Security Vulnerabilities - CVEs Published In July 2022
The Awin Data Feed WordPress plugin before 1.8 does not sanitise and escape a header when processing request to generate analytics data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against a logged in admin viewing the plugin's settings
CVSS Score
5.4
EPSS Score
0.007
Published
2022-07-11
The core plugin for kitestudio WordPress plugin before 2.3.1 does not sanitise and escape some parameters before outputting them back in a response of an AJAX action, available to both unauthenticated and authenticated users when a premium theme from the vendor is active, leading to a Reflected Cross-Site Scripting.
CVSS Score
6.1
EPSS Score
0.003
Published
2022-07-11
The CODESYS OPC DA Server prior V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system.
CVSS Score
5.5
EPSS Score
0.001
Published
2022-07-11
Multiple Lenze products of the cabinet series skip the password verification upon second login. After a user has been logged on to the device once, a remote attacker can get full access without knowledge of the password.
CVSS Score
9.8
EPSS Score
0.007
Published
2022-07-11
In CmpBlkDrvTcp of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new TCP connections. Existing connections are not affected.
CVSS Score
7.5
EPSS Score
0.004
Published
2022-07-11
In CmpChannelServer of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new communication channel connections. Existing connections are not affected.
CVSS Score
7.5
EPSS Score
0.005
Published
2022-07-11
Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20.
CVSS Score
6.5
EPSS Score
0.001
Published
2022-07-11
Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port). NOTE: a third party reports that this cannot be reproduced.
CVSS Score
9.8
EPSS Score
0.022
Published
2022-07-11
H3C SSL VPN through 2022-07-10 allows wnm/login/login.json svpnlang cookie XSS.
CVSS Score
6.1
EPSS Score
0.067
Published
2022-07-11
softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-virtualization Use Case in the qemu.org reference applies here, i.e., "Bugs affecting the non-virtualization use case are not considered security bugs at this time.
CVSS Score
8.8
EPSS Score
0.003
Published
2022-07-11