Security Vulnerabilities - CVEs Published In January 2022
Pexip Infinity before 26 allows remote denial of service because of missing RTMP input validation.
CVSS Score
7.5
EPSS Score
0.004
Published
2022-01-15
A stored cross site scripting (XSS) vulnerability in Checkmk 1.6.0x prior to 1.6.0p19 allows an authenticated remote attacker to inject arbitrary JavaScript via a javascript: URL in a view title.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-01-15
Open Design Alliance Drawings SDK before 2022.12.1 mishandles the loading of JPG files. Unchecked input data from a crafted JPG file leads to memory corruption. An attacker can leverage this vulnerability to execute code in the context of the current process.
CVSS Score
7.8
EPSS Score
0.006
Published
2022-01-15
An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields.
CVSS Score
9.8
EPSS Score
0.929
Published
2022-01-15
CyberArk Endpoint Privilege Manager (EPM) through 11.5.3.328 before 2021-12-20 allows a local user to gain elevated privileges via a Trojan horse Procmon64.exe in the user's Temp directory.
CVSS Score
7.8
EPSS Score
0.001
Published
2022-01-15
China Mobile An Lianbao WF-1 v1.0.1 router web interface through /api/ZRMacClone/mac_addr_clone receives parameters by POST request, and the parameter macType has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands.
CVSS Score
9.8
EPSS Score
0.018
Published
2022-01-15
Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists. This is fixed in 4.6.
CVSS Score
7.5
EPSS Score
0.013
Published
2022-01-15
By passing invalid javascript code where await and yield were called upon non-async and non-generator getter/setter functions, Hermes would invoke generator functions and error out on invalid await/yield positions. This could result in segmentation fault as a consequence of type confusion error, with a low chance of RCE. This issue affects Hermes versions prior to v0.10.0.
CVSS Score
9.8
EPSS Score
0.005
Published
2022-01-15
Spin v6.5.1 was discovered to contain an out-of-bounds write in lex() at spinlex.c.
CVSS Score
5.5
EPSS Score
0.001
Published
2022-01-14
Modex v2.11 was discovered to contain an Use-After-Free vulnerability via the component tcache.
CVSS Score
5.5
EPSS Score
0.001
Published
2022-01-14