Security Vulnerabilities - CVEs Published In May 2022
Windows OS can be configured to overlay a “language bar” on top of any application. When this OS functionality is enabled, the OS language bar UI will be viewable in the browser alongside the AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere applications. It is possible to manipulate the Windows OS language bar to launch an OS command prompt, resulting in a context-escape from application into OS.
CVSS Score: 7.4 | EPSS Score: 0.003 | Published: 2022-05-23
Inout Blockchain AltExchanger 1.2.1 and Inout Blockchain FiatExchanger 2.2.1 allow Chart/TradingView/chart_content/master.php symbol SQL injection.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2022-05-23
Inout Blockchain AltExchanger 1.2.1 allows index.php/coins/update_marketboxslider marketcurrency SQL injection.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2022-05-23
The affected Cognex product, the In-Sight OPC Server versions v5.7.4 (96) and prior, deserializes untrusted data, which could allow a remote attacker access to system level permission commands and local privilege escalation.
CVSS Score: 8.8 | EPSS Score: 0.005 | Published: 2022-05-23
Annke N48PBB (Network Video Recorder) products of version 3.4.106 build 200422 and prior are vulnerable to a stack-based buffer overflow, which allows an unauthorized remote attacker to execute arbitrary code with the same privileges as the server user (root).
CVSS Score: 9.4 | EPSS Score: 0.016 | Published: 2022-05-23
The Simple Blog plugin in WonderCMS 3.4.1 is vulnerable to stored cross-site scripting (XSS). When any user opens a particular blog hosted on an attacker's site, XSS may occur.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2022-05-23
Time of Check - Time of Use (TOCTOU) vulnerability in Quick Heal Total Security prior to 12.1.1.27 allows a local attacker to achieve privilege escalation, potentially leading to deletion of system files. This is achieved by exploiting the time between detecting a file as malicious and performing the quarantine or clean action, and using that time to replace the malicious file with a symlink.
CVSS Score: 7.9 | EPSS Score: 0.0 | Published: 2022-05-23
A DLL hijacking vulnerability in the installer for Quick Heal Total Security prior to 12.1.1.27 allows a local attacker to achieve privilege escalation, leading to execution of arbitrary code, via the installer not restricting the search path for required DLLs and then not verifying the signature of the DLLs it tries to load.
CVSS Score: 7.9 | EPSS Score: 0.001 | Published: 2022-05-23
Certain EMCO Software products are affected by: CWE-494: Download of Code Without Integrity Check. This affects MSI Package Builder for Windows 9.1.4 and Remote Installer for Windows 6.0.13 and Ping Monitor for Windows 8.0.18 and Remote Shutdown for Windows 7.2.2 and WakeOnLan 2.0.8 and Network Inventory for Windows 5.8.22 and Network Software Scanner for Windows 2.0.8 and UnLock IT for Windows 6.1.1. The impact is: execute arbitrary code (remote). The component is: Updater. The attack vector is: To exploit this vulnerability, a user must trigger an update of an affected installation of EMCO Software. Multiple products from EMCO Software are affected by a remote code execution vulnerability during the update process.
CVSS Score: 8.8 | EPSS Score: 0.109 | Published: 2022-05-23
Rescue Dispatch Management System 1.0 is vulnerable to Incorrect Access Control via http://localhost/rdms/admin/?page=system_info.
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2022-05-23

