Security Vulnerabilities - CVEs Published In June 2023
Cloudexplorer-lite is an open source cloud software stack. Weak passwords can be easily guessed and are an easy target for brute force attacks. This can lead to an authentication system failure and compromise system security. Versions of cloudexplorer-lite prior to 1.2.0 did not enforce strong passwords. This vulnerability has been fixed in version 1.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2023-06-27
A missing authorization check in the MacOS agent configuration endpoint of the Insider Threat Management Server enables an anonymous attacker on an adjacent network to obtain sensitive information. Successful exploitation requires an attacker to first obtain a valid agent authentication token. All versions before 7.14.3 are affected.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2023-06-27
A missing authorization check in multiple URL validation endpoints of the Insider Threat Management Server enables an anonymous attacker on an adjacent network to smuggle content via DNS lookups. All versions before 7.14.3 are affected.
CVSS Score: 4.3 | EPSS Score: 0.001 | Published: 2023-06-27
Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows an anonymous user to cause a denial of service.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2023-06-27
Improper Access Control in GitHub repository plantuml/plantuml prior to 1.2023.9.
CVSS Score: 5.3 | EPSS Score: 0.001 | Published: 2023-06-27
Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.
CVSS Score: 7.2 | EPSS Score: 0.001 | Published: 2023-06-27
An insecure filesystem permission in the Insider Threat Management Agent for Windows enables local unprivileged users to disrupt agent monitoring. All versions prior to 7.14.3 are affected. Agents for MacOS, Linux and Cloud are unaffected.
CVSS Score: 5.5 | EPSS Score: 0.0 | Published: 2023-06-27
A missing authorization check in multiple SOAP endpoints of the Insider Threat Management Server enables an attacker on an adjacent network to read and write unauthorized objects. Successful exploitation requires an attacker to first obtain a valid agent authentication token. All versions before 7.14.3 are affected.
CVSS Score: 4.6 | EPSS Score: 0.001 | Published: 2023-06-27
The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting, which could be used against high-privilege users such as administrators.
CVSS Score: 6.1 | EPSS Score: 0.1 | Published: 2023-06-27
The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated user, such as a subscriber, to call them. Attacks include, but are not limited to, adding arbitrary Clinic Admin/Doctor/etc. accounts and updating the plugin's settings.
CVSS Score: 4.3 | EPSS Score: 0.001 | Published: 2023-06-27
Shodan ® - All rights reserved