Security Vulnerabilities - CVEs Published In October 2022
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2022-10-10
Slack Morphism is a modern client library for Slack Web/Events API/Socket Mode and Block Kit. Debug logs expose sensitive URLs for Slack webhooks that contain private information. The problem is fixed in version 1.3.2 which redacts sensitive URLs for webhooks. As a workaround, people who use Slack webhooks may disable or filter debug logs.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2022-10-10
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiOS version 6.0.0 through 6.0.14, FortiOS version 6.2.0 through 6.2.10, FortiOS version 6.4.0 through 6.4.8, FortiOS version 7.0.0 through 7.0.3 allows an attacker to execute privileged commands on a linked FortiSwitch via diagnostic CLI commands.
CVSS Score: 9.0 | EPSS Score: 0.003 | Published: 2022-10-10
An exposure of resource to wrong sphere vulnerability [CWE-668] in FortiAnalyzer and FortiManager GUI 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11, 5.6.0 through 5.6.11 may allow an unauthenticated and remote attacker to access report template images via referencing the name in the URL path.
CVSS Score: 3.7 | EPSS Score: 0.002 | Published: 2022-10-10
A vulnerability was found in Crealogix EBICS 7.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /ebics-server/ebics.aspx. The manipulation leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.1 is able to address this issue. It is recommended to upgrade the affected component. VDB-210374 is the identifier assigned to this vulnerability.
CVSS Score: 3.5 | EPSS Score: 0.001 | Published: 2022-10-10
Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.
CVSS Score: 5.7 | EPSS Score: 0.003 | Published: 2022-10-10
app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have).
CVSS Score: 4.3 | EPSS Score: 0.001 | Published: 2022-10-10
Warpinator through 1.2.14 allows access outside of an intended directory, as demonstrated by symbolic directory links.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2022-10-10
An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.
CVSS Score: 6.5 | EPSS Score: 0.0 | Published: 2022-10-10
An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2022-10-10

Shodan ® - All rights reserved