Security Vulnerabilities - CVEs Published In June 2022
Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the `stable` branch and 2.9.0beta5 on the `beta` and `tests-passed` branches, inviting users on sites that use single sign-on could bypass the `must_approve_users` check and invites by staff are always approved automatically. The issue is patched in Discourse version 2.8.4 on the `stable` branch and version `2.9.0.beta5` on the `beta` and `tests-passed` branches. As a workaround, disable invites or increase `min_trust_level_to_allow_invite` to reduce the attack surface to more trusted users.
CVSS Score
2.6
EPSS Score
0.003
Published
2022-06-07
LibreHealth EHR Base 2.0.0 allows gacl/admin/acl_admin.php return_page XSS.
CVSS Score
6.1
EPSS Score
0.003
Published
2022-06-07
Virtua Cobranca before 12R allows SQL Injection on the login page.
CVSS Score
7.5
EPSS Score
0.777
Published
2022-06-07
WatchGuard Firebox and XTM appliances allow an unauthenticated remote attacker to delete arbitrary files from a limited set of directories on the system. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.
CVSS Score
9.1
EPSS Score
0.011
Published
2022-06-07
Jamf Private Access before 2022-05-16 has Incorrect Access Control, in which an unauthorized user can reach a system in the internal infrastructure, aka WND-44801.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-06-07
A vulnerability classified as problematic has been found in Fast Food Ordering System 1.0. Affected is the file Master.php of the Master List. The manipulation of the argument Description with the input foo "><img src="" onerror="alert(document.cookie)"> leads to cross site scripting. It is possible to launch the attack remotely but it requires authentication. Exploit details have been disclosed to the public.
CVSS Score
3.5
EPSS Score
0.002
Published
2022-06-07
The "Add category" functionality inside the "Global Keywords" menu in "SeedDMS" version 6.0.18 and 5.1.25, is prone to stored XSS which allows an attacker to inject malicious javascript code.
CVSS Score
5.4
EPSS Score
0.008
Published
2022-06-06
SeedDMS 6.0.17 and 5.1.24 are vulnerable to Directory Traversal. The "Remove file" functionality inside the "Log files management" menu does not sanitize user input allowing attackers with admin privileges to delete arbitrary files on the remote system.
CVSS Score
6.5
EPSS Score
0.013
Published
2022-06-06
SeedDMS versions 6.0.18 and 5.1.25 and below are vulnerable to stored XSS. An attacker with admin privileges can inject the payload inside the "Role management" menu and then trigger the payload by loading the "Users management" menu
CVSS Score
4.8
EPSS Score
0.006
Published
2022-06-06
A reflected cross-site scripting (XSS) vulnerability in the login portal of Avantune Genialcloud ProJ - 10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS Score
6.1
EPSS Score
0.005
Published
2022-06-06