Security Vulnerabilities - CVEs Published In February 2022
A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.
CVSS Score
4.7
EPSS Score
0.0
Published
2022-02-18
ZEROF Web Server 2.0 allows /HandleEvent SQL Injection.
CVSS Score
9.8
EPSS Score
0.006
Published
2022-02-18
ZEROF Web Server 2.0 allows /admin.back XSS.
CVSS Score
6.1
EPSS Score
0.082
Published
2022-02-18
CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11.
CVSS Score
7.6
EPSS Score
0.214
Published
2022-02-18
Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.
CVSS Score
7.5
EPSS Score
0.001
Published
2022-02-18
Dart SDK contains the HTTPClient in dart:io library whcih includes authorization headers when handling cross origin redirects. These headers may be explicitly set and contain sensitive information. By default, HttpClient handles redirection logic. If a request is sent to example.com with authorization header and it redirects to an attackers site, they might not expect attacker site to receive authorization header. We recommend updating the Dart SDK to version 2.16.0 or beyond.
CVSS Score
6.5
EPSS Score
0.001
Published
2022-02-18
Heap-based Buffer Overflow in Homebrew mruby prior to 3.2.
CVSS Score
5.9
EPSS Score
0.003
Published
2022-02-18
Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker prior to 0.8.5,0.9.4,0.10.0,0.10.1.
CVSS Score
8.8
EPSS Score
0.003
Published
2022-02-18
Scoold 1.47.2 is a Q&A/knowledge base platform written in Java. When writing a Q&A, the markdown editor is vulnerable to a XSS attack when using uppercase letters.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-02-18
This affects the package sprinfall/webcc before 0.3.0. It is possible to traverse directories to fetch arbitrary files from the server.
CVSS Score
7.5
EPSS Score
0.004
Published
2022-02-18