Security Vulnerabilities - CVEs Published In June 2022
Cross-site request forgery (CSRF) vulnerability in Easy Blog for EC-CUBE4 Ver.1.0.1 and earlier allows a remote unauthenticated attacker to hijack the authentication of the administrator and delete a blog article or a category via a specially crafted page.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-06-13
Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product.
CVSS Score
6.1
EPSS Score
0.003
Published
2022-06-13
Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to log in with the root privilege and perform an arbitrary operation if the product is in its default settings in which is set to accept SSH connections from the WAN side, and is also connected to the Internet with the authentication information unchanged from the default settings.
CVSS Score
7.2
EPSS Score
0.086
Published
2022-06-13
Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 uses a hard-coded credential which may allow a remote unauthenticated attacker to log in with the root privilege and perform an arbitrary operation.
CVSS Score
9.8
EPSS Score
0.007
Published
2022-06-13
Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege.
CVSS Score
4.8
EPSS Score
0.005
Published
2022-06-13
In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-06-13
Code Injection in GitHub repository nuitka/nuitka prior to 0.9.
CVSS Score
8.4
EPSS Score
0.001
Published
2022-06-12
Deno <=1.14.0 file sandbox does not handle symbolic links correctly. When running Deno with specific write access, the Deno.symlink method can be used to gain access to any directory.
CVSS Score
8.4
EPSS Score
0.001
Published
2022-06-12
A cross-site scripting (XSS) vulnerability in the SEOmatic plugin 3.4.10 for Craft CMS 3 allows remote attackers to inject arbitrary web script via a GET to /index.php?action=seomatic/file/seo-file-link with url parameter containing the base64 encoded URL of a malicious web page / file and fileName parameter containing an arbitrary filename with the intended content-type to be rendered in the user's browser as the extension.
CVSS Score
6.1
EPSS Score
0.005
Published
2022-06-12
In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.
CVSS Score
9.8
EPSS Score
0.858
Published
2022-06-12