ARPSyndicate - Cyber & Open Source Intelligence
A Global Cyber Intelligence Company with hyperspecialization in Information Discovery, Shadow IT & Vulnerability Intelligence.

A.R.P. Syndicate [https://arpsyndicate.io/pricing.html]
#ExploitObserverAlert

CVE-2023-0558

DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-0558. The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to an unsecure token check that is susceptible to type juggling in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to execute functions intended for use by users with proper API keys.

FIRST-EPSS: 0.001650000
NVD-IS: 5.9
NVD-ES: 3.9
#ExploitObserverAlert

CVE-2023-4774

DESCRIPTION: Exploit Observer has 3 entries related to CVE-2023-4774. The WP-Matomo Integration (WP-Piwik) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp-piwik' shortcode in versions up to, and including, 1.0.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

FIRST-EPSS: 0.000510000
NVD-IS: 2.7
NVD-ES: 2.3
#ExploitObserverAlert

CVE-2023-20729

DESCRIPTION: Exploit Observer has 1 entry related to CVE-2023-20729. In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07573552; Issue ID: ALPS07573575.

FIRST-EPSS: 0.000420000
NVD-IS: 3.6
NVD-ES: 0.8
#ExploitObserverAlert

CVE-2023-41966

DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-41966. The application suffers from a privilege escalation vulnerability. A user with read permissions can elevate privileges by sending an HTTP POST to set a parameter.

FIRST-EPSS: 0.000500000
NVD-IS: 5.9
NVD-ES: 2.8
#ExploitObserverAlert

CVE-2023-43577

DESCRIPTION: Exploit Observer has 1 entry related to CVE-2023-43577. A buffer overflow was reported in the ReFlash module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to execute arbitrary code.

FIRST-EPSS: 0.000420000
NVD-IS: 5.9
NVD-ES: 0.8
#ExploitObserverAlert

CVE-2023-5903

DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-5903. Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

FIRST-EPSS: 0.000450000
NVD-IS: 2.7
NVD-ES: 2.3
#ExploitObserverAlert

GHSA-fwfg-vprh-97ph

DESCRIPTION: Exploit Observer has 6 entries related to GHSA-FWFG-VPRH-97PH. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script through the Settings that will allow code execution during rendering of that script.

GHSS: 6.5
#ExploitObserverAlert

CVE-2023-2091

DESCRIPTION: Exploit Observer has 4 entries related to CVE-2023-2091. A vulnerability classified as critical was found in KylinSoft youker-assistant on KylinOS. Affected by this vulnerability is the function adjust_cpufreq_scaling_governer. The manipulation leads to os command injection. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.4.13 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-226099.

FIRST-EPSS: 0.000650000
NVD-IS: 5.9
NVD-ES: 1.8
#ExploitObserverAlert

GHSA-5h3x-9wvq-w4m2

DESCRIPTION: Exploit Observer has 2 entries related to GHSA-5H3X-9WVQ-W4M2. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all.

GHSS: 5.3
#ExploitObserverAlert

CVE-2023-24476

DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-24476. An attacker with local access to the machine could record the traffic, which could allow them to resend requests without the server authenticating that the user or session are valid.

FIRST-EPSS: 0.000420000
NVD-IS: 1.4
NVD-ES: 1.8
#ExploitObserverAlert

CVE-2023-1913

DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-1913. The Maps Widget for Google Maps for WordPress is vulnerable to Stored Cross-Site Scripting via widget settings in versions up to, and including, 4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

FIRST-EPSS: 0.000450000
NVD-IS: 2.7
NVD-ES: 1.7
#ExploitObserverAlert

CVE-2023-23158

DESCRIPTION: Exploit Observer has 3 entries related to CVE-2023-23158. A stored cross-site scripting (XSS) vulnerability in Art Gallery Management System Project v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the message parameter on the enquiry page.

FIRST-EPSS: 0.000510000
NVD-IS: 2.7
NVD-ES: 2.3
#ExploitObserverAlert

CVE-2023-37070

DESCRIPTION: Exploit Observer has 3 entries related to CVE-2023-37070. Code Projects Hospital Information System 1.0 is vulnerable to Cross Site Scripting (XSS).

FIRST-EPSS: 0.000510000
NVD-IS: 2.7
NVD-ES: 1.7
#ExploitObserverAlert

CVE-2023-50256

DESCRIPTION: Exploit Observer has 3 entries related to CVE-2023-50256. Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue.
#ExploitObserverAlert

CVE-2023-46742

DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-46742. CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users' secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users' secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.
#ExploitObserverAlert

CVE-2022-41049

DESCRIPTION: Exploit Observer has 5 entries related to CVE-2022-41049. Windows Mark of the Web Security Feature Bypass Vulnerability

FIRST-EPSS: 0.002150000
NVD-IS: 2.5
NVD-ES: 2.8
#ExploitObserverAlert

CVE-2023-52310

DESCRIPTION: Exploit Observer has 1 entry related to CVE-2023-52310. PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. This resulted in the ability to execute arbitrary commands on the operating system.
#ExploitObserverAlert

CVE-2023-51784

DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-51784. Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.5.0 through 1.9.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9329
#ExploitObserverAlert

CVE-2023-37608

DESCRIPTION: Exploit Observer has 3 entries related to CVE-2023-37608. An issue in Automatic Systems SOC FL9600 FastLine v.lego_T04E00 allows a remote attacker to obtain sensitive information via the admin login credentials.
#ExploitObserverAlert

CVE-2023-50253

DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-50253. Laf is a cloud development platform. In the Laf version design, the log uses communication with k8s to quickly retrieve logs from the container without the need for additional storage. However, in version 1.0.0-beta.13 and prior, this interface does not verify the permissions of the pod, which allows authenticated users to obtain any pod logs under the same namespace through this method, thereby obtaining sensitive information printed in the logs. As of time of publication, no known patched versions exist.
#ExploitObserverAlert

CVE-2023-51785

DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-51785. Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make an arbitrary file read attack using mysql driver. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9331