Security Vulnerabilities - CVEs Published In October 2023
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later.
CVSS Score
6.1
EPSS Score
0.005
Published
2023-10-09
gnark is a zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.9.0, for some in-circuit values, it is possible to construct two valid decomposition to bits. In addition to the canonical decomposition of `a`, for small values there exists a second decomposition for `a+r` (where `r` is the modulus the values are being reduced by). The second decomposition was possible due to overflowing the field where the values are defined. Upgrading to version 0.9.0 should fix the issue without needing to change the calls to value comparison methods.
CVSS Score
7.1
EPSS Score
0.0
Published
2023-10-09
Modification of Assumed-Immutable Data (MAID) in RDT400 in SICK APU allows an
unprivileged remote attacker to make the site unable to load necessary strings via changing file paths
using HTTP requests.
CVSS Score
6.5
EPSS Score
0.004
Published
2023-10-09
Improper Neutralization of Input During Web Page Generation (’Cross-site Scripting’) in RDT400 in SICK APU allows an unprivileged remote attacker to run arbitrary code in the clients
browser via injecting code into the website.
CVSS Score
7.1
EPSS Score
0.001
Published
2023-10-09
Cleartext Transmission of Sensitive Information in RDT400 in SICK APU allows an
unprivileged remote attacker to retrieve potentially sensitive information via intercepting network traffic
that is not encrypted.
CVSS Score
5.9
EPSS Score
0.001
Published
2023-10-09
Files or Directories Accessible to External Parties in RDT400 in SICK APU allows an
unprivileged remote attacker to download various files from the server via HTTP requests.
CVSS Score
5.3
EPSS Score
0.001
Published
2023-10-09
Insufficient Control Flow Management in RDT400 in SICK APU allows an unprivileged remote attacker to potentially enable hidden functionality via HTTP requests.
CVSS Score
5.3
EPSS Score
0.002
Published
2023-10-09
Improper Restriction of Rendered UI Layers or Frames in RDT400 in SICK APU allows an unprivileged remote attacker to potentially reveal sensitive information via tricking a user into
clicking on an actionable item using an iframe.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-10-09
Improper Access Control in SICK APU allows an unprivileged remote attacker to
download as well as upload arbitrary files via anonymous access to the FTP server.
CVSS Score
8.2
EPSS Score
0.002
Published
2023-10-09
Improper Restriction of Excessive Authentication Attempts in RDT400 in SICK APU
allows an unprivileged remote attacker to guess the password via trial-and-error as the login attempts
are not limited.
CVSS Score
7.5
EPSS Score
0.002
Published
2023-10-09