Security Vulnerabilities - CVEs Published In October 2023
Cross-Site Request Forgery (CSRF) vulnerability in the theDotstore Banner Management For WooCommerce plugin, versions <= 2.4.2.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-10-03
Information exposure vulnerability in IBERMATICA RPS 2019, whose exploitation could allow an unauthenticated user to retrieve sensitive information such as usernames, IP addresses or SQL queries sent to the application. Accessing the URL /RPS2019Service/status.html enables the logging mechanism, generating a log file that can then be downloaded.
CVSS Score
8.2
EPSS Score
0.001
Published
2023-10-03
A Cryptographic Issue vulnerability has been found in IBERMATICA RPS, affecting version 2019. By first downloading the log file, an attacker can retrieve the SQL query sent to the application in plain text. This log file contains the password hashes encrypted with AES-128-CBC, which can be decrypted with a .NET function, yielding the user's password in plain text.
CVSS Score
8.2
EPSS Score
0.0
Published
2023-10-03
Cross-Site Request Forgery (CSRF) vulnerability in the eMarket Design YouTube Video Gallery by YouTube Showcase plugin, versions <= 3.3.5.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-10-03
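Both CSRF entries above (the Banner Management and YouTube Showcase plugins) describe the same defect: an admin action handler that acts on any POST arriving with the victim's cookies. The following is an added example, not code from either plugin or from WordPress; it uses a constructed in-memory session and a hypothetical "save banner" handler to show the unchecked version beside a synchronizer-token check (the role WordPress nonces play in real plugins).

```python
import hmac
import secrets


class Session:
    """Constructed stand-in for a logged-in admin session (not the plugins' code)."""

    def __init__(self):
        # One unpredictable token per session, embedded in the plugin's own forms.
        self.csrf_token = secrets.token_hex(32)
        self.banners = {}


def vulnerable_save_banner(session, form):
    """Handler with no anti-CSRF check: a form auto-submitted from an attacker's
    page arrives with the admin's cookies and is treated like the admin's own
    submission, so the attacker chooses the banner URL."""
    session.banners[form["banner_id"]] = form["url"]
    return True


def hardened_save_banner(session, form):
    """Synchronizer-token check: the POST must carry the token issued to this
    session. An attacker's page cannot read it (same-origin policy), so it
    cannot forge a request that passes. The comparison is constant-time."""
    supplied = form.get("_csrf", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False
    session.banners[form["banner_id"]] = form["url"]
    return True


def demo():
    """Replays a constructed cross-site POST against both handlers."""
    session = Session()
    # What an attacker-controlled page can submit: fields it picks, but no token.
    cross_site_post = {"banner_id": "front", "url": "https://attacker.example/ad.png"}
    # What the plugin's own form submits: same fields plus the session token.
    legitimate_post = dict(cross_site_post, _csrf=session.csrf_token,
                           url="https://shop.example/sale.png")
    return {
        "vulnerable_accepts_forgery": vulnerable_save_banner(session, cross_site_post),
        "hardened_accepts_forgery": hardened_save_banner(session, cross_site_post),
        "hardened_accepts_legitimate": hardened_save_banner(session, legitimate_post),
    }


if __name__ == "__main__":
    print(demo())
```

The token must be tied to the session and unreadable cross-origin; a SameSite cookie attribute reduces exposure further but does not replace the per-request check.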
JFrog Artifactory prior to version 7.66.0 is vulnerable to abuse of a specific endpoint with a specially crafted payload, which allows unauthenticated users to send emails with a manipulated email body.
CVSS Score
6.5
EPSS Score
0.003
Published
2023-10-03
Improper Access Control in GitHub repository salesagility/suitecrm prior to 7.14.1.
CVSS Score
8.1
EPSS Score
0.001
Published
2023-10-03
Authorization bypass vulnerability in BuddyBoss version 2.2.9, the exploitation of which could allow an authenticated user to access and rename other users' albums. The vulnerability is exploited by changing the album identifier (id) in the request.
CVSS Score
5.4
EPSS Score
0.0
Published
2023-10-03
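The album-rename entry above is an object-level authorization failure: the handler trusts the album id supplied by the request and never checks who owns that album. The following is an added example, not BuddyBoss code; it uses a constructed in-memory album store and hypothetical rename handlers to contrast the missing check with an ownership check that also avoids leaking whether an id exists.

```python
class Forbidden(Exception):
    """Raised when the caller may not act on the requested album."""


def make_albums():
    """Constructed album store keyed by id, standing in for the real database."""
    return {
        1: {"owner": "alice", "title": "Holiday"},
        2: {"owner": "bob", "title": "Family"},
    }


def vulnerable_rename_album(albums, current_user, album_id, new_title):
    """Checks only that the caller is logged in and that the album exists.
    The id comes straight from the request, so any authenticated user can
    rename any album simply by changing it."""
    if current_user is None:
        raise Forbidden("login required")
    album = albums[album_id]
    album["title"] = new_title
    return album["title"]


def hardened_rename_album(albums, current_user, album_id, new_title):
    """Object-level authorization: the album must exist AND belong to the
    caller. Missing and not-owned albums produce the same error so the id
    space cannot be enumerated through differing responses."""
    if current_user is None:
        raise Forbidden("login required")
    album = albums.get(album_id)
    if album is None or album["owner"] != current_user:
        raise Forbidden("album not found")
    album["title"] = new_title
    return album["title"]


def rename_result(handler, albums, current_user, album_id, new_title):
    """Run a handler and report the new title, or None if it refused."""
    try:
        return handler(albums, current_user, album_id, new_title)
    except Forbidden:
        return None


if __name__ == "__main__":
    store = make_albums()
    # bob tampers with the id to hit alice's album (id 1)
    print("vulnerable:", rename_result(vulnerable_rename_album, store, "bob", 1, "pwned"))
    store = make_albums()
    print("hardened:  ", rename_result(hardened_rename_album, store, "bob", 1, "pwned"))
```

The ownership check belongs in the same place the object is loaded, so no code path can fetch by id and skip it.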
Cross-Site Scripting vulnerability in BuddyBoss version 2.2.9, which could allow a local attacker with basic privileges to execute a malicious payload through the "[name]=image.jpg" parameter, storing a persistent JavaScript payload that is triggered when the associated image is loaded.
CVSS Score
9.0
EPSS Score
0.002
Published
2023-10-03
A stored XSS vulnerability has been found in BuddyBoss Platform, affecting version 2.2.9. It allows an attacker to store a malicious JavaScript payload via a POST request when sending an invitation.
CVSS Score
6.3
EPSS Score
0.002
Published
2023-10-03
Cross-Site Scripting (XSS) vulnerability in NXLog Manager 5.6.5633 version. This vulnerability allows an attacker to inject a malicious JavaScript payload into the 'Full Name' field during a user edit, due to improper sanitization of the input parameter.
CVSS Score
4.6
EPSS Score
0.001
Published
2023-10-03
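The three stored-XSS entries above (the BuddyBoss image-name parameter, the BuddyBoss invitation, and the NXLog Manager 'Full Name' field) share one root cause: user-supplied strings are written into HTML without escaping for the context they land in. The following is an added example, not code from BuddyBoss or NXLog; it uses a hypothetical profile-rendering function to show an unescaped template beside one that escapes at output time and allow-lists the uploaded file name, and it checks the result the way a browser's parser would see it rather than by string matching.

```python
import html
import re
from html.parser import HTMLParser

# Allow-list for uploaded image names: no quotes, angle brackets or path
# separators can get through, so the name is safe inside a URL path segment.
IMAGE_NAME = re.compile(r"[A-Za-z0-9_-]+\.(?:jpe?g|png|gif)")


def accept_image_name(name):
    """Validate an uploaded file name against the allow-list."""
    return IMAGE_NAME.fullmatch(name) is not None


def render_profile_vulnerable(full_name, image_name):
    """Interpolates user input into HTML unescaped: the name lands in a text
    node and the file name in attribute values, all attacker-controlled."""
    return (f'<p class="name">{full_name}</p>'
            f'<img src="/uploads/{image_name}" alt="{image_name}">')


def render_profile_hardened(full_name, image_name):
    """Escapes for the HTML context at output time; quote=True also escapes
    the " and ' that would otherwise break out of an attribute value."""
    name = html.escape(full_name, quote=True)
    img = html.escape(image_name, quote=True)
    return (f'<p class="name">{name}</p>'
            f'<img src="/uploads/{img}" alt="{img}">')


class _TagAudit(HTMLParser):
    """Collects tag and attribute names as a browser's parser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def executes_injected_js(markup):
    """True if the markup parses to a <script> element or any on* event-handler
    attribute, i.e. the payload became live code rather than inert text."""
    audit = _TagAudit()
    audit.feed(markup)
    audit.close()
    return "script" in audit.tags or any(n.startswith("on") for n in audit.attr_names)


if __name__ == "__main__":
    # Constructed payloads: one for the text context, one for the attribute context.
    name_payload = "<script>alert(document.cookie)</script>"
    file_payload = 'image.jpg" onerror="alert(1)'
    print("vulnerable:", executes_injected_js(render_profile_vulnerable(name_payload, file_payload)))
    print("hardened:  ", executes_injected_js(render_profile_hardened(name_payload, file_payload)))
    print("upload accepted:", accept_image_name(file_payload))
```

Escaping is context-specific: html.escape is correct for text nodes and quoted attribute values, but a value placed inside a JavaScript block or an unquoted attribute needs a different encoder, and a file name should be rejected at upload time as well as escaped on output.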
Shodan ® - All rights reserved