Security Vulnerabilities - CVEs Published In 2022
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could execute arbitrary JavaScript code in the victim's browser.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2022-12-29
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
CVSS Score: 6.1
EPSS Score: 0.004
Published: 2022-12-29
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could execute arbitrary JavaScript code in the victim's browser.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2022-12-29
There is a reflected HTML injection vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below that may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could render arbitrary HTML in the victim's browser.
CVSS Score: 6.1
EPSS Score: 0.003
Published: 2022-12-29
MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.1 allow users to upload a file but do not validate the file name, which may allow the uploaded file to be written to an arbitrary path. The vulnerability has been fixed in v2.5.1. There are no workarounds.
CVSS Score: 7.4
EPSS Score: 0.001
Published: 2022-12-29
Gotify server is a simple server for sending and receiving messages in real time via WebSocket. Versions prior to 2.2.2 contain an XSS vulnerability that allows authenticated users to upload .html files. An attacker could execute client-side scripts **if** another user opened a link to such a file. The attacker could potentially take over the account of the user that clicked the link. The Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify. The vulnerability has been fixed in version 2.2.2. As a workaround, you can block access to non-image files in the `./image` directory via a reverse proxy.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2022-12-29
NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.8.2.
CVSS Score: 4.4
EPSS Score: 0.0
Published: 2022-12-29
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
CVSS Score: 6.5
EPSS Score: 0.001
Published: 2022-12-29
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
CVSS Score: 6.7
EPSS Score: 0.0
Published: 2022-12-29
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
CVSS Score: 6.3
EPSS Score: 0.0
Published: 2022-12-29
Shodan ® - All rights reserved