Security Vulnerabilities - CVEs Published In September 2023
An out-of-bounds write vulnerability exists in the allocate_buffer_for_jpeg_decoding functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
CVSS Score
9.8
EPSS Score
0.002
Published
2023-09-25
TOTOLINK A3700R V9.1.2u.6134_B20201202 and N600R V5.3c.5137 are vulnerable to Incorrect Access Control.
CVSS Score
9.8
EPSS Score
0.001
Published
2023-09-25
Cross-Site Scripting (XSS) vulnerability in cmsmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload injected into the Database Name, DataBase User or Database Port components.
CVSS Score
6.1
EPSS Score
0.002
Published
2023-09-25
Directory Traversal vulnerability in itechyou dreamer CMS v.4.1.3 allows a remote attacker to execute arbitrary code via the themePath in the uploaded template function.
CVSS Score
8.8
EPSS Score
0.027
Published
2023-09-25
The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVSS Score
6.1
EPSS Score
0.034
Published
2023-09-25
The Prevent files / folders access WordPress plugin before 2.5.2 does not validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP on the server.
CVSS Score
7.2
EPSS Score
0.151
Published
2023-09-25
This Activity Log WordPress plugin before 2.8.8 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.
CVSS Score
5.3
EPSS Score
0.017
Published
2023-09-25
Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog.
This issue affects Docker Desktop: before 4.12.0.
CVSS Score
8.0
EPSS Score
0.004
Published
2023-09-25
Docker Desktop before 4.12.0 is vulnerable to RCE via query parameters in message-box route.
This issue affects Docker Desktop: before 4.12.0.
CVSS Score
8.0
EPSS Score
0.004
Published
2023-09-25
Docker Desktop 4.11.x allows --no-windows-containers flag bypass via IPC response spoofing which may lead to Local Privilege Escalation (LPE).This issue affects Docker Desktop: 4.11.X.
CVSS Score
6.7
EPSS Score
0.0
Published
2023-09-25