CVE-2023-3848
published 2023-07-23CVE-2023-3848: A vulnerability, which was classified as problematic, has been found in mooSocial mooDating 1.2. This issue affects some unknown processing of the file…
PriorityP340medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
3.68%
88.3th percentile
A vulnerability, which was classified as problematic, has been found in mooSocial mooDating 1.2. This issue affects some unknown processing of the file /users/view of the component URL Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-235199. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | >= 2.9.2 < 2.12.1 | 2.12.1 |
| moosocial | moodating | — | — |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:N/I:P/A:N
ghsa7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
MLflow has a Local File Read/Path Traversal bypass
ghsa·2024-05-16·CVSS 7.5
CVE-2024-3848 [HIGH] CWE-22 MLflow has a Local File Read/Path Traversal bypass
MLflow has a Local File Read/Path Traversal bypass
A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitra
GHSA
GHSA-m57c-3p8p-vmhq: A vulnerability, which was classified as problematic, has been found in mooSocial mooDating 1
ghsa_unreviewed·2023-07-23
CVE-2023-3848 [MEDIUM] CWE-79 GHSA-m57c-3p8p-vmhq: A vulnerability, which was classified as problematic, has been found in mooSocial mooDating 1
A vulnerability, which was classified as problematic, has been found in mooSocial mooDating 1.2. This issue affects some unknown processing of the file /users/view of the component URL Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-235199. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly.
No detection rules found.
Exploit-DB
mooDating 1.2 - Reflected Cross-site scripting (XSS)
exploitdb·2023-07-28·CVSS 3.5
CVE-2023-3849 [LOW] mooDating 1.2 - Reflected Cross-site scripting (XSS)
mooDating 1.2 - Reflected Cross-site scripting (XSS)
---
# Exploit Title: mooDating 1.2 - Reflected Cross-site scripting (XSS)
# Exploit Author: CraCkEr aka (skalvin)
# Date: 22/07/2023
# Vendor: mooSocial
# Vendor Homepage: https://moodatingscript.com/
# Software Link: https://demo.moodatingscript.com/home
# Version: 1.2
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-3849, CVE-2023-3848, CVE-2023-3847, CVE-2023-3846, CVE-2023-3843, CVE-2023-3845, CVE-2023-3844
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
The attacker can send to victim a link containing a malicious URL in an email or instant message
can perform a wide variety of a
Nuclei
MooDating 1.2 - Cross-site scripting
nuclei·CVSS 6.1
CVE-2023-3848 [MEDIUM] MooDating 1.2 - Cross-site scripting
MooDating 1.2 - Cross-site scripting
A vulnerability, which was classified as problematic, has been found in mooSocial mooDating 1.2. This issue affects some unknown processing of the file /users/view of the component URL Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely.
Template:
id: CVE-2023-3848
info:
name: MooDating 1.2 - Cross-site scripting
author: r3Y3r53
severity: medium
description: |
A vulnerability, which was classified as problematic, has been found in mooSocial mooDating 1.2. This issue affects some unknown processing of the file /users/view of the component URL Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely.
impact: |
Unauthenticated attackers can inject malicious JavaScript throug
Nuclei
Mlflow < 2.11.0 - Path Traversal
nuclei·CVSS 7.5
CVE-2024-3848 [HIGH] Mlflow < 2.11.0 - Path Traversal
Mlflow < 2.11.0 - Path Traversal
A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read throu
No writeups or analysis indexed.
2023-07-23
Published