Security Vulnerabilities - CVEs Published In November 2023
Remote Code Execution (RCE) vulnerability in o2oa version 8.1.2 and before, allows attackers to create a new interface in the service management function to execute JavaScript.
CVSS Score
9.8
EPSS Score
0.043
Published
2023-11-30
Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5.
CVSS Score
4.3
EPSS Score
0.0
Published
2023-11-30
Improper Input Validation vulnerability in simulation function of GX Works2 allows an attacker to cause a denial-of-service (DoS) condition on the function by sending specially crafted packets. However, the attacker would need to send the packets from within the same personal computer where the function is running.
CVSS Score
2.5
EPSS Score
0.0
Published
2023-11-30
Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 before 4.5.0 allows a remote attacker to execute arbitrary code via the upload API function.
CVSS Score
8.8
EPSS Score
0.643
Published
2023-11-30
Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.
CVSS Score
4.3
EPSS Score
0.003
Published
2023-11-30
ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account. Accounts with MFA or Passwordless enabled can not be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.
CVSS Score
8.1
EPSS Score
0.004
Published
2023-11-30
Improper Input Validation vulnerability in simulation function of GX Works2 allows an attacker to cause a denial-of-service (DoS) condition on the function by sending specially crafted packets. However, the attacker would need to send the packets from within the same personal computer where the function is running.
CVSS Score
2.5
EPSS Score
0.0
Published
2023-11-30
Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 before 4.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the gl_nas_sys authentication function.
CVSS Score
9.8
EPSS Score
0.045
Published
2023-11-30
The Debug Log Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the clear_log() function. This makes it possible for unauthenticated attackers to clear the debug log via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-11-30
Malicious Code Execution Vulnerability due to External Control of File Name or Path in multiple Mitsubishi Electric FA Engineering Software Products allows a malicious attacker to execute a malicious code by having legitimate users open a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service (DoS) condition.
CVSS Score
7.8
EPSS Score
0.001
Published
2023-11-30