Security Vulnerabilities - CVEs Published In January 2023

Authenticated denial of service
CVSS Score: 6.5 | EPSS Score: 0.006 | Published: 2023-01-26

Unauthenticated denial of service
CVSS Score: 7.5 | EPSS Score: 0.005 | Published: 2023-01-26

A command injection vulnerability in the DDNS service configuration of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to execute code in the context of the root user.
CVSS Score: 6.2 | EPSS Score: 0.006 | Published: 2023-01-26

A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.
CVSS Score: 6.7 | EPSS Score: 0.51 | Published: 2023-01-26

Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.
CVSS Score: 5.3 | EPSS Score: 0.014 | Published: 2023-01-26

All versions of the package vagrant.js are vulnerable to Command Injection via the boxAdd function due to improper input sanitization.
CVSS Score: 7.4 | EPSS Score: 0.007 | Published: 2023-01-26

File existence disclosure vulnerability in NetIQ Identity Manager plugin prior to version 4.8.5 allows an attacker to determine whether a file exists on the filesystem. This issue affects Micro Focus NetIQ Identity Manager versions prior to 4.8.5 on all platforms.
CVSS Score: 1.8 | EPSS Score: 0.003 | Published: 2023-01-26

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).
CVSS Score: 8.1 | EPSS Score: 0.323 | Published: 2023-01-26

Versions of the package onnx before 1.13.0 are vulnerable to Directory Traversal, as the external_data field of the tensor proto can contain a path to a file outside the model's current directory or the user-provided directory, for example "../../../etc/passwd".
CVSS Score: 7.5 | EPSS Score: 0.029 | Published: 2023-01-26

All versions of the package com.bstek.uflo:uflo-core are vulnerable to Remote Code Execution (RCE) in the ExpressionContextImpl class via the jexl.createExpression(expression).evaluate(context); functionality, due to improper user input validation.
CVSS Score: 9.8 | EPSS Score: 0.068 | Published: 2023-01-26

