Security Vulnerabilities - CVEs Published In November 2022
Proofpoint Enterprise Protection before 18.8.0 allows a Bypass of a Security Control.
CVSS Score
4.3
EPSS Score
0.001
Published
2022-11-17
Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with a subscriber or higher user role to change plugin settings (selected language for legacy widgets, the default behavior for media content).
CVSS Score
5.4
EPSS Score
0.001
Published
2022-11-17
Lightning Network Daemon (lnd) is an implementation of a lightning bitcoin overlay network node. All lnd nodes before version `v0.15.4` are vulnerable to a block parsing bug that can cause a node to enter a degraded state once encountered. In this degraded state, nodes can continue to make payments and forward HTLCs, and close out channels. Opening channels is prohibited, and also on chain transaction events will be undetected. This can cause loss of funds if a CSV expiry is researched during a breach attempt or a CLTV delta expires forgetting the funds in the HTLC. A patch is available in `lnd` version 0.15.4. Users are advised to upgrade. Users unable to upgrade may use the `lncli updatechanpolicy` RPC call to increase their CLTV value to a very high amount or increase their fee policies. This will prevent nodes from routing through your node, meaning that no pending HTLCs can be present.
CVSS Score
8.2
EPSS Score
0.001
Published
2022-11-17
Red Lion Controls Crimson 3.0 versions 707.000 and prior, Crimson 3.1 versions 3126.001 and prior, and Crimson 3.2 versions 3.2.0044.0 and prior are vulnerable to path traversal. When attempting to open a file using a specific path, the user's password hash is sent to an arbitrary host. This could allow an attacker to obtain user credential hashes.
CVSS Score
7.5
EPSS Score
0.001
Published
2022-11-17
Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.
CVSS Score
3.3
EPSS Score
0.0
Published
2022-11-17
An arbitrary file upload vulnerability in the component /dede/file_manage_control.php of Dedecms v5.7.101 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is related to an incomplete fix for CVE-2022-40886.
CVSS Score
6.7
EPSS Score
0.0
Published
2022-11-17
Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /clients/view_client.php.
CVSS Score
7.2
EPSS Score
0.001
Published
2022-11-17
Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /admin/?page=user/manage_user&id=.
CVSS Score
7.2
EPSS Score
0.001
Published
2022-11-17
XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java.
CVSS Score
8.8
EPSS Score
0.199
Published
2022-11-17
Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /tests/view_test.php.
CVSS Score
7.2
EPSS Score
0.001
Published
2022-11-17