Security Vulnerabilities - CVEs Published In July 2022
Allows a remote user to read arbitrary files on the camera's OS as the root user through "GetFileContent.cgi".
CVSS Score: 7.6
EPSS Score: 0.003
Published: 2022-07-18

The server checks the user's cookie in a non-standard way: if a value named status is entered in the cookie and set to true, identification with the system using a username and password is bypassed.
CVSS Score: 5.9
EPSS Score: 0.001
Published: 2022-07-18

Browsing the admin.html page allows the user to reset the admin password. The password also appears in the JS code.
CVSS Score: 6.8
EPSS Score: 0.001
Published: 2022-07-18

Directory listing is a web server function that displays the directory contents when there is no index file in a specific website directory. A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible.
CVSS Score: 5.7
EPSS Score: 0.001
Published: 2022-07-18

Browsing the path http://ip/wifi_ap_pata_get.cmd shows the name of the existing access point on the component and a password in clear text.
CVSS Score: 6.3
EPSS Score: 0.001
Published: 2022-07-18

This vulnerability affects all of the company's products that also include the FW versions: update_i90_cv2.021_b20210104, update_i50_v1.0.55_b20200509, update_x6_v2.1.2_b202001127, update_b5_v2.0.9_b20200706. This vulnerability makes it possible to extract from the FW the existing user passwords on their operating systems and passwords.
CVSS Score: 5.7
EPSS Score: 0.001
Published: 2022-07-18

AnyDesk 7.0.9 allows a local user to gain SYSTEM privileges via a symbolic link because the user can write to their own %APPDATA% folder (used for ad.trace and chat) but the product runs as SYSTEM when writing chat-room data there.
CVSS Score: 7.1
EPSS Score: 0.001
Published: 2022-07-18

ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine.
CVSS Score: 8.2
EPSS Score: 0.015
Published: 2022-07-18

An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The Touch settings allow unrestricted file upload (and consequently Remote Code Execution) via PDF upload with PHP content and a .php extension. The attacker must hijack or obtain privileged user access to the Parameters page in order to exploit this issue. (That can be easily achieved by exploiting the Broken Access Control with further Brute-force attack or SQL Injection.) The uploaded file is stored within the database and copied to the sync web folder if the attacker visits a certain .php?action= page.
CVSS Score: 8.8
EPSS Score: 0.025
Published: 2022-07-18

An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts.
CVSS Score: 5.3
EPSS Score: 0.002
Published: 2022-07-18


Shodan ® - All rights reserved