Security Vulnerabilities - CVEs Published In February 2022
CompleteFTPService.exe in the server in EnterpriseDT CompleteFTP before 12.1.4 allows Remote Code Execution by leveraging a Windows user account that has SSH access. The exec command is always run as SYSTEM.
CVSS Score
8.8
EPSS Score
0.228
Published
2022-02-14
A Header Injection vulnerability exists in Compass Plus TranzWare Online FIMI Web Interface Tranzware Online (TWO) 5.3.33.3 F38 and FIMI 4.2.19.4 25.The HTTP host header can be manipulated and cause the application to behave in unexpected ways. Any changes made to the header would just cause the request to be sent to a completely different Domain/IP address. This is due to that the server implicitly trusts the Host header, and fails to validate or escape it properly. An attacker can use this input to redirect target users to a malicious domain/web page. This would result in expanding the potential to further attacks and malicious actions.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-02-14
An Arbitrary File Deletion vulnerability exists in SourceCodester Attendance Management System v1.0 via the csv parameter in admin/pageUploadCSV.php, which can cause a Denial of Service (crash).
CVSS Score
7.5
EPSS Score
0.003
Published
2022-02-14
In galois_2p8 before 0.1.2, PrimitivePolynomialField::new has an off-by-one buffer overflow for a vector.
CVSS Score
9.8
EPSS Score
0.005
Published
2022-02-14
In Malwarebytes Binisoft Windows Firewall Control before 6.8.1.0, programs executed from the Tools tab can be used to escalate privileges.
CVSS Score
7.8
EPSS Score
0.003
Published
2022-02-14
A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-02-14
An Incorrect Access Control vulnerability exists in zzcms 8.2, which lets a malicious user bypass authentication by changing the user name in the cookie to use any password.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-02-14
Missing Authorization in Packagist snipe/snipe-it prior to 5.3.9.
CVSS Score
6.5
EPSS Score
0.003
Published
2022-02-14
Fulusso v1.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in /BindAccount/SuccessTips.js. This vulnerability allows attackers to inject malicious code into a victim user's device via open redirection.
CVSS Score
6.1
EPSS Score
0.001
Published
2022-02-14
IBM Cognos Analytics Mobile for Android applications prior to version 1.1.14 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 215592.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-02-14