Security Vulnerabilities
- CVEs Published In July 2022
OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent from the client which the client again does not respond to, resulting in a limited amplification attack.
An insecure configuration for certificate verification (http.verify_mode = OpenSSL::SSL::VERIFY_NONE) may lead to verification bypass in Red Hat CloudForms 5.x.
EidoGo is susceptible to Cross-Site Scripting (XSS) attacks via maliciously crafted SGF input.
The custom-content-type-manager WordPress plugin can be used by an administrator to achieve arbitrary PHP remote code execution.
HTML injection vulnerability in secure messages of Devolutions Server before 2022.2 allows attackers to alter the rendering of the page or redirect a user to another site.
There are use-after-free vulnerabilities caused by the timer handler in net/rose/rose_timer.c of Linux that allow attackers to crash the Linux kernel without any privileges.
OTFCC v0.10.4 was discovered to contain a heap buffer overflow after free via otfccbuild.c.
Frontier is Substrate's Ethereum compatibility layer. In affected versions the truncation done when converting between the EVM balance type and the Substrate balance type was incorrectly implemented. This leads to a possible discrepancy between the apparent EVM transfer value and the actual Substrate value transferred. It is recommended that an emergency upgrade be planned and EVM execution temporarily paused in the meantime. The issue is patched in Frontier master branch commit fed5e0a9577c10bea021721e8c2c5c378e16bf66 and polkadot-v0.9.22 branch commit e3e427fa2e5d1200a784679f8015d4774cedc934. This vulnerability affects only EVM internal states, but not Substrate balance states or the node. You can temporarily pause EVM execution (by setting up a Substrate `CallFilter` that disables `pallet-evm` and `pallet-ethereum` calls) before the patch can be applied.
openssh_key_parser is an open source Python package providing utilities to parse and pack OpenSSH private and public key files. In versions prior to 0.0.6 if a field of a key is shorter than it is declared to be, the parser raises an error with a message containing the raw field value. An attacker able to modify the declared length of a key's sensitive field can thus expose the raw value of that field. Users are advised to upgrade to version 0.0.6, which no longer includes the raw field value in the error message. There are no known workarounds for this issue.
Roxy-wi is an open source web interface for managing HAProxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to bypass authentication and access admin functionality by sending a specially crafted HTTP request. This affects Roxy-wi versions before 6.1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.