Security Vulnerabilities - CVEs Published In November 2022
FileCloud Versions 20.2 and later allows remote attackers to potentially cause unauthorized remote code execution and access to reported API endpoints via a crafted HTTP request.
CVSS Score
7.2
EPSS Score
0.026
Published
2022-11-23
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.
CVSS Score
7.8
EPSS Score
0.001
Published
2022-11-23
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.
CVSS Score
4.9
EPSS Score
0.001
Published
2022-11-23
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.
CVSS Score
6.5
EPSS Score
0.001
Published
2022-11-23
`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.
CVSS Score
8.1
EPSS Score
0.023
Published
2022-11-23
SQL Injection vulnerability in function get_user in login_manager.php in rizalafani cms-php v1.
CVSS Score
9.8
EPSS Score
0.001
Published
2022-11-23
CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This vulnerability affected only version 3.7.0 of GitHub Enterprise Server and was fixed in version 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Score
8.8
EPSS Score
0.015
Published
2022-11-23
immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-11-23
An issue was discovered in open-vm-tools 2009.03.18-154848. Local users can gain privileges via a symlink attack on /tmp files if vmware-user-suid-wrapper is setuid root and the ChmodChownDirectory function is enabled.
CVSS Score
6.7
EPSS Score
0.0
Published
2022-11-23
An issue was discovered in open-vm-tools 2009.03.18-154848. Local users can bypass intended access restrictions on mounting shares via a symlink attack that leverages a realpath race condition in mount.vmhgfs (aka hgfsmounter).
CVSS Score
7.0
EPSS Score
0.0
Published
2022-11-23