Security Vulnerabilities - CVEs Published In March 2022
Missing Authorization in GitHub repository go-gitea/gitea prior to 1.16.4.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2022-03-10
Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2022-03-10
Static Code Injection in GitHub repository microweber/microweber prior to 1.3.
CVSS Score: 7.7 | EPSS Score: 0.012 | Published: 2022-03-10
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later.
CVSS Score: 7.5 | EPSS Score: 0.019 | Published: 2022-03-10
NULL Pointer Dereference in GitHub repository mruby/mruby prior to 3.2.
CVSS Score: 5.5 | EPSS Score: 0.003 | Published: 2022-03-10
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP Cache.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2022-03-09
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions it is possible to inject code via the voucher code form. This issue has been patched in version 6.4.8.1. There are no known workarounds for this issue.
CVSS Score: 6.1 | EPSS Score: 0.004 | Published: 2022-03-09
Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. Affected versions of Shopware do not properly mark sensitive HTTP headers as non-cacheable. If there is an HTTP cache between the server and client, those headers may be exposed via the HTTP cache. This issue has been resolved in version 6.4.8.2. There are no known workarounds.
CVSS Score: 6.3 | EPSS Score: 0.003 | Published: 2022-03-09
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds.
CVSS Score: 6.8 | EPSS Score: 0.002 | Published: 2022-03-09
Stripe CLI is a command-line tool for the Stripe eCommerce platform. A vulnerability in Stripe CLI exists on Windows when certain commands are run in a directory where an attacker has planted files. The commands are `stripe login`, `stripe config -e`, `stripe community`, and `stripe open`. macOS and Linux are unaffected. An attacker who successfully exploits the vulnerability can run arbitrary code in the context of the current user. The update addresses the vulnerability by throwing an error in these situations before the code can run. Users are advised to upgrade to version 1.7.13. There are no known workarounds for this issue.
CVSS Score: 7.7 | EPSS Score: 0.001 | Published: 2022-03-09
Shodan ® - All rights reserved