Security Vulnerabilities - CVEs Published In December 2022
A network misconfiguration is present in versions prior to 1.0.9.90 of the NETGEAR RAX30 AX2400 series of routers. IPv6 is enabled for the WAN interface by default on these devices. While there are firewall restrictions in place that define access restrictions for IPv4 traffic, these restrictions do not appear to be applied to the WAN interface for IPv6. This allows arbitrary access to any services running on the device that may be inadvertently listening via IPv6, such as the SSH and Telnet servers spawned on ports 22 and 23 by default. This misconfiguration could allow an attacker to interact with services only intended to be accessible by clients on the local network.
CVSS Score
10.0
EPSS Score
0.001
Published
2022-12-09
Kbase Doc v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /web/IndexController.java.
CVSS Score
9.1
EPSS Score
0.002
Published
2022-12-09
IBM Cloud Transformation Advisor 2.0.1 through 3.3.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 237214.
CVSS Score
4.4
EPSS Score
0.002
Published
2022-12-09
The rxvt-unicode package is vulnerable to remote code execution in the Perl background extension when an attacker can control the data written to the user's terminal and certain options are set.
CVSS Score
9.8
EPSS Score
0.02
Published
2022-12-09
A stored XSS vulnerability exists in BAOTA linux panel that attackers can use to obtain sensitive information via the log analysis feature.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-12-09
OpenShift 4.9 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks.
CVSS Score
7.4
EPSS Score
0.001
Published
2022-12-09
A crash in the USB HID protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or a crafted capture file on Windows.
CVSS Score
6.3
EPSS Score
0.001
Published
2022-12-09
An authenticated user who has the privilege to add/edit annotations on the Content tab can craft a malicious annotation that can be executed on the annotations page (Annotation Text Column).
CVSS Score
5.4
EPSS Score
0.009
Published
2022-12-09
An authenticated user can embed malicious content with XSS into the admin group policy page.
CVSS Score
5.4
EPSS Score
0.021
Published
2022-12-09
An improper authentication vulnerability in the encrypted volumes and auto mount features of Western Digital My Cloud devices allows insecure direct access to the drive information in the case of a device reset. This issue affects Western Digital My Cloud versions prior to 5.25.124 on Linux.
CVSS Score
4.3
EPSS Score
0.001
Published
2022-12-09