Security Vulnerabilities - CVEs Published In November 2022
FusionAuth before 1.41.3 allows a file outside of the application root to be viewed or retrieved using an HTTP request. To be specific, an attacker may be able to view or retrieve any file readable by the user running the FusionAuth process.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2022-11-28
Drag and Drop XBlock v2 implements a drag-and-drop style problem, where a learner has to drag items to zones on a target image. Versions prior to 3.0.0 are vulnerable to cross-site scripting in multiple XBlock Fields. Any platform that has deployed the XBlock may be impacted. Version 3.0.0 contains a patch for this issue. There are no known workarounds.
CVSS Score: 8.4 | EPSS Score: 0.001 | Published: 2022-11-28
Cross-Site Request Forgery (CSRF) in Virgial Berveling's Manage Notification E-mails plugin <= 1.8.2 on WordPress.
CVSS Score: 4.3 | EPSS Score: 0.001 | Published: 2022-11-28
Authenticated (contributor+) Arbitrary File Upload in SEO Plugin by Squirrly SEO plugin <= 12.1.10 on WordPress.
CVSS Score: 7.6 | EPSS Score: 0.002 | Published: 2022-11-28
A loop with an unreachable exit condition can be triggered by passing a crafted JPEG file to the Lepton image compression tool, resulting in a denial-of-service.
CVSS Score: 5.5 | EPSS Score: 0.0 | Published: 2022-11-28
The Theme and plugin translation for Polylang is vulnerable to authorization bypass in versions up to, and including, 3.2.16 due to missing capability checks in the process_polylang_theme_translation_wp_loaded() function. This makes it possible for unauthenticated attackers to update plugin and theme translation settings and to import translation strings.
CVSS Score: 6.5 | EPSS Score: 0.0 | Published: 2022-11-28
IBM Maximo Mobile 8.7 and 8.8 stores user credentials in clear text, which can be read by a local user. IBM X-Force ID: 237407.
CVSS Score: 6.2 | EPSS Score: 0.0 | Published: 2022-11-28
Velneo vClient in its 28.1.3 version could allow an attacker with knowledge of the victim's username and hashed password to spoof the victim's id against the server.
CVSS Score: 8.7 | EPSS Score: 0.002 | Published: 2022-11-28
Poultry Farm Management System v1.0 contains a SQL injection vulnerability via the del parameter at /Redcock-Farm/farm/category.php.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2022-11-28
An issue in the component MSI.TerminalServer.exe of MSI Center v1.0.41.0 allows attackers to escalate privileges via a crafted TCP packet.
CVSS Score: 8.8 | EPSS Score: 0.0 | Published: 2022-11-28

Shodan ® - All rights reserved