Security Vulnerabilities - CVEs Published In September 2022
Missing Access Control vulnerability in PHP Crafts Accommodation System plugin <= 1.0.1 at WordPress.
CVSS Score
7.6
EPSS Score
0.007
Published
2022-09-06
Open Asset Import Library (assimp) commit 3c253ca was discovered to contain a segmentation violation via the component Assimp::XFileImporter::CreateMeshes.
CVSS Score
6.5
EPSS Score
0.003
Published
2022-09-06
tinyexr commit 0647fb3 was discovered to contain a heap-buffer overflow via the component rleUncompress.
CVSS Score
7.8
EPSS Score
0.001
Published
2022-09-06
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
CVSS Score
10.0
EPSS Score
0.825
Published
2022-09-06
Dell BIOS versions contain an Improper Authentication vulnerability. A locally authenticated malicious user could potentially exploit this vulnerability by sending malicious input to an SMI in order to bypass security controls.
CVSS Score
6.1
EPSS Score
0.0
Published
2022-09-06
Dell BIOS contains a race condition vulnerability. A local attacker could exploit this vulnerability by sending malicious input via SMI in order to bypass security checks during SMM.
CVSS Score
6.1
EPSS Score
0.0
Published
2022-09-06
Dell BIOS versions contain a stack-based buffer overflow vulnerability. A local attacker could exploit this vulnerability by sending malicious input via SMI to bypass security checks resulting in arbitrary code execution in SMM.
CVSS Score
7.5
EPSS Score
0.001
Published
2022-09-06
Dell BIOS versions contain an Insecure Automated Optimization vulnerability. A local authenticated malicious user could exploit this vulnerability by sending malicious input via SMI to obtain arbitrary code execution during SMM.
CVSS Score
7.9
EPSS Score
0.0
Published
2022-09-06
Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.35, read only calls between contracts can generate smart contracts results. For example, if contract A calls in read only mode contract B and the called function will make changes upon the contract's B state, the state will be altered for contract B as if the call was not made in the read-only mode. This can lead to some effects not designed by the original smart contracts programmers. This issue was patched in version 1.3.35. There are no known workarounds.
CVSS Score
6.5
EPSS Score
0.004
Published
2022-09-06
Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`, or any not-officially-supported Unix shell; and/or using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For `Dash` only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.
CVSS Score
5.9
EPSS Score
0.006
Published
2022-09-06