CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 1CVE-2023-24805 – Command injection in cups-filters
https://notcve.org/view.php?id=CVE-2023-24805
cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macos. If you use the Backend Error Handler (beh) to create an accessible network printer, this security vulnerability can cause remote code execution. `beh.c` contains the line `retval = system(cmdline) >> 8;` which calls the `system` command with the operand `cmdline`. `cmdline` contains multiple user controlled, unsanitized values. As a result an attacker with network access to the hosted print server can exploit this vulnerability to inject system commands which are executed in the context of the running server. • https://github.com/OpenPrinting/cups-filters/commit/8f274035756c04efeb77eb654e9d4c4447287d65 https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-gpxc-v2m8-fr3x https://lists.debian.org/debian-lts-announce/2023/05/msg00021.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KL2SJMZQ5T5JIH3PMQ2CGCY5TUUE255Y https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNCGL2ZTAS2GFF23QFT55UFWIDMI4ZJK https://security.gentoo.org/glsa/202401-06 https:/ • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-32305 – aiven-extras PostgreSQL Privilege Escalation Through Overloaded Search Path
https://notcve.org/view.php?id=CVE-2023-32305
And could lead to arbitrary code execution or data access on the underlying host as the `postgres` user. • https://github.com/aiven/aiven-extras/commit/8682ae01bec0791708bf25791786d776e2fb0250 https://github.com/aiven/aiven-extras/security/advisories/GHSA-7r4w-fw4h-67gp https://security.netapp.com/advisory/ntap-20230616-0006 • CWE-20: Improper Input Validation CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-30130
https://notcve.org/view.php?id=CVE-2023-30130
An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter. • https://craftcms.com https://tf1t.gitbook.io/mycve/craftcms/server-site-template-injection-on-craftcms-3.8.1 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4EPSS: 0%CPEs: 20EXPL: 0CVE-2023-31165 – Improper Neutralization of Input During Web Page Generation
https://notcve.org/view.php?id=CVE-2023-31165
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details. • https://selinc.com/support/security-notifications/external-reports https://www.nozominetworks.com/blog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 20EXPL: 0CVE-2023-31164 – Improper Neutralization of Input During Web Page Generation
https://notcve.org/view.php?id=CVE-2023-31164
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details. • https://selinc.com/support/security-notifications/external-reports https://www.nozominetworks.com/blog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •