Security Vulnerabilities - CVEs Published In September 2023
An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability allows remote authenticated users to execute commands via susceptible QNAP devices.
We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2376 build 20230421 and later
QTS 4.5.4.2374 build 20230416 and later
QuTS hero h5.0.1.2376 build 20230421 and later
QuTS hero h4.5.4.2374 build 20230417 and later
QuTScloud c5.0.1.2374 and later
CVSS Score
8.8
EPSS Score
0.004
Published
2023-09-22
A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.
CVSS Score
7.5
EPSS Score
0.252
Published
2023-09-22
FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download.
CVSS Score
7.5
EPSS Score
0.099
Published
2023-09-22
FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin.
CVSS Score
9.8
EPSS Score
0.599
Published
2023-09-22
FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log
CVSS Score
7.5
EPSS Score
0.309
Published
2023-09-22
Delta Electronics DIAScreen may write past the end of an allocated
buffer while parsing a specially crafted input file. This could allow an
attacker to execute code in the context of the current process.
CVSS Score
7.8
EPSS Score
0.0
Published
2023-09-21
D-LINK DIR-806 1200M11AC wireless router DIR806A1_FW100CNb11 is vulnerable to command injection due to lax filtering of HTTP_ST parameters.
CVSS Score
9.8
EPSS Score
0.011
Published
2023-09-21
Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.
CVSS Score
7.0
EPSS Score
0.0
Published
2023-09-21
A reflected cross-site scripting (XSS) vulnerability in the Search Student function of Student Management System v1.2.3 and before allows attackers to execute arbitrary Javascript in the context of a victim user's browser via a crafted payload.
CVSS Score
4.8
EPSS Score
0.001
Published
2023-09-21
A stored cross-site scripting (XSS) vulnerability in the Add Animal Details function of Zoo Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description of Animal parameter.
CVSS Score
4.8
EPSS Score
0.001
Published
2023-09-21