Security Vulnerabilities - CVEs Published In March 2022
STMicroelectronics STSAFE-J 1.1.4, J-SAFE3 1.2.5, and J-SIGN sometimes allow attackers to abuse signature verification. This is associated with the ECDSA signature algorithm on the Java Card J-SAFE3 and STSAFE-J platforms exposing a 3.0.4 Java Card API. It is exploitable for STSAFE-J in closed configuration and J-SIGN (when signature verification is activated) but not for J-SAFE3 EPASS BAC and EAC products. It might also impact other products based on the J-SAFE-3 Java Card platform.
CVSS Score
6.2
EPSS Score
0.0
Published
2022-03-04
Mini-Inventory-and-Sales-Management-System is affected by Cross Site Request Forgery (CSRF), where an attacker can update/delete items in the inventory. The attacker must be logged into the application create a malicious file for updating the inventory details and items.
CVSS Score
5.0
EPSS Score
0.001
Published
2022-03-04
There is a stack buffer overflow vulnerability in the formSetPPTPServer function of Tenda-AX3 router V16.03.12.10_CN. The v10 variable is directly retrieved from the http request parameter startIp. Then v10 will be splice to stack by function sscanf without any security check,which causes stack overflow. By POSTing the page /goform/SetPptpServerCfg with proper startIp, the attacker can easily perform remote code execution with carefully crafted overflow data.
CVSS Score
9.8
EPSS Score
0.035
Published
2022-03-04
Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hestiacp prior to 1.5.9.
CVSS Score
3.5
EPSS Score
0.003
Published
2022-03-04
A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS).
CVSS Score
7.5
EPSS Score
0.005
Published
2022-03-04
A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS).
CVSS Score
7.5
EPSS Score
0.005
Published
2022-03-04
OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11.
CVSS Score
10.0
EPSS Score
0.403
Published
2022-03-04
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.10.
CVSS Score
6.6
EPSS Score
0.009
Published
2022-03-04
A flaw was found in htmldoc in v1.9.12. Heap buffer overflow in render_table_row(),in ps-pdf.cxx may lead to arbitrary code execution and denial of service.
CVSS Score
7.8
EPSS Score
0.002
Published
2022-03-03
Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file.
CVSS Score
7.8
EPSS Score
0.001
Published
2022-03-03