xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2023:0582-1 advisory.

  - xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and     therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed     in the xterm default configurations of some Linux distributions. (CVE-2022-45063)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:0221-1 advisory.

  - xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and     therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed     in the xterm default configurations of some Linux distributions. (CVE-2022-45063)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:0173-1 advisory.

  - xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and     therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed     in the xterm default configurations of some Linux distributions. (CVE-2022-45063)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This Solaris system is missing necessary patches to address critical security updates :

  - Vulnerability in the Oracle Communications Session     Border Controller product of Oracle Communications     (component: Routing (glibc)). Supported versions that     are affected are 8.4, 9.0 and 9.1. Difficult to exploit     vulnerability allows unauthenticated attacker with     network access via HTTP to compromise Oracle     Communications Session Border Controller. Successful     attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle Communications Session Border     Controller as well as unauthorized update, insert or     delete access to some of Oracle Communications Session     Border Controller accessible data and unauthorized read     access to a subset of Oracle Communications Session     Border Controller accessible data. CVSS 3.1 Base Score     7.0 (Confidentiality, Integrity and Availability     impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H).
    (CVE-2022-23219)

  - Vulnerability in the Oracle Communications Cloud Native     Core Unified Data Repository product of Oracle     Communications (component: Signaling (glibc)). The     supported version that is affected is 22.1.1. Easily     exploitable vulnerability allows unauthenticated     attacker with network access via HTTP to compromise     Oracle Communications Cloud Native Core Unified Data     Repository. Successful attacks of this vulnerability can     result in takeover of Oracle Communications Cloud Native     Core Unified Data Repository. CVSS 3.1 Base Score 9.8     (Confidentiality, Integrity and Availability impacts).
    CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
    (CVE-2022-23218)

  - Vulnerability in the Oracle Communications Cloud Native     Core Policy product of Oracle Communications (component:
    Policy (GNU Libtasn1)). Supported versions that are     affected are 22.4.0-22.4.4 and 23.1.0-23.1.1. Easily     exploitable vulnerability allows unauthenticated     attacker with network access via HTTPS to compromise     Oracle Communications Cloud Native Core Policy.
    Successful attacks of this vulnerability can result in     unauthorized access to critical data or complete access     to all Oracle Communications Cloud Native Core Policy     accessible data and unauthorized ability to cause a hang     or frequently repeatable crash (complete DOS) of Oracle     Communications Cloud Native Core Policy. CVSS 3.1 Base     Score 9.1 (Confidentiality and Availability impacts).
    CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
    (CVE-2021-46848)

  - Vulnerability in the Oracle Text (LibExpat) component of     Oracle Database Server. Supported versions that are     affected are 19.3-19.19 and 21.3-21.10. Easily     exploitable vulnerability allows low privileged attacker     having Create Session, Create Index privilege with     network access via Oracle Net to compromise Oracle Text     (LibExpat). Successful attacks of this vulnerability can     result in unauthorized ability to cause a hang or     frequently repeatable crash (complete DOS) of Oracle     Text (LibExpat). CVSS 3.1 Base Score 6.5 (Availability     impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
    (CVE-2022-43680)

  - Vulnerability in the PeopleSoft Enterprise PeopleTools     product of Oracle PeopleSoft (component: Porting     (Python)). Supported versions that are affected are 8.59     and 8.60. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to     compromise PeopleSoft Enterprise PeopleTools. Successful     attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash     (complete DOS) of PeopleSoft Enterprise PeopleTools.
    CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS     Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
    (CVE-2022-45061)

  - Vulnerability in the Oracle Solaris product of Oracle     Systems (component: NSSwitch). Supported versions that     are affected are 10 and 11. Difficult to exploit     vulnerability allows high privileged attacker with     network access via multiple protocols to compromise     Oracle Solaris. Successful attacks require human     interaction from a person other than the attacker and     while the vulnerability is in Oracle Solaris, attacks     may significantly impact additional products (scope     change). Successful attacks of this vulnerability can     result in unauthorized update, insert or delete access     to some of Oracle Solaris accessible data and     unauthorized ability to cause a partial denial of     service (partial DOS) of Oracle Solaris. CVSS 3.1 Base     Score 4.0 (Integrity and Availability impacts). CVSS     Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:L).
    (CVE-2023-21900)

The remote Fedora 35 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-8cf76a9ceb advisory.

  - xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and     therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed     in the xterm default configurations of some Linux distributions. (CVE-2022-45063)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-681bbe67b6 advisory.

  - xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and     therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed     in the xterm default configurations of some Linux distributions. (CVE-2022-45063)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202211-09 (xterm: Arbitrary Code Execution)

  - xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and     therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed     in the xterm default configurations of some Linux distributions. (CVE-2022-45063)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
172023	SUSE SLES12 Security Update : xterm (SUSE-SU-2023:0582-1)	Nessus	SuSE Local Security Checks	critical
170951	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : xterm (SUSE-SU-2023:0221-1)	Nessus	SuSE Local Security Checks	critical
170711	SUSE SLES15 Security Update : xterm (SUSE-SU-2023:0173-1)	Nessus	SuSE Local Security Checks	critical
170171	Oracle Solaris Critical Patch Update : jan2023_SRU11_4_53_132_2	Nessus	Solaris Local Security Checks	critical
169249	Fedora 35 : xterm (2022-8cf76a9ceb)	Nessus	Fedora Local Security Checks	critical
169137	Fedora 36 : xterm (2022-681bbe67b6)	Nessus	Fedora Local Security Checks	critical
168060	GLSA-202211-09 : xterm: Arbitrary Code Execution	Nessus	Gentoo Local Security Checks	critical

Detections

Analytics

CVE-2022-45063

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical