Security Vulnerabilities - CVEs Published In March 2022
The matchmaking servers of Bandai Namco FromSoftware Dark Souls III through 2022-03-19 allow remote attackers to send arbitrary push requests to clients via a RequestSendMessageToPlayers request. For example, the ability to send a push message to hundreds of thousands of machines is restricted only on the client side, and can thus be bypassed with a modified client.
CVSS Score: 8.8
EPSS Score: 0.091
Published: 2022-03-20
A buffer overflow in the NRSessionSearchResult parser in Bandai Namco FromSoftware Dark Souls III through 2022-03-19 allows remote attackers to execute arbitrary code via matchmaking servers, a different vulnerability than CVE-2021-34170.
CVSS Score: 9.8
EPSS Score: 0.099
Published: 2022-03-20
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9.
CVSS Score: 8.2
EPSS Score: 0.003
Published: 2022-03-19
A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the threat actor's defined interval, leading to remote code execution, allowing the threat actor to gain filesystem access. In addition, if the router's default credentials aren't rotated or a threat actor discovers valid credentials, remote code execution can be achieved without user interaction.
CVSS Score: 8.8
EPSS Score: 0.046
Published: 2022-03-19
taocms v3.0.2 allows attackers to perform code injection by arbitrarily editing the .htaccess file.
CVSS Score: 9.8
EPSS Score: 0.01
Published: 2022-03-18
Classcms v2.5 and below contains an arbitrary file upload via the component \class\classupload. This vulnerability allows attackers to execute code injection via a crafted .txt file.
CVSS Score: 7.8
EPSS Score: 0.005
Published: 2022-03-18
Contao Managed Edition v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the component php_cli parameter.
CVSS Score: 9.8
EPSS Score: 0.802
Published: 2022-03-18
Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.
CVSS Score: 8.8
EPSS Score: 0.005
Published: 2022-03-18
Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.
CVSS Score: 7.5
EPSS Score: 0.009
Published: 2022-03-18
DCN Firewall DCME-520 was discovered to contain an arbitrary file download vulnerability via the path parameter in the file /audit/log/log_management.php.
CVSS Score: 7.5
EPSS Score: 0.004
Published: 2022-03-18

