Security Vulnerabilities - CVEs Published In April 2022
Bender/ebee Charge Controllers in multiple versions are prone to an RFID leak. The RFID of the last charge event can be read without authentication via the web interface.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2022-04-27
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1, it is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders that have these characters in the middle of their names, so this might be an opportunity for injection. This issue is fixed in versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1. There are currently no known workarounds.
CVSS Score: 4.3 | EPSS Score: 0.001 | Published: 2022-04-27
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "recommended" apps for the Nextcloud server that they do not need, thus expanding their attack surface unnecessarily. This issue is fixed in versions 21.0.8, 22.2.4, and 23.0.1.
CVSS Score: 2.4 | EPSS Score: 0.001 | Published: 2022-04-27
Due to a build misconfiguration in its openssl dependency, LINE for Windows before 7.8 is vulnerable to DLL injection that could lead to privilege escalation.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2022-04-27
Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds.
CVSS Score: 2.2 | EPSS Score: 0.001 | Published: 2022-04-27
Nextcloud Talk is a video and audio conferencing app for Nextcloud, a self-hosted productivity platform. Prior to versions 11.3.4, 12.2.2, and 13.0.0, when sharing a Deck card in a conversation, the metaData can be manipulated so that users can be tricked into opening arbitrary URLs. This issue is fixed in versions 11.3.4, 12.2.2, and 13.0.0. There are currently no known workarounds.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2022-04-27
In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2022-04-27
In ControlUp Real-Time Agent before 8.6, an unquoted path can result in privilege escalation. An attacker would require write permissions to the root level of the OS drive (C:\) to exploit this.
CVSS Score: 7.2 | EPSS Score: 0.004 | Published: 2022-04-27
Apifox through 2.1.6 is vulnerable to cross-site scripting (XSS), which can lead to remote code execution.
CVSS Score: 9.0 | EPSS Score: 0.011 | Published: 2022-04-27
Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.1, users can bypass a lock on the Nextcloud app on an Android device by repeatedly reopening the app. Version 3.19.1 contains a fix for the problem. There are currently no known workarounds.
CVSS Score: 2.0 | EPSS Score: 0.001 | Published: 2022-04-27
Shodan ® - All rights reserved