{"vulnerability": "CVE-2023-3267", "sightings": [{"uuid": "87c4faf9-d32c-444c-a8ba-c9d350745c87", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-32671", "type": "seen", "source": "https://t.me/cibsecurity/71504", "content": "\u203c CVE-2023-32671 \u203c\n\nA stored XSS vulnerability has been found on BuddyBoss Platform affecting version 2.2.9. This vulnerability allows an attacker to store a malicious javascript payload via POST request when sending an invitation.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-10-03T18:23:47.000000Z"}, {"uuid": "4b1b99ed-3f0c-4856-b17d-b5cf9fc459b5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-3267", "type": "seen", "source": "https://t.me/KomunitiSiber/643", "content": "Multiple Flaws in CyberPower and Dataprobe Products Put Data Centers at Risk\nhttps://thehackernews.com/2023/08/multiple-flaws-in-cyberpower-and.html\n\nMultiple security vulnerabilities impacting CyberPower's PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe's iBoot Power Distribution Unit (PDU) could be potentially exploited to gain unauthenticated access to these systems and inflict catastrophic damage in target environments.\nThe nine vulnerabilities, from CVE-2023-3259 through CVE-2023-3267, carry", "creation_timestamp": "2023-08-13T00:44:59.000000Z"}, {"uuid": "604bfbf4-722b-495b-98f2-ffb09526ca98", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-3267", "type": "seen", "source": "Telegram/VpXAGUF4cO1Mu_YFhAZ5lmwu7ffPJ7a-da7Q0woxSdA5mg", "content": "", "creation_timestamp": "2023-08-13T00:35:05.000000Z"}, {"uuid": "3e4e306b-920c-4416-8f1b-4450ede33b56", 
"vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-32678", "type": "seen", "source": "https://t.me/cibsecurity/69211", "content": "\u203c CVE-2023-32678 \u203c\n\nZulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Users who used to be subscribed to a private stream and have been removed from it since retain the ability to edit messages/topics, move messages to other streams, and delete messages that they used to have access to, if other relevant organization permissions allow these actions. For example, a user may be able to edit or delete their old messages they posted in such a private stream. An administrator will be able to delete old messages (that they had access to) from the private stream. This issue was fixed in Zulip Server version 7.3.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-26T00:14:23.000000Z"}, {"uuid": "b806a3b2-4394-410e-b50f-b2cbdf81c864", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-32677", "type": "seen", "source": "https://t.me/cibsecurity/64474", "content": "\u203c CVE-2023-32677 \u203c\n\nZulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to limit who can add users to streams, and separately to limit who can invite users to the organization. In Zulip Server 6.1 and below, the UI which allows a user to invite a new user also allows them to set the streams that the new user is invited to -- even if the inviting user would not have permissions to add an existing user to streams. While such a configuration is likely rare in practice, the behavior does violate security-related controls. 
This does not let a user invite new users to streams they cannot see, or would not be able to add users to if they had that general permission. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may limit sending of invitations down to users who also have the permission to add users to streams.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-05-20T00:38:25.000000Z"}, {"uuid": "8919dbe5-e77d-48a6-8fe4-1184d349d795", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-32679", "type": "seen", "source": "https://t.me/cibsecurity/64473", "content": "\u203c CVE-2023-32679 \u203c\n\nCraft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not an empty string ('') in View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that files with arbitrary extensions are rendered as twig templates. An attacker with admin privileges on a DEV or an improperly configured STG or PROD environment can exploit this vulnerability to achieve remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-05-20T00:38:25.000000Z"}, {"uuid": "6ba68ef8-b339-4915-a4b3-38350336e61e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-32675", "type": "seen", "source": "https://t.me/cibsecurity/64472", "content": "\u203c CVE-2023-32675 \u203c\n\nVyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-05-20T00:38:24.000000Z"}, {"uuid": "2dcffb20-c0b8-4d40-a55f-50e99f5ce51b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-3267", "type": "seen", "source": "https://t.me/cibsecurity/68424", "content": "\u203c CVE-2023-3267 \u203c\n\nWhen adding a remote backup location, an authenticated user can pass arbitrary OS commands through the username field. The username is passed without sanitization into CMD running as NT/Authority System. 
An authenticated attacker can leverage this vulnerability to execute arbitrary code with system-level access to the CyberPower PowerPanel Enterprise server.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-14T12:19:10.000000Z"}, {"uuid": "aaa54921-5fae-4588-b07c-aa69101b319d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2023-32679", "type": "published-proof-of-concept", "source": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c", "content": "", "creation_timestamp": "2023-05-19T02:51:52.000000Z"}]}
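The CVE-2023-3267 sighting above describes the classic bug class: an untrusted form field (the remote-backup username) is interpolated into a command line that a shell (cmd.exe in the product's case) re-parses, so separators in the field become commands. The following is an added example written for this page, not CyberPower PowerPanel code and not a reproduction of the product's real backup command. It uses `echo` as a stand-in for the backup tool, assumes a POSIX /bin/sh, and the allow-list regex and function names are illustrative choices.

```python
"""Shell-injection pattern behind CVE-2023-3267, and two layers of fix.

Hypothetical example written for this page (not CyberPower's code). It uses
`echo` as a stand-in for the real backup tool and assumes a POSIX /bin/sh.
"""
import re
import subprocess

# Constructed inputs: a normal account name and one carrying a shell separator.
BENIGN_USER = "backupsvc"
INJECTED_USER = "backupsvc; echo INJECTED"

# Allow-list for remote-backup account names. The exact character set is a
# site policy decision (an assumption here): letters, digits, '.', '_', '-',
# '@' and '\' so that user@realm and DOMAIN\user forms still work.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._@\\-]{1,64}")


def is_valid_username(username: str) -> bool:
    """True when the field matches the allow-list exactly (no partial matches)."""
    return _USERNAME_RE.fullmatch(username) is not None


def validate_username(username: str) -> str:
    if not is_valid_username(username):
        raise ValueError(f"invalid backup username: {username!r}")
    return username


def connect_unsafe(username: str) -> str:
    """Vulnerable pattern: the untrusted field is interpolated into one command
    string that a shell re-parses, so ';', '&', '|' become operators.
    (The same thing happens on Windows with `cmd.exe /c`.)"""
    cmd = f"echo connecting as {username}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def connect_argv(username: str) -> str:
    """Fix 1: pass an argv list and no shell. The whole field reaches the
    program as a single argument, metacharacters included, never interpreted."""
    argv = ["echo", "connecting", "as", username]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def connect_hardened(username: str) -> str:
    """Fix 2: allow-list validation in front of the argv call. Defense in depth:
    it also keeps hostile values away from downstream tools with their own parsers."""
    return connect_argv(validate_username(username))


if __name__ == "__main__":
    # Second output line "INJECTED" shows the injected command actually ran.
    print(connect_unsafe(INJECTED_USER), end="")
    # One line: the separator is inert when no shell is involved.
    print(connect_argv(INJECTED_USER), end="")
    try:
        connect_hardened(INJECTED_USER)
    except ValueError as err:
        print("rejected:", err)
```

Running the block prints the injected `INJECTED` line only from `connect_unsafe`; `connect_argv` echoes the separator back as literal text, and `connect_hardened` refuses the value before any process is started. Both fixes matter: the argv form removes the shell, the allow-list removes the attacker's freedom to reach whatever parser sits behind the argument.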