Security Vulnerabilities - CVEs Published In November 2023
Docker Machine through 0.16.2 allows an attacker, who has control of a worker node, to provide crafted version data, which might potentially trick an administrator into performing an unsafe action (via escape sequence injection), or might have a data size that causes a denial of service to a bastion node. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Score
6.5
EPSS Score
0.004
Published
2023-11-07
XWiki Platform is a generic wiki platform. In org.xwiki.platform:xwiki-platform-livetable-ui starting with version 3.5-milestone-1 and prior to versions 14.10.9 and 15.3-rc-1, the mail obfuscation configuration was not fully taken into account and is was still possible by obfuscated emails. This has been patched in XWiki 14.10.9 and XWiki 15.3-rc-1. A workaround is to modify the page `XWiki.LiveTableResultsMacros` following the patch.
CVSS Score
4.3
EPSS Score
0.004
Published
2023-11-07
Improper Restriction of Excessive Authentication Attempts in GitHub repository linagora/twake prior to 2023.Q1.1223.
CVSS Score
5.5
EPSS Score
0.001
Published
2023-11-07
DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute.
CVSS Score
6.1
EPSS Score
0.002
Published
2023-11-07
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
CVSS Score
6.5
EPSS Score
0.018
Published
2023-11-07
Microsoft OneNote Spoofing Vulnerability
CVSS Score
4.6
EPSS Score
0.001
Published
2023-11-06
Buffer Overflow vulnerability in Redis RedisGraph v.2.x through v.2.12.8 and fixed in v.2.12.9 allows an attacker to execute arbitrary code via the code logic after valid authentication.
CVSS Score
8.8
EPSS Score
0.004
Published
2023-11-06
Cross Site Scripting vulnerability in Mybb Mybb Forums v.1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management component.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-11-06
The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts/comments etc however the vendor acknowledged and fixed the issue
CVSS Score
4.8
EPSS Score
0.015
Published
2023-11-06
The WooCommerce Ninja Forms Product Add-ons WordPress plugin before 1.7.1 does not validate the file to be uploaded, allowing any unauthenticated users to upload arbitrary files to the server, leading to RCE.
CVSS Score
9.8
EPSS Score
0.008
Published
2023-11-06