Weekly Vulnerabilities Reports > July 25 to 31, 2022

Overview

85 new vulnerabilities were reported during this period, including 10 critical vulnerabilities and 45 high severity vulnerabilities. This weekly summary reports vulnerabilities in 89 products from 32 vendors including Google, Fedoraproject, Debian, Moodle, and Netapp. Vulnerabilities are notably categorized as "Use After Free", "Cross-site Scripting", "Exposure of Resource to Wrong Sphere", "Out-of-bounds Write", and "Improper Input Validation".

  • 80 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability has a public exploit available.
  • 12 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 76 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 54 reported vulnerabilities.
  • Fedoraproject has the most reported critical vulnerabilities, with 3 reported vulnerabilities.


Vulnerability Details

The following tables list the vulnerabilities reported for the period covered by this report:


10 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-07-28 CVE-2021-41556 Squirrel Lang
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution.

10.0
2022-07-28 CVE-2022-2564 Mongoosejs Unspecified vulnerability in Mongoosejs Mongoose

Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.

9.8
2022-07-28 CVE-2022-27612 Synology Classic Buffer Overflow vulnerability in Synology Audio Station

Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in cgi component in Synology Audio Station before 6.5.4-3367 allows remote attackers to execute arbitrary commands via unspecified vectors.

9.8
2022-07-28 CVE-2022-31627 PHP Out-of-bounds Write vulnerability in PHP

In PHP versions 8.1.x below 8.1.8, when fileinfo functions such as finfo_buffer are used, an incorrect patch applied to the third-party code from libmagic may cause an incorrect function to be used to free allocated memory, which may lead to heap corruption.

9.8
2022-07-25 CVE-2022-35649 Moodle
Fedoraproject
Improper Input Validation vulnerability in multiple products

A vulnerability was found in Moodle that occurs due to improper input validation when parsing PostScript code.

9.8
2022-07-25 CVE-2020-7677 Thenify Project
Debian
This affects the package thenify before 3.3.1.
9.8
2022-07-25 CVE-2022-36450 Obsidian Improper Input Validation vulnerability in Obsidian

Obsidian 0.14.x and 0.15.x before 0.15.5 allows obsidian://hook-get-address remote code execution because window.open is used without checking the URL.

9.8
2022-07-25 CVE-2022-36446 Webmin Improper Encoding or Escaping of Output vulnerability in Webmin

software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.

9.8
2022-07-27 CVE-2022-1853 Google Use After Free vulnerability in Google Chrome

Use after free in Indexed DB in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

9.6
2022-07-28 CVE-2022-2010 Google
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

Out of bounds read in compositing in Google Chrome prior to 102.0.5005.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

9.3

45 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-07-28 CVE-2022-2163 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Cast UI and Toolbar in Google Chrome prior to 103.0.5060.134 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via UI interaction.

8.8
2022-07-28 CVE-2022-2294 Google
Fedoraproject
Webkitgtk
Wpewebkit
Apple
Webrtc Project
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-28 CVE-2022-2295 Google
Fedoraproject
Type Confusion vulnerability in multiple products

Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-28 CVE-2022-2296 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via direct UI interactions.

8.8
2022-07-28 CVE-2022-1919 Google Use After Free vulnerability in Google Chrome

Use after free in Codecs in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-28 CVE-2022-2007 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in WebGPU in Google Chrome prior to 102.0.5005.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-28 CVE-2022-2008 Google
Fedoraproject
Double Free vulnerability in multiple products

Double free in WebGL in Google Chrome prior to 102.0.5005.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-28 CVE-2022-2011 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in ANGLE in Google Chrome prior to 102.0.5005.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-28 CVE-2022-2156 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Core in Google Chrome prior to 103.0.5060.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-28 CVE-2022-2157 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Interest groups in Google Chrome prior to 103.0.5060.53 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-28 CVE-2022-2158 Google
Fedoraproject
Type Confusion vulnerability in multiple products

Type confusion in V8 in Google Chrome prior to 103.0.5060.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-28 CVE-2022-2161 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in WebApp Provider in Google Chrome prior to 103.0.5060.53 allowed a remote attacker who convinced the user to engage in specific user interactions to potentially exploit heap corruption via specific UI interactions.

8.8
2022-07-28 CVE-2022-2415 Google Out-of-bounds Write vulnerability in Google Chrome

Heap buffer overflow in WebGL in Google Chrome prior to 103.0.5060.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-27 CVE-2022-1854 Google Use After Free vulnerability in Google Chrome

Use after free in ANGLE in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-27 CVE-2022-1855 Google Use After Free vulnerability in Google Chrome

Use after free in Messaging in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-27 CVE-2022-1856 Google Use After Free vulnerability in Google Chrome

Use after free in User Education in Google Chrome prior to 102.0.5005.61 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension or specific user interaction.

8.8
2022-07-27 CVE-2022-1857 Google Unspecified vulnerability in Google Chrome

Insufficient policy enforcement in File System API in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to bypass file system restrictions via a crafted HTML page.

8.8
2022-07-27 CVE-2022-1859 Google Use After Free vulnerability in Google Chrome

Use after free in Performance Manager in Google Chrome prior to 102.0.5005.61 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-27 CVE-2022-1860 Google Use After Free vulnerability in Google Chrome

Use after free in UI Foundations in Google Chrome on Chrome OS prior to 102.0.5005.61 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via specific user interactions.

8.8
2022-07-27 CVE-2022-1861 Google Use After Free vulnerability in Google Chrome

Use after free in Sharing in Google Chrome on Chrome OS prior to 102.0.5005.61 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via specific user interaction.

8.8
2022-07-27 CVE-2022-1863 Google Use After Free vulnerability in Google Chrome

Use after free in Tab Groups in Google Chrome prior to 102.0.5005.61 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension and specific user interaction.

8.8
2022-07-27 CVE-2022-1864 Google Use After Free vulnerability in Google Chrome

Use after free in WebApp Installs in Google Chrome prior to 102.0.5005.61 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension and specific user interaction.

8.8
2022-07-27 CVE-2022-1865 Google Use After Free vulnerability in Google Chrome

Use after free in Bookmarks in Google Chrome prior to 102.0.5005.61 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension and specific user interaction.

8.8
2022-07-27 CVE-2022-1866 Google Use After Free vulnerability in Google Chrome

Use after free in Tablet Mode in Google Chrome on Chrome OS prior to 102.0.5005.61 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via specific user interactions.

8.8
2022-07-27 CVE-2022-1870 Google Use After Free vulnerability in Google Chrome

Use after free in App Service in Google Chrome prior to 102.0.5005.61 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

8.8
2022-07-27 CVE-2022-1874 Google Incorrect Authorization vulnerability in Google Chrome

Insufficient policy enforcement in Safe Browsing in Google Chrome on Mac prior to 102.0.5005.61 allowed a remote attacker to bypass downloads protection policy via a crafted HTML page.

8.8
2022-07-27 CVE-2022-1876 Google Out-of-bounds Write vulnerability in Google Chrome

Heap buffer overflow in DevTools in Google Chrome prior to 102.0.5005.61 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-26 CVE-2022-1496 Google Use After Free vulnerability in Google Chrome

Use after free in File Manager in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via specific and direct user interaction.

8.8
2022-07-26 CVE-2022-1633 Google Use After Free vulnerability in Google Chrome

Use after free in Sharesheet in Google Chrome on Chrome OS prior to 101.0.4951.64 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via specific user interactions.

8.8
2022-07-26 CVE-2022-1634 Google Use After Free vulnerability in Google Chrome

Use after free in Browser UI in Google Chrome prior to 101.0.4951.64 allowed a remote attacker who had convinced a user to engage in specific UI interaction to potentially exploit heap corruption via specific user interactions.

8.8
2022-07-26 CVE-2022-1635 Google Use After Free vulnerability in Google Chrome

Use after free in Permission Prompts in Google Chrome prior to 101.0.4951.64 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via specific user interactions.

8.8
2022-07-26 CVE-2022-1636 Google Use After Free vulnerability in Google Chrome

Use after free in Performance APIs in Google Chrome prior to 101.0.4951.64 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-26 CVE-2022-1639 Google Use After Free vulnerability in Google Chrome

Use after free in ANGLE in Google Chrome prior to 101.0.4951.64 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-26 CVE-2022-1640 Google Use After Free vulnerability in Google Chrome

Use after free in Sharing in Google Chrome prior to 101.0.4951.64 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-07-26 CVE-2022-1641 Google Use After Free vulnerability in Google Chrome

Use after free in Web UI Diagnostics in Google Chrome on Chrome OS prior to 101.0.4951.64 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via specific user interaction.

8.8
2022-07-26 CVE-2022-33745 XEN
Debian
Fedoraproject
Insufficient TLB flush for x86 PV guests in shadow mode. For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode.
8.8
2022-07-25 CVE-2022-26307 Libreoffice Cleartext Storage of Sensitive Information vulnerability in Libreoffice

LibreOffice supports the storage of passwords for web connections in the user’s configuration database.

8.8
2022-07-28 CVE-2022-30287 Horde
Debian
Cross-Site Request Forgery (CSRF) vulnerability in multiple products

Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class.

8.0
2022-07-26 CVE-2022-29957 Emerson Missing Authentication for Critical Function vulnerability in Emerson Deltav Distributed Control System

The Emerson DeltaV Distributed Control System (DCS) through 2022-04-29 mishandles authentication.

7.8
2022-07-25 CVE-2022-2522 VIM Heap-based Buffer Overflow vulnerability in VIM

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061.

7.8
2022-07-27 CVE-2022-36946 Linux
Debian
Netapp
nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.
7.5
2022-07-25 CVE-2022-34749 Mistune Project
Fedoraproject
In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases.
7.5
2022-07-25 CVE-2022-24992 QR Code Generator Project Path Traversal vulnerability in QR Code Generator Project QR Code Generator

A vulnerability in the component process.php of QR Code Generator v5.2.7 allows attackers to perform directory traversal.

7.5
2022-07-25 CVE-2022-35650 Moodle
Fedoraproject
Improper Input Validation vulnerability in multiple products

A vulnerability was found in Moodle that occurs due to an input validation error when importing lesson questions.

7.5
2022-07-25 CVE-2022-26306 Libreoffice Inadequate Encryption Strength vulnerability in Libreoffice

LibreOffice supports the storage of passwords for web connections in the user’s configuration database.

7.5

30 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-07-29 CVE-2022-34526 Libtiff
Fedoraproject
Netapp
Out-of-bounds Write vulnerability in multiple products

A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit v4.4.0.

6.5
2022-07-28 CVE-2022-2553 Clusterlabs
Debian
Fedoraproject
Improper Authentication vulnerability in multiple products

The authfile directive in the booth config file is ignored, preventing use of authentication in communications from node to node.

6.5
2022-07-28 CVE-2022-2160 Google
Fedoraproject
Exposure of Resource to Wrong Sphere vulnerability in multiple products

Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 103.0.5060.53 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from a user's local files via a crafted HTML page.

6.5
2022-07-27 CVE-2021-46830 Helpsystems Path Traversal vulnerability in Helpsystems Goanywhere Managed File Transfer

A path traversal vulnerability exists within GoAnywhere MFT before 6.8.3 that utilizes self-registration for the GoAnywhere Web Client.

6.5
2022-07-27 CVE-2022-1858 Google Out-of-bounds Read vulnerability in Google Chrome

Out of bounds read in DevTools in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to perform an out of bounds memory read via specific user interaction.

6.5
2022-07-27 CVE-2022-1862 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in Extensions in Google Chrome prior to 102.0.5005.61 allowed an attacker who convinced a user to install a malicious extension to bypass profile restrictions via a crafted HTML page.

6.5
2022-07-27 CVE-2022-1867 Google Improper Input Validation vulnerability in Google Chrome

Insufficient validation of untrusted input in Data Transfer in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to bypass same origin policy via crafted clipboard content.

6.5
2022-07-27 CVE-2022-1868 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in Extensions API in Google Chrome prior to 102.0.5005.61 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted HTML page.

6.5
2022-07-27 CVE-2022-1869 Google Type Confusion vulnerability in Google Chrome

Type Confusion in V8 in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.5
2022-07-27 CVE-2022-1873 Google Exposure of Resource to Wrong Sphere vulnerability in Google Chrome

Insufficient policy enforcement in COOP in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

6.5
2022-07-26 CVE-2022-1497 Google Origin Validation Error vulnerability in Google Chrome

Inappropriate implementation in Input in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to spoof the contents of cross-origin websites via a crafted HTML page.

6.5
2022-07-26 CVE-2022-1500 Google Improper Input Validation vulnerability in Google Chrome

Insufficient data validation in Dev Tools in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to bypass content security policy via a crafted HTML page.

6.5
2022-07-26 CVE-2022-1501 Google Exposure of Resource to Wrong Sphere vulnerability in Google Chrome

Inappropriate implementation in iframe in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

6.5
2022-07-26 CVE-2022-1499 Google Incorrect Authorization vulnerability in Google Chrome

Inappropriate implementation in WebAuthentication in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

6.3
2022-07-28 CVE-2016-3709 Xmlsoft Cross-site Scripting vulnerability in Xmlsoft Libxml2

Possible cross-site scripting vulnerability in libxml after commit 960f0e2.

6.1
2022-07-25 CVE-2022-35651 Moodle
Redhat
Fedoraproject
Cross-site Scripting vulnerability in multiple products

A stored XSS and blind SSRF vulnerability was found in Moodle that occurs due to insufficient sanitization of user-supplied data in the SCORM track details.

6.1
2022-07-25 CVE-2022-35652 Moodle
Fedoraproject
Open Redirect vulnerability in multiple products

An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature.

6.1
2022-07-25 CVE-2022-35653 Moodle
Fedoraproject
Redhat
Cross-site Scripting vulnerability in multiple products

A reflected XSS issue was identified in the LTI module of Moodle.

6.1
2022-07-27 CVE-2022-36879 Linux
Debian
Netapp
An issue was discovered in the Linux kernel through 5.18.14.
5.5
2022-07-26 CVE-2022-29965 Emerson Use of a Broken or Risky Cryptographic Algorithm vulnerability in Emerson products

The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords.

5.5
2022-07-28 CVE-2022-34140 Feehi Cross-site Scripting vulnerability in Feehi CMS 2.1.1

A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.

5.4
2022-07-25 CVE-2022-0594 Shareaholic Incorrect Authorization vulnerability in Shareaholic

The Professional Social Sharing Buttons, Icons & Related Posts WordPress plugin before 9.7.6 does not have a proper authorisation check in one of its AJAX actions, available to unauthenticated (in v < 9.7.5) and author+ (in v9.7.5) users, allowing them to call it and retrieve various information such as the list of active plugins and the versions of PHP, cURL, WP etc.

5.3
2022-07-28 CVE-2022-35882 Gsplugins Cross-site Scripting vulnerability in Gsplugins GS Testimonial Slider

Authenticated (author or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in GS Plugins GS Testimonial Slider plugin <= 1.9.5 at WordPress.

4.8
2022-07-27 CVE-2022-1871 Google Unspecified vulnerability in Google Chrome

Insufficient policy enforcement in File System API in Google Chrome prior to 102.0.5005.61 allowed an attacker who convinced a user to install a malicious extension to bypass file system policy via a crafted HTML page.

4.3
2022-07-27 CVE-2022-1872 Google Unspecified vulnerability in Google Chrome

Insufficient policy enforcement in Extensions API in Google Chrome prior to 102.0.5005.61 allowed an attacker who convinced a user to install a malicious extension to bypass downloads policy via a crafted HTML page.

4.3
2022-07-27 CVE-2022-1875 Google Exposure of Resource to Wrong Sphere vulnerability in Google Chrome

Inappropriate implementation in PDF in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2022-07-27 CVE-2022-36880 Webmin Cross-site Scripting vulnerability in Webmin Usermin

The Read Mail module in Webmin 1.995 and Usermin through 1.850 allows XSS via a crafted HTML e-mail message.

4.3
2022-07-26 CVE-2022-1495 Google Authentication Bypass by Spoofing vulnerability in Google Chrome

Incorrect security UI in Downloads in Google Chrome on Android prior to 101.0.4951.41 allowed a remote attacker to spoof the APK downloads dialog via a crafted HTML page.

4.3
2022-07-26 CVE-2022-1498 Google Exposure of Resource to Wrong Sphere vulnerability in Google Chrome

Inappropriate implementation in HTML Parser in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2022-07-26 CVE-2022-1637 Google Exposure of Resource to Wrong Sphere vulnerability in Google Chrome

Inappropriate implementation in Web Contents in Google Chrome prior to 101.0.4951.64 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3

0 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS