Security Vulnerabilities - CVEs Published In September 2023
An information leak in THE_B_members card v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-09-18
Persistent cross-site scripting (XSS) in the web application of MOD3GP-SY-120K allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the field MAIL_RCV. When a legitimate user attempts to access the vulnerable page of the web application, the XSS payload is executed.
CVSS Score
6.3
EPSS Score
0.001
Published
2023-09-18
An information leak in Camp Style Project Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-09-18
An information leak in Cheese Cafe Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-09-18
An attacker with access to the device, whether legitimate or obtained through cookie theft, can include malicious code (XSS) in an uploaded device configuration, which could affect the intended function of the device.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-09-18
Session management within the web application is incorrect and allows attackers to steal session cookies to perform a multitude of actions that the web app allows on the device.
CVSS Score
10.0
EPSS Score
0.001
Published
2023-09-18
Certain requests to the web application of the vulnerable device disclose information because the authentication process is not properly enforced.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-09-18
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.
CVSS Score
9.8
EPSS Score
0.935
Published
2023-09-18
Some sections of the vulnerable device's web application are loaded without input filtering, allowing an attacker to inject malicious code that is interpreted when a legitimate user opens the web section (MAIL SERVER) where the information is displayed. The injection point is the MAIL_RCV parameter; when a legitimate user reviews NOTIFICATION/MAIL SERVER, the injected code is executed.
CVSS Score
8.8
EPSS Score
0.001
Published
2023-09-18
Hard-coded credentials in Juplink RX4-1500 versions V1.0.2 through V1.0.5 allow unauthenticated attackers to log in to the web interface or telnet service as the 'user' user.
CVSS Score
6.3
EPSS Score
0.001
Published
2023-09-18
Shodan ® - All rights reserved