Security Vulnerabilities - CVEs Published In July 2023
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. An attacker can craft JSON input that uses very large numbers (such as 1e20000000), which Apache Johnzon will deserialize into BigDecimal; handling numbers this large may result in a slow conversion (denial-of-service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) on the BigDecimal. This issue affects Apache Johnzon: through 1.2.20.
CVSS Score
5.3
EPSS Score
0.001
Published
2023-07-07
Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed hawk2 package allows users with access to the hacluster to escalate to root. This issue affects openSUSE Tumbleweed.
CVSS Score
7.8
EPSS Score
0.0
Published
2023-07-07
IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security, caused by the improper encoding in a local configuration file. IBM X-Force ID: 258637.
CVSS Score
5.1
EPSS Score
0.0
Published
2023-07-07
Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to 0.70.1.
CVSS Score
8.5
EPSS Score
0.001
Published
2023-07-07
Memory management and protection issues in Bitcoin Core v22 allow attackers to modify the stored sending address within the app's memory, potentially allowing them to redirect Bitcoin transactions to wallets of their own choosing.
CVSS Score
7.5
EPSS Score
0.0
Published
2023-07-07
PiiGAB M-Bus does not validate identification strings before processing, which could make it vulnerable to cross-site scripting attacks.
CVSS Score
8.0
EPSS Score
0.001
Published
2023-07-07
PiiGAB M-Bus stores passwords using a weak hash algorithm.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-07-07
There are no requirements for setting a complex password for PiiGAB M-Bus, which could contribute to a successful brute force attack if the password is in line with recommended password guidelines.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-07-07
PiiGAB M-Bus is vulnerable to cross-site request forgery. An attacker who wants to execute a certain command could send a phishing mail to the owner of the device and hope that the owner clicks on the link. If the owner of the device has a cookie stored that allows the owner to be logged in, then the device could execute the GET or POST link request.
CVSS Score
8.8
EPSS Score
0.001
Published
2023-07-07
PiiGAB M-Bus stores credentials in a plaintext file, which could allow a low-level user to gain admin credentials.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-07-07

