CVSS: 10.0EPSS: 0%CPEs: 6EXPL: 1CVE-2023-6395 – Mock: privilege escalation for users that can access mock configuration
https://notcve.org/view.php?id=CVE-2023-6395
16 Jan 2024 — The Mock software contains a vulnerability wherein an attacker could potentially exploit privilege escalation, enabling the execution of arbitrary code with root user privileges. This weakness stems from the absence of proper sandboxing during the expansion and execution of Jinja2 templates, which may be included in certain configuration parameters. While the Mock documentation advises treating users added to the mock group as privileged, certain build systems invoking mock on behalf of users might inadvert... • http://www.openwall.com/lists/oss-security/2024/01/16/1 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 3%CPEs: 7EXPL: 1CVE-2023-51766 – Debian Security Advisory 5597-1
https://notcve.org/view.php?id=CVE-2023-51766
24 Dec 2023 — Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not. Exim hasta 4.97 permite el contrabando SMTP en ciertas configuraciones. • http://www.openwall.com/lists/oss-security/2023/12/24/1 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 6.2EPSS: 0%CPEs: 5EXPL: 0CVE-2023-5341 – Imagemagick: heap use-after-free in coders/bmp.c
https://notcve.org/view.php?id=CVE-2023-5341
19 Nov 2023 — A heap use-after-free flaw was found in coders/bmp.c in ImageMagick. Se encontró una falla de heap-use-after-free en coders/bmp.c en ImageMagick. handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed image files are processed. • https://access.redhat.com/security/cve/CVE-2023-5341 • CWE-416: Use After Free •
CVSS: 3.3EPSS: 0%CPEs: 5EXPL: 0CVE-2023-5543 – Moodle: duplicating a bigbluebutton activity assigns the same meeting id
https://notcve.org/view.php?id=CVE-2023-5543
09 Nov 2023 — When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting. Al duplicar una actividad de BigBlueButton, el ID de la reunión original también se duplicó en lugar de utilizar un nuevo ID para la nueva actividad. Esto podría proporcionar un acceso no deseado a la reunión original. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77795 • CWE-284: Improper Access Control •
CVSS: 3.3EPSS: 0%CPEs: 7EXPL: 0CVE-2023-5551 – Moodle: forum summary report shows students from other groups when in separate groups mode
https://notcve.org/view.php?id=CVE-2023-5551
09 Nov 2023 — Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups. Las restricciones del modo de grupos separados no se respetaron en el informe de resumen del foro, que mostraría usuarios de otros grupos. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79310 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 1%CPEs: 7EXPL: 0CVE-2023-5550 – Moodle: rce due to lfi risk in some misconfigured shared hosting environments
https://notcve.org/view.php?id=CVE-2023-5550
09 Nov 2023 — In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. En un entorno de alojamiento compartido que ha sido mal configurado para permitir el acceso al contenido de otros usuarios, un usuario de Moodle que también tiene acceso directo al servidor web fuera del root web de Moodle podría utilizar un archivo loc... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72249 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2023-5549 – Moodle: insufficient capability checks when updating the parent of a course category
https://notcve.org/view.php?id=CVE-2023-5549
09 Nov 2023 — Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage. Las comprobaciones insuficientes de la capacidad del servicio web hicieron posible mover categorías que un usuario tenía permiso para administrar a una categoría principal que no tenía la capacidad de administrar. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66730 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2023-5548 – Moodle: cache poisoning risk with endpoint revision numbers
https://notcve.org/view.php?id=CVE-2023-5548
09 Nov 2023 — Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection. Se requirieron limitaciones más estrictas en el número de revisiones en los endpoints de servicio de archivos para mejorar la protección contra el envenenamiento de la caché. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77846 • CWE-345: Insufficient Verification of Data Authenticity CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2023-5545 – Moodle: auto-populated h5p author name causes a potential information leak
https://notcve.org/view.php?id=CVE-2023-5545
09 Nov 2023 — H5P metadata automatically populated the author with the user's username, which could be sensitive information. Los metadatos de H5P completaron automáticamente al autor con el nombre de usuario del usuario, que podría ser información confidencial. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5542 – Moodle: students can view other users in "only see own membership" groups
https://notcve.org/view.php?id=CVE-2023-5542
09 Nov 2023 — Students in "Only see own membership" groups could see other students in the group, which should be hidden. Los estudiantes en los grupos "Ver solo su propia membresía" podrían ver a otros estudiantes en el grupo, que deberían estar ocultos. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79213 • CWE-284: Improper Access Control CWE-668: Exposure of Resource to Wrong Sphere •