NVD disclosure day

Published threat advisories for March 30, 2022

CVE advisoryCRITICAL

CVE-2022-26646

Online Banking System Local File Inclusion Vulnerability.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An online banking system has a local file inclusion vulnerability through its `pages` parameter. This could allow an attacker to access sensitive system files when the system is running. The vulnerability does not require authentication or special access, and could lead to information disclosure or code execution. The

CVE advisoryCRITICAL

CVE-2022-26645

Online Banking System Banking System RCE Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A remote code execution vulnerability in an online banking system allows attackers to upload and execute arbitrary code via a crafted PHP file through an image upload function. This could lead to unauthorized code execution and potential system compromise. The primary concern is to determine if this technology is in us

CVE advisoryCRITICAL

CVE-2021-46009

Totolink A3100R Firmware Authentication Bypass Vulnerability.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

Unauthenticated access to sensitive configuration pages on Totolink A3100R devices is possible. This allows attackers to read information and modify administrative settings without credentials. The critical severity indicates a significant risk if these devices are exposed to the network.

CVE advisoryCRITICAL

CVE-2021-46007

Totolink A3100R Command Injection Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A critical command injection vulnerability exists in specific router firmware, allowing unauthenticated attackers to execute arbitrary commands remotely by sending crafted requests to the device's web interface. This could lead to a complete compromise of the router, potentially enabling unauthorized network access or