Security Vulnerabilities - CVEs Published In February 2022
A Null Pointer Dereference vulnerability exists in GPAC 1.1.0 via the xtra_box_write function in /box_code_base.c, which causes a Denial of Service. This vulnerability was fixed in commit 71f9871.
CVSS Score
5.5
EPSS Score
0.001
Published
2022-02-04
Remote Code Execution in cominput.jsp and comoutput.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to inject and execute arbitrary system commands via the unsanitized user-controlled "command" and "commandvalues" parameters.
CVSS Score
9.8
EPSS Score
0.142
Published
2022-02-04
Account Hijacking in /northstar/Admin/changePassword.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote authenticated users to change the password of any targeted user accounts via lack of proper authorization in the user-controlled "userID" parameter of the HTTP POST request.
CVSS Score
6.5
EPSS Score
0.002
Published
2022-02-04
Directory traversal in /northstar/filemanager/download.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to download arbitrary files, including JSP source code, across the filesystem of the host of the web application.
CVSS Score
7.5
EPSS Score
0.012
Published
2022-02-04
Systemic Insecure Permissions in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to use various functionalities without authentication.
CVSS Score
9.8
EPSS Score
0.014
Published
2022-02-04
Cleartext Transmission of Sensitive Information in /northstar/Admin/login.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote local user to intercept users' credentials transmitted in cleartext over HTTP.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-02-04
A Cross Site Scripting (XSS) vulnerability exists in Codex before 1.4.0 via the Notebook/Page name field, which allows malicious users to execute arbitrary code via a crafted http code in a .json file.
CVSS Score
6.1
EPSS Score
0.013
Published
2022-02-04
The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root.
CVSS Score
8.8
EPSS Score
0.039
Published
2022-02-04
An incorrect check in the component cdr.php of Voipmonitor GUI before v24.96 allows unauthenticated attackers to escalate privileges via a crafted request.
CVSS Score
9.8
EPSS Score
0.029
Published
2022-02-04
A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
CVSS Score
9.8
EPSS Score
0.909
Published
2022-02-04

