Security Vulnerabilities - CVEs Published In August 2022
There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary code execution.
CVSS Score
6.1
EPSS Score
0.006
Published
2022-08-16
In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file.
CVSS Score
6.7
EPSS Score
0.0
Published
2022-08-16
A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-08-16
Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.
CVSS Score
8.8
EPSS Score
0.007
Published
2022-08-16
The Emerson ROC and FloBoss RTU product lines through 2022-05-02 perform insecure filesystem operations. They utilize the ROC protocol (4000/TCP, 5000/TCP) for communications between a master terminal and RTUs. Opcode 203 of this protocol allows a master terminal to transfer files to and from the flash filesystem and carrying out arbitrary file and directory read, write, and delete operations.
CVSS Score
9.8
EPSS Score
0.001
Published
2022-08-16
Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/page/verify URI via fieldName parameter.
CVSS Score
9.8
EPSS Score
0.004
Published
2022-08-16
Tenda AC9 V15.03.2.21_cn is vulnerable to command injection via goform/SetSysTimeCfg.
CVSS Score
9.8
EPSS Score
0.179
Published
2022-08-16
An issue was discovered in rageframe2 2.6.37. There is a XSS vulnerability in the user agent related parameters of the info.php page.
CVSS Score
6.1
EPSS Score
0.003
Published
2022-08-16
Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/model/delete URI via models Lists.
CVSS Score
9.8
EPSS Score
0.005
Published
2022-08-16
Emerson OpenBSI through 2022-04-29 mishandles credential storage. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. This environment provides access control functionality through user authentication and privilege management. The credentials for various users are stored insecurely in the SecUsers.ini file by using a simple string transformation rather than a cryptographic mechanism.
CVSS Score
5.5
EPSS Score
0.001
Published
2022-08-16