CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2023-1383
https://notcve.org/view.php?id=CVE-2023-1383
An Improper Enforcement of Behavioral Workflow vulnerability in the exchangeDeviceServices function on the amzn.dmgr service allowed an attacker to register services that are only locally accessible. This issue affects: Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. Insignia TV with FireOS versions prior to 7.6.3.3. • https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series • CWE-841: Improper Enforcement of Behavioral Workflow •
CVSS: 5.5EPSS: 0%CPEs: 24EXPL: 0CVE-2023-30610 – AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending
https://notcve.org/view.php?id=CVE-2023-30610
aws-sigv4 is a rust library for low level request signing in the aws cloud platform. The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, `SigningParams` is printed, thereby revealing those credentials to anyone with access to logs. All users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g. • https://github.com/awslabs/aws-sdk-rust/security/advisories/GHSA-mjv9-vp6w-3rc9 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 1CVE-2023-24513 – On affected platforms running Arista CloudEOS a size check bypass issue in the Software Forwarding Engine (Sfe) may allow buffer over reads in later code. Additionally, depending on configured options this may cause a recomputation of the TCP checksum ...
https://notcve.org/view.php?id=CVE-2023-24513
On affected platforms running Arista CloudEOS an issue in the Software Forwarding Engine (Sfe) can lead to a potential denial of service attack by sending malformed packets to the switch. This causes a leak of packet buffers and if enough malformed packets are received, the switch may eventually stop forwarding traffic. • https://www.arista.com/en/support/advisories-notices/security-advisory/17240-security-advisory-0085 • CWE-125: Out-of-bounds Read CWE-126: Buffer Over-read •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0423 – WordPress Amazon S3 Plugin < 1.6 - Reflected XSS
https://notcve.org/view.php?id=CVE-2023-0423
The WordPress Amazon S3 Plugin WordPress plugin before 1.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin The "WordPress Amazon S3 Plugin" plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/73d588d7-26ae-42e2-8282-aa02bcb109b6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-25806 – Time discrepancy in authentication responses in OpenSearch
https://notcve.org/view.php?id=CVE-2023-25806
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds. • https://github.com/opensearch-project/security/security/advisories/GHSA-c6wg-cm5x-rqvj • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •