Security Vulnerabilities - CVEs Published In April 2022
An attacker can gain knowledge of a session temporary working folder where the getfile and putfile commands are used in MDT AutoSave versions prior to v6.02.06. An attacker can leverage this knowledge to provide a malicious command to the working directory where the read and write activity can be initiated.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-04-01
An attacker could decipher the encryption and gain access to MDT AutoSave versions prior to v6.02.06.
CVSS Score
7.5
EPSS Score
0.001
Published
2022-04-01
An attacker could utilize a function in MDT AutoSave versions prior to v6.02.06 that permits changing a designated path to another path and traversing the directory, allowing the replacement of an existing file with a malicious file.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-04-01
An attacker could utilize SQL commands to create a new user in MDT AutoSave versions prior to v6.02.06 and update the user’s permissions, granting the attacker the ability to log in.
CVSS Score
9.8
EPSS Score
0.002
Published
2022-04-01
A function in MDT AutoSave versions prior to v6.02.06 is used to retrieve system information for a specific process, and this information collection executes multiple commands and summarizes the information into an XML. This function and the subsequent process give the full path to the executable and are therefore vulnerable to binary hijacking.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-04-01
Rockwell Automation FactoryTalk Services Platform v6.11 and earlier, if FactoryTalk Security is enabled and deployed, contains a vulnerability that may allow a remote, authenticated attacker to bypass FactoryTalk Security policies based on the computer name. If successfully exploited, this may allow an attacker to have the same privileges as if they were logged on to the client machine.
CVSS Score
8.5
EPSS Score
0.0
Published
2022-04-01
A getfile function in MDT AutoSave versions prior to v6.02.06 enables a user to supply an optional parameter, resulting in the processing of a request in a special manner. This can result in the execution of an unzip command, allowing an attacker to place a malicious .exe file in one of the locations the function looks in and gain execution capabilities.
CVSS Score
7.5
EPSS Score
0.004
Published
2022-04-01
Two buffer overflows in the built-in web server in Moxa NPort IAW5000A-I/O Series firmware version 2.2 or earlier may allow a remote attacker to cause a denial-of-service condition.
CVSS Score
7.5
EPSS Score
0.009
Published
2022-04-01
Data can be copied without validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier, which may allow a remote attacker to cause denial-of-service conditions.
CVSS Score
7.5
EPSS Score
0.008
Published
2022-04-01
It was observed that when logging in to the Business-central console, the HTTP request discloses sensitive information such as the username and password when intercepted using a tool such as Burp Suite.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-04-01

