Security Vulnerabilities - CVEs Published In December 2022
xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP).
xrdp < v0.9.21 contain a buffer over flow in audin_send_open() function. There are no known workarounds for this issue. Users are advised to upgrade.
CVSS Score
9.1
EPSS Score
0.002
Published
2022-12-09
Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /services/view_service.php.
CVSS Score
7.2
EPSS Score
0.001
Published
2022-12-09
ZKTeco Xiamen Information Technology ZKBio ECO ADMS <=3.1-164 is vulnerable to Cross Site Scripting (XSS).
CVSS Score
4.8
EPSS Score
0.001
Published
2022-12-09
Incorrect Privilege Assignment in M-Files Web (Classic) in M-Files before 22.8.11691.0 allows low privilege user to change some configuration.
CVSS Score
6.5
EPSS Score
0.001
Published
2022-12-09
A vulnerability in the web server of Secomea GateManager allows a local user to impersonate as the previous user under some failed login conditions.
This issue affects:
Secomea GateManager versions from 9.4 through 9.7.
CVSS Score
5.5
EPSS Score
0.0
Published
2022-12-09
A vulnerability was found in S-CMS 5.0 Build 20220328. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Contact Information Page. The manipulation of the argument Make a Call leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-215197 was assigned to this vulnerability.
CVSS Score
3.5
EPSS Score
0.001
Published
2022-12-09
A vulnerability was found in Mingsoft MCMS up to 5.2.9. It has been classified as critical. Affected is an unknown function of the file /cms/category/list. The manipulation of the argument sqlWhere leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.2.10 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215196.
CVSS Score
6.3
EPSS Score
0.461
Published
2022-12-09
Brocade SANnav before v2.2.1 logs usernames and encoded passwords in
debug-enabled logs. The vulnerability could allow an attacker with admin
privilege to read sensitive information.
CVSS Score
5.5
EPSS Score
0.002
Published
2022-12-09
Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.
CVSS Score
6.5
EPSS Score
0.002
Published
2022-12-09
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded javascript. The user could then potentially trick another authenticated user to open the malicious file in a browser which would trigger the javascript code, resulting in a cross-site scripting (XSS) attack. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. Users unable to upgrade may add the following simple CSP rule in your web proxy to the vulnerable endpoints: `script-src 'none'`. This workaround will prevent all javascript from running on those endpoints.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-12-08