Security Vulnerability Disclosures (2022)
A collection of 23 CVEs covering 27 reported vulnerabilities (four reports received no CVE) discovered and responsibly disclosed during Q1 2022 across open-source projects. All vulnerabilities were reported through huntr.com and coordinated with the maintainers for remediation.
Disclaimer: This vulnerability research was conducted as a personal initiative during free time in the first quarter of 2022. The approach employed was generic and exploratory in nature, focusing on common vulnerability patterns across various open-source projects without a specific vulnerability research focus. These findings represent opportunistic discoveries rather than focused, targeted security research.
Summary Statistics
| Metric | Count |
|---|---|
| Total CVEs Assigned | 23 |
| Total Vulnerabilities Reported | 27 |
| Year of Discovery | 2022 |
| Critical Severity (CVSS 9.0+) | 0 |
| High Severity (CVSS 7.0-8.9) | 9 |
| Medium Severity (CVSS 4.0-6.9) | 12 |
| Low Severity (CVSS 0.1-3.9) | 2 |
| Unique Projects Affected | 9 |
Severity Breakdown
🔴 High Severity (9 CVEs)
- Access Control → RCE - CVE-2022-0824 (Webmin)
- Relative Path Traversal → RCE - CVE-2022-1648 (PandoraFMS)
- SQL Injection - CVE-2022-0754 (SuiteCRM)
- Improper Access Control - CVE-2022-0755 (SuiteCRM), CVE-2022-0580 (LibreNMS)
- Improper Authorization - CVE-2022-0587 (LibreNMS), CVE-2022-26310 (PandoraFMS)
- Sensitive Information Exposure - CVE-2022-0588 (LibreNMS)
- CSRF → Privilege Escalation - CVE-2022-26309 (PandoraFMS)
🟠 Medium Severity (12 CVEs)
- Improper Access Control / Authorization - CVE-2022-0829 (Webmin), CVE-2022-0731, CVE-2022-0746 (Dolibarr), CVE-2022-26308 (PandoraFMS), CVE-2022-1223, CVE-2022-1224, CVE-2022-1225 (phpipam), CVE-2022-0756 (SuiteCRM)
- XSS - Stored / Generic - CVE-2022-0575, CVE-2022-0576, CVE-2022-0589 (LibreNMS), CVE-2022-0752 (HestiaCP); plus reports without CVEs in Navigate CMS (reflected) and S-Cart (two stored)
🟡 Low Severity (2 CVEs)
- Reflected XSS - CVE-2022-1226 (phpipam), CVE-2022-0753 (HestiaCP)
Disclosed Vulnerabilities by Vendor
LibreNMS (6 Vulnerabilities, 6 CVEs)
Infrastructure monitoring platform with multiple access control and XSS flaws discovered.
| CVE ID | Vulnerability Type | Severity |
|---|---|---|
| CVE-2022-0575 | XSS - Stored | Medium |
| CVE-2022-0576 | XSS - Generic | Medium |
| CVE-2022-0580 | Improper Access Control | High |
| CVE-2022-0587 | Improper Authorization | High |
| CVE-2022-0588 | Sensitive Information Exposure | High |
| CVE-2022-0589 | XSS - Stored | Medium |
Impact: Authenticated attackers could escalate privileges, view sensitive data (API tokens, credentials), and inject malicious scripts affecting other users.
Links: GitHub
PandoraFMS (4 Vulnerabilities, 4 CVEs)
Monitoring and management platform with authorization and RCE vulnerabilities.
| CVE ID | Vulnerability Type | Severity |
|---|---|---|
| CVE-2022-1648 | Relative Path Traversal → RCE | High |
| CVE-2022-26308 | Improper Access Control (Credential Store) | Medium |
| CVE-2022-26309 | CSRF → User Privilege Escalation | High |
| CVE-2022-26310 | Improper Authorization → Vertical Privesc | High |
Impact: The relative path traversal leads to remote code execution; the authorization flaws let a low-privileged user escalate to a higher role and read the credential store; the CSRF issue lets an attacker elevate a user's privileges through the browser of a logged-in administrator.
Links: GitHub
SuiteCRM (3 Vulnerabilities, 3 CVEs)
Open-source customer relationship management platform with injection and access control issues.
| CVE ID | Vulnerability Type | Severity |
|---|---|---|
| CVE-2022-0754 | SQL Injection | High |
| CVE-2022-0755 | Improper Access Control | High |
| CVE-2022-0756 | Improper Authorization | Medium |
Impact: Unauthenticated SQL injection enables database extraction; access control flaws allow unauthorized data manipulation.
Links: GitHub
phpipam (4 Vulnerabilities, 4 CVEs)
IP address management platform with weak access control and XSS vulnerabilities.
| CVE ID | Vulnerability Type | Severity |
|---|---|---|
| CVE-2022-1223 | Improper Access Control | Medium |
| CVE-2022-1224 | Improper Authorization | Medium |
| CVE-2022-1225 | Incorrect Privilege Assignment | Medium |
| CVE-2022-1226 | XSS - Reflected | Low |
Impact: Normal users could export sensitive data (XLS, MySQL dumps) restricted to administrators; reflected XSS affects other users.
Links: GitHub
Webmin (3 Vulnerabilities, 2 CVEs)
Remote system administration tool with access control bypass leading to RCE.
| CVE ID | Vulnerability Type | Severity |
|---|---|---|
| CVE-2022-0824 | Improper Access Control → RCE | High |
| CVE-2022-0829 | Improper Authorization | Medium |
| (no CVE) | Improper Access Control (File Manager) | High |
Impact: Access control bypass allows authenticated attackers to execute arbitrary commands as root. File manager access control flaw enables unauthorized file operations.
Links: Website
Dolibarr (2 Vulnerabilities, 2 CVEs)
ERP/CRM platform with access control and business logic vulnerabilities.
| CVE ID | Vulnerability Type | Severity |
|---|---|---|
| CVE-2022-0731 | Improper Access Control (IDOR) | Medium |
| CVE-2022-0746 | Business Logic Errors | Medium |
Impact: Insecure Direct Object References (IDOR) allow attackers to access or modify other users’ data; business logic flaws enable unauthorized transactions.
Links: GitHub
HestiaCP (2 Vulnerabilities, 2 CVEs)
Control panel for VPS/server management with XSS vulnerabilities.
| CVE ID | Vulnerability Type | Severity |
|---|---|---|
| CVE-2022-0752 | XSS - Generic | Medium |
| CVE-2022-0753 | XSS - Reflected | Low |
Impact: XSS flaws affect other panel users, potentially stealing sessions or injecting malicious content.
Links: GitHub
Navigate CMS (1 Vulnerability, 0 CVEs)
Content management system with XSS vulnerability.
| CVE ID | Vulnerability Type | Severity |
|---|---|---|
| (no CVE) | XSS - Reflected | Medium |
Impact: Reflected XSS allows attackers to inject malicious scripts that execute in victims’ browsers, potentially stealing sessions or redirecting to phishing sites.
Links: GitHub
S-Cart (2 Vulnerabilities, 0 CVEs)
E-commerce shopping cart platform with stored XSS vulnerabilities across multiple modules.
| CVE ID | Vulnerability Type | Severity |
|---|---|---|
| (no CVE) | XSS - Stored | Medium |
| (no CVE) | XSS - Stored | Medium |
Impact: Stored XSS allows persistent malicious script injection affecting all platform users. Attackers can steal credentials, inject keyloggers, or redirect users to malicious sites.
Links: GitHub
Vulnerability Patterns & Insights
Most Common Vulnerability Types
- Access Control / Authorization Issues - 13 CVEs: improper privilege separation, IDOR, business logic flaws, credential access
- Cross-Site Scripting (XSS) - 6 CVEs plus 3 reports without a CVE (9 vulnerabilities): stored, reflected and generic variants across UI layers
- Remote Code Execution - 2 CVEs: path traversal and access control bypass leading to RCE
- SQL Injection - 1 CVE: direct database query execution
- Sensitive Information Exposure - 1 CVE: API tokens and credentials readable by lower-privileged users
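Access control and authorization issues dominate the list above, and the way they are found is mechanical: take every privileged request an administrator can make and replay it with a low-privileged session, then look for endpoints that answer both the same way. The script below is an added example of that differential check and is not code from huntr or from any of the projects on this page. The endpoint paths, session cookies and the stub `fake_app` target are constructed so that it runs offline; against a real target the `transport` callable would wrap `urllib.request` or `requests`.

```python
"""Privilege-boundary (vertical authorization) differential tester.

Added example for the access-control pattern above; it is not code from
huntr or from any of the projects listed on this page. Each privileged
endpoint is requested twice, once with an administrator session and once
with a low-privileged session, and the two responses are compared. A
low-privileged session that receives the administrator's success response
points at a missing server-side authorization check. The endpoint paths,
session cookies and stub application below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A transport is any callable (method, path, headers) -> (status, body).
# In real use this would wrap urllib.request or requests; here it is stubbed.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


@dataclass
class Finding:
    method: str
    path: str
    admin_status: int
    user_status: int
    verdict: str  # "OK", "SUSPECT" or "INCONCLUSIVE"


def classify(admin: Tuple[int, str], user: Tuple[int, str]) -> str:
    """Compare the admin and low-privileged responses for one endpoint."""
    admin_status, admin_body = admin
    user_status, user_body = user
    if admin_status >= 400:
        return "INCONCLUSIVE"  # admin cannot reach it either; nothing to compare
    if user_status in (401, 403):
        return "OK"            # explicit denial
    if 300 <= user_status < 400:
        return "OK"            # redirect to login/index is the usual PHP-app denial
    if user_status == admin_status and user_body == admin_body:
        return "SUSPECT"       # identical privileged response for the low-priv user
    if user_status < 400:
        return "SUSPECT"       # accepted with a different body; review manually
    return "OK"


def check_privilege_boundary(transport: Transport,
                             endpoints: List[Tuple[str, str]],
                             admin_headers: Dict[str, str],
                             user_headers: Dict[str, str]) -> List[Finding]:
    """Replay every endpoint with both sessions and classify each pair."""
    findings = []
    for method, path in endpoints:
        admin = transport(method, path, admin_headers)
        user = transport(method, path, user_headers)
        findings.append(Finding(method, path, admin[0], user[0], classify(admin, user)))
    return findings


def suspects(findings: List[Finding]) -> List[str]:
    """Endpoints where the low-privileged session got through."""
    return [f"{f.method} {f.path}" for f in findings if f.verdict == "SUSPECT"]


# ---- constructed stand-in target so the example runs offline -------------
ADMIN_COOKIE = "sess=admin-0001"   # constructed value
USER_COOKIE = "sess=user-0002"     # constructed value

ENDPOINTS = [                      # constructed paths, not from any real project
    ("GET", "/admin/users.php"),
    ("GET", "/admin/export.php?type=mysql"),
    ("POST", "/api/v1/devices/1/delete"),
]


def fake_app(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Stub application: two handlers enforce the role, one forgets to."""
    role = {ADMIN_COOKIE: "admin", USER_COOKIE: "user"}.get(headers.get("Cookie", ""))
    if role is None:
        return 302, "Location: /login.php"
    if path == "/admin/users.php":
        return (200, "<table>users</table>") if role == "admin" else (403, "Forbidden")
    if path == "/admin/export.php?type=mysql":
        # Menu entry is hidden from normal users, but the handler never checks the role.
        return 200, "-- MySQL dump\nCREATE TABLE users (...);"
    if path == "/api/v1/devices/1/delete":
        return (200, '{"status":"ok"}') if role == "admin" else (401, "Unauthorized")
    return 404, "Not Found"


if __name__ == "__main__":
    results = check_privilege_boundary(fake_app, ENDPOINTS,
                                       {"Cookie": ADMIN_COOKIE}, {"Cookie": USER_COOKIE})
    for f in results:
        print(f"{f.verdict:12} {f.method} {f.path} admin={f.admin_status} user={f.user_status}")
    print("suspects:", suspects(results))
```

Hiding a menu entry is not authorization; the check must sit in the handler that serves the request. A "SUSPECT" verdict is a lead, not a finding: confirm it by hand, because some endpoints legitimately return 200 with a different, empty body for lower roles.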
Most Affected Vendors
- LibreNMS - 6 vulnerabilities (infrastructure monitoring focus)
- PandoraFMS - 4 vulnerabilities (enterprise monitoring)
- phpipam - 4 vulnerabilities (IP management)
- SuiteCRM - 3 vulnerabilities
- Webmin - 3 vulnerabilities (2 CVEs, 1 unassigned)
- Dolibarr, HestiaCP - 2 vulnerabilities each
- Navigate CMS, S-Cart - 3 vulnerabilities combined (1 and 2 respectively, unassigned)
Vulnerability Distribution by Severity
- High (9 CVEs): RCE (path traversal, access control), SQL injection, credential exposure, privilege escalation, authorization bypass, CSRF
- Medium (12 CVEs): XSS, auth bypass, business logic flaws, credential access
- Low (2 CVEs): Reflected XSS with limited impact
Responsible Disclosure Timeline
All vulnerabilities were:
- Reported via huntr.com’s coordinated disclosure platform
- Tracked with vendor communication and remediation status
- Disclosed only after vendor patches were released or timelines agreed upon
- Published with CVE IDs assigned through the CVE Program (huntr acts as a CVE Numbering Authority)
Resources & References
- Full Profile: https://huntr.com/users/faisalfs10x
- Vulnerability Reporting: huntr.com
- CVE Details: Access individual CVE records on CVE.org by ID
- GitHub Repository: CVE-IDs (proof-of-concept exploits and write-ups, where published)
Methodology
These vulnerabilities were discovered through:
- Source code review - Manual analysis of application code
- Input validation testing - Fuzzing and payload injection
- Access control verification - Privilege boundary testing
- Business logic analysis - Workflow and feature interaction testing
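The "input validation testing" item is where the nine XSS reports above came from. The usual first pass is a reflection probe: send a unique canary wrapped in HTML metacharacters in each parameter and check whether the response echoes it back raw, HTML-encoded, or not at all. The script below is an added example of that probe and is not code from huntr or from any project on this page; the `fake_app` stub and its parameter names are constructed so it runs offline.

```python
"""Reflection canary probe for input-validation testing.

Added example for the input-validation item above; it is not code from
huntr or from any project on this page. For each request parameter it sends
a unique canary wrapped in HTML metacharacters and reports whether the
response echoes it back raw (a reflected-XSS candidate), HTML-encoded
(handled), partially (filtered; review by hand) or not at all. The stub
handler and parameter names below are constructed so the example runs offline.
"""
import html
import secrets
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qsl, urlencode

# A transport is any callable (path, query_string) -> (status, body).
Transport = Callable[[str, str], Tuple[int, str]]


def make_canary() -> str:
    """Unique token so our reflection is not confused with other page content."""
    return "xs" + secrets.token_hex(4)


def classify_reflection(body: str, canary: str) -> str:
    """Decide how the canary tag came back in the response."""
    if f"<{canary}>" in body:
        return "REFLECTED_RAW"       # tag survived intact: XSS candidate
    if f"&lt;{canary}&gt;" in body:
        return "REFLECTED_ENCODED"   # properly HTML-encoded
    if canary in body:
        return "REFLECTED_PARTIAL"   # stripped or mangled: review manually
    return "NOT_REFLECTED"


def probe_param(transport: Transport, path: str,
                base_params: Dict[str, str], param: str) -> str:
    """Send one canary in `param`, keeping the other parameters as-is."""
    canary = make_canary()
    payload = f'"><{canary}>'       # breaks out of a quoted attribute and opens a tag
    params = dict(base_params)
    params[param] = payload
    _status, body = transport(path, urlencode(params))
    return classify_reflection(body, canary)


def probe_all(transport: Transport, path: str, base_params: Dict[str, str]) -> Dict[str, str]:
    """Probe every parameter of a request and return a verdict per name."""
    return {name: probe_param(transport, path, base_params, name) for name in base_params}


# ---- constructed stand-in target so the example runs offline -------------
def fake_app(path: str, query: str) -> Tuple[int, str]:
    """Stub search page: 'q' is escaped, 'page' is echoed raw (constructed flaw)."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    if path != "/search.php":
        return 404, ""
    q = html.escape(params.get("q", ""), quote=True)
    page = params.get("page", "1")
    return 200, (f'<input name="q" value="{q}">'
                 f'<a href="search.php?page={page}">next</a>')


if __name__ == "__main__":
    verdicts = probe_all(fake_app, "/search.php", {"q": "router", "page": "2", "sort": "name"})
    for name, verdict in verdicts.items():
        print(f"{name:6} {verdict}")
```

The canary is a made-up tag name, so it never executes; it only proves that the application writes the parameter into HTML without encoding it. Whether that turns into a working reflected or stored XSS depends on the surrounding context (attribute, text node, script block) and on any Content-Security-Policy, which is what the manual review after a "REFLECTED_RAW" verdict has to establish.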
Findings reflect a commitment to responsible vulnerability disclosure and improving security posture across open-source software.
Last updated: Q1 2022