Security Vulnerabilities - CVEs Published In December 2023
A vulnerability, which was classified as critical, was found in code-projects Library Management System 2.0. Affected is an unknown function of the file index.php. Manipulation of the argument category leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249006 is the identifier assigned to this vulnerability.
CVSS Score: 6.3 | EPSS Score: 0.001 | Published: 2023-12-26
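The SQL injection described above, shown as an added example rather than the code-projects application's own code: a hypothetical catalogue lookup that splices the category request parameter into the query text, beside the parameterised form. The table, its rows and the payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample catalogue; not the application's schema or data.
SAMPLE_BOOKS = [
    ("Dune", "fiction"),
    ("Cryptography Engineering", "security"),
    ("Admin Handbook", "restricted"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT, category TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?)", SAMPLE_BOOKS)
    return conn


def search_vulnerable(conn, category):
    # The request parameter becomes part of the SQL text, so a quote in it
    # closes the literal and the rest is parsed as SQL (the VDB-249006 class).
    query = "SELECT title FROM books WHERE category = '%s'" % category
    return [row[0] for row in conn.execute(query)]


def search_hardened(conn, category):
    # Bound parameter: the value travels separately from the statement and can
    # never change its structure, whatever characters it contains.
    query = "SELECT title FROM books WHERE category = ?"
    return [row[0] for row in conn.execute(query, (category,))]


# Classic tautology payload; with the vulnerable query it matches every row.
PAYLOAD = "fiction' OR '1'='1"


def demo(category):
    """Run the same input through both lookups on a fresh database."""
    conn = make_db()
    return search_vulnerable(conn, category), search_hardened(conn, category)


if __name__ == "__main__":
    leaked, safe = demo(PAYLOAD)
    print("vulnerable:", leaked)  # all three titles, including the restricted one
    print("hardened:  ", safe)    # [] because no category literally equals the payload
```

The hardened version also rejects nothing, which is the point: with binding there is no list of bad characters to maintain, so input validation can be reserved for business rules (known category names) rather than for SQL safety.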
OpenNDS, as used in Sierra Wireless ALEOS before 4.17.0.12 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference, daemon crash, and Captive Portal outage) via a GET request to /opennds_auth/ that lacks a custom query string parameter and client-token.
CVSS Score: 7.5 | EPSS Score: 0.0 | Published: 2023-12-25
An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint.
CVSS Score: 9.8 | EPSS Score: 0.739 | Published: 2023-12-25
An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host.
CVSS Score: 9.8 | EPSS Score: 0.002 | Published: 2023-12-25
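The two RWS WorldServer entries name concrete request features (a token parameter equal to 02, uploads to ws-api/v2/customizations/api, and POSTs to /clientLogin) that a defender can look for in web-server access logs. The following is an added detection example, not RWS code or a vendor-supplied rule; the log lines are constructed in Apache/nginx combined format and the finding names are this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines; not captured from a real deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Dec/2023:10:01:12 +0000] "GET /ws-api/v2/projects?token=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Dec/2023:10:02:03 +0000] "POST /ws-api/v2/customizations/api?token=02 HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.9 - - [26/Dec/2023:10:02:09 +0000] "GET /ws-api/v2/users?token=02 HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.7 - - [26/Dec/2023:10:03:44 +0000] "POST /clientLogin HTTP/1.1" 200 310 "-" "WorldServer-Client"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one access-log line into fields; None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def classify(rec):
    """Return the finding tags that apply to one parsed request."""
    tags = []
    # The advisory's bypass value, as a literal query parameter anywhere in the API.
    if "02" in rec["query"].get("token", []):
        tags.append("worldserver-auth-bypass-token")
    # Customisation upload endpoint; endswith() tolerates a servlet context prefix.
    if rec["method"] == "POST" and rec["path"].rstrip("/").endswith(
        "/ws-api/v2/customizations/api"
    ):
        tags.append("worldserver-customization-upload")
    return tags


def scan(log_text):
    """Return (client_ip, method, path, tags) for every line with a finding."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            findings.append((rec["ip"], rec["method"], rec["path"], tags))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The /clientLogin deserialization cannot be told apart from a legitimate login in an access log, because the malicious content is in the request body; treat POSTs to that path from unexpected source addresses or user agents as a hunting pivot rather than an alert, and prefer the upgrade to 11.7.3 over any log-based control.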
There is broken access control during authentication in Jamf Pro Server before 10.46.1.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2023-12-25
The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user via a malicious BPMN2 workflow definition file.
CVSS Score: 7.2 | EPSS Score: 0.007 | Published: 2023-12-25
The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user by uploading a workflow definition file with a malicious filename.
CVSS Score: 7.2 | EPSS Score: 0.007 | Published: 2023-12-25
A Cross Site Scripting (XSS) vulnerability exists in Follet Learning Solutions Destiny through 20.0_1U via the searchString parameter of handlewpesearchform.do.
CVSS Score: 6.1 | EPSS Score: 0.001 | Published: 2023-12-25
Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2023-12-25
An issue was discovered in Peplink Balance Two before 8.4.0. Command injection in the traceroute feature of the administration console allows users with admin privileges to execute arbitrary commands as root.
CVSS Score: 7.2 | EPSS Score: 0.015 | Published: 2023-12-25
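The ILIAS filename entry and the Peplink traceroute entry are the same bug class: a user-controlled string reaches a shell command line. The following is an added example, not ILIAS or Peplink code, modelling both: a traceroute wrapper built as a shell string beside one that validates the target and passes an argv list, and an upload handler that never lets the client's filename reach a command at all. The tool is replaced by echo so the demo runs anywhere; the host pattern and the accepted extensions are this example's assumptions.

```python
import re
import subprocess
import uuid

# "echo" stands in for the real traceroute binary so the demo is portable.
TOOL = ["echo", "traceroute", "-n"]

# Hostname or IP-literal characters only (assumed policy). A leading "-" is
# rejected separately so the value can never be parsed as a tool option.
HOST_RE = re.compile(r"^[A-Za-z0-9.:\-]{1,253}$")

# Assumption: workflow definitions are BPMN2 XML files.
ALLOWED_UPLOAD_EXT = {".bpmn2", ".xml"}


def shell_string_vulnerable(host):
    """Peplink bug class: the admin-supplied target is pasted into a shell line."""
    return " ".join(TOOL) + " " + host


def run_vulnerable(host):
    # shell=True hands the whole string to /bin/sh -c, so "; id" after the
    # target runs as the daemon's user (root on an appliance).
    proc = subprocess.run(shell_string_vulnerable(host), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def validate_host(host):
    """Allowlist the target before it goes anywhere near a process."""
    if not HOST_RE.match(host) or host.startswith("-"):
        raise ValueError("invalid traceroute target: %r" % host)
    return host


def run_hardened(host):
    # argv list, no shell: the target is exactly one argument whatever it
    # contains, and validate_host() has already rejected anything odd.
    argv = TOOL + [validate_host(host)]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


def storage_name_for_upload(original_name):
    """ILIAS bug class: the client's filename must never reach a command line.

    Only the extension of the submitted name is consulted; the stored name is
    server-generated, so a name like "'; id; '.bpmn2" can be accepted as a
    file yet contributes nothing to any later shell invocation.
    """
    if "." in original_name:
        ext = "." + original_name.rsplit(".", 1)[-1].lower()
    else:
        ext = ""
    if ext not in ALLOWED_UPLOAD_EXT:
        raise ValueError("unsupported workflow file type: %r" % ext)
    return "%s%s" % (uuid.uuid4().hex, ext)


def is_rejected(fn, value):
    """True if fn(value) raises ValueError; used to show what the checks refuse."""
    try:
        fn(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "8.8.8.8; echo INJECTED"
    print(run_vulnerable(payload), end="")       # prints the traceroute line, then INJECTED
    print(is_rejected(run_hardened, payload))   # True: never reaches subprocess
    print(run_hardened("8.8.8.8"), end="")      # traceroute -n 8.8.8.8
    print(storage_name_for_upload("'; id; '.bpmn2"))  # <32 hex chars>.bpmn2
```

The two hardened paths differ on purpose: the traceroute target must become a command argument, so it is validated and passed without a shell; the filename never needs to be an argument, so it is replaced rather than validated, which removes the attack surface instead of filtering it.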
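A listing like the one above is only useful once it is ordered. The following added example (this editor's, not Shodan's or FIRST's tooling) transcribes the ten entries with their scores as printed on this page and sorts them into priority tiers. The tier thresholds are an assumed policy for illustration: EPSS is the probability of exploitation in the wild over the next 30 days, so it outranks CVSS, and a published public exploit is treated as a separate signal because EPSS does not always reflect it immediately.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    product: str
    cvss: float
    epss: float
    public_exploit: bool = False  # advisory text says an exploit was disclosed


# The ten entries from this page, scores as listed there.
ENTRIES = [
    Entry("code-projects Library Management System 2.0 (SQLi, VDB-249006)", 6.3, 0.001, True),
    Entry("OpenNDS / Sierra Wireless ALEOS before 4.17.0.12 (captive portal DoS)", 7.5, 0.0),
    Entry("RWS WorldServer before 11.7.3 (token=02 bypass, .jar upload)", 9.8, 0.739),
    Entry("RWS WorldServer before 11.7.3 (/clientLogin deserialization)", 9.8, 0.002),
    Entry("Jamf Pro Server before 10.46.1 (broken access control)", 9.8, 0.001),
    Entry("ILIAS before 7.23 / 8 before 8.3 (BPMN2 workflow command execution)", 7.2, 0.007),
    Entry("ILIAS before 7.23 / 8 before 8.3 (workflow filename command execution)", 7.2, 0.007),
    Entry("Follet Learning Solutions Destiny through 20.0_1U (XSS, searchString)", 6.1, 0.001),
    Entry("Concrete CMS 9 before 9.2.3 (CSRF log deletion)", 4.3, 0.003),
    Entry("Peplink Balance Two before 8.4.0 (traceroute command injection)", 7.2, 0.015),
]

# Assumed policy thresholds (not a standard):
EPSS_ACT_NOW = 0.10   # roughly "exploitation is expected", patch this cycle
EPSS_ELEVATED = 0.01  # an order of magnitude above the typical baseline


def tier(e):
    """Map one entry to P1..P4 using EPSS first, then CVSS and exploit status."""
    if e.epss >= EPSS_ACT_NOW or (e.public_exploit and e.cvss >= 9.0):
        return "P1"
    if e.cvss >= 9.0 or (e.cvss >= 7.0 and e.epss >= EPSS_ELEVATED) or e.public_exploit:
        return "P2"
    if e.cvss >= 7.0:
        return "P3"
    return "P4"


def ranked(entries):
    """Entries ordered for a work queue: EPSS, then CVSS, then public exploit."""
    return sorted(entries, key=lambda e: (e.epss, e.cvss, e.public_exploit), reverse=True)


def by_tier(entries):
    """Group product names under their tier, preserving the ranked order."""
    groups = {"P1": [], "P2": [], "P3": [], "P4": []}
    for e in ranked(entries):
        groups[tier(e)].append(e.product)
    return groups


if __name__ == "__main__":
    for name, items in by_tier(ENTRIES).items():
        print(name)
        for item in items:
            print("   ", item)
```

Two things the output makes visible that the flat listing does not: the three 9.8 entries are not equal (the WorldServer upload path at EPSS 0.739 is in a different league from the other two), and the medium-CVSS Library Management System entry moves up because its advisory states that an exploit is public.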
Shodan ® - All rights reserved