Security Vulnerabilities - CVEs Published In May 2022
Improper input validation vulnerability in HANDY Groupware's ActiveX module allows attackers to download or execute arbitrary files. This vulnerability can be exploited by using the file download or execution path as the parameter value of the vulnerable function.
CVSS Score: 7.8 | EPSS Score: 0.004 | Published: 2022-05-19
Improper input validation vulnerability in the Mangboard commerce package allows abnormal requests to be processed. A remote attacker can exploit this vulnerability to manipulate the total order amount into a negative number and then pay for the order.
CVSS Score: 8.0 | EPSS Score: 0.003 | Published: 2022-05-19
GRANDCOM DynWEB before 4.2 contains a SQL Injection vulnerability in the admin login interface. A remote unauthenticated attacker can exploit this vulnerability to obtain administrative access to the webpage, access the user database, modify web content and upload custom files. The backend login script does not verify and sanitize user-provided strings.
CVSS Score: 9.8 | EPSS Score: 0.017 | Published: 2022-05-19
JFrog Artifactory prior to 7.31.10 is vulnerable to Broken Access Control: a Project Admin is able to create, edit and delete Repository Layouts, while Repository Layouts configuration should only be available to Platform Administrators.
CVSS Score: 6.0 | EPSS Score: 0.001 | Published: 2022-05-19
Mobotix Control Center (MxCC) through 2.5.4.5 has Insufficiently Protected Credentials, storing passwords in a recoverable format in the MxCC.ini config file. The credential storage method in this software enables an attacker or user of the machine to gain admin access to the software and gain access to recordings and recording locations.
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2022-05-19
An issue was discovered in ShopXO CMS 2.2.0. After logging in to the management page, an arbitrary file upload vulnerability exists in three locations.
CVSS Score: 7.2 | EPSS Score: 0.004 | Published: 2022-05-19
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4.
CVSS Score: 6.3 | EPSS Score: 0.002 | Published: 2022-05-19
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977.
CVSS Score: 7.3 | EPSS Score: 0.0 | Published: 2022-05-19
On vulnerable configurations, the named daemon may, in some circumstances, terminate with an assertion failure. Vulnerable configurations are those that include a reference to http within the listen-on statements in their named.conf. TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using DoT alone are unaffected. Affects BIND 9.18.0 through 9.18.2 and version 9.19.0 of the BIND 9.19 development branch.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2022-05-19
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2022-05-19