Security Vulnerabilities - CVEs Published In December 2023
An issue was discovered in Heimdal Thor agent versions 3.4.2 and before 3.7.0 on Windows, allows attackers to bypass USB access restrictions, execute arbitrary code, and obtain sensitive information via Next-Gen Antivirus component. NOTE: Heimdal argues that the limitation described here is a Microsoft Windows issue, not a Heimdal specific vulnerability. The USB control solution by Heimdal is meant to manage Microsoft Windows native USB restrictions. They maintain that their solution functions as a management layer over Windows settings and is not to blame for limitations in Windows' detection capabilities.
CVSS Score
9.8
EPSS Score
0.001
Published
2023-12-21
An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS, allows attackers to cause a denial of service (DoS) via the Threat To Process Correlation threat prevention module. NOTE: Heimdal asserts this is not a valid vulnerability. Their DNS Security for Endpoint solution includes an optional feature to provide extra information on the originating process that made a DNS request. The lack of process identification in DNS logs is therefore falsely categorized as a DoS issue.
CVSS Score
9.1
EPSS Score
0.001
Published
2023-12-21
HCL Launch is vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI potentially leading to sensitive information disclosure.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-12-21
An issue was discovered in Stormshield Network Security (SNS) 4.0.0 through 4.3.21, 4.4.0 through 4.6.8, and 4.7.0. Sending a crafted ICMP packet may lead to a crash of the ASQ engine.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-12-21
An issue in LTB Self Service Password before v.1.5.4 allows a remote attacker to execute arbitrary code and obtain sensitive information via hijack of the SMS verification code function to arbitrary phone.
CVSS Score
9.8
EPSS Score
0.024
Published
2023-12-21
journalpump is a daemon that takes log messages from journald and pumps them to a given output. A logging vulnerability was found in journalpump which logs out the configuration of a service integration in plaintext to the supplied logging pipeline, including credential information contained in the configuration if any. The problem has been patched in journalpump 2.5.0.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-12-21
An issue was discovered in Stormshield Network Security (SNS) 3.7.0 through 3.7.39, 3.11.0 through 3.11.27, 4.3.0 through 4.3.22, 4.6.0 through 4.6.9, and 4.7.0 through 4.7.1. It's possible to know if a specific user account exists on the SNS firewall by using remote access commands.
CVSS Score
5.3
EPSS Score
0.002
Published
2023-12-21
HCL Launch may mishandle input validation of an uploaded archive file leading to a denial of service due to resource exhaustion.
CVSS Score
5.3
EPSS Score
0.001
Published
2023-12-21
Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in version 3.3.17, 4.1.3, 5.3.4, 6.1.0.
CVSS Score
6.5
EPSS Score
0.004
Published
2023-12-21
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the bandwidth parameter in the wifiRadioSetIndoor function.
CVSS Score
9.8
EPSS Score
0.001
Published
2023-12-20