CVE-2022-26279
EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata.
Source: CVE-2022-26279
CVE-2022-26279
EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata.
Source: CVE-2022-26279
CVE-2022-26301
TuziCMS v2.0.6 was discovered to contain a SQL injection vulnerability via the component AppManageControllerZhuantiController.class.php.
Source: CVE-2022-26301
CVE-2022-24782
Discourse is an open source discussion platform. Versions 2.8.2 and prior in the `stable` branch, 2.9.0.beta3 and prior in the `beta` branch, and 2.9.0.beta3 and prior in the `tests-passed` branch are vulnerable to a data leak. Users can request an export of their own activity. Sometimes, due to category settings, they may have category membership for a secure category. The name of this secure category is shown to the user in the export. The same thing occurs when the user’s post has been moved to a secure category. A patch for this issue is available in the `main` branch of Discourse’s GitHub repository and is anticipated to be part of future releases.
Source: CVE-2022-24782
CVE-2022-24781
Geon is a board game based on solving questions about the Pythagorean Theorem. Malicious users can obtain the uuid from other users, spoof that uuid through the browser console and become co-owners of the target session. This issue is patched in version 1.1.0. No known workaround exists.
Source: CVE-2022-24781
CVE-2022-25571
Bluedon Information Security Technologies Co.,Ltd Internet Access Detector v1.0 was discovered to contain an information leak which allows attackers to access the contents of the password file via unspecified vectors.
Source: CVE-2022-25571
CVE-2022-24769
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container’s bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container’s bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.
Source: CVE-2022-24769
CVE-2022-24776
Flask-AppBuilder is an application development framework, built on top of the Flask web framework. Flask-AppBuilder contains an open redirect vulnerability when using database authentication login page on versions below 3.4.5. This issue is fixed in version 3.4.5. There are currently no known workarounds.
Source: CVE-2022-24776
CVE-2021-43085
An Insecure Permissions vulnerability exists in the OpenSSL Project 3.0 due to an error in the implementation of the CMAC_Final() function.
Source: CVE-2021-43085
CVE-2022-22374
The BMC (IBM Power 9 AC922 OP910, OP920, OP930, and OP940) may be subject to downgrade attack which may affect its ability to operate its host. IBM X-Force ID: 221442.
Source: CVE-2022-22374
CVE-2021-43666
A Denial of Service vulnerability exists in mbed TLS 3.0.0 and earlier in the mbedtls_pkcs12_derivation function when an input password’s length is 0.
Source: CVE-2021-43666