Security Vulnerabilities - CVEs Published In June 2023
File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file.
CVSS Score: 7.2 | EPSS Score: 0.01 | Published: 2023-06-20
Cross Site Scripting vulnerability in zrlog zrlog v.2.1.3 allows a remote attacker to execute arbitrary code via the nickame parameter of the /post/addComment function.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2023-06-20
Cross Site Scripting vulnerability in Typora v.0.9.79 allows a remote attacker to execute arbitrary code via the mermaid syntax.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2023-06-20
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Flothemes Flo Forms – Easy Drag & Drop Form Builder plugin <= 1.0.40 versions.
CVSS Score: 5.9 | EPSS Score: 0.001 | Published: 2023-06-20
Craft CMS through 4.4.9 is vulnerable to HTML Injection.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2023-06-20
A vulnerability in Aeotec WallMote Switch firmware v2.3 allows attackers to cause a Denial of Service (DoS) via a crafted Z-Wave message.
CVSS Score: 6.5 | EPSS Score: 0.0 | Published: 2023-06-20
A vulnerability in Fibaro Motion Sensor firmware v3.4 allows attackers to cause a Denial of Service (DoS) via a crafted Z-Wave message.
CVSS Score: 6.5 | EPSS Score: 0.0 | Published: 2023-06-20
There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an out-of-memory error in the VP8 encoder; the pointer is still assigned to trial, and the AddressSanitizer will attempt a double free.
CVSS Score: 5.3 | EPSS Score: 0.004 | Published: 2023-06-20
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."
CVSS Score: 9.8 | EPSS Score: 0.04 | Published: 2023-06-20
A vulnerability was found in PuneethReddyHC Online Shopping System Advanced 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/reg.php of the component Admin Registration. The manipulation leads to improper authentication. The attack can be launched remotely. The identifier VDB-232009 was assigned to this vulnerability.
CVSS Score: 7.3 | EPSS Score: 0.001 | Published: 2023-06-20