Security Vulnerabilities - CVEs Published In 2022
Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file.
CVSS Score
9.6
EPSS Score
0.001
Published
2022-12-23
Unrestricted Upload of File with Dangerous Type in GitHub repository ampache/ampache prior to 5.5.6.
CVSS Score
3.1
EPSS Score
0.001
Published
2022-12-23
nbnbk commit 879858451d53261d10f77d4709aee2d01c72c301 was discovered to contain an arbitrary file read vulnerability via the component /api/Index/getFileBinary.
CVSS Score
6.5
EPSS Score
0.001
Published
2022-12-23
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
CVSS Score
7.5
EPSS Score
0.001
Published
2022-12-23
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.
CVSS Score
7.5
EPSS Score
0.004
Published
2022-12-23
IO FinNet tss-lib before 2.0.0 allows a collision of hash values.
CVSS Score
9.1
EPSS Score
0.0
Published
2022-12-23
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
CVSS Score
5.9
EPSS Score
0.003
Published
2022-12-23
Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.
CVSS Score
5.9
EPSS Score
0.001
Published
2022-12-23
Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path:
`/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists.
CVSS Score
5.3
EPSS Score
0.066
Published
2022-12-23
Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.
CVSS Score
9.8
EPSS Score
0.001
Published
2022-12-22