Security Vulnerability Disclosures (2022)

10 minute read

A collection of 27 vulnerabilities, 23 of which received CVE identifiers, discovered and responsibly disclosed during Q1 2022 across nine open-source projects. All were reported through huntr.com and coordinated with the maintainers for remediation.

Disclaimer: This vulnerability research was conducted as a personal initiative during free time in the first quarter of 2022. The approach employed was generic and exploratory in nature, focusing on common vulnerability patterns across various open-source projects without a specific vulnerability research focus. These findings represent opportunistic discoveries rather than focused, targeted security research.

Summary Statistics

Metric                           Count
Total CVEs Assigned              23
Total Vulnerabilities Reported   27
Year of Discovery                2022
Critical Severity (CVSS 9.0+)    0
High Severity (CVSS 7.0-8.9)     9
Medium Severity (CVSS 4.0-6.9)   12
Low Severity (CVSS 0.1-3.9)      2
Unique Vendors Affected          9

The severity rows count CVEs only; the four findings without a CVE (one in Webmin, one in Navigate CMS, two in S-Cart) are not included in them.

Severity Breakdown

🔴 High Severity (9 CVEs)

  • Access Control → RCE - CVE-2022-0824 (Webmin)
  • Relative Path Traversal → RCE - CVE-2022-1648 (PandoraFMS)
  • SQL Injection - CVE-2022-0754 (SuiteCRM)
  • Improper Access Control - CVE-2022-0755 (SuiteCRM), CVE-2022-0580 (LibreNMS)
  • Improper Authorization - CVE-2022-0587 (LibreNMS), CVE-2022-26310 (PandoraFMS)
  • Sensitive Information Exposure - CVE-2022-0588 (LibreNMS)
  • CSRF → Privilege Escalation - CVE-2022-26309 (PandoraFMS)

🟠 Medium Severity (12 CVEs)

  • Improper Access Control / Authorization - CVE-2022-0829 (Webmin), CVE-2022-0731, CVE-2022-0746 (Dolibarr), CVE-2022-0576 (LibreNMS), CVE-2022-26308 (PandoraFMS), CVE-2022-1223, CVE-2022-1224, CVE-2022-1225 (phpipam), CVE-2022-0756 (SuiteCRM)
  • XSS - Stored / Generic - CVE-2022-0752 (HestiaCP), CVE-2022-0575, CVE-2022-0589 (LibreNMS); also one reflected XSS in Navigate CMS and two stored XSS in S-Cart, all without a CVE

🟡 Low Severity (2 CVEs)

  • Reflected XSS - CVE-2022-0753 (HestiaCP), CVE-2022-1226 (phpipam)

Disclosed Vulnerabilities by Vendor

LibreNMS (6 Vulnerabilities, 6 CVEs)

Infrastructure monitoring platform with multiple access control and XSS flaws discovered.

CVE ID          Vulnerability Type               Severity
CVE-2022-0575   XSS - Stored                     Medium
CVE-2022-0576   Improper Access Control          Medium
CVE-2022-0580   Improper Access Control          High
CVE-2022-0587   Improper Authorization           High
CVE-2022-0588   Sensitive Information Exposure   High
CVE-2022-0589   XSS - Stored                     Medium

Impact: Authenticated attackers could escalate privileges, view sensitive data (API tokens, credentials), and inject malicious scripts affecting other users.

Links: GitHub


PandoraFMS (4 Vulnerabilities, 4 CVEs)

Monitoring and management platform with authorization and RCE vulnerabilities.

CVE ID           Vulnerability Type                           Severity
CVE-2022-1648    Relative Path Traversal → RCE                High
CVE-2022-26308   Improper Access Control (Credential Store)   Medium
CVE-2022-26309   CSRF → User Privilege Escalation             High
CVE-2022-26310   Improper Authorization → Vertical Privesc    High

Impact: The relative path traversal leads to remote code execution on the server. The authorization flaws let a low-privileged user escalate to a higher role and read the stored credentials, and the CSRF flaw lets an attacker raise an account's privileges by getting a logged-in administrator to issue the forged request.
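The mechanism behind a "relative path traversal → RCE" finding is worth seeing in code. The following is an added example, not code from PandoraFMS or any other project on this page: it models the usual handler shape (a client-supplied file name joined onto a trusted directory), shows where the naive version ends up writing, and gives the containment and extension checks that close it. BASE_DIR, ALLOWED_EXT and the sample names are assumptions made for the example.

```python
import posixpath

# Added example; not code from PandoraFMS or any project on this page. It models
# the handler shape behind most relative path traversal findings: the client
# supplies a file name, the server joins it onto a trusted directory, and "../"
# segments walk out of that directory. If the destination is inside a web-served
# tree and the name ends in .php, the traversal becomes remote code execution.
# BASE_DIR and ALLOWED_EXT are assumptions for the example.

BASE_DIR = "/var/www/html/uploads"      # hypothetical upload directory
ALLOWED_EXT = {".csv", ".txt", ".png"}  # hypothetical extension allowlist


def vulnerable_target(filename: str) -> str:
    """Naive join, shown as the kernel would resolve it (normpath stands in
    for the filesystem collapsing '..'). The client-controlled name is
    trusted as-is, so '../' and absolute names both escape BASE_DIR."""
    return posixpath.normpath(posixpath.join(BASE_DIR, filename))


def escapes_base(filename: str) -> bool:
    """True if the resolved destination is not strictly inside BASE_DIR.

    posixpath.join discards BASE_DIR entirely when filename is absolute, so the
    check must be made on the joined result, not on the input. normpath is
    lexical (no filesystem access), so this runs offline; on a real server
    resolve with os.path.realpath as well so symlinks cannot re-open the escape.
    """
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, filename))
    return not resolved.startswith(BASE_DIR.rstrip("/") + "/")


def safe_target(filename: str) -> str:
    """Hardened form: reject traversal first, then enforce the extension
    allowlist, because a .php dropped *inside* the upload directory is still
    code execution whenever that directory is served by the web server."""
    if escapes_base(filename):
        raise ValueError(f"path traversal rejected: {filename!r}")
    if posixpath.splitext(filename)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {filename!r}")
    return posixpath.normpath(posixpath.join(BASE_DIR, filename))


def audit(filenames):
    """Return (name, naive_resolved_path, safe_path_or_None) per candidate."""
    results = []
    for name in filenames:
        try:
            safe = safe_target(name)
        except ValueError:
            safe = None
        results.append((name, vulnerable_target(name), safe))
    return results


# Constructed attacker inputs; none are taken from the advisory.
SAMPLE_NAMES = [
    "report.csv",            # legitimate
    "sub/../report.csv",     # '..' that stays inside BASE_DIR: acceptable
    "../../shell.php",       # resolves to /var/www/shell.php: RCE if served
    "/tmp/evil.txt",         # absolute name: join() drops BASE_DIR entirely
    "..\\..\\shell.php",     # backslashes are not separators on POSIX, so it
                             # stays inside BASE_DIR, but it is still a .php
    "",                      # empty name resolves to the directory itself
]

if __name__ == "__main__":
    for name, naive, safe in audit(SAMPLE_NAMES):
        print(f"{name!r:22} naive -> {naive:36} safe -> {safe}")
```

Two points the sample names make: an absolute name defeats a check done on the input string rather than on the joined result, because join() silently drops the base directory; and a name that stays inside the upload directory is not necessarily harmless, which is why the extension allowlist sits next to the containment check rather than replacing it.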

Links: GitHub


SuiteCRM (3 Vulnerabilities, 3 CVEs)

Open-source customer relationship management platform with injection and access control issues.

CVE ID          Vulnerability Type        Severity
CVE-2022-0754   SQL Injection             High
CVE-2022-0755   Improper Access Control   High
CVE-2022-0756   Improper Authorization    Medium

Impact: Unauthenticated SQL injection enables database extraction; access control flaws allow unauthorized data manipulation.

Links: GitHub


phpipam (4 Vulnerabilities, 4 CVEs)

IP address management platform with weak access control and XSS vulnerabilities.

CVE ID          Vulnerability Type               Severity
CVE-2022-1223   Improper Access Control          Medium
CVE-2022-1224   Improper Authorization           Medium
CVE-2022-1225   Incorrect Privilege Assignment   Medium
CVE-2022-1226   XSS - Reflected                  Low

Impact: Normal users could export sensitive data (XLS, MySQL dumps) restricted to administrators; reflected XSS affects other users.

Links: GitHub


Webmin (3 Vulnerabilities, 2 CVEs)

Remote system administration tool with access control bypass leading to RCE.

CVE ID          Vulnerability Type                       Severity
CVE-2022-0824   Improper Access Control → RCE            High
CVE-2022-0829   Improper Authorization                   Medium
(no CVE)        Improper Access Control (File Manager)   High

Impact: Access control bypass allows authenticated attackers to execute arbitrary commands as root. File manager access control flaw enables unauthorized file operations.

Links: Website


Dolibarr (2 Vulnerabilities, 2 CVEs)

ERP/CRM platform with access control and business logic vulnerabilities.

CVE ID          Vulnerability Type               Severity
CVE-2022-0731   Improper Access Control (IDOR)   Medium
CVE-2022-0746   Business Logic Errors            Medium

Impact: Insecure Direct Object References (IDOR) allow attackers to access or modify other users’ data; business logic flaws enable unauthorized transactions.

Links: GitHub


HestiaCP (2 Vulnerabilities, 2 CVEs)

Control panel for VPS/server management with XSS vulnerabilities.

CVE ID          Vulnerability Type   Severity
CVE-2022-0752   XSS - Generic        Medium
CVE-2022-0753   XSS - Reflected      Low

Impact: XSS flaws affect other panel users, potentially stealing sessions or injecting malicious content.

Links: GitHub


Navigate CMS (1 Vulnerability, 0 CVEs)

Content management system with a reflected XSS vulnerability.

CVE ID          Vulnerability Type   Severity
(no CVE)        XSS - Reflected      Medium

Impact: Reflected XSS allows attackers to inject malicious scripts that execute in victims’ browsers, potentially stealing sessions or redirecting to phishing sites.

Links: GitHub


S-Cart (2 Vulnerabilities, 0 CVEs)

E-commerce shopping cart platform with stored XSS vulnerabilities across multiple modules.

CVE ID          Vulnerability Type   Severity
(no CVE)        XSS - Stored         Medium
(no CVE)        XSS - Stored         Medium

Impact: Stored XSS allows persistent malicious script injection affecting all platform users. Attackers can steal credentials, inject keyloggers, or redirect users to malicious sites.

Links: GitHub


Vulnerability Patterns & Insights

Most Common Vulnerability Types

  1. Access Control / Authorization Issues - 13 CVEs: improper privilege separation, IDOR, business logic flaws, credential access

  2. Cross-Site Scripting (XSS) - 5 CVEs plus 3 findings without a CVE (8 vulnerabilities): stored, reflected, and generic XSS across UI layers

  3. Remote Code Execution - 2 CVEs: path traversal and access control bypass leading to RCE

  4. SQL Injection - 1 CVE: direct manipulation of database queries

Most Affected Vendors

  • LibreNMS - 6 vulnerabilities (infrastructure monitoring focus)
  • PandoraFMS - 4 vulnerabilities (enterprise monitoring)
  • phpipam - 4 vulnerabilities (IP management)
  • SuiteCRM - 3 vulnerabilities
  • Webmin - 3 vulnerabilities (2 CVEs, 1 unassigned)
  • Dolibarr, HestiaCP - 2 vulnerabilities each
  • Navigate CMS, S-Cart - 3 vulnerabilities combined (1 and 2 respectively, unassigned)

Vulnerability Distribution by Severity

  • High (9 CVEs): RCE (path traversal, access control), SQL injection, credential exposure, privilege escalation, authorization bypass, CSRF
  • Medium (12 CVEs): XSS, auth bypass, business logic flaws, credential access
  • Low (2 CVEs): Reflected XSS with limited impact

Responsible Disclosure Timeline

All vulnerabilities were:

  1. Reported via huntr.com’s coordinated disclosure platform
  2. Tracked with vendor communication and remediation status
  3. Disclosed only after vendor patches were released or timelines agreed upon
  4. Published with CVE assignment following MITRE standards

Resources & References

  • Full Profile: https://huntr.com/users/faisalfs10x
  • Vulnerability Reporting: huntr.com
  • CVE Details: Access individual CVE records on CVE.org by ID
  • GitHub Repository: CVE-IDs - Proof-of-concept exploits and write-ups (if any)

Methodology

These vulnerabilities were discovered through:

  • Source code review - Manual analysis of application code
  • Input validation testing - Fuzzing and payload injection
  • Access control verification - Privilege boundary testing
  • Business logic analysis - Workflow and feature interaction testing
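Since access control and authorization flaws make up more than half of the CVEs above, the "privilege boundary testing" step deserves a concrete form. The following is an added example, not code from this page or from any of the projects it lists: a differential check that replays each request as an administrator, as a normal user and without a session, and reports every endpoint where a caller who should be refused gets a response identical to the administrator's. The target is a hypothetical in-memory application with deliberate bugs of the kinds catalogued above (an export that only checks for a session, and an IDOR on user profiles); the endpoints, identities and expected-access table are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Added example; not code from this page or from any of the projects it lists.
# It models the "privilege boundary testing" step: replay one request as an
# admin, as a normal user and anonymously, and flag every endpoint where a
# caller who should be refused gets the same response the admin got. The
# application below is a hypothetical mock with deliberate bugs of the kinds
# catalogued on this page (an export reachable by any logged-in user, an IDOR).


@dataclass(frozen=True)
class Request:
    method: str
    path: str


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Identity name -> role the mock application sees (None = no session).
IDENTITIES: Dict[str, Optional[str]] = {"admin": "admin", "user": "user", "anon": None}

# The oracle: which identities are *supposed* to be allowed per endpoint.
# The normal user is assumed to be user id 7, so /users/5 is not theirs.
EXPECTED: Dict[str, Set[str]] = {
    "/export/xls": {"admin"},
    "/export/sql": {"admin"},
    "/users/5": {"admin"},
    "/users/7": {"admin", "user"},
    "/dashboard": {"admin", "user"},
}


def mock_app(req: Request, role: Optional[str]) -> Response:
    """Hypothetical target. Two checks are deliberately wrong (see comments)."""
    if role is None:
        return Response(302, "redirect:/login")
    if req.path == "/export/xls":
        if role != "admin":
            return Response(403, "forbidden")
        return Response(200, "xls-bytes")
    if req.path == "/export/sql":
        # BUG: only a session is required; a normal user gets the full dump.
        return Response(200, "mysql-dump")
    if req.path.startswith("/users/"):
        # BUG: no ownership check; any logged-in user can read any profile.
        return Response(200, "profile:" + req.path.rsplit("/", 1)[1])
    if req.path == "/dashboard":
        return Response(200, "dashboard:" + role)
    return Response(404, "not found")


Finding = Tuple[str, str, str]  # (identity, method, path)


def privilege_boundary_test(
    app: Callable[[Request, Optional[str]], Response],
    requests: List[Request],
    expected: Dict[str, Set[str]],
) -> List[Finding]:
    """Differential access-control check.

    The admin response is the baseline for each request; any identity that is
    not in the expected set for that path but receives an identical status and
    body is reported. Allowed identities are skipped, so a user seeing their
    own profile or dashboard is not a finding. Unknown paths default to
    admin-only, which errs on the side of reporting.
    """
    findings: List[Finding] = []
    for req in requests:
        baseline = app(req, IDENTITIES["admin"])
        allowed = expected.get(req.path, {"admin"})
        for ident, role in IDENTITIES.items():
            if ident == "admin" or ident in allowed:
                continue
            resp = app(req, role)
            if (resp.status, resp.body) == (baseline.status, baseline.body):
                findings.append((ident, req.method, req.path))
    return findings


# Constructed request list; in practice this comes from a crawl or a proxy log
# recorded while using the application as an administrator.
REQUESTS = [Request("GET", p) for p in EXPECTED]


def run_demo() -> List[Finding]:
    return privilege_boundary_test(mock_app, REQUESTS, EXPECTED)


if __name__ == "__main__":
    for ident, method, path in run_demo():
        print(f"[!] {ident} receives the admin response for {method} {path}")
```

Against the mock, the two reported findings are the normal user reaching /export/sql and /users/5; the anonymous identity is redirected everywhere and so never matches the baseline. Against a real application the exact-equality comparison should be relaxed to ignore dynamic content such as CSRF tokens and timestamps, and the expected-access table is the part that takes the most care to build, since it encodes what the product's documentation says each role may do.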

Findings reflect a commitment to responsible vulnerability disclosure and improving security posture across open-source software.


Last updated: Q1 2022