Shodan
Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In February 2022
CVE-2022-22916
O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vulnerability via /x_program_center/jaxrs/invoke.
CVSS Score
9.8
EPSS Score
0.902
Published
2022-02-17
CVE-2021-45382
Known exploited
A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file. Note: DIR-810L, DIR-820L, DIR-830L, DIR-826L, DIR-836L, all hardware revisions, have reached their End of Life ("EOL") /End of Service Life ("EOS") Life-Cycle and as such this issue will not be patched.
CVSS Score
9.8
EPSS Score
0.942
Published
2022-02-17
CVE-2021-46314
A Remote Command Execution (RCE) vulnerability exists in HNAP1/control/SetNetworkTomographySettings.php of D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin because backticks can be used for command injection when judging whether it is a reasonable domain name.
CVSS Score
9.8
EPSS Score
0.235
Published
2022-02-17
CVE-2022-22914
An incorrect access control issue in the component FileManager of Ovidentia CMS 6.0 allows authenticated attackers to to view and download content in the upload directory via path traversal.
CVSS Score
7.5
EPSS Score
0.007
Published
2022-02-17
CVE-2022-23646
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default.
CVSS Score
5.9
EPSS Score
0.015
Published
2022-02-17
CVE-2014-8597
A reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.02.07 allows remote attackers to inject arbitrary web script or HTML via the status parameter in the CMS admin panel.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-02-17
CVE-2022-0633
The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.
CVSS Score
6.5
EPSS Score
0.016
Published
2022-02-17
CVE-2022-22912
Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.
CVSS Score
9.8
EPSS Score
0.022
Published
2022-02-17
CVE-2021-46247
The use of a hard-coded cryptographic key significantly increases the possibility encrypted data may be recovered from ASUS CMAX6000 v1.02.00.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-02-17
CVE-2022-0639
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
CVSS Score
6.5
EPSS Score
0.0
Published
2022-02-17


Products
Pricing
Contact Us

Shodan ® - All rights reserved