Security Vulnerabilities - CVEs Published In January 2022
ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists.
CVSS Score
5.3
EPSS Score
0.18
Published
2022-01-03
ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password policy for another domain by authenticating to the service and then sending a request specifying the password policy file of the other domain.
CVSS Score
4.3
EPSS Score
0.003
Published
2022-01-03
The Hilinksvc service has a Data Processing Errors vulnerability. Successful exploitation of this vulnerability may cause an application crash.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-01-03
A NULL pointer dereference in the main() function of dhry_1.c in dhrystone 2.1 causes a denial of service (DoS).
CVSS Score
7.5
EPSS Score
0.003
Published
2022-01-03
Invalid input sanitizing leads to reflected Cross Site Scripting (XSS) in ASUS RT-AC52U_B1 3.0.0.4.380.10931, which can lead to a user session hijack.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-01-03
openwhyd is vulnerable to Improper Authorization.
CVSS Score
8.6
EPSS Score
0.001
Published
2022-01-03
TLR-2005KSH is affected by an incorrect access control vulnerability. The PUT method is enabled, so an attacker can upload arbitrary files, including HTML and CGI formats.
CVSS Score
9.8
EPSS Score
0.936
Published
2022-01-03
The OMGF | Host Google Fonts Locally WordPress plugin before 4.5.12 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin.
CVSS Score
4.9
EPSS Score
0.004
Published
2022-01-03
The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape the backup_timestamp and job_id parameters before outputting them back in admin pages, leading to Reflected Cross-Site Scripting issues.
CVSS Score
6.1
EPSS Score
0.003
Published
2022-01-03
The Speed Booster Pack ⚡ PageSpeed Optimization Suite WordPress plugin before 4.3.3.1 does not escape the sbp_convert_table_name parameter before using it in a SQL statement to convert the related table, leading to an SQL injection.
CVSS Score
7.2
EPSS Score
0.005
Published
2022-01-03

