Security Vulnerabilities - CVEs Published In May 2022
A weak default administrator password for the web interface and serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical or local network access.
CVSS Score: 8.8 | EPSS Score: 0.0 | Published: 2022-05-18
A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account.
CVSS Score: 6.3 | EPSS Score: 0.004 | Published: 2022-05-18
A command injection vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an authenticated user to execute operating system commands by sending a crafted packet to the device.
CVSS Score: 8.0 | EPSS Score: 0.001 | Published: 2022-05-18
A buffer overflow vulnerability in Lenovo Smart Standby Driver prior to version 4.1.50.0 could allow a local attacker to cause denial of service.
CVSS Score: 5.5 | EPSS Score: 0.0 | Published: 2022-05-18
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7.
CVSS Score: 7.5 | EPSS Score: 0.009 | Published: 2022-05-18
The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving user's client perform a variety of actions. This issue could be used in a more sophisticated attack to forge XMPP messages from the server.
CVSS Score: 8.1 | EPSS Score: 0.012 | Published: 2022-05-18
The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting user's Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.
CVSS Score: 5.9 | EPSS Score: 0.002 | Published: 2022-05-18
The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0 fail to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2022-05-18
Tenda AX12 v22.03.01.21_cn was discovered to contain a stack overflow via the lanIp parameter in /goform/AdvSetLanIp.
CVSS Score: 7.5 | EPSS Score: 0.025 | Published: 2022-05-18
In Belkin N300 Firmware 1.00.08, the script located at /setting_hidden.asp, which is accessible before and after configuring the device, exhibits multiple remote command injection vulnerabilities. The following parameters in the [form name] form; [list vulnerable parameters], are not properly sanitized after being submitted to the web interface in a POST request. With specially crafted parameters, it is possible to inject an OS command which will be executed with root privileges, as the web interface, and all processes on the device, run as root.
CVSS Score: 9.8 | EPSS Score: 0.034 | Published: 2022-05-18