![]() NOTE: this is disputed by the vendor for multiple reasons, e.g., it is inconsistent with CVE ID assignment rules for cloud services, and no product with version V1.0 exists. ** DISPUTED ** HireVue Hiring Platform V1.0 suffers from Use of a Broken or Risky Cryptographic Algorithm. NOTE: the vendor disputes this because the current product behavior, in effect, has XSS_PROTECTION_ENABLED=true in all configurations. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. ** DISPUTED ** A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. The engine is not responsible for validating the input. NOTE: the vendor disputes this because input to the Pebble templating engine is intended to include arbitrary Java code, and thus either the input should not arrive from an untrusted source, or else the application using the engine should apply restrictions to the input. ** DISPUTED ** Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok. NOTE: the vendor's position is that this is a design choice, not a vulnerability. This vulnerability allows authenticated attackers to create and upload their own custom-built firmware and inject malicious code. ** DISPUTED ** Patlite NH-FB v1.46 and below was discovered to contain insufficient firmware validation during the upgrade firmware file upload process. NOTE: a third party states "The described attack cannot be executed as demonstrated." This passcode is only four digits, far below typical length/complexity for a user account's password. ![]() ** DISPUTED ** UBports Ubuntu Touch 16.04 allows the screen-unlock passcode to be used for a privileged shell via Sudo. NOTE: the vendor's position is that the product is not intended for untrusted input. ** DISPUTED ** md2roff 1.9 has a stack-based buffer overflow via a Markdown file, a different vulnerability than CVE-2022-34913.
0 Comments
Leave a Reply. |