» 2023 » 4월

CVE-2023-2281

Posted on 2023년 4월 25일2023년 4월 26일 by admin

CVE-2023-2281

When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team.

Source: CVE-2023-2281

CVE-2023-29779

Posted on 2023년 4월 25일2023년 4월 26일 by admin

CVE-2023-29779

Sengled Dimmer Switch V0.0.9 contains a denial of service (DOS) vulnerability, which allows a remote attacker to send malicious Zigbee messages to a vulnerable device and cause crashes. After receiving the malicious command, the device will keep reporting its status and finally drain its battery after receiving the ‘Set_short_poll_interval’ command.

Source: CVE-2023-29779

CVE-2023-26843

Posted on 2023년 4월 25일2023년 4월 25일 by admin

CVE-2023-26843

A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php.

Source: CVE-2023-26843

CVE-2023-30417

Posted on 2023년 4월 25일2023년 4월 25일 by admin

CVE-2023-30417

A cross-site scripting (XSS) vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message.

Source: CVE-2023-30417

CVE-2023-26841

Posted on 2023년 4월 25일2023년 4월 25일 by admin

CVE-2023-26841

A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to change any user’s password except for the user that is currently logged in.

Source: CVE-2023-26841

CVE-2023-26839

Posted on 2023년 4월 25일2023년 4월 25일 by admin

CVE-2023-26839

A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to edit information for existing people on the site.

Source: CVE-2023-26839

CVE-2023-25346

Posted on 2023년 4월 25일2023년 4월 25일 by admin

CVE-2023-25346

A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found.

Source: CVE-2023-25346

CVE-2023-26840

Posted on 2023년 4월 25일2023년 4월 25일 by admin

CVE-2023-26840

A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to set a person to a user and set that user to be an Administrator.

Source: CVE-2023-26840

CVE-2023-26058

Posted on 2023년 4월 25일2023년 4월 25일 by admin

CVE-2023-26058

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

Source: CVE-2023-26058

CVE-2023-26057

Posted on 2023년 4월 25일2023년 4월 25일 by admin

CVE-2023-26057

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

Source: CVE-2023-26057