Security Vulnerabilities - CVEs Published In June 2023
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in gVectors Display Custom Fields – wpView plugin <= 1.3.0 versions.
CVSS Score
5.9
EPSS Score
0.001
Published
2023-06-19
Cross-Site Request Forgery (CSRF) vulnerability in Dylan James Zephyr Project Manager plugin <= 3.3.93 versions.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-06-19
Unauth. SQL Injection (SQLi) vulnerability in Themefic Ultimate Addons for Contact Form 7 plugin <= 3.1.23 versions.
CVSS Score
8.2
EPSS Score
0.001
Published
2023-06-19
CVE-2023-27992
The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.
Known exploited
CVSS Score
9.8
EPSS Score
0.864
Published
2023-06-19
A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones.
CVSS Score
5.9
EPSS Score
0.0
Published
2023-06-19
Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.
CVSS Score
9.8
EPSS Score
0.003
Published
2023-06-19
Memory safety bugs present in Firefox 113. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 114.
CVSS Score
9.8
EPSS Score
0.003
Published
2023-06-19
The Slider Revolution WordPress plugin through 6.6.12 does not check for valid image files upon import, leading to an arbitrary file upload which may be escalated to Remote Code Execution in some server configurations.
CVSS Score
8.8
EPSS Score
0.042
Published
2023-06-19
The QuBot WordPress plugin before 1.1.6 doesn't filter user input on chat, leading to bad code inserted on it be reflected on the user dashboard.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-06-19
The QuBot WordPress plugin before 1.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVSS Score
4.8
EPSS Score
0.001
Published
2023-06-19