Security Vulnerabilities - CVEs Published In October 2022
Boodskap IoT Platform v4.4.9-02 contains a cross-site scripting (XSS) vulnerability.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2022-10-13
Boodskap IoT Platform v4.4.9-02 allows attackers to escalate privileges via a crafted request sent to /api/user/upsert/<uuid>.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2022-10-13
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
CVSS Score: 6.1 | EPSS Score: 0.0 | Published: 2022-10-13
October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the "Editor" section, they can bypass the Safe Mode (`cms.safe_mode`) restriction to introduce new PHP code in a CMS template using a specially crafted request. The issue has been patched in versions 2.2.34 and 3.0.66.
CVSS Score: 6.2 | EPSS Score: 0.0 | Published: 2022-10-13
node-saml is a SAML 2.0 library based on the SAML implementation of passport-saml. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP-signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g. without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to node-saml version 4.0.0-beta5 or newer. Disabling SAML authentication may be done as a workaround.
CVSS Score: 7.7 | EPSS Score: 0.0 | Published: 2022-10-13
iCMS v7.0.16 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at admincp.php.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2022-10-13
ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the pkg_url parameter at /manager/index.php.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2022-10-13
Online Diagnostic Lab Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /php_action/editProductImage.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVSS Score: 7.2 | EPSS Score: 0.001 | Published: 2022-10-13
Online Diagnostic Lab Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /php_action/createOrder.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVSS Score: 7.2 | EPSS Score: 0.001 | Published: 2022-10-13
ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the rss_url_news parameter at /manager/index.php.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2022-10-13
Shodan ® - All rights reserved