Security Vulnerabilities - CVEs Published In August 2023
In PHP Jabbers Class Scheduling System 1.0, lack of verification when changing an email address and/or password (on the Profile Page) allows remote attackers to take over accounts.
CVSS Score
9.8
EPSS Score
0.003
Published
2023-08-04
User enumeration is found in in PHPJabbers Class Scheduling System v1.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-08-04
There is a Cross Site Scripting (XSS) vulnerability in the "theme" parameter of preview.php in PHPJabbers Class Scheduling System 1.0.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-08-04
PHPJabbers Cleaning Business Software 1.0 is vulnerable to Cross Site Scripting (XSS) via the theme parameter of preview.php.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-08-04
An issue found in N-able Technologies N-central Server before 2023.4 allows a local attacker to execute arbitrary code via the monitoring function of the server.
CVSS Score
7.0
EPSS Score
0.0
Published
2023-08-04
ai-dev aitable before v0.2.2 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php.
CVSS Score
9.8
EPSS Score
0.001
Published
2023-08-04
PHPJabbers Availability Booking Calendar 5.0 is vulnerable to Incorrect Access Control due to improper input validation of password parameter.
CVSS Score
9.8
EPSS Score
0.001
Published
2023-08-04
Weak Encoding for Password vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT27 model versions 01.49.000 and prior, GT25 model versions 01.49.000 and prior, GT23 model versions 01.49.000 and prior, GT21 model versions 01.49.000 and prior, GOT SIMPLE Series GS25 model versions 01.49.000 and prior, GS21 model versions 01.49.000 and prior, GT Designer3 Version1 (GOT2000) versions 1.295H and prior and GT SoftGOT2000 versions 1.295H and prior allows a remote unauthenticated attacker to obtain plaintext passwords by sniffing packets containing encrypted passwords and decrypting the encrypted passwords, in the case of transferring data with GT Designer3 Version1(GOT2000) and GOT2000 Series or GOT SIMPLE Series with the Data Transfer Security function enabled, or in the case of transferring data by the SoftGOT-GOT link function with GT SoftGOT2000 and GOT2000 series with the Data Transfer Security function enabled.
CVSS Score
7.5
EPSS Score
0.003
Published
2023-08-04
CVE-2023-38950
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.
Known exploited
CVSS Score
7.5
EPSS Score
0.808
Published
2023-08-03
ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. Overwriting specific files may lead to arbitrary code execution as NT AUTHORITY\SYSTEM.
CVSS Score
9.8
EPSS Score
0.102
Published
2023-08-03