HIGH

LIEF commit 365a16a was discovered to contain a heap-buffer overflow via the function print_binary at /c/macho_reader.c. Commit 0033b6312fd311b2e45e379c04a83d77c1e58578 contains a patch.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-38495
https…

graphql-java before 19.0, 18.3, and 17.4 is vulnerable to Denial of Service. An attacker send a malicious GraphQL query that consumes CPU resources. The fixed versions are 19.0, 18.3, and 17.4.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3773…

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-38638
https://github.com/casdoor/casdoor/issues/1035
https://g…

Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not ta…

rdiffweb prior to 2.4.1 is vulnerable to Improper Restriction of Rendered UI Layers or Frames. This allows attackers to perform clickjacking attacks that can trick victims into performing actions such as entering passwords, liking or deleting posts, an…

The Blink1Control2 application <= 2.2.7 uses weak password encryption and an insecure method of storage. Version 2.2.9 fixes the issue.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-35513
https://github.com/p1ckzi/CVE-2022-35513
https://gith…

DDMAL MEI2Volpiano 0.8.2 is vulnerable to XML External Entity (XXE), leading to a Denial of Service. This occurs due to the usage of the unsafe ‘xml.etree’ library to parse untrusted XML input.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3718…

RosarioSIS Student Information System prior to version 10.1 is vulnerable to Improper Handling of Length Parameter Inconsistency.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-2714
https://github.com/francoisjacquet/rosariosis/commit/4022954c3f…

An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the n…

The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-43565
https://groups.google.com/forum/#!forum/golang-announce
http…