#ExploitObserverAlert
CVE-2023-37070
DESCRIPTION: Exploit Observer has 3 entries related to CVE-2023-37070. Code Projects Hospital Information System 1.0 is vulnerable to Cross Site Scripting (XSS)
FIRST-EPSS: 0.000510000
NVD-IS: 2.7
NVD-ES: 1.7
CVE-2023-37070
DESCRIPTION: Exploit Observer has 3 entries related to CVE-2023-37070. Code Projects Hospital Information System 1.0 is vulnerable to Cross Site Scripting (XSS)
FIRST-EPSS: 0.000510000
NVD-IS: 2.7
NVD-ES: 1.7
#ExploitObserverAlert
CVE-2023-50256
DESCRIPTION: Exploit Observer has 3 entries related to CVE-2023-50256. Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue.
CVE-2023-50256
DESCRIPTION: Exploit Observer has 3 entries related to CVE-2023-50256. Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue.
#ExploitObserverAlert
CVE-2023-46742
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-46742. CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.
CVE-2023-46742
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-46742. CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.
#ExploitObserverAlert
CVE-2022-41049
DESCRIPTION: Exploit Observer has 5 entries related to CVE-2022-41049. Windows Mark of the Web Security Feature Bypass Vulnerability
FIRST-EPSS: 0.002150000
NVD-IS: 2.5
NVD-ES: 2.8
CVE-2022-41049
DESCRIPTION: Exploit Observer has 5 entries related to CVE-2022-41049. Windows Mark of the Web Security Feature Bypass Vulnerability
FIRST-EPSS: 0.002150000
NVD-IS: 2.5
NVD-ES: 2.8
#ExploitObserverAlert
CVE-2023-52310
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-52310. PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. This resulted in the ability to execute arbitrary commands on the operating system.
CVE-2023-52310
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-52310. PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. This resulted in the ability to execute arbitrary commands on the operating system.
#ExploitObserverAlert
CVE-2023-51784
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-51784. Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.This issue affects Apache InLong: from 1.5.0 through 1.9.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9329
CVE-2023-51784
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-51784. Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.This issue affects Apache InLong: from 1.5.0 through 1.9.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9329
#ExploitObserverAlert
CVE-2023-37608
DESCRIPTION: Exploit Observer has 3 entries related to CVE-2023-37608. An issue in Automatic Systems SOC FL9600 FastLine v.lego_T04E00 allows a remote attacker to obtain sensitive information via the admin login credentials.
CVE-2023-37608
DESCRIPTION: Exploit Observer has 3 entries related to CVE-2023-37608. An issue in Automatic Systems SOC FL9600 FastLine v.lego_T04E00 allows a remote attacker to obtain sensitive information via the admin login credentials.
#ExploitObserverAlert
CVE-2023-50253
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-50253. Laf is a cloud development platform. In the Laf version design, the log uses communication with k8s to quickly retrieve logs from the container without the need for additional storage. However, in version 1.0.0-beta.13 and prior, this interface does not verify the permissions of the pod, which allows authenticated users to obtain any pod logs under the same namespace through this method, thereby obtaining sensitive information printed in the logs. As of time of publication, no known patched versions exist.
CVE-2023-50253
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-50253. Laf is a cloud development platform. In the Laf version design, the log uses communication with k8s to quickly retrieve logs from the container without the need for additional storage. However, in version 1.0.0-beta.13 and prior, this interface does not verify the permissions of the pod, which allows authenticated users to obtain any pod logs under the same namespace through this method, thereby obtaining sensitive information printed in the logs. As of time of publication, no known patched versions exist.
#ExploitObserverAlert
CVE-2023-51785
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-51785. Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9331
CVE-2023-51785
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-51785. Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9331
#ExploitObserverAlert
CVE-2023-50921
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-50921. An issue was discovered on GL.iNet devices through 4.5.0. Attackers can invoke the add_user interface in the system module to gain root privileges. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.
CVE-2023-50921
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-50921. An issue was discovered on GL.iNet devices through 4.5.0. Attackers can invoke the add_user interface in the system module to gain root privileges. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.
#ExploitObserverAlert
CVE-2023-5880
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-5880. When the Genie Company Aladdin Connect garage door opener (Retrofit-Kit Model ALDCM) is placed into configuration mode the web servers “Garage Door Control Module Setup” page is vulnerable to XSS via a broadcast SSID name containing malicious code with client side Java Script and/or HTML. This allows the attacker to inject malicious code with client side Java Script and/or HTML into the users' web browser.
CVE-2023-5880
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-5880. When the Genie Company Aladdin Connect garage door opener (Retrofit-Kit Model ALDCM) is placed into configuration mode the web servers “Garage Door Control Module Setup” page is vulnerable to XSS via a broadcast SSID name containing malicious code with client side Java Script and/or HTML. This allows the attacker to inject malicious code with client side Java Script and/or HTML into the users' web browser.
#ExploitObserverAlert
CVE-2023-46741
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-46741. CubeFS is an open-source cloud-native file storage system. A vulnerability was found in CubeFS prior to version 3.3.1 that could allow users to read sensitive data from the logs which could allow them escalate privileges. CubeFS leaks configuration keys in plaintext format in the logs. These keys could allow anyone to carry out operations on blobs that they otherwise do not have permissions for. For example, an attacker that has succesfully retrieved a secret key from the logs can delete blogs from the blob store. The attacker can either be an internal user with limited privileges to read the log, or they can be an external user who has escalated privileges sufficiently to access the logs. The vulnerability has been patched in v3.3.1. There is no other mitigation than upgrading.
CVE-2023-46741
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-46741. CubeFS is an open-source cloud-native file storage system. A vulnerability was found in CubeFS prior to version 3.3.1 that could allow users to read sensitive data from the logs which could allow them escalate privileges. CubeFS leaks configuration keys in plaintext format in the logs. These keys could allow anyone to carry out operations on blobs that they otherwise do not have permissions for. For example, an attacker that has succesfully retrieved a secret key from the logs can delete blogs from the blob store. The attacker can either be an internal user with limited privileges to read the log, or they can be an external user who has escalated privileges sufficiently to access the logs. The vulnerability has been patched in v3.3.1. There is no other mitigation than upgrading.
#ExploitObserverAlert
CVE-2023-46739
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-46739. CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading.
CVE-2023-46739
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-46739. CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading.
#ExploitObserverAlert
CVE-2023-46738
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-46738. CubeFS is an open-source cloud-native file storage system. A security vulnerability was found in CubeFS HandlerNode in versions prior to 3.3.1 that could allow authenticated users to send maliciously-crafted requests that would crash the ObjectNode and deny other users from using it. The root cause was improper handling of incoming HTTP requests that could allow an attacker to control the ammount of memory that the ObjectNode would allocate. A malicious request could make the ObjectNode allocate more memory that the machine had available, and the attacker could exhaust memory by way of a single malicious request. An attacker would need to be authenticated in order to invoke the vulnerable code with their malicious request and have permissions to delete objects. In addition, the attacker would need to know the names of existing buckets of the CubeFS deployment - otherwise the request would be rejected before it reached the vulnerable code. As such, the most likely attacker is an inside user or an attacker that has breached the account of an existing user in the cluster. The issue has been patched in v3.3.1. There is no other mitigation besides upgrading.
CVE-2023-46738
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-46738. CubeFS is an open-source cloud-native file storage system. A security vulnerability was found in CubeFS HandlerNode in versions prior to 3.3.1 that could allow authenticated users to send maliciously-crafted requests that would crash the ObjectNode and deny other users from using it. The root cause was improper handling of incoming HTTP requests that could allow an attacker to control the ammount of memory that the ObjectNode would allocate. A malicious request could make the ObjectNode allocate more memory that the machine had available, and the attacker could exhaust memory by way of a single malicious request. An attacker would need to be authenticated in order to invoke the vulnerable code with their malicious request and have permissions to delete objects. In addition, the attacker would need to know the names of existing buckets of the CubeFS deployment - otherwise the request would be rejected before it reached the vulnerable code. As such, the most likely attacker is an inside user or an attacker that has breached the account of an existing user in the cluster. The issue has been patched in v3.3.1. There is no other mitigation besides upgrading.
#ExploitObserverAlert
CVE-2023-49442
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-49442. Deserialization of Untrusted Data in jeecgFormDemoController in JEECG 4.0 and earlier allows attackers to run arbitrary code via crafted POST request.
CVE-2023-49442
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-49442. Deserialization of Untrusted Data in jeecgFormDemoController in JEECG 4.0 and earlier allows attackers to run arbitrary code via crafted POST request.
#ExploitObserverAlert
CVE-2023-6621
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-6621. The POST SMTP WordPress plugin before 2.8.7 does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2023-6621
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-6621. The POST SMTP WordPress plugin before 2.8.7 does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
#ExploitObserverAlert
CVE-2023-52303
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-52303. Nullptr in paddle.put_along_axis in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-52303
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-52303. Nullptr in paddle.put_along_axis in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
#ExploitObserverAlert
CVE-2023-38674
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-38674. FPE in paddle.nanmedian in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-38674
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-38674. FPE in paddle.nanmedian in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
#ExploitObserverAlert
CVE-2023-6540
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-6540. A vulnerability was reported in the Lenovo Browser Mobile and Lenovo Browser HD Apps for Android that could allow an attacker to craft a payload that could result in the disclosure of sensitive information.
CVE-2023-6540
DESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-6540. A vulnerability was reported in the Lenovo Browser Mobile and Lenovo Browser HD Apps for Android that could allow an attacker to craft a payload that could result in the disclosure of sensitive information.
#ExploitObserverAlert
CVE-2023-50093
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-50093. APIIDA API Gateway Manager for Broadcom Layer7 v2023.2.2 is vulnerable to Host Header Injection.
CVE-2023-50093
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-50093. APIIDA API Gateway Manager for Broadcom Layer7 v2023.2.2 is vulnerable to Host Header Injection.
#ExploitObserverAlert
CVE-2023-5138
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-5138. Glitch detection is not enabled by default for the CortexM33 core in Silicon Labs secure vault high parts EFx32xG2xB, except EFR32xG21B.
CVE-2023-5138
DESCRIPTION: Exploit Observer has 2 entries related to CVE-2023-5138. Glitch detection is not enabled by default for the CortexM33 core in Silicon Labs secure vault high parts EFx32xG2xB, except EFR32xG21B.