Security Vulnerabilities - CVEs Published In August 2023
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2023-08-20
Missing Authorization in GitHub repository hamza417/inure prior to build88.
CVSS Score: 5.1 | EPSS Score: 0.0 | Published: 2023-08-20
Improper Input Validation in GitHub repository hamza417/inure prior to build88.
CVSS Score: 7.7 | EPSS Score: 0.001 | Published: 2023-08-20
Veilid before 0.1.9 does not check the size of uncompressed data during decompression upon an envelope receipt, which allows remote attackers to cause a denial of service (out-of-memory abort) via crafted packet data, as exploited in the wild in August 2023.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2023-08-20
Improper path handling in Typora before 1.7.0-dev on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/typemark/". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and pastes it into Typora.
CVSS Score: 6.3 | EPSS Score: 0.001 | Published: 2023-08-19
Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and pastes it into Typora.
CVSS Score: 7.4 | EPSS Score: 0.003 | Published: 2023-08-19
DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows and Linux allows a crafted markdown file to run arbitrary JavaScript code in the context of the Typora main window by loading typora://app/typemark/updater/update.html in an <embed> tag. This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and pastes it into Typora.
CVSS Score: 8.6 | EPSS Score: 0.493 | Published: 2023-08-19
DOM-based XSS in src/muya/lib/contentState/pasteCtrl.js in MarkText 0.17.1 and before on Windows, Linux and macOS allows arbitrary JavaScript code to run in the context of the MarkText main window. This vulnerability can be exploited if a user copies text from a malicious webpage and pastes it into MarkText.
CVSS Score: 8.6 | EPSS Score: 0.001 | Published: 2023-08-19
Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies text from a malicious webpage and pastes it into Obsidian.
CVSS Score: 8.2 | EPSS Score: 0.001 | Published: 2023-08-19
Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.
CVSS Score: 8.3 | EPSS Score: 0.003 | Published: 2023-08-19

