Weekly Vulnerabilities Reports > January 17 to 23, 2022

Overview

341 new vulnerabilities were reported during this period, including 60 critical vulnerabilities and 106 high severity vulnerabilities. This weekly summary reports vulnerabilities in 496 products from 153 vendors including Juniper, Jerryscript, Gitlab, Debian, and Fresenius Kabi. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Reachable Assertion", and "NULL Pointer Dereference".

  • 240 reported vulnerabilities are remotely exploitable.
  • 4 reported vulnerabilities have a public exploit available.
  • 95 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 216 reported vulnerabilities are exploitable by an anonymous user.
  • Juniper has the most reported vulnerabilities, with 27 reported vulnerabilities.
  • Mingsoft has the most reported critical vulnerabilities, with 5 reported vulnerabilities.

Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:

60 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-01-23 CVE-2021-46024 Projectworlds SQL Injection vulnerability in Projectworlds Online-Shopping-Webvsite-In-PHP 1.0

Projectworlds online-shopping-webvsite-in-php 1.0 suffers from a SQL Injection vulnerability via the "id" parameter in cart_add.php. No login is required.

9.8
2022-01-21 CVE-2022-23363 Online Banking System Project SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0

Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via index.php.

9.8
2022-01-21 CVE-2022-23364 HMS Project SQL Injection vulnerability in HMS Project HMS 1.0

HMS v1.0 was discovered to contain a SQL injection vulnerability via adminlogin.php.

9.8
2022-01-21 CVE-2022-23365 HMS Project SQL Injection vulnerability in HMS Project HMS 1.0

HMS v1.0 was discovered to contain a SQL injection vulnerability via doctorlogin.php.

9.8
2022-01-21 CVE-2022-23366 HMS Project SQL Injection vulnerability in HMS Project HMS 1.0

HMS v1.0 was discovered to contain a SQL injection vulnerability via patientlogin.php.

9.8
2022-01-21 CVE-2022-22553 Dell Improper Restriction of Excessive Authentication Attempts vulnerability in Dell EMC Appsync 3.9.0.0/4.2.0.0/4.3.0.0

Dell EMC AppSync versions 3.9 to 4.3 contain an Improper Restriction of Excessive Authentication Attempts Vulnerability that can be exploited from UI and CLI.

9.8
2022-01-21 CVE-2021-23518 Cached Path Relative Project
Debian
The package cached-path-relative before 1.1.0 is vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path.
9.8
2022-01-21 CVE-2021-40595 Online Leave Management System Project SQL Injection vulnerability in Online Leave Management System Project Online Leave Management System 1.0

SQL injection vulnerability in Sourcecodester Online Leave Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter to /leave_system/classes/Login.php.

9.8
2022-01-21 CVE-2021-23196 Fresenius Kabi Improper Authentication vulnerability in Fresenius-Kabi products

The web application on Agilia Link+ version 3.0 implements authentication and session management mechanisms exclusively on the client-side and does not protect authentication attributes sufficiently.

9.8
2022-01-21 CVE-2021-23233 Fresenius Kabi Use of Hard-coded Credentials vulnerability in Fresenius-Kabi products

Sensitive endpoints in Fresenius Kabi Agilia Link+ v3.0 and prior can be accessed without any authentication information such as the session cookie.

9.8
2022-01-21 CVE-2021-40247 Oretnom23 SQL Injection vulnerability in Oretnom23 Budget and Expense Tracker System 1.0

SQL injection vulnerability in Sourcecodester Budget and Expense Tracker System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username field.

9.8
2022-01-21 CVE-2021-43355 Fresenius Kabi Improper Authentication vulnerability in Fresenius-Kabi products

Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 allows user input to be validated on the client side without authentication by the server.

9.8
2022-01-21 CVE-2022-23128 Mitsubishielectric
Iconics
Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI versions 10.95.3 to 10.97 allows a remote unauthenticated attacker to bypass the authentication of MC Works64, GENESIS64, Hyper Historian, AnalytiX and MobileHMI, and gain unauthorized access to the products, by sending specially crafted WebSocket packets to FrameWorX server, one of the functions of the products.
9.8
2022-01-21 CVE-2020-4877 IBM Incorrect Authorization vulnerability in IBM Cognos Controller 10.4.0/10.4.1/10.4.2

IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could be vulnerable to unauthorized modifications by using public fields in public classes.

9.8
2022-01-21 CVE-2020-4879 IBM Improper Authentication vulnerability in IBM Cognos Controller 10.4.0/10.4.1/10.4.2

IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could allow a remote attacker to bypass security restrictions, caused by improper validation of authentication cookies.

9.8
2022-01-21 CVE-2021-46308 Online Railway Reservation System Project SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0

An SQL Injection vulnerability exists in Sourcecodester Online Railway Reservation System 1.0 via the sid parameter.

9.8
2022-01-21 CVE-2021-46309 Oretnom23 SQL Injection vulnerability in Oretnom23 Employee and Visitor Gate Pass Logging System 1.0

An SQL Injection vulnerability exists in Sourcecodester Employee and Visitor Gate Pass Logging System 1.0 via the username parameter.

9.8
2022-01-21 CVE-2021-35003 TP Link Unspecified vulnerability in Tp-Link Archer C90 Firmware 1.0.6

This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer C90 1.0.6 Build 20200114 rel.73164(5553) routers.

9.8
2022-01-21 CVE-2021-35004 TP Link Unspecified vulnerability in Tp-Link Tl-Wa1201 Firmware 1.0.1

This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link TL-WA1201 1.0.1 Build 20200709 rel.66244(5553) wireless access points.

9.8
2022-01-21 CVE-2021-40855 Europa Improper Certificate Validation vulnerability in Europa Technical Specifications for Digital Covid Certificates 1.0

The EU Technical Specifications for Digital COVID Certificates before 1.1 mishandle certificate governance.

9.8
2022-01-21 CVE-2021-46198 Courier Management System Project SQL Injection vulnerability in Courier Management System Project Courier Management System 1.0

An SQL Injection vulnerability exists in Sourcecodester Courier Management System 1.0 via the email parameter in /cms/ajax.php app.

9.8
2022-01-21 CVE-2021-46200 Simple Music Cloud Community System Project SQL Injection vulnerability in Simple Music Cloud Community System Project Simple Music Cloud Community System 1.0

An SQL Injection vulnerability exists in Sourcecodester Simple Music Cloud Community System 1.0 via the email parameter in /music/ajax.php.

9.8
2022-01-21 CVE-2021-46201 Online Resort Management System Project SQL Injection vulnerability in Online Resort Management System Project Online Resort Management System 1.0

An SQL Injection vulnerability exists in Sourcecodester Online Resort Management System 1.0 via the id parameter in /orms/ node.

9.8
2022-01-21 CVE-2021-46307 Projectworlds SQL Injection vulnerability in Projectworlds Online Examination System 1.0

An SQL Injection vulnerability exists in Projectworlds Online Examination System 1.0 via the eid parameter in account.php.

9.8
2022-01-21 CVE-2022-0318 VIM
Apple
Debian
Out-of-bounds Write vulnerability in multiple products

Heap-based Buffer Overflow in vim/vim prior to 8.2.

9.8
2022-01-21 CVE-2022-22928 Mingsoft Use of Hard-coded Credentials vulnerability in Mingsoft Mcms 5.2.4

MCMS v5.2.4 was discovered to have a hardcoded shiro-key, allowing attackers to exploit the key and execute arbitrary code.

9.8
2022-01-21 CVE-2022-22929 Mingsoft Unrestricted Upload of File with Dangerous Type vulnerability in Mingsoft Mcms 5.2.4

MCMS v5.2.4 was discovered to have an arbitrary file upload vulnerability in the New Template module, which allows attackers to execute arbitrary code via a crafted ZIP file.

9.8
2022-01-21 CVE-2022-22930 Mingsoft Unspecified vulnerability in Mingsoft Mcms 5.2.4

A remote code execution (RCE) vulnerability in the Template Management function of MCMS v5.2.4 allows attackers to execute arbitrary code via a crafted payload.

9.8
2022-01-21 CVE-2022-23314 Mingsoft SQL Injection vulnerability in Mingsoft Mcms 5.2.4

MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via /ms/mdiy/model/importJson.do.

9.8
2022-01-21 CVE-2022-23315 Mingsoft Unrestricted Upload of File with Dangerous Type vulnerability in Mingsoft Mcms 5.2.4

MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnerability via the component /ms/template/writeFileContent.do.

9.8
2022-01-20 CVE-2021-46061 Computer AND Mobile Repair Shop Management System Project SQL Injection vulnerability in Computer and Mobile Repair Shop Management System Project Computer and Mobile Repair Shop Management System 1.0

An SQL Injection vulnerability exists in Sourcecodester Computer and Mobile Repair Shop Management system (RSMS) 1.0 via the code parameter in /rsms/ node app.

9.8
2022-01-20 CVE-2021-44090 Sourcecodester Online Reviewer System Project SQL Injection vulnerability in Sourcecodester Online Reviewer System Project Sourcecodester Online Reviewer System 1.0

An SQL Injection vulnerability exists in Sourcecodester Online Reviewer System 1.0 via the password parameter.

9.8
2022-01-20 CVE-2021-44092 Pharmacy Management Project SQL Injection vulnerability in Pharmacy Management Project Pharmacy Management 1.0

An SQL Injection vulnerability exists in code-projects Pharmacy Management 1.0 via the username parameter in the administer login form.

9.8
2022-01-20 CVE-2021-44244 Sourcecodester Logistic HUB Parcel S Management System Project SQL Injection vulnerability in Sourcecodester Logistic HUB Parcel'S Management System Project Sourcecodester Logistic HUB Parcel'S Management System 1.0

An SQL Injection vulnerability exists in Sourcecodester Logistic Hub Parcel's Management System 1.0 via the username parameter in login.php.

9.8
2022-01-20 CVE-2021-44245 Covid 19 Testing Management System Project SQL Injection vulnerability in Covid 19 Testing Management System Project Covid 19 Testing Management System 1.0

An SQL Injection vulnerability exists in Sourcecodester COVID 19 Testing Management System (CTMS) 1.0 via the (1) username and (2) contactno parameters.

9.8
2022-01-20 CVE-2021-44734 Lexmark Code Injection vulnerability in Lexmark products

Embedded web server input sanitization vulnerability in Lexmark devices through 2021-12-07, which can lead to remote code execution on the device.

9.8
2022-01-20 CVE-2021-44735 Lexmark Command Injection vulnerability in Lexmark products

Embedded web server command injection vulnerability in Lexmark devices through 2021-12-07.

9.8
2022-01-20 CVE-2021-44736 Lexmark Improper Authentication vulnerability in Lexmark Mc3224I Firmware

The initial admin account setup wizard on Lexmark devices allows unauthenticated access to the “out of service erase” feature.

9.8
2022-01-20 CVE-2021-44738 Lexmark Classic Buffer Overflow vulnerability in Lexmark products

A buffer overflow vulnerability has been identified in Lexmark devices through 2021-12-07 in the PostScript interpreter.

9.8
2022-01-19 CVE-2022-21679 Istio Always-Incorrect Control Flow Implementation vulnerability in Istio 1.12.0/1.12.1

Istio is an open platform to connect, manage, and secure microservices.

9.8
2022-01-19 CVE-2021-33912 Libspf2 Project
Debian
Out-of-bounds Write vulnerability in multiple products

libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of incorrect sprintf usage in SPF_record_expand_data in spf_expand.c.

9.8
2022-01-19 CVE-2021-33913 Libspf2 Project Out-of-bounds Write vulnerability in Libspf2 Project Libspf2

libspf2 before 1.2.11 has a heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of SPF_record_expand_data in spf_expand.c.

9.8
2022-01-19 CVE-2021-46204 Taogogo SQL Injection vulnerability in Taogogo Taocms 3.0.2

Taocms v3.0.2 was discovered to contain an arbitrary file read vulnerability via the path parameter.

9.8
2022-01-19 CVE-2022-23221 H2Database
Debian
Oracle
Argument Injection or Modification vulnerability in multiple products

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

9.8
2022-01-19 CVE-2022-22167 Juniper Unspecified vulnerability in Juniper Junos

A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn-check' is enabled on the device.

9.8
2022-01-18 CVE-2021-46013 Free School Management Software Project Unrestricted Upload of File with Dangerous Type vulnerability in Free School Management Software Project Free School Management Software 1.0

An unrestricted file upload vulnerability exists in Sourcecodester Free school management software 1.0.

9.8
2022-01-18 CVE-2021-29215 HPE Unspecified vulnerability in HPE TEZ

A potential security vulnerability in HPE Ezmeral Data Fabric that may allow a remote access restriction bypass in the TEZ MapR ecosystem component was discovered in version(s): Prior to Tez-0.8: mapr-tez-0.8.201907081100-1.noarch; prior to Tez-0.9: mapr-tez-0.9.201907090334-1.noarch; prior to Tez-0.9.2: mapr-tez-0.9.2.0.201907081043-1.noarch.

9.8
2022-01-18 CVE-2021-41807 M Files Improper Restriction of Excessive Authentication Attempts vulnerability in M-Files Server and M-Files web

Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 for certain types of user accounts allows an unlimited number of attempts and therefore makes brute-forcing login accounts easier.

9.8
2022-01-18 CVE-2022-23305 Apache
Netapp
Broadcom
QOS
Oracle
SQL Injection vulnerability in multiple products

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout.

9.8
2022-01-18 CVE-2021-38697 Softvibe Unrestricted Upload of File with Dangerous Type vulnerability in Softvibe Saraban 1.1

SoftVibe SARABAN for INFOMA 1.1 allows unauthenticated unrestricted file upload, which allows attackers to upload files with any file extension, which can lead to arbitrary code execution.

9.8
2022-01-18 CVE-2021-22566 Google Incorrect Permission Assignment for Critical Resource vulnerability in Google Fuchsia

An incorrect setting of UXN bits within mmu_flags_to_s1_pte_attr leads to privileged executable pages being mapped as executable from an unprivileged context.

9.8
2022-01-17 CVE-2021-4171 Janeczku Unspecified vulnerability in Janeczku Calibre-Web

calibre-web is vulnerable to Business Logic Errors

9.8
2022-01-17 CVE-2022-0239 Stanford Unspecified vulnerability in Stanford Corenlp

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

9.8
2022-01-17 CVE-2022-23303 W1 FI
Fedoraproject
Information Exposure Through Discrepancy vulnerability in multiple products

The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns.

9.8
2022-01-17 CVE-2022-23304 W1 FI
Fedoraproject
Information Exposure Through Discrepancy vulnerability in multiple products

The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side-channel attacks as a result of cache access patterns.

9.8
2022-01-19 CVE-2022-22157 Juniper Incorrect Authorization vulnerability in Juniper Junos

A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn-check' is enabled on the device.

9.3
2022-01-21 CVE-2021-31562 Fresenius Kabi Use of a Broken or Risky Cryptographic Algorithm vulnerability in Fresenius-Kabi products

The SSL/TLS configuration of Fresenius Kabi Agilia Link + version 3.0 has serious deficiencies that may allow an attacker to compromise SSL/TLS sessions in different ways.

9.1
2022-01-18 CVE-2022-23408 Wolfssl Use of Insufficiently Random Values vulnerability in Wolfssl 5.0.0/5.1.0

wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations.

9.1
2022-01-18 CVE-2021-44757 Zohocorp Unspecified vulnerability in Zohocorp products

Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.

9.1
2022-01-19 CVE-2022-22769 Tibco Cross-site Scripting vulnerability in Tibco EBX and EBX Add-Ons

The Web server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX, TIBCO EBX, TIBCO EBX Add-ons, TIBCO EBX Add-ons, TIBCO EBX Add-ons, and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system.

9.0

106 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-01-21 CVE-2021-46242 Hdfgroup Use After Free vulnerability in Hdfgroup Hdf5 1.13.11

HDF5 v1.13.1-1 was discovered to contain a heap-use-after-free via the component H5AC_unpin_entry.

8.8
2022-01-21 CVE-2022-22551 Dell Session Fixation vulnerability in Dell EMC Appsync 3.9.0.0/4.2.0.0/4.3.0.0

DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings.

8.8
2022-01-21 CVE-2021-44464 Fresenius Kabi Use of Hard-coded Credentials vulnerability in Fresenius-Kabi products

Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 contains service credentials likely to be common across all instances.

8.8
2022-01-21 CVE-2022-0323 Mustache Project Code Injection vulnerability in Mustache Project Mustache

Improper Neutralization of Special Elements Used in a Template Engine in Packagist mustache/mustache prior to 2.14.1.

8.8
2022-01-20 CVE-2021-44737 Lexmark Path Traversal vulnerability in Lexmark products

PJL directory traversal vulnerability in Lexmark devices through 2021-12-07 that can be leveraged to overwrite internal configuration files.

8.8
2022-01-20 CVE-2021-43269 Code42 Code Injection vulnerability in Code42

In Code42 app before 8.8.0, eval injection allows an attacker to change a device’s proxy configuration to use a malicious proxy auto-config (PAC) file, leading to arbitrary code execution.

8.8
2022-01-19 CVE-2022-21699 Ipython
Debian
Fedoraproject
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language.
8.8
2022-01-19 CVE-2022-21701 Istio Incorrect Authorization vulnerability in Istio 1.12.0/1.12.1

Istio is an open platform to connect, manage, and secure microservices.

8.8
2022-01-19 CVE-2021-45808 Jpress Unrestricted Upload of File with Dangerous Type vulnerability in Jpress 4.2.0

jpress v4.2.0 allows users to register an account by default.

8.8
2022-01-19 CVE-2022-21392 Oracle Unspecified vulnerability in Oracle Enterprise Manager Base Platform 13.4.0.0/13.5.0.0

Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Policy Framework).

8.8
2022-01-18 CVE-2021-43353 Crisp Cross-Site Request Forgery (CSRF) vulnerability in Crisp Live Chat

The Crisp Live Chat WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the crisp_plugin_settings_page function found in the ~/crisp.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 0.31.

8.8
2022-01-18 CVE-2022-0215 Xootix Cross-Site Request Forgery (CSRF) vulnerability in Xootix products

The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings function found in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.php file which makes it possible for attackers to update arbitrary options on a site that can be used to create an administrative user account and grant full privileged access to a compromised site.

8.8
2022-01-18 CVE-2022-23302 Apache
Netapp
Broadcom
QOS
Oracle
Deserialization of Untrusted Data vulnerability in multiple products

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to.

8.8
2022-01-18 CVE-2022-23307 Apache
QOS
Oracle
Deserialization of Untrusted Data vulnerability in multiple products

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw.

8.8
2022-01-18 CVE-2021-33965 Chinamobile Command Injection vulnerability in Chinamobile AN Lianbao Wf-1 Firmware 1.0.1

China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRMesh/set_ZRMesh which receives parameters by POST request, and the parameters mesh_enable and mesh_device have a command injection vulnerability.

8.8
2022-01-18 CVE-2021-33964 Chinamobile Command Injection vulnerability in Chinamobile AN Lianbao Wf-1 Firmware 1.0.1

China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRRuleFilter/set_firewall_level which receives parameters by POST request, and the parameter firewall_level has a command injection vulnerability.

8.8
2022-01-18 CVE-2021-45394 Html2Pdf Project Deserialization of Untrusted Data vulnerability in Html2Pdf Project Html2Pdf

An issue was discovered in Spipu HTML2PDF before 5.2.4.

8.8
2022-01-17 CVE-2021-38965 IBM OS Command Injection vulnerability in IBM Filenet Content Manager 5.5.4/5.5.6/5.5.7

IBM FileNet Content Manager 5.5.4, 5.5.6, and 5.5.7 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.

8.8
2022-01-17 CVE-2022-0258 Pimcore Unspecified vulnerability in Pimcore

pimcore is vulnerable to Improper Neutralization of Special Elements used in an SQL Command

8.8
2022-01-17 CVE-2021-25036 Aioseo Improper Handling of Case Sensitivity vulnerability in Aioseo ALL in ONE SEO

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to.

8.8
2022-01-17 CVE-2021-4164 Janeczku Unspecified vulnerability in Janeczku Calibre-Web

calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)

8.8
2022-01-17 CVE-2022-0180 Expresstech Cross-Site Request Forgery (CSRF) vulnerability in Expresstech Quiz and Survey Master

Cross-site request forgery (CSRF) vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote attacker to hijack the authentication of administrators and conduct arbitrary operations via a specially crafted web page.

8.8
2022-01-21 CVE-2020-4875 IBM XXE vulnerability in IBM Cognos Controller 10.4.0/10.4.1/10.4.2

IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

8.2
2022-01-21 CVE-2020-4876 IBM XXE vulnerability in IBM Cognos Controller 10.4.0/10.4.1/10.4.2

IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

8.2
2022-01-21 CVE-2022-21707 Wasmcloud Missing Authorization vulnerability in Wasmcloud Host Runtime

wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers.

8.1
2022-01-21 CVE-2021-44593 Simple College Website Project SQL Injection vulnerability in Simple College Website Project Simple College Website 1.0

Simple College Website 1.0 is vulnerable to unauthenticated file upload & remote code execution via UNION-based SQL injection in the username parameter on /admin/login.php.

8.1
2022-01-21 CVE-2021-36338 Dell Reliance on Cookies without Validation and Integrity Checking vulnerability in Dell products

Unisphere for PowerMax versions prior to 9.2.2.2 contains a privilege escalation vulnerability.

8.0
2022-01-18 CVE-2022-0154 Gitlab Cross-Site Request Forgery (CSRF) vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2.

8.0
2022-01-23 CVE-2022-23850 Epub2Txt Project Out-of-bounds Write vulnerability in Epub2Txt Project Epub2Txt

xhtml_translate_entity in xhtml.c in epub2txt (aka epub2txt2) through 2.02 allows a stack-based buffer overflow via a crafted EPUB document.

7.8
2022-01-21 CVE-2021-36339 Dell Unspecified vulnerability in Dell products

The Dell EMC Virtual Appliances before 9.2.2.2 contain undocumented user accounts.

7.8
2022-01-21 CVE-2022-23220 Usbview Project Missing Authentication for Critical Function vulnerability in Usbview Project Usbview

USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement.

7.8
2022-01-21 CVE-2022-21933 Asus Out-of-bounds Write vulnerability in Asus products

ASUS VivoMini/Mini PC device has an improper input validation vulnerability.

7.8
2022-01-21 CVE-2022-22893 Jerryscript Out-of-bounds Write vulnerability in Jerryscript 3.0.0

Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_loop.lto_priv.304 in /jerry-core/vm/vm.c.

7.8
2022-01-21 CVE-2022-22894 Jerryscript Out-of-bounds Write vulnerability in Jerryscript 3.0.0

Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_lcache_lookup in /jerry-core/ecma/base/ecma-lcache.c.

7.8
2022-01-21 CVE-2022-22895 Jerryscript Out-of-bounds Write vulnerability in Jerryscript 3.0.0

Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ecma_utf8_string_to_number_by_radix in /jerry-core/ecma/base/ecma-helpers-conversion.c.

7.8
2022-01-20 CVE-2022-22888 Jerryscript Out-of-bounds Write vulnerability in Jerryscript 3.0.0

Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_op_object_find_own in /ecma/operations/ecma-objects.c.

7.8
2022-01-20 CVE-2021-46324 Espruino Out-of-bounds Write vulnerability in Espruino 2.11.251

Espruino 2v11.251 was discovered to contain a stack buffer overflow via src/jsvar.c in jsvNewFromString.

7.8
2022-01-20 CVE-2021-46325 Espruino Out-of-bounds Write vulnerability in Espruino 2.10.246

Espruino 2v10.246 was discovered to contain a stack buffer overflow via src/jsutils.c in vcbprintf.

7.8
2022-01-20 CVE-2021-46326 Moddable Out-of-bounds Write vulnerability in Moddable SDK 11.5.0

Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via the component __asan_memcpy.

7.8
2022-01-20 CVE-2021-46328 Moddable Out-of-bounds Write vulnerability in Moddable SDK 11.5.0

Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via the component __libc_start_main.

7.8
2022-01-20 CVE-2021-46332 Moddable Out-of-bounds Write vulnerability in Moddable SDK 11.5.0

Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via xs/sources/xsDataView.c in fxUint8Getter.

7.8
2022-01-20 CVE-2021-46334 Moddable Out-of-bounds Write vulnerability in Moddable SDK 11.5.0

Moddable SDK v11.5.0 was discovered to contain a stack buffer overflow via the component __interceptor_strcat.

7.8
2022-01-20 CVE-2022-23120 Trendmicro Code Injection vulnerability in Trendmicro Deep Security Agent 20.0

A code injection vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux version 20 and below could allow an attacker to escalate privileges and run arbitrary code in the context of root.

7.8
2022-01-20 CVE-2021-45417 Advanced Intrusion Detection Environment Project
Redhat
Fedoraproject
Canonical
Debian
Out-of-bounds Write vulnerability in multiple products

AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow.

7.8
2022-01-19 CVE-2021-23843 Bosch Missing Authentication for Critical Function vulnerability in Bosch products

The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe are used to configure certain settings in AMC2 devices.

7.8
2022-01-19 CVE-2021-42810 Thalesgroup Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Thalesgroup Safenet Authentication Service Remote Desktop Gateway

A flaw in the previous versions of the product may allow an authenticated attacker the ability to execute code as a privileged user on a system where the agent is installed.

7.8
2022-01-19 CVE-2021-31854 Mcafee OS Command Injection vulnerability in Mcafee Agent

A command injection vulnerability in McAfee Agent (MA) for Windows prior to 5.7.5 allows local users to inject arbitrary shell code into the file cleanup.exe.

7.8
2022-01-19 CVE-2022-0166 Mcafee Uncontrolled Search Path Element vulnerability in Mcafee Agent

A privilege escalation vulnerability in the McAfee Agent prior to 5.7.5.

7.8
2022-01-19 CVE-2022-22162 Juniper Unspecified vulnerability in Juniper Junos

A Generation of Error Message Containing Sensitive Information vulnerability in the CLI of Juniper Networks Junos OS allows a locally authenticated attacker with low privileges to elevate these to the level of any other user logged in via J-Web at this time, potentially leading to a full compromise of the device.

7.8
2022-01-18 CVE-2021-34401 Nvidia Unspecified vulnerability in Nvidia Shield Experience

NVIDIA Linux kernel distributions contain a vulnerability in nvmap NVGPU_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, where improper access control may lead to code execution, compromised integrity, or denial of service.

7.8
2022-01-18 CVE-2021-34403 Nvidia Use After Free vulnerability in Nvidia Shield Experience

NVIDIA Linux distributions contain a vulnerability in nvmap ioctl, which allows any user with a local account to exploit a use-after-free condition, leading to code privilege escalation, loss of confidentiality and integrity, or denial of service.

7.8
2022-01-18 CVE-2020-14110 MI Incorrect Authorization vulnerability in MI Ax3600 Firmware 1.0.50

AX3600 router sensitive information leaked. There is an unauthorized interface through luci to obtain sensitive information and log in to the web background.

7.8
2022-01-18 CVE-2022-0261 VIM, Debian, Apple Out-of-bounds Write vulnerability in multiple products

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

7.8
2022-01-18 CVE-2022-0263 Pimcore Unspecified vulnerability in Pimcore

Unrestricted Upload of File with Dangerous Type in Packagist pimcore/pimcore prior to 10.2.7.

7.8
2022-01-18 CVE-2021-34404 Nvidia Unspecified vulnerability in Nvidia Shield Experience

Android images for T210 provided by NVIDIA contain a vulnerability in BROM, where failure to limit access to AHB-DMA when BROM fails may allow an unprivileged attacker with physical access to cause denial of service or impact integrity and confidentiality beyond the security scope of BROM.

7.6
2022-01-21 CVE-2021-39480 Bingrep Project Allocation of Resources Without Limits or Throttling vulnerability in Bingrep Project Bingrep 0.8.5

Bingrep v0.8.5 was discovered to contain a memory allocation failure which can cause a Denial of Service (DoS).

7.5
2022-01-21 CVE-2022-23837 Contribsys, Debian Allocation of Resources Without Limits or Throttling vulnerability in multiple products

In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph.

7.5
2022-01-21 CVE-2021-23460 Camunda Unspecified vulnerability in Camunda Min-Dash

The package min-dash before 3.8.1 is vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.

7.5
2022-01-21 CVE-2021-23631 Convert SVG Core Project Path Traversal vulnerability in Convert-Svg-Core Project Convert-Svg-Core

This affects all versions of package convert-svg-core; all versions of package convert-svg-to-png; all versions of package convert-svg-to-jpeg.

7.5
2022-01-21 CVE-2021-23664 Isomorphic GIT Server-Side Request Forgery (SSRF) vulnerability in Isomorphic-Git Cors-Proxy

The package @isomorphic-git/cors-proxy before 2.7.1 is vulnerable to Server-side Request Forgery (SSRF) due to missing sanitization and validation of the redirection action in middleware.js.

7.5
2022-01-21 CVE-2021-23236 Fresenius Kabi Resource Exhaustion vulnerability in Fresenius-Kabi products

Requests may be used to interrupt the normal operation of the device.

7.5
2022-01-21 CVE-2021-41835 Fresenius Kabi Cleartext Transmission of Sensitive Information vulnerability in Fresenius-Kabi products

Fresenius Kabi Agilia Link + version 3.0 does not enforce transport layer encryption.

7.5
2022-01-21 CVE-2020-19861 Nlnetlabs Out-of-bounds Read vulnerability in Nlnetlabs Ldns 1.7.1

When a zone file in ldns 1.7.1 is parsed, the function ldns_nsec3_salt_data places too much trust in the length value obtained from the zone file.

7.5
2022-01-21 CVE-2020-19858 Plutinosoft Path Traversal vulnerability in Plutinosoft Platinum

Platinum Upnp SDK through 1.2.0 has a directory traversal vulnerability.

7.5
2022-01-20 CVE-2020-23315 Microsoft Unspecified vulnerability in Microsoft Chakracore 1.12.0.0

There is an ASSERTION (pFuncBody->GetYieldRegister() == oldYieldRegister) failed in Js::DebugContext::RundownSourcesAndReparse in ChakraCore version 1.12.0.0-beta.

7.5
2022-01-20 CVE-2022-23119 Trendmicro Path Traversal vulnerability in Trendmicro Deep Security Agent 20.0

A directory traversal vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux version 20 and below could allow an attacker to read arbitrary files from the file system.

7.5
2022-01-20 CVE-2022-0282 Microweber Unspecified vulnerability in Microweber

Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11.

7.5
2022-01-20 CVE-2022-0281 Microweber Unspecified vulnerability in Microweber

Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.

7.5
2022-01-19 CVE-2021-38789 Allwinnertech Missing Authorization vulnerability in Allwinnertech Android Q SDK 1.0

Allwinner R818 SoC Android Q SDK V1.0 is affected by an incorrect access control vulnerability that does not check the caller's permission, in which a third-party app could change system settings.

7.5
2022-01-19 CVE-2021-38788 Allwinnertech Unspecified vulnerability in Allwinnertech Android Q SDK 1.0

The Background service in Allwinner R818 SoC Android Q SDK V1.0 is used to manage background applications.

7.5
2022-01-19 CVE-2021-38787 Allwinnertech Integer Overflow or Wraparound vulnerability in Allwinnertech Android Q SDK 1.0

There is an integer overflow in the ION driver "/dev/ion" of Allwinner R818 SoC Android Q SDK V1.0 in which the ioctl cmd "COMPAT_ION_IOC_SUNXI_FLUSH_RANGE" could be used to cause a system crash (denial of service).

7.5
2022-01-19 CVE-2021-46104 Webp Path Traversal vulnerability in Webp Server GO 0.4.0

An issue was discovered in webp_server_go 0.4.0.

7.5
2022-01-19 CVE-2021-38786 Allwinnertech NULL Pointer Dereference vulnerability in Allwinnertech Android Q SDK 1.0

There is a NULL pointer dereference in media/libcedarc/vdecoder of Allwinner R818 SoC Android Q SDK V1.0, which could cause a media crash (denial of service).

7.5
2022-01-19 CVE-2022-22153 Juniper Unspecified vulnerability in Juniper Junos

An Insufficient Algorithmic Complexity combined with an Allocation of Resources Without Limits or Throttling vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX Series and MX Series with SPC3 allows an unauthenticated network attacker to cause latency in transit packet processing and even packet loss.

7.5
2022-01-19 CVE-2022-22159 Juniper Unspecified vulnerability in Juniper Junos

A vulnerability in the NETISR network queue functionality of Juniper Networks Junos OS kernel allows an attacker to cause a Denial of Service (DoS) by sending crafted genuine packets to a device.

7.5
2022-01-19 CVE-2022-22161 Juniper Unspecified vulnerability in Juniper Junos

An Uncontrolled Resource Consumption vulnerability in the kernel of Juniper Networks Junos OS allows an unauthenticated network based attacker to cause 100% CPU load and the device to become unresponsive by sending a flood of traffic to the out-of-band management ethernet port.

7.5
2022-01-19 CVE-2022-22170 Juniper Unspecified vulnerability in Juniper Junos

A Missing Release of Resource after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause a Denial of Service (DoS) by sending specific packets over VXLAN which cause heap memory to leak and on exhaustion the PFE to reset.

7.5
2022-01-19 CVE-2022-22171 Juniper Unspecified vulnerability in Juniper Junos

An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause a Denial of Service (DoS) by sending specific packets over VXLAN which cause the PFE to reset.

7.5
2022-01-19 CVE-2022-22173 Juniper Unspecified vulnerability in Juniper Junos

A Missing Release of Memory after Effective Lifetime vulnerability in the Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause Denial of Service (DoS).

7.5
2022-01-19 CVE-2022-22174 Juniper Unspecified vulnerability in Juniper Junos

A vulnerability in the processing of inbound IPv6 packets in Juniper Networks Junos OS on QFX5000 Series and EX4600 switches may cause the memory to not be freed, leading to a packet DMA memory leak, and eventual Denial of Service (DoS) condition.

7.5
2022-01-19 CVE-2022-22175 Juniper Unspecified vulnerability in Juniper Junos

An Improper Locking vulnerability in the SIP ALG of Juniper Networks Junos OS on MX Series and SRX Series allows an unauthenticated networked attacker to cause a flow processing daemon (flowd) crash and thereby a Denial of Service (DoS).

7.5
2022-01-19 CVE-2022-22177 Juniper Unspecified vulnerability in Juniper Junos 12.3/15.1/18.3

A release of illegal memory vulnerability in the snmpd daemon of Juniper Networks Junos OS, Junos OS Evolved allows an attacker to halt the snmpd daemon causing a sustained Denial of Service (DoS) to the service until it is manually restarted.

7.5
2022-01-19 CVE-2022-22178 Juniper Unspecified vulnerability in Juniper Junos

A Stack-based Buffer Overflow vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on MX Series and SRX series allows an unauthenticated networked attacker to cause a flowd crash and thereby a Denial of Service (DoS).

7.5
2022-01-19 CVE-2022-22180 Juniper Unspecified vulnerability in Juniper Junos

An Improper Check for Unusual or Exceptional Conditions vulnerability in the processing of specific IPv6 packets on certain EX Series devices may lead to exhaustion of DMA memory causing a Denial of Service (DoS).

7.5
2022-01-19 CVE-2022-23435 Android GIF Drawable Project Unspecified vulnerability in Android-Gif-Drawable Project Android-Gif-Drawable

decoding.c in android-gif-drawable before 1.2.24 does not limit the maximum length of a comment, leading to denial of service.

7.5
2022-01-18 CVE-2022-21689 Onionshare Unspecified vulnerability in Onionshare

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network.

7.5
2022-01-18 CVE-2020-14107 MI Out-of-bounds Write vulnerability in MI Xiaomi Mirror Screen

A stack overflow in the HTTP server of Cast can be exploited to make the app crash in LAN.

7.5
2022-01-18 CVE-2021-29632 Freebsd Unspecified vulnerability in Freebsd 12.2/13.0

In FreeBSD 13.0-STABLE before n247428-9352de39c3dc, 12.2-STABLE before r370674, 13.0-RELEASE before p6, and 12.2-RELEASE before p12, under certain conditions involving use of the highlight buffer while text is scrolling on the console, console data may overwrite data structures associated with the system console or other kernel memory.

7.5
2022-01-18 CVE-2021-37866 Mattermost Insufficient Session Expiration vulnerability in Mattermost Boards 0.10.0

Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logs out of Boards, which allows an attacker to reuse an old session token for authorization.

7.5
2022-01-18 CVE-2022-0236 Vjinfotech Missing Authorization vulnerability in Vjinfotech WP Import Export Lite

The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file.

7.5
2022-01-18 CVE-2022-0244 Gitlab Files or Directories Accessible to External Parties vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5.

7.5
2022-01-18 CVE-2022-22690 Umbraco HTTP Request Smuggling vulnerability in Umbraco CMS

Within the Umbraco CMS, a configuration element named "UmbracoApplicationUrl" (or just "ApplicationUrl") is used whenever application code needs to build a URL pointing back to the site.

7.5
2022-01-18 CVE-2021-38696 Softvibe Unspecified vulnerability in Softvibe Saraban 1.1

SoftVibe SARABAN for INFOMA 1.1 has an Incorrect Access Control vulnerability that allows attackers to access signature files on the application without any authentication.

7.5
2022-01-18 CVE-2021-38694 Softvibe SQL Injection vulnerability in Softvibe Saraban 1.1

SoftVibe SARABAN for INFOMA 1.1 allows SQL Injection.

7.5
2022-01-18 CVE-2021-38784 Allwinnertech NULL Pointer Dereference vulnerability in Allwinnertech Android Q SDK 1.0

There is a NULL pointer dereference in the syscall open_exec function of Allwinner R818 SoC Android Q SDK V1.0, where executing a malicious file could cause a system crash.

7.5
2022-01-18 CVE-2021-38785 Allwinnertech NULL Pointer Dereference vulnerability in Allwinnertech Android Q SDK 1.0

There is a NULL pointer dereference in the Allwinner R818 SoC Android Q SDK V1.0 camera driver /dev/cedar_dev in which the ioctl cmd IOCTL_GET_IOMMU_ADDR could be used to cause a system crash.

7.5
2022-01-18 CVE-2021-38783 Allwinnertech Out-of-bounds Write vulnerability in Allwinnertech Android Q SDK 1.0

There is an Out-of-Bounds Write in the Allwinner R818 SoC Android Q SDK V1.0 camera driver "/dev/cedar_dev" through ioctl cmd IOCTL_SET_PROC_INFO and IOCTL_COPY_PROC_INFO, which could cause a system crash or EoP.

7.5
2022-01-17 CVE-2022-0240 Mruby Unspecified vulnerability in Mruby

mruby is vulnerable to NULL Pointer Dereference.

7.5
2022-01-19 CVE-2022-22156 Juniper Unspecified vulnerability in Juniper Junos

An Improper Certificate Validation weakness in the Juniper Networks Junos OS allows an attacker to perform Person-in-the-Middle (PitM) attacks when a system script is fetched from a remote source at a specified HTTPS URL, which may compromise the integrity and confidentiality of the device.

7.4
2022-01-18 CVE-2022-22691 Umbraco HTTP Request Smuggling vulnerability in Umbraco CMS

The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL.

7.4
2022-01-21 CVE-2021-33846 Fresenius Kabi Use of a Broken or Risky Cryptographic Algorithm vulnerability in Fresenius-Kabi products

Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 issues authentication tokens to authenticated users that are signed with a symmetric encryption key.

7.2
2022-01-19 CVE-2022-23046 Phpipam SQL Injection vulnerability in PHPipam 1.4.4

PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL statements in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php.

7.2
2022-01-18 CVE-2021-41550 Leostream Unrestricted Upload of File with Dangerous Type vulnerability in Leostream Connection Broker 9.0.40.17

Leostream Connection Broker 9.0.40.17 allows an administrator to upload and execute Perl code.

7.2
2022-01-17 CVE-2022-0242 Craterapp Unspecified vulnerability in Craterapp Crater

Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0.

7.2
2022-01-19 CVE-2021-23842 Bosch Use of Hard-coded Credentials vulnerability in Bosch products

Communication to the AMC2 uses a state-of-the-art cryptographic algorithm for symmetric encryption called Blowfish.

7.1
2022-01-18 CVE-2021-4083 Linux, Netapp, Debian, Oracle Race Condition vulnerability in multiple products

A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition.

7.0

171 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-01-19 CVE-2022-22154 Juniper Exposure of Resource to Wrong Sphere vulnerability in Juniper Junos

In a Junos Fusion scenario an External Control of Critical State Data vulnerability in the Satellite Device (SD) control state machine of Juniper Networks Junos OS allows an attacker who is able to make physical changes to the cabling of the device to cause a denial of service (DoS).

6.8
2022-01-18 CVE-2021-34402 Nvidia Out-of-bounds Write vulnerability in Nvidia Shield Experience

NVIDIA Tegra kernel driver contains a vulnerability in NVIDIA NVDEC, where a user with high privileges might be able to read from or write to a memory location that is outside the intended boundary of the buffer, which may lead to denial of service, Information disclosure, loss of Integrity, or possible escalation of privileges.

6.7
2022-01-19 CVE-2022-0266 Livehelperchat Unspecified vulnerability in Livehelperchat Live Helper Chat

Authorization Bypass Through User-Controlled Key in Packagist remdex/livehelperchat prior to 3.92v.

6.6
2022-01-21 CVE-2022-21708 Graphql GO Project Uncontrolled Recursion vulnerability in Graphql-Go Project Graphql-Go 1.0.0/1.1.0/1.2.0

graphql-go is a GraphQL server with a focus on ease of use.

6.5
2022-01-21 CVE-2021-46243 Hdfgroup NULL Pointer Dereference vulnerability in Hdfgroup Hdf5 1.13.11

An untrusted pointer dereference vulnerability exists in HDF5 v1.13.1-1 via the function H5O__dtype_decode_helper () at hdf5/src/H5Odtype.c.

6.5
2022-01-21 CVE-2021-46244 Hdfgroup Divide By Zero vulnerability in Hdfgroup Hdf5 1.13.11

A Divide By Zero vulnerability exists in HDF5 v1.13.1-1 via the function H5T__complete_copy () at /hdf5/src/H5T.c.

6.5
2022-01-21 CVE-2020-19860 Nlnetlabs Out-of-bounds Read vulnerability in Nlnetlabs Ldns 1.7.1

When ldns version 1.7.1 verifies a zone file, the ldns_rr_new_frm_str_internal function has a heap out of bounds read vulnerability.

6.5
2022-01-20 CVE-2021-45230 Apache Unspecified vulnerability in Apache Airflow

In Apache Airflow prior to 2.2.0.

6.5
2022-01-20 CVE-2022-22733 Apache Information Exposure vulnerability in Apache Shardingsphere Elasticjob-Ui 3.0.0

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has a guest account to escalate privileges.

6.5
2022-01-20 CVE-2022-0277 Microweber Unspecified vulnerability in Microweber

Incorrect Permission Assignment for Critical Resource in Packagist microweber/microweber prior to 1.2.11.

6.5
2022-01-19 CVE-2021-46027 Mysiteforme Project Cross-Site Request Forgery (CSRF) vulnerability in Mysiteforme Project Mysiteforme

mysiteforme, as of 19-12-2022, has a CSRF vulnerability in the background blog management.

6.5
2022-01-19 CVE-2021-46203 Taogogo Path Traversal vulnerability in Taogogo Taocms 3.0.2

Taocms v3.0.2 was discovered to contain an arbitrary file read vulnerability via the path parameter.

6.5
2022-01-19 CVE-2022-22310 IBM Unspecified vulnerability in IBM Websphere Application Server 21.0.0.10/21.0.0.12

IBM WebSphere Application Server Liberty 21.0.0.10 through 21.0.0.12 could provide weaker than expected security.

6.5
2022-01-19 CVE-2022-22152 Juniper Unspecified vulnerability in Juniper Contrail Service Orchestration

A Protection Mechanism Failure vulnerability in the REST API of Juniper Networks Contrail Service Orchestration allows one tenant on the system to view confidential configuration details of another tenant on the same system.

6.5
2022-01-19 CVE-2022-22155 Juniper Memory Leak vulnerability in Juniper Junos

An Uncontrolled Resource Consumption vulnerability in the handling of IPv6 neighbor state change events in Juniper Networks Junos OS allows an adjacent attacker to cause a memory leak in the Flexible PIC Concentrator (FPC) of an ACX5448 router.

6.5
2022-01-19 CVE-2022-22160 Juniper Unspecified vulnerability in Juniper Junos

An Unchecked Error Condition vulnerability in the subscriber management daemon (smgd) of Juniper Networks Junos OS allows an unauthenticated adjacent attacker to cause a crash of and thereby a Denial of Service (DoS).

6.5
2022-01-19 CVE-2022-22163 Juniper Unspecified vulnerability in Juniper Junos

An Improper Input Validation vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS allows an adjacent unauthenticated attacker to cause a crash of jdhcpd and thereby a Denial of Service (DoS).

6.5
2022-01-19 CVE-2022-22166 Juniper Improper Validation of Specified Quantity in Input vulnerability in Juniper Junos 20.4/21.1

An Improper Validation of Specified Quantity in Input vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause an rpd crash and thereby a Denial of Service (DoS).

6.5
2022-01-19 CVE-2022-22168 Juniper Unspecified vulnerability in Juniper Junos

An Improper Validation of Specified Type of Input vulnerability in the kernel of Juniper Networks Junos OS allows an unauthenticated adjacent attacker to trigger a Missing Release of Memory after Effective Lifetime vulnerability.

6.5
2022-01-19 CVE-2022-22172 Juniper Unspecified vulnerability in Juniper Junos and Junos OS Evolved

A Missing Release of Memory after Effective Lifetime vulnerability in the Layer-2 control protocols daemon (l2cpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause a memory leak.

6.5
2022-01-19 CVE-2022-22176 Juniper Improper Input Validation vulnerability in Juniper Junos

An Improper Validation of Syntactic Correctness of Input vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS allows an adjacent unauthenticated attacker sending a malformed DHCP packet to cause a crash of jdhcpd and thereby a Denial of Service (DoS).

6.5
2022-01-19 CVE-2022-22179 Juniper Improper Input Validation vulnerability in Juniper Junos

An Improper Validation of Specified Index, Position, or Offset in Input vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS allows an adjacent unauthenticated attacker to cause a crash of jdhcpd and thereby a Denial of Service (DoS).

6.5
2022-01-18 CVE-2022-21693 Onionshare Path Traversal vulnerability in Onionshare

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network.

6.5
2022-01-18 CVE-2021-44839 Deltarm Weak Password Recovery Mechanism for Forgotten Password vulnerability in Deltarm Delta RM 1.2

An issue was discovered in Delta RM 1.2.

6.5
2022-01-18 CVE-2021-37864 Mattermost Incorrect Authorization vulnerability in Mattermost

Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs.

6.5
2022-01-18 CVE-2021-39942 Gitlab Resource Exhaustion vulnerability in Gitlab

A denial of service vulnerability in GitLab CE/EE affecting all versions starting from 12.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows low-privileged users to bypass file size limits in the NPM package repository to potentially cause denial of service.

6.5
2022-01-18 CVE-2022-0090 Gitlab Improper Privilege Management vulnerability in Gitlab

An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1.

6.5
2022-01-18 CVE-2022-0152 Gitlab Missing Authorization vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2.

6.5
2022-01-18 CVE-2022-0172 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.3.

6.5
2022-01-17 CVE-2021-25037 Aioseo Unspecified vulnerability in Aioseo ALL in ONE SEO

The All in One SEO WordPress plugin before 4.1.5.3 is affected by an authenticated SQL injection issue, which was discovered during an internal audit by the Jetpack Scan team, and could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).

6.5
2022-01-20 CVE-2022-21658 Rust Lang, Fedoraproject, Apple

Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency.

6.3
2022-01-23 CVE-2021-45380 Appcms Cross-site Scripting vulnerability in Appcms 2.0.101

AppCMS 2.0.101 has an XSS injection vulnerability in \templates\m\inc_head.php.

6.1
2022-01-22 CVE-2022-23808 Phpmyadmin Cross-site Scripting vulnerability in PHPmyadmin 5.1.0/5.1.1

An issue was discovered in phpMyAdmin 5.1 before 5.1.2.

6.1
2022-01-21 CVE-2022-22552 Dell Improper Restriction of Rendered UI Layers or Frames vulnerability in Dell EMC Appsync 3.9.0.0/4.2.0.0/4.3.0.0

Dell EMC AppSync versions 3.9 to 4.3 contain a clickjacking vulnerability in AppSync.

6.1
2022-01-21 CVE-2021-33848 Fresenius Kabi Cross-site Scripting vulnerability in Fresenius-Kabi products

Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 is vulnerable to reflected cross-site scripting attacks.

6.1
2022-01-21 CVE-2022-23127 Mitsubishielectric, Iconics Cross-site Scripting vulnerability in multiple products

Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL.

6.1
2022-01-21 CVE-2022-23728 Google Unspecified vulnerability in Google Android

Attacker can reset the device with AT Command in the process of rebooting the device.

6.1
2022-01-20 CVE-2021-44829 AFI Solutions Cross-site Scripting vulnerability in Afi-Solutions Webacms 2.1.0

A Cross Site Scripting (XSS) vulnerability exists in index.html in AFI WebACMS through 2.1.0 via the ID parameter.

6.1
2022-01-19 CVE-2021-4143 Bigbluebutton Unspecified vulnerability in Bigbluebutton

Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0.

6.1
2022-01-19 CVE-2021-26247 Cacti Cross-site Scripting vulnerability in Cacti 0.8.7G

As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter.

6.1
2022-01-18 CVE-2022-23083 Broadcom Cross-site Scripting vulnerability in Broadcom products

NetMaster 12.2 Network Management for TCP/IP and NetMaster File Transfer Management contain an XSS (Cross-Site Scripting) vulnerability in ReportCenter UI due to insufficient input validation that could potentially allow an attacker to execute code on the affected machine.

6.1
2022-01-18 CVE-2022-0262 Pimcore Unspecified vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.7.

6.1
2022-01-18 CVE-2021-44217 Ericsson Cross-site Scripting vulnerability in Ericsson Codechecker

In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API.

6.1
2022-01-17 CVE-2021-42357 Apache Cross-site Scripting vulnerability in Apache Knox

When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing.

6.1
2022-01-17 CVE-2021-33040 Futurepress Cross-site Scripting vulnerability in Futurepress Epub.Js

managers/views/iframe.js in FuturePress EPub.js before 0.3.89 allows XSS.

6.1
2022-01-17 CVE-2021-24838 Bologer Unspecified vulnerability in Bologer Anycomment

The AnyComment WordPress plugin before 0.3.5 has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which, according to the vendor, is a feature.

6.1
2022-01-17 CVE-2021-24909 Navz Unspecified vulnerability in Navz ACF Photo Gallery Field

The ACF Photo Gallery Field WordPress plugin before 1.7.5 does not sanitise and escape the post parameter in the includes/acf_photo_gallery_metabox_edit.php file before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

6.1
2022-01-17 CVE-2021-25024 Theeventscalendar Unspecified vulnerability in Theeventscalendar Eventcalendar

The EventCalendar WordPress plugin before 1.1.51 does not escape some user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues.

6.1
2022-01-17 CVE-2021-3853 Chaskiq Unspecified vulnerability in Chaskiq

chaskiq is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

6.1
2022-01-17 CVE-2022-0181 Expresstech Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master

Reflected cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote attacker to inject an arbitrary script via unspecified vectors.

6.1
2022-01-20 CVE-2021-29785 IBM Unspecified vulnerability in IBM Soar

IBM Security SOAR V42 and V43 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security.

5.9
2022-01-19 CVE-2022-22169 Juniper Unspecified vulnerability in Juniper Junos 15.1/18.3

An Improper Initialization vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an attacker who sends specific packets in certain orders and at specific timings to force OSPFv3 to unexpectedly enter graceful-restart (GR helper mode) even though there is not any Grace-LSA received in OSPFv3 causing a Denial of Service (DoS).

5.9
2022-01-18 CVE-2021-37865 Mattermost Resource Exhaustion vulnerability in Mattermost

Mattermost 6.2 and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.

5.7
2022-01-21 CVE-2021-46234 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_node_unregister () at scenegraph/base_scenegraph.c.

5.5
2022-01-21 CVE-2021-46236 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_sg_vrml_field_pointer_del () at scenegraph/vrml_tools.c.

5.5
2022-01-21 CVE-2021-46237 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

An untrusted pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_node_unregister () at scenegraph/base_scenegraph.c.

5.5
2022-01-21 CVE-2021-46238 Gpac Out-of-bounds Write vulnerability in Gpac 1.1.0

GPAC v1.1.0 was discovered to contain a stack overflow via the function gf_node_get_name () at scenegraph/base_scenegraph.c.

5.5
2022-01-21 CVE-2021-46239 Gpac Use After Free vulnerability in Gpac 1.1.0

The binary MP4Box in GPAC v1.1.0 was discovered to contain an invalid free vulnerability via the function gf_free () at utils/alloc.c.

5.5
2022-01-21 CVE-2021-46240 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_dump_vrml_sffield () at scene_manager/scene_dump.c.

5.5
2022-01-21 CVE-2021-46311 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_sg_destroy_routes () at scenegraph/vrml_route.c.

5.5
2022-01-21 CVE-2021-46313 Gpac Unspecified vulnerability in Gpac 1.1.0

The binary MP4Box in GPAC v1.0.1 was discovered to contain a segmentation fault via the function __memmove_avx_unaligned_erms ().

5.5
2022-01-21 CVE-2021-23207 Fresenius Kabi Insufficiently Protected Credentials vulnerability in Fresenius-Kabi products

An attacker with physical access to the host can extract the secrets from the registry and create valid JWT tokens for the Fresenius Kabi Vigilant MasterMed version 2.0.1.3 application and impersonate arbitrary users.

5.5
2022-01-21 CVE-2022-23129 Mitsubishielectric
Iconics
Cleartext Storage of Sensitive Information vulnerability in multiple products

Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally.

5.5
2022-01-21 CVE-2022-23130 Mitsubishielectric
Iconics
Out-of-bounds Read vulnerability in multiple products

Buffer Over-read vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.97 and prior and ICONICS Hyper Historian versions 10.97 and prior allows an attacker to cause a DoS condition in the database server by getting a legitimate user to import a configuration file containing specially crafted stored procedures into GENESIS64 or MC Works64 and execute commands against the database from GENESIS64 or MC Works64.

5.5
2022-01-21 CVE-2022-0319 VIM
Debian
Apple
Out-of-bounds Read in vim/vim prior to 8.2.
5.5
2022-01-21 CVE-2022-0326 Mruby Unspecified vulnerability in Mruby

NULL Pointer Dereference in Homebrew mruby prior to 3.2.

5.5
2022-01-21 CVE-2022-22891 Jerryscript Unspecified vulnerability in Jerryscript 3.0.0

Jerryscript 3.0.0 was discovered to contain a SEGV vulnerability via ecma_ref_object_inline in /jerry-core/ecma/base/ecma-gc.c.

5.5
2022-01-21 CVE-2022-22892 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'ecma_is_value_undefined (value) || ecma_is_value_null (value) || ecma_is_value_boolean (value) || ecma_is_value_number (value) || ecma_is_value_string (value) || ecma_is_value_bigint (value) || ecma_is_value_symbol (value) || ecma_is_value_object (value)' failed at jerry-core/ecma/base/ecma-helpers-value.c in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2022-22890 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'arguments_type != SCANNER_ARGUMENTS_PRESENT && arguments_type != SCANNER_ARGUMENTS_PRESENT_NO_REG' failed at /jerry-core/parser/js/js-scanner-util.c in Jerryscript 3.0.0.

5.5
2022-01-20 CVE-2021-46322 Duktape Project Improper Resource Shutdown or Release vulnerability in Duktape Project Duktape 2.99.99

Duktape v2.99.99 was discovered to contain a SEGV vulnerability via the component duk_push_tval in duktape/duk_api_stack.c.

5.5
2022-01-20 CVE-2021-46323 Espruino Unspecified vulnerability in Espruino 2.11.251

Espruino 2v11.251 was discovered to contain a SEGV vulnerability via src/jsinteractive.c in jsiGetDeviceFromClass.

5.5
2022-01-20 CVE-2021-46327 Moddable Unspecified vulnerability in Moddable SDK 11.5.0

Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsArray.c in fx_Array_prototype_sort.

5.5
2022-01-20 CVE-2021-46329 Moddable Unspecified vulnerability in Moddable SDK 11.5.0

Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via the component _fini.

5.5
2022-01-20 CVE-2021-46330 Moddable Unspecified vulnerability in Moddable SDK 11.5.0

Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsDataView.c in fx_ArrayBuffer_prototype_concat.

5.5
2022-01-20 CVE-2021-46331 Moddable Unspecified vulnerability in Moddable SDK 11.5.0

Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsProxy.c in fxProxyGetPrototype.

5.5
2022-01-20 CVE-2021-46333 Moddable Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Moddable SDK 11.5.0

Moddable SDK v11.5.0 was discovered to contain an invalid memory access vulnerability via the component __asan_memmove.

5.5
2022-01-20 CVE-2021-46335 Moddable NULL Pointer Dereference vulnerability in Moddable SDK 11.5.0

Moddable SDK v11.5.0 was discovered to contain a NULL pointer dereference in the component fx_Function_prototype_hasInstance.

5.5
2022-01-20 CVE-2021-46336 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'opts & PARSER_CLASS_LITERAL_CTOR_PRESENT' failed at /parser/js/js-parser-expr.c(parser_parse_class_body) in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2021-46337 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'page_p != NULL' failed at /parser/js/js-parser-mem.c(parser_list_get) in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2021-46338 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'ecma_is_lexical_environment (object_p)' failed at /base/ecma-helpers.c(ecma_get_lex_env_type) in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2021-46339 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'lit_is_valid_cesu8_string (string_p, string_size)' failed at /base/ecma-helpers-string.c(ecma_new_ecma_string_from_utf8) in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2021-46340 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'context_p->stack_top_uint8 == SCAN_STACK_TRY_STATEMENT || context_p->stack_top_uint8 == SCAN_STACK_CATCH_STATEMENT' failed at /parser/js/js-scanner.c(scanner_scan_statement_end) in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2021-46342 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'ecma_is_lexical_environment (obj_p) || !ecma_op_object_is_fast_array (obj_p)' failed at /jerry-core/ecma/base/ecma-helpers.c in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2021-46343 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'context_p->token.type == LEXER_LITERAL' failed at /jerry-core/parser/js/js-parser-expr.c in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2021-46344 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'flags & PARSER_PATTERN_HAS_REST_ELEMENT' failed at /jerry-core/parser/js/js-parser-expr.c in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2021-46345 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'cesu8_cursor_p == cesu8_end_p' failed at /jerry-core/lit/lit-strings.c in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2021-46346 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2021-46347 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'ecma_object_check_class_name_is_object (obj_p)' failed at /jerry-core/ecma/operations/ecma-objects.c in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2021-46348 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' failed at /jerry-core/ecma/base/ecma-literal-storage.c in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2021-46349 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'type == ECMA_OBJECT_TYPE_GENERAL || type == ECMA_OBJECT_TYPE_PROXY' failed at /jerry-core/ecma/operations/ecma-objects.c in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2021-46350 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'ecma_is_value_object (value)' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2021-46351 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript 3.0.0.

5.5
2022-01-20 CVE-2022-0219 Jadx Project Unspecified vulnerability in Jadx Project Jadx

Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2.

5.5
2022-01-20 CVE-2021-32039 Mongodb Insufficiently Protected Credentials vulnerability in Mongodb

Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file.

5.5
2022-01-20 CVE-2022-22820 Linecorp Improper Input Validation vulnerability in Linecorp Line

Due to the lack of media file checks before rendering, it was possible for an attacker to cause abnormal CPU consumption for the message recipient by sending a specially crafted GIF image in LINE for Windows before 7.4.

5.5
2022-01-19 CVE-2022-21704 Log4Js Project
Debian
log4js-node is a port of log4js to node.js.
5.5
2022-01-19 CVE-2021-31821 Octopus Cleartext Storage of Sensitive Information vulnerability in Octopus Tentacle

When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext.

5.5
2022-01-18 CVE-2022-21688 Onionshare Out-of-bounds Read vulnerability in Onionshare

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network.

5.5
2022-01-18 CVE-2021-34405 Nvidia Unchecked Return Value vulnerability in Nvidia Shield Experience

NVIDIA Linux distributions contain a vulnerability in TrustZone’s TEE_Malloc function, where an unchecked return value causing a null pointer dereference may lead to denial of service.

5.5
2022-01-17 CVE-2022-22703 Stormshield Information Exposure Through Log Files vulnerability in Stormshield Network Security 2.0.0/3.0.0

In Stormshield SSO Agent 2.x before 2.1.1 and 3.x before 3.0.2, the cleartext user password and PSK are contained in the log file of the .exe installer.

5.5
2022-01-23 CVE-2021-4103 B3Log Unspecified vulnerability in B3Log Vditor 0.2.0/1.0.0

Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 1.0.34.

5.4
2022-01-22 CVE-2021-4172 Showdoc Unspecified vulnerability in Showdoc

Cross-site Scripting (XSS) - Stored in GitHub repository star7th/showdoc prior to 2.10.2.

5.4
2022-01-21 CVE-2021-33966 Spotweb Project Cross-site Scripting vulnerability in Spotweb Project Spotweb 1.4.9

Cross site scripting (XSS) vulnerability in spotweb 1.4.9 allows authenticated attackers to execute arbitrary code via crafted GET request to the login page.

5.4
2022-01-20 CVE-2021-44091 Multi Restaurant Table Reservation System Project Cross-site Scripting vulnerability in Multi Restaurant Table Reservation System Project Multi Restaurant Table Reservation System 1.0

A Cross-Site Scripting (XSS) vulnerability exists in Sourcecodester Multi Restaurant Table Reservation System 1.0 in register.php via the (1) fullname, (2) phone, and (3) address parameters.

5.4
2022-01-20 CVE-2022-0285 Pimcore Unspecified vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.9.

5.4
2022-01-20 CVE-2021-3866 Zulip Unspecified vulnerability in Zulip

Cross-site Scripting (XSS) - Stored in GitHub repository zulip/zulip more than and including 44f935695d452cc3fb16845a0c6af710438b153d and prior to 3eb2791c3e9695f7d37ffe84e0c2184fae665cb6.

5.4
2022-01-20 CVE-2022-0278 Microweber Unspecified vulnerability in Microweber

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.

5.4
2022-01-20 CVE-2021-46026 Mysiteforme Cross-site Scripting vulnerability in Mysiteforme

mysiteforme, as of 19-12-2022, is vulnerable to Cross Site Scripting (XSS) via the add blog tag function in the blog tag in the background blog management.

5.4
2022-01-19 CVE-2021-46025 Oneblog Project Cross-site Scripting vulnerability in Oneblog Project Oneblog

A Cross Site Scripting (XSS) vulnerability exists in OneBlog <= 2.2.8.

5.4
2022-01-19 CVE-2021-23225 Cacti
Debian
Cross-site Scripting vulnerability in multiple products

Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php.

5.4
2022-01-19 CVE-2021-3816 Cacti Cross-site Scripting vulnerability in Cacti 1.1.38

Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php.

5.4
2022-01-19 CVE-2022-0243 Orchardcore Cross-site Scripting vulnerability in Orchardcore

Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.Cms.Targets prior to 1.2.2.

5.4
2022-01-19 CVE-2021-44299 Naviwebs Cross-site Scripting vulnerability in Naviwebs Navigate CMS 2.9.4

A reflected cross-site scripting (XSS) vulnerability in \lib\packages\themes\themes.php of Navigate CMS v2.9.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.

5.4
2022-01-19 CVE-2022-0274 Orchardcore Unspecified vulnerability in Orchardcore

Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.Cms.Targets prior to 1.2.2.

5.4
2022-01-19 CVE-2021-46030 Javaquarkbbs Project Cross-site Scripting vulnerability in Javaquarkbbs Project Javaquarkbbs

There is a Cross Site Scripting attack (XSS) vulnerability in JavaQuarkBBS <= v2.

5.4
2022-01-18 CVE-2022-21690 Onionshare Cross-site Scripting vulnerability in Onionshare

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network.

5.4
2022-01-18 CVE-2021-46005 CAR Rental Management System Project Cross-site Scripting vulnerability in CAR Rental Management System Project CAR Rental Management System 1.0

Sourcecodester Car Rental Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via vehicalorcview parameter.

5.4
2022-01-18 CVE-2021-29872 IBM Improper Encoding or Escaping of Output vulnerability in IBM Cloud PAK for Automation

IBM Cloud Pak for Automation 21.0.1 and 21.0.2 - Business Automation Studio Component is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers.

5.4
2022-01-18 CVE-2021-39946 Gitlab Cross-site Scripting vulnerability in Gitlab

Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis

5.4
2022-01-18 CVE-2021-4074 I Plugins Cross-site Scripting vulnerability in I-Plugins Whmcs Bridge

The WHMCS Bridge WordPress plugin is vulnerable to Stored Cross-Site Scripting via the cc_whmcs_bridge_url parameter found in the ~/whmcs-bridge/bridge_cp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.1.

5.4
2022-01-18 CVE-2022-0233 Metagauss Cross-site Scripting vulnerability in Metagauss Profilegrid

The ProfileGrid – User Profiles, Memberships, Groups and Communities WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the pm_user_avatar and pm_cover_image parameters found in the ~/admin/class-profile-magic-admin.php file which allows attackers with authenticated user access, such as subscribers, to inject arbitrary web scripts into their profile, in versions up to and including 1.2.7.

5.4
2022-01-18 CVE-2021-38695 Softvibe Cross-site Scripting vulnerability in Softvibe Saraban 1.1

SoftVibe SARABAN for INFOMA 1.1 is vulnerable to stored cross-site scripting (XSS) that allows users to store scripts in certain fields (e.g.

5.4
2022-01-18 CVE-2022-0260 Pimcore Unspecified vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.7.

5.4
2022-01-17 CVE-2022-0256 Pimcore Unspecified vulnerability in Pimcore

pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4
2022-01-17 CVE-2022-0257 Pimcore Unspecified vulnerability in Pimcore

pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4
2022-01-17 CVE-2022-0253 Livehelperchat Cross-site Scripting vulnerability in Livehelperchat

livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4
2022-01-17 CVE-2021-25046 Webnus Unspecified vulnerability in Webnus Modern Events Calendar Lite

The Modern Events Calendar Lite WordPress plugin before 6.2.0 allowed any logged-in user, even a subscriber user, to add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS.

5.4
2022-01-17 CVE-2021-25061 Wpbookingsystem Unspecified vulnerability in Wpbookingsystem WP Booking System

The WP Booking System WordPress plugin before 2.0.15 was affected by a reflected XSS in wp-booking-system on the wpbs-calendars admin page.

5.4
2022-01-17 CVE-2021-25065 Smashballoon Unspecified vulnerability in Smashballoon Smash Balloon Social Post Feed

The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was affected by a reflected XSS in custom-facebook-feed in cff-top admin page.

5.4
2022-01-17 CVE-2021-25067 Pluginops Unspecified vulnerability in Pluginops Landing Page

The Landing Page Builder WordPress plugin before 1.4.9.6 was affected by a reflected XSS in page-builder-add on the ulpb_post admin page.

5.4
2022-01-17 CVE-2021-3857 Chaskiq Unspecified vulnerability in Chaskiq

chaskiq is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4
2022-01-17 CVE-2022-0182 Expresstech Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master

Stored cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote authenticated attacker to inject an arbitrary script via a website that uses Quiz And Survey Master.

5.4
2022-01-21 CVE-2021-23195 Fresenius Kabi Information Exposure vulnerability in Fresenius-Kabi products

Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 has the option for automated indexing (directory listing) activated.

5.3
2022-01-21 CVE-2021-33843 Fresenius Kabi Missing Authentication for Critical Function vulnerability in Fresenius-Kabi Agilia SP MC Wifi Firmware D25

Fresenius Kabi Agilia SP MC WiFi vD25 and prior has a default configuration page accessible without authentication.

5.3
2022-01-19 CVE-2022-22164 Juniper Improper Initialization vulnerability in Juniper Junos OS Evolved 20.4/21.1/21.2

An Improper Initialization vulnerability in Juniper Networks Junos OS Evolved may cause a commit operation for disabling the telnet service to not take effect as expected, resulting in the telnet service staying enabled.

5.3
2022-01-18 CVE-2022-21694 Onionshare Incorrect Permission Assignment for Critical Resource vulnerability in Onionshare

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network.

5.3
2022-01-18 CVE-2022-21700 Objectcomputing Resource Exhaustion vulnerability in Objectcomputing Micronaut

Micronaut is a JVM-based, full stack Java framework designed for building JVM web applications with support for Java, Kotlin and the Groovy language.

5.3
2022-01-18 CVE-2022-21695 Onionshare Improper Authentication vulnerability in Onionshare

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network.

5.3
2022-01-18 CVE-2022-0151 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2.

4.9
2022-01-18 CVE-2021-41551 Leostream Link Following vulnerability in Leostream Connection Broker 9.0.40.17

Leostream Connection Broker 9.0.40.17 allows administrators to conduct directory traversal attacks by uploading a ZIP file that contains a symbolic link.

4.9
2022-01-19 CVE-2022-23045 Phpipam Cross-site Scripting vulnerability in PHPipam 1.4.4

PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the "Site title" parameter while updating the site settings.

4.8
2022-01-18 CVE-2022-0210 Buffercode Improper Encoding or Escaping of Output vulnerability in Buffercode Random Banner

The Random Banner WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the category parameter found in the ~/include/models/model.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.4.

4.8
2022-01-18 CVE-2022-0232 Metagauss Cross-site Scripting vulnerability in Metagauss Leadmagic

The User Registration, Login & Landing Pages WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the loader_text parameter found in the ~/includes/templates/landing-page.php file which allows attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.2.7.

4.8
2022-01-17 CVE-2021-3862 Icecoder Unspecified vulnerability in Icecoder

icecoder is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.8
2022-01-17 CVE-2021-25005 Seur Oficial Project Cross-site Scripting vulnerability in Seur Oficial Project Seur Oficial

The SEUR Oficial WordPress plugin before 1.7.0 does not sanitize and escape some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

4.8
2022-01-18 CVE-2021-34406 Nvidia NULL Pointer Dereference vulnerability in Nvidia Shield Experience

NVIDIA Tegra kernel driver contains a vulnerability in NVHost, where a specific race condition can lead to a null pointer dereference, which may lead to a system reboot.

4.7
2022-01-17 CVE-2022-0183 Kingjim Missing Encryption of Sensitive Data vulnerability in Kingjim Mirupass Pw10 Firmware and Mirupass Pw20 Firmware

Missing encryption of sensitive data vulnerability in 'MIRUPASS' PW10 firmware all versions and 'MIRUPASS' PW20 firmware all versions allows an attacker who can physically access the device to obtain the stored passwords.

4.6
2022-01-21 CVE-2021-4032 Linux Incomplete Cleanup vulnerability in Linux Kernel

A vulnerability was found in the Linux kernel's KVM subsystem in arch/x86/kvm/lapic.c kvm_free_lapic when a failure allocation was detected.

4.4
2022-01-22 CVE-2022-23807 Phpmyadmin Improper Authentication vulnerability in PHPmyadmin

An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2.

4.3
2022-01-20 CVE-2021-46028 Mblog Project Cross-Site Request Forgery (CSRF) vulnerability in Mblog Project Mblog

In mblog <= 3.5.0 there is a CSRF vulnerability in the background article management.

4.3
2022-01-19 CVE-2021-44777 Email Tracker Project Cross-Site Request Forgery (CSRF) vulnerability in Email Tracker Project Email Tracker

Cross-Site Request Forgery (CSRF) vulnerabilities leading to single or bulk e-mail entries deletion discovered in Email Tracker WordPress plugin (versions <= 5.2.6).

4.3
2022-01-19 CVE-2021-44837 Deltarm Unspecified vulnerability in Deltarm Delta RM 1.2

An issue was discovered in Delta RM 1.2.

4.3
2022-01-18 CVE-2022-21692 Onionshare Improper Authentication vulnerability in Onionshare

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network.

4.3
2022-01-18 CVE-2022-21673 Grafana
Fedoraproject
Grafana is an open-source platform for monitoring and observability.
4.3
2022-01-18 CVE-2022-21691 Onionshare Missing Authentication for Critical Function vulnerability in Onionshare

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network.

4.3
2022-01-18 CVE-2021-44836 Deltarm Authorization Bypass Through User-Controlled Key vulnerability in Deltarm Delta RM 1.2

An issue was discovered in Delta RM 1.2.

4.3
2022-01-18 CVE-2021-44838 Deltarm Unspecified vulnerability in Deltarm Delta RM 1.2

An issue was discovered in Delta RM 1.2.

4.3
2022-01-18 CVE-2022-21696 Onionshare Improper Input Validation vulnerability in Onionshare

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network.

4.3
2022-01-18 CVE-2022-21683 Torchbox Information Exposure vulnerability in Torchbox Wagtail

Wagtail is a Django based content management system focused on flexibility and user experience.

4.3
2022-01-18 CVE-2021-37867 Mattermost Information Exposure vulnerability in Mattermost Boards 0.10.0

Mattermost Boards plugin v0.10.0 and earlier fails to protect email addresses of all users via one of the Boards APIs, which allows authenticated and unauthorized users to access this information resulting in sensitive & private information disclosure.

4.3
2022-01-18 CVE-2021-39892 Gitlab Unspecified vulnerability in Gitlab

In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users.

4.3
2022-01-18 CVE-2021-39927 Gitlab Server-Side Request Forgery (SSRF) vulnerability in Gitlab

Server side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.4, between 14.5.0 and 14.5.2, and between 14.6.0 and 14.6.1 would fail to protect against attacks sending requests to localhost on port 80 or 443 if GitLab was configured to run on a port other than 80 or 443

4.3
2022-01-18 CVE-2021-41809 M Files Server-Side Request Forgery (SSRF) vulnerability in M-Files Server

SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, in a preview function allowed making queries from the server with certain document types referencing external entities.

4.3
2022-01-18 CVE-2022-0093 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1.

4.3
2022-01-18 CVE-2022-0124 Gitlab Improper Encoding or Escaping of Output vulnerability in Gitlab

An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1.

4.3
2022-01-18 CVE-2022-0125 Gitlab Missing Authorization vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2.

4.3
2022-01-18 CVE-2021-4146 Pimcore Unspecified vulnerability in Pimcore

Business Logic Errors in GitHub repository pimcore/pimcore prior to 10.2.6.

4.3
2022-01-18 CVE-2022-0245 Livehelperchat Unspecified vulnerability in Livehelperchat

Cross-Site Request Forgery (CSRF) in GitHub repository livehelperchat/livehelperchat prior to 2.0.

4.3
2022-01-17 CVE-2021-25025 Theeventscalendar Unspecified vulnerability in Theeventscalendar Eventcalendar

The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events

4.3
2022-01-17 CVE-2022-0184 Kingjim Insufficiently Protected Credentials vulnerability in Kingjim products

Insufficiently protected credentials vulnerability in 'TEPRA' PRO SR5900P Ver.1.080 and earlier and 'TEPRA' PRO SR-R7900P Ver.1.030 and earlier allows an attacker on the adjacent network to obtain credentials for connecting to the Wi-Fi access point with the infrastructure mode.

4.3
2022-01-21 CVE-2021-4001 Linux Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Linux Kernel

A race condition was found in the Linux kernel's ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c.

4.1

4 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-01-21 CVE-2021-4016 Rapid7 Unspecified vulnerability in Rapid7 Insight Agent

Rapid7 Insight Agent, versions prior to 3.1.3, suffer from an improper access control vulnerability whereby the user has access to the snapshot directory.

3.3
2022-01-17 CVE-2022-0131 Jmty Use of Hard-coded Credentials vulnerability in Jmty Jimoty

Jimoty App for Android versions prior to 3.7.42 uses a hard-coded API key for an external service.

3.3
2022-01-18 CVE-2021-44840 Deltarm Missing Authorization vulnerability in Deltarm Delta RM 1.2

An issue was discovered in Delta RM 1.2.

2.7
2022-01-18 CVE-2021-41808 M Files Information Exposure Through Log Files vulnerability in M-Files Server

In M-Files Server product with versions before 21.11.10775.0, enabling logging of Federated authentication to event log wrote sensitive information to log.

2.3