Tag: #windows

CVE-2022-45329: CVE/search_sql_injection.md at master · rdyx0/CVE

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the Search parameter. This vulnerability allows attackers to access database information.

Tags: #sql #vulnerability #web #windows #apple #php #chrome #webkit
CVE-2022-45307: Vuln/php-weak-permission-vuln.md at main · ycdxsb/Vuln

Insecure permissions in Chocolatey PHP package v8.1.12 and below grant all users in the Authenticated Users group write privileges for the subfolder C:\tools\php81 and all files located in that folder.

CVE-2022-45306: Vuln/azure-pipelines-agent-weak-permission-vuln.md at main · ycdxsb/Vuln

Insecure permissions in Chocolatey Azure-Pipelines-Agent package v2.211.1 and below grant all users in the Authenticated Users group write privileges for the subfolder C:\agent and all files located in that folder.

CVE-2022-45305: Vuln/python3-weak-permission-vuln.md at main · ycdxsb/Vuln

Insecure permissions in Chocolatey Python3 package v3.11.0 and below grant all users in the Authenticated Users group write privileges for the subfolder C:\Python311 and all files located in that folder.

CVE-2022-45304: Vuln/cmder-weak-permission-vuln.md at main · ycdxsb/Vuln

Insecure permissions in Chocolatey Cmder package v1.3.20 and below grant all users in the Authenticated Users group write privileges for the path C:\tools\Cmder and all files located in that folder.

CVE-2022-45301: Vuln/ruby-weak-permission-vuln.md at main · ycdxsb/Vuln

Insecure permissions in Chocolatey Ruby package v3.1.2.1 and below grant all users in the Authenticated Users group write privileges for the path C:\tools\ruby31 and all files located in that folder.

CVE-2022-45223: Web-Based Student Clearance System in PHP Free Source Code v1.0 — Unrestricted input leads to XSS

Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /Admin/add-student.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtfullname parameter.

GHSA-jf2p-4gqj-849g: Temporary File Information Disclosure vulnerability in MPXJ

### Impact

On Unix-like operating systems (not Windows or macOS), MPXJ's use of `File.createTempFile(..)` results in temporary files being created with the permissions `-rw-r--r--`. This means that any other user on the system can read the contents of this file. When MPXJ is reading a type of schedule file which requires the creation of a temporary file or directory, a knowledgeable local user could locate these transient files while they are in use and would then be able to read the schedule being processed by MPXJ.

### Patches

The problem has been patched; MPXJ version 10.14.1 and later includes the necessary changes.

### Workarounds

Setting `java.io.tmpdir` to a directory to which only the user running the application has access will prevent other users from accessing these temporary files.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in https://github.com/joniles/mpxj