Security Vulnerabilities - CVEs Published In 2022
An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation. This issue is fixed in iOS 16. An app may be able to disclose kernel memory.
CVSS Score
5.5
EPSS Score
0.0
Published
2022-12-15
Cross site scripting vulnerability in 188Jianzhan 2.10 allows attackers to execute arbitrary code via the username parameter to /admin/reg.php.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-12-15
Cross Site Scripting (XSS) vulnerability in Users.php in eyoucms 1.5.4 allows remote attackers to run arbitrary code and gain escalated privilege via the filename for edit_users_head_pic.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-12-15
RSFirewall tries to identify the original IP address by looking at different HTTP headers. A bypass is possible due to the way it is implemented.
CVSS Score
9.8
EPSS Score
0.0
Published
2022-12-15
Memory corruption in Core due to improper configuration in boot remapper.
CVSS Score
8.4
EPSS Score
0.011
Published
2022-12-15
Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper’s innerHTML. This issue is patched in version 2.26.0.
CVSS Score
6.1
EPSS Score
0.004
Published
2022-12-15
Tendermint is a high-performance blockchain consensus engine for Byzantine fault tolerant applications. Versions prior to 0.28.0 contain a potential attack via Improper Verification of Cryptographic Signature, affecting anyone using the tendermint-light-client and related packages to perform light client verification (e.g. IBC-rs, Hermes). The light client does not check that the chain IDs of the trusted and untrusted headers match, resulting in a possible attack vector where someone who finds a header from an untrusted chain that satisfies all other verification conditions (e.g. enough overlapping validator signatures) could fool a light client. The attack vector is currently theoretical, and no proof-of-concept exists yet to exploit it on live networks. This issue is patched in version 0.28.0. There are no workarounds.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-12-15
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions.
CVSS Score
5.3
EPSS Score
0.0
Published
2022-12-15
File upload vulnerability in function upload in action/Core.class.php in zhimengzhe iBarn 1.5 allows remote attackers to run arbitrary code via avatar upload to index.php.
CVSS Score
8.8
EPSS Score
0.003
Published
2022-12-15
Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.0.8 allows remote attackers to run arbitrary code via tha lang attribute of an html tag.
CVSS Score
6.1
EPSS Score
0.001
Published
2022-12-15