Security Vulnerabilities - CVEs Published In March 2022
An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel.
CVSS Score
4.6
EPSS Score
0.008
Published
2022-03-09
Maddy Mail Server is an open source SMTP compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. Users unable to upgrade should manually remove expired accounts via existing filtering mechanisms.
CVSS Score
6.3
EPSS Score
0.001
Published
2022-03-09
An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.
CVSS Score
3.7
EPSS Score
0.009
Published
2022-03-09
An authenticated user can create a link with reflected Javascript code inside it for items’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.
CVSS Score
3.7
EPSS Score
0.01
Published
2022-03-09
An authenticated user can create a link with reflected Javascript code inside it for graphs’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.
CVSS Score
3.7
EPSS Score
0.009
Published
2022-03-09
Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. An attacker must have access to the account password hashes to take advantage of this weakness and can acquire those hashes if they are able to gain access to the PAN-OS software configuration. Fixed versions of PAN-OS software use a secure cryptographic algorithm for account password hashes. This issue does not impact Prisma Access firewalls. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.21; All versions of PAN-OS 9.0; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11; PAN-OS 10.0 versions earlier than PAN-OS 10.0.7.
CVSS Score
4.1
EPSS Score
0.0
Published
2022-03-09
Azure Site Recovery Elevation of Privilege Vulnerability
CVSS Score
6.5
EPSS Score
0.099
Published
2022-03-09
Azure Site Recovery Remote Code Execution Vulnerability
CVSS Score
7.2
EPSS Score
0.071
Published
2022-03-09
Skype Extension for Chrome Information Disclosure Vulnerability
CVSS Score
6.5
EPSS Score
0.025
Published
2022-03-09
Windows Update Stack Elevation of Privilege Vulnerability
CVSS Score
7.0
EPSS Score
0.001
Published
2022-03-09