Security Vulnerabilities - CVEs Published In November 2022
A Cross-site Scripting (XSS) vulnerability in the BlueSpiceUserSidebar extension of BlueSpice allows a user with a regular account and edit permissions to inject arbitrary HTML into the personal menu navigation of their own and other users. This allows for targeted attacks.
CVSS Score
3.3
EPSS Score
0.003
Published
2022-11-15
Some UI elements of the Common User Interface Component do not properly sanitize output and are therefore prone to outputting arbitrary HTML (XSS).
CVSS Score
4.0
EPSS Score
0.002
Published
2022-11-15
A Cross-site Scripting (XSS) vulnerability in the BlueSpiceCustomMenu extension of BlueSpice allows a user with admin permissions to inject arbitrary HTML into the custom menu navigation of the application.
CVSS Score
2.3
EPSS Score
0.002
Published
2022-11-15
The "Follow Me Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.1. This is due to missing nonce validation on the FollowMeIgniteSocialMedia_options_page() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Score
8.8
EPSS Score
0.002
Published
2022-11-15
Users with write permissions to a repository can delete arbitrary directories.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-11-15
If anonymous read is enabled, it's possible to read the database file directly without logging in.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-11-15
A remote, unauthenticated attacker could cause a denial-of-service of PHOENIX CONTACT FL MGUARD and TC MGUARD devices below version 8.9.0 by sending a large number of unauthenticated HTTPS connections originating from different source IPs. Configuring firewall limits for incoming connections cannot prevent the issue.
CVSS Score
7.5
EPSS Score
0.006
Published
2022-11-15
In PHOENIX CONTACT Automationworx Software Suite up to version 1.89 memory can be read beyond the intended scope due to insufficient validation of input data. Availability, integrity, or confidentiality of an application programming workstation might be compromised by attacks using these vulnerabilities.
CVSS Score
7.8
EPSS Score
0.0
Published
2022-11-15
In PHOENIX CONTACT Automationworx Software Suite up to version 1.89 manipulated PC Worx or Config+ files could lead to a heap buffer overflow and a read access violation. Availability, integrity, or confidentiality of an application programming workstation might be compromised by attacks using these vulnerabilities.
CVSS Score
7.8
EPSS Score
0.0
Published
2022-11-15
Denial of service in WLAN due to a potential null pointer dereference while accessing the memory location in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-11-15

