Security Vulnerabilities - CVEs Published In December 2023
TOTOLink A7000R V9.1.0u.6115_B20201022 has a stack overflow vulnerability via setIpPortFilterRules.
CVSS Score
9.8
EPSS Score
0.001
Published
2023-12-11
In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.
CVSS Score
2.8
EPSS Score
0.0
Published
2023-12-11
Improper Input Validation vulnerability in the GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins. In affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer, enabling an attacker to run arbitrary GStreamer plugins depending on which plugins are installed on the target system.
CVSS Score
8.3
EPSS Score
0.013
Published
2023-12-11
Insufficient macro permission validation in The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning. In affected versions LibreOffice supports hyperlinks with macro or similar built-in command targets that can be executed when activated without warning the user.
CVSS Score
8.3
EPSS Score
0.011
Published
2023-12-11
An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873.
CVSS Score
8.8
EPSS Score
0.044
Published
2023-12-11
decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. NOTE: this is not the same as CVE-2023-50246. The CVE-2023-50246 71c2ab5 reference mentions -10E-1000010001, which is not in normalized scientific notation.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-12-11
This vulnerability allows a remote attacker with low privileges to misuse Improper Control of Generation of Code ('Code Injection') to gain full control of the affected device.
CVSS Score
8.8
EPSS Score
0.003
Published
2023-12-11
Missing permission checks resulting in unauthorized access and manipulation in the KeyChainActivity application
CVSS Score
9.8
EPSS Score
0.001
Published
2023-12-11
U-Boot shell vulnerability resulting in privilege escalation on a production device
CVSS Score
9.8
EPSS Score
0.001
Published
2023-12-11
U-Boot vulnerability resulting in persistent code execution
CVSS Score
9.8
EPSS Score
0.001
Published
2023-12-11
Shodan ® - All rights reserved