Security Vulnerabilities - CVEs Published In September 2023
Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotation. The Disable Peer Verification property of InvokeHTTP was effectively flipped, disabling verification by default, when using HTTPS.
Mitigation: Set the Disable Peer Verification property of InvokeHTTP to true when using MiNiFi C++ versions 0.13.0 or 0.14.0. Upgrading to MiNiFi C++ 0.15.0 corrects the default behavior.
CVSS Score
5.9
EPSS Score
0.001
Published
2023-09-03
StarTrinity Softswitch version 2023-02-16 - Multiple CSRF (CWE-352)
CVSS Score
8.1
EPSS Score
0.001
Published
2023-09-03
A Hyundai model (2017) - CWE-294: Authentication Bypass by Capture-replay.
CVSS Score
7.4
EPSS Score
0.0
Published
2023-09-03
ForeScout NAC SecureConnector version 11.2 - CWE-427: Uncontrolled Search Path Element
CVSS Score
7.8
EPSS Score
0.001
Published
2023-09-03
Proscend Advice ICR Series routers FW version 1.76 - CWE-1392: Use of Default Credentials
CVSS Score
10.0
EPSS Score
0.001
Published
2023-09-03
StarTrinity Softswitch version 2023-02-16 - Multiple Reflected XSS (CWE-79)
CVSS Score
8.8
EPSS Score
0.001
Published
2023-09-03
StarTrinity Softswitch version 2023-02-16 - Persistent XSS (CWE-79)
CVSS Score
8.8
EPSS Score
0.001
Published
2023-09-03
StarTrinity Softswitch version 2023-02-16 - Open Redirect (CWE-601)
CVSS Score
8.8
EPSS Score
0.001
Published
2023-09-03
Farsight Tech Nordic AB ProVide version 14.5 - Multiple XSS vulnerabilities (CWE-79) can be exploited by a user with administrator privilege.
CVSS Score
4.8
EPSS Score
0.001
Published
2023-09-03
7Twenty BOT - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
CVSS Score
8.8
EPSS Score
0.001
Published
2023-09-03