CVSS: 9.8EPSS: 0%CPEs: 22EXPL: 0CVE-2022-42970 – Schneider Electric APC Easy UPS Online updatePassword Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2022-42970
A CWE-306: Missing Authentication for Critical Function The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GS-01-22261) This vulnerability allows remote attackers to bypass authentication on affected installations of Schneider Electric APC Easy UPS Online. Authentication is not required to exploit this vulnerability. The specific flaw exists within the updatePassword function. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. • https://download.schneider-electric.com/files?p_Doc_SEVD-2022-347-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-347-01_Easy_UPS_Online_Monitoring_Software_Security_Notification.pdf • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 0%CPEs: 22EXPL: 0CVE-2022-42971 – Schneider Electric APC Easy UPS Online UpLoadAction Unrestricted File Upload Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-42971
A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GS-01-22261) This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric APC Easy UPS Online. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UpLoadAction class. When parsing the filename parameter, the process does not properly validate user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://download.schneider-electric.com/files?p_Doc_SEVD-2022-347-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-347-01_Easy_UPS_Online_Monitoring_Software_Security_Notification.pdf • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.8EPSS: 0%CPEs: 31EXPL: 0CVE-2023-21730 – Microsoft Cryptographic Services Elevation of Privilege Vulnerability
https://notcve.org/view.php?id=CVE-2023-21730
Microsoft Cryptographic Services Elevation of Privilege Vulnerability Vulnerabilidad de elevación de privilegios de Microsoft Cryptographic Services • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21730 • CWE-190: Integer Overflow or Wraparound CWE-269: Improper Privilege Management •
CVSS: 8.1EPSS: 0%CPEs: 31EXPL: 0CVE-2023-21679 – Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-21679
Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability Vulnerabilidad de ejecución remota de código del protocolo de túnel de capa 2 de Windows (L2TP) • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21679 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 31EXPL: 0CVE-2023-21754 – Windows Kernel Elevation of Privilege Vulnerability
https://notcve.org/view.php?id=CVE-2023-21754
Windows Kernel Elevation of Privilege Vulnerability Vulnerabilidad de elevación de privilegios del kernel de Windows • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21754 • CWE-190: Integer Overflow or Wraparound •