Security Vulnerabilities - CVEs Published In January 2024
There is a possible information disclosure due to a missing permission check. This could lead to local information disclosure of health data with no additional execution privileges needed.
CVSS Score
8.4
EPSS Score
0.0
Published
2024-01-02
SQL Injection vulnerability discovered in Gila CMS 1.15.4 and earlier allows a remote attacker to execute arbitrary web scripts via the Area parameter under the Administration>Widget tab after the login portal.
CVSS Score
3.8
EPSS Score
0.003
Published
2024-01-02
A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts via the ID parameter after the login portal.
CVSS Score
3.8
EPSS Score
0.003
Published
2024-01-02
A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts via the 'user_id' parameter after the login portal.
CVSS Score
3.8
EPSS Score
0.002
Published
2024-01-02
A vulnerability, which was classified as critical, was found in spider-flow 0.4.3. Affected is the function FunctionService.saveFunction of the file src/main/java/org/spiderflow/controller/FunctionController.java. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249510 is the identifier assigned to this vulnerability.
CVSS Score
6.3
EPSS Score
0.92
Published
2024-01-02
OTCLient is an alternative tibia client for otserv. Prior to commit db560de0b56476c87a2f967466407939196dd254, the /mehah/otclient "`Analysis - SonarCloud`" workflow is vulnerable to an expression injection in Actions, allowing an attacker to run commands remotely on the runner, leak secrets, and alter the repository using this workflow. Commit db560de0b56476c87a2f967466407939196dd254 contains a fix for this issue.
CVSS Score
9.8
EPSS Score
0.018
Published
2024-01-02
PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`.
CVSS Score
8.1
EPSS Score
0.009
Published
2024-01-02
An issue in A-WORLD OIRASE BEER_waiting Line v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.
CVSS Score
5.3
EPSS Score
0.002
Published
2024-01-02
An issue discovered in the Order and Invoice pages in Floorsight Insights Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information.
CVSS Score
7.5
EPSS Score
0.01
Published
2024-01-02
An indirect Object Reference (IDOR) in the Order and Invoice pages in Floorsight Customer Portal Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information.
CVSS Score
7.5
EPSS Score
0.01
Published
2024-01-02