
CVE-2023-48699 – fastbots Eval Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-48699
21 Nov 2023 — fastbots is a library for fast bot and scraper development using Selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the `locators.ini` locator file to include Python code that is executed without proper validation, which could lead to RCE. The vulnerability is in the function `def __locator__(self, locator_name: str)` in `page.py`. In order to mitigate this issue, upgrade to fastbots version 0.1.5 or above. • https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •

CVE-2023-6248 – Data leakage and arbitrary remote code execution in Syrus cloud devices
https://notcve.org/view.php?id=CVE-2023-6248
21 Nov 2023 — The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service. The MQTT server also leaks the location, video and diagnostic data from each connected device. An attacker who knows the IP address of the server is able to connect and perform the following operations: * Get location data of the vehicle the device is connected to * Send CAN bus messages via the EC... • https://www.digitalcomtech.com/product/syrus-4g-iot-telematics-gateway • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-287: Improper Authentication CWE-319: Cleartext Transmission of Sensitive Information •

CVE-2023-48226 – OpenReplay HTML Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-48226
21 Nov 2023 — OpenReplay is a self-hosted session replay suite. In version 1.14.0, due to a lack of validation of the Name field in Account Settings (validation at registration appears to be correct), a bad actor can send emails containing injected HTML to victims. Bad actors can use this for phishing, for example. The email really is sent from OpenReplay, but bad actors can inject HTML code into it (content spoofing). Please note that during the registration steps FullName appears to be validated correctly - can not typ... • https://bugcrowd.com/vulnerability-rating-taxonomy • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-6235 – Arbitrary code execution in Duet Display
https://notcve.org/view.php?id=CVE-2023-6235
21 Nov 2023 — An uncontrolled search path element vulnerability has been found in the Duet Display product, affecting version 2.5.9.1. An attacker could place an arbitrary libusk.dll file in the C:\Users\user\AppData\Local\Microsoft\WindowsApps\ directory, which could lead to the execution and persistence of arbitrary code. • https://www.incibe.es/en/incibe-cert/notices/aviso/arbitrary-code-execution-duet-display • CWE-427: Uncontrolled Search Path Element •

CVE-2023-6045 – Arkruntime has a type confusion vulnerability
https://notcve.org/view.php?id=CVE-2023-6045
20 Nov 2023 — OpenHarmony v3.2.2 and prior versions allow a local attacker to execute arbitrary code in pre-installed apps through type confusion. • https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2023/2023-12.md • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •

CVE-2023-48192
https://notcve.org/view.php?id=CVE-2023-48192
20 Nov 2023 — An issue in TOTOlink A3700R v.9.1.2u.6134_B20201202 allows a local attacker to execute arbitrary code via the setTracerouteCfg function. • http://totolink.com • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-47869 – WordPress wpForo plugin <= 2.2.5 - Broken Access Control + CSRF vulnerability
https://notcve.org/view.php?id=CVE-2023-47869
20 Nov 2023 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Code Injection. This issue affects wpForo Forum: from n/a through 2.2.5. The wpForo Forum plugin for WordPress is vulnerable to unauthorized control of data due to a missing capability check on an unknown function in all versions up to, and including, 2.2.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action... • https://patchstack.com/database/wordpress/plugin/wpforo/vulnerability/wordpress-wpforo-plugin-2-2-3-broken-access-control-vulnerability?_s_id=cve • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CWE-862: Missing Authorization •

CVE-2023-40809
https://notcve.org/view.php?id=CVE-2023-40809
18 Nov 2023 — OpenCRX version 5.2.0 is vulnerable to HTML injection via the Activity Search Criteria-Activity Number. • https://www.esecforte.com/cve-2023-40809-html-injection-search • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-6188 – GetSimpleCMS theme-edit.php code injection
https://notcve.org/view.php?id=CVE-2023-6188
17 Nov 2023 — The manipulation leads to code injection. ... Manipulation with unknown data can be used to exploit a code injection vulnerability. • https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1352 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-44351 – Adobe ColdFusion RCE Security Vulnerability
https://notcve.org/view.php?id=CVE-2023-44351
17 Nov 2023 — Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. • https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html • CWE-502: Deserialization of Untrusted Data •