Security Vulnerabilities - CVEs Published In June 2023
IBM Robotic Process Automation for Cloud Pak 21.0.1 through 21.0.7.3 and 23.0.0 through 23.0.3 is vulnerable to security misconfiguration of the Redis container which may provide elevated privileges. IBM X-Force ID: 244074.
CVSS Score
4.0
EPSS Score
0.0
Published
2023-06-27
IBM Robotic Process Automation for Cloud Pak 21.0.1 through 21.0.7.3 and 23.0.0 through 23.0.3 is vulnerable to insufficient security configuration which may allow creation of namespaces within a cluster. IBM X-Force ID: 244500.
CVSS Score
5.1
EPSS Score
0.0
Published
2023-06-27
A maliciously crafted pskernel.dll file in Autodesk products is used to trigger integer overflow vulnerabilities. Exploitation of these vulnerabilities may lead to code execution.
CVSS Score
7.8
EPSS Score
0.001
Published
2023-06-27
A maliciously crafted file consumed through pskernel.dll file could lead to memory corruption vulnerabilities. These vulnerabilities in conjunction with other vulnerabilities could lead to code execution in the context of the current process.
CVSS Score
7.8
EPSS Score
0.001
Published
2023-06-27
Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via TLS handshake or a special HTTP header, such as “ssl_client_cert”. When checking the validity of the provided client certificate, X509CredentialsAuthenticationHandler performs check that this certificate is not revoked. To do so, it fetches URLs provided in the “CRL Distribution Points” extension of the certificate, which are taken from the certificate itself and therefore can be controlled by a malicious user. If the CAS server is configured to use an LDAP server for x509 authentication with a password, for example by setting a “cas.authn.x509.ldap.ldap-url” and “cas.authn.x509.ldap.bind-credential” properties, X509CredentialsAuthenticationHandler fetches revocation URLs from the certificate, which can be LDAP urls. When making requests to this LDAP urls, Apereo CAS uses the same password as for initially configured LDAP server, which can lead to a password leak. An unauthenticated user can leak the password used to LDAP connection configured on server. This issue has been addressed in version 6.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
4.0
EPSS Score
0.003
Published
2023-06-27
A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary JavaScript code via a vulnerable delete_file parameter.
CVSS Score
5.4
EPSS Score
0.014
Published
2023-06-27
A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a crafted script to the Dtltyp and ListName parameters.
CVSS Score
5.4
EPSS Score
0.016
Published
2023-06-27
A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a vulnerable parameter GrpPath.
CVSS Score
5.4
EPSS Score
0.016
Published
2023-06-27
A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a crafted script to the Description parameter.
CVSS Score
5.4
EPSS Score
0.016
Published
2023-06-27
A Cross Site Request Forgery (CSRF) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows a remote attacker to gain privileges via a Custom CSRF exploit to create new user function in the application.
CVSS Score
6.8
EPSS Score
0.007
Published
2023-06-27