Security Vulnerabilities - CVEs Published In January 2022
An untrusted search path vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables a local attacker with file creation privilege in the Windows root directory (such as C:\) to store a program that can then be unintentionally executed by another local user when that user utilizes a Live Terminal session. This issue impacts: Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9; Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.4; Cortex XDR agent 7.3 versions earlier than Cortex XDR agent 7.3.2.
CVSS Score: 6.7
EPSS Score: 0.0
Published: 2022-01-12

A local privilege escalation (PE) vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables an authenticated local user to execute programs with elevated privileges. This issue impacts: Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9.
CVSS Score: 7.8
EPSS Score: 0.002
Published: 2022-01-12

ChronoForms 7.0.7 allows fname Directory Traversal to read arbitrary files.
CVSS Score: 2.7
EPSS Score: 0.001
Published: 2022-01-12

ChronoForums 2.0.11 allows av Directory Traversal to read arbitrary files.
CVSS Score: 5.3
EPSS Score: 0.461
Published: 2022-01-12

Unisys ClearPath MCP TCP/IP Networking Services 59.1, 60.0, and 62.0 has an Infinite Loop.
CVSS Score: 7.5
EPSS Score: 0.005
Published: 2022-01-12

MartDevelopers Inc iResturant v1.0 allows Stored XSS by placing a payload in the username field during a login attempt. When an administrator looks at the log of failed logins, the XSS payload will be executed.
CVSS Score: 5.4
EPSS Score: 0.002
Published: 2022-01-12

In Sourcecodetester Printable Staff ID Card Creator System 1.0, after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution.
CVSS Score: 9.8
EPSS Score: 0.032
Published: 2022-01-12

Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote code execution through the updatePersonalizeSettings component due to an improper security patch for CVE-2021-40175.
CVSS Score: 8.8
EPSS Score: 0.078
Published: 2022-01-12

Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote code execution via BCP file overwrite through the ChangeDBAPI component.
CVSS Score: 7.8
EPSS Score: 0.011
Published: 2022-01-12

Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution when updating proxy settings through the Admin ProxySettings and Tenant ProxySettings components.
CVSS Score: 7.2
EPSS Score: 0.046
Published: 2022-01-12

