CVE-2022-40027
SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newTask.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the shortName parameter.
Source: CVE-2022-40027
CVE-2022-40026
SourceCodester Simple Task Managing System v1.0 was discovered to contain a SQL injection vulnerability via the bookId parameter at board.php.
Source: CVE-2022-40026
CVE-2022-30577
The Web Server component of TIBCO Software Inc.’s TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.’s TIBCO EBX: versions 6.0.0 through 6.0.8.
Source: CVE-2022-30577
CVE-2022-3250
Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6.
Source: CVE-2022-3250
CVE-2022-3251
Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute in GitHub repository ikus060/minarca prior to 4.2.2.
Source: CVE-2022-3251
CVE-2022-37027
Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user.
Source: CVE-2022-37027
CVE-2022-40616
IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, and 7.6.1.3 could allow a user to bypass authentication and obtain sensitive information or perform tasks they should not have access to. IBM X-Force ID: 236311.
Source: CVE-2022-40616
CVE-2022-41255
Jenkins CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
Source: CVE-2022-41255
CVE-2022-41244
Jenkins View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections.
Source: CVE-2022-41244
CVE-2022-41254
Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Source: CVE-2022-41254