Security Vulnerabilities - CVEs Published In February 2022
Maxsite CMS v108 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the parameter f_tags at /admin/page_edit/3.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-02-28
A Remote Code Execution (RCE) vulnerability exists in DataRobot through 2021-10-28 because it allows submission of a Docker environment or Java driver.
CVSS Score: 9.8 | EPSS Score: 0.026 | Published: 2022-02-28
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. There are currently no known workarounds.
CVSS Score: 6.4 | EPSS Score: 0.002 | Published: 2022-02-28
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could cause Scheduled Jobs to execute, or not execute on desired calendar days. Severity depends on trust level of authenticated users and impact of running or not running scheduled jobs on days governed by calendar definitions. Version 3.4.5 contains a patch for this issue. There are currently no known workarounds.
CVSS Score: 8.1 | EPSS Score: 0.002 | Published: 2022-02-28
Ice Hrm 30.0.0.OS was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities via the "key" and "fm" parameters in the component login.php.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2022-02-28
Ice Hrm 30.0.0.OS was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the "m" parameter in the Dashboard of the current user. This vulnerability allows attackers to compromise session credentials via user interaction with a crafted link.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2022-02-28
A stored cross-site scripting (XSS) vulnerability in Ice Hrm 30.0.0.OS allows attackers to steal cookies via a crafted payload inserted into the First Name field.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-02-28
Audio File commit 004065d was discovered to contain a heap-buffer overflow in the function fourBytesToInt():AudioFile.h.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2022-02-28
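The entry above names only the function and header, not which caller passes the out-of-range index. The following is an added illustration, not AudioFile's own code: a little-endian 4-byte read helper in the style the function name suggests, which trusts a file-supplied offset, beside a bounds-checked version and a chunk-size check, run over a constructed 12-byte header whose declared size is larger than the buffer. All identifiers, the sample bytes and the RIFF-style layout are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Returned by fourBytesToIntChecked when the requested 4-byte window is not
// entirely inside the buffer. INT64_MIN cannot collide with any int32_t value.
static const int64_t kReadOutOfRange = INT64_MIN;

// Constructed sample (not a real file): a 12-byte RIFF/WAVE-style header whose
// size field at bytes 4..7 (0x7FFFFFF0) claims far more data than the buffer
// holds. No byte beyond index 11 exists in this vector.
static const std::vector<uint8_t> kSampleHeader = {
    'R', 'I', 'F', 'F',  0xF0, 0xFF, 0xFF, 0x7F,  'W', 'A', 'V', 'E'
};

// Constructed well-formed counterpart: declared size 4, matching exactly the
// four bytes of "WAVE" that follow the size field.
static const std::vector<uint8_t> kWellFormedHeader = {
    'R', 'I', 'F', 'F',  0x04, 0x00, 0x00, 0x00,  'W', 'A', 'V', 'E'
};

// The bug class: a little-endian 4-byte read that trusts startIndex.
// std::vector::operator[] performs no bounds check, so startIndex + 3 >= size()
// reads past the heap allocation (the heap-buffer overflow a sanitizer reports).
// Kept only to show the pattern; the callers below never reach it unchecked.
static int32_t fourBytesToIntUnchecked(const std::vector<uint8_t>& source, size_t startIndex) {
    uint32_t v = (static_cast<uint32_t>(source[startIndex + 3]) << 24) |
                 (static_cast<uint32_t>(source[startIndex + 2]) << 16) |
                 (static_cast<uint32_t>(source[startIndex + 1]) << 8)  |
                  static_cast<uint32_t>(source[startIndex]);
    return static_cast<int32_t>(v);
}

// Hardened reader: fails closed unless all four bytes are inside the buffer.
// The test is written as startIndex > size() - 4 (after checking size() >= 4)
// so that a huge file-supplied startIndex cannot wrap startIndex + 3 around.
static int64_t fourBytesToIntChecked(const std::vector<uint8_t>& source, size_t startIndex) {
    if (source.size() < 4 || startIndex > source.size() - 4) {
        return kReadOutOfRange;
    }
    return fourBytesToIntUnchecked(source, startIndex);
}

// First step of a chunk walker over untrusted input: read the declared size
// at offset 4 and accept it only if the region it describes, [8, 8 + size),
// lies inside the buffer. Computed in 64 bits so the addition cannot overflow.
static bool declaredSizeFits(const std::vector<uint8_t>& data) {
    int64_t size = fourBytesToIntChecked(data, 4);
    if (size == kReadOutOfRange || size < 0) {
        return false;
    }
    uint64_t end = 8 + static_cast<uint64_t>(size);
    return end <= data.size();
}
```

The two checks are independent: the bounded reader protects every individual read, and the size validation stops the parser from computing a later offset from a value the file controls. Either one alone leaves a gap, since a correctly bounded read of a bad size still feeds a bad offset into the next read.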
Dropbox Lepton v1.2.1-185-g2a08b77 was discovered to contain a heap-buffer-overflow in the function aligned_dealloc():src/lepton/bitops.cc:108.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2022-02-28
qrcp through 0.8.4, in receive mode, allows ../ Directory Traversal via the file name specified by the uploader.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2022-02-28
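qrcp is a Go project; the code below is an added C++ illustration (not qrcp's own code, written in C++ to keep one language across the examples on this page) of the two defenses a receive endpoint needs against a traversal name like the one described above: reduce the uploader-supplied name to a single path component, then confirm that the joined path, after lexical normalization, still lies under the receive directory. The function names, the receive directory and the sample file names are assumptions made for the example.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// First defense: reduce an uploader-supplied name to a single path component.
// Both '/' and '\\' count as separators so "..\\..\\x" is handled on Windows
// hosts too. Returns "" when the name must be rejected outright.
static std::string sanitizeUploadName(const std::string& name) {
    if (name.find('\0') != std::string::npos) {
        return "";  // an embedded NUL would truncate the name at the OS boundary
    }
    size_t cut = name.find_last_of("/\\");
    std::string base = (cut == std::string::npos) ? name : name.substr(cut + 1);
    if (base.empty() || base == "." || base == "..") {
        return "";
    }
    return base;
}

// Lexically normalizes an absolute POSIX path: collapses repeated '/', drops
// "." components, resolves ".." against the preceding component and never
// climbs above "/". Purely string-based; it does not consult the filesystem.
static std::string normalizePath(const std::string& path) {
    std::vector<std::string> parts;
    std::string cur;
    auto flush = [&]() {
        if (cur == "..") {
            if (!parts.empty()) parts.pop_back();
        } else if (!cur.empty() && cur != ".") {
            parts.push_back(cur);
        }
        cur.clear();
    };
    for (char c : path) {
        if (c == '/') flush(); else cur.push_back(c);
    }
    flush();
    std::string out;
    for (const std::string& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// Second defense: after normalization, candidate must equal root or sit under
// root followed by '/'. A plain prefix test is not enough, since "/tmp/abc"
// must not count as inside "/tmp/a".
static bool staysInsideRoot(const std::string& root, const std::string& candidate) {
    std::string r = normalizePath(root);
    std::string c = normalizePath(candidate);
    if (r == "/") return true;
    return c == r ||
           (c.size() > r.size() && c.compare(0, r.size(), r) == 0 && c[r.size()] == '/');
}

// Builds the path an upload will be written to, or "" if it must be refused.
// The naive join receiveDir + "/" + uploadName is what lets "../" escape.
static std::string destinationPath(const std::string& receiveDir, const std::string& uploadName) {
    std::string base = sanitizeUploadName(uploadName);
    if (base.empty()) return "";
    std::string joined = receiveDir + "/" + base;
    // A single component cannot escape, but verify anyway so that a future
    // change to sanitizeUploadName cannot silently reopen the hole.
    return staysInsideRoot(receiveDir, joined) ? joined : "";
}
```

Taking the base name is the fix that matters for an upload endpoint, because the uploader has no legitimate reason to choose a directory. The containment check is the general form of the same defense and is what to use when a client is allowed to name a relative path below the root; note that it is lexical only, so symlinks inside the receive directory still need a filesystem-level check.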
Shodan ® - All rights reserved