Security Vulnerabilities - CVEs Published In January 2023
The File Upload function of EasyTest has insufficient filtering for special characters and file type. A remote attacker authenticated as a general user can upload and execute arbitrary files to manipulate the system or disrupt service.
CVSS Score: 8.8
EPSS Score: 0.007
Published: 2023-01-03
The Download function's parameter of EasyTest has insufficient validation of user input. A remote attacker authenticated as a general user can inject arbitrary SQL commands to access, modify or delete the database.
CVSS Score: 8.8
EPSS Score: 0.008
Published: 2023-01-03
The Administrator function of EasyTest has an Incorrect Authorization vulnerability. A remote attacker authenticated as a general user can exploit this vulnerability to bypass the intended access restrictions, make API function calls, manipulate the system and terminate service.
CVSS Score: 8.8
EPSS Score: 0.003
Published: 2023-01-03
Out-of-bounds write vulnerability in V-SFT v6.1.7.0 and earlier and TELLUS v4.0.12.0 and earlier allows a local attacker to obtain information and/or execute arbitrary code by having a user open a specially crafted image file.
CVSS Score: 7.8
EPSS Score: 0.001
Published: 2023-01-03
ChangingTec ServiSign component has insufficient filtering for special characters in the connection response parameter. An unauthenticated remote attacker can host a malicious website for the component user to access, which triggers command injection and allows the attacker to execute arbitrary system commands to perform arbitrary system operations or disrupt service.
CVSS Score: 8.8
EPSS Score: 0.015
Published: 2023-01-03
ChangingTec ServiSign component has a path traversal vulnerability. An unauthenticated LAN attacker can exploit this vulnerability to bypass authentication and access arbitrary system files.
CVSS Score: 6.5
EPSS Score: 0.006
Published: 2023-01-03
ChangingTec ServiSign component has a path traversal vulnerability due to insufficient filtering for special characters in the DLL file path. An unauthenticated remote attacker can host a malicious website for the component user to access, which triggers the component to load malicious DLL files under an arbitrary file path and allows the attacker to perform arbitrary system operations and disrupt service.
CVSS Score: 8.8
EPSS Score: 0.028
Published: 2023-01-03
The Vitals ESP upload function has a path traversal vulnerability. A remote attacker with general user privileges can exploit this vulnerability to access arbitrary system files.
CVSS Score: 6.5
EPSS Score: 0.007
Published: 2023-01-03
Out-of-bounds read vulnerability in V-SFT v6.1.7.0 and earlier and TELLUS v4.0.12.0 and earlier allows a local attacker to obtain information and/or execute arbitrary code by having a user open a specially crafted image file.
CVSS Score: 7.8
EPSS Score: 0.001
Published: 2023-01-03
Out-of-bounds write vulnerability in V-Server v4.0.12.0 and earlier allows a local attacker to obtain information and/or execute arbitrary code by having a user open a specially crafted project file.
CVSS Score: 7.8
EPSS Score: 0.001
Published: 2023-01-03


Shodan ® - All rights reserved