OwnCast
- CVE-2023-46480 | Type: Remote Code Execution | Details: An issue in OwnCast v0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function.
BL Modules for PrestaShop
- CVE-2023-46355 | Type: Information Disclosure | Details: In the module "CSV Feeds PRO" (csvfeeds) before 2.6.1, a guest can download personal information without restriction, leading to leaks of personal data from the ps_customer / ps_order tables.
- CVE-2023-46349 | Type: SQL Injection | Details: In the module "Product Catalog (CSV, Excel) Export/Update" (updateproducts) before 3.8.5, a guest can perform SQL injection through sensitive SQL calls in the productsUpdateModel::getExportIds() method.
BusyBox
- CVE-2023-42366 | Type: Heap Buffer Overflow | Details: A heap buffer overflow was discovered in BusyBox v1.36.1 in the next_token function at awk.c:1159.
- CVE-2023-42365 | Type: Use-After-Free | Details: A use-after-free vulnerability was discovered in BusyBox v1.36.1 via a crafted awk pattern in the copyvar function in awk.c.
- CVE-2023-42364 | Type: Use-After-Free | Details: A use-after-free vulnerability in BusyBox v1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the evaluate function in awk.c.
- CVE-2023-42363 | Type: Use-After-Free | Details: A use-after-free vulnerability was discovered in the xasprintf function at xfuncs_printf.c:344 in BusyBox v1.36.1.
FFS Colibri
- CVE-2023-5885 | Type: Unauthorized File Access | Details: The discontinued FFS Colibri product allows a remote user to access files on the system, including files containing login credentials for other users.
OroPlatform
- CVE-2023-32062 | Type: Access Control Bypass | Details: OroPlatform allows back-office users to access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks.
- CVE-2022-41951 | Type: Path Traversal | Details: OroPlatform is vulnerable to path traversal in Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName, allowing an attacker to write content to a new file during script execution.
Tenda AX1803
- CVE-2023-49044 | Type: Stack Overflow | Details: Stack overflow vulnerability in Tenda AX1803 v1.0.0.1 allows a remote attacker to execute arbitrary code via the ssid parameter in the function form_fast_setting_wifi_set.
32ns KLive
- CVE-2023-49030 | Type: SQL Injection | Details: SQL injection vulnerability in 32ns KLive v2019-1-19 and before allows a remote attacker to obtain sensitive information via a crafted script sent to the web/user.php component.
Acer Wireless Keyboard SK-9662
- CVE-2023-48034 | Type: Key Injection | Details: An issue discovered in the Acer Wireless Keyboard SK-9662 allows an attacker in physical proximity to both decrypt wireless keystrokes and inject arbitrary keystrokes, owing to weak encryption.
phpseclib
- CVE-2023-49316 | Type: Denial of Service | Details: In Math/BinaryField.php in phpseclib before 3.0.34, excessively large degrees can lead to a denial of service.
Control iD iDSecure
- CVE-2023-6329 | Type: Authentication Bypass | Details: An authentication bypass vulnerability exists in Control iD iDSecure v4.7.32.0, allowing an unauthenticated attacker to compute valid credentials and bypass authentication.
WPB Show Core WordPress Plugin
- CVE-2023-5974 | Type: Server-Side Request Forgery (SSRF) | Details: The WPB Show Core WordPress plugin through 2.2 is vulnerable to server-side request forgery (SSRF) via the path parameter.
POST SMTP Mailer WordPress Plugin
- CVE-2023-5958 | Type: Cross-Site Scripting (XSS) | Details: The POST SMTP Mailer WordPress plugin before 2.7.1 does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users.
Medialist WordPress Plugin
- CVE-2023-5942 | Type: Stored Cross-Site Scripting (XSS) | Details: The Medialist WordPress plugin before 1.4.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post, allowing users with the contributor role and above to perform stored cross-site scripting attacks.
Job Manager & Career WordPress Plugin
- CVE-2023-5906 | Type: Unauthorized File Access | Details: The Job Manager & Career WordPress plugin before 1.4.4 contains a vulnerability in the Directory Listings system, allowing an unauthorized user to view and download private files of other users.
Simple Social Media Share Buttons WordPress Plugin
- CVE-2023-5845 | Type: Information Disclosure | Details: The Simple Social Media Share Buttons WordPress plugin before 5.1.1 leaks password-protected post content to unauthenticated visitors in some meta tags.
WordPress Backup & Migration Plugin
- CVE-2023-5738 | Type: Cross-Site Scripting (XSS) | Details: The WordPress Backup & Migration WordPress plugin before 1.4.4 does not sanitize and escape some parameters, allowing users with a role as low as Subscriber to perform XSS attacks.
- CVE-2023-5737 | Type: Authorization Bypass | Details: The WordPress Backup & Migration WordPress plugin before 1.4.4 does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings.
WassUp Real Time Analytics Plugin
- CVE-2023-5653 | Type: Stored Cross-Site Scripting (XSS) | Details: The WassUp Real Time Analytics WordPress plugin through 1.9.4.5 does not escape IP addresses provided via some headers before outputting them back in an admin page, allowing unauthenticated users to perform stored XSS attacks against logged-in admins.
Martins Free & Easy SEO BackLink Link Building Network Plugin
- CVE-2023-5641 | Type: Reflected Cross-Site Scripting (XSS) | Details: The Martins Free & Easy SEO BackLink Link Building Network WordPress plugin before 1.2.30 does not sanitize and escape a parameter before outputting it back on the page, leading to a reflected cross-site scripting issue that could be used against high-privilege users such as admin.
Web Push Notifications Plugin
- CVE-2023-5620 | Type: Stored Cross-Site Scripting (XSS) | Details: The Web Push Notifications WordPress plugin before 4.35.0 does not prevent visitors to the site from changing some of the plugin options, some of which may be used to conduct stored XSS attacks.
Seraphinite Accelerator Plugin
- CVE-2023-5611 | Type: Authorization Bypass | Details: The Seraphinite Accelerator WordPress plugin before 2.20.32 does not have authorization and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them.
Asgaros Forum Plugin
- CVE-2023-5604 | Type: Insecure Configuration | Details: The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configurations that allow unauthenticated users to upload dangerous files (e.g., .php, .phtml), potentially leading to remote code execution.
WP-UserOnline Plugin
- CVE-2023-5560 | Type: Cross-Site Scripting (XSS) | Details: The WP-UserOnline WordPress plugin before 2.88.3 does not sanitize and escape the X-Forwarded-For header before outputting its content on the page, allowing unauthenticated users to perform XSS attacks.
10Web Booster Plugin
- CVE-2023-5559 | Type: Denial of Service | Details: The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.
Limit Login Attempts Reloaded Plugin
- CVE-2023-5525 | Type: Authorization Bypass | Details: The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is missing authorization on the toggle_auto_update AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.
Woocommerce Vietnam Checkout Plugin
- CVE-2023-5325 | Type: Cross-Site Scripting (XSS) | Details: The Woocommerce Vietnam Checkout WordPress plugin before 2.0.6 does not escape the custom shipping phone field on the checkout form, leading to XSS.
Security & Malware Scan by CleanTalk Plugin
- CVE-2023-5239 | Type: IP Address Spoofing | Details: The Security & Malware Scan by CleanTalk WordPress plugin before 2.121 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate the value and bypass brute-force protection.
WordPress Online Booking and Scheduling Plugin
- CVE-2023-5209 | Type: Stored Cross-Site Scripting (XSS) | Details: The WordPress Online Booking and Scheduling Plugin WordPress plugin before 22.5 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform stored cross-site scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
WPB Show Core Plugin
- CVE-2023-4922 | Type: Local File Inclusion | Details: The WPB Show Core WordPress plugin through 2.2 is vulnerable to local file inclusion via the path parameter.
kk Star Ratings Plugin
- CVE-2023-4642 | Type: Race Condition | Details: The kk Star Ratings WordPress plugin before 5.4.6 does not implement atomic operations, allowing one user to vote multiple times on a poll due to a race condition.
Mmm Simple File List Plugin
- CVE-2023-4514 | Type: Stored Cross-Site Scripting (XSS) | Details: The Mmm Simple File List WordPress plugin through 2.3 does not validate and escape some of its shortcode attributes before outputting them back on the page/post where the shortcode is embedded, allowing users with the contributor role and above to perform stored cross-site scripting attacks.
- CVE-2023-4297 | Type: Path Traversal | Details: The Mmm Simple File List WordPress plugin through 2.3 does not validate the generated path to list files from, allowing any authenticated user, such as a subscriber, to list the contents of arbitrary directories.
EventPrime Plugin
- CVE-2023-4252 | Type: Price Manipulation | Details: The EventPrime WordPress plugin through 3.2.9 specifies the price of a booking in the client request, allowing an attacker to purchase bookings without payment.
Tenda AX1803
- CVE-2023-49047 | Type: Stack Overflow | Details: Tenda AX1803 v1.0.0.1 contains a stack overflow via the devName parameter in the function formSetDeviceName.
- CVE-2023-49042 | Type: Heap Overflow | Details: Heap overflow vulnerability in Tenda AX1803 v1.0.0.1 allows a remote attacker to execute arbitrary code via the schedStartTime parameter or the schedEndTime parameter in the function setSchedWifi.
- CVE-2023-49040 | Type: Remote Code Execution | Details: An issue in Tenda AX1803 v1.0.0.1 allows a remote attacker to execute arbitrary code via the adslPwd parameter in the form_fast_setting_internet_set function.
- CVE-2023-49046 | Type: Stack Overflow | Details: Stack overflow vulnerability in Tenda AX1803 v1.0.0.1 allows a remote attacker to execute arbitrary code via the devName parameter in the function formAddMacfilterRule.
- CVE-2023-49043 | Type: Buffer Overflow | Details: Buffer overflow vulnerability in Tenda AX1803 v1.0.0.1 allows a remote attacker to execute arbitrary code via the wpapsk_crypto parameter in the function fromSetWirelessRepeat.
smpn1smg absis
- CVE-2023-49028 | Type: Cross-Site Scripting (XSS) | Details: Cross-site scripting vulnerability in smpn1smg absis v2017-10-19 and before allows a remote attacker to execute arbitrary code via the user parameter in the lock/lock.php file.
- CVE-2023-49029 | Type: Cross-Site Scripting (XSS) | Details: Cross-site scripting vulnerability in smpn1smg absis v2017-10-19 and before allows a remote attacker to execute arbitrary code via the nama parameter in the lock/lock.php file.
Arcserve UDP
- CVE-2023-42000 | Type: Path Traversal | Details: Arcserve UDP prior to 9.2 contains a path traversal vulnerability in com.ca.arcflash.ui.server.servlet.FileHandlingServlet.doUpload(). An unauthenticated remote attacker can exploit it to upload arbitrary files to any location on the file system where the UDP agent is installed.
- CVE-2023-41999 | Type: Authentication Bypass | Details: An authentication bypass exists in Arcserve UDP prior to version 9.2. An unauthenticated remote attacker can obtain a valid authentication identifier that allows them to authenticate to the management console and perform tasks that require authentication.
- CVE-2023-41998 | Type: File Upload and Execution | Details: Arcserve UDP prior to 9.2 contains a vulnerability in the com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface. A routine exists that allows an attacker to upload and execute arbitrary files.
Foxit Reader
- CVE-2023-2707 | Type: Type Confusion | Details: A type confusion vulnerability exists in the way Foxit Reader 12.1.2.15356 handles field value properties, leading to memory corruption and arbitrary code execution.
- CVE-2023-40194 | Type: Arbitrary File Creation | Details: An arbitrary file creation vulnerability exists in the JavaScript exportDataObject API of Foxit Reader 12.1.3.15356 due to mistreatment of whitespace characters, leading to arbitrary code execution.
- CVE-2023-39542 | Type: Code Execution | Details: A code execution vulnerability exists in the JavaScript saveAs API of Foxit Reader 12.1.3.15356. A specially crafted malformed file can create arbitrary files, leading to remote code execution.
- CVE-2023-38573 | Type: Use-After-Free | Details: A use-after-free vulnerability exists in the way Foxit Reader 12.1.2.15356 handles a signature field, leading to memory corruption and arbitrary code execution.
- CVE-2023-35985 | Type: Arbitrary File Creation | Details: An arbitrary file creation vulnerability exists in the JavaScript exportDataObject API of Foxit Reader 12.1.3.15356 due to a failure to properly validate a dangerous extension, leading to arbitrary code execution.
- CVE-2023-32616 | Type: Use-After-Free | Details: A use-after-free vulnerability exists in the way Foxit Reader 12.1.2.15356 handles 3D annotations, leading to memory corruption and arbitrary code execution.
- CVE-2023-41257 | Type: Type Confusion | Details: A type confusion vulnerability exists in the way Foxit Reader 12.1.2.15356 handles field value properties. Specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, leading to memory corruption, which can result in arbitrary code execution on the affected system.
WPS Office
- CVE-2023-31275 | Type: Uninitialized Pointer Use | Details: An uninitialized pointer use vulnerability exists in the functionality of WPS Office 11.2.0.11537 that handles Data elements in an Excel file, leading to remote code execution.
Tribe29 Checkmk Appliance
- CVE-2023-6287 | Type: Sensitive Data Exposure | Details: Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows a local attacker to retrieve passwords by reading log files.
Plesk Installer
- CVE-2023-4931 | Type: Uncontrolled Search Path Element | Details: Uncontrolled search path element vulnerability in Plesk Installer affects version 3.27.0.0. A local attacker could execute arbitrary code by placing DLL files in the same folder where the application is installed, resulting in DLL hijacking.
Frhed Hex Editor
- CVE-2023-4590 | Type: Buffer Overflow | Details: Buffer overflow vulnerability in the Frhed hex editor, affecting version 1.6.0, allows an attacker to execute arbitrary code via a long filename argument that overwrites the Structured Exception Handler (SEH) registers.
libnbd
- CVE-2023-5871 | Type: Denial of Service | Details: A flaw was found in libnbd, a client library for the Network Block Device (NBD) protocol, that allows a malicious NBD server to cause a denial of service.
Knative Serving
- CVE-2023-48713 | Type: Denial-of-Service (DoS) | Details: Knative Serving on Kubernetes is vulnerable to DoS via an unbounded memory allocation bug in the /metrics endpoint. Patched in version 0.39.0.
OroCommerce
- CVE-2023-32065 | Type: Information Disclosure | Details: OroCommerce, an open-source B2B commerce application, allows retrieval of detailed order totals information by Order ID. Patched in versions 5.0.11 and 5.1.1.
- CVE-2023-32064 | Type: Security Bypass | Details: OroCommerce with customer portal features allows back-office users to access information about the Customer and Customer User menus, bypassing ACL security restrictions. Patched in versions 5.0.11 and 5.1.1.
- CVE-2023-32063 | Type: Security Bypass | Details: OroCalendarBundle in Oro applications allows back-office users to access information from any calendar event, bypassing ACL security restrictions. Patched in versions 5.0.4 and 5.1.1.
BookingPress Plugin for WordPress
- CVE-2023-6219 | Type: Arbitrary File Upload | Details: The BookingPress WordPress plugin allows authenticated attackers to upload arbitrary files, potentially leading to remote code execution.
Zyxel Security Vulnerabilities
Zyxel USG FLEX Series, VPN Series, ATP Series, WAC500, WAX300H, WBE660S, NWA50AX
- CVE-2023-5960 | Type: Improper Privilege Management | Details: Improper privilege management vulnerability in the hotspot feature of Zyxel USG FLEX series and VPN series firmware could allow an authenticated local attacker to access system files.
- CVE-2023-5797 | Type: Improper Privilege Management | Details: Improper privilege management vulnerability in the debug CLI command of various Zyxel series firmware could allow an authenticated local attacker to access administrator's logs.
- CVE-2023-5650 | Type: Improper Privilege Management | Details: Improper privilege management vulnerability in the ZySH of various Zyxel series firmware could allow an authenticated local attacker to modify the URL of the registration page.
- CVE-2023-4398 | Type: Integer Overflow | Details: Integer overflow vulnerability in the QuickSec IPSec toolkit of various Zyxel series firmware could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions via a crafted IKE packet.
- CVE-2023-4397 | Type: Buffer Overflow | Details: Buffer overflow vulnerability in various Zyxel series firmware could allow an authenticated local attacker to cause denial-of-service (DoS) conditions by executing CLI commands with crafted strings.
- CVE-2023-37926 | Type: Buffer Overflow | Details: Buffer overflow vulnerability in various Zyxel series firmware could allow an authenticated local attacker to cause denial-of-service (DoS) conditions by executing CLI commands to dump system logs.
- CVE-2023-37925 | Type: Improper Privilege Management | Details: Improper privilege management vulnerability in the debug CLI command of various Zyxel series firmware could allow an authenticated local attacker to access system files.
jflyfox jfinalCMS
- CVE-2023-47503 | Type: Arbitrary Code Execution | Details: An issue in jflyfox jfinalCMS v5.1.0 allows a remote attacker to execute arbitrary code via a crafted script sent to the login.jsp component in the template management module.
Zyxel ATP Series, USG FLEX Series, USG FLEX 50(W) Series, USG20(W)-VPN Series, VPN Series
- CVE-2023-35139 | Type: Cross-Site Scripting (XSS) | Details: Cross-site scripting vulnerability in the CGI program of various Zyxel series firmware could allow an unauthenticated LAN-based attacker to store malicious scripts.
Zyxel ATP Series, USG FLEX Series, USG FLEX 50(W) Series, USG20(W)-VPN Series, VPN Series
- CVE-2023-35136 | Type: Improper Input Validation | Details: Improper input validation vulnerability in the "Quagga" package of various Zyxel series firmware could allow an authenticated local attacker to access configuration files.
Node.js (.msi version) Installation
- CVE-2023-30585 | Type: Path Traversal | Details: Vulnerability in the Node.js (.msi version) installation process on Windows allows unprivileged users to manipulate the %USERPROFILE% environment variable, potentially leading to arbitrary folder creation.
Pachno 1.0.6
- CVE-2023-47437 | Type: Cross-Site Scripting (XSS) | Details: A vulnerability in Pachno 1.0.6 allows an authenticated attacker to execute a cross-site scripting (XSS) attack by injecting malicious JavaScript.
Sentrifugo 3.5
- CVE-2023-29770 | Type: Arbitrary File Upload | Details: In Sentrifugo 3.5, the AssetsController::uploadsaveAction function allows an authenticated attacker to upload any file without extension filtering.
Apache NiFi
- CVE-2023-49145 | Type: Cross-Site Scripting (XSS) | Details: Apache NiFi 0.7.0 through 1.23.2 includes the JoltTransformJSON Processor, which is vulnerable to DOM-based cross-site scripting, allowing arbitrary JavaScript code execution within the session context of an authenticated user.
PrestaShop opartdevis
- CVE-2023-48188 | Type: SQL Injection | Details: SQL injection vulnerability in PrestaShop opartdevis v4.5.18 through v4.6.12 allows a remote attacker to execute arbitrary code via a crafted script sent to the getModuleTranslation function.
TACC ePO Extension
- CVE-2023-5607 | Type: Path Traversal | Details: Improper limitation of a path name to a restricted directory (path traversal) vulnerability in the TACC ePO extension could lead to an authorized administrator executing arbitrary code by uploading a specially crafted GTI reputation file. Patched in version 8.4.0.
Apache Superset
- CVE-2023-43701 | Type: Code Execution | Details: Improper payload validation and REST API response type in Apache Superset versions prior to 2.1.2 allow an authenticated malicious actor to store malicious code in a Chart's metadata, potentially leading to code execution.
- CVE-2023-42501 | Type: Information Disclosure | Details: Unnecessary read permissions within the Gamma role in Apache Superset before 2.1.2 allow authenticated users to read configured CSS templates and annotations.
- CVE-2023-40610 | Type: Privilege Escalation | Details: Improper authorization check and possible privilege escalation in Apache Superset up to but excluding 2.1.2. Using the default examples database connection, an attacker could change data in the metadata database.
OTRS
- CVE-2023-6254 | Type: Information Disclosure | Details: Vulnerability in the OTRS AgentInterface and ExternalInterface allows the reading of plain-text passwords sent back to the client in the server response. Affects OTRS from 8.0.X through 8.0.37.
Mattermost
- CVE-2023-6202 | Type: Information Disclosure | Details: Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint, allowing a guest user to get information about another user.
- CVE-2023-48369 | Type: Denial-of-Service (DoS) | Details: Mattermost fails to limit the size of server logs, potentially allowing an attacker to overflow the log.
- CVE-2023-48268 | Type: Denial-of-Service (DoS) | Details: Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards, allowing an attacker to consume excessive resources, possibly leading to DoS.
- CVE-2023-47168 | Type: Open Redirect | Details: Mattermost fails to properly check a redirect URL parameter, allowing an open redirect when the user clicks "Back to Mattermost" after providing an invalid custom URL scheme.
- CVE-2023-45223 | Type: Information Disclosure | Details: Mattermost fails to properly validate the "Show Full Name" option in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled.
- CVE-2023-43754 | Type: Information Disclosure | Details: Mattermost fails to check whether the "Allow users to view archived channels" setting is enabled when displaying permalink previews, allowing members to view permalink previews of archived channels even if the setting is disabled.
- CVE-2023-40703 | Type: Denial-of-Service (DoS) | Details: Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards, allowing an attacker to consume excessive resources, possibly leading to DoS.
- CVE-2023-35075 | Type: HTML Injection | Details: Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML into a victim's page.
- CVE-2023-47865 | Type: Privilege Escalation | Details: Mattermost fails to check whether Hardened Mode is enabled when overriding the username and/or the icon when posting. If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a post even when the Hardened Mode setting was enabled.
NAVER Whale Browser Mobile App
- CVE-2023-25632 | Type: Authentication Bypass | Details: The Android Whale browser mobile app before 3.0.1.2 allows an attacker to bypass its browser unlock function via the 'Open in Whale' feature.
Apache DolphinScheduler
- CVE-2023-49068 | Type: Information Disclosure | Details: Exposure of sensitive information to an unauthorized actor vulnerability in Apache DolphinScheduler. Affects Apache DolphinScheduler before 3.2.1.