CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33363
https://notcve.org/view.php?id=CVE-2023-33363
An authentication bypass vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows unauthenticated users to access some functionality on BioStar 2 servers. • https://claroty.com/team82/disclosure-dashboard/cve-2023-33363 https://kb.supremainc.com/knowledge/doku.php?id=en:release_note_291 • CWE-287: Improper Authentication •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33364
https://notcve.org/view.php?id=CVE-2023-33364
An OS Command injection vulnerability exists in Suprema BioStar 2 before V2.9.1, which allows authenticated users to execute arbitrary OS commands on the BioStar 2 server. • https://claroty.com/team82/disclosure-dashboard/cve-2023-33364 https://kb.supremainc.com/knowledge/doku.php?id=en:release_note_291 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33366
https://notcve.org/view.php?id=CVE-2023-33366
A SQL injection vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows authenticated users to inject arbitrary SQL directives into an SQL statement and execute arbitrary SQL commands. • https://claroty.com/team82/disclosure-dashboard/cve-2023-33366 https://kb.supremainc.com/knowledge/doku.php?id=en:release_note_291 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33365
https://notcve.org/view.php?id=CVE-2023-33365
A path traversal vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows unauthenticated attackers to fetch arbitrary files from the server's web server. • https://claroty.com/team82/disclosure-dashboard/cve-2023-33365 https://kb.supremainc.com/knowledge/doku.php?id=en:release_note_291 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-31923
https://notcve.org/view.php?id=CVE-2023-31923
Suprema BioStar 2 before 2022 Q4, v2.9.1 has Insecure Permissions. A vulnerability in the web application allows an authenticated attacker with "User Operator" privileges to create a highly privileged user account. The vulnerability is caused by missing server-side validation, which can be exploited to gain full administrator privileges on the system. • https://nobugescapes.com/blog/creating-a-new-user-with-admin-privilege • CWE-281: Improper Preservation of Permissions •