Security Vulnerabilities - CVEs Published In April 2022
singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.
CVSS Score
9.1
EPSS Score
0.002
Published
2022-04-08
jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.
CVSS Score
7.0
EPSS Score
0.001
Published
2022-04-08
An Access Control vulnerability exists in D-Link DIR-823G REVA1 1.02B05 (Lastest) via any parameter in the HNAP1 function
CVSS Score
9.8
EPSS Score
0.034
Published
2022-04-07
Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.
CVSS Score
6.1
EPSS Score
0.234
Published
2022-04-07
A Heap-based Buffer Overflow vulnerability exists in JerryScript 2.4.0 and prior versions via an out-of-bounds read in parser_parse_for_statement_start in the js-parser-statm.c file. This issue is similar to CVE-2020-29657.
CVSS Score
9.8
EPSS Score
0.004
Published
2022-04-07
Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. This issue affects: Johnson Controls Metasys All 10 versions versions prior to 10.1.5; All 11 versions versions prior to 11.0.2.
CVSS Score
8.4
EPSS Score
0.002
Published
2022-04-07
Taiwan Secom Dr.ID Access Control system’s login page has a hard-coded credential in the source code. An unauthenticated remote attacker can use the hard-coded credential to acquire partial system information and modify system setting to cause partial disrupt of service.
CVSS Score
7.3
EPSS Score
0.006
Published
2022-04-07
aEnrich a+HRD has inadequate filtering for special characters in URLs. An unauthenticated remote attacker can bypass authentication and perform path traversal attacks to access arbitrary files under website root directory.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-04-07
aEnrich a+HRD has inadequate privilege restrictions, an unauthenticated remote attacker can use the API function to upload and execute malicious scripts to control the system or disrupt service.
CVSS Score
9.8
EPSS Score
0.008
Published
2022-04-07
Host Header injection in password Reset in GitHub repository livehelperchat/livehelperchat prior to 3.97.
CVSS Score
8.8
EPSS Score
0.004
Published
2022-04-07