Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In April 2022
nopCommerce 4.50.1 is vulnerable to Cross-Site Scripting (XSS). An attacker with the customer role can inject JavaScript code into the First name or Last name fields on the Customer Info page.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-04-26
Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin <= 0.21.19 on WordPress, exploitable by users with the contributor role or higher via the wpt_test_page_submit_button_caption parameter.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-04-26
A path traversal vulnerability in XPLATFORM's runtime archive function could lead to arbitrary file creation. When a .xzip archive file is decompressed, an arbitrary file can be created in the parent path by using the path traversal pattern '..\'.
CVSS Score: 8.8 | EPSS Score: 0.018 | Published: 2022-04-26
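The XPLATFORM entry above is the classic "zip slip" pattern: an entry name inside the archive carries parent-directory steps, and the extractor joins it onto the destination directory without checking where the result lands. The following added example (written for this page, not XPLATFORM's code; the archive contents and the .bat entry name are constructed) builds an in-memory archive with such an entry and shows an extractor that rejects it. The check normalises backslashes first, because on POSIX `'..\'` is just bytes in a filename while a Windows extractor treats it as a traversal step, so a check that only looks for `'../'` misses exactly this payload.

```python
import io
import os
import zipfile

# Constructed sample archive (hypothetical payload, not a real XPLATFORM .xzip):
# one entry uses the Windows-style traversal pattern '..\' described above.
MALICIOUS_ENTRY = "..\\..\\startup\\evil.bat"


def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MALICIOUS_ENTRY, "@echo off\r\n")
        zf.writestr("app/index.html", "<html></html>")
    return buf.getvalue()


def is_safe_member(name: str, dest_dir: str) -> bool:
    """True only if extracting `name` cannot land outside dest_dir.

    Backslashes are normalised before checking: a Windows extractor honours '..\\'
    as a parent-directory step, while on POSIX '\\' is an ordinary filename byte,
    so a check that only looks for '../' would pass this payload.
    """
    normalised = name.replace("\\", "/")
    parts = normalised.split("/")
    if normalised.startswith("/") or ":" in parts[0]:
        return False  # absolute path or drive letter such as C:
    if any(p == ".." for p in parts):
        return False  # reject every parent-directory step, even ones that cancel out
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, *parts))
    return target == base or target.startswith(base + os.sep)


def safe_extract(archive_bytes: bytes, dest_dir: str):
    """Extract only members that resolve under dest_dir.

    Returns (extracted, rejected) lists of entry names.
    """
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest_dir):
                rejected.append(info.filename)
                continue
            parts = info.filename.replace("\\", "/").split("/")
            out_path = os.path.join(dest_dir, *parts)
            if info.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with zf.open(info) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            extracted.append("/".join(parts))
    return extracted, rejected


def run_demo():
    """Extract the constructed archive into a temp dir; returns (extracted, rejected)."""
    import tempfile
    dest = tempfile.mkdtemp(prefix="xzip_")
    return safe_extract(build_sample_archive(), dest)


if __name__ == "__main__":
    extracted, rejected = run_demo()
    print("extracted:", extracted)
    print("rejected: ", rejected)
```

Python's own `ZipFile.extract()` already strips `..` components, so the point of the hand-written loop is the shape of the check for an extractor that does not: canonicalise the name, refuse absolute paths and drive letters, refuse any `..` step, and only then compare the resolved target against the resolved base with a trailing separator (without the separator, `/out` would also accept `/outside/...`).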
Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin <= 0.21.19 on WordPress, exploitable by users with the contributor role or higher.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-04-26
Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload.
CVSS Score: 4.7 | EPSS Score: 0.003 | Published: 2022-04-26
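SVG is XML, not a bitmap, so an "image" upload can carry `<script>` elements, `on*` event handlers and `javascript:` links that run when the file is opened directly in the browser on the site's origin. The added example below (written for this page, not the Tripetto plugin's code; both SVG samples are constructed) is a minimal pre-storage check that walks the parsed tree and reports each script-bearing construct it finds, including the obfuscated `java<TAB>script:` form that a plain prefix test would miss.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not taken from the plugin or any real upload): a benign icon,
# and an "image" that carries script three different ways.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.cookie)</script>
  <rect width="10" height="10" onload="alert(1)"/>
  <a xlink:href="java&#x09;script:alert(2)"><text>click</text></a>
</svg>"""

FORBIDDEN_ELEMENTS = {"script", "foreignobject"}


def _local(qname: str) -> str:
    """Strip an ElementTree '{namespace}name' prefix and lower-case the name."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes):
    """Return the reasons an uploaded SVG should be rejected (empty list == clean)."""
    try:
        # For untrusted input in production, parse with defusedxml instead of the
        # stdlib parser so DTD/entity tricks are refused as well (assumption: not
        # installed here, so the stdlib parser is used).
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return ["root element is not <svg>"]
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            # Collapse whitespace so 'java<TAB>script:' is caught as well.
            if aname == "href" and "".join(value.split()).lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


if __name__ == "__main__":
    print("benign:   ", svg_findings(BENIGN_SVG))
    print("malicious:", svg_findings(MALICIOUS_SVG))
```

A deny-list like this is a first line, not the whole defence: `<style>` with `url()` payloads, external `<image>` references and `<use>` targets also need review, and uploads should be served from a separate origin, or with `Content-Disposition: attachment` or a `Content-Security-Policy: script-src 'none'` header, so that a construct the filter misses still cannot run in the site's origin.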
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2022-04-26
Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only serialized for people who could view assignment info, which is limited to staff by default. For the vast majority of sites this data was only leaked to trusted staff members, but on sites with assign features enabled publicly it was accessible to more people than just staff. Version 1.0.1 contains a patch. There are currently no known workarounds.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2022-04-26
Insufficient script validation on the admin page enables XSS, which lets unauthorized users steal admin privileges. When uploading a file in a specific menu, file verification is insufficient, allowing remote attackers to upload arbitrary files disguised as image files.
CVSS Score: 8.1 | EPSS Score: 0.003 | Published: 2022-04-26
An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor authentication (2FA).
CVSS Score: 5.5 | EPSS Score: 0.001 | Published: 2022-04-26
Stored XSS in the GitHub repository getgrav/grav prior to 1.7.33.
CVSS Score: 8.2 | EPSS Score: 0.003 | Published: 2022-04-26
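Several entries in this list (nopCommerce First name / Last name, the two Psychological tests & quizzes plugin entries, the admin-page XSS and Grav) are the same root cause: a stored string is written back into a page without output encoding for the context it lands in. The added example below (written for this page; none of the listed projects' code, and the payload is constructed) shows the vulnerable concatenation next to the encoded forms for the two contexts a profile name usually reaches: HTML element content and a quoted attribute, handled by `html.escape(quote=True)`, and a `<script>` block, where HTML entities are not decoded and a JSON literal with `<` and `>` hex-escaped is the correct tool instead.

```python
import html
import json

# Constructed payload of the kind the entries above describe: a customer's
# "First name" field containing markup instead of a name.
FIRST_NAME_PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_profile_unsafe(first_name: str) -> str:
    """The vulnerable pattern: stored user data concatenated straight into markup."""
    return (f'<input name="firstname" value="{first_name}">'
            f'<p>Hello, {first_name}</p>')


def render_profile_safe(first_name: str) -> str:
    """HTML-encode for element content and, with quote=True, for quoted attributes."""
    enc = html.escape(first_name, quote=True)
    return (f'<input name="firstname" value="{enc}">'
            f'<p>Hello, {enc}</p>')


def render_js_safe(first_name: str) -> str:
    """Inside a <script> block entities are not decoded, so html.escape is the
    wrong tool: emit a JSON string literal and hex-escape '<' and '>' so that
    '</script>' can never appear inside the literal."""
    literal = json.dumps(first_name).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var firstName = {literal};</script>"


def payload_script_visible(markup: str) -> bool:
    """Does the injected <script>alert( tag reach the browser as real markup?"""
    return "<script>alert(" in markup.lower()


if __name__ == "__main__":
    for fn in (render_profile_unsafe, render_profile_safe, render_js_safe):
        out = fn(FIRST_NAME_PAYLOAD)
        print(f"{fn.__name__:22} payload executes: {payload_script_visible(out)}")
        print("   ", out)
```

The attribute case is why `quote=True` matters: without it `"` is left alone, the payload closes the `value` attribute early, and the rest of the string is parsed as new markup even though `<` and `>` were encoded elsewhere on the page.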
Shodan ® - All rights reserved