Security Vulnerabilities - CVEs Published In June 2023
Mailform Pro CGI 4.3.1.2 and earlier allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition.
CVSS Score: 7.5 | EPSS Score: 0.005 | Published: 2023-06-29

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVSS Score: 7.5 | EPSS Score: 0.015 | Published: 2023-06-29

Multiple cross-site scripting (XSS) vulnerabilities were discovered in Church CRM v4.5.3 in GroupReports.php via GroupRole, ReportModel, and OnlyCart parameters.
CVSS Score: 6.1 | EPSS Score: 0.005 | Published: 2023-06-29

Chemex through 3.7.1 is vulnerable to arbitrary file upload.
CVSS Score: 9.8 | EPSS Score: 0.002 | Published: 2023-06-29

Traggo Server 0.3.0 is vulnerable to directory traversal via a crafted GET request.
CVSS Score: 7.5 | EPSS Score: 0.915 | Published: 2023-06-29

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.
CVSS Score: 9.8 | EPSS Score: 0.075 | Published: 2023-06-28

PHPGurukul Hostel Management System v.1.0 is vulnerable to Cross Site Scripting (XSS).
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2023-06-28

Guantang Equipment Management System version 4.12 is vulnerable to Arbitrary File Upload.
CVSS Score: 7.2 | EPSS Score: 0.001 | Published: 2023-06-28

Interactsh is an open-source tool for detecting out-of-band interactions. Domains configured with interactsh server prior to version 1.0.0 were vulnerable to subdomain takeover for a specific subdomain, i.e., `app`. Interactsh server used to create CNAME entries for `app` pointing to `projectdiscovery.github.io` by default, which was intended to be used for hosting the interactsh web client using GitHub Pages. This is a security issue with a self-hosted interactsh server in which the user may not have configured a web client but still has a CNAME entry pointing to GitHub Pages, making them vulnerable to subdomain takeover. This allows a threat actor to host and run arbitrary client-side code (cross-site scripting) in a user's browser when browsing the vulnerable subdomain. Version 1.0.0 fixes this issue by making the CNAME optional, rather than default.
CVSS Score: 8.2 | EPSS Score: 0.009 | Published: 2023-06-28

A NULL pointer dereference flaw was found in the Linux kernel AMD Sensor Fusion Hub driver. This flaw allows a local user to crash the system.
CVSS Score: 5.5 | EPSS Score: 0.0 | Published: 2023-06-28

