Security Vulnerabilities - CVEs Published In December 2023
An Open Redirection vulnerability exists in Uffizio's GPS Tracker all versions allows an attacker to construct a URL within the application that causes a redirection to an arbitrary external domain.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-12-16
A Remote Code Execution vulnerability exist in Uffizio's GPS Tracker all versions. The web server can be compromised by uploading and executing a web/reverse shell. An attacker could then run commands, browse system files, and browse local resources
CVSS Score
9.8
EPSS Score
0.003
Published
2023-12-16
An issue was discovered in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior. The application allows a client to provide a malicious connection string that could allow an adversary to port scan the LAN, depending on the hosts' responses.
CVSS Score
5.3
EPSS Score
0.005
Published
2023-12-16
An issue was discovered in ExecuteCommand() in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior that allows unauthenticated arbitrary commands to be executed.
CVSS Score
9.8
EPSS Score
0.002
Published
2023-12-16
Path traversal vulnerability in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior allows an unauthenticated user to steal the Windows access token of the user account configured for accessing external DB resources.
CVSS Score
7.5
EPSS Score
0.004
Published
2023-12-16
ONTAP 9 versions 9.12.1P8, 9.13.1P4, and 9.13.1P5 are susceptible to a
vulnerability which will cause all SAS-attached FIPS 140-2 drives to
become unlocked after a system reboot or power cycle or a single
SAS-attached FIPS 140-2 drive to become unlocked after reinsertion. This
could lead to disclosure of sensitive information to an attacker with
physical access to the unlocked drives.
CVSS Score
4.3
EPSS Score
0.003
Published
2023-12-15
HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper handling of request data.
CVSS Score
3.5
EPSS Score
0.004
Published
2023-12-15
octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the nodejs process. The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.02, octokit.js 3.1.2, and Protobot 12.3.3.
CVSS Score
5.4
EPSS Score
0.007
Published
2023-12-15
Bazarr manages and downloads subtitles. In version 1.2.4, the proxy method in bazarr/bazarr/app/ui.py does not validate the user-controlled protocol and url variables and passes them to requests.get() without any sanitization, which leads to a blind server-side request forgery (SSRF). This issue allows for crafting GET requests to internal and external resources on behalf of the server. 1.3.1 contains a partial fix, which limits the vulnerability to HTTP/HTTPS protocols.
CVSS Score
5.3
EPSS Score
0.001
Published
2023-12-15
Shenzhen Libituo Technology Co., Ltd LBT-T300-T310 v2.2.2.6 was discovered to contain a buffer overflow via the ApCliEncrypType parameter at /apply.cgi.
CVSS Score
9.8
EPSS Score
0.101
Published
2023-12-15