Security Vulnerabilities - CVEs Published In November 2023
A CWE-79 Improper Neutralization of Input During Web Page Generation vulnerability
exists that could cause compromise of a user’s browser when an attacker with admin privileges
has modified system values.
CVSS Score
4.8
EPSS Score
0.001
Published
2023-11-15
A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an openredirect vulnerability leading to a cross site scripting attack. By providing a URL-encoded input
attackers can cause the software’s web application to redirect to the chosen domain after a
successful login is performed.
CVSS Score
8.2
EPSS Score
0.002
Published
2023-11-15
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
vulnerability that could cause a vulnerability leading to a cross site scripting condition where
attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing
the injected payload.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-11-15
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulnerability exists that could cause a file system enumeration and file download when an
attacker navigates to the Network Management Card via HTTPS.
CVSS Score
5.3
EPSS Score
0.002
Published
2023-11-15
An improper access control vulnerability exists in RT-AC87U all versions. An attacker may read or write files that are not intended to be accessed by connecting to a target device via tftp.
CVSS Score
9.1
EPSS Score
0.001
Published
2023-11-15
ETS Soft ybc_blog before v4.4.0 was discovered to contain a SQL injection vulnerability via the component Ybc_blogBlogModuleFrontController::getPosts().
CVSS Score
9.8
EPSS Score
0.001
Published
2023-11-15
In the module "Newsletter Popup PRO with Voucher/Coupon code" (newsletterpop) before version 2.6.1 from Active Design for PrestaShop, a guest can perform SQL injection in affected versions. The method `NewsletterpopsendVerificationModuleFrontController::checkEmailSubscription()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.
CVSS Score
9.8
EPSS Score
0.001
Published
2023-11-15
Nukium nkmgls before version 3.0.2 is vulnerable to Cross Site Scripting (XSS) via NkmGlsCheckoutModuleFrontController::displayAjaxSavePhoneMobile.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-11-15
Link following in Zoom Rooms for macOS before version 5.16.0 may allow an authenticated user to conduct an escalation of privilege via local access.
CVSS Score
7.8
EPSS Score
0.001
Published
2023-11-15
Improper privilege management in Zoom Rooms for macOS before version 5.16.0 may allow an authenticated user to conduct an escalation of privilege via local access.
CVSS Score
7.8
EPSS Score
0.001
Published
2023-11-15