Security Vulnerabilities - CVEs Published In November 2023
Incorrect access control in the AdHoc User creation form of EMSigner v2.8.7 allows unauthenticated attackers to arbitrarily modify usernames and privileges by using the email address of a registered user.
CVSS Score
5.9
EPSS Score
0.002
Published
2023-11-14
Incorrect access control in the Forgot Your Password function of EMSigner v2.8.7 allows unauthenticated attackers to access accounts of all registered users, including those with administrator privileges via a crafted password reset token.
CVSS Score
9.8
EPSS Score
0.003
Published
2023-11-14
Optimizely CMS UI before v12.16.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Admin panel.
CVSS Score
4.8
EPSS Score
0.001
Published
2023-11-14
Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.
CVSS Score
5.4
EPSS Score
0.483
Published
2023-11-14
Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.
CVSS Score
5.4
EPSS Score
0.483
Published
2023-11-14
This vulnerability potentially allows local attackers to escalate privileges on affected installations of PaperCut NG. An attacker must have local write access to the C Drive. In addition, Print Archiving must be enabled or the attacker needs to encounter a misconfigured system. This vulnerability does not apply to PaperCut NG installs that have Print Archiving enabled and configured as per the recommended set up procedure. This specific flaw exists within the pc-pdl-to-image process. The process loads an executable from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM
Note: This CVE has been rescored with a "Privileges Required (PR)" rating of low, and “Attack Complexity (AC)” rating of low, reflecting the worst-case scenario where an Administrator has granted local login access to standard network users on the host server.
CVSS Score
7.8
EPSS Score
0.001
Published
2023-11-14
An issue in Golden v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.
CVSS Score
7.5
EPSS Score
0.002
Published
2023-11-14
An issue in Yasukawa memberscard v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.
CVSS Score
7.5
EPSS Score
0.002
Published
2023-11-14
An issue in AsyncSSH before 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a "Rogue Extension Negotiation."
CVSS Score
5.9
EPSS Score
0.004
Published
2023-11-14
An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack."
CVSS Score
6.8
EPSS Score
0.004
Published
2023-11-14