Security Vulnerabilities - CVEs Published In January 2022
There is an Out-of-Bound Write in the Allwinner R818 SoC Android Q SDK V1.0 camera driver "/dev/cedar_dev" through ioctl cmd IOCTL_SET_PROC_INFO and IOCTL_COPY_PROC_INFO, which could cause a system crash or EoP.
CVSS Score: 7.5
EPSS Score: 0.008
Published: 2022-01-18
China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRRuleFilter/set_firewall_level which receives parameters by POST request, and the parameter firewall_level has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands.
CVSS Score: 8.8
EPSS Score: 0.039
Published: 2022-01-18
An issue was discovered in Spipu HTML2PDF before 5.2.4. Attackers can trigger deserialization of arbitrary data via the injection of a malicious <link> tag in the converted HTML document.
CVSS Score: 8.8
EPSS Score: 0.004
Published: 2022-01-18
Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.
CVSS Score: 9.1
EPSS Score: 0.386
Published: 2022-01-18
Cross-Site Request Forgery (CSRF) in GitHub repository livehelperchat/livehelperchat prior to 2.0.
CVSS Score: 5.7
EPSS Score: 0.001
Published: 2022-01-18
In Stormshield SSO Agent 2.x before 2.1.1 and 3.x before 3.0.2, the cleartext user password and PSK are contained in the log file of the .exe installer.
CVSS Score: 5.5
EPSS Score: 0.001
Published: 2022-01-17
When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through an XSS or phishing campaign.
CVSS Score: 6.1
EPSS Score: 0.159
Published: 2022-01-17
Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0.
CVSS Score: 7.2
EPSS Score: 0.005
Published: 2022-01-17
IBM FileNet Content Manager 5.5.4, 5.5.6, and 5.5.7 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 212346.
CVSS Score: 6.3
EPSS Score: 0.023
Published: 2022-01-17
managers/views/iframe.js in FuturePress EPub.js before 0.3.89 allows XSS.
CVSS Score: 6.1
EPSS Score: 0.003
Published: 2022-01-17


Shodan ® - All rights reserved