CVE-2021-23266

An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator.

Source: CVE-2021-23266

CVE-2021-33318

An Input Validation Vulnerability exists in Joel Christner .NET C# packages WatsonWebserver, IpMatcher 1.0.4.1 and below (IpMatcher) and 4.1.3 and below (WatsonWebserver) due to insufficient validation of input IP addresses and netmasks against the internal Matcher list of IP addresses and subnets.

Source: CVE-2021-33318

CVE-2022-1713

SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information.

Source: CVE-2022-1713

CVE-2022-30523

Trend Micro Password Manager (Consumer) version 5.0.0.1266 and below is vulnerable to a Link Following Privilege Escalation Vulnerability that could allow a low privileged local attacker to delete the contents of an arbitrary folder as SYSTEM which can then be used for privilege escalation on the affected machine.

Source: CVE-2022-30523

CVE-2022-1557

The ULeak Security & Monitoring WordPress plugin through 1.2.3 does not have authorisation and CSRF checks when updating its settings, and is also lacking sanitisation as well as escaping in some of them, which could allow any authenticated users such as subscriber to perform Stored Cross-Site Scripting attacks against admins viewing the settings

Source: CVE-2022-1557

CVE-2022-1721

Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5. Read local files of the web application.

Source: CVE-2022-1721

CVE-2022-1722

SSRF in editor’s proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. SSRF to internal link-local IPv6 addresses

Source: CVE-2022-1722

CVE-2022-1726

Bootstrap Tables XSS vulnerability with Table Export plug-in when exportOptions: htmlContent is true in GitHub repository wenzhixin/bootstrap-table prior to 1.20.2. Disclosing session cookies, disclosing secure session data, exfiltrating data to third-parties.

Source: CVE-2022-1726

CVE-2022-1560

The Amministrazione Aperta WordPress plugin through 3.7.3 does not validate the open parameter before using it in an include statement, leading to a Local File Inclusion issue. The original advisory mentions that unauthenticated users can exploit this, however the affected file generates a fatal error when accessed directly and the affected code is not reached. The issue can be exploited via the dashboard when logged in as an admin, or by making a logged in admin open a malicious link

Source: CVE-2022-1560

CVE-2022-1728

Allowing long password leads to denial of service in polonel/trudesk in GitHub repository polonel/trudesk prior to 1.2.2. This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.

Source: CVE-2022-1728