Security Vulnerabilities - CVEs Published In July 2022
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
CVSS Score: 8.2 | EPSS Score: 0.008 | Published: 2022-07-17
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via HTTP.
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2022-07-17
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via Epic Telehealth.
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2022-07-17
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via H.323.
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2022-07-17
Pexip Infinity before 27.3 allows remote attackers to trigger excessive resource consumption via H.264.
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2022-07-17
Information disclosure: the system allows usernames and passwords to be viewed without permissions, which makes it possible to log in to the system. Path access: http://api/sys_username_passwd.cmd - The server loads the request clearly by default. Hard-coded credential information is disclosed in the JS code sent to the client in the Login.js file: a strong user (which is not documented) and its password, which allow super-user access. Username: chcadmin, Password: chcpassword.
CVSS Score: 5.3 | EPSS Score: 0.0 | Published: 2022-07-17
In Montala ResourceSpace through 9.8 before r19636, csv_export_results_metadata.php allows attackers to export collection metadata via a non-NULL k value.
CVSS Score: 6.5 | EPSS Score: 0.139 | Published: 2022-07-17
An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2022-07-17
A Cross-Site Request Forgery (CSRF) in Ferdi through 5.8.1 and Ferdium through 6.0.0-nightly.98 allows attackers to read files via an uploaded file such as a settings/preferences file.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2022-07-17
pyenv 1.2.24 through 2.3.2 allows local users to gain privileges via a .python-version file in the current working directory. An attacker can craft a Python version string in .python-version to execute shims under their control. (Shims are executables that pass a command along to a specific version of pyenv. The version string is used to construct the path to the command, and there is no validation of whether the version specified is a valid version. Thus, relative path traversal can occur.)
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2022-07-17