Security Vulnerabilities - CVEs Published In January 2022
The package juce-framework/juce before 6.1.5 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the ZipFile::uncompressEntry function in juce_ZipFile.cpp. This vulnerability is triggered when the archive is extracted upon calling uncompressTo() on a ZipFile object.
CVSS Score
5.5
EPSS Score
0.007
Published
2022-01-31
This affects the package juce-framework/JUCE before 6.1.5. This vulnerability is triggered when a malicious archive is crafted with an entry containing a symbolic link. When extracted, the symbolic link is followed outside of the target dir allowing writing arbitrary files on the target host. In some cases, this can allow an attacker to execute arbitrary code. The vulnerable code is in the ZipFile::uncompressEntry function in juce_ZipFile.cpp and is executed when the archive is extracted upon calling uncompressTo() on a ZipFile object.
CVSS Score
5.5
EPSS Score
0.001
Published
2022-01-31
Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to 16.0.
CVSS Score
4.1
EPSS Score
0.004
Published
2022-01-31
Alps Alpine Touchpad Driver 10.3201.101.215 is vulnerable to DLL Injection.
CVSS Score
7.8
EPSS Score
0.002
Published
2022-01-31
An issue was discovered in FAUST iServer before 9.0.019.019.7. For each URL request, it accesses the corresponding .fau file on the operating system without preventing %2e%2e%5c directory traversal.
CVSS Score
7.5
EPSS Score
0.897
Published
2022-01-31
In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.
CVSS Score
9.1
EPSS Score
0.0
Published
2022-01-31
The Logs plugin before 3.0.4 for Craft CMS allows remote attackers to read arbitrary files via input to actionStream in Controller.php.
CVSS Score
4.9
EPSS Score
0.081
Published
2022-01-31
xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.
CVSS Score
5.5
EPSS Score
0.001
Published
2022-01-31
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVSS Score
8.4
EPSS Score
0.001
Published
2022-01-30
Use After Free in GitHub repository vim/vim prior to 8.2.
CVSS Score
8.4
EPSS Score
0.002
Published
2022-01-30