Security Vulnerabilities - CVEs Published In January 2022
The CaasKit module has a path traversal vulnerability. Successful exploitation of this vulnerability may cause the MeeTime application to be unavailable.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2022-01-10
The package extend2 before 1.0.1 is vulnerable to Prototype Pollution via the extend function due to an unsafe recursive merge.
CVSS Score: 7.3 | EPSS Score: 0.005 | Published: 2022-01-10
All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.
CVSS Score: 9.8 | EPSS Score: 0.006 | Published: 2022-01-10
Users have access to the directory where the installation repair occurs. Since the MS Installer allows regular users to run the repair, an attacker can initiate the installation repair and place a specially crafted EXE in the repair folder which runs with the Check Point Remote Access Client privileges.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2022-01-10
The FANUC R-30iA and R-30iB series controllers are vulnerable to integer coercion errors, which cause the device to crash. A restart is required.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2022-01-10
The FANUC R-30iA and R-30iB series controllers are vulnerable to an out-of-bounds write, which may allow an attacker to remotely execute arbitrary code. INIT START/restore from backup required.
CVSS Score: 7.4 | EPSS Score: 0.004 | Published: 2022-01-10
In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver hosts APIs vulnerable to CSRF. They do not verify incoming requests.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2022-01-10
In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver can be used for clickjacking. This includes the settings page.
CVSS Score: 7.1 | EPSS Score: 0.004 | Published: 2022-01-10
CVE-2021-35247
Known exploited
The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please note: no downstream effect has been detected, as the LDAP servers ignored the improper characters. To ensure proper input validation is completed in all environments, SolarWinds recommends scheduling an update to the latest version of Serv-U.
CVSS Score: 4.3 | EPSS Score: 0.05 | Published: 2022-01-10
SphinxSearch in Sphinx Technologies Sphinx through 3.1.1 allows directory traversal (in conjunction with CVE-2019-14511) because the mysql client can be used for CALL SNIPPETS and load_file operations on a full pathname (e.g., a file in the /etc directory). NOTE: this is unrelated to CMUSphinx.
CVSS Score: 7.5 | EPSS Score: 0.005 | Published: 2022-01-10
Shodan ® - All rights reserved