2 | EPSS Score: 0.001 | Published: 2023-05-01
A directory permissions management vulnerability in Lenovo System Update may allow elevation of privileges.
CVSS Score: 7.0 | EPSS Score: 0.0 | Published: 2023-05-01
A valid, authenticated XCC user with read only access may gain elevated privileges through a specifically crafted API call.
CVSS Score: 8.3 | EPSS Score: 0.003 | Published: 2023-05-01
A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format string injection vulnerability in a web interface API.
CVSS Score: 6.3 | EPSS Score: 0.002 | Published: 2023-05-01
A potential security vulnerability has been identified in HPE ProLiant RL300 Gen11 Server. The vulnerability could result in the system being vulnerable to exploits by attackers with physical access inside the server chassis.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2023-05-01
Apache StreamPark 1.0.0 to 2.0.0 have an LDAP injection vulnerability. LDAP injection is an attack against web-based applications that construct LDAP statements from user input: when an application fails to properly sanitize that input, LDAP statements can be modified through techniques similar to SQL injection. LDAP injection attacks could result in permissions being granted to unauthorized queries and in content modification inside the LDAP tree. This risk only arises when the user logs in via LDAP; username-and-password login is not affected. Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2023-05-01
StreamPark allows any user to upload a JAR as an application, but there is no mandatory verification of the uploaded file type, so users can upload high-risk files and may place them in any directory. Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2023-05-01
Shodan ® - All rights reserved