Security Vulnerabilities - CVEs Published In June 2023
The MainWP Child plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.4.1.1 due to insufficient controls on the storage of back-up files. This makes it possible for unauthenticated attackers to extract sensitive data including the entire installations database if a backup occurs and the deletion of the back-up files fail.
CVSS Score
5.9
EPSS Score
0.006
Published
2023-06-27
The User Registration plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'lock_content_form_handler' and 'display_password_form' function in versions up to, and including, 3.7.3. This makes it possible for unauthenticated attackers to decrypt and view the password protected content.
CVSS Score
5.3
EPSS Score
0.006
Published
2023-06-27
The Contour Service was not checking that users had permission to create an analysis for a given dataset. This could allow an attacker to clutter up Compass folders with extraneous analyses, that the attacker would otherwise not have permission to create.
CVSS Score
2.7
EPSS Score
0.0
Published
2023-06-27
Multiple Services such as VHS(Video History Server) and VCD(Video Clip Distributor) and Clips2 were discovered to be vulnerable to an unauthenticated arbitrary file read/write vulnerability due to missing input validation on filenames. A malicious attacker could read sensitive files from the filesystem or write/delete arbitrary files on the filesystem as well.
CVSS Score
9.8
EPSS Score
0.004
Published
2023-06-26
Affected versions Trend Micro Apex Central (on-premise) are vulnerable to potential authenticated reflected cross-site scripting (XSS) attacks due to user input validation and sanitization issues.
Please note: an attacker must first obtain authentication to Apex Central on the target system in order to exploit this vulnerability.
This is similar to, but not identical to CVE-2023-32605.
CVSS Score
5.4
EPSS Score
0.004
Published
2023-06-26
Affected versions Trend Micro Apex Central (on-premise) are vulnerable to potential authenticated reflected cross-site scripting (XSS) attacks due to user input validation and sanitization issues.
Please note: an attacker must first obtain authentication to Apex Central on the target system in order to exploit this vulnerability.
This is similar to, but not identical to CVE-2023-32604.
CVSS Score
5.4
EPSS Score
0.004
Published
2023-06-26
An untrusted search path vulnerability in the Trend Micro Apex One and Apex One as a Service security agent could allow a local attacker to escalate their privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
This is a similar, but not identical vulnerability as CVE-2023-34145.
CVSS Score
7.8
EPSS Score
0.0
Published
2023-06-26
An untrusted search path vulnerability in the Trend Micro Apex One and Apex One as a Service security agent could allow a local attacker to escalate their privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
This is a similar, but not identical vulnerability as CVE-2023-34144.
CVSS Score
7.8
EPSS Score
0.0
Published
2023-06-26
An exposed dangerous function vulnerability in the Trend Micro Apex One and Apex One as a Service security agent could allow a local attacker to escalate privileges and write an arbitrary value to specific Trend Micro agent subkeys on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
This is a similar, but not identical vulnerability as CVE-2023-34147 and CVE-2023-34148.
CVSS Score
7.8
EPSS Score
0.001
Published
2023-06-26
An exposed dangerous function vulnerability in the Trend Micro Apex One and Apex One as a Service security agent could allow a local attacker to escalate privileges and write an arbitrary value to specific Trend Micro agent subkeys on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
This is a similar, but not identical vulnerability as CVE-2023-34146 and CVE-2023-34148.
CVSS Score
7.8
EPSS Score
0.001
Published
2023-06-26