Security Vulnerabilities - CVEs Published In June 2022
IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.15.0 is vulnerable to reverse tabnabbing where it could allow a page linked to from within IBM Spectrum Copy Data Management to rewrite it. An administrator could enter a link to a malicious URL that another administrator could then click. Once clicked, that malicious URL could then rewrite the original page with a phishing page. IBM X-Force ID: 227363.
CVSS Score
4.4
EPSS Score
0.001
Published
2022-06-10
There is an assertion failure in SingleComponentLSScan::ParseMCU in singlecomponentlsscan.cpp in libjpeg before 1.64 via an empty JPEG-LS scan.
CVSS Score
6.5
EPSS Score
0.002
Published
2022-06-10
A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4.
CVSS Score
8.8
EPSS Score
0.006
Published
2022-06-10
A Privilege Escalation vulnerability exists in Sourcecodester Money Transfer Management System 1.0, which allows a remote malicious user to gain elevated privileges to the Admin role via any URL.
CVSS Score
8.8
EPSS Score
0.003
Published
2022-06-10
RealVNC VNC Server 6.9.0 through 5.1.0 for Windows allows local privilege escalation because an installer repair operation executes %TEMP% files as SYSTEM.
CVSS Score
7.8
EPSS Score
0.004
Published
2022-06-10
IdeaLMS 2022 allows SQL injection via the IdeaLMS/ChatRoom/ClassAccessControl/6?isBigBlueButton=0&ClassID= pathname.
CVSS Score
9.8
EPSS Score
0.003
Published
2022-06-10
An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509 client certificates, the admin credentials provided to the Admin REST API are ignored, resulting in privilege escalation for unauthenticated users. The Public REST API is not impacted by this issue. A workaround is to replace X.509 certificate based authentication with Username and Password authentication inside the bootstrap configuration.
CVSS Score
9.8
EPSS Score
0.004
Published
2022-06-10
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SafeNet KeySecure allows an authenticated user to read arbitrary files from the underlying system on which the product is deployed.
CVSS Score
3.3
EPSS Score
0.002
Published
2022-06-10
A vulnerability was found in PHPList 3.2.6 and classified as critical. This issue affects some unknown processing of the file /lists/index.php of the component Edit Subscription. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
CVSS Score
7.3
EPSS Score
0.018
Published
2022-06-10
A vulnerability was found in PHPList 3.2.6. It has been classified as critical. Affected is an unknown function of the file /lists/admin/ of the component Sending Campain. The manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
CVSS Score
4.7
EPSS Score
0.003
Published
2022-06-10