Security Vulnerabilities - CVEs Published In October 2022
An error in the URL handler of the VIDEOJET multi 4000 may lead to a reflected cross-site scripting (XSS) in the web-based interface. An attacker with knowledge of the encoder address can send a crafted link to a user, which will execute JavaScript code in the context of the user.
CVSS Score: 5.8 | EPSS Score: 0.002 | Published: 2022-10-27
Incomplete filtering of JavaScript code in different configuration fields of the web-based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option.
CVSS Score: 5.1 | EPSS Score: 0.001 | Published: 2022-10-27
Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada premium theme versions <= 7.8.1 on WordPress leading to arbitrary plugin installation/activation.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2022-10-27
It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services.
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2022-10-27
An attacker can use the unrestricted LDAP queries to determine configuration entries.
CVSS Score: 7.1 | EPSS Score: 0.001 | Published: 2022-10-27
The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '\' characters in URIs, which can lead to auth bypass in webapps interpreting URIs. We recommend updating Dart or Flutter to mitigate the issue.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2022-10-27
Pimcore is an open source data and experience management platform. Prior to version 10.5.9, the user controlled twig templates rendering in `Pimcore/Mail` & `ClassDefinition\Layout\Text` is vulnerable to server-side template injection, which could lead to remote code execution. Version 10.5.9 contains a patch for this issue. As a workaround, one may apply the patch manually.
CVSS Score: 9.8 | EPSS Score: 0.0 | Published: 2022-10-27
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server prior to versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server prior to versions 22.2.10.5, 23.0.9, and 24.0.5 an attacker reading `nextcloud.log` may gain knowledge of credentials to connect to a SharePoint service. Nextcloud Server versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server versions 22.2.10.5, 23.0.9, and 24.0.5 contain a patch for this issue. As a workaround, set `zend.exception_ignore_args = On` as an option in `php.ini`.
CVSS Score: 4.0 | EPSS Score: 0.001 | Published: 2022-10-27
A stored cross-site scripting (XSS) vulnerability in Simple Online Public Access Catalog v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Account Full Name field.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-10-27
Password Storage Application v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Setup page.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-10-27
Shodan ® - All rights reserved