Security Vulnerabilities - CVEs Published In August 2023
Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints.
CVSS Score
7.5
EPSS Score
0.17
Published
2023-08-03
A Persistent XSS vulnerability can be carried out in a certain field of Unica Campaign. An attacker could hijack a user's session and perform other attacks.
CVSS Score
8.1
EPSS Score
0.003
Published
2023-08-03
An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to arbitrarily reset the Administrator password via a crafted web request.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-08-03
A security defect was discovered in Foundry Issues that enabled users to create convincing phishing links by editing the request sent when creating an Issue. This defect was resolved in Frontend release 6.228.0 .
CVSS Score
5.0
EPSS Score
0.001
Published
2023-08-03
A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed.
This defect was resolved with the release of Foundry Frontend 6.225.0.
CVSS Score
4.7
EPSS Score
0.001
Published
2023-08-03
The Unica application exposes an API which accepts arbitrary XML input. By manipulating the given XML, an authenticated attacker with certain rights can successfully perform XML External Entity attacks (XXE) against the backend service.
CVSS Score
8.1
EPSS Score
0.001
Published
2023-08-03
A user is capable of assigning him/herself to arbitrary groups by reusing a POST request issued by an administrator. It is possible that an attacker could potentially escalate their privileges.
CVSS Score
8.1
EPSS Score
0.003
Published
2023-08-03
A Persistent Cross-site Scripting (XSS) vulnerability can be carried out in a certain field of the Unica Platform. An attacker could hijack a user's session and perform other attacks.
CVSS Score
8.1
EPSS Score
0.005
Published
2023-08-03
A Persistent Cross-site Scripting (XSS) vulnerability can be carried out on certain pages of Unica Platform. An attacker could hijack a user's session and perform other attacks.
CVSS Score
8.1
EPSS Score
0.005
Published
2023-08-03
A vulnerability in the web-based management interface of Cisco BroadWorks CommPilot Application Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-08-03