Security Vulnerabilities - CVEs Published In May 2022
Air Cargo Management System 1.0 is vulnerable to SQL Injection via /acms/admin/cargo_types/manage_cargo_type.php?id=.
CVSS Score
7.2
EPSS Score
0.003
Published
2022-05-13
Air Cargo Management System 1.0 is vulnerable to SQL Injection via /acms/admin/?page=transactions/manage_transaction&id=.
CVSS Score
7.2
EPSS Score
0.003
Published
2022-05-13
Unrestricted file upload in /novel-admin/src/main/java/com/java2nb/common/controller/FileController.java in novel-plus all versions allows allows an attacker to upload malicious JSP files.
CVSS Score
9.8
EPSS Score
0.004
Published
2022-05-13
Certain Anaconda3 2021.05 are affected by OS command injection. When a user installs Anaconda, an attacker can create a new file and write something in usercustomize.py. When the user opens the terminal or activates Anaconda, the command will be executed.
CVSS Score
8.8
EPSS Score
0.051
Published
2022-05-13
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.
CVSS Score
8.6
EPSS Score
0.007
Published
2022-05-13
EOSIO batdappboomx v327c04cf has an Access-control vulnerability in the `transfer` function of the smart contract which allows remote attackers to win the cryptocurrency without paying ticket fee via the `std::string memo` parameter.
CVSS Score
7.5
EPSS Score
0.032
Published
2022-05-13
RubyGems is a package registry used to supply software for the Ruby language ecosystem. An ordering mistake in the code that accepts gem uploads allowed some gems (with platforms ending in numbers, like `arm64-darwin-21`) to be temporarily replaced in the CDN cache by a malicious package. The bug has been patched, and is believed to have never been exploited, based on an extensive review of logs and existing gems by rubygems. The easiest way to ensure that an application has not been exploited by this vulnerability is to verify all downloaded .gems checksums match the checksum recorded in the RubyGems.org database. RubyGems.org has been patched and is no longer vulnerable to this issue.
CVSS Score
7.7
EPSS Score
0.003
Published
2022-05-13
This vulnerability allows users to execute a clickjacking attack in the meeting's chat.
CVSS Score
4.2
EPSS Score
0.001
Published
2022-05-12
XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-05-12
Using the ability to perform a Man-in-the-Middle (MITM) attack, which indicates a lack of hostname verification, sensitive account information was able to be intercepted. In this specific scenario, the application's network traffic was intercepted using a proxy server set up in 'transparent' mode while a certificate with an invalid hostname was active. The Android application was found to have hostname verification issues during the server setup and login flows; however, the application did not process requests post-login.
CVSS Score
6.3
EPSS Score
0.001
Published
2022-05-12