Security Vulnerabilities - CVEs Published In August 2022
Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.10P1 are susceptible to a vulnerability which could allow an attacker to discover cluster, node and Active IQ Unified Manager specific information via AutoSupport telemetry data that is sent even when AutoSupport has been disabled.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2022-08-25

A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are PATCH /api/v1/user and PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore.
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2022-08-25

A flaw was found in Samba. The security vulnerability occurs when KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other's tickets. A user who has been requested to change their password can exploit this flaw to obtain and use tickets to other services.
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2022-08-25

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2022-08-25

RuoYi v3.8.3 has a weak password vulnerability in the management system.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2022-08-25

Claroline 13.5.7 and prior is vulnerable to remote code execution via arbitrary file upload.
CVSS Score: 9.8 | EPSS Score: 0.318 | Published: 2022-08-25

Claroline 13.5.7 and prior allows an authenticated attacker to elevate privileges via the arbitrary creation of a privileged user. By combining the XSS vulnerability present in several upload forms and a JavaScript request to the present API, it is possible to trigger the creation of a user with administrative rights by opening an SVG file as an administrator user.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2022-08-25

Claroline 13.5.7 and prior is vulnerable to Cross Site Scripting (XSS) via SVG file upload.
CVSS Score: 6.1 | EPSS Score: 0.001 | Published: 2022-08-25

Claroline 13.5.7 and prior is vulnerable to Cross Site Scripting (XSS). An attacker can obtain JavaScript code execution by adding arbitrary JavaScript code in the 'Location' field of a calendar event.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2022-08-25

MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to Cross Site Scripting (XSS) via the currentRequest parameter.
CVSS Score: 5.4 | EPSS Score: 0.007 | Published: 2022-08-25