Security Vulnerabilities - CVEs Published In February 2022
AtomCMS v2.0 was discovered to contain a SQL injection vulnerability via /admin/login.php.
CVSS Score: 9.8 | EPSS Score: 0.651 | Published: 2022-02-01
Ivanti Service Manager 2021.1 allows reflected XSS via the appName parameter associated with ConfigDB calls, such as in RelocateAttachments.aspx.
CVSS Score: 6.1 | EPSS Score: 0.015 | Published: 2022-02-01
UNIVERGE DT 820 V3.2.7.0 and prior, UNIVERGE DT 830 V5.2.7.0 and prior, UNIVERGE DT 930 V2.4.0.0 and prior, IP Phone Manager V8.9.1 and prior, Data Maintenance Tool for DT900 Series V5.3.0.0 and prior, and Data Maintenance Tool for DT800 Series V4.2.0.0 and prior allow a remote attacker with access to the internal network to obtain configuration information.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2022-02-01
SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the id parameter in view-service.php.
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2022-02-01
SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the username field in login.php.
CVSS Score: 9.8 | EPSS Score: 0.678 | Published: 2022-02-01
Apache Superset up to and including 1.3.2 allowed authenticated users to obtain the passwords of registered database connections. This information could be accessed in a non-trivial way. Users should upgrade to Apache Superset 1.4.0 or higher.
CVSS Score: 6.5 | EPSS Score: 0.753 | Published: 2022-02-01
Path Traversal in NPM w-zip prior to 1.0.12.
CVSS Score: 9.4 | EPSS Score: 0.007 | Published: 2022-02-01
Heap-based buffer overflow in GitHub repository vim/vim prior to 8.2.
CVSS Score: 8.4 | EPSS Score: 0.003 | Published: 2022-02-01
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by injecting a random token into the form and using the session to store and verify the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled through the configuration. If the configuration is not specified, the mechanism is enabled by default as long as the session is enabled. In a recent change to the way the configuration is loaded, that default behavior was dropped; as a result, CSRF protection is not enabled in forms unless it is explicitly enabled, which makes the application susceptible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue.
CVSS Score: 8.1 | EPSS Score: 0.002 | Published: 2022-02-01
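As an added illustration that is not part of the Shodan listing or of the Symfony advisory, the two FrameworkBundle configurations the description contrasts: one that relies on the default the advisory says was dropped, and one that enables form CSRF protection explicitly. The file path and the `field_name` value are assumptions; the keys are Symfony's documented `framework.csrf_protection` and `framework.form.csrf_protection` options.

```yaml
# config/packages/framework.yaml  (path assumed; standard Symfony Flex layout)
#
# Variant 1 - relies on the default. On the affected versions the default
# described above was dropped, so forms built with this configuration carry
# no CSRF token check even though the session is enabled.
framework:
    session:
        enabled: true
---
# Variant 2 - enables the CSRF token manager and form CSRF protection
# explicitly, so the application no longer depends on the framework default.
framework:
    session:
        enabled: true
    csrf_protection:
        enabled: true
    form:
        csrf_protection:
            enabled: true
            field_name: _token   # Symfony's default field name, stated explicitly here
```

The two variants are written as separate YAML documents for side-by-side reading; a real `framework.yaml` holds only one of them. With the explicit variant in place, `php bin/console debug:config framework form` should show `csrf_protection` with `enabled: true` under `form`. Per the advisory, updating to the patched versions remains the fix; the explicit setting only removes the reliance on the default that the advisory says was dropped.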
The Custom Dashboard & Login Page WordPress plugin before 7.0 does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2022-02-01
Shodan ® - All rights reserved