Security Vulnerabilities - CVEs Published In June 2022
In Real Player 20.0.7.309 and 20.0.8.310, external::Import() allows download of arbitrary file types and Directory Traversal, leading to Remote Code Execution. This occurs because it is possible to plant executables in the startup folder (DLL planting could also occur).
CVSS Score
9.8
EPSS Score
0.041
Published
2022-06-03
In Real Player 20.0.8.310, there is a DCP:// URI Remote Arbitrary Code Execution Vulnerability. This is an internal URL Protocol used by Real Player to reference a file that contains an URL. It is possible to inject script code to arbitrary domains. It is also possible to reference arbitrary local files.
CVSS Score
9.6
EPSS Score
0.027
Published
2022-06-03
qDecoder before 12.1.0 does not ensure that the percent character is followed by two hex digits for URL decoding.
CVSS Score
5.3
EPSS Score
0.005
Published
2022-06-03
adbyby v2.7 allows external users to make connections via port 8118. This can cause a program logic error and lead to a Denial of Service (DoS) via high CPU usage due to a large number of connections.
CVSS Score
6.5
EPSS Score
0.003
Published
2022-06-03
eG Agent before 7.2 has weak file permissions that enable escalation of privileges to SYSTEM.
CVSS Score
7.8
EPSS Score
0.0
Published
2022-06-02
A CWE-20: Improper Input Validation vulnerability exists that could cause potential remote code execution when an attacker is able to intercept and modify a request on the same network or has configuration access to an ION device on the network. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)
CVSS Score
8.0
EPSS Score
0.011
Published
2022-06-02
A CWE-20: Improper Input Validation vulnerability exists that could allow the product to be maliciously manipulated when the user is tricked into performing certain actions on a webpage. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)
CVSS Score
6.5
EPSS Score
0.002
Published
2022-06-02
A CWE-798: Use of Hard-coded Credentials vulnerability exists that could allow arbitrary code to be executed when root level access is obtained. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)
CVSS Score
9.4
EPSS Score
0.004
Published
2022-06-02
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow unauthorized access when an attacker uses brute force. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)
CVSS Score
8.6
EPSS Score
0.003
Published
2022-06-02
A CWE-669: Incorrect Resource Transfer Between Spheres vulnerability exists that could allow unauthorized access when an attacker uses cross-domain attacks. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)
CVSS Score
8.2
EPSS Score
0.004
Published
2022-06-02