Security Vulnerabilities - CVEs Published In May 2023
OpenText Documentum Content Server before 23.2 has a flaw that allows for privilege escalation from a non-privileged Documentum user to root. The software comes prepackaged with a root owned SUID binary dm_secure_writer. The binary has security controls in place preventing creation of a file in a non-owned directory, or as the root user. However, these controls can be carefully bypassed to allow for an arbitrary file write as root.
CVSS Score
7.8
EPSS Score
0.0
Published
2023-05-18
A vulnerability, which was classified as problematic, has been found in cnoa OA up to 5.1.1.5. Affected by this issue is some unknown functionality of the file /index.php?app=main&func=passport&action=login. The manipulation leads to use of hard-coded password. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-229376. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
6.3
EPSS Score
0.001
Published
2023-05-18
A vulnerability was found in GNU cflow 1.7. It has been rated as problematic. This issue affects the function func_body/parse_variable_declaration of the file parser.c. The manipulation leads to denial of service. The exploit has been disclosed to the public and may be used. The identifier VDB-229373 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
3.5
EPSS Score
0.002
Published
2023-05-18
A vulnerability classified as problematic has been found in TOTOLINK N200RE 9.3.5u.6255_B20211224. Affected is an unknown function of the file /squashfs-root/etc_ro/custom.conf of the component Telnet Service. The manipulation leads to password in configuration file. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. VDB-229374 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
2.3
EPSS Score
0.0
Published
2023-05-18
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Don Benjamin WP Custom Fields Search plugin <= 1.2.34 versions.
CVSS Score
5.9
EPSS Score
0.0
Published
2023-05-18
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in BeRocket Brands for WooCommerce plugin <= 3.7.0.6 versions.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-05-18
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in MonsterInsights plugin <= 8.14.0 versions.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-05-18
Cross-Site Request Forgery (CSRF) vulnerability in Studio Wombat Shoppable Images plugin <= 1.2.3 versions.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-05-18
Cross-Site Request Forgery (CSRF) vulnerability in Ramon Fincken Auto Prune Posts plugin <= 1.8.0 versions.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-05-18
Cross-Site Request Forgery (CSRF) vulnerability in Ramon Fincken Mass Delete Unused Tags plugin <= 2.0.0 versions.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-05-18