Security Vulnerabilities - CVEs Published In August 2023
If certain App Transport Security (ATS) settings are set in a certain manner, insecure loading of web content can be achieved.
CVSS Score
3.5
EPSS Score
0.002
Published
2023-08-11
A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action.
CVSS Score
7.2
EPSS Score
0.001
Published
2023-08-11
An NTLM Hash Disclosure was discovered in ArchiMate Archi before 5.1.0. When parsing the XMLNS value of an ArchiMate project file, if the namespace does not match the expected ArchiMate URL, the parser will access the provided resource. If the provided resource is a UNC path pointing to a share server that does not accept a guest account, the host will try to authenticate on the share by using the current user's session. NOTE: this issue occurs because Archi uses an unsafe configuration of the Eclipse Modeling Framework.
CVSS Score
6.5
EPSS Score
0.002
Published
2023-08-10
Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.
CVSS Score
6.1
EPSS Score
0.069
Published
2023-08-10
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
CVSS Score
7.2
EPSS Score
0.0
Published
2023-08-10
MISP 2.4.174 allows XSS in app/View/Events/index.ctp.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-08-10
An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution.
Thanks to a Researcher at Tenable for finding and reporting.
Fixed in version 6.4.1.
CVSS Score
8.8
EPSS Score
0.919
Published
2023-08-10
A previously generated artifact by an administrator could be accessed by an attacker. The contents of this artifact could lead to authentication bypass. Fixed in version 6.4.1.
CVSS Score
7.1
EPSS Score
0.001
Published
2023-08-10
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1.
CVSS Score
6.8
EPSS Score
0.273
Published
2023-08-10
An unauthenticated attacker could achieve the code execution through a RemoteControl server.
CVSS Score
8.8
EPSS Score
0.925
Published
2023-08-10