Security Vulnerabilities - CVEs Published In November 2023
Versions of INEA ME RTU firmware 3.36b and prior are vulnerable to operating system (OS) command injection, which could allow remote code execution.
CVSS Score: 9.9, EPSS Score: 0.004, Published: 2023-11-20
The Strapi Protected Populate Plugin protects `get` endpoints from revealing too much information. Prior to version 1.3.4, users were able to bypass the field level security. Users who tried to populate something that they didn't have access to could populate those fields anyway. This issue has been patched in version 1.3.4. There are no known workarounds.
CVSS Score: 5.3, EPSS Score: 0.003, Published: 2023-11-20
PowerShell Information Disclosure Vulnerability
CVSS Score: 6.5, EPSS Score: 0.025, Published: 2023-11-20
The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.4. This is due to missing or incorrect nonce validation on the audio_merchant_save_settings function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Score: 5.4, EPSS Score: 0.001, Published: 2023-11-20
Contributor+ Stored Cross-Site Scripting (XSS) vulnerability in Slider Revolution <= 6.6.14.
CVSS Score: 6.5, EPSS Score: 0.001, Published: 2023-11-20
GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to a memory leak in gf_mpd_parse_string, media_tools/mpd.c:75.
CVSS Score: 5.5, EPSS Score: 0.0, Published: 2023-11-20
GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leaks in extract_attributes media_tools/m3u8.c:329.
CVSS Score: 7.1, EPSS Score: 0.0, Published: 2023-11-20
The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.4. This is due to missing or incorrect nonce validation on the audio_merchant_add_audio_file function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Score: 8.8, EPSS Score: 0.001, Published: 2023-11-20
The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software version 4.0.4.0 could allow an authenticated local user to escalate privileges by sending a crafted CREATE message.
CVSS Score: 7.8, EPSS Score: 0.001, Published: 2023-11-20
in OpenHarmony v3.2.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through type confusion.
CVSS Score: 5.9, EPSS Score: 0.0, Published: 2023-11-20

