Security Vulnerabilities - CVEs Published In October 2023
Cross Site Scripting (XSS) vulnerability in Geeklog-Core geeklog v.2.2.2 allows a remote attacker to execute arbitrary code via a crafted payload to the grp_desc parameter of the admin/group.php component.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2023-10-24
Cross Site Scripting (XSS) vulnerability in Geeklog-Core geeklog v.2.2.2 allows a remote attacker to execute arbitrary code via a crafted payload to the Service, and website URL to Ping parameters of the admin/trackback.php component.
CVSS Score: 4.8 | EPSS Score: 0.001 | Published: 2023-10-24
carRental 1.0 is vulnerable to Incorrect Access Control (Arbitrary File Read on the Back-end System).
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2023-10-23
Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the News Menu component.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2023-10-23
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. NOTE: the vendor disputes this because these header/footer changes can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature. Also, the exploitation method claimed by "sromanhu" does not provide any access to a Concrete CMS session, because the Concrete CMS session cookie is configured as HttpOnly.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2023-10-23
kodbox 1.44 is vulnerable to Cross Site Scripting (XSS). Customizing global HTML results in stored XSS.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2023-10-23
The reference count changes made as part of the CVE-2023-33951 and CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory objects were handled when they were being used to store a surface. When running inside a VMware guest with 3D acceleration enabled, a local, unprivileged user could potentially use this flaw to escalate their privileges.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2023-10-23
DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass authentication.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2023-10-23
UVDesk Community Skeleton v1.1.1 allows unauthenticated attackers to perform brute force attacks on the login page to gain access to the application.
CVSS Score: 9.8 | EPSS Score: 0.088 | Published: 2023-10-23
A stored cross-site scripting (XSS) vulnerability in UVDesk Community Skeleton v1.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Message field when creating a ticket.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2023-10-23
Shodan ® - All rights reserved