Security Vulnerabilities - CVEs Published In February 2022
An information exposure through log file vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that logs the cleartext credentials of the connecting GlobalProtect user when authenticating using Connect Before Logon feature. This issue impacts GlobalProtect App 5.2 versions earlier than 5.2.9 on Windows. This issue does not affect the GlobalProtect app on other platforms.
CVSS Score
3.3
EPSS Score
0.001
Published
2022-02-10
A vulnerability in the audit log of Cisco DNA Center could allow an authenticated, local attacker to view sensitive information in clear text. This vulnerability is due to the unsecured logging of sensitive information on an affected system. An attacker with administrative privileges could exploit this vulnerability by accessing the audit logs through the CLI. A successful exploit could allow the attacker to retrieve sensitive information that includes user credentials.
CVSS Score
4.4
EPSS Score
0.001
Published
2022-02-10
A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to improper enforcement of Administrator privilege levels for low-value sensitive data. An attacker with read-only Administrator access to the web-based management interface could exploit this vulnerability by sending a malicious HTTP request to the page that contains the sensitive data. A successful exploit could allow the attacker to collect sensitive information about users of the system and orders that have been placed using the application.
CVSS Score
4.3
EPSS Score
0.003
Published
2022-02-10
CVE-2022-20699
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.
Known exploited
CVSS Score
10.0
EPSS Score
0.888
Published
2022-02-10
In Stormshield 1.1.0, and 2.1.0 through 2.9.0, an attacker can block a client from accessing the VPN and can obtain sensitive information through the SN VPN SSL Client.
CVSS Score
6.1
EPSS Score
0.0
Published
2022-02-10
Stormshield Network Security (SNS) 1.0.0 through 4.2.3 allows a Denial of Service.
CVSS Score
6.5
EPSS Score
0.002
Published
2022-02-10
Stormshield Network Security (SNS) 3.x has an Integer Overflow in the high-availability component.
CVSS Score
5.8
EPSS Score
0.003
Published
2022-02-10
A reflected cross-site-scripting attack in web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to execute code in the device of the victim via sending a specific URL to the unauthenticated victim.
CVSS Score
6.1
EPSS Score
0.004
Published
2022-02-10
A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.
CVSS Score
8.8
EPSS Score
0.02
Published
2022-02-10
In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group members and portfolios created on the site and institution levels can be viewed without requiring a login if the URL to these portfolios is known.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-02-10