Weekly Vulnerabilities Reports > January 3 to 9, 2022

Overview

250 new vulnerabilities reported during this period, including 7 critical vulnerabilities and 41 high severity vulnerabilities. This weekly summary report vulnerabilities in 521 products from 100 vendors including Huawei, Qualcomm, Apache, Debian, and Vehicle Service Management System Project. Vulnerabilities are notably categorized as "Cross-site Scripting", "NULL Pointer Dereference", "Out-of-bounds Write", "Path Traversal", and "Improper Privilege Management".

  • 190 reported vulnerabilities are remotely exploitables.
  • 1 reported vulnerabilities have public exploit available.
  • 79 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 196 reported vulnerabilities are exploitable by an anonymous user.
  • Huawei has the most reported vulnerabilities, with 41 reported vulnerabilities.
  • Huawei has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

7 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-01-06 CVE-2022-22704 Zabbix Improper Privilege Management vulnerability in Zabbix Zabbix-Agent2

The zabbix-agent2 package before 5.4.9-r1 for Alpine Linux sometimes allows privilege escalation to root because the design incorrectly expected that systemd would (in effect) determine part of the configuration.

10.0
2022-01-03 CVE-2021-37120 Huawei Double Free vulnerability in Huawei Emui and Magic UI

There is a Double free vulnerability in Smartphone.Successful exploitation of this vulnerability may cause a kernel crash or privilege escalation.

10.0
2022-01-03 CVE-2021-39979 Huawei Code Injection vulnerability in Huawei Harmonyos

HHEE system has a Code Injection vulnerability.Successful exploitation of this vulnerability may affect HHEE system integrity.

10.0
2022-01-03 CVE-2021-25981 Talkyard Insufficient Session Expiration vulnerability in Talkyard

In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34, are vulnerable to Insufficient Session Expiration.

10.0
2022-01-06 CVE-2021-43947 Atlassian Unspecified vulnerability in Atlassian products

Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature.

9.0
2022-01-05 CVE-2021-43779 Teclib Edition Improper Input Validation vulnerability in Teclib-Edition Addressing

GLPI is an open source IT Asset Management, issue tracking system and service desk system.

9.0
2022-01-04 CVE-2021-45913 Controlup Use of Hard-coded Credentials vulnerability in Controlup Agent

A hardcoded key in ControlUp Real-Time Agent (cuAgent.exe) before 8.2.5 may allow a potential attacker to run OS commands via a WCF channel.

9.0

41 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-01-04 CVE-2021-41141 Teluu Improper Locking vulnerability in Teluu Pjsip

PJSIP is a free and open source multimedia communication library written in the C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE.

7.8
2022-01-03 CVE-2021-38576 Tianocore Unspecified vulnerability in Tianocore Edk2

A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty.

7.8
2022-01-03 CVE-2021-39973 Huawei NULL Pointer Dereference vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a Null pointer dereference in Smartphones.Successful exploitation of this vulnerability may cause the kernel to break down.

7.8
2022-01-03 CVE-2021-44158 Asus Out-of-bounds Write vulnerability in Asus Rt-Ax56U Firmware 3.0.0.4.386.44266

ASUS RT-AX56U Wi-Fi Router is vulnerable to stack-based buffer overflow due to improper validation for httpd parameter length.

7.7
2022-01-03 CVE-2021-45917 SUN Moon Jingyao Improper Authentication vulnerability in SUN Moon Jingyao Network Computer Terminal Protection System Firmware

The server-request receiver function of Shockwall system has an improper authentication vulnerability.

7.7
2022-01-06 CVE-2021-46067 Vehicle Service Management System Project Unspecified vulnerability in Vehicle Service Management System Project Vehicle Service Management System

In Vehicle Service Management System 1.0 an attacker can steal the cookies leading to Full Account Takeover.

7.5
2022-01-06 CVE-2021-31522 Apache Unsafe Reflection vulnerability in Apache Kylin

Kylin can receive user input and load any class through Class.forName(...).

7.5
2022-01-06 CVE-2021-45456 Apache Command Injection vulnerability in Apache Kylin 4.0.0

Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user.

7.5
2022-01-06 CVE-2021-41842 Insyde Unspecified vulnerability in Insyde Insydeh2O

An issue was discovered in AtaLegacySmm in the kernel 5.0 before 05.08.46, 5.1 before 05.16.46, 5.2 before 05.26.46, 5.3 before 05.35.46, 5.4 before 05.43.46, and 5.5 before 05.51.45 in Insyde InsydeH2O.

7.5
2022-01-04 CVE-2021-43832 Linuxfoundation Missing Authentication for Critical Function vulnerability in Linuxfoundation Spinnaker

Spinnaker is an open source, multi-cloud continuous delivery platform.

7.5
2022-01-04 CVE-2022-21643 Useful Simple Open Source CMS Project SQL Injection vulnerability in Useful Simple Open-Source CMS Project Useful Simple Open-Source CMS

USOC is an open source CMS with a focus on simplicity.

7.5
2022-01-04 CVE-2022-21647 Codeigniter Deserialization of Untrusted Data vulnerability in Codeigniter

CodeIgniter is an open source PHP full-stack web framework.

7.5
2022-01-04 CVE-2021-24042 Whatsapp Out-of-bounds Write vulnerability in Whatsapp

The calling logic for WhatsApp for Android prior to v2.21.23, WhatsApp Business for Android prior to v2.21.23, WhatsApp for iOS prior to v2.21.230, WhatsApp Business for iOS prior to v2.21.230, WhatsApp for KaiOS prior to v2.2143, WhatsApp Desktop prior to v2.2146 could have allowed an out-of-bounds write if a user makes a 1:1 call to a malicious actor.

7.5
2022-01-04 CVE-2022-0086 Transloadit Server-Side Request Forgery (SSRF) vulnerability in Transloadit Uppy

uppy is vulnerable to Server-Side Request Forgery (SSRF)

7.5
2022-01-04 CVE-2021-45389 Starwind Improper Privilege Management vulnerability in Starwind Command Center and San&Nas

StarWind SAN & NAS build 1578 and StarWind Command Center Build 6864 Update Manager allows authentication with JTW token which is signed with any key.

7.5
2022-01-04 CVE-2021-43711 Totolink Command Injection vulnerability in Totolink Ex200 Firmware 4.0.3C.7646B20201211

The downloadFlile.cgi binary file in TOTOLINK EX200 V4.0.3c.7646_B20201211 has a command injection vulnerability when receiving GET parameters.

7.5
2022-01-03 CVE-2021-37121 Huawei Improper Privilege Management vulnerability in Huawei Emui and Magic UI

There is a Configuration defects in Smartphone.Successful exploitation of this vulnerability may elevate the MEID (IMEI) permission.

7.5
2022-01-03 CVE-2021-37128 Huawei Path Traversal vulnerability in Huawei Harmonyos

HwPCAssistant has a Path Traversal vulnerability .Successful exploitation of this vulnerability may write any file.

7.5
2022-01-03 CVE-2021-39990 Huawei Out-of-bounds Write vulnerability in Huawei Harmonyos

The screen lock module has a Stack-based Buffer Overflow vulnerability.Successful exploitation of this vulnerability may affect user experience.

7.5
2022-01-03 CVE-2021-45428 Telesquare Authorization Bypass Through User-Controlled Key vulnerability in Telesquare Tlr-2005Ksh Firmware

TLR-2005KSH is affected by an incorrect access control vulnerability.

7.5
2022-01-03 CVE-2021-30351 Qualcomm Classic Buffer Overflow vulnerability in Qualcomm products

An out of bound memory access can occur due to improper validation of number of frames being passed during music playback in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

7.5
2022-01-06 CVE-2021-45971 Insyde Out-of-bounds Write vulnerability in Insyde Insydeh2O

An issue was discovered in SdHostDriver in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25.

7.2
2022-01-05 CVE-2021-45969 Insyde Out-of-bounds Write vulnerability in Insyde Insydeh2O

An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25.

7.2
2022-01-05 CVE-2021-45970 Insyde Out-of-bounds Write vulnerability in Insyde Insydeh2O

An issue was discovered in IdeBusDxe in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25.

7.2
2022-01-04 CVE-2021-41388 Netskope Improper Privilege Management vulnerability in Netskope

Netskope client prior to 89.x on macOS is impacted by a local privilege escalation vulnerability.

7.2
2022-01-03 CVE-2021-1894 Qualcomm Improper Handling of Exceptional Conditions vulnerability in Qualcomm products

Improper access control in TrustZone due to improper error handling while handling the signing key in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking

7.2
2022-01-03 CVE-2021-30268 Qualcomm Classic Buffer Overflow vulnerability in Qualcomm products

Possible heap Memory Corruption Issue due to lack of input validation when sending HWTC IQ Capture command in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

7.2
2022-01-03 CVE-2021-30269 Qualcomm NULL Pointer Dereference vulnerability in Qualcomm products

Possible null pointer dereference due to lack of TLB validation for user provided address in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking

7.2
2022-01-03 CVE-2021-30270 Qualcomm NULL Pointer Dereference vulnerability in Qualcomm products

Possible null pointer dereference in thread profile trap handler due to lack of thread ID validation before dereferencing it in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

7.2
2022-01-03 CVE-2021-30271 Qualcomm NULL Pointer Dereference vulnerability in Qualcomm products

Possible null pointer dereference in trap handler due to lack of thread ID validation before dereferencing it in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

7.2
2022-01-03 CVE-2021-30272 Qualcomm NULL Pointer Dereference vulnerability in Qualcomm products

Possible null pointer dereference in thread cache operation handler due to lack of validation of user provided input in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

7.2
2022-01-03 CVE-2021-30274 Qualcomm Integer Overflow or Wraparound vulnerability in Qualcomm products

Possible integer overflow in access control initialization interface due to lack and size and address validation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking

7.2
2022-01-03 CVE-2021-30275 Qualcomm Integer Overflow or Wraparound vulnerability in Qualcomm products

Possible integer overflow in page alignment interface due to lack of address and size validation before alignment in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking

7.2
2022-01-03 CVE-2021-30276 Qualcomm Exposure of Resource to Wrong Sphere vulnerability in Qualcomm products

Improper access control while doing XPU re-configuration dynamically can lead to unauthorized access to a secure resource in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wired Infrastructure and Networking

7.2
2022-01-03 CVE-2021-30279 Qualcomm Improper Preservation of Permissions vulnerability in Qualcomm products

Possible access control violation while setting current permission for VMIDs due to improper permission masking in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking

7.2
2022-01-03 CVE-2021-30282 Qualcomm Improper Validation of Array Index vulnerability in Qualcomm products

Possible out of bound write in RAM partition table due to improper validation on number of partitions provided in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking

7.2
2022-01-03 CVE-2021-30289 Qualcomm Improper Handling of Exceptional Conditions vulnerability in Qualcomm products

Possible buffer overflow due to lack of range check while processing a DIAG command for COEX management in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

7.2
2022-01-03 CVE-2021-30303 Qualcomm Classic Buffer Overflow vulnerability in Qualcomm products

Possible buffer overflow due to lack of buffer length check when segmented WMI command is received in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking

7.2
2022-01-03 CVE-2021-30335 Qualcomm Reachable Assertion vulnerability in Qualcomm products

Possible assertion in QOS request due to improper validation when multiple add or update request are received simultaneously in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

7.2
2022-01-03 CVE-2021-30336 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Possible out of bound read due to lack of domain input validation while processing APK close session request in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Wearables

7.2
2022-01-03 CVE-2021-30337 Qualcomm Use After Free vulnerability in Qualcomm products

Possible use after free when process shell memory is freed using IOCTL call and process initialization is in progress in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

7.2

151 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-01-04 CVE-2021-22045 Vmware Out-of-bounds Write vulnerability in VMWare products

VMware ESXi (7.0, 6.7 before ESXi670-202111101-SG and 6.5 before ESXi650-202110101-SG), VMware Workstation (16.2.0) and VMware Fusion (12.2.0) contains a heap-overflow vulnerability in CD-ROM device emulation.

6.9
2022-01-06 CVE-2022-0128 VIM
Apple
Out-of-bounds Read vulnerability in multiple products

vim is vulnerable to Out-of-bounds Read

6.8
2022-01-06 CVE-2021-44564 Kalkitech Unspecified vulnerability in Kalkitech products

A security vulnerability originally reported in the SYNC2101 product, and applicable to specific sub-families of SYNC devices, allows an attacker to download the configuration file used in the device and apply a modified configuration file back to the device.

6.8
2022-01-06 CVE-2021-46143 Libexpat Project
Netapp
Tenable
Integer Overflow or Wraparound vulnerability in multiple products

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

6.8
2022-01-04 CVE-2021-43852 Oroinc Unspecified vulnerability in Oroinc Oroplatform

OroPlatform is a PHP Business Application Platform.

6.8
2022-01-04 CVE-2021-45978 Foxit Command Injection vulnerability in Foxit PDF Editor and PDF Reader

Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote attackers to execute arbitrary code via xfa.host.gotoURL in the XFA API.

6.8
2022-01-04 CVE-2021-45979 Foxit Command Injection vulnerability in Foxit PDF Editor and PDF Reader

Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote attackers to execute arbitrary code via app.launchURL in the JavaScript API.

6.8
2022-01-04 CVE-2021-45980 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote attackers to execute arbitrary code via getURL in the JavaScript API.

6.8
2022-01-03 CVE-2021-37134 Huawei Race Condition vulnerability in Huawei Harmonyos

Location-related APIs exists a Race Condition vulnerability.Successful exploitation of this vulnerability may use Higher Permissions for invoking the interface of location-related components.

6.8
2022-01-03 CVE-2021-25994 Userfrosting Injection vulnerability in Userfrosting

In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection.

6.8
2022-01-06 CVE-2022-21663 Wordpress
Debian
Fedoraproject
Injection vulnerability in multiple products

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database.

6.5
2022-01-06 CVE-2022-21664 Wordpress
Debian
Fedoraproject
SQL Injection vulnerability in multiple products

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database.

6.5
2022-01-06 CVE-2021-46075 Vehicle Service Management System Project Improper Privilege Management vulnerability in Vehicle Service Management System Project Vehicle Service Management System

A Privilege Escalation vulnerability exists in Sourcecodester Vehicle Service Management System 1.0.

6.5
2022-01-06 CVE-2021-46079 Vehicle Service Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Vehicle Service Management System Project Vehicle Service Management System

An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0.

6.5
2022-01-06 CVE-2021-46076 Vehicle Service Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Vehicle Service Management System Project Vehicle Service Management System 1.0

Sourcecodester Vehicle Service Management System 1.0 is vulnerable to File upload.

6.5
2022-01-05 CVE-2022-22111 Daybydaycrm Missing Authorization vulnerability in Daybydaycrm Daybyday CRM 2.2.0

In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization.

6.5
2022-01-04 CVE-2022-21644 Useful Simple Open Source CMS Project SQL Injection vulnerability in Useful Simple Open-Source CMS Project Useful Simple Open-Source CMS

USOC is an open source CMS with a focus on simplicity.

6.5
2022-01-03 CVE-2021-24786 Wpchill SQL Injection vulnerability in Wpchill Download Monitor

The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue

6.5
2022-01-03 CVE-2021-25023 Optimocha SQL Injection vulnerability in Optimocha Speed Booster Pack

The Speed Booster Pack âš¡ PageSpeed Optimization Suite WordPress plugin before 4.3.3.1 does not escape the sbp_convert_table_name parameter before using it in a SQL statement to convert the related table, leading to an SQL injection

6.5
2022-01-03 CVE-2021-25030 E Dynamics SQL Injection vulnerability in E-Dynamics Events Made Easy

The Events Made Easy WordPress plugin before 2.2.36 does not sanitise and escape the search_text parameter before using it in a SQL statement via the eme_searchmail AJAX action, available to any authenticated users.

6.5
2022-01-04 CVE-2021-40525 Apache Path Traversal vulnerability in Apache James

Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file.

6.4
2022-01-03 CVE-2021-37116 Huawei Improper Input Validation vulnerability in Huawei Harmonyos

PCManager has a Weaknesses Introduced During Design vulnerability .Successful exploitation of this vulnerability may cause that the PIN of the subscriber is changed.

6.4
2022-01-03 CVE-2021-39982 Huawei Improper Privilege Management vulnerability in Huawei Harmonyos 2.0

Phone Manager application has a Improper Privilege Management vulnerability.Successful exploitation of this vulnerability may read and write arbitrary files by tampering with Phone Manager notifications.

6.4
2022-01-04 CVE-2021-41789 Mediatek Improper Input Validation vulnerability in Mediatek Mt7615 Firmware and Mt7622 Firmware

In wifi driver, there is a possible system crash due to a missing validation check.

6.1
2022-01-06 CVE-2022-0121 Hoppscotch Information Exposure vulnerability in Hoppscotch

hoppscotch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

6.0
2022-01-05 CVE-2021-43816 Linuxfoundation
Fedoraproject
Improper Preservation of Permissions vulnerability in multiple products

containerd is an open source container runtime.

6.0
2022-01-06 CVE-2022-0122 Digitalbazaar Open Redirect vulnerability in Digitalbazaar Forge

forge is vulnerable to URL Redirection to Untrusted Site

5.8
2022-01-05 CVE-2022-21651 Shopware Open Redirect vulnerability in Shopware

Shopware is an open source e-commerce software platform.

5.8
2022-01-05 CVE-2022-21652 Shopware Insufficient Session Expiration vulnerability in Shopware

Shopware is an open source e-commerce software platform.

5.5
2022-01-06 CVE-2022-21661 Wordpress
Fedoraproject
Debian
SQL Injection vulnerability in multiple products

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database.

5.0
2022-01-06 CVE-2021-43045 Apache Allocation of Resources Without Limits or Throttling vulnerability in Apache Avro 1.10.1/1.10.2

A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack.

5.0
2022-01-06 CVE-2021-27738 Apache Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin

All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator.

5.0
2022-01-06 CVE-2021-44878 Pac4J Improper Verification of Cryptographic Signature vulnerability in Pac4J

If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the "idtoken" response type which is not secure and violates the OpenID Core Specification.

5.0
2022-01-06 CVE-2021-45457 Apache Insufficiently Protected Credentials vulnerability in Apache Kylin

In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin.

5.0
2022-01-06 CVE-2021-45458 Apache Inadequate Encryption Strength vulnerability in Apache Kylin

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords.

5.0
2022-01-06 CVE-2021-44351 Naviwebs Path Traversal vulnerability in Naviwebs Navigate CMS 2.9

An arbitrary file read vulnerability exists in NavigateCMS 2.9 via /navigate/navigate_download.php id parameter.

5.0
2022-01-05 CVE-2020-5956 Insyde Improper Privilege Management vulnerability in Insyde Insydeh2O

An issue was discovered in SdLegacySmm in Insyde InsydeH2O with kernel 5.1 before 05.15.11, 5.2 before 05.25.11, 5.3 before 05.34.11, and 5.4 before 05.42.11.

5.0
2022-01-05 CVE-2022-21653 Typelevel Inadequate Encryption Strength vulnerability in Typelevel Jawn

Jawn is an open source JSON parser.

5.0
2022-01-05 CVE-2021-38918 IBM Unspecified vulnerability in IBM Powervm Hypervisor

IBM PowerVM Hypervisor FW860, FW940, FW950, and FW1010, through a specific sequence of VM management operations could lead to a violation of the isolation between peer VMs.

5.0
2022-01-05 CVE-2022-22110 Daybydaycrm Weak Password Requirements vulnerability in Daybydaycrm Daybyday CRM

In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality.

5.0
2022-01-05 CVE-2020-15933 Fortinet Information Exposure vulnerability in Fortinet Fortimail

A exposure of sensitive information to an unauthorized actor in Fortinet FortiMail versions 6.0.9 and below, FortiMail versions 6.2.4 and below FortiMail versions 6.4.1 and 6.4.0 allows attacker to obtain potentially sensitive software-version information via client-side resources inspection.

5.0
2022-01-05 CVE-2021-45115 Djangoproject
Fedoraproject
Resource Exhaustion vulnerability in multiple products

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.

5.0
2022-01-05 CVE-2021-45116 Djangoproject
Fedoraproject
Exposure of Resource to Wrong Sphere vulnerability in multiple products

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.

5.0
2022-01-05 CVE-2021-45452 Djangoproject
Fedoraproject
Path Traversal vulnerability in multiple products

Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.

5.0
2022-01-04 CVE-2021-3845 WS Scrcpy Project Externally Controlled Reference to a Resource in Another Sphere vulnerability in WS Scrcpy Project WS Scrcpy

ws-scrcpy is vulnerable to External Control of File Name or Path

5.0
2022-01-04 CVE-2021-40148 Mediatek Missing Encryption of Sensitive Data vulnerability in Mediatek products

In Modem EMM, there is a possible information disclosure due to a missing data encryption.

5.0
2022-01-04 CVE-2021-3842 Nltk
Debian
Fedoraproject
nltk is vulnerable to Inefficient Regular Expression Complexity
5.0
2022-01-04 CVE-2021-34797 Apache Information Exposure Through Log Files vulnerability in Apache Geode

Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values that begin with characters other than letters or numbers for passwords and security properties with the prefix "sysprop-", "javax.net.ssl", or "security-".

5.0
2022-01-04 CVE-2021-40110 Apache Unspecified vulnerability in Apache James 2.2.0

In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression.

5.0
2022-01-04 CVE-2022-0083 Livehelperchat Information Exposure Through an Error Message vulnerability in Livehelperchat Live Helper Chat

livehelperchat is vulnerable to Generation of Error Message Containing Sensitive Information

5.0
2022-01-03 CVE-2021-20147 Zohocorp Information Exposure Through Discrepancy vulnerability in Zohocorp Manageengine Adselfservice Plus

ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI.

5.0
2022-01-03 CVE-2021-37098 Huawei Unspecified vulnerability in Huawei Harmonyos

Hilinksvc service exists a Data Processing Errors vulnerability .Successful exploitation of this vulnerability may cause application crash.

5.0
2022-01-03 CVE-2021-37110 Huawei Unspecified vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a Timing design defects in Smartphone.Successful exploitation of this vulnerability may affect service confidentiality.

5.0
2022-01-03 CVE-2021-37111 Huawei Allocation of Resources Without Limits or Throttling vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a Memory leakage vulnerability in Smartphone.Successful exploitation of this vulnerability may cause memory exhaustion.

5.0
2022-01-03 CVE-2021-37112 Huawei Externally Controlled Reference to a Resource in Another Sphere vulnerability in Huawei Harmonyos

Hisuite module has a External Control of System or Configuration Setting vulnerability.Successful exploitation of this vulnerability may lead to Firmware leak.

5.0
2022-01-03 CVE-2021-37113 Huawei Improper Privilege Management vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a Privilege escalation vulnerability with the file system component in Smartphone.Successful exploitation of this vulnerability may affect service confidentiality.

5.0
2022-01-03 CVE-2021-37114 Huawei Out-of-bounds Read vulnerability in Huawei Emui, Harmonyos and Magic UI

There is an Out-of-bounds read vulnerability in Smartphone.Successful exploitation of this vulnerability may affect service confidentiality.

5.0
2022-01-03 CVE-2021-37117 Huawei Unspecified vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a Service logic vulnerability in Smartphone.Successful exploitation of this vulnerability may cause WLAN DoS.

5.0
2022-01-03 CVE-2021-37118 Huawei Improper Handling of Exceptional Conditions vulnerability in Huawei Harmonyos

The HwNearbyMain module has a Improper Handling of Exceptional Conditions vulnerability.Successful exploitation of this vulnerability may lead to message leak.

5.0
2022-01-03 CVE-2021-37119 Huawei Unspecified vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a Service logic vulnerability in Smartphone.Successful exploitation of this vulnerability may cause WLAN DoS.

5.0
2022-01-03 CVE-2021-37125 Huawei Information Exposure vulnerability in Huawei Harmonyos

Arbitrary file has a Exposure of Sensitive Information to an Unauthorized Actor vulnerability .Successful exploitation of this vulnerability may cause confidentiality is affected.

5.0
2022-01-03 CVE-2021-37126 Huawei Path Traversal vulnerability in Huawei Harmonyos

Arbitrary file has a Exposure of Sensitive Information to an Unauthorized Actor vulnerability .Successful exploitation of this vulnerability may cause the directory is traversed.

5.0
2022-01-03 CVE-2021-37132 Huawei Incorrect Default Permissions vulnerability in Huawei Harmonyos

PackageManagerService has a Permissions, Privileges, and Access Controls vulnerability .Successful exploitation of this vulnerability may cause that Third-party apps can obtain the complete list of Harmony apps without permission.

5.0
2022-01-03 CVE-2021-37133 Huawei Exposure of Resource to Wrong Sphere vulnerability in Huawei Emui, Harmonyos and Magic UI

There is an Unauthorized file access vulnerability in Smartphones.Successful exploitation of this vulnerability may affect service confidentiality.

5.0
2022-01-03 CVE-2021-39966 Huawei Missing Initialization of Resource vulnerability in Huawei Emui, Harmonyos and Magic UI

There is an Uninitialized AOD driver structure in Smartphones.Successful exploitation of this vulnerability may affect service confidentiality.

5.0
2022-01-03 CVE-2021-39967 Huawei Incorrect Default Permissions vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a Vulnerability of obtaining broadcast information improperly due to improper broadcast permission settings in Smartphones.Successful exploitation of this vulnerability may affect service confidentiality.

5.0
2022-01-03 CVE-2021-39968 Huawei Unspecified vulnerability in Huawei Harmonyos

Changlian Blocklist has a Business Logic Errors vulnerability .Successful exploitation of this vulnerability may expand the attack surface of the message class.

5.0
2022-01-03 CVE-2021-39969 Huawei Exposure of Resource to Wrong Sphere vulnerability in Huawei Emui, Harmonyos and Magic UI

There is an Unauthorized file access vulnerability in Smartphones.Successful exploitation of this vulnerability may affect service confidentiality.

5.0
2022-01-03 CVE-2021-39970 Huawei Path Traversal vulnerability in Huawei Harmonyos

HwPCAssistant has a Improper Input Validation vulnerability.Successful exploitation of this vulnerability may create any file with the system app permission.

5.0
2022-01-03 CVE-2021-39971 Huawei Externally Controlled Reference to a Resource in Another Sphere vulnerability in Huawei Harmonyos

Password vault has a External Control of System or Configuration Setting vulnerability.Successful exploitation of this vulnerability could compromise confidentiality.

5.0
2022-01-03 CVE-2021-39972 Huawei Exposure of Resource to Wrong Sphere vulnerability in Huawei Harmonyos

MyHuawei-App has a Exposure of Sensitive Information to an Unauthorized Actor vulnerability.Successful exploitation of this vulnerability could compromise confidentiality.

5.0
2022-01-03 CVE-2021-39974 Huawei Out-of-bounds Read vulnerability in Huawei Emui, Harmonyos and Magic UI

There is an Out-of-bounds read in Smartphones.Successful exploitation of this vulnerability may affect service confidentiality.

5.0
2022-01-03 CVE-2021-39975 Huawei Unspecified vulnerability in Huawei Harmonyos

Hilinksvc has a Data Processing Errors vulnerability.Successful exploitation of this vulnerability may cause denial of service attacks.

5.0
2022-01-03 CVE-2021-39977 Huawei NULL Pointer Dereference vulnerability in Huawei Harmonyos

The HwNearbyMain module has a NULL Pointer Dereference vulnerability.Successful exploitation of this vulnerability may cause a process to restart.

5.0
2022-01-03 CVE-2021-39978 Huawei SQL Injection vulnerability in Huawei Harmonyos

Telephony application has a SQL Injection vulnerability.Successful exploitation of this vulnerability may cause privacy and security issues.

5.0
2022-01-03 CVE-2021-39980 Huawei Exposure of Resource to Wrong Sphere vulnerability in Huawei Harmonyos 2.0

Telephony application has a Exposure of Sensitive Information to an Unauthorized Actor vulnerability.Successful exploitation of this vulnerability could lead to sensitive information disclosure.

5.0
2022-01-03 CVE-2021-39983 Huawei Unspecified vulnerability in Huawei Harmonyos 2.0

The HwNearbyMain module has a Data Processing Errors vulnerability.Successful exploitation of this vulnerability may cause a process to restart.

5.0
2022-01-03 CVE-2021-39984 Huawei Out-of-bounds Read vulnerability in Huawei Harmonyos 2.0

Huawei idap module has a Out-of-bounds Read vulnerability.Successful exploitation of this vulnerability may cause Denial of Service.

5.0
2022-01-03 CVE-2021-39985 Huawei Improper Validation of Array Index vulnerability in Huawei Harmonyos

The HwNearbyMain module has a Improper Validation of Array Index vulnerability.Successful exploitation of this vulnerability may cause a process to restart.

5.0
2022-01-03 CVE-2021-39987 Huawei Type Confusion vulnerability in Huawei Harmonyos

The HwNearbyMain module has a Data Processing Errors vulnerability.Successful exploitation of this vulnerability may cause a process to restart.

5.0
2022-01-03 CVE-2021-39988 Huawei NULL Pointer Dereference vulnerability in Huawei Harmonyos

The HwNearbyMain module has a NULL Pointer Dereference vulnerability.Successful exploitation of this vulnerability may cause a process to restart.

5.0
2022-01-03 CVE-2021-39989 Huawei Incorrect Type Conversion or Cast vulnerability in Huawei Harmonyos

The HwNearbyMain module has a Exposure of Sensitive Information to an Unauthorized Actor vulnerability.Successful exploitation of this vulnerability may cause a process to restart.

5.0
2022-01-03 CVE-2020-23026 Dhrystone Project NULL Pointer Dereference vulnerability in Dhrystone Project Dhrystone 2.1

A NULL pointer dereference in the main() function dhry_1.c of dhrystone 2.1 causes a denial of service (DoS).

5.0
2022-01-03 CVE-2021-24831 Rich WEB Missing Authorization vulnerability in Rich-Web TAB

All AJAX actions of the Tab WordPress plugin before 1.3.2 are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs.

5.0
2022-01-03 CVE-2021-24893 Stars Rating Project Resource Exhaustion vulnerability in Stars Rating Project Stars Rating

The Stars Rating WordPress plugin before 3.5.1 does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service in the comments section, or pending comment dashboard depending if the user sent it as unauthenticated or authenticated.

5.0
2022-01-03 CVE-2021-30273 Qualcomm Reachable Assertion vulnerability in Qualcomm products

Possible assertion due to improper handling of IPV6 packet with invalid length in destination options header in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables

5.0
2022-01-03 CVE-2021-30293 Qualcomm Reachable Assertion vulnerability in Qualcomm products

Possible assertion due to lack of input validation in PUSCH configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT

5.0
2022-01-03 CVE-2022-0079 Showdoc Information Exposure Through an Error Message vulnerability in Showdoc

showdoc is vulnerable to Generation of Error Message Containing Sensitive Information

5.0
2022-01-04 CVE-2021-45912 Controlup OS Command Injection vulnerability in Controlup Real-Time Agent

An unauthenticated Named Pipe channel in Controlup Real-Time Agent (cuAgent.exe) before 8.5 potentially allows an attacker to run OS commands via the ProcessActionRequest WCF method.

4.6
2022-01-04 CVE-2022-20012 Google Integer Overflow or Wraparound vulnerability in Google Android 10.0/11.0/12.0

In mdp driver, there is a possible memory corruption due to an integer overflow.

4.6
2022-01-04 CVE-2022-20014 Google Improper Input Validation vulnerability in Google Android 10.0/11.0/12.0

In vow driver, there is a possible memory corruption due to improper input validation.

4.6
2022-01-04 CVE-2022-20016 Google Improper Locking vulnerability in Google Android 10.0/11.0

In vow driver, there is a possible memory corruption due to improper locking.

4.6
2022-01-04 CVE-2021-44168 Fortinet Download of Code Without Integrity Check vulnerability in Fortinet Fortios

A download of code without integrity check vulnerability in the "execute restore src-vis" command of FortiOS before 7.0.3 may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages.

4.6
2022-01-04 CVE-2021-31833 Mcafee Improper Privilege Management vulnerability in Mcafee Application and Change Control

Potential product security bypass vulnerability in McAfee Application and Change Control (MACC) prior to version 8.3.4 allows a locally logged in attacker to circumvent the application solidification protection provided by MACC, permitting them to run applications that would usually be prevented by MACC.

4.6
2022-01-04 CVE-2021-20872 Konicaminolta Unspecified vulnerability in Konicaminolta products

Protection mechanism failure vulnerability in KONICA MINOLTA bizhub series (bizhub C750i G00-35 and earlier, bizhub C650i/C550i/C450i G00-B6 and earlier, bizhub C360i/C300i/C250i G00-B6 and earlier, bizhub 750i/650i/550i/450i G00-37 and earlier, bizhub 360i/300i G00-33 and earlier, bizhub C287i/C257i/C227i G00-19 and earlier, bizhub 306i/266i/246i/226i G00-B6 and earlier, bizhub C759/C659 GC7-X8 and earlier, bizhub C658/C558/C458 GC7-X8 and earlier, bizhub 958/808/758 GC7-X8 and earlier, bizhub 658e/558e/458e GC7-X8 and earlier, bizhub C287/C227 GC7-X8 and earlier, bizhub 287/227 GC7-X8 and earlier, bizhub 368e/308e GC7-X8 and earlier, bizhub C368/C308/C258 GC9-X4 and earlier, bizhub 558/458/368/308 GC9-X4 and earlier, bizhub C754e/C654e GDQ-M0 and earlier, bizhub 754e/654e GDQ-M0 and earlier, bizhub C554e/C454e GDQ-M1 and earlier, bizhub C364e/C284e/C224e GDQ-M1 and earlier, bizhub 554e/454e/364e/284e/224e GDQ-M1 and earlier, bizhub C754/C654 C554/C454 GR1-M0 and earlier, bizhub C364/C284/C224 GR1-M0 and earlier, bizhub 754/654 GR1-M0 and earlier, bizhub C3851FS/C3851/C3351 GC9-X4 and earlier, bizhub 4752/4052 GC9-X4 and earlier) allows a physical attacker to bypass the firmware integrity verification and to install malicious firmware.

4.6
2022-01-03 CVE-2020-11263 Qualcomm Integer Overflow or Wraparound vulnerability in Qualcomm products

An integer overflow due to improper check performed after the address and size passed are aligned in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking

4.6
2022-01-03 CVE-2021-30262 Qualcomm Improper Input Validation vulnerability in Qualcomm products

Improper validation of a socket state when socket events are being sent to clients can lead to invalid access of memory in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

4.6
2022-01-03 CVE-2021-30267 Qualcomm Integer Overflow or Wraparound vulnerability in Qualcomm products

Possible integer overflow to buffer overflow due to improper input validation in FTM ARA commands in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile

4.6
2022-01-03 CVE-2021-30298 Qualcomm Classic Buffer Overflow vulnerability in Qualcomm products

Possible out of bound access due to improper validation of item size and DIAG memory pools data while switching between USB and PCIE interface in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

4.6
2022-01-04 CVE-2022-20013 Google Race Condition vulnerability in Google Android 10.0/11.0

In vow driver, there is a possible memory corruption due to a race condition.

4.4
2022-01-07 CVE-2021-38674 Qnap Cross-site Scripting vulnerability in Qnap QTS

A cross-site scripting (XSS) vulnerability has been reported to affect QTS, QuTS hero and QuTScloud.

4.3
2022-01-06 CVE-2021-42841 Practo Cross-site Scripting vulnerability in Practo Insta HMS

Insta HMS before 12.4.10 is vulnerable to XSS because of improper validation of user-supplied input by multiple scripts.

4.3
2022-01-06 CVE-2021-46043 Gpac NULL Pointer Dereference vulnerability in Gpac 1.0.1

A Pointer Dereference Vulnerability exits in GPAC 1.0.1 in the gf_list_count function, which causes a Denial of Service.

4.3
2022-01-06 CVE-2021-46044 Gpac NULL Pointer Dereference vulnerability in Gpac 1.0.1

A Pointer Dereference Vulnerabilty exists in GPAC 1.0.1via ShiftMetaOffset.isra, which causes a Denial of Service (context-dependent).

4.3
2022-01-06 CVE-2021-46039 Gpac NULL Pointer Dereference vulnerability in Gpac 1.0.1

A Pointer Dereference Vulnerabilty exists in GPAC 1.0.1 via the shift_chunk_offsets.part function, which causes a Denial of Service (context-dependent).

4.3
2022-01-06 CVE-2021-46040 Gpac NULL Pointer Dereference vulnerability in Gpac 1.0.1

A Pointer Dereference Vulnerabilty exists in GPAC 1.0.1 via the finplace_shift_moov_meta_offsets function, which causes a Denial of Servie (context-dependent).

4.3
2022-01-06 CVE-2021-46041 Gpac Unspecified vulnerability in Gpac 1.0.1

A Segmentation Fault Vulnerability exists in GPAC 1.0.1 via the co64_box_new function, which causes a Denial of Service.

4.3
2022-01-06 CVE-2021-46042 Gpac NULL Pointer Dereference vulnerability in Gpac 1.0.1

A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the _fseeko function, which causes a Denial of Service.

4.3
2022-01-06 CVE-2021-44590 Libming Resource Exhaustion vulnerability in Libming 0.4.8

In libming 0.4.8, a memory exhaustion vulnerability exist in the function cws2fws in util/main.c.

4.3
2022-01-06 CVE-2021-44591 Libming Allocation of Resources Without Limits or Throttling vulnerability in Libming 0.4.8

In libming 0.4.8, the parseSWF_DEFINELOSSLESS2 function in util/parser.c lacks a boundary check that would lead to denial-of-service attacks via a crafted SWF file.

4.3
2022-01-06 CVE-2021-44584 Emlog Cross-site Scripting vulnerability in Emlog

Cross-site scripting (XSS) vulnerability in index.php in emlog version <= pro-1.0.7 allows remote attackers to inject arbitrary web script or HTML via the s parameter.

4.3
2022-01-06 CVE-2021-36737 Apache Cross-site Scripting vulnerability in Apache Pluto 3.0.0/3.0.1

The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks.

4.3
2022-01-06 CVE-2021-36738 Apache Cross-site Scripting vulnerability in Apache Pluto 3.0.0/3.0.1

The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks.

4.3
2022-01-06 CVE-2021-36739 Apache Cross-site Scripting vulnerability in Apache Pluto 3.1.0

The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.

4.3
2022-01-06 CVE-2022-22707 Lighttpd
Debian
Out-of-bounds Write vulnerability in multiple products

In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration.

4.3
2022-01-06 CVE-2021-46144 Roundcube
Debian
Cross-site Scripting vulnerability in multiple products

Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.

4.3
2022-01-06 CVE-2021-46141 Uriparser Project
Fedoraproject
Debian
Opensuse
Use After Free vulnerability in multiple products

An issue was discovered in uriparser before 0.9.6.

4.3
2022-01-06 CVE-2021-46142 Uriparser Project
Fedoraproject
Debian
Opensuse
Use After Free vulnerability in multiple products

An issue was discovered in uriparser before 0.9.6.

4.3
2022-01-06 CVE-2020-23986 Github Readme Stats Project Cross-site Scripting vulnerability in Github Readme Stats Project Github Readme Stats 1.0

Github Read Me Stats commit 3c7220e4f7144f6cb068fd433c774f6db47ccb95 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the function renderError.

4.3
2022-01-06 CVE-2020-27428 MIT Cross-site Scripting vulnerability in MIT Scratch-Svg-Renderer 0.2.0

A DOM-based cross-site scripting (XSS) vulnerability in Scratch-Svg-Renderer v0.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted sb3 file.

4.3
2022-01-05 CVE-2021-46038 Gpac NULL Pointer Dereference vulnerability in Gpac 1.0.1

A Pointer Dereference vulnerability exists in GPAC 1.0.1 in unlink_chunk.isra, which causes a Denial of Service (context-dependent).

4.3
2022-01-05 CVE-2021-45832 Hdfgroup Out-of-bounds Write vulnerability in Hdfgroup Hdf5 1.13.11

A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13.1-1 at at hdf5/src/H5Eint.c, which causes a Denial of Service (context-dependent).

4.3
2022-01-05 CVE-2021-45833 Hdfgroup Out-of-bounds Write vulnerability in Hdfgroup Hdf5 1.13.11

A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13.1-1 via the H5D__create_chunk_file_map_hyper function in /hdf5/src/H5Dchunk.c, which causes a Denial of Service (context-dependent).

4.3
2022-01-05 CVE-2021-45830 Hdfgroup Out-of-bounds Write vulnerability in Hdfgroup Hdf5 1.13.11

A heap-based buffer overflow vulnerability exists in HDF5 1.13.1-1 via H5F_addr_decode_len in /hdf5/src/H5Fint.c, which could cause a Denial of Service.

4.3
2022-01-05 CVE-2021-45831 Gpac NULL Pointer Dereference vulnerability in Gpac 1.0.1

A Null Pointer Dereference vulnerability exitgs in GPAC 1.0.1 in MP4Box via __strlen_avx2, which causes a Denial of Service.

4.3
2022-01-05 CVE-2021-31589 Beyondtrust Cross-site Scripting vulnerability in Beyondtrust Appliance Base Software

A cross-site scripting (XSS) vulnerability has been reported and confirmed for BeyondTrust Secure Remote Access Base Software version 6.0.1 and older, which allows the injection of unauthenticated, specially-crafted web requests without proper sanitization.

4.3
2022-01-05 CVE-2021-41043 Tcpdump Use After Free vulnerability in Tcpdump Tcpslice

Use after free in tcpslice triggers AddressSanitizer, no other confirmed impact.

4.3
2022-01-04 CVE-2021-43677 Fluxbb Cross-site Scripting vulnerability in Fluxbb 1.4.12

Fluxbb v1.4.12 is affected by a Cross Site Scripting (XSS) vulnerability.

4.3
2022-01-04 CVE-2022-21648 Nette Cross-site Scripting vulnerability in Nette Latte

Latte is an open source template engine for PHP.

4.3
2022-01-04 CVE-2021-38542 Apache Command Injection vulnerability in Apache James 2.2.0

Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command.

4.3
2022-01-04 CVE-2021-43942 Atlassian Cross-site Scripting vulnerability in Atlassian Jira Server and Jira Server and Data Center

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (XSS) vulnerability in the /rest/collectors/1.0/template/custom endpoint.

4.3
2022-01-03 CVE-2021-39981 Huawei Unspecified vulnerability in Huawei Harmonyos 2.0

Chang Lian application has a vulnerability which can be maliciously exploited to hide the calling number.Successful exploitation of this vulnerability allows you to make an anonymous call.

4.3
2022-01-03 CVE-2021-45829 Hdfgroup Improper Resource Shutdown or Release vulnerability in Hdfgroup Hdf5 1.13.11

HDF5 1.13.1-1 is affected by: segmentation fault, which causes a Denial of Service.

4.3
2022-01-03 CVE-2021-3837 Openwhyd Improper Authorization vulnerability in Openwhyd

openwhyd is vulnerable to Improper Authorization

4.3
2022-01-03 CVE-2021-46109 Asus Cross-site Scripting vulnerability in Asus Rt-Ac52U B1 Firmware 3.0.0.4.380.10931

Invalid input sanitizing leads to reflected Cross Site Scripting (XSS) in ASUS RT-AC52U_B1 3.0.0.4.380.10931 can lead to a user session hijack.

4.3
2022-01-03 CVE-2021-24973 Geminilabs Cross-site Scripting vulnerability in Geminilabs Site Reviews

The Site Reviews WordPress plugin before 5.17.3 does not sanitise and escape the site-reviews parameter of the glsr_action AJAX action (available to unauthenticated and any authenticated users), allowing them to perform Cross-Site Scripting attacks against logged in admins viewing the Tool dashboard of the plugin

4.3
2022-01-03 CVE-2021-25016 Premio Cross-site Scripting vulnerability in Premio Chaty and Chaty PRO

The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting

4.3
2022-01-03 CVE-2021-25022 Updraftplus Cross-site Scripting vulnerability in Updraftplus

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape the backup_timestamp and job_id parameter before outputting then back in admin pages, leading to Reflected Cross-Site Scripting issues

4.3
2022-01-03 CVE-2021-25027 Ideabox Cross-site Scripting vulnerability in Ideabox Powerpack Addons for Elementor

The PowerPack Addons for Elementor WordPress plugin before 2.6.2 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue

4.3
2022-01-03 CVE-2021-25040 Booking Calendar Project Cross-site Scripting vulnerability in Booking Calendar Project Booking Calendar

The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the booking_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

4.3
2022-01-06 CVE-2021-4194 Bookstackapp Exposure of Resource to Wrong Sphere vulnerability in Bookstackapp Bookstack

bookstack is vulnerable to Improper Access Control

4.0
2022-01-06 CVE-2021-36774 Apache Exposure of Resource to Wrong Sphere vulnerability in Apache Kylin

Apache Kylin allows users to read data from other database systems using JDBC.

4.0
2022-01-05 CVE-2022-21642 Discourse Information Exposure vulnerability in Discourse

Discourse is an open source platform for community discussion.

4.0
2022-01-05 CVE-2022-22107 Daybydaycrm Missing Authorization vulnerability in Daybydaycrm Daybyday CRM

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization.

4.0
2022-01-05 CVE-2022-22108 Daybydaycrm Missing Authorization vulnerability in Daybydaycrm Daybyday CRM

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization.

4.0
2022-01-05 CVE-2021-43946 Atlassian Improper Authentication vulnerability in Atlassian Data Center and Jira

Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to add administrator groups to filter subscriptions via a Broken Access Control vulnerability in the /secure/EditSubscription.jspa endpoint.

4.0
2022-01-04 CVE-2021-43850 Discourse Unspecified vulnerability in Discourse

Discourse is an open source platform for community discussion.

4.0
2022-01-04 CVE-2021-40111 Apache Infinite Loop vulnerability in Apache James 2.2.0

In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions.

4.0
2022-01-03 CVE-2021-25020 FFW Path Traversal vulnerability in FFW Complete Analytics Optimization Suite

The CAOS | Host Google Analytics Locally WordPress plugin before 4.1.9 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin

4.0
2022-01-03 CVE-2021-25021 FFW Path Traversal vulnerability in FFW Optimize MY Google Fonts

The OMGF | Host Google Fonts Locally WordPress plugin before 4.5.12 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin

4.0
2022-01-03 CVE-2021-44674 Opmantek Path Traversal vulnerability in Opmantek Open-Audit 4.2.0

An information exposure issue has been discovered in Opmantek Open-AudIT 4.2.0.

4.0

51 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-01-04 CVE-2021-39143 Linuxfoundation Path Traversal vulnerability in Linuxfoundation Spinnaker

Spinnaker is an open source, multi-cloud continuous delivery platform.

3.6
2022-01-06 CVE-2022-21662 Wordpress
Debian
Cross-site Scripting vulnerability in multiple products

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database.

3.5
2022-01-06 CVE-2021-45744 Bludit Cross-site Scripting vulnerability in Bludit

A Stored Cross Site Scripting (XSS) vulnerability exists in bludit 3.13.1 via the TAGS section in login panel.

3.5
2022-01-06 CVE-2021-45745 Bludit Cross-site Scripting vulnerability in Bludit

A Stored Cross Site Scripting (XSS) vulnerability exists in Bludit 3.13.1 via the About Plugin in login panel.

3.5
2022-01-06 CVE-2021-46068 Vehicle Service Management System Project Cross-site Scripting vulnerability in Vehicle Service Management System Project Vehicle Service Management System

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the My Account Section in login panel.

3.5
2022-01-06 CVE-2021-46069 Vehicle Service Management System Project Cross-site Scripting vulnerability in Vehicle Service Management System Project Vehicle Service Management System

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Mechanic List Section in login panel.

3.5
2022-01-06 CVE-2021-46070 Vehicle Service Management System Project Cross-site Scripting vulnerability in Vehicle Service Management System Project Vehicle Service Management System

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service Requests Section in login panel.

3.5
2022-01-06 CVE-2021-46071 Vehicle Service Management System Project Cross-site Scripting vulnerability in Vehicle Service Management System Project Vehicle Service Management System

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Category List Section in login panel.

3.5
2022-01-06 CVE-2021-46072 Vehicle Service Management System Project Cross-site Scripting vulnerability in Vehicle Service Management System Project Vehicle Service Management System

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service List Section in login panel.

3.5
2022-01-06 CVE-2021-46073 Vehicle Service Management System Project Cross-site Scripting vulnerability in Vehicle Service Management System Project Vehicle Service Management System

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the User List Section in login panel.

3.5
2022-01-06 CVE-2021-46074 Vehicle Service Management System Project Cross-site Scripting vulnerability in Vehicle Service Management System Project Vehicle Service Management System

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the Settings Section in login panel.

3.5
2022-01-06 CVE-2021-46078 Vehicle Service Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Vehicle Service Management System Project Vehicle Service Management System

An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0.

3.5
2022-01-06 CVE-2021-46080 Vehicle Service Management System Project Cross-site Scripting vulnerability in Vehicle Service Management System Project Vehicle Service Management System

A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0.

3.5
2022-01-05 CVE-2022-22109 Daybydaycrm Cross-site Scripting vulnerability in Daybydaycrm Daybyday CRM 2.2.0

In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks.

3.5
2022-01-05 CVE-2021-22567 Dart Unspecified vulnerability in Dart Software Development KIT

Bidirectional Unicode text can be interpreted and compiled differently than how it appears in editors which can be exploited to get nefarious code passed a code review by appearing benign.

3.5
2022-01-04 CVE-2022-21649 Convos Cross-site Scripting vulnerability in Convos

Convos is an open source multi-user chat that runs in a web browser.

3.5
2022-01-04 CVE-2022-21650 Convos Cross-site Scripting vulnerability in Convos

Convos is an open source multi-user chat that runs in a web browser.

3.5
2022-01-04 CVE-2021-41236 Oroinc Cross-site Scripting vulnerability in Oroinc Oroplatform

OroPlatform is a PHP Business Application Platform.

3.5
2022-01-03 CVE-2021-20148 Zohocorp Information Exposure vulnerability in Zohocorp Manageengine Adselfservice Plus

ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name.

3.5
2022-01-03 CVE-2021-24680 Wptravelengine Cross-site Scripting vulnerability in Wptravelengine WP Travel Engine

The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed

3.5
2022-01-03 CVE-2021-24828 Mlcalc Cross-site Scripting vulnerability in Mlcalc Mortgage Calculator/Loan Calculator

The Mortgage Calculator / Loan Calculator WordPress plugin before 1.5.17 does not escape the some of the attributes of its mlcalc shortcode before outputting them, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks

3.5
2022-01-03 CVE-2021-24963 Litespeedtech Cross-site Scripting vulnerability in Litespeedtech Litespeed Cache

The LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the qc_res parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site Scripting

3.5
2022-01-03 CVE-2021-24991 Wpovernight Cross-site Scripting vulnerability in Wpovernight Woocommerce PDF Invoices& Packing Slips

The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard

3.5
2022-01-04 CVE-2022-20021 Google Unspecified vulnerability in Google Android 10.0/11.0

In Bluetooth, there is a possible application crash due to bluetooth does not properly handle the reception of multiple LMP_host_connection_req.

3.3
2022-01-04 CVE-2022-20022 Google Unspecified vulnerability in Google Android 10.0/11.0

In Bluetooth, there is a possible link disconnection due to bluetooth does not properly handle a connection attempt from a host with the same BD address as the currently connected BT host.

3.3
2022-01-04 CVE-2022-20023 Google Missing Release of Resource after Effective Lifetime vulnerability in Google Android 10.0/11.0

In Bluetooth, there is a possible application crash due to bluetooth flooding a device with LMP_AU_rand packet.

3.3
2022-01-03 CVE-2021-30348 Qualcomm Resource Exhaustion vulnerability in Qualcomm products

Improper validation of LLM utility timers availability can lead to denial of service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music

3.3
2022-01-03 CVE-2021-35093 Qualcomm Out-of-bounds Write vulnerability in Qualcomm Csr8510 A10 Firmware and Csr8811 A12 Firmware

Possible memory corruption in BT controller when it receives an oversized LMP packet over 2-DH1 link and leads to denial of service in BlueCore

3.3
2022-01-06 CVE-2021-46145 Honda Authentication Bypass by Capture-replay vulnerability in Honda Civic 2012

The keyfob subsystem in Honda Civic 2012 vehicles allows a replay attack for unlocking.

2.9
2022-01-04 CVE-2021-20869 Konicaminolta Information Exposure vulnerability in Konicaminolta products

Exposure of sensitive information to an unauthorized actor vulnerability in KONICA MINOLTA bizhub series (bizhub C750i G00-35 and earlier, bizhub C650i/C550i/C450i G00-B6 and earlier, bizhub C360i/C300i/C250i G00-B6 and earlier, bizhub 750i/650i/550i/450i G00-37 and earlier, bizhub 360i/300i G00-33 and earlier, bizhub C287i/C257i/C227i G00-19 and earlier, bizhub 306i/266i/246i/226i G00-B6 and earlier, bizhub C759/C659 GC7-X8 and earlier, bizhub C658/C558/C458 GC7-X8 and earlier, bizhub 958/808/758 GC7-X8 and earlier, bizhub 658e/558e/458e GC7-X8 and earlier, bizhub C287/C227 GC7-X8 and earlier, bizhub 287/227 GC7-X8 and earlier, bizhub 368e/308e GC7-X8 and earlier, bizhub C368/C308/C258 GC9-X4 and earlier, bizhub 558/458/368/308 GC9-X4 and earlier, bizhub C754e/C654e GDQ-M0 and earlier, bizhub 754e/654e GDQ-M0 and earlier, bizhub C554e/C454e GDQ-M1 and earlier, bizhub C364e/C284e/C224e GDQ-M1 and earlier, bizhub 554e/454e/364e/284e/224e GDQ-M1 and earlier, bizhub C754/C654 C554/C454 GR1-M0 and earlier, bizhub C364/C284/C224 GR1-M0 and earlier, bizhub 754/654 GR1-M0 and earlier, bizhub C4050i/C3350i/C4000i/C3300i G00-B6 and earlier, bizhub C3320i G00-B6 and earlier, bizhub 4750i/4050i G00-22 and earlier, bizhub 4700i G00-22 and earlier, bizhub C3851FS/C3851/C3351 GC9-X4 and earlier, and bizhub 4752/4052 GC9-X4 and earlier) allows an attacker on the adjacent network to obtain some of user credentials if LDAP server authentication is enabled via a specific SOAP message.

2.9
2022-01-04 CVE-2021-20871 Konicaminolta Information Exposure vulnerability in Konicaminolta products

Exposure of sensitive information to an unauthorized actor vulnerability in KONICA MINOLTA bizhub series (bizhub C750i G00-35 and earlier, bizhub C650i/C550i/C450i G00-B6 and earlier, bizhub C360i/C300i/C250i G00-B6 and earlier, bizhub 750i/650i/550i/450i G00-37 and earlier, bizhub 360i/300i G00-33 and earlier, bizhub C287i/C257i/C227i G00-19 and earlier, bizhub 306i/266i/246i/226i G00-B6 and earlier, bizhub C759/C659 GC7-X8 and earlier, bizhub C658/C558/C458 GC7-X8 and earlier, bizhub 958/808/758 GC7-X8 and earlier, bizhub 658e/558e/458e GC7-X8 and earlier, bizhub C287/C227 GC7-X8 and earlier, bizhub 287/227 GC7-X8 and earlier, bizhub 368e/308e GC7-X8 and earlier, bizhub C368/C308/C258 GC9-X4 and earlier, bizhub 558/458/368/308 GC9-X4 and earlier, bizhub C754e/C654e GDQ-M0 and earlier, bizhub 754e/654e GDQ-M0 and earlier, bizhub C554e/C454e GDQ-M1 and earlier, bizhub C364e/C284e/C224e GDQ-M1 and earlier, bizhub 554e/454e/364e/284e/224e GDQ-M1 and earlier, bizhub C754/C654 C554/C454 GR1-M0 and earlier, bizhub C364/C284/C224 GR1-M0 and earlier, bizhub 754/654 GR1-M0 and earlier, bizhub C4050i/C3350i/C4000i/C3300i G00-B6 and earlier, bizhub C3320i G00-B6 and earlier, bizhub 4750i/4050i G00-22 and earlier, bizhub 4700i G00-22 and earlier, bizhub C3851FS/C3851/C3351 GC9-X4 and earlier, and bizhub 4752/4052 GC9-X4 and earlier) allows an attacker on the adjacent network to obtain the credentials if the destination information including credentials are registered in the address book via a specific SOAP message.

2.9
2022-01-03 CVE-2021-45916 SMR Improper Input Validation vulnerability in SMR Shenwang Endpoint Protection Security System

The programming function of Shockwall system has an improper input validation vulnerability.

2.7
2022-01-03 CVE-2021-24964 Litespeedtech Cross-site Scripting vulnerability in Litespeedtech Litespeed Cache

The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value.

2.6
2022-01-03 CVE-2021-24999 Booster Cross-site Scripting vulnerability in Booster for Woocommerce

The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_notice parameter before outputting it back in the admin dashboard when the Pdf Invoicing module is enabled, leading to a Reflected Cross-Site Scripting

2.6
2022-01-03 CVE-2021-25000 Booster Cross-site Scripting vulnerability in Booster for Woocommerce

The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_delete_role parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue

2.6
2022-01-03 CVE-2021-25001 Booster Cross-site Scripting vulnerability in Booster for Woocommerce

The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_create_products_xml_result parameter before outputting back in the admin dashboard when the Product XML Feeds module is enabled, leading to a Reflected Cross-Site Scripting issue

2.6
2022-01-04 CVE-2021-20868 Konicaminolta Incorrect Authorization vulnerability in Konicaminolta products

Incorrect authorization vulnerability in KONICA MINOLTA bizhub series (bizhub C750i G00-35 and earlier, bizhub C650i/C550i/C450i G00-B6 and earlier, bizhub C360i/C300i/C250i G00-B6 and earlier, bizhub 750i/650i/550i/450i G00-37 and earlier, bizhub 360i/300i G00-33 and earlier, bizhub C287i/C257i/C227i G00-19 and earlier, bizhub 306i/266i/246i/226i G00-B6 and earlier, bizhub C759/C659 GC7-X8 and earlier, bizhub C658/C558/C458 GC7-X8 and earlier, bizhub 958/808/758 GC7-X8 and earlier, bizhub 658e/558e/458e GC7-X8 and earlier, bizhub C287/C227 GC7-X8 and earlier, bizhub 287/227 GC7-X8 and earlier, bizhub 368e/308e GC7-X8 and earlier, bizhub C368/C308/C258 GC9-X4 and earlier, bizhub 558/458/368/308 GC9-X4 and earlier, bizhub C754e/C654e GDQ-M0 and earlier, bizhub 754e/654e GDQ-M0 and earlier, bizhub C554e/C454e GDQ-M1 and earlier, bizhub C364e/C284e/C224e GDQ-M1 and earlier, bizhub 554e/454e/364e/284e/224e GDQ-M1 and earlier, bizhub C754/C654 C554/C454 GR1-M0 and earlier, bizhub C364/C284/C224 GR1-M0 and earlier, bizhub 754/654 GR1-M0 and earlier, bizhub C4050i/C3350i/C4000i/C3300i G00-B6 and earlier, bizhub C3320i G00-B6 and earlier, bizhub 4750i/4050i G00-22 and earlier, bizhub 4700i G00-22 and earlier, bizhub C3851FS/C3851/C3351 GC9-X4 and earlier, and bizhub 4752/4052 GC9-X4 and earlier) allows an attacker on the adjacent network to obtain user credentials if external server authentication is enabled via a specific SOAP message sent by an administrative user.

2.3
2022-01-07 CVE-2021-25743 Kubernetes Unspecified vulnerability in Kubernetes

kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal.

2.1
2022-01-06 CVE-2021-28714 Linux
Debian
Improper Resource Shutdown or Release vulnerability in multiple products

Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them.

2.1
2022-01-06 CVE-2021-28715 Linux
Debian
Improper Resource Shutdown or Release vulnerability in multiple products

Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them.

2.1
2022-01-05 CVE-2021-28711 XEN
Debian
Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains".
2.1
2022-01-05 CVE-2021-28712 XEN
Debian
Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains".
2.1
2022-01-05 CVE-2021-28713 XEN
Debian
Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains".
2.1
2022-01-04 CVE-2022-20015 Google Improper Initialization vulnerability in Google Android 10.0/11.0

In kd_camera_hw driver, there is a possible information disclosure due to uninitialized data.

2.1
2022-01-04 CVE-2022-20018 Google Use of Uninitialized Resource vulnerability in Google Android 10.0/11.0/12.0

In seninf driver, there is a possible information disclosure due to uninitialized data.

2.1
2022-01-04 CVE-2022-20019 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 10.0/11.0

In libMtkOmxGsmDec, there is a possible information disclosure due to an incorrect bounds check.

2.1
2022-01-04 CVE-2022-20020 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 11.0

In libvcodecdrv, there is a possible information disclosure due to a missing bounds check.

2.1
2022-01-03 CVE-2021-1918 Qualcomm Exposure of Resource to Wrong Sphere vulnerability in Qualcomm products

Improper handling of resource allocation in virtual machines can lead to information exposure in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile

2.1
2022-01-03 CVE-2021-30278 Qualcomm Improper Input Validation vulnerability in Qualcomm products

Improper input validation in TrustZone memory transfer interface can lead to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking

2.1
2022-01-03 CVE-2021-30283 Qualcomm Improper Handling of Exceptional Conditions vulnerability in Qualcomm products

Possible denial of service due to improper handling of debug register trap from user applications in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile

2.1
2022-01-04 CVE-2021-20870 Konicaminolta Improper Handling of Exceptional Conditions vulnerability in Konicaminolta products

Improper handling of exceptional conditions vulnerability in KONICA MINOLTA bizhub series (bizhub C750i G00-35 and earlier, bizhub C650i/C550i/C450i G00-B6 and earlier, bizhub C360i/C300i/C250i G00-B6 and earlier, bizhub 750i/650i/550i/450i G00-37 and earlier, bizhub 360i/300i G00-33 and earlier, bizhub C287i/C257i/C227i G00-19 and earlier, bizhub 306i/266i/246i/226i G00-B6 and earlier, bizhub C759/C659 GC7-X8 and earlier, bizhub C658/C558/C458 GC7-X8 and earlier, bizhub 958/808/758 GC7-X8 and earlier, bizhub 658e/558e/458e GC7-X8 and earlier, bizhub C287/C227 GC7-X8 and earlier, bizhub 287/227 GC7-X8 and earlier, bizhub 368e/308e GC7-X8 and earlier, bizhub C368/C308/C258 GC9-X4 and earlier, bizhub 558/458/368/308 GC9-X4 and earlier, bizhub C754e/C654e GDQ-M0 and earlier, bizhub 754e/654e GDQ-M0 and earlier, bizhub C554e/C454e GDQ-M1 and earlier, bizhub C364e/C284e/C224e GDQ-M1 and earlier, bizhub 554e/454e/364e/284e/224e GDQ-M1 and earlier, bizhub C754/C654 C554/C454 GR1-M0 and earlier, bizhub C364/C284/C224 GR1-M0 and earlier, bizhub 754/654 GR1-M0 and earlier, bizhub C4050i/C3350i/C4000i/C3300i G00-B6 and earlier, bizhub C3320i G00-B6 and earlier, bizhub 4750i/4050i G00-22 and earlier, bizhub 4700i G00-22 and earlier, bizhub C3851FS/C3851/C3351 GC9-X4 and earlier, bizhub 4752/4052 GC9-X4 and earlier, bizhub C3850/C3350/3850FS, bizhub 4750/4050, bizhub C3110, bizhub C3100P) allows a physical attacker to obtain unsent scanned image data when scanned data transmission is stopped due to the network error by ejecting a HDD before the scan job times out.

1.9