Security Vulnerabilities - CVEs Published In February 2022
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
CVSS Score
5.7
EPSS Score
0.002
Published
2022-02-08
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVSS Score
7.7
EPSS Score
0.002
Published
2022-02-08
NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
CVSS Score
8.8
EPSS Score
0.005
Published
2022-02-08
Frourio is a full stack framework for TypeScript. Frourio users who use a frourio version prior to v0.26.0 together with the class-validator integration through the `validators/` folder are subject to an input validation vulnerability. Validators do not work properly for request bodies and queries in specific situations, and some input is not validated at all. Users are advised to update frourio to v0.26.0 or later and to install `class-transformer` and `reflect-metadata`.
CVSS Score
8.1
EPSS Score
0.004
Published
2022-02-07
Frourio-express is a minimal full stack framework for TypeScript. Frourio-express users who use a frourio-express version prior to v0.26.0 together with the class-validator integration through the `validators/` folder are subject to an input validation vulnerability. Validators do not work properly for request bodies and queries in specific situations, and some input is not validated at all. Users are advised to update frourio-express to v0.26.0 or later and to install `class-transformer` and `reflect-metadata`.
CVSS Score
8.1
EPSS Score
0.004
Published
2022-02-07
Buffer overflow in usb device class. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fm6v-8625-99jf
CVSS Score
8.2
EPSS Score
0.001
Published
2022-02-07
The RNDIS USB device class includes a buffer overflow vulnerability. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hvfp-w4h8-gxvj
CVSS Score
8.2
EPSS Score
0.0
Published
2022-02-07
QuickBox Pro v2.4.8 contains a cross-site scripting (XSS) vulnerability at "adminuseredit.php?usertoedit=XSS", as the user supplied input for the value of this parameter is not properly sanitized.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-02-07
twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects: the `Cookie` and `Authorization` headers of the original request are re-sent to the redirect target even when that target is a different origin. This issue is present in the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` classes. Users are advised to upgrade. There are no known workarounds.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-02-07
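The behaviour the twisted entry describes is easiest to see in a redirect-following client: the vulnerable pattern forwards every request header to wherever `Location` points, the hardened pattern compares origins first and drops credential-bearing headers when they differ. The following Python is an added illustration written for this page, not Twisted's own code; the URLs, the `RESPONSES` table and the token values are constructed so the walk-through runs offline, and the header names stripped are the two the advisory names (`Cookie` and `Authorization`).

```python
"""Added example: credential headers across cross-origin redirects.

Not Twisted's code. Models the redirect step of an HTTP client with a
constructed, in-memory table of responses so it runs without a network.
"""
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials for the *original* origin. The advisory
# names cookies and authorization headers; both are stripped when the
# redirect target is a different origin.
CREDENTIAL_HEADERS = {"authorization", "cookie"}

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url):
    """(scheme, host, port) tuple; default ports are normalised so
    https://a.example and https://a.example:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def headers_for_redirect_naive(request_url, location, headers):
    """Vulnerable pattern: every header, credentials included, follows the
    redirect regardless of where it points."""
    return urljoin(request_url, location), dict(headers)


def headers_for_redirect_safe(request_url, location, headers):
    """Hardened pattern: resolve the (possibly relative) Location against the
    request URL, keep credentials only for a same-origin target."""
    target = urljoin(request_url, location)
    if origin(target) == origin(request_url):
        return target, dict(headers)
    kept = {k: v for k, v in headers.items()
            if k.lower() not in CREDENTIAL_HEADERS}
    return target, kept


# Constructed responses (hypothetical hosts): an API that redirects one
# endpoint to an attacker-controlled origin and another to a same-origin path.
RESPONSES = {
    "https://api.example/private": (302, "https://evil.example/collect"),
    "https://evil.example/collect": (200, None),
    "https://api.example/old": (301, "/new"),
    "https://api.example/new": (200, None),
}


def follow(url, headers, responses, policy, max_redirects=5):
    """Walk the redirect chain, applying `policy` at each hop. Returns the
    list of (url, headers_sent) pairs, one per request actually made."""
    trail = []
    for _ in range(max_redirects + 1):
        trail.append((url, dict(headers)))
        status, location = responses[url]
        if status not in REDIRECT_STATUSES or location is None:
            return trail
        url, headers = policy(url, location, headers)
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    start = {"Authorization": "Bearer constructed-token",
             "Cookie": "session=abc", "Accept": "application/json"}
    for name, policy in (("naive", headers_for_redirect_naive),
                         ("safe", headers_for_redirect_safe)):
        last_url, sent = follow("https://api.example/private", start,
                                RESPONSES, policy)[-1]
        print(f"{name}: {last_url} received {sorted(sent)}")
```

Note that `origin()` treats `https://api.example` and `http://api.example` as different origins, so a scheme downgrade on the same host also drops the credentials; a relative `Location` such as `/new` resolves to the same origin and keeps them, which is the behaviour a user of `BrowserLikeRedirectAgent` expects.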
xrdp is an open source remote desktop protocol (RDP) server. In affected versions an integer underflow leading to a heap overflow in the sesman server allows any unauthenticated attacker which is able to locally access a sesman server to execute code as root. This vulnerability has been patched in version 0.9.18.1 and above. Users are advised to upgrade. There are no known workarounds.
CVSS Score
7.8
EPSS Score
0.004
Published
2022-02-07
Shodan ® - All rights reserved