
CVSS: 7.8 | EPSS: 8% | CPEs: 3 | EXPL: 0

17 Oct 2023 — Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 9.2.3, which fixes the issue. • https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q • CWE-20: Improper Input Validation •

CVSS: 7.8 | EPSS: 1% | CPEs: 4 | EXPL: 0

17 Oct 2023 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 8.1.9 or 9.2.3, which fix the issue. • https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.0 | EPSS: 1% | CPEs: 4 | EXPL: 0

12 Oct 2023 — Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared `Authorization` headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` is a forbidden request header in browser environments, so it cannot be set through RequestInit.headers there. Since undici handles headers more liberally than the spec, there was a disconnect between the assumptions the spec made and undici's implementation of fetch. As such this may lead to a... • https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.3 | EPSS: 1% | CPEs: 25 | EXPL: 1

12 Oct 2023 — Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26... • https://lists.debian.org/debian-lts-announce/2023/11/msg00014.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

11 Oct 2023 — Inappropriate implementation in DevTools in Google Chrome prior to 118.0.5993.70 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. (Chromium security severity: Medium) • https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_10.html •

CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

11 Oct 2023 — Inappropriate implementation in Navigation in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Medium) Multiple vulnerabilities have been discovered in Chromium and its deriv... • https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_10.html •

CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

11 Oct 2023 — Inappropriate implementation in Fullscreen in Google Chrome prior to 118.0.5993.70 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium) • https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_10.html •

CVSS: 10.0 | EPSS: 1% | CPEs: 5 | EXPL: 0

11 Oct 2023 — Use after free in Site Isolation in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) Multiple vulnerabilities have been discovered in Chromium and its deri... • https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_10.html • CWE-416: Use After Free •

CVSS: 7.8 | EPSS: 36% | CPEs: 8 | EXPL: 0

11 Oct 2023 — A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). N... • https://go.dev/cl/534215 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 1

11 Oct 2023 — Use After Free in GitHub repository vim/vim prior to v9.0.2010. • https://github.com/vim/vim/commit/41e6f7d6ba67b61d911f9b1d76325cd79224753d • CWE-416: Use After Free •