CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0279 – Media Library Assistant < 3.06 - Admin+ SQLi
https://notcve.org/view.php?id=CVE-2023-0279
The Media Library Assistant WordPress plugin before 3.06 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. The Media Library Assistant for WordPress is vulnerable to SQL Injection via the ‘post_types’ parameter in versions up to, and including, 3.05 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for administrator-level attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://bulletin.iese.de/post/media-library-assistant_3-05_1 https://wpscan.com/vulnerability/42db1ba5-1b14-41bd-a2b3-7243a84c9d3d • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31541
https://notcve.org/view.php?id=CVE-2022-31541
The lyubolp/Barry-Voice-Assistant repository through 2021-01-18 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. El repositorio lyubolp/Barry-Voice-Assistant versiones hasta 18-01-2021 en GitHub, permite un salto de ruta absoluto porque la función send_file de Flask es usada de forma no segura • https://github.com/github/securitylab/issues/669#issuecomment-1117265726 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 11CVE-2020-36517
https://notcve.org/view.php?id=CVE-2020-36517
An information leak in Nabu Casa Home Assistant Operating System and Home Assistant Supervised 2022.03 allows a DNS operator to gain knowledge about internal network resources via the hardcoded DNS resolver configuration. Una filtrado de información en Nabu Casa Home Assistant Operating System and Home Assistant Supervised versión 2022.03, permite que un operador de DNS obtenga conocimientos sobre los recursos de la red interna por medio de la configuración del DNS embebida • https://community.home-assistant.io/t/ha-os-dns-setting-configuration-not-respected/356572 https://github.com/home-assistant/plugin-dns/issues/17 https://github.com/home-assistant/plugin-dns/issues/20 https://github.com/home-assistant/plugin-dns/issues/22 https://github.com/home-assistant/plugin-dns/issues/50 https://github.com/home-assistant/plugin-dns/issues/51 https://github.com/home-assistant/plugin-dns/issues/53 https://github.com/home-assistant/plugin-dns/issues/54 https • CWE-203: Observable Discrepancy •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3152
https://notcve.org/view.php?id=CVE-2021-3152
Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks against custom integrations. NOTE: the vendor's perspective is that the vulnerability itself is in custom integrations written by third parties, not in Home Assistant; however, Home Assistant does have a security update that is worthwhile in addressing this situation ** EN DISPUTADA ** Home Assistant versiones anteriores a 2021.1.3, no presenta una capa de protección que pueda ayudar a impedir ataques de saltos de directorio contra integraciones personalizadas. NOTA: la perspectiva del proveedor es que la vulnerabilidad en sí está en integraciones personalizadas escritas por terceros, no en Home Assistant; sin embargo, Home Assistant presenta una actualización de seguridad que vale la pena para abordar esta situación • https://www.home-assistant.io/blog/2021/01/14/security-bulletin https://www.home-assistant.io/blog/2021/01/22/security-disclosure • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-21019
https://notcve.org/view.php?id=CVE-2018-21019
Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to read the application's error log via components/api.py. Home Assistant versiones anteriores a 0.67.0, era vulnerable a una divulgación de información que permitía a un atacante no autenticado leer el registro de errores de la aplicación por medio del archivo components/api.py. • https://github.com/home-assistant/home-assistant/pull/13836 https://github.com/home-assistant/home-assistant/releases/tag/0.67.0 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •