Security Vulnerabilities - CVEs Published In April 2022
DSCMS v3.0 was discovered to contain an arbitrary file deletion vulnerability via /controller/Adv.php.
CVSS Score: 9.1 | EPSS Score: 0.003 | Published: 2022-04-28
A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter.
CVSS Score: 4.9 | EPSS Score: 0.671 | Published: 2022-04-28
Elcomplus SmartPTT is vulnerable when an attacker injects JavaScript code into a specific parameter that can be executed upon accessing the dashboard or the main page.
CVSS Score: 9.0 | EPSS Score: 0.002 | Published: 2022-04-28
Elcomplus SmartPTT is vulnerable as the backup and restore system does not adequately validate upload requests, enabling a malicious user to potentially upload arbitrary files.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2022-04-28
Elcomplus SmartPTT is vulnerable when a low-authenticated user can access higher level administration authorization by issuing requests directly to the desired endpoints.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2022-04-28
Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2022-04-28
The Zoom Client for Meetings for MacOS (Standard and for IT Admin) prior to version 5.9.6 failed to properly check the package version during the update process. This could lead to a malicious actor updating an unsuspecting user’s currently installed version to a less secure version.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2022-04-28
The Zoom Client for Meetings for Windows prior to version 5.9.7, Zoom Rooms for Conference Room for Windows prior to version 5.10.0, Zoom Plugins for Microsoft Outlook for Windows prior to version 5.10.3, and Zoom VDI Windows Meeting Clients prior to version 5.9.6 were susceptible to a local privilege escalation issue during the installer repair operation. A malicious actor could utilize this to potentially delete system level files or folders, causing integrity or availability issues on the user’s host machine.
CVSS Score: 7.9 | EPSS Score: 0.001 | Published: 2022-04-28
A vulnerability in Zoom On-Premise Meeting Connector Controller version 4.8.102.20220310 and On-Premise Meeting Connector MMR version 4.8.102.20220310 exposes process memory fragments to connected clients, which could be observed by a passive attacker.
CVSS Score: 6.5 | EPSS Score: 0.004 | Published: 2022-04-28
Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 are vulnerable to malfunction of cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2022-04-28

