Security Vulnerabilities - CVEs Published In 2022
The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) mishandles reject messages.
CVSS Score
8.6
EPSS Score
0.002
Published
2022-12-19
An unauthorized user could use a specially crafted sequence of Ethernet/IP messages, combined with heavy traffic
loading to cause a denial-of-service condition in Rockwell Automation Logix controllers resulting in a major non-recoverable fault. If the target device becomes unavailable, a user would have to clear the fault and redownload
the user project file to bring the device back online and continue normal operation.
CVSS Score
8.6
EPSS Score
0.003
Published
2022-12-19
pdftojson commit 94204bb was discovered to contain a stack overflow via the component Object::copy(Object*):Object.cc.
CVSS Score
9.8
EPSS Score
0.001
Published
2022-12-19
pdftojson commit 94204bb was discovered to contain a stack overflow via the component Stream::makeFilter(char*, Stream*, Object*, int).
CVSS Score
9.8
EPSS Score
0.001
Published
2022-12-19
The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) is unresponsive with ConReqTimeoutZero.
CVSS Score
7.5
EPSS Score
0.001
Published
2022-12-19
The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) allows attackers to bypass passkey entry in legacy pairing.
CVSS Score
5.4
EPSS Score
0.0
Published
2022-12-19
Softr v2.0 was discovered to be vulnerable to HTML injection via the Name field of the Account page.
CVSS Score
9.8
EPSS Score
0.001
Published
2022-12-19
Patchelf v0.9 was discovered to contain an out-of-bounds read via the function modifyRPath at src/patchelf.cc.
CVSS Score
9.1
EPSS Score
0.001
Published
2022-12-19
Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However as a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending to the Set Alertmanager Configuration API.
CVSS Score
6.5
EPSS Score
0.004
Published
2022-12-19
Silverware Games is a social network where people can play games online. Users can attach URLs to YouTube videos, the site will generate related `<iframe>` when the post will be published. The handler has some sort of protection so non-YouTube links can't be posted, as well as HTML tags are being stripped. However, it was still possible to add custom HTML attributes (e.g. `onclick=alert("xss")`) to the `<iframe>'. This issue was fixed in the version `1.1.34` and does not require any extra actions from our members. There has been no evidence that this vulnerability was used by anyone at this time.
CVSS Score
6.3
EPSS Score
0.001
Published
2022-12-19