Security Vulnerabilities - CVEs Published In September 2022
An issue was discovered in SecurePoll in the Growth extension in MediaWiki through 1.36.2. Simple polls allow users to create alerts by changing their User-Agent HTTP header and submitting a vote.
CVSS Score: 5.4 | EPSS Score: 0.016 | Published: 2022-09-29

An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages were not properly escaped and allowed for users to inject HTML and JavaScript.
CVSS Score: 6.1 | EPSS Score: 0.017 | Published: 2022-09-29

An issue was discovered in the Growth extension in MediaWiki through 1.36.2. On any wiki with the Mentor Dashboard feature enabled, users can log in with a mentor account and trigger an XSS payload (such as alert) via Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback.
CVSS Score: 5.4 | EPSS Score: 0.015 | Published: 2022-09-29

An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits.
CVSS Score: 4.8 | EPSS Score: 0.015 | Published: 2022-09-29

An issue was discovered in the Translate extension in MediaWiki through 1.36.2. Oversighters cannot undo revisions or oversight on pages where they suppressed information (such as PII). This allows oversighters to whitewash revisions.
CVSS Score: 6.5 | EPSS Score: 0.011 | Published: 2022-09-29

An issue was discovered in FusionPBX before 4.5.30. The log_viewer.php Log View page allows an authenticated user to choose an arbitrary filename for download (i.e., not necessarily freeswitch.log in the intended directory).
CVSS Score: 6.5 | EPSS Score: 0.004 | Published: 2022-09-29

Time-based SQL Injection vulnerabilities were found in Metersphere v1.15.4 via the "orders" parameter.
CVSS Score: 8.8 | EPSS Score: 0.323 | Published: 2022-09-29

An arbitrary file read vulnerability was found in Metersphere v1.15.4, where authenticated users can read any file on the server via the file download function.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2022-09-29

An arbitrary file upload vulnerability was found in Metersphere v1.15.4. Unauthenticated users can upload any file to an arbitrary directory, where attackers can write a cron job to execute commands.
CVSS Score: 9.8 | EPSS Score: 0.113 | Published: 2022-09-29

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 uses ZODB storage without authentication.
CVSS Score: 7.5 | EPSS Score: 0.005 | Published: 2022-09-29