Security Vulnerabilities - CVEs Published In December 2023
There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak.
CVSS Score
4.3
EPSS Score
0.0
Published
2023-12-14
Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool.
CVSS Score
9.8
EPSS Score
0.868
Published
2023-12-14
There is a weak folder permission vulnerability in ZTE's ZXCLOUD iRAI product. Due to weak folder permission, an attacker with ordinary user privileges could construct a fake DLL to execute command to escalate local privileges.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-12-14
There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads.
CVSS Score
6.5
EPSS Score
0.003
Published
2023-12-14
PlutoSVG commit 336c02997277a1888e6ccbbbe674551a0582e5c4 and before was discovered to contain an integer overflow via the component plutosvg_load_from_memory.
CVSS Score
9.8
EPSS Score
0.003
Published
2023-12-14
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulnerability exists that could cause arbitrary file deletion upon service restart when accessed by
a local and low-privileged attacker.
CVSS Score
5.3
EPSS Score
0.001
Published
2023-12-14
A CWE-494: Download of Code Without Integrity Check vulnerability exists that could allow a
privileged user to install an untrusted firmware.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-12-14
A CWE-601:URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability exists that could
cause disclosure of information through phishing attempts over HTTP.
CVSS Score
8.2
EPSS Score
0.002
Published
2023-12-14
An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. Because of a double free, attackers can cause a denial of service or possibly execute arbitrary code. The fixed versions are 22.05.11, 23.02.7, and 23.11.1.
CVSS Score
9.8
EPSS Score
0.003
Published
2023-12-14
An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There is Incorrect Access Control: an attacker can modified their extended group list that is used with the sbcast subsystem, and open files with an unauthorized set of extended groups. The fixed versions are 22.05.11 and 23.02.7.
CVSS Score
8.2
EPSS Score
0.002
Published
2023-12-14