Security Vulnerabilities - CVEs Published In July 2022
Operation restriction bypass in multiple applications of Cybozu Garoon 4.0.0 to 5.9.1 allows a remote authenticated attacker to alter the file information and/or delete the files.
CVSS Score
8.1
EPSS Score
0.004
Published
2022-07-11
Browsing restriction bypass vulnerability in Bulletin of Cybozu Garoon 4.0.0 to 5.9.1 allows a remote authenticated attacker to obtain the data of Bulletin.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-07-11
Cross-site Scripting (XSS) - Stored in GitHub repository zadam/trilium prior to 0.53.3.
CVSS Score
4.0
EPSS Score
0.002
Published
2022-07-10
Joomla component 'Joomlatools - DOCman 3.5.13 (and likely most versions below)' is affected by a reflected Cross-Site Scripting (XSS) vulnerability in an image upload function.
CVSS Score
6.1
EPSS Score
0.005
Published
2022-07-10
Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user.
CVSS Score
6.3
EPSS Score
0.001
Published
2022-07-09
Use After Free in GitHub repository vim/vim prior to 9.0.0046.
CVSS Score
7.8
EPSS Score
0.0
Published
2022-07-08
Digital Guardian Agent 7.7.4.0042 allows an administrator (who ordinarily does not have a supported way to uninstall the product) to disable some of the agent functionality and then exfiltrate files to an external USB device.
CVSS Score
5.1
EPSS Score
0.001
Published
2022-07-08
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
10.0
EPSS Score
0.94
Published
2022-07-08
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.
CVSS Score
7.8
EPSS Score
0.0
Published
2022-07-08
Webswing before 22.1.3 allows X-Forwarded-For header injection. The client IP address is associated with a variable in the configuration page. The {clientIp} variable can be used as an application startup argument. The X-Forwarded-For header can be manipulated by a client to store an arbitrary value that is used to replace the clientIp variable (without sanitization). A client can thus inject multiple arguments into the session startup. Systems that do not use the clientIP variable in the configuration are not vulnerable. The vulnerability is fixed in these versions: 20.1.16, 20.2.19, 21.1.8, 21.2.12, and 22.1.3.
CVSS Score
9.8
EPSS Score
0.009
Published
2022-07-08


Shodan ® - All rights reserved