CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34364
https://notcve.org/view.php?id=CVE-2023-34364
A buffer overflow was discovered in Progress DataDirect Connect for ODBC before 08.02.2770 for Oracle. An overly large value for certain options of a connection string may overrun the buffer allocated to process the string value. This allows an attacker to execute code of their choice on an affected host by copying carefully selected data that will be executed as code. • https://community.progress.com/s/article/Security-vulnerabilities-in-DataDirect-ODBC-Oracle-Wire-Protocol-driver-June-2023 https://progress.com • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 96%CPEs: 8EXPL: 9CVE-2023-34362 – Progress MOVEit Transfer SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2023-34362
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions. Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. • https://github.com/horizon3ai/CVE-2023-34362 https://github.com/Malwareman007/CVE-2023-34362 https://github.com/sfewer-r7/CVE-2023-34362 https://github.com/kenbuckler/MOVEit-CVE-2023-34362 https://github.com/toorandom/moveit-payload-decrypt-CVE-2023-34362 https://github.com/aditibv/MOVEit-CVE-2023-34362 https://github.com/Chinyemba-ck/MOVEit-CVE-2023-34362 https://github.com/glen-pearson/MoveIT-CVE-2023-34362-RCE http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection& • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23699 – WordPress Progress Bar Plugin <= 2.2.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-23699
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Chris Reynolds Progress Bar plugin <= 2.2.1 versions. The Progress Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppb' shortcode in versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on the user-supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/progress-bar/wordpress-progress-bar-plugin-2-1-6-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-26100
https://notcve.org/view.php?id=CVE-2023-26100
In Progress Flowmon before 12.2.0, an application endpoint failed to sanitize user-supplied input. A threat actor could leverage a reflected XSS vulnerability to execute arbitrary code within the context of a Flowmon user's web browser. • https://support.kemptechnologies.com/hc/en-us/articles/12736934205837 https://www.flowmon.com/en • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-26101
https://notcve.org/view.php?id=CVE-2023-26101
In Progress Flowmon Packet Investigator before 12.1.0, a Flowmon user with access to Flowmon Packet Investigator could leverage a path-traversal vulnerability to retrieve files on the Flowmon appliance's local filesystem. • https://support.kemptechnologies.com/hc/en-us/articles/12737582619789 https://www.flowmon.com/en • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •