Security Vulnerabilities - CVEs Published In August 2023
The Wrangler command line tool (<=wrangler@3.1.0 or <=wrangler@2.20.1) was affected by a directory traversal vulnerability when running a local development server for Pages (the `wrangler pages dev` command). This vulnerability enabled an attacker on the same network as the victim to connect to the local development server and access the victim's files outside the development server's directory.
CVSS Score
5.7
EPSS Score
0.001
Published
2023-08-03
WebBoss.io CMS v3.7.0.1 contains a stored Cross-Site Scripting (XSS) vulnerability due to lack of input validation and output encoding.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-08-03
WebBoss.io CMS v3.7.0.1 contains a stored cross-site scripting (XSS) vulnerability.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-08-03
A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.
CVSS Score
6.0
EPSS Score
0.0
Published
2023-08-03
DedeCMS v5.7.109 has a File Upload vulnerability, leading to remote code execution (RCE).
CVSS Score
8.8
EPSS Score
0.066
Published
2023-08-03
A File Upload vulnerability in typecho v.1.2.1 allows a remote attacker to execute arbitrary code via the upload and options-general parameters in index.php.
CVSS Score
8.8
EPSS Score
0.088
Published
2023-08-03
The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS servers, since WARP acts as a local DNS server that performs DNS queries in a secure manner. However, if a user is connected to WARP over an IPv6-capable network, the WARP client did not assign loopback IPv6 addresses but Unique Local Addresses, which under certain conditions could point towards unknown devices in the same local network, enabling an attacker to view DNS queries made by the device.
CVSS Score
7.4
EPSS Score
0.002
Published
2023-08-03
An issue was discovered in FvbServicesRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The FvbServicesRuntimeDxe SMM module exposes an SMI handler that allows an attacker to interact with the SPI flash at run-time from the OS.
CVSS Score
6.5
EPSS Score
0.0
Published
2023-08-03
An issue was discovered in InsydeH2O. A malicious operating system can tamper with a runtime-writable EFI variable, leading to out-of-bounds memory reads and a denial of service. This is fixed in version 01.01.04.0016.
CVSS Score
7.1
EPSS Score
0.0
Published
2023-08-03
Use after free vulnerability exists in CX-Programmer Ver.9.79 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. This vulnerability is different from CVE-2023-22317 and CVE-2023-22314.
CVSS Score
7.8
EPSS Score
0.0
Published
2023-08-03