Security Vulnerabilities - CVEs Published In August 2023
A vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance.
This vulnerability is due to insufficient request validation when using the REST API feature. An attacker could exploit this vulnerability by sending a crafted API request to an affected vManage instance. A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance. This vulnerability only affects the REST API and does not affect the web-based management interface or the CLI.
CVSS Score
9.1
EPSS Score
0.002
Published
2023-08-03
A vulnerability in the scanning engines of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass a configured rule, allowing traffic onto a network that should have been blocked.
This vulnerability is due to improper detection of malicious traffic when the traffic is encoded with a specific content format. An attacker could exploit this vulnerability by using an affected device to connect to a malicious server and receiving crafted HTTP responses. A successful exploit could allow the attacker to bypass an explicit block rule and receive traffic that should have been rejected by the device.
CVSS Score
5.8
EPSS Score
0.001
Published
2023-08-03
A vulnerability in the privilege management functionality of all Cisco BroadWorks server types could allow an authenticated, local attacker to elevate privileges to root on an affected system.
This vulnerability is due to incorrect implementation of user role permissions. An attacker could exploit this vulnerability by authenticating to the application as a user with the BWORKS or BWSUPERADMIN role and issuing crafted commands on an affected system. A successful exploit could allow the attacker to execute commands beyond the sphere of their intended access level, including initiating installs or running operating system commands with elevated permissions.
There are workarounds that address this vulnerability.
CVSS Score
4.4
EPSS Score
0.0
Published
2023-08-03
A vulnerability in web-based management interface of Cisco SPA500 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to to modify a web page in the context of a user's browser.
This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to alter the contents of a web page to redirect the user to potentially malicious websites, or the attacker could use this vulnerability to conduct further client-side attacks.
Cisco will not release software updates that address this vulnerability.
{{value}} ["%7b%7bvalue%7d%7d"])}]]
CVSS Score
5.8
EPSS Score
0.001
Published
2023-08-03
The foundry campaigns service was found to be vulnerable to an unauthenticated information disclosure in a rest endpoint
CVSS Score
6.5
EPSS Score
0.001
Published
2023-08-03
The Foundry Magritte plugin rest-source was found to be vulnerable to an an XML external Entity attack (XXE).
CVSS Score
6.3
EPSS Score
0.001
Published
2023-08-03
A vulnerability in the web-based management interface of Cisco Small Business SPA500 Series IP Phones could allow an unauthenticated, remote attacker to conduct XSS attacks. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-08-03
ai-dev aioptimizedcombinations before v0.1.3 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php.
CVSS Score
9.8
EPSS Score
0.001
Published
2023-08-03
emlog v2.1.9 was discovered to contain a SQL injection vulnerability via the component /admin/user.php.
CVSS Score
7.2
EPSS Score
0.017
Published
2023-08-03
A local user could edit the VideoEdge configuration file and interfere with VideoEdge operation.
CVSS Score
7.1
EPSS Score
0.0
Published
2023-08-03