Security Vulnerabilities - CVEs Published In December 2022
In the power management service, there is a missing permission check. This could allow setting up the power management service with no additional execution privileges needed.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2022-12-06
All versions of the package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
CVSS Score: 8.1 | EPSS Score: 0.702 | Published: 2022-12-06
The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when the ext transport protocol is enabled, which makes it exploitable via the clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
CVSS Score: 8.1 | EPSS Score: 0.433 | Published: 2022-12-06
Generation of Error Message Containing Sensitive Information vulnerability in Hitachi JP1/Automatic Operation allows local users to gain sensitive information. This issue affects JP1/Automatic Operation: from 10-00 through 10-54-03, from 11-00 before 11-51-09, from 12-00 before 12-60-01.
CVSS Score: 3.3 | EPSS Score: 0.001 | Published: 2022-12-06
A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31 could allow an attacker to trick a user into visiting a crafted URL containing the XSS payload. The attacker could then gain access to some browser-based information if the malicious script is executed in the victim's browser.
CVSS Score: 4.7 | EPSS Score: 0.007 | Published: 2022-12-06
Querybook is an open source data querying UI. In affected versions, user-provided data is not escaped in the error field of the auth callback URL in `querybook/server/app/auth/oauth_auth.py` and `querybook/server/app/auth/okta_auth.py`. This may allow attackers to perform reflected cross-site scripting (XSS) if Content Security Policy (CSP) is not enabled or `unsafe-inline` is allowed. Users are advised to upgrade to the latest, patched version of Querybook (version 3.14.2 or greater). Users unable to upgrade may enable CSP without allowing `unsafe-inline`, or manually escape query parameters in a reverse proxy.
CVSS Score: 6.3 | EPSS Score: 0.003 | Published: 2022-12-06
An access control issue in MobaXterm before v22.1 allows attackers to make connections to the server via the SSH or SFTP protocols without authentication.
CVSS Score: 8.1 | EPSS Score: 0.004 | Published: 2022-12-06
Shodan ® - All rights reserved