Security Vulnerabilities - CVEs Published In December 2023
An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in captive portals allows attackers to modify the portals' configurations without prior authentication.
CVSS Score: 8.8 | EPSS Score: 0.265 | Published: 2023-12-28
An issue in the openFile method of Chinese Perpetual Calendar v9.0.0 allows attackers to read any file via unspecified vectors.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2023-12-28
An issue in the export component AdSdkH5Activity of com.sdjictec.qdmetro v4.2.2 allows attackers to open a crafted URL without any filtering or checking.
CVSS Score: 5.3 | EPSS Score: 0.001 | Published: 2023-12-28
A vulnerability, which was classified as problematic, was found in code-projects E-Commerce Site 1.0. Affected is an unknown function of the file search.php. The manipulation of the argument keyword with the input <video/src=x onerror=alert(document.cookie)> leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249096.
CVSS Score: 4.3 | EPSS Score: 0.001 | Published: 2023-12-28
Incorrect access control in TP-Link Tapo before v3.1.315 allows attackers to access user credentials in plaintext.
CVSS Score: 6.5 | EPSS Score: 0.0 | Published: 2023-12-28
A vulnerability, which was classified as critical, has been found in SourceCodester Medicine Tracking System 1.0. This issue affects some unknown processing of the file /classes/Master.php?f=save_medicine. The manipulation of the argument id/name/description leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249095.
CVSS Score: 6.3 | EPSS Score: 0.0 | Published: 2023-12-28
Increasing the resolution of video frames, while performing a multi-threaded encode, can result in a heap overflow in av1_loop_restoration_dealloc().
CVSS Score: 9.0 | EPSS Score: 0.002 | Published: 2023-12-27
Phlox com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus has an Android manifest file that contains an entry with the android:allowBackup attribute set to true. This could be leveraged by an attacker with physical access to the device.
CVSS Score: 4.6 | EPSS Score: 0.001 | Published: 2023-12-27
An issue in ArtistScope ArtisBrowser v.34.1.5 and before allows an attacker to bypass intended access restrictions via interaction with the com.artis.browser.IntentReceiverActivity component. NOTE: this is disputed by the vendor, who indicates that ArtisBrowser 34 does not support CSS3.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2023-12-27
An issue in Indi Browser (aka kvbrowser) v.12.11.23 allows an attacker to bypass intended access restrictions via interaction with the com.example.gurry.kvbrowswer.webview component.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2023-12-27

