Security Vulnerabilities - Released 21 October 2023
- Daily New Vulnerabilities List
Tongda OA 2017
CVE-2023-5682: SQL Injection in Tongda OA 2017
Type: SQL Injection
Details: This vulnerability affects the file general/hr/training/record/delete.php. The manipulation of the argument RECORD_ID leads to SQL injection. Upgrading to version 11.10 is recommended to address this issue.
Netentsec NS-ASG Application Security Gateway 6.3
CVE-2023-5681: SQL Injection in Netentsec NS-ASG
Type: SQL Injection
Details: This vulnerability affects the file /admin/list_addr_fwresource_ip.php and allows for remote attacks.
Sitolog sitologapplicationconnect v7.8.a
CVE-2023-37824: SQL Injection in Sitolog
Type: SQL Injection
Details: This vulnerability is present in the component /activate_hook.php.
CMSmadesimple v.2.2.18
CVE-2023-43353: Cross Site Scripting in CMSmadesimple
Type: Cross Site Scripting (XSS)
Details: Allows a local attacker to execute arbitrary code via a crafted script supplied to the extra parameter in the news menu component.
CVE-2023-43354: Cross Site Scripting in CMSmadesimple
Type: Cross Site Scripting (XSS)
Details: Allows a local attacker to execute arbitrary code via a crafted script supplied to the Profiles parameter in the Extensions - MicroTiny WYSIWYG editor component.
CVE-2023-43357: Cross Site Scripting in CMSmadesimple
Type: Cross Site Scripting (XSS)
Details: Allows a local attacker to execute arbitrary code via a crafted script supplied to the Title parameter in the Manage Shortcuts component.
CVE-2023-43356: Cross Site Scripting in CMSmadesimple
Type: Cross Site Scripting (XSS)
Details: Allows a local attacker to execute arbitrary code via a crafted script supplied to the Global Metadata parameter in the Global Settings Menu component.
CVE-2023-43346: Cross Site Scripting in CMSmadesimple
Type: Cross Site Scripting (XSS)
Details: Allows a local attacker to execute arbitrary code via a crafted script supplied to the Backend - Dashboard parameter in the Languages Menu component.
CVE-2023-43355: Cross Site Scripting in CMSmadesimple
Type: Cross Site Scripting (XSS)
Details: Allows a local attacker to execute arbitrary code via crafted scripts in the My Preferences - Add user component.
Langchain through 0.0.155
CVE-2023-32785: Prompt Injection in Langchain
Type: Prompt Injection
Details: Allows execution of arbitrary code against the SQL service provided by the chain.
CVE-2023-32786: Prompt Injection in Langchain
Type: Prompt Injection
Details: Allows an attacker to force the service to retrieve data from an arbitrary URL, providing SSRF and potentially injecting content into downstream tasks.
SuperWebMailer 9.00.0.01710
CVE-2023-38191: XSS in SuperWebMailer
Type: Cross Site Scripting (XSS)
Details: Allows XSS via a crafted filename.
Add Custom Body Class plugin for WordPress
CVE-2023-5205: Stored Cross-Site Scripting in WordPress Plugin
Type: Stored Cross-Site Scripting
Details: Vulnerable to Stored Cross-Site Scripting in versions up to 1.4.1.
Beijing Baichuo Smart S85F Management Platform
CVE-2023-5684: OS Command Injection in Beijing Baichuo
Type: OS Command Injection
Details: Affects the file /importexport.php and allows for remote attacks.
CVE-2023-5683: OS Command Injection in Beijing Baichuo
Type: OS Command Injection
Details: Affects the file /sysmanage/importconf.php and allows remote attacks.
EventON plugin for WordPress
CVE-2023-4635: Reflected Cross-Site Scripting in EventON Plugin
Type: Reflected Cross-Site Scripting
Details: Allows unauthenticated attackers to inject arbitrary web scripts in pages.
SALESmanago plugin for WordPress
CVE-2023-4939: Log Injection in SALESmanago Plugin
Type: Log Injection
Details: Vulnerable to Log Injection in versions up to 3.2.4.
ThingNario Photon v.1.0
CVE-2023-46055: Arbitrary Code Execution in ThingNario Photon
Type: Arbitrary Code Execution
Details: Allows a remote attacker to execute arbitrary code and escalate privileges via a crafted script.
WBCE CMS
CVE-2023-46054: Cross Site Scripting in WBCE CMS
Type: Cross Site Scripting (XSS)
Details: Allows a remote attacker to escalate privileges via a crafted script in the website_footer parameter.