Security Vulnerabilities - CVEs Published In July 2022
Advanced School Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the address parameter at ip/school/index.php.
CVSS Score: 4.8
EPSS Score: 0.001
Published: 2022-07-28
sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to code execution. If a victim executes an attacker-controlled Squirrel script, it is possible for the attacker to break out of the Squirrel script sandbox even if all dangerous functionality, such as file system functions, has been disabled. An attacker might abuse this bug to target (for example) cloud services that allow customization via Squirrel scripts, or to distribute malware through video games that embed a Squirrel engine.
CVSS Score: 10.0
EPSS Score: 0.004
Published: 2022-07-28
The Email Viewer in RainLoop through 1.6.0 allows XSS via a crafted email message.
CVSS Score: 5.4
EPSS Score: 0.007
Published: 2022-07-28
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
CVSS Score: 7.0
EPSS Score: 0.017
Published: 2022-07-28
Open Source Point of Sale v3.3.7 was discovered to contain an arbitrary file upload vulnerability via the Update Branding Settings page.
CVSS Score: 7.2
EPSS Score: 0.001
Published: 2022-07-28
DPTech VPN v8.1.28.0 was discovered to contain an arbitrary file read vulnerability.
CVSS Score: 7.5
EPSS Score: 0.001
Published: 2022-07-28
In Zulip before 1.3.12, bot API keys were accessible to other users in the same realm.
CVSS Score: 4.3
EPSS Score: 0.001
Published: 2022-07-28
In Zulip before 1.3.12, deactivated users could access messages if SSO was enabled.
CVSS Score: 7.5
EPSS Score: 0.001
Published: 2022-07-28
Input passed to the Pdf() function is shell-escaped and passed to child_process.exec() during PDF rendering. However, the shell escape does not properly encode all special characters, namely the semicolon and curly braces. This can be abused to achieve command execution. This problem affects nodepdf 1.3.0.
CVSS Score: 9.8
EPSS Score: 0.002
Published: 2022-07-28
The WordPress plugin mb.miniAudioPlayer (an HTML5 audio player for your mp3 files) is prone to multiple vulnerabilities, including open proxy and security bypass vulnerabilities, because it fails to properly verify user-supplied input. An attacker may leverage these issues to hide attacks directed at a target site from behind a vulnerable website, or to perform otherwise restricted actions and subsequently download files with the extensions mp3, mp4a, wav and ogg from anywhere on the system that the web server application has read access to. Version 1.7.6 of the plugin is vulnerable; prior versions may also be affected.
CVSS Score: 7.5
EPSS Score: 0.003
Published: 2022-07-28