Security Vulnerabilities - CVEs Published In November 2022
KubeVela is an open source application delivery platform. Users of the VelaUX APIServer are affected by this vulnerability. When Helm Chart is used as the component delivery method, the Helm repository address supplied in the request is not restricted, which results in a blind SSRF vulnerability. Users of v1.6 should update to v1.6.1; users of v1.5 should update to v1.5.8. There are no known workarounds for this issue.
CVSS Score
4.9
EPSS Score
0.001
Published
2022-11-16
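The class of fix for the KubeVela entry above is to decide, before any server-side request is made, whether a user-supplied chart repository address may be fetched at all. The following is an added example, not KubeVela's code; the allowed hosts and the sample URLs are constructed for it.

```python
"""Allowlist validation for a user-supplied Helm repository URL.

Added example for the KubeVela VelaUX advisory above; it is not
KubeVela's own code. The bug class is a server-side fetch of a chart
repository whose address the user controls, so the fix is to decide,
before any request is made, whether that address may be fetched at all.
The allowed hosts and the sample URLs are constructed for the example.
"""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of chart repositories this API server may contact.
ALLOWED_REPO_HOSTS = frozenset({"charts.example.com", "charts.bitnami.com"})


def validate_helm_repo_url(url, allowed_hosts=ALLOWED_REPO_HOSTS):
    """Return a normalized https URL if it may be fetched, else raise ValueError.

    With an allowlist (the default) only listed hostnames pass. With
    allowed_hosts=None the check degrades to a denylist of non-public IP
    literals, which is weaker: a hostname that resolves to 10.0.0.5 or to
    the 169.254.169.254 metadata service would still get through.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    # 'https://charts.example.com@10.0.0.1/' has hostname 10.0.0.1; refuse
    # userinfo outright rather than risk confusing it with the host.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in repository URL is not allowed")
    host = parts.hostname  # already lower-cased, brackets stripped for IPv6
    if not host:
        raise ValueError("repository URL has no host")
    if parts.port not in (None, 443):
        raise ValueError("only the default https port is allowed")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not an IP literal
    if ip is not None and not ip.is_global:
        raise ValueError(f"{host} is a private, loopback or link-local address")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"{host} is not an allowlisted chart repository")
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def repo_url_allowed(url, allowed_hosts=ALLOWED_REPO_HOSTS):
    """Boolean form of validate_helm_repo_url for callers that only need a verdict."""
    try:
        validate_helm_repo_url(url, allowed_hosts)
        return True
    except ValueError:
        return False
```

Two caveats a practitioner should keep in mind: the check only classifies the URL as written, so the HTTP client that fetches the chart index must also refuse to follow redirects (or re-run this check on every hop), and an allowlisted hostname is only as trustworthy as its DNS, so the fetch should pin the resolved address it validated rather than resolve again.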
FreeRDP is a free remote desktop protocol library and set of clients. Affected versions of FreeRDP are missing input length validation in the `drive` channel. A malicious server can trick a FreeRDP-based client into reading out-of-bounds data and sending it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the drive redirection channel (command line options `/drive`, `+drives` or `+home-drive`).
CVSS Score
4.6
EPSS Score
0.001
Published
2022-11-16
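The check missing in the FreeRDP entry above is a comparison of every peer-supplied length field against the bytes actually received before anything is read. The reader below is an added example, not FreeRDP's code, and its message layout is constructed for the example rather than taken from the RDP drive channel.

```python
"""Length-validated parsing of a server-supplied message.

Added example for the FreeRDP drive-channel advisory above; it is not
FreeRDP's code and the message layout is constructed for the example
(u32 path length, UTF-16LE path, u32 data length, data), not the RDP
drive channel format. The bug class is a client that trusts a length
field from the peer and reads that many bytes regardless of how many it
actually received; in C that is an out-of-bounds read whose contents can
be echoed back to the server. The reader below checks every length
against the bytes remaining before it reads.
"""
import struct


class TruncatedMessage(ValueError):
    """A declared length exceeds the bytes that were actually received."""


class Stream:
    """Cursor over an immutable byte buffer with mandatory bounds checks."""

    def __init__(self, data):
        self.data = bytes(data)
        self.pos = 0

    def remaining(self):
        return len(self.data) - self.pos

    def ensure(self, n):
        if n < 0 or n > self.remaining():
            raise TruncatedMessage(f"need {n} bytes, only {self.remaining()} remain")

    def read_u32(self):
        self.ensure(4)
        (value,) = struct.unpack_from("<I", self.data, self.pos)
        self.pos += 4
        return value

    def read_bytes(self, n):
        self.ensure(n)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk


def build_request(path, data):
    """Encode a well-formed message; used to construct sample input."""
    encoded = path.encode("utf-16-le")
    return struct.pack("<I", len(encoded)) + encoded + struct.pack("<I", len(data)) + data


def parse_request(msg):
    """Decode one message or raise: TruncatedMessage if a length field
    overruns the buffer, ValueError for other malformed input."""
    s = Stream(msg)
    path_len = s.read_u32()
    if path_len % 2:
        raise ValueError("UTF-16 path length must be even")
    path = s.read_bytes(path_len).decode("utf-16-le")
    data = s.read_bytes(s.read_u32())
    if s.remaining():
        raise ValueError(f"{s.remaining()} trailing bytes")
    return {"path": path, "data": data}


def parse_or_reject(msg):
    """Turn any parse failure into None: the caller must drop the message
    and should close the channel rather than answer it."""
    try:
        return parse_request(msg)
    except ValueError:  # TruncatedMessage and UnicodeDecodeError are both ValueErrors
        return None
```

The important property is that `read_bytes` can never return fewer bytes than asked for: either the full field is present or the message is rejected. A reader that silently truncates (as plain slicing would) is the Python analogue of the C bug, because downstream code then acts on a buffer shorter than the length it believes it has.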
Zulip is an open-source team collaboration tool. For organizations with System for Cross-domain Identity Management (SCIM) account management enabled, Zulip Server 5.0 through 5.6 checked the SCIM bearer token using a comparator that did not run in constant time. It might therefore theoretically be possible for an attacker to infer the value of the token by performing a sophisticated timing analysis on a large number of failing requests. If successful, this would allow the attacker to impersonate the SCIM client, with its ability to read and update user accounts in the Zulip organization. Organizations where SCIM account management has not been enabled are not affected.
CVSS Score
3.7
EPSS Score
0.001
Published
2022-11-16
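The Zulip entry above is about the comparator, so the example worth having is the two comparators side by side, plus the attacker's procedure that turns an early-exit comparison into a byte-at-a-time recovery. This is an added example and not Zulip's code; the token, alphabet and guesses are constructed.

```python
"""Early-exit versus constant-time secret comparison.

Added example for the Zulip SCIM advisory above; it is not Zulip's code.
A comparator that returns at the first differing byte takes measurably
longer the more leading bytes of a guess are right. The instrumented
comparator below reports how many bytes it looked at, which is exactly
what a timing side channel approximates, and recover_with_oracle shows
how that observable is turned into the token. The token, alphabet and
guesses are constructed for the example.
"""
import hashlib
import hmac

# Constructed bearer token; a server would load its own from configuration.
EXPECTED_TOKEN = "scim-token-7f3a9c0d1e2b"
TOKEN_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def early_exit_compare(expected, provided):
    """Return (equal, bytes_inspected). Models a plain '==' or a hand-written
    loop that stops at the first mismatch."""
    a, b = expected.encode(), provided.encode()
    if len(a) != len(b):
        return False, 0
    inspected = 0
    for x, y in zip(a, b):
        inspected += 1
        if x != y:
            return False, inspected
    return True, inspected


def check_token_vulnerable(provided):
    """The flawed check: correct answer, but its running time depends on
    how many leading bytes of `provided` are right."""
    return early_exit_compare(EXPECTED_TOKEN, provided)[0]


def check_token(provided):
    """Constant-time check. Hashing both sides first gives fixed-length
    inputs, so not even the token's length leaks (compare_digest on raw
    strings still returns early when the lengths differ)."""
    expected = hashlib.sha256(EXPECTED_TOKEN.encode()).digest()
    given = hashlib.sha256(provided.encode()).digest()
    return hmac.compare_digest(expected, given)


def recover_with_oracle(oracle, length, alphabet=TOKEN_ALPHABET):
    """Recover a secret one byte at a time from an oracle that returns
    (equal, bytes_inspected), i.e. a noise-free version of the timing
    signal. A guess whose first i+1 bytes are right makes the comparator
    inspect at least i+2 bytes (or report equality on the final byte)."""
    found = ""
    for i in range(length):
        for ch in alphabet:
            # Pad with a byte outside the alphabet so later positions always mismatch.
            guess = (found + ch).ljust(length, "\x00")
            equal, inspected = oracle(guess)
            if equal or inspected > i + 1:
                found += ch
                break
        else:
            raise ValueError(f"no alphabet character matched at position {i}")
    return found
```

The oracle here is exact; over a network the attacker gets the same signal smeared with jitter and needs many repeated requests per candidate byte, which is why the advisory calls the attack theoretical and sophisticated rather than impossible. Against `check_token` the inspected-bytes count is the same for every guess, so the recovery loop has nothing to work with.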
Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /diagnostic/login.php.
CVSS Score
9.8
EPSS Score
0.001
Published
2022-11-16
IBM Sterling Partner Engagement Manager 2.0 stores encrypted client data locally in a location that can be read by another user on the system. IBM X-Force ID: 230424.
CVSS Score
4.0
EPSS Score
0.0
Published
2022-11-16
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via profile.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-11-16
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via svg, Users & Contacts.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-11-16
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via the Nest library module.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-11-16
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via News articles.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-11-16
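The four Zenario entries above are stored XSS through different inputs: free text on a profile, in news articles and in the Nest library module, and SVG files uploaded under Users & Contacts. One added example covers both halves, output encoding for the text fields and screening of an uploaded SVG; it is not Zenario's code and its inputs are constructed.

```python
"""Output encoding and SVG upload screening.

Added example for the four Zenario XSS entries above; it is not
Zenario's code. Two checks cover those entries: every untrusted string
rendered into HTML is escaped for its context, and an uploaded SVG is
parsed and refused if it carries script, event handlers or references
that leave the file. The sample inputs are constructed for the example.
"""
import html
import xml.etree.ElementTree as ET

# Elements that can execute script or embed foreign content inside an SVG.
SVG_ACTIVE_TAGS = frozenset({"script", "foreignobject", "iframe", "object", "embed"})


def render_profile_vulnerable(display_name):
    """Reflects the stored value verbatim: a display name such as
    '<img src=x onerror=alert(1)>' executes in every visitor's browser."""
    return f"<h1>{display_name}</h1>"


def render_profile(display_name):
    """Escapes <, >, &, " and ' so the value is shown as text, not parsed
    as markup. quote=True matters when the same value lands in an attribute."""
    return f"<h1>{html.escape(display_name, quote=True)}</h1>"


def _local_name(qualified):
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_is_inert(data):
    """True only if data parses as an <svg> document with no script-bearing
    elements, no on* event attributes and no href other than a local
    fragment reference.

    The standard-library parser keeps the example self-contained; a real
    upload handler should parse with defusedxml to also stop entity
    expansion attacks, and should serve the stored file with
    Content-Type image/svg+xml and a restrictive Content-Security-Policy.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    if _local_name(root.tag) != "svg":
        return False
    for element in root.iter():  # includes the root element itself
        if _local_name(element.tag) in SVG_ACTIVE_TAGS:
            return False
        for attr, value in element.attrib.items():
            name = _local_name(attr)  # 'xlink:href' arrives namespaced; maps to 'href'
            if name.startswith("on"):  # onload, onclick, onbegin, ...
                return False
            if name == "href" and not value.strip().startswith("#"):
                return False  # javascript:, data:, and external resources
    return True
```

Escaping is the fix for the text fields; an SVG cannot be fixed by escaping because it is meant to be parsed, so it is either screened as above or served from a separate origin where script in it cannot reach the CMS session.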
SeaCms before v12.6 was discovered to contain a SQL injection vulnerability via the component /js/player/dmplayer/dmku/index.php.
CVSS Score
9.8
EPSS Score
0.001
Published
2022-11-16
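Both SQL injection entries on this page (the `username` parameter of /diagnostic/login.php above and the SeaCms dmku endpoint here) come from the same pattern: request input pasted into a query string. The following added example shows that pattern next to its parameterized form; it is the code of neither project, and the in-memory SQLite database with two constructed accounts stands in for the applications' own databases.

```python
"""Login query built by string concatenation next to its parameterized form.

Added example for the two SQL injection entries on this page (the
/diagnostic/login.php username parameter and the SeaCms dmku endpoint);
it is not the code of either project. The vulnerable function mirrors
the PHP pattern behind most login.php injections: user input pasted into
the WHERE clause. An in-memory SQLite database with constructed users
stands in for the applications' MySQL instances.
"""
import hashlib
import hmac
import sqlite3


def _digest(password):
    # Unsalted SHA-256 keeps the example short; real credential storage
    # needs a slow, salted password hash (argon2id, scrypt or bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed user table: two accounts with known passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("admin", _digest("correct horse")), ("alice", _digest("hunter2"))],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Return the matched username, or None. The username is interpolated
    into SQL, so "admin' --" comments out the password check entirely and
    "' OR 1=1 --" matches every row."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
        % (username, _digest(password))
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with a bound parameter: the driver sends the username as
    data, never as SQL, so quotes and comment markers are just characters.
    The hash comparison happens in Python, in constant time."""
    row = conn.execute(
        "SELECT username, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[1], _digest(password)):
        return None
    return row[0]
```

The PHP equivalent of `login_safe` is a `PDO::prepare` statement with bound parameters (or `mysqli_stmt_bind_param`); escaping the input with `addslashes` or similar is not a substitute, because it has to be right for every character set and quoting context the database accepts.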
Shodan ® - All rights reserved