Security Vulnerabilities - CVEs Published In May 2022
A Cleartext Transmission of Sensitive Information vulnerability in SUSE Rancher allows attackers on the network to read and change network data due to missing encryption of data transmitted via the network when a cluster is created from an RKE template with the CNI value overridden. This issue affects: SUSE Rancher versions prior to 2.5.14; Rancher versions prior to 2.6.5.
CVSS Score: 6.8 | EPSS Score: 0.001 | Published: 2022-05-25
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2.
CVSS Score: 5.3 | EPSS Score: 0.199 | Published: 2022-05-25
In Apache Archiva, any registered user can reset the password of any user. This is fixed in Archiva 2.2.8.
CVSS Score: 6.5 | EPSS Score: 0.014 | Published: 2022-05-25
kkFileView v4.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the url parameter at /controller/OnlinePreviewController.java.
CVSS Score: 6.1 | EPSS Score: 0.027 | Published: 2022-05-25
epub2txt2 v2.04 was discovered to contain an integer overflow via the function bug in _parse_special_tag at sxmlc.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted XML file.
CVSS Score: 5.5 | EPSS Score: 0.001 | Published: 2022-05-25
A stored cross-site scripting (XSS) vulnerability in /scas/?page=clubs/application_form&id=7 of School Club Application System v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.
CVSS Score: 6.1 | EPSS Score: 0.007 | Published: 2022-05-25
Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project.
CVSS Score: 9.8 | EPSS Score: 0.287 | Published: 2022-05-25
A cross-site scripting (XSS) vulnerability in /navigation/create?ParentID=%23 of ZKEACMS v3.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ParentID parameter.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-05-25
A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted plugin.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2022-05-25
IBM Aspera Faspex 4.4.1 and 5.0.0 could allow unauthorized access due to an incorrectly computed security token. IBM X-Force ID: 226951.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2022-05-24

