Security Vulnerabilities - CVEs Published In May 2022
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8.
CVSS Score
7.5
EPSS Score
0.012
Published
2022-05-20
In certain Goverlan products, the Windows Firewall is temporarily turned off upon a Goverlan agent update operation. This allows remote attackers to bypass firewall blocking rules for a time period of up to 30 seconds. This affects Goverlan Reach Console before 10.5.1, Reach Server before 3.70.1, and Reach Client Agents before 10.1.11.
CVSS Score
6.5
EPSS Score
0.003
Published
2022-05-20
Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands.
CVSS Score
5.4
EPSS Score
0.003
Published
2022-05-20
Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.
CVSS Score
8.8
EPSS Score
0.002
Published
2022-05-20
OPC UA Legacy Java Stack 2022-04-01 allows a remote attacker to cause a server to stop processing messages by sending crafted messages that exhaust available resources.
CVSS Score
7.5
EPSS Score
0.011
Published
2022-05-20
Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)' field via the 'settings' page. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-05-20
Cross-site Scripting (XSS) - Reflected in GitHub repository rtxteam/rtx prior to checkpoint_2022-05-18.
CVSS Score
6.3
EPSS Score
0.002
Published
2022-05-20
Integer Overflow or Wraparound in GitHub repository polonel/trudesk prior to 1.2.2.
CVSS Score
8.4
EPSS Score
0.005
Published
2022-05-20
Thecus 4800Eco was discovered to contain a command injection vulnerability via the username parameter in /adm/setmain.php.
CVSS Score
9.8
EPSS Score
0.125
Published
2022-05-20
Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.
CVSS Score
5.3
EPSS Score
0.014
Published
2022-05-20