Security Vulnerabilities - CVEs Published In November 2023
Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability
CVSS Score
6.5
EPSS Score
0.002
Published
2023-11-30
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Cocoon.This issue affects Apache Cocoon: from 2.2.0 before 2.3.0.
Users are recommended to upgrade to version 2.3.0, which fixes the issue.
CVSS Score
9.8
EPSS Score
0.006
Published
2023-11-30
Memory Corruption in SIM management while USIMPhase2init
CVSS Score
7.2
EPSS Score
0.001
Published
2023-11-30
nexkey is a microblogging platform. Insufficient validation of ActivityPub requests received in inbox could allow any user to impersonate another user in certain circumstances. This issue has been patched in version 12.122.2.
CVSS Score
8.6
EPSS Score
0.003
Published
2023-11-30
Memory Corruption in IMS while calling VoLTE Streamingmedia Interface
CVSS Score
6.7
EPSS Score
0.001
Published
2023-11-30
Security best practices violations, a string operation in Streamingmedia will write past the end of fixed-size destination buffer if the source buffer is too large.
CVSS Score
6.7
EPSS Score
0.001
Published
2023-11-30
File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component.
CVSS Score
8.8
EPSS Score
0.217
Published
2023-11-30
Mailcow: dockerized is an open source groupware/email suite based on docker. A Cross-Site Scripting (XSS) vulnerability has been identified within the Quarantine UI of the system. This vulnerability poses a significant threat to administrators who utilize the Quarantine feature. An attacker can send a carefully crafted email containing malicious JavaScript code. This issue has been patched in version 2023-11.
CVSS Score
8.3
EPSS Score
0.004
Published
2023-11-30
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.
CVSS Score
7.2
EPSS Score
0.002
Published
2023-11-30
xml-security is a library that implements XML signatures and encryption. Validation of an XML signature requires verification that the hash value of the related XML-document matches a specific DigestValue-value, but also that the cryptographic signature on the SignedInfo-tree (the one that contains the DigestValue) verifies and matches a trusted public key. If an attacker somehow (i.e. by exploiting a bug in PHP's canonicalization function) manages to manipulate the canonicalized version's DigestValue, it would be possible to forge the signature. This issue has been patched in version 1.6.12 and 5.0.0-alpha.13.
CVSS Score
6.8
EPSS Score
0.002
Published
2023-11-30