Security Vulnerabilities - CVEs Published In September 2023
CVE-2023-41179
Known exploited
A vulnerability in the 3rd party AV uninstaller module contained in Trend Micro Apex One (on-prem and SaaS), Worry-Free Business Security and Worry-Free Business Security Services could allow an attacker to manipulate the module to execute arbitrary commands on an affected installation. Note that an attacker must first obtain administrative console access on the target system in order to exploit this vulnerability.
CVSS Score: 7.2
EPSS Score: 0.016
Published: 2023-09-19
Technicolor TG670 10.5.N.9 devices contain multiple accounts with hard-coded passwords. One account has administrative privileges, allowing for unrestricted access over the WAN interface if Remote Administration is enabled.
CVSS Score: 7.2
EPSS Score: 0.001
Published: 2023-09-19
Lack of device control over web requests in ekorCCP and ekorRCI, allowing an attacker to create customised requests to execute malicious actions when a user is logged in, affecting availability, privacy and integrity.
CVSS Score: 8.6
EPSS Score: 0.001
Published: 2023-09-19
SQL injection vulnerability in Arconte Áurea version 1.5.0.0. Exploitation of this vulnerability could allow an attacker to read sensitive data from the database, modify data (insert/update/delete), perform database administration operations and, in some cases, execute commands on the operating system.
CVSS Score: 8.8
EPSS Score: 0.001
Published: 2023-09-19
Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests. Attackers could potentially inject malicious content into the HTTP response that is sent to the user's browser. Users should upgrade to Apache Flink Stateful Functions version 3.3.0.
CVSS Score: 6.1
EPSS Score: 0.014
Published: 2023-09-19
Devices ekorCCP and ekorRCI are vulnerable because the FTP service is accessible with default credentials. Exploitation of this vulnerability can allow an attacker to modify critical files, which could allow the creation of new users, the deletion or modification of existing users, changes to configuration files, or the installation of rootkits or backdoors.
CVSS Score: 9.4
EPSS Score: 0.001
Published: 2023-09-19
An authenticated user can see and modify the value of the ‘next’ query parameter in Symantec Identity Portal 14.4.
CVSS Score: 5.4
EPSS Score: 0.003
Published: 2023-09-19
Operating system command injection in ekorCCP and ekorRCI, which could allow an authenticated attacker to execute commands, create new users with elevated privileges or set up a backdoor.
CVSS Score: 9.3
EPSS Score: 0.005
Published: 2023-09-19
Uncontrolled resource consumption in ekorRCI, allowing an attacker with low-privileged access to the web server to send continuous legitimate web requests to a functionality that is not properly validated, in order to cause a denial of service (DoS) on the device.
CVSS Score: 6.5
EPSS Score: 0.002
Published: 2023-09-19
Vulnerability in ekorCCP and ekorRCI that could allow an attacker with access to the network where the device is located to decrypt the credentials of privileged users, and subsequently gain access to the system to perform malicious actions.
CVSS Score: 6.1
EPSS Score: 0.0
Published: 2023-09-19