Security Vulnerabilities - CVEs Published In February 2022
Cross-Site Request Forgery (CSRF) vulnerability leading to event deletion was discovered in Spiffy Calendar WordPress plugin (versions <= 4.9.0).
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2022-02-21
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Survey Maker WordPress plugin (versions <= 2.0.6).
CVSS Score: 4.7 | EPSS Score: 0.013 | Published: 2022-02-21
"Sametime Android PathTraversal Vulnerability"
CVSS Score: 5.5 | EPSS Score: 0.001 | Published: 2022-02-21
"Sametime Android potential path traversal vulnerability when using File class"
CVSS Score: 5.5 | EPSS Score: 0.001 | Published: 2022-02-21
A vulnerability in Brocade Fabric OS versions before Brocade Fabric OS v8.0.1b, v7.4.1d could allow an authenticated attacker within the restricted shell environment (rbash) as either the “user” or “factory” account, to read the contents of any file on the filesystem utilizing one of a few available binaries.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2022-02-21
Brocade Fabric OS before Brocade Fabric OS v8.2.1c, v8.1.2h, and all versions of Brocade Fabric OS v8.0.x and v7.x contain documented hard-coded credentials, which could allow attackers to gain access to the system.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2022-02-21
All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2022-02-21
Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause a remote Denial of Service.
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2022-02-21
A vulnerability in Qlik Sense Enterprise on Windows could allow a remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authentication requests to an affected system. A successful exploit could allow the attacker to compare the response times returned by the affected system to determine which accounts are valid user accounts. Affected systems are only vulnerable if they have LDAP configured. The affected URI is /internal_forms_authentication/; the response time of the form is longer if the supplied user does not exist and shorter if the user exists.
CVSS Score: 5.3 | EPSS Score: 0.005 | Published: 2022-02-21
Mattermost 6.3.0 and earlier fails to protect email addresses of the creator of the team via one of the APIs, which allows authenticated team members to access this information resulting in sensitive & private information disclosure.
CVSS Score: 4.3 | EPSS Score: 0.004 | Published: 2022-02-21


Shodan ® - All rights reserved