Security Vulnerabilities - CVEs Published In March 2022
Xiaohuanxiong v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /app/controller/Books.php.
CVSS Score: 9.8 | EPSS Score: 0.002 | Published: 2022-03-28
74cmsSE v3.4.1 was discovered to contain an arbitrary file read vulnerability via the $url parameter at \index\controller\Download.php.
CVSS Score: 7.5 | EPSS Score: 0.213 | Published: 2022-03-28
ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token).
CVSS Score: 5.3 | EPSS Score: 0.597 | Published: 2022-03-28
ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.
CVSS Score: 9.8 | EPSS Score: 0.056 | Published: 2022-03-28
ImpressCMS before 1.4.3 has plugins/preloads/autologin.php type confusion with resultant Authentication Bypass (!= instead of !==).
CVSS Score: 9.8 | EPSS Score: 0.014 | Published: 2022-03-28
ImpressCMS before 1.4.3 allows libraries/image-editor/image-edit.php image_temp Directory Traversal.
CVSS Score: 8.1 | EPSS Score: 0.141 | Published: 2022-03-28
Clash for Windows v0.19.8 was discovered to allow arbitrary code execution via a crafted payload injected into the Proxies name column.
CVSS Score: 9.8 | EPSS Score: 0.011 | Published: 2022-03-28
CVE-2022-26258 (Known exploited)
D-Link DIR-820L 1.05B03 was discovered to contain a remote command execution (RCE) vulnerability via HTTP POST to get set ccp.
CVSS Score: 9.8 | EPSS Score: 0.894 | Published: 2022-03-28
In D-Link DAP-1360 F1 firmware version <=v6.10 in the "webupg" binary, an attacker can use the "file" parameter to execute arbitrary system commands when the parameter is "name=deleteFile" after being authorized.
CVSS Score: 9.8 | EPSS Score: 0.135 | Published: 2022-03-27
WoWonder The Ultimate PHP Social Network Platform v4.0.0 was discovered to contain an access control issue which allows unauthenticated attackers to arbitrarily change group ID names.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2022-03-27

