Security Vulnerabilities - CVEs Published In June 2023
Shescape is a simple shell escape library for JavaScript. An attacker may be able to get read-only access to environment variables. This bug has been patched in version 1.7.1.
CVSS Score
3.1
EPSS Score
0.003
Published
2023-06-23
A Cross-Site Request Forgery (CSRF) in POS Codekop v2.0 allows attackers to escalate privileges.
CVSS Score
8.8
EPSS Score
0.004
Published
2023-06-23
POS Codekop v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the nm_member parameter at print.php.
CVSS Score
6.1
EPSS Score
0.062
Published
2023-06-23
POS Codekop v2.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the filename parameter.
CVSS Score
8.8
EPSS Score
0.042
Published
2023-06-23
A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.
CVSS Score
4.4
EPSS Score
0.0
Published
2023-06-23
A maliciously crafted DLL file can be forced to write beyond allocated boundaries in the Autodesk installer when parsing the DLL files and could lead to a Privilege Escalation vulnerability.
CVSS Score
7.8
EPSS Score
0.001
Published
2023-06-23
Improper Access Control leads to adding a high-privilege user affecting Elenos ETG150 FM transmitter running on version 3.12 by exploiting user's role within the admin profile. An attack could occur over the public Internet in some cases.
CVSS Score
8.8
EPSS Score
0.001
Published
2023-06-23
Elenos ETG150 FM transmitter running on version 3.12 was discovered to be leaking SMTP credentials and other sensitive information by exploiting the publicly accessible Memcached service. The attack can occur over the public Internet in some cases.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-06-23
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). For instance, the following URL execute an `alter` on the browser: `<xwiki-host>/xwiki/bin/view/Main/?viewer=share&send=1&target=&target=%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Crenniepak%40intigriti.me%3E&includeDocument=inline&message=I+wanted+to+share+this+page+with+you.`, where `<xwiki-host>` is the URL of your XWiki installation. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8.
CVSS Score
8.8
EPSS Score
0.341
Published
2023-06-23
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the delete template to perform a XSS, e.g. by using URL such as: > xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 6.0-rc-1. The vulnerability has been patched in XWiki 14.10.6 and 15.1. Note that a partial patch has been provided in 14.10.5 but wasn't enough to entirely fix the vulnerability.
CVSS Score
9.6
EPSS Score
0.093
Published
2023-06-23