CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-43791 – Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens
https://notcve.org/view.php?id=CVE-2023-43791
An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. • https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b https://github.com/HumanSignal/label-studio/pull/4690 https://github.com/HumanSignal/label-studio/releases/tag/1.8.2 https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47683 – WordPress Social Login, Social Sharing by miniOrange plugin <= 7.6.6 - Authenticated Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2023-47683
This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator. • https://patchstack.com/database/vulnerability/miniorange-login-openid/wordpress-social-login-social-sharing-by-miniorange-plugin-7-6-6-authenticated-privilege-escalation-vulnerability?_s_id=cve • CWE-269: Improper Privilege Management •
CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 0CVE-2023-3282 – Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in Cortex XSOAR Engine
https://notcve.org/view.php?id=CVE-2023-3282
A local privilege escalation (PE) vulnerability in the Palo Alto Networks Cortex XSOAR engine software running on a Linux operating system enables a local attacker to execute programs with elevated privileges if the attacker has shell access to the engine. • https://security.paloaltonetworks.com/CVE-2023-3282 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5760 – Time-of-check to time-of-use (TOCTOU) bug leads to full local privilege escalation.
https://notcve.org/view.php?id=CVE-2023-5760
This TOCTOU bug leads to an out-of-bounds write vulnerability which can be further exploited, allowing an attacker to gain full local privilege escalation on the system.This issue affects Avast/Avg Antivirus: 23.8. • https://support.norton.com/sp/static/external/tools/security-advisories.html • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-33480
https://notcve.org/view.php?id=CVE-2023-33480
RemoteClinic 2.0 contains a critical vulnerability chain that can be exploited by a remote attacker with low-privileged user credentials to create admin users, escalate privileges, and execute arbitrary code on the target system via a PHP shell. ... By sending a series of specially crafted requests to the RemoteClinic application, an attacker can create admin users with more privileges than their own, upload a PHP file containing arbitrary code, and execute arbitrary commands via the PHP shell. • https://github.com/remoteclinic/RemoteClinic/issues/24 • CWE-434: Unrestricted Upload of File with Dangerous Type •