Security Vulnerabilities - CVEs Published In January 2022
SoftVibe SARABAN for INFOMA 1.1 allows Unauthenticated unrestricted File Upload, that allows attackers to upload files with any file extension which can lead to arbitrary code execution.
CVSS Score
9.8
EPSS Score
0.021
Published
2022-01-18
Leostream Connection Broker 9.0.40.17 allows administrator to upload and execute Perl code.
CVSS Score
7.2
EPSS Score
0.005
Published
2022-01-18
Leostream Connection Broker 9.0.40.17 allows administrators to conduct directory traversal attacks by uploading z ZIP file that contains a symbolic link.
CVSS Score
4.9
EPSS Score
0.002
Published
2022-01-18
In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API.
CVSS Score
6.1
EPSS Score
0.007
Published
2022-01-18
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.7.
CVSS Score
6.5
EPSS Score
0.0
Published
2022-01-18
SoftVibe SARABAN for INFOMA 1.1 allows SQL Injection.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-01-18
There is a NULL pointer dereference in the syscall open_exec function of Allwinner R818 SoC Android Q SDK V1.0 that could executable a malicious file to cause a system crash.
CVSS Score
7.5
EPSS Score
0.006
Published
2022-01-18
There is a NULL pointer deference in the Allwinner R818 SoC Android Q SDK V1.0 camera driver /dev/cedar_dev that could use the ioctl cmd IOCTL_GET_IOMMU_ADDR to cause a system crash.
CVSS Score
7.5
EPSS Score
0.008
Published
2022-01-18
An incorrect setting of UXN bits within mmu_flags_to_s1_pte_attr lead to privileged executable pages being mapped as executable from an unprivileged context. This can be leveraged by an attacker to bypass executability restrictions of kernel-mode pages from user-mode. An incorrect setting of PXN bits within mmu_flags_to_s1_pte_attr lead to unprivileged executable pages being mapped as executable from a privileged context. This can be leveraged by an attacker to bypass executability restrictions of user-mode pages from kernel-mode. Typically this allows a potential attacker to circumvent a mitigation, making exploitation of potential kernel-mode vulnerabilities easier. We recommend updating kernel beyond commit 7d731b4e9599088ac3073956933559da7bca6a00 and rebuilding.
CVSS Score
9.8
EPSS Score
0.0
Published
2022-01-18
China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRMesh/set_ZRMesh which receives parameters by POST request, and the parameter mesh_enable and mesh_device have a command injection vulnerability. An attacker can use the vulnerability to execute remote commands.
CVSS Score
8.8
EPSS Score
0.039
Published
2022-01-18