Security Vulnerabilities - CVEs Published In January 2022
A cross-site scripting (XSS) vulnerability in the Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attacker to inject arbitrary JavaScript code.
CVSS Score: 4.8 | EPSS Score: 0.22 | Published: 2022-01-27
Zabbix 4.0 LTS, 4.2, 4.4, and 5.0 LTS are vulnerable to remote code execution (RCE). Any user with the "Zabbix Admin" role is able to run a custom shell script on the application server in the context of the application user.
CVSS Score: 7.2 | EPSS Score: 0.03 | Published: 2022-01-27
An issue was discovered in Stormshield SNS before 4.2.3 (when the proxy is used). An attacker can saturate the proxy connection table, which results in the proxy denying any new connections.
CVSS Score: 5.3 | EPSS Score: 0.004 | Published: 2022-01-27
Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.
CVSS Score: 4.3 | EPSS Score: 0.0 | Published: 2022-01-27
Single Connect does not perform an authorization check when using the "sc-assigned-credential-ui" module. A remote attacker could exploit this vulnerability to modify users' permissions. The exploitation of this vulnerability might allow a remote attacker to delete permissions from other users without authenticating.
CVSS Score: 5.3 | EPSS Score: 0.001 | Published: 2022-01-27
The fix for bug CVE-2020-9484 introduced a time-of-check, time-of-use (TOCTOU) vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
CVSS Score: 7.0 | EPSS Score: 0.001 | Published: 2022-01-27
Single Connect does not perform an authorization check when using the "log-monitor" module. A remote attacker could exploit this vulnerability to access the logging interface. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2022-01-27
Single Connect does not perform an authorization check when using the "sc-reports-ui" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the data to an external file. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information, including the database credentials. Since the database runs with high privileges, it is possible to execute commands with the attained credentials.
CVSS Score: 8.6 | EPSS Score: 0.004 | Published: 2022-01-27
Single Connect does not perform an authorization check when using the "sc-diagnostic-ui" module. A remote attacker could exploit this vulnerability to access the device information page. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2022-01-27
Cross-site Scripting (XSS) - Stored in Packagist bytefury/crater prior to 6.0.2.
CVSS Score: 7.6 | EPSS Score: 0.003 | Published: 2022-01-27
Shodan ® - All rights reserved