Security Vulnerabilities - CVEs Published In December 2023
An issue was discovered by Elastic whereby Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Elastic Agent attempted to ingest, this could lead to the insertion of sensitive or private information in the Elastic Agent logs. Elastic has released 8.11.3 and 7.17.16, which prevent this issue by limiting these types of logs to DEBUG level logging, which is disabled by default.
CVSS Score: 6.8
EPSS Score: 0.004
Published: 2023-12-12
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10.8.1, and 12.3.0 contain a patch for this issue.
CVSS Score: 7.7
EPSS Score: 0.001
Published: 2023-12-12
An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Depending on the contents of such documents, this could lead to the insertion of sensitive or private information in the App Search logs. Elastic has released 8.11.2 and 7.17.16, which resolve this issue by changing the log level at which these are logged to DEBUG, which is disabled by default.
CVSS Score: 6.8
EPSS Score: 0.005
Published: 2023-12-12
Microsoft Power Platform Connector Spoofing Vulnerability
CVSS Score: 9.6
EPSS Score: 0.011
Published: 2023-12-12
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVSS Score: 7.6
EPSS Score: 0.001
Published: 2023-12-12
Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
CVSS Score: 7.8
EPSS Score: 0.016
Published: 2023-12-12
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVSS Score: 7.8
EPSS Score: 0.001
Published: 2023-12-12
main.py in Searchor before 2.4.2 uses eval on CLI input, which may cause unexpected code execution.
CVSS Score: 9.8
EPSS Score: 0.296
Published: 2023-12-12
Umbraco is an ASP.NET content management system (CMS). Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contains a cross-site scripting (XSS) vulnerability enabling attackers to bring malicious content into a website or application. Versions 10.8.1 and 12.3.4 contain a patch for this issue.
CVSS Score: 4.3
EPSS Score: 0.006
Published: 2023-12-12
Windows Telephony Server Elevation of Privilege Vulnerability
CVSS Score: 7.5
EPSS Score: 0.088
Published: 2023-12-12

