Security Vulnerabilities - CVEs Published In April 2022
IBM Maximo Asset Management 7.6.1.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-04-21
IBM Maximo Asset Management 7.6.1.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 224164.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-04-21
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the rendered page, we can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-04-21
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can exploit a lack of sanitization on SVG file uploads and inject javascript into their user avatar. As a result any user viewing the avatar will be subject to a cross site scripting attack. Users of GLPI are advised to upgrade. Users unable to upgrade should disallow SVG avatars.
CVSS Score
7.3
EPSS Score
0.003
Published
2022-04-21
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket's followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade.
CVSS Score
4.6
EPSS Score
0.003
Published
2022-04-21
Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Score
9.3
EPSS Score
0.003
Published
2022-04-21
Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Score
9.3
EPSS Score
0.003
Published
2022-04-21
Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0.
CVSS Score
7.3
EPSS Score
0.003
Published
2022-04-21
Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.5.0.
CVSS Score
8.1
EPSS Score
0.003
Published
2022-04-21
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4774.
CVSS Score
6.8
EPSS Score
0.001
Published
2022-04-21