Security Vulnerabilities - CVEs Published In April 2022
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. IBM X-Force ID: 209691.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2022-04-22
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings. IBM X-Force ID: 209693.
CVSS Score: 4.6 | EPSS Score: 0.003 | Published: 2022-04-22
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 could allow an authenticated user to view report pages that they should not have access to. IBM X-Force ID: 209697.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2022-04-22
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 211240.
CVSS Score: 5.4 | EPSS Score: 0.007 | Published: 2022-04-22
Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a payload that runs without user interaction.
CVSS Score: 6.3 | EPSS Score: 0.342 | Published: 2022-04-22
In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.
CVSS Score: 7.0 | EPSS Score: 0.001 | Published: 2022-04-22
service_windows.go in the kardianos service package for Go omits quoting that is sometimes needed for execution of a Windows service executable from the intended directory. NOTE: this finding could not be reproduced by its original reporter or by others.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2022-04-22
There is a pointer double free vulnerability in Some MIUI Services. When a function is called, the memory pointer is copied to two function modules, and an attacker can cause the pointer to be repeatedly released through malicious operations, resulting in the affected module crashing and affecting normal functionality, and if successfully exploited the vulnerability can cause elevation of privileges.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2022-04-22
An attacker may be able to inject client-side JavaScript code on multiple instances within all versions of Uffizio GPS Tracker.
CVSS Score: 7.1 | EPSS Score: 0.002 | Published: 2022-04-22
All versions of Uffizio GPS Tracker may allow an attacker to perform unintended actions on behalf of a user.
CVSS Score: 4.3 | EPSS Score: 0.001 | Published: 2022-04-22