Security Vulnerabilities - CVEs Published In April 2022
NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is capable of crashing radare2, thus affecting the availability of the system.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-04-18
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.8. The bug causes the program to read data past the end of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.
CVSS Score
4.8
EPSS Score
0.002
Published
2022-04-18
Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).
CVSS Score
5.3
EPSS Score
0.018
Published
2022-04-16
Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details.
CVSS Score
5.3
EPSS Score
0.018
Published
2022-04-16
Wasm3 0.5.0 has a heap-based buffer overflow in NewCodePage in m3_code.c (called indirectly from Compile_BranchTable in m3_compile.c).
CVSS Score
5.5
EPSS Score
0.001
Published
2022-04-16
Stored Cross-Site Scripting vulnerability in the Item name parameter in GitHub repository snipe/snipe-it prior to v5.4.3. The vulnerability is capable of stealing the user's cookie (where the session cookie is not marked HttpOnly).
CVSS Score
9.1
EPSS Score
0.002
Published
2022-04-16
ForestBlog through 2022-02-16 allows admin/profile/save userAvatar XSS during addition of a user avatar.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-04-16
Kentico CMS before 13.0.66 has an Insecure Direct Object Reference vulnerability. It allows an attacker with user management rights (default is Administrator) to export the user options of any user, even ones with higher privileges (like Global Administrators) than the current user. The exported XML contains every option of the exported user (even the hashed password).
CVSS Score
4.9
EPSS Score
0.003
Published
2022-04-16
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.
CVSS Score
8.8
EPSS Score
0.001
Published
2022-04-15
Notable before 1.9.0-beta.8 doesn't effectively prevent the opening of executable files when clicking on a link. There is improper validation of the file URI scheme. A hyperlink to an SMB share could lead to execution of an arbitrary program (or theft of NTLM credentials via an SMB relay attack, because the application resolves UNC paths).
CVSS Score
8.8
EPSS Score
0.003
Published
2022-04-15
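The Notable issue above comes down to a missing scheme check in front of the OS link opener: anything that parses is handed over, so a file: URL or a UNC path ends up launching a program or resolving a network share. What follows is an added example, not Notable's code, of an allow-list gate a desktop application can put in front of its opener (Electron's shell.openExternal, for instance). Only http, https and mailto pass; file: and smb: URLs are refused regardless of case, and UNC paths are rejected before anything could resolve them and trigger an outbound SMB authentication. The sample links, the attacker.example hostname and the function names are constructed for this demonstration.

```javascript
// Added example (not Notable's code): allow-list validation for hyperlinks
// before they reach the OS opener (e.g. Electron's shell.openExternal).
// Schemes that can launch a local program or resolve a network share are refused
// up front, because even resolving a UNC path can leak NTLM credentials.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns { allow, reason, href } for a link found in a document.
function classifyLink(rawHref) {
  if (typeof rawHref !== 'string') {
    return { allow: false, reason: 'href is not a string' };
  }
  const href = rawHref.trim();

  // UNC paths (\\server\share\prog.exe) and their forward-slash form (//server/share)
  // do not parse as absolute URLs, but reject them explicitly so the reason is
  // visible in logs and so a different opener can never resolve them as a network path.
  if (/^[\\/]{2}/.test(href)) {
    return { allow: false, reason: 'UNC path refused' };
  }

  let url;
  try {
    url = new URL(href); // throws on relative or otherwise unparseable input
  } catch (e) {
    return { allow: false, reason: 'not an absolute URL' };
  }

  // The URL parser lower-cases the scheme, so FILE:// and file:// both become 'file:'.
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allow: false, reason: `scheme ${url.protocol} not in allow-list` };
  }

  return { allow: true, reason: 'ok', href: url.href };
}

// Gate in front of the platform opener. The opener is passed in so the function
// runs without Electron; in an Electron app pass shell.openExternal here.
function openLinkSafely(rawHref, openExternal) {
  const verdict = classifyLink(rawHref);
  if (verdict.allow) {
    openExternal(verdict.href);
  }
  return verdict;
}

// Constructed sample links, including the shapes the advisory describes.
const SAMPLE_LINKS = [
  'https://example.com/notes',
  'mailto:someone@example.com',
  'file:///C:/Windows/System32/calc.exe',
  'FILE://attacker.example/share/payload.exe',
  'smb://attacker.example/share/payload.exe',
  '\\\\attacker.example\\share\\payload.exe',
  '//attacker.example/share/payload.exe',
  'javascript:alert(1)',
  'notes/relative.md',
];

for (const href of SAMPLE_LINKS) {
  const verdict = openLinkSafely(href, (h) => console.log('  would open:', h));
  console.log(verdict.allow ? 'ALLOW' : 'BLOCK', JSON.stringify(href), '-', verdict.reason);
}
```

The ordering is the point: the UNC and scheme checks run before any call that could resolve the target, and the allow-list is on schemes rather than a deny-list of known-bad ones, so an unexpected scheme (smb:, javascript:, a custom handler) fails closed instead of falling through to the opener.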
Shodan ® - All rights reserved