Security Vulnerabilities - CVEs Published In November 2022
A cross-site scripting (XSS) vulnerability in the Search Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Footer field.
CVSS Score
4.8
EPSS Score
0.001
Published
2022-11-21
A cross-site scripting (XSS) vulnerability in the Overview Page settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Loop field.
CVSS Score
4.8
EPSS Score
0.001
Published
2022-11-21
Server-Side Request Forgery (SSRF) in GitHub repository appsmithorg/appsmith prior to 1.8.2.
CVSS Score
8.8
EPSS Score
0.067
Published
2022-11-21
Tenda AC15 V15.03.05.18 is vulnerable to Buffer Overflow via function formSetVirtualSer.
CVSS Score
7.5
EPSS Score
0.001
Published
2022-11-21
A cross-site scripting (XSS) vulnerability in the Modify Page module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Source field.
CVSS Score
4.8
EPSS Score
0.001
Published
2022-11-21
A cross-site scripting (XSS) vulnerability in the Show Advanced Option module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Section Header field.
CVSS Score
4.8
EPSS Score
0.001
Published
2022-11-21
Tenda AC15 V15.03.05.18 is avulnerable to Buffer Overflow via function formSetPPTPServer.
CVSS Score
7.5
EPSS Score
0.001
Published
2022-11-21
Tenda AC15 V15.03.05.18 is vulnerable to Buffer Overflow via function fromSetRouteStatic..
CVSS Score
7.5
EPSS Score
0.001
Published
2022-11-21
The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with contributor level permissions and above to inject a PHP Object. The additional presence of a POP chain would make it possible for attackers to execute code, retrieve sensitive data, delete files, etc..
CVSS Score
8.8
EPSS Score
0.021
Published
2022-11-21
The Booster for WooCommerce WordPress plugin before 5.6.7, Booster Plus for WooCommerce WordPress plugin before 5.6.5, Booster Elite for WooCommerce WordPress plugin before 1.1.7 do not validate files to download in some of its modules, which could allow ShopManager and Admin to download arbitrary files from the server even when they are not supposed to be able to (for example in multisite)
CVSS Score
6.5
EPSS Score
0.003
Published
2022-11-21