Security Vulnerabilities - CVEs Published In May 2023
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. This is due to insufficient verification on the user being supplied during the coupon redemption REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2023-05-25
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2023-05-25
ZLMediaKit 4.0 is vulnerable to Directory Traversal.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2023-05-25
IC Realtime ICIP-P2012T 2.420 is vulnerable to Incorrect Access Control via an exposed HTTP channel using VLC network.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2023-05-25
The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.3.19 via deserialization of untrusted input from the 'go_pricing' shortcode 'data' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2023-05-25
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.
CVSS Score: 8.0 | EPSS Score: 0.005 | Published: 2023-05-24
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x, expose dashboard prompts to users who are not part of the authorization list.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2023-05-24
Amazon Alexa software version 8960323972 on Echo Dot 2nd generation and 3rd generation devices potentially allows attackers to deliver security-relevant commands via an audio signal between 16 and 22 kHz (often outside the range of human adult hearing). Commands at these frequencies are essentially never spoken by authorized actors, but a substantial fraction of the commands are successful.
CVSS Score: 7.6 | EPSS Score: 0.001 | Published: 2023-05-24
A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2, 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the test_presenter.php page. A successful exploit could allow an attacker to execute arbitrary scripts.
CVSS Score: 7.4 | EPSS Score: 0.003 | Published: 2023-05-24
SofaWiki <= 3.8.9 has a file upload vulnerability that leads to command execution.
CVSS Score: 9.8 | EPSS Score: 0.002 | Published: 2023-05-24
Shodan ® - All rights reserved