Security Vulnerabilities - CVEs Published In December 2023
The SmartCrawl WordPress plugin before 3.8.3 does not prevent unauthorised users from accessing password-protected posts' content.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2023-12-18

The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site's code.
CVSS Score: 5.3 | EPSS Score: 0.463 | Published: 2023-12-18

The Slider WordPress plugin before 3.5.12 does not ensure that posts accessed via an AJAX action are slides and can be viewed by the user making the request, allowing any authenticated user, such as a subscriber, to access the content of arbitrary posts, including private, draft and password-protected ones.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2023-12-18

The Events Calendar WordPress plugin before 6.2.8.1 discloses the content of password-protected posts to unauthenticated users via a crafted request.
CVSS Score: 7.5 | EPSS Score: 0.008 | Published: 2023-12-18

The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks.
CVSS Score: 7.2 | EPSS Score: 0.004 | Published: 2023-12-18

The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities; this would not take long, as the 2FA codes are 6 digits.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2023-12-18

The Swift Performance Lite WordPress plugin before 2.3.6.15 does not prevent users from exporting the plugin's settings, which may include sensitive information such as Cloudflare API tokens.
CVSS Score: 4.3 | EPSS Score: 0.028 | Published: 2023-12-18

In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.
CVSS Score: 5.5 | EPSS Score: 0.0 | Published: 2023-12-18

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
CVSS Score: 6.5 | EPSS Score: 0.095 | Published: 2023-12-18

Cambium ePMP Force 300-25 version 4.7.0.1 contains a code injection vulnerability that could allow an attacker to perform remote code execution and gain root privileges.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2023-12-18

Shodan ® - All rights reserved