Security Vulnerabilities - CVEs Published In February 2022
NULL Pointer Dereference in Homebrew mruby prior to 3.2.
CVSS Score: 5.5 | EPSS Score: 0.003 | Published: 2022-02-19
Out-of-bounds Read in Homebrew mruby prior to 3.2.
CVSS Score: 7.1 | EPSS Score: 0.003 | Published: 2022-02-19
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
CVSS Score: 6.5 | EPSS Score: 0.009 | Published: 2022-02-19
Unrestricted Upload of File with Dangerous Type in Packagist showdoc/showdoc prior to 2.10.2.
CVSS Score: 7.2 | EPSS Score: 0.002 | Published: 2022-02-19
sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2022-02-19
An issue was discovered in the Kitodo.Presentation (aka dif) extension before 2.3.2, 3.x before 3.2.3, and 3.3.x before 3.3.4 for TYPO3. A missing access check in an eID script allows an unauthenticated user to submit arbitrary URLs to this component. This results in SSRF, allowing attackers to view the content of any file or webpage the webserver has access to.
CVSS Score: 7.5 | EPSS Score: 0.009 | Published: 2022-02-19
An issue was discovered in the Varnishcache extension before 2.0.1 for TYPO3. The Edge Site Includes (ESI) content element renderer component does not include an access check. This allows an unauthenticated user to render various content elements, resulting in insecure direct object reference (IDOR), with the potential of exposing internal content elements.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2022-02-19
Cryptomator through 1.6.5 allows DYLIB injection because, although it has the flag 0x1000 for Hardened Runtime, it has the com.apple.security.cs.disable-library-validation and com.apple.security.cs.allow-dyld-environment-variables entitlements. An attacker can exploit this by creating a malicious .dylib file that can be executed via the DYLD_INSERT_LIBRARIES environment variable.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2022-02-19
Docker Desktop before 4.5.1 on Windows allows attackers to move arbitrary files. NOTE: this issue exists because of an incomplete fix for CVE-2022-23774.
CVSS Score: 7.8 | EPSS Score: 0.019 | Published: 2022-02-19
SAS Web Report Studio 4.4 allows XSS. /SASWebReportStudio/logonAndRender.do has two parameters: saspfs_request_backlabel_list and saspfs_request_backurl_list. The first one affects the content of the button placed in the top left. The second affects the page to which the user is directed after pressing the button, e.g., a malicious web page. In addition, the second parameter executes JavaScript, which means XSS is possible by adding a javascript: URL.
CVSS Score: 6.1 | EPSS Score: 0.007 | Published: 2022-02-19

