Security Vulnerabilities - CVEs Published In June 2023
xxl-rpc v1.7.0 was discovered to contain a deserialization vulnerability via the component com.xxl.rpc.core.remoting.net.impl.netty.codec.NettyDecode#decode.
CVSS Score: 9.8
EPSS Score: 0.001
Published: 2023-06-07

TOTOLink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the staticGw parameter at /setting/setWanIeCfg.
CVSS Score: 9.8
EPSS Score: 0.015
Published: 2023-06-07

IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, CICS TX Advanced 10.1, and 11.1 could allow a privileged user to obtain highly sensitive information by enabling debug mode. IBM X-Force ID: 257104.
CVSS Score: 4.9
EPSS Score: 0.001
Published: 2023-06-07

Datalogics Library APDFL v18.0.4PlusP1e and prior contains a stack-based buffer overflow due to documents containing corrupted fonts, which could allow an attack that causes an unhandled crash during the rendering process.
CVSS Score: 7.8
EPSS Score: 0.001
Published: 2023-06-07

StreamReader::ReadFromExternal in RenderDoc before 1.27 allows an Integer Overflow with a resultant Buffer Overflow. It uses uint32_t(m_BufferSize-m_InputSize) even though m_InputSize can exceed m_BufferSize.
CVSS Score: 9.8
EPSS Score: 0.002
Published: 2023-06-07

RenderDoc before 1.27 allows local privilege escalation via a symlink attack. It relies on the /tmp/RenderDoc directory regardless of ownership.
CVSS Score: 7.8
EPSS Score: 0.0
Published: 2023-06-07

SABnzbd is an open source automated Usenet download tool. A design flaw was discovered in SABnzbd that could allow remote code execution. Manipulating the Parameters setting in the Notification Script functionality allows code execution with the privileges of the SABnzbd process. Exploiting the vulnerabilities requires access to the web interface. Remote exploitation is possible if users exposed their setup to the internet or other untrusted networks without setting a username/password. By default SABnzbd is only accessible from `localhost`, with no authentication required for the web interface. This issue has been patched in commits `e3a722` and `422b4f` which have been included in the 4.0.2 release. Users are advised to upgrade. Users unable to upgrade should ensure that a username and password have been set if their instance is web accessible.
CVSS Score: 8.1
EPSS Score: 0.028
Published: 2023-06-07

A privilege escalation allowing remote code execution was discovered in the orchestration service.
CVSS Score: 9.8
EPSS Score: 0.03
Published: 2023-06-07

Marval MSM through 14.19.0.12476 and 15.0 has a System account with default credentials. A remote attacker is able to log in and create a valid session. This makes it possible to make backend calls to endpoints in the application.
CVSS Score: 9.8
EPSS Score: 0.001
Published: 2023-06-07

Marval MSM through 14.19.0.12476 uses a static encryption key for secrets. An attacker that gains access to encrypted secrets can decrypt them by using this key.
CVSS Score: 5.5
EPSS Score: 0.0
Published: 2023-06-07

