CVSS: 3.3EPSS: 0%CPEs: 2EXPL: 1CVE-2023-28351
https://notcve.org/view.php?id=CVE-2023-28351
30 May 2023 — An issue was discovered in Faronics Insight 10.0.19045 on Windows. Every keystroke made by any user on a computer with the Student application installed is logged to a world-readable directory. A local attacker can trivially extract these cleartext keystrokes, potentially enabling them to obtain PII and/or to compromise personal accounts owned by the victim. • https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnerabilities-in-faronics-insight • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 1CVE-2023-28348
https://notcve.org/view.php?id=CVE-2023-28348
30 May 2023 — An issue was discovered in Faronics Insight 10.0.19045 on Windows. A suitably positioned attacker could perform a man-in-the-middle attack on either a connected student or teacher, enabling them to intercept student keystrokes or modify executable files being sent from teachers to students. • https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnerabilities-in-faronics-insight • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 1CVE-2023-28346
https://notcve.org/view.php?id=CVE-2023-28346
30 May 2023 — An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for a remote attacker to communicate with the private API endpoints exposed at /login, /consoleSettings, /console, etc. despite Virtual Host Routing being used to block this access. Remote attackers can interact with private pages on the web server, enabling them to perform privileged actions such as logging into the console and changing console settings if they have valid credentials. • https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnerabilities-in-faronics-insight • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 1CVE-2023-28345
https://notcve.org/view.php?id=CVE-2023-28345
30 May 2023 — An issue was discovered in Faronics Insight 10.0.19045 on Windows. The Insight Teacher Console application exposes the teacher's Console password in cleartext via an API endpoint accessible from localhost. Attackers with physical access to the Teacher Console can open a web browser, navigate to the affected endpoint and obtain the teacher's password. This enables them to log into the Teacher Console and begin trivially attacking student machines. • https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnerabilities-in-faronics-insight • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-28347
https://notcve.org/view.php?id=CVE-2023-28347
30 May 2023 — An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for an attacker to create a proof-of-concept script that functions similarly to a Student Console, providing unauthenticated attackers with the ability to exploit XSS vulnerabilities within the Teacher Console application and achieve remote code execution as NT AUTHORITY/SYSTEM on all connected Student Consoles and the Teacher Console in a Zero Click manner. • https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnerabilities-in-faronics-insight • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-2984 – Path Traversal: '\..\filename' in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-2984
30 May 2023 — Path Traversal: '\..\filename' in GitHub repository pimcore/pimcore prior to 10.5.22. • https://github.com/pimcore/pimcore/commit/e8dbc4da58ae86618bceb67ed35ce23e5e54d2ed • CWE-29: Path Traversal: '\..\filename' •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 1CVE-2023-28352
https://notcve.org/view.php?id=CVE-2023-28352
30 May 2023 — An issue was discovered in Faronics Insight 10.0.19045 on Windows. By abusing the Insight UDP broadcast discovery system, an attacker-controlled artificial Student Console can connect to and attack a Teacher Console even after Enhanced Security Mode has been enabled. • https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnerabilities-in-faronics-insight • CWE-863: Incorrect Authorization •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 1CVE-2023-28344
https://notcve.org/view.php?id=CVE-2023-28344
30 May 2023 — An issue was discovered in Faronics Insight 10.0.19045 on Windows. The Insight Teacher Console application allows unauthenticated attackers to view constantly updated screenshots of student desktops and to submit falsified screenshots on behalf of students. Attackers are able to view screenshots of student desktops without their consent. These screenshots may potentially contain sensitive/personal data. Attackers can also rapidly submit falsified images, hiding the actual contents of student desktops from t... • https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnerabilities-in-faronics-insight • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-25738 – Gentoo Linux Security Advisory 202305-35
https://notcve.org/view.php?id=CVE-2023-25738
30 May 2023 — Members of the DEVMODEW struct set by the printer device driver weren't being validated and could have resulted in invalid values which in turn would cause the browser to attempt out of bounds access to related variables.
*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in ... • https://bugzilla.mozilla.org/show_bug.cgi?id=1811852 • CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2023-32163 – Wacom Drivers for Windows Link Following Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-32163
26 May 2023 — Wacom Drivers for Windows Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Wacom Drivers for Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Tablet Service. By creating a symbolic link, an attacker can abuse the service to create a file. • https://github.com/LucaBarile/ZDI-CAN-16857 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •