Security Vulnerabilities - CVEs Published In 2022
A vulnerability, which was classified as problematic, has been found in UBI Reader up to 0.8.0. Affected by this issue is the function ubireader_extract_files of the file ubireader/ubifs/output.py of the component UBIFS File Handler. The manipulation leads to path traversal. The attack may be launched remotely. Upgrading to version 0.8.5 is able to address this issue. The name of the patch is d5d68e6b1b9f7070c29df5f67fc060f579ae9139. It is recommended to upgrade the affected component. VDB-216146 is the identifier assigned to this vulnerability.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-12-17
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds.
CVSS Score
6.5
EPSS Score
0.001
Published
2022-12-17
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5.
CVSS Score
5.8
EPSS Score
0.001
Published
2022-12-17
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten. This issue is patched in version 0.1.8. Potential workarounds include using a safer module, like zipfile, and validating the location of the extracted files and discarding those with malicious paths.
CVSS Score
5.8
EPSS Score
0.002
Published
2022-12-16
A vulnerability has been identified in Micro Focus GroupWise Web in versions prior to 18.4.2. The GW Web component makes a request to the Post Office Agent that contains sensitive information in the query parameters that could be logged by any intervening HTTP proxies.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-12-16
Mutiny 7.2.0-10788 suffers from Hardcoded root password.
CVSS Score
9.8
EPSS Score
0.001
Published
2022-12-16
A SQL injection vulnerability in Sourcecodester Online Grading System 1.0 allows remote attackers to execute arbitrary SQL commands via the uname parameter.
CVSS Score
9.8
EPSS Score
0.002
Published
2022-12-16
Deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via weak cipher in Shiro framework.
CVSS Score
9.8
EPSS Score
0.003
Published
2022-12-16
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. Subscribing to the current-poll collection does not update the client UI, but does give the attacker access to the contents of the collection, which include the individual poll responses. This issue is patched in version 2.4.0. There are no workarounds.
CVSS Score
4.3
EPSS Score
0.001
Published
2022-12-16
PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow a root privileged attacker to install unsigned packages. The attacker must have shell access to the device and gain root privileges in order to exploit this vulnerability.
CVSS Score
6.0
EPSS Score
0.0
Published
2022-12-16