Security Vulnerabilities - CVEs Published In December 2023
A vulnerability classified as problematic has been found in linkding 1.23.0. Affected is an unknown function. The manipulation of the argument q leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.23.1 is able to address this issue. It is recommended to upgrade the affected component. VDB-247338 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early, responded in a very professional manner and immediately released a fixed version of the affected product.
CVSS Score
3.5
EPSS Score
0.001
Published
2023-12-09
SyncTrayzor 1.1.29 enables CEF (Chromium Embedded Framework) remote debugging, allowing a local attacker to control the application.
CVSS Score
7.8
EPSS Score
0.0
Published
2023-12-09
In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023. NOTE: although this is a vulnerability from the perspective of the Bitcoin Knots project, some others consider it "not a bug."
CVSS Score
5.3
EPSS Score
0.0
Published
2023-12-09
An OS Command Injection in the CLI interface on DrayTek Vigor167 version 5.2.2, allows remote attackers to execute arbitrary system commands and escalate privileges via any account created within the web interface.
CVSS Score
9.8
EPSS Score
0.025
Published
2023-12-09
The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server.
CVSS Score
4.1
EPSS Score
0.001
Published
2023-12-09
Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers to delete arbitrary files on the operating system by creating a symbolic link.
CVSS Score
8.1
EPSS Score
0.001
Published
2023-12-09
Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers read the contents of arbitrary files on the operating system by creating a symbolic link.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-12-09
Insecure File Permissions in Support Assistant in NCP Secure Enterprise Client before 12.22 allow attackers to write to configuration files from low-privileged user accounts.
CVSS Score
6.5
EPSS Score
0.0
Published
2023-12-09
Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers to read registry information of the operating system by creating a symbolic link.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-12-09
An XSS issue in wiki and discussion pages in Seafile 9.0.6 allows attackers to inject JavaScript into the Markdown editor.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-12-09