Coming Soon...

The Q-CERT website is currently under maintenance. We should be back shortly. Thank you for your patience.

RSS FEEDS

Synology rolls out patches for critical security bugs

Thursday, 5 January, 2023

Synology has published two new critical advisories. One of them describes an internally discovered vulnerability affecting Synology VPN Plus Server, which turns routers into an advanced VPN server.

The security hole, tracked as CVE-2022-43931, is an out-of-bounds write issue in the remote desktop functionality of VPN Plus Server. It can allow a remote attacker to execute arbitrary commands.

Multiple Vulnerabilities in Firefox, Firefox ESR, and in Thunderbird

Monday, 19 December, 2022

Mozilla has released critical security updates for Firefox, Firefox ESR, and Thunderbird, addressing multiple vulnerabilities. The most severe of the discovered vulnerabilities could lead to memory corruption and arbitrary code execution on successful exploitation.

SAP Releases December 2022 Security

Monday, 19 December, 2022

SAP released twenty new and updated Security Notes on its December Patch Day, including the notes that were released or updated since the last Patch Tuesday. This includes five Hot-News Notes and five High Priority Notes. The remaining security notes that SAP announced on its December 2022 Security Patch Day deal with medium-severity vulnerabilities in Disclosure Management, NetWeaver, Solutions Manager, BusinessObjects, Sourcing, and Contract Lifecycle Management.

Cisco Disclosed High-Severity Flaw in its IP phones

Thursday, 15 December, 2022

Cisco disclosed a high-severity vulnerability, tracked as CVE-2022-20968, impacting its IP Phone 7800 and 8800 Series. A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. 

This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device. 

Exploitable - Heap-Based Buffer Overflow Vulnerability in FortiOS sslvpnd

Tuesday, 13 December, 2022

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. According to Fortinet, this vulnerability is being exploited in the wild. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Fortinet Patches High-Severity Authentication Bypass Vulnerability in FortiOS and FortiProxy

Sunday, 11 December, 2022

A vulnerability has been found in Fortinet FortiOS and FortiProxy. Tracked as CVE-2022-35843, the authentication bypass was identified in the SSH login component of FortiOS. The bug can only be triggered when RADIUS authentication is used. Manipulation with an unknown input leads to an authentication bypass by assumed-immutable data. The issue is classified as CWE-302: the authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

Multiple High Vulnerabilities in Google Chrome

Monday, 5 December, 2022

Google has released a security update for its Chrome browser on Windows, Mac and Linux, remediating 28 vulnerabilities, of which 8 are rated high and 20 medium by Chrome security severity. These vulnerabilities are related to memory safety bugs, including one out-of-bounds write issue.

Google has also disclosed a new vulnerability affecting Chromium-based browsers, which could lead to arbitrary code execution or an escape from the browser's security sandbox. An exploit for this vulnerability, CVE-2022-4262, already exists and is widely in use.

Actively Exploited Vulnerability in Google Chrome

Tuesday, 29 November, 2022

Google has released an emergency update to fix an actively exploited zero-day vulnerability in its Chrome web browser. The exploited vulnerability (CVE-2022-4135) is described as a heap buffer overflow in the GPU component.

The vulnerability allows a remote attacker to potentially perform a sandbox escape via a crafted HTML page. This means malicious content can bypass sandboxed environments to execute arbitrary commands on the victim machine.

Atlassian released a patch to address two critical flaws affecting Bitbucket Server, Data Centre & Crowd products

Monday, 21 November, 2022

Atlassian released a patch to address two critical flaws affecting Bitbucket Server, Data Centre & Crowd products.

The first weakness (CVE-2022-43781) is described as a case of command injection using environment variables in the software, which could allow an adversary with permission to control their username to gain code execution on the affected system.

Multiple security vulnerabilities in F5 BIG-IP and BIG-IQ devices

Monday, 21 November, 2022

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices. Below are the addressed vulnerabilities:

CVE-2022-41622: A cross-site request forgery (CSRF) vulnerability through iControl SOAP, leading to unauthenticated remote code execution. Successful exploitation allows an attacker to gain persistent root access to the device management interface. As per F5, if exploited, the vulnerability can compromise the complete system.

Zoom security advisories for multiple high severity vulnerabilities

Monday, 21 November, 2022

Zoom released security advisories for multiple high-severity vulnerabilities related to the Zoom client. Below are the addressed vulnerabilities:

CVE-2022-28766: The vulnerability is related to DLL injection in Windows 32-bit Zoom clients. A local low-privileged user could exploit this vulnerability to run arbitrary code in the context of the Zoom client.

Microsoft Exchange Zero Day Exploitable Vulnerabilities

Thursday, 10 November, 2022

There are two exploitable zero-day vulnerabilities in Microsoft Exchange: CVE-2022-41040 is an elevation of privilege vulnerability, and CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker. Successful exploitation may let an attacker execute commands, which may allow exfiltration of data and lateral movement to internal systems.

Cisco Releases Patches for Multiple Vulnerabilities

Sunday, 6 November, 2022

Cisco released patches for cross-site request forgery and insufficient access control vulnerabilities in Identity Services Engine (ISE).

The most severe of these issues is CVE-2022-2096, a cross-site request forgery (CSRF) flaw in Identity Services Engine (ISE) that could allow an unauthenticated, remote attacker to perform arbitrary actions on a vulnerable device.

Exploitable Vulnerability in SQLite Database Library

Monday, 31 October, 2022

An integer overflow vulnerability has been discovered in the SQLite database library. The vulnerability is identified as CVE-2022-35737 and rated high severity.

By exploiting the vulnerability, an attacker can execute arbitrary code and/or cause a denial of service on vulnerable systems. Mainly 64-bit systems are impacted by this vulnerability.

Multiple Code Execution Vulnerabilities in Juniper Junos OS Networking Devices

Monday, 31 October, 2022

Multiple high-severity vulnerabilities have been identified in Juniper Networks devices which can be exploited to attain code execution. J-Web is the main component of Junos OS that is directly impacted by a remote pre-authenticated PHP archive file deserialization vulnerability.

These vulnerabilities could also lead to unauthorized local file access, cross-site scripting attacks, path injection and traversal, or local file inclusion.