Security Vulnerabilities - CVEs Published In August 2022
HashiCorp Consul Template up to 0.27.2, 0.28.2, and 0.29.1 may expose the contents of Vault secrets in the error returned by the *template.Template.Execute method, when given a template using Vault secret contents incorrectly. Fixed in 0.27.3, 0.28.3, and 0.29.2.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2022-08-17
Improper Validation of Specified Quantity in Input in GitHub repository vim/vim prior to 9.0.0218.
CVSS Score: 7.8 | EPSS Score: 0.005 | Published: 2022-08-17
Ampere Altra before SRP 1.08b and Altra Max before SRP 2.05 allow information disclosure of power telemetry via HWmon.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2022-08-17
Ampere Altra devices before 1.08g and Ampere Altra Max devices before 2.05a allow attackers to control the predictions for return addresses and potentially hijack code flow to execute arbitrary code via a side-channel attack, aka a "Retbleed" issue.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2022-08-17
Cross-site Scripting (XSS) - Stored in GitHub repository notrinos/notrinoserp prior to 0.7.
CVSS Score: 4.6 | EPSS Score: 0.002 | Published: 2022-08-17
An Argument Injection or Modification vulnerability in the "Change Secret" username field as used in the Discovery component of Device42 CMDB allows a local attacker to run arbitrary code on the appliance with root privileges. This issue affects: Device42 CMDB version 18.01.00 and prior versions.
CVSS Score: 9.1 | EPSS Score: 0.004 | Published: 2022-08-17
Use of Hard-coded Cryptographic Key vulnerability in the WebReportsApi.dll of Exago Web Reports, as used in the Device42 Asset Management Appliance, allows an attacker to leak session IDs and elevate privileges. This issue affects: Device42 CMDB versions prior to 18.01.00.
CVSS Score: 7.1 | EPSS Score: 0.004 | Published: 2022-08-17
Improper Access Control vulnerability in the /Exago/WrImageResource.adx route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. This issue affects: Device42 CMDB versions prior to 18.01.00.
CVSS Score: 6.9 | EPSS Score: 0.058 | Published: 2022-08-17
OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions.
CVSS Score: 8.0 | EPSS Score: 0.014 | Published: 2022-08-17
IPESA e-Flow 3.3.6 allows path traversal for reading any file within the web root directory via the lib/js/build/STEResource.res path and the R query parameter.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2022-08-16



Shodan ® - All rights reserved