Security Vulnerabilities - CVEs Published In April 2022
A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator.
CVSS Score: 9.0 | EPSS Score: 0.018 | Published: 2022-04-13
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior)
CVSS Score: 5.5 | EPSS Score: 0.002 | Published: 2022-04-13
In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, and 3.9.
CVSS Score: 7.6 | EPSS Score: 0.009 | Published: 2022-04-13
Directory Traversal vulnerability in file cn/roothub/store/FileSystemStorageService in function store in Roothub 2.6.0 allows remote attackers with low privilege to arbitrarily upload files via the /common/upload API, which could lead to remote arbitrary code execution.
CVSS Score: 8.0 | EPSS Score: 0.02 | Published: 2022-04-13
An access control issue in the authentication module of wizplat PD065 v1.19 allows attackers to access sensitive data and cause a Denial of Service (DoS).
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2022-04-13
An XSS issue was discovered in MantisBT before 2.25.3. Improper escaping of a Plugin name allows execution of arbitrary code (if CSP allows it) in manage_plugin_page.php and manage_plugin_uninstall.php when a crafted plugin is installed.
CVSS Score: 6.1 | EPSS Score: 0.009 | Published: 2022-04-13
An issue in EasyIO CPT Graphics v0.8 allows attackers to discover valid users in the application.
CVSS Score: 5.3 | EPSS Score: 0.003 | Published: 2022-04-13
A PHP Local File Inclusion vulnerability in the Redbasic theme for Hubzilla before version 7.2 allows remote attackers to include arbitrary PHP files via the schema parameter.
CVSS Score: 6.1 | EPSS Score: 0.007 | Published: 2022-04-13
CMSimple 5.4 is vulnerable to Directory Traversal. The vulnerability exists when a user changes the file name to a malicious file in config.php, leading to remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.114 | Published: 2022-04-13
Froxlor through 0.10.22 does not perform validation on user input passed in the customermail GET parameter. The value of this parameter is reflected in the login webpage, allowing the injection of arbitrary HTML tags.
CVSS Score: 6.1 | EPSS Score: 0.004 | Published: 2022-04-13