Security Vulnerabilities - CVEs Published In July 2022
IBM CICS TX Standard and Advanced 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 229432.
CVSS Score
5.4
EPSS Score
0.003
Published
2022-07-08
IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 229435.
CVSS Score
5.4
EPSS Score
0.004
Published
2022-07-08
A URL disclosure issue was discovered in Burp Suite before 2022.6. If a user views a crafted response in the Repeater or Intruder, it may be incorrectly interpreted as a redirect.
CVSS Score
4.3
EPSS Score
0.003
Published
2022-07-08
Security vulnerabilities in HPE IceWall SSO 10.0 certd could be exploited remotely to allow SQL injection or unauthorized data injection. HPE has provided the following updated modules to resolve these vulnerabilities. HPE IceWall SSO version 10.0 certd library Patch 9 for RHEL and HPE IceWall SSO version 10.0 certd library Patch 9 for HP-UX.
CVSS Score
9.8
EPSS Score
0.006
Published
2022-07-08
A potential security vulnerability has been identified in certain HPE FlexNetwork and FlexFabric switch products. The vulnerability could be remotely exploited to allow cross site scripting (XSS). HPE has made the following software updates to resolve the vulnerability. HPE FlexNetwork 5130EL_7.10.R3507P02 and HPE FlexFabric 5945_7.10.R6635.
CVSS Score
4.8
EPSS Score
0.005
Published
2022-07-08
Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR).
CVSS Score
4.3
EPSS Score
0.002
Published
2022-07-08
A cross-site scripting (XSS) vulnerability in Known v1.2.2+2020061101 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Your Name text field.
CVSS Score
5.4
EPSS Score
0.004
Published
2022-07-08
An issue in the isSVG() function of Known v1.2.2+2020061101 allows attackers to execute arbitrary code via a crafted SVG file.
CVSS Score
6.1
EPSS Score
0.008
Published
2022-07-08
Known v1.3.1+2020120201 was discovered to allow attackers to perform an account takeover via a host header injection attack.
CVSS Score
8.8
EPSS Score
0.005
Published
2022-07-08
In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings that usually require particular attention in term of security. Although p2 has built-in strategies to ensure artifacts are signed and then to help establish trust, there is no such strategy for the metadata part that does configure such touchpoints. As a result, it's possible to install a unit that will run malicious code during installation without user receiving any warning about this installation step being risky when coming from untrusted source.
CVSS Score
10.0
EPSS Score
0.005
Published
2022-07-08