Security Vulnerabilities - CVEs Published In February 2022
Multiple Cross Site Scripting (XSS) vulnerabilities exists in bloofoxCMS 0.5.2.1 - 0.5.1 via the (1) file parameter and (2) type parameter in an edit action in index.php.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-02-24
Multiple SQL Injection vulnerabilities exist in bloofoxCMS 0.5.2.1 - 0.5.1 via the (1) URLs, (2) lang_id, (3) tmpl_id, (4) mod_rewrite (5) eta_doctype. (6) meta_charset, (7) default_group, and (8) page group parameters in the settings mode in admin/index.php.
CVSS Score
9.8
EPSS Score
0.007
Published
2022-02-24
A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position is that plugins intentionally can contain arbitrary PHP code, and can only be installed by a superadmin, and therefore the security model is not violated by this finding.
CVSS Score
8.8
EPSS Score
0.683
Published
2022-02-24
A Directory Traversal vulnerability exists in WeBankPartners wecube-platform 3.2.1 via the file variable in PluginPackageController.java.
CVSS Score
7.5
EPSS Score
0.006
Published
2022-02-24
A Cross Site Scripting (XSS) vulnerability exits in Subrion CMS through 4.2.1 in the Create Page functionality of the admin Account via a SGV file.
CVSS Score
4.8
EPSS Score
0.002
Published
2022-02-24
An issue was discovered in USBGuard before 1.1.0. On systems with the usbguard-dbus daemon running, an unprivileged user could make USBGuard allow all USB devices to be connected in the future.
CVSS Score
7.8
EPSS Score
0.0
Published
2022-02-24
A Directory Traversal vulnerability exits in Processwire CMS before 2.7.1 via the download parameter to index.php.
CVSS Score
7.5
EPSS Score
0.798
Published
2022-02-24
LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both "X509Data" and "KeyValue" children of the "KeyInfo" tag, which when opened caused LibreOffice to verify using the "KeyValue" but to report verification with the unrelated "X509Data" value. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.5.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-02-24
Denial of Service in GitHub repository radareorg/radare2 prior to 5.6.4.
CVSS Score
6.8
EPSS Score
0.003
Published
2022-02-24
Affected versions of Atlassian Jira Service Management Server and Data Center allow attackers with administrator privileges to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the "Object Schema" field of /secure/admin/InsightDefaultCustomFieldConfig.jspa. The affected versions are before version 4.21.0.
CVSS Score
4.8
EPSS Score
0.005
Published
2022-02-24