Security Vulnerabilities - CVEs Published In June 2022
Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a URL /cgi-bin endpoint. The URL parameters are not correctly sanitized, leading to reflected XSS.
CVSS Score
6.1
EPSS Score
0.003
Published
2022-06-02
Bonita Web 2021.2 is affected by a authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API endpoints. This can lead to remote code execution by abusing the privileged API actions.
CVSS Score
9.8
EPSS Score
0.911
Published
2022-06-02
An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.
CVSS Score
5.9
EPSS Score
0.012
Published
2022-06-02
Black Rainbow NIMBUS before 3.7.0 allows stored Cross-site Scripting (XSS).
CVSS Score
6.5
EPSS Score
0.003
Published
2022-06-02
ACEweb Online Portal 3.5.065 allows unauthenticated SMB hash capture via UNC. By specifying the UNC file path of an external SMB share when uploading a file, an attacker can induce the victim server to disclose the username and password hash of the user executing the ACEweb Online software.
CVSS Score
7.5
EPSS Score
0.004
Published
2022-06-02
An issue was discovered in WinAPRS 2.9.0. A buffer overflow in DIGI address processing for VHF KISS packets allows a remote attacker to cause a denial of service (daemon crash) via a malicious AX.25 packet over the air. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVSS Score
7.5
EPSS Score
0.009
Published
2022-06-02
An issue was discovered in WinAPRS 2.9.0. A buffer overflow in national.txt processing allows a local attacker to cause a denial of service or possibly achieve code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVSS Score
7.8
EPSS Score
0.001
Published
2022-06-02
An issue was discovered in WinAPRS 2.9.0. A buffer overflow in the VHF KISS TNC component allows a remote attacker to achieve remote code execution via malicious AX.25 packets over the air. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVSS Score
9.8
EPSS Score
0.401
Published
2022-06-02
E-Series SANtricity OS Controller Software versions 11.40 through 11.70.2 store the LDAP BIND password in plaintext within a file accessible only to privileged users.
CVSS Score
4.4
EPSS Score
0.001
Published
2022-06-02
E-Series SANtricity OS Controller Software 11.x versions through 11.70.2 are vulnerable to host header injection attacks that could allow an attacker to redirect users to malicious websites.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-06-02