Security Vulnerabilities - CVEs Published In September 2022
Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /employees/manage_leave_type.php.
CVSS Score
7.2
EPSS Score
0.001
Published
2022-09-12
Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /maintenance/manage_leave_type.php.
CVSS Score
7.2
EPSS Score
0.001
Published
2022-09-12
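The two entries above are the same bug pattern in two files: the id request parameter is spliced into SQL text. The page gives no source for manage_leave_type.php, so the following is an added, constructed Python/sqlite3 stand-in (not the Online Leave Management System's own code or schema) that shows what a tautology and a UNION payload do to an interpolated query, and why a bound parameter, plus a type check on id, stops them. Table name, rows and payloads are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed schema and rows; they stand in for the application's leave-type
# table and are NOT the real Online Leave Management System schema.
SAMPLE_ROWS = [(1, "Annual Leave"), (2, "Sick Leave"), (3, "Unpaid Leave")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE leave_type (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO leave_type VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, id_param):
    """The bug pattern: the request parameter becomes part of the SQL text."""
    sql = f"SELECT id, name FROM leave_type WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, id_param):
    """Fix: bind the value; the driver never parses it as SQL."""
    return conn.execute(
        "SELECT id, name FROM leave_type WHERE id = ?", (id_param,)
    ).fetchall()


def lookup_hardened(conn, id_param):
    """Fix plus validation: an id is a decimal integer or the request is rejected."""
    if not (isinstance(id_param, str) and id_param.isdigit()):
        raise ValueError("id must be a decimal integer")
    return lookup_parameterized(conn, int(id_param))


def run_demo():
    """Run each variant against a normal id and two constructed attack strings."""
    conn = make_db()
    normal = "2"
    tautology = "2 OR 1=1"                          # widens the WHERE to every row
    union = "0 UNION SELECT 1, sqlite_version()"    # pulls data from outside the table
    results = {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_tautology": lookup_vulnerable(conn, tautology),
        "vuln_union_rows": len(lookup_vulnerable(conn, union)),
        "param_normal": lookup_parameterized(conn, normal),
        "param_tautology": lookup_parameterized(conn, tautology),   # compared as text, matches nothing
    }
    try:
        lookup_hardened(conn, tautology)
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True
    results["hardened_normal"] = lookup_hardened(conn, normal)
    return results
```

The parameterized variant alone is enough to neutralise the injection; the hardened variant additionally refuses non-numeric ids so that malformed input is logged and rejected at the edge instead of silently returning an empty result.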
On Linksys E5350 WiFi routers with firmware version 1.0.00.037 and lower (and potentially other vendors/devices, due to code reuse), the /SysInfo.htm URI does not require a session ID. The page calls a show_sysinfo function that retrieves WPA passwords, SSIDs, MAC addresses, serial numbers, WPS PINs and hardware/firmware versions and prints them into the page. Anyone who can reach the web interface can therefore read these secrets without logging in. If remote management is enabled and the device is connected directly to the internet, the page is reachable from the internet and the disclosure requires no user interaction.
CVSS Score
7.5
EPSS Score
0.001
Published
2022-09-12
Appsmith v1.7.11 was discovered to allow an authenticated attacker to perform Server-Side Request Forgery (SSRF): a request can be pointed at a host that redirects Appsmith's outgoing request to the AWS instance metadata endpoint.
CVSS Score
8.8
EPSS Score
0.001
Published
2022-09-12
An issue in the Elasticsearch plugin of Appsmith v1.7.11 allows attackers to connect to disallowed hosts, including the AWS/GCP instance metadata endpoints.
CVSS Score
4.3
EPSS Score
0.001
Published
2022-09-12
Broken Access Control vulnerability in Dean Oakley's Photospace Gallery plugin <= 2.3.5 for WordPress allows users with the Subscriber role or higher to change plugin settings.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-09-12
SLiMS Senayan Library Management System v9.4.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Search function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Search bar.
CVSS Score
6.1
EPSS Score
0.003
Published
2022-09-12
SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgery (SSRF) vulnerabilities in the components /bibliography/marcsru.php and /bibliography/z3950sru.php.
CVSS Score
9.8
EPSS Score
0.001
Published
2022-09-12
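The Appsmith entries above and this SLiMS entry are all server-side fetchers reaching destinations they should not, and the Appsmith one specifically relies on a redirect: the first URL looks harmless, the Location header does not. The following added Python example (not code from Appsmith, SLiMS or this page) contrasts a fetcher that validates only the first URL with one that re-validates every redirect hop and rejects any host that resolves to a non-global address, which covers 169.254.169.254, loopback and RFC 1918 space. DNS and HTTP are replaced by constructed in-memory fakes so it runs offline; the hostnames and addresses in them are invented for the demonstration.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

# Hostnames cloud metadata services answer to; blocked regardless of what DNS says.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class SSRFError(ValueError):
    """Raised when a URL, or a redirect hop, points at a forbidden destination."""


def is_forbidden_address(ip_text):
    """Anything not globally routable: loopback, link-local (169.254.169.254),
    RFC 1918, CGNAT, ULA, reserved and documentation ranges."""
    return not ipaddress.ip_address(ip_text).is_global


def validate_url(url, resolver):
    """Check scheme, hostname and every address the host resolves to."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if parsed.scheme not in ("http", "https") or not host:
        raise SSRFError(f"unsupported or hostless URL: {url!r}")
    if host in BLOCKED_HOSTNAMES:
        raise SSRFError(f"blocked hostname: {host}")
    try:
        addresses = [str(ipaddress.ip_address(host))]   # IP literal in the URL
    except ValueError:
        addresses = resolver(host)                      # DNS name: check every answer
    for addr in addresses:
        if is_forbidden_address(addr):
            raise SSRFError(f"{host} -> {addr} is not a public address")
    return addresses


def fetch_naive(url, resolver, transport):
    """The bug pattern: validate the first URL, then let redirects go anywhere."""
    validate_url(url, resolver)
    for _ in range(6):
        status, headers, body = transport(url)
        if status in REDIRECT_STATUSES and headers.get("location"):
            url = urljoin(url, headers["location"])
            continue
        return url, status, body
    raise SSRFError("too many redirects")


def fetch_hardened(url, resolver, transport, max_redirects=5):
    """Follow redirects by hand and re-validate the destination of every hop."""
    for _ in range(max_redirects + 1):
        validate_url(url, resolver)
        status, headers, body = transport(url)
        if status in REDIRECT_STATUSES and headers.get("location"):
            url = urljoin(url, headers["location"])
            continue
        return url, status, body
    raise SSRFError("too many redirects")


# Constructed stand-ins for DNS and HTTP; hosts, addresses and bodies are invented.
FAKE_DNS = {
    "attacker.example": ["23.45.67.89"],   # constructed, globally routable
    "catalog.example": ["52.1.2.3"],       # constructed, globally routable
}


def fake_resolver(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise SSRFError(f"cannot resolve {host}") from None


def fake_transport(url):
    host = urlparse(url).hostname
    if host == "attacker.example":      # attacker's server bounces the fetcher to metadata
        return 302, {"location": "http://169.254.169.254/latest/meta-data/iam/"}, b""
    if host == "169.254.169.254":       # what a metadata service would hand back
        return 200, {}, b"constructed-role-credentials"
    return 200, {}, b'{"records": []}'


def run_demo():
    """What each fetcher produces for a benign and a redirecting start URL."""
    out = {}
    for name, fetcher in (("naive", fetch_naive), ("hardened", fetch_hardened)):
        for label, start in (("benign", "http://catalog.example/sru"),
                             ("redirect", "http://attacker.example/sru")):
            try:
                final_url, status, body = fetcher(start, fake_resolver, fake_transport)
                out[(name, label)] = ("fetched", final_url, body)
            except SSRFError as exc:
                out[(name, label)] = ("blocked", str(exc))
    return out
```

Two caveats for a real client: connect to the address you validated rather than letting the HTTP library resolve the name a second time (otherwise a DNS-rebinding answer can swap in an internal address between check and connect), and keep the hostname denylist as a backstop only; the address check is what does the work.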
Cuppa CMS v1.0 was discovered to contain a cross-site scripting vulnerability at /table_manager/view/cu_user_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field under the Add New Group function.
CVSS Score
6.1
EPSS Score
0.401
Published
2022-09-12
Cuppa CMS v1.0 was discovered to contain an arbitrary file upload vulnerability via the File Manager.
CVSS Score
9.8
EPSS Score
0.838
Published
2022-09-12
Shodan ® - All rights reserved