Security Vulnerabilities - CVEs Published In March 2022
Improper physical access control and use of hard-coded credentials in /etc/passwd permits an attacker with physical access to obtain a root shell via an unprotected UART port on the device. The same port exposes an unauthenticated Das U-Boot BIOS shell.
CVSS Score: 6.8
EPSS Score: 0.001
Published: 2022-03-10
Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetSysTime. This vulnerability allows attackers to cause a Denial of Service (DoS) via the time parameter.
CVSS Score: 9.8
EPSS Score: 0.007
Published: 2022-03-10
A use after free vulnerability was discovered in PDFTron SDK version 9.2.0. A crafted PDF can overwrite RIP with data previously allocated on the heap. This issue affects: PDFTron PDFTron SDK 9.2.0 on OSX; 9.2.0 on Linux; 9.2.0 on Windows.
CVSS Score: 6.5
EPSS Score: 0.002
Published: 2022-03-10
Improper Protection of Alternate Path vulnerability in the Setup wizard process prior to SMR Mar-2022 Release 1 allows a physical attacker to install packages before the Setup wizard finishes.
CVSS Score: 4.2
EPSS Score: 0.0
Published: 2022-03-10
An improper access control vulnerability in StRetailModeReceiver in Wear OS 3.0 prior to Firmware update MAR-2022 Release allows untrusted applications to reset default app settings without a proper permission.
CVSS Score: 4.4
EPSS Score: 0.002
Published: 2022-03-10
Improper access control vulnerability in the dynamic receiver in ApkInstaller prior to SMR MAR-2022 Release allows unauthorized attackers to execute arbitrary activity without a proper permission.
CVSS Score: 7.9
EPSS Score: 0.0
Published: 2022-03-10
Unprotected Activity in AppLock prior to SMR Mar-2022 Release 1 allows an attacker to change the list of locked apps without authentication.
CVSS Score: 4.1
EPSS Score: 0.0
Published: 2022-03-10
Security misconfiguration of RKP in kernel prior to SMR Mar-2022 Release 1 allows a system not to be protected by RKP.
CVSS Score: 5.9
EPSS Score: 0.0
Published: 2022-03-10
The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to upload, copy, download, or delete an existing configuration (Administrative Services).
CVSS Score: 8.0
EPSS Score: 0.003
Published: 2022-03-10
sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in PHP code execution in /admin/upload/upload.
CVSS Score: 9.8
EPSS Score: 0.026
Published: 2022-03-10