Security Vulnerabilities - CVEs Published In December 2023
The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint `/certificate.crt` and the way the web interface of the ArduinoCreateAgent handles custom error messages. An attacker that is able to persuade a victim into clicking on a malicious link can perform a Reflected Cross-Site Scripting attack on the web interface of the create agent, which would allow the attacker to execute arbitrary browser client side code. Version 1.3.6 contains a fix for the issue.
CVSS Score
6.3
EPSS Score
0.004
Published
2023-12-13
Encrypted folders created by PRIMX ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission) or ZONECENTRAL for Windows before 2023.5 can be modified by an unauthenticated attacker to include a UNC reference so that it could trigger outbound network traffic from computers on which folders are opened.
CVSS Score
5.5
EPSS Score
0.001
Published
2023-12-13
By default, .ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission); ZED! for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before 2023.5; ZEDMAIL for Windows before 2023.5; and ZED! for Windows, Mac, Linux before 2023.5 include an encrypted version of sensitive user information, which could allow an unauthenticated attacker to obtain it via brute force.
CVSS Score
7.5
EPSS Score
0.004
Published
2023-12-13
A vulnerability has been found in CodeAstro POS and Inventory Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /accounts_con/register_account of the component User Creation Handler. The manipulation of the argument account_type with the input Admin leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247909 was assigned to this vulnerability.
CVSS Score
4.3
EPSS Score
0.0
Published
2023-12-13
An arbitrary file upload vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.
CVSS Score
5.5
EPSS Score
0.001
Published
2023-12-13
An OS command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.
CVSS Score
5.5
EPSS Score
0.001
Published
2023-12-13
A DOM-Based cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a remote attacker to execute a JavaScript payload in the context of an administrator’s browser when they view a specifically crafted link to the PAN-OS web interface.
CVSS Score
8.8
EPSS Score
0.002
Published
2023-12-13
A credential disclosure vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to obtain the plaintext credentials of stored external system integrations such as LDAP, SCP, RADIUS, TACACS+, and SNMP from the web interface.
CVSS Score
4.9
EPSS Score
0.001
Published
2023-12-13
An OS command injection vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated API user to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.
CVSS Score
5.5
EPSS Score
0.002
Published
2023-12-13
An improper privilege management vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to revoke active XML API keys from the firewall and disrupt XML API usage.
CVSS Score
2.7
EPSS Score
0.0
Published
2023-12-13