Security Vulnerabilities - CVEs Published In July 2023
An authenticated attacker is able to create alerts that trigger a stored XSS attack.
POC
* go to the alert manager
* open the ITSM tab
* add a webhook with the URL/service token value
' -h && id | tee /tmp/ttttttddddssss #' (whitespaces are tab characters)
* click add
* click apply
* create a test alert
* The test alert will run the command
“id | tee /tmp/ttttttddddssss” as root.
* after the test alert inspect
/tmp/ttttttddddssss it'll contain the ids of the root user.
CVSS Score
9.1
EPSS Score
0.001
Published
2023-07-10
SmartSoft SmartBPM.NET has a vulnerability of using hard-coded machine key. An unauthenticated remote attacker can use the machine key to send serialized payload to the server to execute arbitrary code and disrupt service.
CVSS Score
9.8
EPSS Score
0.026
Published
2023-07-10
SmartBPM.NET has a vulnerability of using hard-coded authentication key. An unauthenticated remote attacker can exploit this vulnerability to access system with regular user privilege to read application data, and execute submission and approval processes.
CVSS Score
9.1
EPSS Score
0.003
Published
2023-07-10
SmartBPM.NET component has a vulnerability of path traversal within its file download function. An unauthenticated remote attacker can exploit this vulnerability to access arbitrary system files.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-07-10
Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
CVSS Score
7.6
EPSS Score
0.002
Published
2023-07-08
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
CVSS Score
5.3
EPSS Score
0.005
Published
2023-07-08
Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
CVSS Score
9.1
EPSS Score
0.002
Published
2023-07-08
A Cross-Site Scripting (XSS) vulnerability found in UniFi Network (Version 7.3.83 and earlier) allows a malicious actor with Site Administrator credentials to escalate privileges by persuading an Administrator to visit a malicious web page.
CVSS Score
4.8
EPSS Score
0.003
Published
2023-07-08
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting (XSS) attack. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would already have extensive access and control within the system. Additionally, to execute the XSS, the attacker would need to convince the victim to directly visit the URL of the maliciously uploaded SVG, and the application would have to be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN. This is because all SVGs in Winter CMS are rendered through an `img` tag, which prevents any payloads from being executed directly. These two factors significantly limit the potential harm of this vulnerability. This issue has been patched in v1.2.3 through the inclusion of full support for SVG uploads and automatic sanitization of uploaded SVG files. As a workaround, one may apply the patches manually.
CVSS Score
2.0
EPSS Score
0.009
Published
2023-07-07
Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be log in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately.
CVSS Score
7.6
EPSS Score
0.592
Published
2023-07-07