Security Vulnerabilities - CVEs Published In November 2023
Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2023-11-03
An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in the youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers.
CVSS Score: 5.4 | EPSS Score: 0.004 | Published: 2023-11-03
An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. diff-multi-sameuser (aka "X intermediate revisions by the same user not shown") ignores username suppression. This is an information leak.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2023-11-03
An issue was discovered in phpFox before 4.8.14. The url request parameter passed to the /core/redirect route is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code.
CVSS Score: 9.8 | EPSS Score: 0.008 | Published: 2023-11-03
Lost and Found Information System 1.0 allows account takeover via a username and password submitted to the /classes/Users.php?f=save URI.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2023-11-03
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2023-11-03
Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2023-11-03
Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2023-11-03
Rogic No-Code Database Builder's file upload function has insufficient filtering of special characters. A remote attacker with regular user privileges can inject JavaScript to perform a stored cross-site scripting (XSS) attack.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2023-11-03
ASUS RT-AX55's authentication-related function has a vulnerability of insufficient filtering of special characters within its token-generation module. An authenticated remote attacker can exploit this vulnerability to perform a command injection attack to execute arbitrary commands, disrupt the system, or terminate services.
CVSS Score: 8.8 | EPSS Score: 0.012 | Published: 2023-11-03
Shodan ® - All rights reserved