Security Vulnerabilities - CVEs Published In November 2023
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on the 'export_users' function. This makes it possible for unauthenticated attackers to export the users to a csv file, granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Score
6.1
EPSS Score
0.002
Published
2023-11-22
A maliciously crafted DLL file can be forced to install onto a non-default location, and attacker can overwrite parts of the product with malicious DLLs. These files may then have elevated privileges leading to a Privilege Escalation vulnerability.
CVSS Score
7.8
EPSS Score
0.008
Published
2023-11-22
Autodesk users who no longer have an active license for an account can still access cases for that account.
CVSS Score
5.3
EPSS Score
0.004
Published
2023-11-22
Autodesk Customer Support Portal allows cases created by users under an account to see cases created by other users on the same account.
CVSS Score
4.3
EPSS Score
0.003
Published
2023-11-22
radare2 5.8.9 has an out-of-bounds read in r_bin_object_set_items in libr/bin/bobj.c, causing a crash in r_read_le32 in libr/include/r_endian.h.
CVSS Score
7.5
EPSS Score
0.002
Published
2023-11-22
An access control issue in Mercedes me IOS APP v1.34.0 and below allows attackers to view the carts of other users via sending a crafted add order request.
CVSS Score
5.3
EPSS Score
0.003
Published
2023-11-22
An access control issue in Mercedes me IOS APP v1.34.0 and below allows attackers to view the maintenance orders of other users and access sensitive user information via unspecified vectors.
CVSS Score
5.3
EPSS Score
0.004
Published
2023-11-22
Buffer Overflow vulnerability in GifLib Project GifLib v.5.2.1 allows a local attacker to obtain sensitive information via the DumpSCreen2RGB function in gif2rgb.c
CVSS Score
7.1
EPSS Score
0.0
Published
2023-11-22
A binary hijacking vulnerability exists within the VideoLAN VLC media player before 3.0.19 on Windows. The uninstaller attempts to execute code with elevated privileges out of a standard user writable location. Standard users may use this to gain arbitrary code execution as SYSTEM.
CVSS Score
7.8
EPSS Score
0.001
Published
2023-11-22
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 230824.
CVSS Score
4.3
EPSS Score
0.0
Published
2023-11-22