Weekly Vulnerabilities Reports > January 17 to 23, 2022
Overview
341 new vulnerabilities reported during this period, including 60 critical vulnerabilities and 106 high severity vulnerabilities. This weekly summary report vulnerabilities in 496 products from 153 vendors including Juniper, Jerryscript, Gitlab, Debian, and Fresenius Kabi. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Reachable Assertion", and "NULL Pointer Dereference".
- 240 reported vulnerabilities are remotely exploitables.
- 4 reported vulnerabilities have public exploit available.
- 95 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 216 reported vulnerabilities are exploitable by an anonymous user.
- Juniper has the most reported vulnerabilities, with 27 reported vulnerabilities.
- Mingsoft has the most reported critical vulnerabilities, with 5 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
60 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-01-23 | CVE-2021-46024 | Projectworlds | SQL Injection vulnerability in Projectworlds Online-Shopping-Webvsite-In-PHP 1.0 Projectworlds online-shopping-webvsite-in-php 1.0 suffers from a SQL Injection vulnerability via the "id" parameter in cart_add.php, No login is required. | 9.8 |
2022-01-21 | CVE-2022-23363 | Online Banking System Project | SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0 Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via index.php. | 9.8 |
2022-01-21 | CVE-2022-23364 | HMS Project | SQL Injection vulnerability in HMS Project HMS 1.0 HMS v1.0 was discovered to contain a SQL injection vulnerability via adminlogin.php. | 9.8 |
2022-01-21 | CVE-2022-23365 | HMS Project | SQL Injection vulnerability in HMS Project HMS 1.0 HMS v1.0 was discovered to contain a SQL injection vulnerability via doctorlogin.php. | 9.8 |
2022-01-21 | CVE-2022-23366 | HMS Project | SQL Injection vulnerability in HMS Project HMS 1.0 HMS v1.0 was discovered to contain a SQL injection vulnerability via patientlogin.php. | 9.8 |
2022-01-21 | CVE-2022-22553 | Dell | Improper Restriction of Excessive Authentication Attempts vulnerability in Dell EMC Appsync 3.9.0.0/4.2.0.0/4.3.0.0 Dell EMC AppSync versions 3.9 to 4.3 contain an Improper Restriction of Excessive Authentication Attempts Vulnerability that can be exploited from UI and CLI. | 9.8 |
2022-01-21 | CVE-2021-23518 | Cached Path Relative Project Debian | The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. | 9.8 |
2022-01-21 | CVE-2021-40595 | Online Leave Management System Project | SQL Injection vulnerability in Online Leave Management System Project Online Leave Management System 1.0 SQL injection vulnerability in Sourcecodester Online Leave Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter to /leave_system/classes/Login.php. | 9.8 |
2022-01-21 | CVE-2021-23196 | Fresenius Kabi | Improper Authentication vulnerability in Fresenius-Kabi products The web application on Agilia Link+ version 3.0 implements authentication and session management mechanisms exclusively on the client-side and does not protect authentication attributes sufficiently. | 9.8 |
2022-01-21 | CVE-2021-23233 | Fresenius Kabi | Use of Hard-coded Credentials vulnerability in Fresenius-Kabi products Sensitive endpoints in Fresenius Kabi Agilia Link+ v3.0 and prior can be accessed without any authentication information such as the session cookie. | 9.8 |
2022-01-21 | CVE-2021-40247 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Budget and Expense Tracker System 1.0 SQL injection vulnerability in Sourcecodester Budget and Expense Tracker System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username field. | 9.8 |
2022-01-21 | CVE-2021-43355 | Fresenius Kabi | Improper Authentication vulnerability in Fresenius-Kabi products Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 allows user input to be validated on the client side without authentication by the server. | 9.8 |
2022-01-21 | CVE-2022-23128 | Mitsubishielectric Iconics | Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI versions 10.95.3 to 10.97 allows a remote unauthenticated attacker to bypass the authentication of MC Works64, GENESIS64, Hyper Historian, AnalytiX and MobileHMI, and gain unauthorized access to the products, by sending specially crafted WebSocket packets to FrameWorX server, one of the functions of the products. | 9.8 |
2022-01-21 | CVE-2020-4877 | IBM | Incorrect Authorization vulnerability in IBM Cognos Controller 10.4.0/10.4.1/10.4.2 IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could be vulnerable to unauthorized modifications by using public fields in public classes. | 9.8 |
2022-01-21 | CVE-2020-4879 | IBM | Improper Authentication vulnerability in IBM Cognos Controller 10.4.0/10.4.1/10.4.2 IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could allow a remote attacker to bypass security restrictions, caused by improper validation of authentication cookies. | 9.8 |
2022-01-21 | CVE-2021-46308 | Online Railway Reservation System Project | SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0 An SQL Injection vulnerability exists in Sourcecodester Online Railway Reservation Sysytem 1.0 via the sid parameter. | 9.8 |
2022-01-21 | CVE-2021-46309 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Employee and Visitor Gate Pass Logging System 1.0 An SQL Injection vulnerability exists in Sourcecodester Employee and Visitor Gate Pass Logging System 1.0 via the username parameter. | 9.8 |
2022-01-21 | CVE-2021-35003 | TP Link | Unspecified vulnerability in Tp-Link Archer C90 Firmware 1.0.6 This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer C90 1.0.6 Build 20200114 rel.73164(5553) routers. | 9.8 |
2022-01-21 | CVE-2021-35004 | TP Link | Unspecified vulnerability in Tp-Link Tl-Wa1201 Firmware 1.0.1 This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link TL-WA1201 1.0.1 Build 20200709 rel.66244(5553) wireless access points. | 9.8 |
2022-01-21 | CVE-2021-40855 | Europa | Improper Certificate Validation vulnerability in Europa Technical Specifications for Digital Covid Certificates 1.0 The EU Technical Specifications for Digital COVID Certificates before 1.1 mishandle certificate governance. | 9.8 |
2022-01-21 | CVE-2021-46198 | Courier Management System Project | SQL Injection vulnerability in Courier Management System Project Courier Management System 1.0 An SQL Injection vulnerability exists in Sourceodester Courier Management System 1.0 via the email parameter in /cms/ajax.php app. | 9.8 |
2022-01-21 | CVE-2021-46200 | Simple Music Cloud Community System Project | SQL Injection vulnerability in Simple Music Cloud Community System Project Simple Music Cloud Community System 1.0 An SQL Injection vulnerability exists in Sourcecodester Simple Music Clour Community System 1.0 via the email parameter in /music/ajax.php. | 9.8 |
2022-01-21 | CVE-2021-46201 | Online Resort Management System Project | SQL Injection vulnerability in Online Resort Management System Project Online Resort Management System 1.0 An SQL Injection vulnerability exists in Sourcecodester Online Resort Management System 1.0 via the id parameterv in /orms/ node. | 9.8 |
2022-01-21 | CVE-2021-46307 | Projectworlds | SQL Injection vulnerability in Projectworlds Online Examination System 1.0 An SQL Injection vulnerability exists in Projectworlds Online Examination System 1.0 via the eid parameter in account.php. | 9.8 |
2022-01-21 | CVE-2022-0318 | VIM Apple Debian | Out-of-bounds Write vulnerability in multiple products Heap-based Buffer Overflow in vim/vim prior to 8.2. | 9.8 |
2022-01-21 | CVE-2022-22928 | Mingsoft | Use of Hard-coded Credentials vulnerability in Mingsoft Mcms 5.2.4 MCMS v5.2.4 was discovered to have a hardcoded shiro-key, allowing attackers to exploit the key and execute arbitrary code. | 9.8 |
2022-01-21 | CVE-2022-22929 | Mingsoft | Unrestricted Upload of File with Dangerous Type vulnerability in Mingsoft Mcms 5.2.4 MCMS v5.2.4 was discovered to have an arbitrary file upload vulnerability in the New Template module, which allows attackers to execute arbitrary code via a crafted ZIP file. | 9.8 |
2022-01-21 | CVE-2022-22930 | Mingsoft | Unspecified vulnerability in Mingsoft Mcms 5.2.4 A remote code execution (RCE) vulnerability in the Template Management function of MCMS v5.2.4 allows attackers to execute arbitrary code via a crafted payload. | 9.8 |
2022-01-21 | CVE-2022-23314 | Mingsoft | SQL Injection vulnerability in Mingsoft Mcms 5.2.4 MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via /ms/mdiy/model/importJson.do. | 9.8 |
2022-01-21 | CVE-2022-23315 | Mingsoft | Unrestricted Upload of File with Dangerous Type vulnerability in Mingsoft Mcms 5.2.4 MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnerability via the component /ms/template/writeFileContent.do. | 9.8 |
2022-01-20 | CVE-2021-46061 | Computer AND Mobile Repair Shop Management System Project | SQL Injection vulnerability in Computer and Mobile Repair Shop Management System Project Computer and Mobile Repair Shop Management System 1.0 An SQL Injection vulnerability exists in Sourcecodester Computer and Mobile Repair Shop Management system (RSMS) 1.0 via the code parameter in /rsms/ node app. | 9.8 |
2022-01-20 | CVE-2021-44090 | Sourcecodester Online Reviewer System Project | SQL Injection vulnerability in Sourcecodester Online Reviewer System Project Sourcecodester Online Reviewer System 1.0 An SQL Injection vulnerability exists in Sourcecodester Online Reviewer System 1.0 via the password parameter. | 9.8 |
2022-01-20 | CVE-2021-44092 | Pharmacy Management Project | SQL Injection vulnerability in Pharmacy Management Project Pharmacy Management 1.0 An SQL Injection vulnerability exists in code-projects Pharmacy Management 1.0 via the username parameter in the administer login form. | 9.8 |
2022-01-20 | CVE-2021-44244 | Sourcecodester Logistic HUB Parcel S Management System Project | SQL Injection vulnerability in Sourcecodester Logistic HUB Parcel'S Management System Project Sourcecodester Logistic HUB Parcel'S Management System 1.0 An SQL Injection vulnerabiity exists in Sourcecodester Logistic Hub Parcel's Management System 1.0 via the username parameter in login.php. | 9.8 |
2022-01-20 | CVE-2021-44245 | Covid 19 Testing Management System Project | SQL Injection vulnerability in Covid 19 Testing Management System Project Covid 19 Testing Management System 1.0 An SQL Injection vulnerability exists in Courcecodester COVID 19 Testing Management System (CTMS) 1.0 via the (1) username and (2) contactno parameters. | 9.8 |
2022-01-20 | CVE-2021-44734 | Lexmark | Code Injection vulnerability in Lexmark products Embedded web server input sanitization vulnerability in Lexmark devices through 2021-12-07, which can which can lead to remote code execution on the device. | 9.8 |
2022-01-20 | CVE-2021-44735 | Lexmark | Command Injection vulnerability in Lexmark products Embedded web server command injection vulnerability in Lexmark devices through 2021-12-07. | 9.8 |
2022-01-20 | CVE-2021-44736 | Lexmark | Improper Authentication vulnerability in Lexmark Mc3224I Firmware The initial admin account setup wizard on Lexmark devices allow unauthenticated access to the “out of service erase” feature. | 9.8 |
2022-01-20 | CVE-2021-44738 | Lexmark | Classic Buffer Overflow vulnerability in Lexmark products Buffer overflow vulnerability has been identified in Lexmark devices through 2021-12-07 in postscript interpreter. | 9.8 |
2022-01-19 | CVE-2022-21679 | Istio | Always-Incorrect Control Flow Implementation vulnerability in Istio 1.12.0/1.12.1 Istio is an open platform to connect, manage, and secure microservices. | 9.8 |
2022-01-19 | CVE-2021-33912 | Libspf2 Project Debian | Out-of-bounds Write vulnerability in multiple products libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of incorrect sprintf usage in SPF_record_expand_data in spf_expand.c. | 9.8 |
2022-01-19 | CVE-2021-33913 | Libspf2 Project | Out-of-bounds Write vulnerability in Libspf2 Project Libspf2 libspf2 before 1.2.11 has a heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of SPF_record_expand_data in spf_expand.c. | 9.8 |
2022-01-19 | CVE-2021-46204 | Taogogo | SQL Injection vulnerability in Taogogo Taocms 3.0.2 Taocms v3.0.2 was discovered to contain an arbitrary file read vulnerability via the path parameter. | 9.8 |
2022-01-19 | CVE-2022-23221 | H2Database Debian Oracle | Argument Injection or Modification vulnerability in multiple products H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392. | 9.8 |
2022-01-19 | CVE-2022-22167 | Juniper | Unspecified vulnerability in Juniper Junos A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn-check' is enabled on the device. | 9.8 |
2022-01-18 | CVE-2021-46013 | Free School Management Software Project | Unrestricted Upload of File with Dangerous Type vulnerability in Free School Management Software Project Free School Management Software 1.0 An unrestricted file upload vulnerability exists in Sourcecodester Free school management software 1.0. | 9.8 |
2022-01-18 | CVE-2021-29215 | HPE | Unspecified vulnerability in HPE TEZ A potential security vulnerability in HPE Ezmeral Data Fabric that may allow a remote access restriction bypass in the TEZ MapR ecosystem component was discovered in version(s): Prior to Tez-0.8: mapr-tez-0.8.201907081100-1.noarch; prior to Tez-0.9: mapr-tez-0.9.201907090334-1.noarch; prior to Tez-0.9.2: mapr-tez-0.9.2.0.201907081043-1.noarch. | 9.8 |
2022-01-18 | CVE-2021-41807 | M Files | Improper Restriction of Excessive Authentication Attempts vulnerability in M-Files Server and M-Files web Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier. | 9.8 |
2022-01-18 | CVE-2022-23305 | Apache Netapp Broadcom QOS Oracle | SQL Injection vulnerability in multiple products By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. | 9.8 |
2022-01-18 | CVE-2021-38697 | Softvibe | Unrestricted Upload of File with Dangerous Type vulnerability in Softvibe Saraban 1.1 SoftVibe SARABAN for INFOMA 1.1 allows Unauthenticated unrestricted File Upload, that allows attackers to upload files with any file extension which can lead to arbitrary code execution. | 9.8 |
2022-01-18 | CVE-2021-22566 | Incorrect Permission Assignment for Critical Resource vulnerability in Google Fuchsia An incorrect setting of UXN bits within mmu_flags_to_s1_pte_attr lead to privileged executable pages being mapped as executable from an unprivileged context. | 9.8 | |
2022-01-17 | CVE-2021-4171 | Janeczku | Unspecified vulnerability in Janeczku Calibre-Web calibre-web is vulnerable to Business Logic Errors | 9.8 |
2022-01-17 | CVE-2022-0239 | Stanford | Unspecified vulnerability in Stanford Corenlp corenlp is vulnerable to Improper Restriction of XML External Entity Reference | 9.8 |
2022-01-17 | CVE-2022-23303 | W1 FI Fedoraproject | Information Exposure Through Discrepancy vulnerability in multiple products The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. | 9.8 |
2022-01-17 | CVE-2022-23304 | W1 FI Fedoraproject | Information Exposure Through Discrepancy vulnerability in multiple products The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side-channel attacks as a result of cache access patterns. | 9.8 |
2022-01-19 | CVE-2022-22157 | Juniper | Incorrect Authorization vulnerability in Juniper Junos A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn-check' is enabled on the device. | 9.3 |
2022-01-21 | CVE-2021-31562 | Fresenius Kabi | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Fresenius-Kabi products The SSL/TLS configuration of Fresenius Kabi Agilia Link + version 3.0 has serious deficiencies that may allow an attacker to compromise SSL/TLS sessions in different ways. | 9.1 |
2022-01-18 | CVE-2022-23408 | Wolfssl | Use of Insufficiently Random Values vulnerability in Wolfssl 5.0.0/5.1.0 wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. | 9.1 |
2022-01-18 | CVE-2021-44757 | Zohocorp | Unspecified vulnerability in Zohocorp products Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server. | 9.1 |
2022-01-19 | CVE-2022-22769 | Tibco | Cross-site Scripting vulnerability in Tibco EBX and EBX Add-Ons The Web server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX, TIBCO EBX, TIBCO EBX Add-ons, TIBCO EBX Add-ons, TIBCO EBX Add-ons, and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. | 9.0 |
106 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-01-21 | CVE-2021-46242 | Hdfgroup | Use After Free vulnerability in Hdfgroup Hdf5 1.13.11 HDF5 v1.13.1-1 was discovered to contain a heap-use-after free via the component H5AC_unpin_entry. | 8.8 |
2022-01-21 | CVE-2022-22551 | Dell | Session Fixation vulnerability in Dell EMC Appsync 3.9.0.0/4.2.0.0/4.3.0.0 DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. | 8.8 |
2022-01-21 | CVE-2021-44464 | Fresenius Kabi | Use of Hard-coded Credentials vulnerability in Fresenius-Kabi products Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 contains service credentials likely to be common across all instances. | 8.8 |
2022-01-21 | CVE-2022-0323 | Mustache Project | Code Injection vulnerability in Mustache Project Mustache Improper Neutralization of Special Elements Used in a Template Engine in Packagist mustache/mustache prior to 2.14.1. | 8.8 |
2022-01-20 | CVE-2021-44737 | Lexmark | Path Traversal vulnerability in Lexmark products PJL directory traversal vulnerability in Lexmark devices through 2021-12-07 that can be leveraged to overwrite internal configuration files. | 8.8 |
2022-01-20 | CVE-2021-43269 | Code42 | Code Injection vulnerability in Code42 In Code42 app before 8.8.0, eval injection allows an attacker to change a device’s proxy configuration to use a malicious proxy auto-config (PAC) file, leading to arbitrary code execution. | 8.8 |
2022-01-19 | CVE-2022-21699 | Ipython Debian Fedoraproject | IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. | 8.8 |
2022-01-19 | CVE-2022-21701 | Istio | Incorrect Authorization vulnerability in Istio 1.12.0/1.12.1 Istio is an open platform to connect, manage, and secure microservices. | 8.8 |
2022-01-19 | CVE-2021-45808 | Jpress | Unrestricted Upload of File with Dangerous Type vulnerability in Jpress 4.2.0 jpress v4.2.0 allows users to register an account by default. | 8.8 |
2022-01-19 | CVE-2022-21392 | Oracle | Unspecified vulnerability in Oracle Enterprise Manager Base Platform 13.4.0.0/13.5.0.0 Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Policy Framework). | 8.8 |
2022-01-18 | CVE-2021-43353 | Crisp | Cross-Site Request Forgery (CSRF) vulnerability in Crisp Live Chat The Crisp Live Chat WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the crisp_plugin_settings_page function found in the ~/crisp.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 0.31. | 8.8 |
2022-01-18 | CVE-2022-0215 | Xootix | Cross-Site Request Forgery (CSRF) vulnerability in Xootix products The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings function found in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.php file which makes it possible for attackers to update arbitrary options on a site that can be used to create an administrative user account and grant full privileged access to a compromised site. | 8.8 |
2022-01-18 | CVE-2022-23302 | Apache Netapp Broadcom QOS Oracle | Deserialization of Untrusted Data vulnerability in multiple products JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. | 8.8 |
2022-01-18 | CVE-2022-23307 | Apache QOS Oracle | Deserialization of Untrusted Data vulnerability in multiple products CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. | 8.8 |
2022-01-18 | CVE-2021-33965 | Chinamobile | Command Injection vulnerability in Chinamobile AN Lianbao Wf-1 Firmware 1.0.1 China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRMesh/set_ZRMesh which receives parameters by POST request, and the parameter mesh_enable and mesh_device have a command injection vulnerability. | 8.8 |
2022-01-18 | CVE-2021-33964 | Chinamobile | Command Injection vulnerability in Chinamobile AN Lianbao Wf-1 Firmware 1.0.1 China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRRuleFilter/set_firewall_level which receives parameters by POST request, and the parameter firewall_level has a command injection vulnerability. | 8.8 |
2022-01-18 | CVE-2021-45394 | Html2Pdf Project | Deserialization of Untrusted Data vulnerability in Html2Pdf Project Html2Pdf An issue was discovered in Spipu HTML2PDF before 5.2.4. | 8.8 |
2022-01-17 | CVE-2021-38965 | IBM | OS Command Injection vulnerability in IBM Filenet Content Manager 5.5.4/5.5.6/5.5.7 IBM FileNet Content Manager 5.5.4, 5.5.6, and 5.5.7 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. | 8.8 |
2022-01-17 | CVE-2022-0258 | Pimcore | Unspecified vulnerability in Pimcore pimcore is vulnerable to Improper Neutralization of Special Elements used in an SQL Command | 8.8 |
2022-01-17 | CVE-2021-25036 | Aioseo | Improper Handling of Case Sensitivity vulnerability in Aioseo ALL in ONE SEO The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. | 8.8 |
2022-01-17 | CVE-2021-4164 | Janeczku | Unspecified vulnerability in Janeczku Calibre-Web calibre-web is vulnerable to Cross-Site Request Forgery (CSRF) | 8.8 |
2022-01-17 | CVE-2022-0180 | Expresstech | Cross-Site Request Forgery (CSRF) vulnerability in Expresstech Quiz and Survey Master Cross-site request forgery (CSRF) vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote attacker to hijack the authentication of administrators and conduct arbitrary operations via a specially crafted web page. | 8.8 |
2022-01-21 | CVE-2020-4875 | IBM | XXE vulnerability in IBM Cognos Controller 10.4.0/10.4.1/10.4.2 IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. | 8.2 |
2022-01-21 | CVE-2020-4876 | IBM | XXE vulnerability in IBM Cognos Controller 10.4.0/10.4.1/10.4.2 IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. | 8.2 |
2022-01-21 | CVE-2022-21707 | Wasmcloud | Missing Authorization vulnerability in Wasmcloud Host Runtime wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. | 8.1 |
2022-01-21 | CVE-2021-44593 | Simple College Website Project | SQL Injection vulnerability in Simple College Website Project Simple College Website 1.0 Simple College Website 1.0 is vulnerable to unauthenticated file upload & remote code execution via UNION-based SQL injection in the username parameter on /admin/login.php. | 8.1 |
2022-01-21 | CVE-2021-36338 | Dell | Reliance on Cookies without Validation and Integrity Checking vulnerability in Dell products Unisphere for PowerMax versions prior to 9.2.2.2 contains a privilege escalation vulnerability. | 8.0 |
2022-01-18 | CVE-2022-0154 | Gitlab | Cross-Site Request Forgery (CSRF) vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. | 8.0 |
2022-01-23 | CVE-2022-23850 | Epub2Txt Project | Out-of-bounds Write vulnerability in Epub2Txt Project Epub2Txt xhtml_translate_entity in xhtml.c in epub2txt (aka epub2txt2) through 2.02 allows a stack-based buffer overflow via a crafted EPUB document. | 7.8 |
2022-01-21 | CVE-2021-36339 | Dell | Unspecified vulnerability in Dell products The Dell EMC Virtual Appliances before 9.2.2.2 contain undocumented user accounts. | 7.8 |
2022-01-21 | CVE-2022-23220 | Usbview Project | Missing Authentication for Critical Function vulnerability in Usbview Project Usbview USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. | 7.8 |
2022-01-21 | CVE-2022-21933 | Asus | Out-of-bounds Write vulnerability in Asus products ASUS VivoMini/Mini PC device has an improper input validation vulnerability. | 7.8 |
2022-01-21 | CVE-2022-22893 | Jerryscript | Out-of-bounds Write vulnerability in Jerryscript 3.0.0 Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_loop.lto_priv.304 in /jerry-core/vm/vm.c. | 7.8 |
2022-01-21 | CVE-2022-22894 | Jerryscript | Out-of-bounds Write vulnerability in Jerryscript 3.0.0 Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_lcache_lookup in /jerry-core/ecma/base/ecma-lcache.c. | 7.8 |
2022-01-21 | CVE-2022-22895 | Jerryscript | Out-of-bounds Write vulnerability in Jerryscript 3.0.0 Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ecma_utf8_string_to_number_by_radix in /jerry-core/ecma/base/ecma-helpers-conversion.c. | 7.8 |
2022-01-20 | CVE-2022-22888 | Jerryscript | Out-of-bounds Write vulnerability in Jerryscript 3.0.0 Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_op_object_find_own in /ecma/operations/ecma-objects.c. | 7.8 |
2022-01-20 | CVE-2021-46324 | Espruino | Out-of-bounds Write vulnerability in Espruino 2.11.251 Espruino 2v11.251 was discovered to contain a stack buffer overflow via src/jsvar.c in jsvNewFromString. | 7.8 |
2022-01-20 | CVE-2021-46325 | Espruino | Out-of-bounds Write vulnerability in Espruino 2.10.246 Espruino 2v10.246 was discovered to contain a stack buffer overflow via src/jsutils.c in vcbprintf. | 7.8 |
2022-01-20 | CVE-2021-46326 | Moddable | Out-of-bounds Write vulnerability in Moddable SDK 11.5.0 Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via the component __asan_memcpy. | 7.8 |
2022-01-20 | CVE-2021-46328 | Moddable | Out-of-bounds Write vulnerability in Moddable SDK 11.5.0 Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via the component __libc_start_main. | 7.8 |
2022-01-20 | CVE-2021-46332 | Moddable | Out-of-bounds Write vulnerability in Moddable SDK 11.5.0 Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via xs/sources/xsDataView.c in fxUint8Getter. | 7.8 |
2022-01-20 | CVE-2021-46334 | Moddable | Out-of-bounds Write vulnerability in Moddable SDK 11.5.0 Moddable SDK v11.5.0 was discovered to contain a stack buffer overflow via the component __interceptor_strcat. | 7.8 |
2022-01-20 | CVE-2022-23120 | Trendmicro | Code Injection vulnerability in Trendmicro Deep Security Agent 20.0 A code injection vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux version 20 and below could allow an attacker to escalate privileges and run arbitrary code in the context of root. | 7.8 |
2022-01-20 | CVE-2021-45417 | Advanced Intrusion Detection Environment Project Redhat Fedoraproject Canonical Debian | Out-of-bounds Write vulnerability in multiple products AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow. | 7.8 |
2022-01-19 | CVE-2021-23843 | Bosch | Missing Authentication for Critical Function vulnerability in Bosch products The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe are used to configure certains settings in AMC2 devices. | 7.8 |
2022-01-19 | CVE-2021-42810 | Thalesgroup | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Thalesgroup Safenet Authentication Service Remote Desktop Gateway A flaw in the previous versions of the product may allow an authenticated attacker the ability to execute code as a privileged user on a system where the agent is installed. | 7.8 |
2022-01-19 | CVE-2021-31854 | Mcafee | OS Command Injection vulnerability in Mcafee Agent A command Injection Vulnerability in McAfee Agent (MA) for Windows prior to 5.7.5 allows local users to inject arbitrary shell code into the file cleanup.exe. | 7.8 |
2022-01-19 | CVE-2022-0166 | Mcafee | Uncontrolled Search Path Element vulnerability in Mcafee Agent A privilege escalation vulnerability in the McAfee Agent prior to 5.7.5. | 7.8 |
2022-01-19 | CVE-2022-22162 | Juniper | Unspecified vulnerability in Juniper Junos A Generation of Error Message Containing Sensitive Information vulnerability in the CLI of Juniper Networks Junos OS allows a locally authenticated attacker with low privileges to elevate these to the level of any other user logged in via J-Web at this time, potential leading to a full compromise of the device. | 7.8 |
2022-01-18 | CVE-2021-34401 | Nvidia | Unspecified vulnerability in Nvidia Shield Experience NVIDIA Linux kernel distributions contain a vulnerability in nvmap NVGPU_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, where improper access control may lead to code execution, compromised integrity, or denial of service. | 7.8 |
2022-01-18 | CVE-2021-34403 | Nvidia | Use After Free vulnerability in Nvidia Shield Experience NVIDIA Linux distributions contain a vulnerability in nvmap ioctl, which allows any user with a local account to exploit a use-after-free condition, leading to code privilege escalation, loss of confidentiality and integrity, or denial of service. | 7.8 |
2022-01-18 | CVE-2020-14110 | MI | Incorrect Authorization vulnerability in MI Ax3600 Firmware 1.0.50 AX3600 router sensitive information leaked.There is an unauthorized interface through luci to obtain sensitive information and log in to the web background. | 7.8 |
2022-01-18 | CVE-2022-0261 | VIM Debian Apple | Out-of-bounds Write vulnerability in multiple products Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. | 7.8 |
2022-01-18 | CVE-2022-0263 | Pimcore | Unspecified vulnerability in Pimcore Unrestricted Upload of File with Dangerous Type in Packagist pimcore/pimcore prior to 10.2.7. | 7.8 |
2022-01-18 | CVE-2021-34404 | Nvidia | Unspecified vulnerability in Nvidia Shield Experience Android images for T210 provided by NVIDIA contain a vulnerability in BROM, where failure to limit access to AHB-DMA when BROM fails may allow an unprivileged attacker with physical access to cause denial of service or impact integrity and confidentiality beyond the security scope of BROM. | 7.6 |
2022-01-21 | CVE-2021-39480 | Bingrep Project | Allocation of Resources Without Limits or Throttling vulnerability in Bingrep Project Bingrep 0.8.5 Bingrep v0.8.5 was discovered to contain a memory allocation failure which can cause a Denial of Service (DoS). | 7.5 |
2022-01-21 | CVE-2022-23837 | Contribsys Debian | Allocation of Resources Without Limits or Throttling vulnerability in multiple products In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. | 7.5 |
2022-01-21 | CVE-2021-23460 | Camunda | Unspecified vulnerability in Camunda Min-Dash The package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement of key types. | 7.5 |
2022-01-21 | CVE-2021-23631 | Convert SVG Core Project | Path Traversal vulnerability in Convert-Svg-Core Project Convert-Svg-Core This affects all versions of package convert-svg-core; all versions of package convert-svg-to-png; all versions of package convert-svg-to-jpeg. | 7.5 |
2022-01-21 | CVE-2021-23664 | Isomorphic GIT | Server-Side Request Forgery (SSRF) vulnerability in Isomorphic-Git Cors-Proxy The package @isomorphic-git/cors-proxy before 2.7.1 are vulnerable to Server-side Request Forgery (SSRF) due to missing sanitization and validation of the redirection action in middleware.js. | 7.5 |
2022-01-21 | CVE-2021-23236 | Fresenius Kabi | Resource Exhaustion vulnerability in Fresenius-Kabi products Requests may be used to interrupt the normal operation of the device. | 7.5 |
2022-01-21 | CVE-2021-41835 | Fresenius Kabi | Cleartext Transmission of Sensitive Information vulnerability in Fresenius-Kabi products Fresenius Kabi Agilia Link + version 3.0 does not enforce transport layer encryption. | 7.5 |
2022-01-21 | CVE-2020-19861 | Nlnetlabs | Out-of-bounds Read vulnerability in Nlnetlabs Ldns 1.7.1 When a zone file in ldns 1.7.1 is parsed, the function ldns_nsec3_salt_data is too trusted for the length value obtained from the zone file. | 7.5 |
2022-01-21 | CVE-2020-19858 | Plutinosoft | Path Traversal vulnerability in Plutinosoft Platinum Platinum Upnp SDK through 1.2.0 has a directory traversal vulnerability. | 7.5 |
2022-01-20 | CVE-2020-23315 | Microsoft | Unspecified vulnerability in Microsoft Chakracore 1.12.0.0 There is an ASSERTION (pFuncBody->GetYieldRegister() == oldYieldRegister) failed in Js::DebugContext::RundownSourcesAndReparse in ChakraCore version 1.12.0.0-beta. | 7.5 |
2022-01-20 | CVE-2022-23119 | Trendmicro | Path Traversal vulnerability in Trendmicro Deep Security Agent 20.0 A directory traversal vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux version 20 and below could allow an attacker to read arbitrary files from the file system. | 7.5 |
2022-01-20 | CVE-2022-0282 | Microweber | Unspecified vulnerability in Microweber Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11. | 7.5 |
2022-01-20 | CVE-2022-0281 | Microweber | Unspecified vulnerability in Microweber Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11. | 7.5 |
2022-01-19 | CVE-2021-38789 | Allwinnertech | Missing Authorization vulnerability in Allwinnertech Android Q SDK 1.0 Allwinner R818 SoC Android Q SDK V1.0 is affected by an incorrect access control vulnerability that does not check the caller's permission, in which a third-party app could change system settings. | 7.5 |
2022-01-19 | CVE-2021-38788 | Allwinnertech | Unspecified vulnerability in Allwinnertech Android Q SDK 1.0 The Background service in Allwinner R818 SoC Android Q SDK V1.0 is used to manage background applications. | 7.5 |
2022-01-19 | CVE-2021-38787 | Allwinnertech | Integer Overflow or Wraparound vulnerability in Allwinnertech Android Q SDK 1.0 There is an integer overflow in the ION driver "/dev/ion" of Allwinner R818 SoC Android Q SDK V1.0 that could use the ioctl cmd "COMPAT_ION_IOC_SUNXI_FLUSH_RANGE" to cause a system crash (denial of service). | 7.5 |
2022-01-19 | CVE-2021-46104 | Webp | Path Traversal vulnerability in Webp Server GO 0.4.0 An issue was discovered in webp_server_go 0.4.0. | 7.5 |
2022-01-19 | CVE-2021-38786 | Allwinnertech | NULL Pointer Dereference vulnerability in Allwinnertech Android Q SDK 1.0 There is a NULL pointer dereference in media/libcedarc/vdecoder of Allwinner R818 SoC Android Q SDK V1.0, which could cause a media crash (denial of service). | 7.5 |
2022-01-19 | CVE-2022-22153 | Juniper | Unspecified vulnerability in Juniper Junos An Insufficient Algorithmic Complexity combined with an Allocation of Resources Without Limits or Throttling vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX Series and MX Series with SPC3 allows an unauthenticated network attacker to cause latency in transit packet processing and even packet loss. | 7.5 |
2022-01-19 | CVE-2022-22159 | Juniper | Unspecified vulnerability in Juniper Junos A vulnerability in the NETISR network queue functionality of Juniper Networks Junos OS kernel allows an attacker to cause a Denial of Service (DoS) by sending crafted genuine packets to a device. | 7.5 |
2022-01-19 | CVE-2022-22161 | Juniper | Unspecified vulnerability in Juniper Junos An Uncontrolled Resource Consumption vulnerability in the kernel of Juniper Networks Junos OS allows an unauthenticated network based attacker to cause 100% CPU load and the device to become unresponsive by sending a flood of traffic to the out-of-band management ethernet port. | 7.5 |
2022-01-19 | CVE-2022-22170 | Juniper | Unspecified vulnerability in Juniper Junos A Missing Release of Resource after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause a Denial of Service (DoS) by sending specific packets over VXLAN which cause heap memory to leak and on exhaustion the PFE to reset. | 7.5 |
2022-01-19 | CVE-2022-22171 | Juniper | Unspecified vulnerability in Juniper Junos An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause a Denial of Service (DoS) by sending specific packets over VXLAN which cause the PFE to reset. | 7.5 |
2022-01-19 | CVE-2022-22173 | Juniper | Unspecified vulnerability in Juniper Junos A Missing Release of Memory after Effective Lifetime vulnerability in the Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause Denial of Service (DoS). | 7.5 |
2022-01-19 | CVE-2022-22174 | Juniper | Unspecified vulnerability in Juniper Junos A vulnerability in the processing of inbound IPv6 packets in Juniper Networks Junos OS on QFX5000 Series and EX4600 switches may cause the memory to not be freed, leading to a packet DMA memory leak, and eventual Denial of Service (DoS) condition. | 7.5 |
2022-01-19 | CVE-2022-22175 | Juniper | Unspecified vulnerability in Juniper Junos An Improper Locking vulnerability in the SIP ALG of Juniper Networks Junos OS on MX Series and SRX Series allows an unauthenticated networked attacker to cause a flowprocessing daemon (flowd) crash and thereby a Denial of Service (DoS). | 7.5 |
2022-01-19 | CVE-2022-22177 | Juniper | Unspecified vulnerability in Juniper Junos 12.3/15.1/18.3 A release of illegal memory vulnerability in the snmpd daemon of Juniper Networks Junos OS, Junos OS Evolved allows an attacker to halt the snmpd daemon causing a sustained Denial of Service (DoS) to the service until it is manually restarted. | 7.5 |
2022-01-19 | CVE-2022-22178 | Juniper | Unspecified vulnerability in Juniper Junos A Stack-based Buffer Overflow vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on MX Series and SRX series allows an unauthenticated networked attacker to cause a flowd crash and thereby a Denial of Service (DoS). | 7.5 |
2022-01-19 | CVE-2022-22180 | Juniper | Unspecified vulnerability in Juniper Junos An Improper Check for Unusual or Exceptional Conditions vulnerability in the processing of specific IPv6 packets on certain EX Series devices may lead to exhaustion of DMA memory causing a Denial of Service (DoS). | 7.5 |
2022-01-19 | CVE-2022-23435 | Android GIF Drawable Project | Unspecified vulnerability in Android-Gif-Drawable Project Android-Gif-Drawable decoding.c in android-gif-drawable before 1.2.24 does not limit the maximum length of a comment, leading to denial of service. | 7.5 |
2022-01-18 | CVE-2022-21689 | Onionshare | Unspecified vulnerability in Onionshare OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. | 7.5 |
2022-01-18 | CVE-2020-14107 | MI | Out-of-bounds Write vulnerability in MI Xiaomi Mirror Screen A stack overflow in the HTTP server of Cast can be exploited to make the app crash in LAN. | 7.5 |
2022-01-18 | CVE-2021-29632 | Freebsd | Unspecified vulnerability in Freebsd 12.2/13.0 In FreeBSD 13.0-STABLE before n247428-9352de39c3dc, 12.2-STABLE before r370674, 13.0-RELEASE before p6, and 12.2-RELEASE before p12, certain conditions involving use of the highlight buffer while text is scrolling on the console, console data may overwrite data structures associated with the system console or other kernel memory. | 7.5 |
2022-01-18 | CVE-2021-37866 | Mattermost | Insufficient Session Expiration vulnerability in Mattermost Boards 0.10.0 Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization. | 7.5 |
2022-01-18 | CVE-2022-0236 | Vjinfotech | Missing Authorization vulnerability in Vjinfotech WP Import Export Lite The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file. | 7.5 |
2022-01-18 | CVE-2022-0244 | Gitlab | Files or Directories Accessible to External Parties vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. | 7.5 |
2022-01-18 | CVE-2022-22690 | Umbraco | HTTP Request Smuggling vulnerability in Umbraco CMS Within the Umbraco CMS, a configuration element named "UmbracoApplicationUrl" (or just "ApplicationUrl") is used whenever application code needs to build a URL pointing back to the site. | 7.5 |
2022-01-18 | CVE-2021-38696 | Softvibe | Unspecified vulnerability in Softvibe Saraban 1.1 SoftVibe SARABAN for INFOMA 1.1 has Incorrect Access Control vulnerability, that allows attackers to access signature files on the application without any authentication. | 7.5 |
2022-01-18 | CVE-2021-38694 | Softvibe | SQL Injection vulnerability in Softvibe Saraban 1.1 SoftVibe SARABAN for INFOMA 1.1 allows SQL Injection. | 7.5 |
2022-01-18 | CVE-2021-38784 | Allwinnertech | NULL Pointer Dereference vulnerability in Allwinnertech Android Q SDK 1.0 There is a NULL pointer dereference in the syscall open_exec function of Allwinner R818 SoC Android Q SDK V1.0 that could executable a malicious file to cause a system crash. | 7.5 |
2022-01-18 | CVE-2021-38785 | Allwinnertech | NULL Pointer Dereference vulnerability in Allwinnertech Android Q SDK 1.0 There is a NULL pointer deference in the Allwinner R818 SoC Android Q SDK V1.0 camera driver /dev/cedar_dev that could use the ioctl cmd IOCTL_GET_IOMMU_ADDR to cause a system crash. | 7.5 |
2022-01-18 | CVE-2021-38783 | Allwinnertech | Out-of-bounds Write vulnerability in Allwinnertech Android Q SDK 1.0 There is a Out-of-Bound Write in the Allwinner R818 SoC Android Q SDK V1.0 camera driver "/dev/cedar_dev" through iotcl cmd IOCTL_SET_PROC_INFO and IOCTL_COPY_PROC_INFO, which could cause a system crash or EoP. | 7.5 |
2022-01-17 | CVE-2022-0240 | Mruby | Unspecified vulnerability in Mruby mruby is vulnerable to NULL Pointer Dereference | 7.5 |
2022-01-19 | CVE-2022-22156 | Juniper | Unspecified vulnerability in Juniper Junos An Improper Certificate Validation weakness in the Juniper Networks Junos OS allows an attacker to perform Person-in-the-Middle (PitM) attacks when a system script is fetched from a remote source at a specified HTTPS URL, which may compromise the integrity and confidentiality of the device. | 7.4 |
2022-01-18 | CVE-2022-22691 | Umbraco | HTTP Request Smuggling vulnerability in Umbraco CMS The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL. | 7.4 |
2022-01-21 | CVE-2021-33846 | Fresenius Kabi | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Fresenius-Kabi products Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 issues authentication tokens to authenticated users that are signed with a symmetric encryption key. | 7.2 |
2022-01-19 | CVE-2022-23046 | Phpipam | SQL Injection vulnerability in PHPipam 1.4.4 PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php | 7.2 |
2022-01-18 | CVE-2021-41550 | Leostream | Unrestricted Upload of File with Dangerous Type vulnerability in Leostream Connection Broker 9.0.40.17 Leostream Connection Broker 9.0.40.17 allows administrator to upload and execute Perl code. | 7.2 |
2022-01-17 | CVE-2022-0242 | Craterapp | Unspecified vulnerability in Craterapp Crater Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0. | 7.2 |
2022-01-19 | CVE-2021-23842 | Bosch | Use of Hard-coded Credentials vulnerability in Bosch products Communication to the AMC2 uses a state-of-the-art cryptographic algorithm for symmetric encryption called Blowfish. | 7.1 |
2022-01-18 | CVE-2021-4083 | Linux Netapp Debian Oracle | Race Condition vulnerability in multiple products A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. | 7.0 |
171 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-01-19 | CVE-2022-22154 | Juniper | Exposure of Resource to Wrong Sphere vulnerability in Juniper Junos In a Junos Fusion scenario an External Control of Critical State Data vulnerability in the Satellite Device (SD) control state machine of Juniper Networks Junos OS allows an attacker who is able to make physical changes to the cabling of the device to cause a denial of service (DoS). | 6.8 |
2022-01-18 | CVE-2021-34402 | Nvidia | Out-of-bounds Write vulnerability in Nvidia Shield Experience NVIDIA Tegra kernel driver contains a vulnerability in NVIDIA NVDEC, where a user with high privileges might be able to read from or write to a memory location that is outside the intended boundary of the buffer, which may lead to denial of service, Information disclosure, loss of Integrity, or possible escalation of privileges. | 6.7 |
2022-01-19 | CVE-2022-0266 | Livehelperchat | Unspecified vulnerability in Livehelperchat Live Helper Chat Authorization Bypass Through User-Controlled Key in Packagist remdex/livehelperchat prior to 3.92v. | 6.6 |
2022-01-21 | CVE-2022-21708 | Graphql GO Project | Uncontrolled Recursion vulnerability in Graphql-Go Project Graphql-Go 1.0.0/1.1.0/1.2.0 graphql-go is a GraphQL server with a focus on ease of use. | 6.5 |
2022-01-21 | CVE-2021-46243 | Hdfgroup | NULL Pointer Dereference vulnerability in Hdfgroup Hdf5 1.13.11 An untrusted pointer dereference vulnerability exists in HDF5 v1.13.1-1 via the function H5O__dtype_decode_helper () at hdf5/src/H5Odtype.c. | 6.5 |
2022-01-21 | CVE-2021-46244 | Hdfgroup | Divide By Zero vulnerability in Hdfgroup Hdf5 1.13.11 A Divide By Zero vulnerability exists in HDF5 v1.13.1-1 vis the function H5T__complete_copy () at /hdf5/src/H5T.c. | 6.5 |
2022-01-21 | CVE-2020-19860 | Nlnetlabs | Out-of-bounds Read vulnerability in Nlnetlabs Ldns 1.7.1 When ldns version 1.7.1 verifies a zone file, the ldns_rr_new_frm_str_internal function has a heap out of bounds read vulnerability. | 6.5 |
2022-01-20 | CVE-2021-45230 | Apache | Unspecified vulnerability in Apache Airflow In Apache Airflow prior to 2.2.0. | 6.5 |
2022-01-20 | CVE-2022-22733 | Apache | Information Exposure vulnerability in Apache Shardingsphere Elasticjob-Ui 3.0.0 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. | 6.5 |
2022-01-20 | CVE-2022-0277 | Microweber | Unspecified vulnerability in Microweber Incorrect Permission Assignment for Critical Resource in Packagist microweber/microweber prior to 1.2.11. | 6.5 |
2022-01-19 | CVE-2021-46027 | Mysiteforme Project | Cross-Site Request Forgery (CSRF) vulnerability in Mysiteforme Project Mysiteforme mysiteforme, as of 19-12-2022, has a CSRF vulnerability in the background blog management. | 6.5 |
2022-01-19 | CVE-2021-46203 | Taogogo | Path Traversal vulnerability in Taogogo Taocms 3.0.2 Taocms v3.0.2 was discovered to contain an arbitrary file read vulnerability via the path parameter. | 6.5 |
2022-01-19 | CVE-2022-22310 | IBM | Unspecified vulnerability in IBM Websphere Application Server 21.0.0.10/21.0.0.12 IBM WebSphere Application Server Liberty 21.0.0.10 through 21.0.0.12 could provide weaker than expected security. | 6.5 |
2022-01-19 | CVE-2022-22152 | Juniper | Unspecified vulnerability in Juniper Contrail Service Orchestration A Protection Mechanism Failure vulnerability in the REST API of Juniper Networks Contrail Service Orchestration allows one tenant on the system to view confidential configuration details of another tenant on the same system. | 6.5 |
2022-01-19 | CVE-2022-22155 | Juniper | Memory Leak vulnerability in Juniper Junos An Uncontrolled Resource Consumption vulnerability in the handling of IPv6 neighbor state change events in Juniper Networks Junos OS allows an adjacent attacker to cause a memory leak in the Flexible PIC Concentrator (FPC) of an ACX5448 router. | 6.5 |
2022-01-19 | CVE-2022-22160 | Juniper | Unspecified vulnerability in Juniper Junos An Unchecked Error Condition vulnerability in the subscriber management daemon (smgd) of Juniper Networks Junos OS allows an unauthenticated adjacent attacker to cause a crash of and thereby a Denial of Service (DoS). | 6.5 |
2022-01-19 | CVE-2022-22163 | Juniper | Unspecified vulnerability in Juniper Junos An Improper Input Validation vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS allows an adjacent unauthenticated attacker to cause a crash of jdhcpd and thereby a Denial of Service (DoS). | 6.5 |
2022-01-19 | CVE-2022-22166 | Juniper | Improper Validation of Specified Quantity in Input vulnerability in Juniper Junos 20.4/21.1 An Improper Validation of Specified Quantity in Input vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause an rdp crash and thereby a Denial of Service (DoS). | 6.5 |
2022-01-19 | CVE-2022-22168 | Juniper | Unspecified vulnerability in Juniper Junos An Improper Validation of Specified Type of Input vulnerability in the kernel of Juniper Networks Junos OS allows an unauthenticated adjacent attacker to trigger a Missing Release of Memory after Effective Lifetime vulnerability. | 6.5 |
2022-01-19 | CVE-2022-22172 | Juniper | Unspecified vulnerability in Juniper Junos and Junos OS Evolved A Missing Release of Memory after Effective Lifetime vulnerability in the Layer-2 control protocols daemon (l2cpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause a memory leak. | 6.5 |
2022-01-19 | CVE-2022-22176 | Juniper | Improper Input Validation vulnerability in Juniper Junos An Improper Validation of Syntactic Correctness of Input vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS allows an adjacent unauthenticated attacker sending a malformed DHCP packet to cause a crash of jdhcpd and thereby a Denial of Service (DoS). | 6.5 |
2022-01-19 | CVE-2022-22179 | Juniper | Improper Input Validation vulnerability in Juniper Junos A Improper Validation of Specified Index, Position, or Offset in Input vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS allows an adjacent unauthenticated attacker to cause a crash of jdhcpd and thereby a Denial of Service (DoS). | 6.5 |
2022-01-18 | CVE-2022-21693 | Onionshare | Path Traversal vulnerability in Onionshare OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. | 6.5 |
2022-01-18 | CVE-2021-44839 | Deltarm | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Deltarm Delta RM 1.2 An issue was discovered in Delta RM 1.2. | 6.5 |
2022-01-18 | CVE-2021-37864 | Mattermost | Incorrect Authorization vulnerability in Mattermost Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs. | 6.5 |
2022-01-18 | CVE-2021-39942 | Gitlab | Resource Exhaustion vulnerability in Gitlab A denial of service vulnerability in GitLab CE/EE affecting all versions starting from 12.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows low-privileged users to bypass file size limits in the NPM package repository to potentially cause denial of service. | 6.5 |
2022-01-18 | CVE-2022-0090 | Gitlab | Improper Privilege Management vulnerability in Gitlab An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. | 6.5 |
2022-01-18 | CVE-2022-0152 | Gitlab | Missing Authorization vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. | 6.5 |
2022-01-18 | CVE-2022-0172 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.3. | 6.5 |
2022-01-17 | CVE-2021-25037 | Aioseo | Unspecified vulnerability in Aioseo ALL in ONE SEO The All in One SEO WordPress plugin before 4.1.5.3 is affected by an authenticated SQL injection issue, which was discovered during an internal audit by the Jetpack Scan team, and could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords). | 6.5 |
2022-01-20 | CVE-2022-21658 | Rust Lang Fedoraproject Apple | Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. | 6.3 |
2022-01-23 | CVE-2021-45380 | Appcms | Cross-site Scripting vulnerability in Appcms 2.0.101 AppCMS 2.0.101 has a XSS injection vulnerability in \templates\m\inc_head.php | 6.1 |
2022-01-22 | CVE-2022-23808 | Phpmyadmin | Cross-site Scripting vulnerability in PHPmyadmin 5.1.0/5.1.1 An issue was discovered in phpMyAdmin 5.1 before 5.1.2. | 6.1 |
2022-01-21 | CVE-2022-22552 | Dell | Improper Restriction of Rendered UI Layers or Frames vulnerability in Dell EMC Appsync 3.9.0.0/4.2.0.0/4.3.0.0 Dell EMC AppSync versions 3.9 to 4.3 contain a clickjacking vulnerability in AppSync. | 6.1 |
2022-01-21 | CVE-2021-33848 | Fresenius Kabi | Cross-site Scripting vulnerability in Fresenius-Kabi products Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 is vulnerable to reflected cross-site scripting attacks. | 6.1 |
2022-01-21 | CVE-2022-23127 | Mitsubishielectric Iconics | Cross-site Scripting vulnerability in multiple products Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL. | 6.1 |
2022-01-21 | CVE-2022-23728 | Unspecified vulnerability in Google Android Attacker can reset the device with AT Command in the process of rebooting the device. | 6.1 | |
2022-01-20 | CVE-2021-44829 | AFI Solutions | Cross-site Scripting vulnerability in Afi-Solutions Webacms 2.1.0 Cross Site Scripting (XSS) vulnerability exists in index.html in AFI WebACMS through 2.1.0 via the the ID parameter. | 6.1 |
2022-01-19 | CVE-2021-4143 | Bigbluebutton | Unspecified vulnerability in Bigbluebutton Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0. | 6.1 |
2022-01-19 | CVE-2021-26247 | Cacti | Cross-site Scripting vulnerability in Cacti 0.8.7G As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter. | 6.1 |
2022-01-18 | CVE-2022-23083 | Broadcom | Cross-site Scripting vulnerability in Broadcom products NetMaster 12.2 Network Management for TCP/IP and NetMaster File Transfer Management contain a XSS (Cross-Site Scripting) vulnerability in ReportCenter UI due to insufficient input validation that could potentially allow an attacker to execute code on the affected machine. | 6.1 |
2022-01-18 | CVE-2022-0262 | Pimcore | Unspecified vulnerability in Pimcore Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.7. | 6.1 |
2022-01-18 | CVE-2021-44217 | Ericsson | Cross-site Scripting vulnerability in Ericsson Codechecker In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API. | 6.1 |
2022-01-17 | CVE-2021-42357 | Apache | Cross-site Scripting vulnerability in Apache Knox When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. | 6.1 |
2022-01-17 | CVE-2021-33040 | Futurepress | Cross-site Scripting vulnerability in Futurepress Epub.Js managers/views/iframe.js in FuturePress EPub.js before 0.3.89 allows XSS. | 6.1 |
2022-01-17 | CVE-2021-24838 | Bologer | Unspecified vulnerability in Bologer Anycomment The AnyComment WordPress plugin before 0.3.5 has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature. | 6.1 |
2022-01-17 | CVE-2021-24909 | Navz | Unspecified vulnerability in Navz ACF Photo Gallery Field The ACF Photo Gallery Field WordPress plugin before 1.7.5 does not sanitise and escape the post parameter in the includes/acf_photo_gallery_metabox_edit.php file before outputing back in an attribute, leading to a Reflected Cross-Site Scripting issue | 6.1 |
2022-01-17 | CVE-2021-25024 | Theeventscalendar | Unspecified vulnerability in Theeventscalendar Eventcalendar The EventCalendar WordPress plugin before 1.1.51 does not escape some user input before outputting it back in attributes, leading to Reflected Cross-SIte Scripting issues | 6.1 |
2022-01-17 | CVE-2021-3853 | Chaskiq | Unspecified vulnerability in Chaskiq chaskiq is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 6.1 |
2022-01-17 | CVE-2022-0181 | Expresstech | Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master Reflected cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote attacker to inject an arbitrary script via unspecified vectors. | 6.1 |
2022-01-20 | CVE-2021-29785 | IBM | Unspecified vulnerability in IBM Soar IBM Security SOAR V42 and V43could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. | 5.9 |
2022-01-19 | CVE-2022-22169 | Juniper | Unspecified vulnerability in Juniper Junos 15.1/18.3 An Improper Initialization vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an attacker who sends specific packets in certain orders and at specific timings to force OSPFv3 to unexpectedly enter graceful-restart (GR helper mode) even though there is not any Grace-LSA received in OSPFv3 causing a Denial of Service (DoS). | 5.9 |
2022-01-18 | CVE-2021-37865 | Mattermost | Resource Exhaustion vulnerability in Mattermost Mattermost 6.2 and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service. | 5.7 |
2022-01-21 | CVE-2021-46234 | Gpac | NULL Pointer Dereference vulnerability in Gpac 1.1.0 A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_node_unregister () at scenegraph/base_scenegraph.c. | 5.5 |
2022-01-21 | CVE-2021-46236 | Gpac | NULL Pointer Dereference vulnerability in Gpac 1.1.0 A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_sg_vrml_field_pointer_del () at scenegraph/vrml_tools.c. | 5.5 |
2022-01-21 | CVE-2021-46237 | Gpac | NULL Pointer Dereference vulnerability in Gpac 1.1.0 An untrusted pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_node_unregister () at scenegraph/base_scenegraph.c. | 5.5 |
2022-01-21 | CVE-2021-46238 | Gpac | Out-of-bounds Write vulnerability in Gpac 1.1.0 GPAC v1.1.0 was discovered to contain a stack overflow via the function gf_node_get_name () at scenegraph/base_scenegraph.c. | 5.5 |
2022-01-21 | CVE-2021-46239 | Gpac | Use After Free vulnerability in Gpac 1.1.0 The binary MP4Box in GPAC v1.1.0 was discovered to contain an invalid free vulnerability via the function gf_free () at utils/alloc.c. | 5.5 |
2022-01-21 | CVE-2021-46240 | Gpac | NULL Pointer Dereference vulnerability in Gpac 1.1.0 A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_dump_vrml_sffield () at scene_manager/scene_dump.c. | 5.5 |
2022-01-21 | CVE-2021-46311 | Gpac | NULL Pointer Dereference vulnerability in Gpac 1.1.0 A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_sg_destroy_routes () at scenegraph/vrml_route.c. | 5.5 |
2022-01-21 | CVE-2021-46313 | Gpac | Unspecified vulnerability in Gpac 1.1.0 The binary MP4Box in GPAC v1.0.1 was discovered to contain a segmentation fault via the function __memmove_avx_unaligned_erms (). | 5.5 |
2022-01-21 | CVE-2021-23207 | Fresenius Kabi | Insufficiently Protected Credentials vulnerability in Fresenius-Kabi products An attacker with physical access to the host can extract the secrets from the registry and create valid JWT tokens for the Fresenius Kabi Vigilant MasterMed version 2.0.1.3 application and impersonate arbitrary users. | 5.5 |
2022-01-21 | CVE-2022-23129 | Mitsubishielectric Iconics | Cleartext Storage of Sensitive Information vulnerability in multiple products Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. | 5.5 |
2022-01-21 | CVE-2022-23130 | Mitsubishielectric Iconics | Out-of-bounds Read vulnerability in multiple products Buffer Over-read vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.97 and prior and ICONICS Hyper Historian versions 10.97 and prior allows an attacker to cause a DoS condition in the database server by getting a legitimate user to import a configuration file containing specially crafted stored procedures into GENESIS64 or MC Works64 and execute commands against the database from GENESIS64 or MC Works64. | 5.5 |
2022-01-21 | CVE-2022-0319 | VIM Debian Apple | Out-of-bounds Read in vim/vim prior to 8.2. | 5.5 |
2022-01-21 | CVE-2022-0326 | Mruby | Unspecified vulnerability in Mruby NULL Pointer Dereference in Homebrew mruby prior to 3.2. | 5.5 |
2022-01-21 | CVE-2022-22891 | Jerryscript | Unspecified vulnerability in Jerryscript 3.0.0 Jerryscript 3.0.0 was discovered to contain a SEGV vulnerability via ecma_ref_object_inline in /jerry-core/ecma/base/ecma-gc.c. | 5.5 |
2022-01-21 | CVE-2022-22892 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'ecma_is_value_undefined (value) || ecma_is_value_null (value) || ecma_is_value_boolean (value) || ecma_is_value_number (value) || ecma_is_value_string (value) || ecma_is_value_bigint (value) || ecma_is_value_symbol (value) || ecma_is_value_object (value)' failed at jerry-core/ecma/base/ecma-helpers-value.c in Jerryscripts 3.0.0. | 5.5 |
2022-01-20 | CVE-2022-22890 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'arguments_type != SCANNER_ARGUMENTS_PRESENT && arguments_type != SCANNER_ARGUMENTS_PRESENT_NO_REG' failed at /jerry-core/parser/js/js-scanner-util.c in Jerryscript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46322 | Duktape Project | Improper Resource Shutdown or Release vulnerability in Duktape Project Duktape 2.99.99 Duktape v2.99.99 was discovered to contain a SEGV vulnerability via the component duk_push_tval in duktape/duk_api_stack.c. | 5.5 |
2022-01-20 | CVE-2021-46323 | Espruino | Unspecified vulnerability in Espruino 2.11.251 Espruino 2v11.251 was discovered to contain a SEGV vulnerability via src/jsinteractive.c in jsiGetDeviceFromClass. | 5.5 |
2022-01-20 | CVE-2021-46327 | Moddable | Unspecified vulnerability in Moddable SDK 11.5.0 Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsArray.c in fx_Array_prototype_sort. | 5.5 |
2022-01-20 | CVE-2021-46329 | Moddable | Unspecified vulnerability in Moddable SDK 11.5.0 Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via the component _fini. | 5.5 |
2022-01-20 | CVE-2021-46330 | Moddable | Unspecified vulnerability in Moddable SDK 11.5.0 Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsDataView.c in fx_ArrayBuffer_prototype_concat. | 5.5 |
2022-01-20 | CVE-2021-46331 | Moddable | Unspecified vulnerability in Moddable SDK 11.5.0 Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsProxy.c in fxProxyGetPrototype. | 5.5 |
2022-01-20 | CVE-2021-46333 | Moddable | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Moddable SDK 11.5.0 Moddable SDK v11.5.0 was discovered to contain an invalid memory access vulnerability via the component __asan_memmove. | 5.5 |
2022-01-20 | CVE-2021-46335 | Moddable | NULL Pointer Dereference vulnerability in Moddable SDK 11.5.0 Moddable SDK v11.5.0 was discovered to contain a NULL pointer dereference in the component fx_Function_prototype_hasInstance. | 5.5 |
2022-01-20 | CVE-2021-46336 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'opts & PARSER_CLASS_LITERAL_CTOR_PRESENT' failed at /parser/js/js-parser-expr.c(parser_parse_class_body) in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46337 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'page_p != NULL' failed at /parser/js/js-parser-mem.c(parser_list_get) in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46338 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'ecma_is_lexical_environment (object_p)' failed at /base/ecma-helpers.c(ecma_get_lex_env_type) in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46339 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'lit_is_valid_cesu8_string (string_p, string_size)' failed at /base/ecma-helpers-string.c(ecma_new_ecma_string_from_utf8) in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46340 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'context_p->stack_top_uint8 == SCAN_STACK_TRY_STATEMENT || context_p->stack_top_uint8 == SCAN_STACK_CATCH_STATEMENT' failed at /parser/js/js-scanner.c(scanner_scan_statement_end) in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46342 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'ecma_is_lexical_environment (obj_p) || !ecma_op_object_is_fast_array (obj_p)' failed at /jerry-core/ecma/base/ecma-helpers.c in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46343 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'context_p->token.type == LEXER_LITERAL' failed at /jerry-core/parser/js/js-parser-expr.c in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46344 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'flags & PARSER_PATTERN_HAS_REST_ELEMENT' failed at /jerry-core/parser/js/js-parser-expr.c in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46345 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'cesu8_cursor_p == cesu8_end_p' failed at /jerry-core/lit/lit-strings.c in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46346 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46347 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'ecma_object_check_class_name_is_object (obj_p)' failed at /jerry-core/ecma/operations/ecma-objects.c in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46348 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' failed at /jerry-core/ecma/base/ecma-literal-storage.c in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46349 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'type == ECMA_OBJECT_TYPE_GENERAL || type == ECMA_OBJECT_TYPE_PROXY' failed at /jerry-core/ecma/operations/ecma-objects.c in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46350 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'ecma_is_value_object (value)' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2021-46351 | Jerryscript | Reachable Assertion vulnerability in Jerryscript 3.0.0 There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript 3.0.0. | 5.5 |
2022-01-20 | CVE-2022-0219 | Jadx Project | Unspecified vulnerability in Jadx Project Jadx Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2. | 5.5 |
2022-01-20 | CVE-2021-32039 | Mongodb | Insufficiently Protected Credentials vulnerability in Mongodb Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. | 5.5 |
2022-01-20 | CVE-2022-22820 | Linecorp | Improper Input Validation vulnerability in Linecorp Line Due to the lack of media file checks before rendering, it was possible for an attacker to cause abnormal CPU consumption for message recipient by sending specially crafted gif image in LINE for Windows before 7.4. | 5.5 |
2022-01-19 | CVE-2022-21704 | Log4Js Project Debian | log4js-node is a port of log4js to node.js. | 5.5 |
2022-01-19 | CVE-2021-31821 | Octopus | Cleartext Storage of Sensitive Information vulnerability in Octopus Tentacle When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. | 5.5 |
2022-01-18 | CVE-2022-21688 | Onionshare | Out-of-bounds Read vulnerability in Onionshare OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. | 5.5 |
2022-01-18 | CVE-2021-34405 | Nvidia | Unchecked Return Value vulnerability in Nvidia Shield Experience NVIDIA Linux distributions contain a vulnerability in TrustZone’s TEE_Malloc function, where an unchecked return value causing a null pointer dereference may lead to denial of service. | 5.5 |
2022-01-17 | CVE-2022-22703 | Stormshield | Information Exposure Through Log Files vulnerability in Stormshield Network Security 2.0.0/3.0.0 In Stormshield SSO Agent 2.x before 2.1.1 and 3.x before 3.0.2, the cleartext user password and PSK are contained in the log file of the .exe installer. | 5.5 |
2022-01-23 | CVE-2021-4103 | B3Log | Unspecified vulnerability in B3Log Vditor 0.2.0/1.0.0 Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 1.0.34. | 5.4 |
2022-01-22 | CVE-2021-4172 | Showdoc | Unspecified vulnerability in Showdoc Cross-site Scripting (XSS) - Stored in GitHub repository star7th/showdoc prior to 2.10.2. | 5.4 |
2022-01-21 | CVE-2021-33966 | Spotweb Project | Cross-site Scripting vulnerability in Spotweb Project Spotweb 1.4.9 Cross site scripting (XSS) vulnerability in spotweb 1.4.9, allows authenticated attackers to execute arbitrary code via crafted GET request to the login page. | 5.4 |
2022-01-20 | CVE-2021-44091 | Multi Restaurant Table Reservation System Project | Cross-site Scripting vulnerability in Multi Restaurant Table Reservation System Project Multi Restaurant Table Reservation System 1.0 A Cross-Site Scripting (XSS) vulnerability exists in Courcecodester Multi Restaurant Table Reservation System 1.0 in register.php via the (1) fullname, (2) phone, and (3) address parameters. | 5.4 |
2022-01-20 | CVE-2022-0285 | Pimcore | Unspecified vulnerability in Pimcore Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.9. | 5.4 |
2022-01-20 | CVE-2021-3866 | Zulip | Unspecified vulnerability in Zulip Cross-site Scripting (XSS) - Stored in GitHub repository zulip/zulip more than and including 44f935695d452cc3fb16845a0c6af710438b153d and prior to 3eb2791c3e9695f7d37ffe84e0c2184fae665cb6. | 5.4 |
2022-01-20 | CVE-2022-0278 | Microweber | Unspecified vulnerability in Microweber Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11. | 5.4 |
2022-01-20 | CVE-2021-46026 | Mysiteforme | Cross-site Scripting vulnerability in Mysiteforme mysiteforme, as of 19-12-2022, is vulnerable to Cross Site Scripting (XSS) via the add blog tag function in the blog tag in the background blog management. | 5.4 |
2022-01-19 | CVE-2021-46025 | Oneblog Project | Cross-site Scripting vulnerability in Oneblog Project Oneblog A Cross SIte Scripting (XSS) vulnerability exists in OneBlog <= 2.2.8. | 5.4 |
2022-01-19 | CVE-2021-23225 | Cacti Debian | Cross-site Scripting vulnerability in multiple products Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php. | 5.4 |
2022-01-19 | CVE-2021-3816 | Cacti | Cross-site Scripting vulnerability in Cacti 1.1.38 Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php. | 5.4 |
2022-01-19 | CVE-2022-0243 | Orchardcore | Cross-site Scripting vulnerability in Orchardcore Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.Cms.Targets prior to 1.2.2. | 5.4 |
2022-01-19 | CVE-2021-44299 | Naviwebs | Cross-site Scripting vulnerability in Naviwebs Navigate CMS 2.9.4 A reflected cross-site scripting (XSS) vulnerability in \lib\packages\themes\themes.php of Navigate CMS v2.9.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. | 5.4 |
2022-01-19 | CVE-2022-0274 | Orchardcore | Unspecified vulnerability in Orchardcore Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.Cms.Targets prior to 1.2.2. | 5.4 |
2022-01-19 | CVE-2021-46030 | Javaquarkbbs Project | Cross-site Scripting vulnerability in Javaquarkbbs Project Javaquarkbbs There is a Cross Site Scripting attack (XSS) vulnerability in JavaQuarkBBS <= v2. | 5.4 |
2022-01-18 | CVE-2022-21690 | Onionshare | Cross-site Scripting vulnerability in Onionshare OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. | 5.4 |
2022-01-18 | CVE-2021-46005 | CAR Rental Management System Project | Cross-site Scripting vulnerability in CAR Rental Management System Project CAR Rental Management System 1.0 Sourcecodester Car Rental Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via vehicalorcview parameter. | 5.4 |
2022-01-18 | CVE-2021-29872 | IBM | Improper Encoding or Escaping of Output vulnerability in IBM Cloud PAK for Automation IBM Cloud Pak for Automation 21.0.1 and 21.0.2 - Business Automation Studio Component is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. | 5.4 |
2022-01-18 | CVE-2021-39946 | Gitlab | Cross-site Scripting vulnerability in Gitlab Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis | 5.4 |
2022-01-18 | CVE-2021-4074 | I Plugins | Cross-site Scripting vulnerability in I-Plugins Whmcs Bridge The WHMCS Bridge WordPress plugin is vulnerable to Stored Cross-Site Scripting via the cc_whmcs_bridge_url parameter found in the ~/whmcs-bridge/bridge_cp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.1. | 5.4 |
2022-01-18 | CVE-2022-0233 | Metagauss | Cross-site Scripting vulnerability in Metagauss Profilegrid The ProfileGrid – User Profiles, Memberships, Groups and Communities WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the pm_user_avatar and pm_cover_image parameters found in the ~/admin/class-profile-magic-admin.php file which allows attackers with authenticated user access, such as subscribers, to inject arbitrary web scripts into their profile, in versions up to and including 1.2.7. | 5.4 |
2022-01-18 | CVE-2021-38695 | Softvibe | Cross-site Scripting vulnerability in Softvibe Saraban 1.1 SoftVibe SARABAN for INFOMA 1.1 is vulnerable to stored cross-site scripting (XSS) that allows users to store scripts in certain fields (e.g. | 5.4 |
2022-01-18 | CVE-2022-0260 | Pimcore | Unspecified vulnerability in Pimcore Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.7. | 5.4 |
2022-01-17 | CVE-2022-0256 | Pimcore | Unspecified vulnerability in Pimcore pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 5.4 |
2022-01-17 | CVE-2022-0257 | Pimcore | Unspecified vulnerability in Pimcore pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 5.4 |
2022-01-17 | CVE-2022-0253 | Livehelperchat | Cross-site Scripting vulnerability in Livehelperchat livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 5.4 |
2022-01-17 | CVE-2021-25046 | Webnus | Unspecified vulnerability in Webnus Modern Events Calendar Lite The Modern Events Calendar Lite WordPress plugin before 6.2.0 alloed any logged-in user, even a subscriber user, may add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS. | 5.4 |
2022-01-17 | CVE-2021-25061 | Wpbookingsystem | Unspecified vulnerability in Wpbookingsystem WP Booking System The WP Booking System WordPress plugin before 2.0.15 was affected by a reflected xss in wp-booking-system on the wpbs-calendars admin page. | 5.4 |
2022-01-17 | CVE-2021-25065 | Smashballoon | Unspecified vulnerability in Smashballoon Smash Balloon Social Post Feed The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was affected by a reflected XSS in custom-facebook-feed in cff-top admin page. | 5.4 |
2022-01-17 | CVE-2021-25067 | Pluginops | Unspecified vulnerability in Pluginops Landing Page The Landing Page Builder WordPress plugin before 1.4.9.6 was affected by a reflected XSS in page-builder-add on the ulpb_post admin page. | 5.4 |
2022-01-17 | CVE-2021-3857 | Chaskiq | Unspecified vulnerability in Chaskiq chaskiq is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 5.4 |
2022-01-17 | CVE-2022-0182 | Expresstech | Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master Stored cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote authenticated attacker to inject an arbitrary script via an website that uses Quiz And Survey Master. | 5.4 |
2022-01-21 | CVE-2021-23195 | Fresenius Kabi | Information Exposure vulnerability in Fresenius-Kabi products Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 has the option for automated indexing (directory listing) activated. | 5.3 |
2022-01-21 | CVE-2021-33843 | Fresenius Kabi | Missing Authentication for Critical Function vulnerability in Fresenius-Kabi Agilia SP MC Wifi Firmware D25 Fresenius Kabi Agilia SP MC WiFi vD25 and prior has a default configuration page accessible without authentication. | 5.3 |
2022-01-19 | CVE-2022-22164 | Juniper | Improper Initialization vulnerability in Juniper Junos OS Evolved 20.4/21.1/21.2 An Improper Initialization vulnerability in Juniper Networks Junos OS Evolved may cause a commit operation for disabling the telnet service to not take effect as expected, resulting in the telnet service staying enabled. | 5.3 |
2022-01-18 | CVE-2022-21694 | Onionshare | Incorrect Permission Assignment for Critical Resource vulnerability in Onionshare OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. | 5.3 |
2022-01-18 | CVE-2022-21700 | Objectcomputing | Resource Exhaustion vulnerability in Objectcomputing Micronaut Micronaut is a JVM-based, full stack Java framework designed for building JVM web applications with support for Java, Kotlin and the Groovy language. | 5.3 |
2022-01-18 | CVE-2022-21695 | Onionshare | Improper Authentication vulnerability in Onionshare OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. | 5.3 |
2022-01-18 | CVE-2022-0151 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. | 4.9 |
2022-01-18 | CVE-2021-41551 | Leostream | Link Following vulnerability in Leostream Connection Broker 9.0.40.17 Leostream Connection Broker 9.0.40.17 allows administrators to conduct directory traversal attacks by uploading z ZIP file that contains a symbolic link. | 4.9 |
2022-01-19 | CVE-2022-23045 | Phpipam | Cross-site Scripting vulnerability in PHPipam 1.4.4 PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the "Site title" parameter while updating the site settings. | 4.8 |
2022-01-18 | CVE-2022-0210 | Buffercode | Improper Encoding or Escaping of Output vulnerability in Buffercode Random Banner The Random Banner WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the category parameter found in the ~/include/models/model.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.4. | 4.8 |
2022-01-18 | CVE-2022-0232 | Metagauss | Cross-site Scripting vulnerability in Metagauss Leadmagic The User Registration, Login & Landing Pages WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the loader_text parameter found in the ~/includes/templates/landing-page.php file which allows attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.2.7. | 4.8 |
2022-01-17 | CVE-2021-3862 | Icecoder | Unspecified vulnerability in Icecoder icecoder is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 4.8 |
2022-01-17 | CVE-2021-25005 | Seur Oficial Project | Cross-site Scripting vulnerability in Seur Oficial Project Seur Oficial The SEUR Oficial WordPress plugin before 1.7.0 does not sanitize and escape some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 4.8 |
2022-01-18 | CVE-2021-34406 | Nvidia | NULL Pointer Dereference vulnerability in Nvidia Shield Experience NVIDIA Tegra kernel driver contains a vulnerability in NVHost, where a specific race condition can lead to a null pointer dereference, which may lead to a system reboot. | 4.7 |
2022-01-17 | CVE-2022-0183 | Kingjim | Missing Encryption of Sensitive Data vulnerability in Kingjim Mirupass Pw10 Firmware and Mirupass Pw20 Firmware Missing encryption of sensitive data vulnerability in 'MIRUPASS' PW10 firmware all versions and 'MIRUPASS' PW20 firmware all versions allows an attacker who can physically access the device to obtain the stored passwords. | 4.6 |
2022-01-21 | CVE-2021-4032 | Linux | Incomplete Cleanup vulnerability in Linux Kernel A vulnerability was found in the Linux kernel's KVM subsystem in arch/x86/kvm/lapic.c kvm_free_lapic when a failure allocation was detected. | 4.4 |
2022-01-22 | CVE-2022-23807 | Phpmyadmin | Improper Authentication vulnerability in PHPmyadmin An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. | 4.3 |
2022-01-20 | CVE-2021-46028 | Mblog Project | Cross-Site Request Forgery (CSRF) vulnerability in Mblog Project Mblog In mblog <= 3.5.0 there is a CSRF vulnerability in the background article management. | 4.3 |
2022-01-19 | CVE-2021-44777 | Email Tracker Project | Cross-Site Request Forgery (CSRF) vulnerability in Email Tracker Project Email Tracker Cross-Site Request Forgery (CSRF) vulnerabilities leading to single or bulk e-mail entries deletion discovered in Email Tracker WordPress plugin (versions <= 5.2.6). | 4.3 |
2022-01-19 | CVE-2021-44837 | Deltarm | Unspecified vulnerability in Deltarm Delta RM 1.2 An issue was discovered in Delta RM 1.2. | 4.3 |
2022-01-18 | CVE-2022-21692 | Onionshare | Improper Authentication vulnerability in Onionshare OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. | 4.3 |
2022-01-18 | CVE-2022-21673 | Grafana Fedoraproject | Grafana is an open-source platform for monitoring and observability. | 4.3 |
2022-01-18 | CVE-2022-21691 | Onionshare | Missing Authentication for Critical Function vulnerability in Onionshare OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. | 4.3 |
2022-01-18 | CVE-2021-44836 | Deltarm | Authorization Bypass Through User-Controlled Key vulnerability in Deltarm Delta RM 1.2 An issue was discovered in Delta RM 1.2. | 4.3 |
2022-01-18 | CVE-2021-44838 | Deltarm | Unspecified vulnerability in Deltarm Delta RM 1.2 An issue was discovered in Delta RM 1.2. | 4.3 |
2022-01-18 | CVE-2022-21696 | Onionshare | Improper Input Validation vulnerability in Onionshare OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. | 4.3 |
2022-01-18 | CVE-2022-21683 | Torchbox | Information Exposure vulnerability in Torchbox Wagtail Wagtail is a Django based content management system focused on flexibility and user experience. | 4.3 |
2022-01-18 | CVE-2021-37867 | Mattermost | Information Exposure vulnerability in Mattermost Boards 0.10.0 Mattermost Boards plugin v0.10.0 and earlier fails to protect email addresses of all users via one of the Boards APIs, which allows authenticated and unauthorized users to access this information resulting in sensitive & private information disclosure. | 4.3 |
2022-01-18 | CVE-2021-39892 | Gitlab | Unspecified vulnerability in Gitlab In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users. | 4.3 |
2022-01-18 | CVE-2021-39927 | Gitlab | Server-Side Request Forgery (SSRF) vulnerability in Gitlab Server side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.4, between 14.5.0 and 14.5.2, and between 14.6.0 and 14.6.1 would fail to protect against attacks sending requests to localhost on port 80 or 443 if GitLab was configured to run on a port other than 80 or 443 | 4.3 |
2022-01-18 | CVE-2021-41809 | M Files | Server-Side Request Forgery (SSRF) vulnerability in M-Files Server SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, in a preview function allowed making queries from the server with certain document types referencing external entities. | 4.3 |
2022-01-18 | CVE-2022-0093 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. | 4.3 |
2022-01-18 | CVE-2022-0124 | Gitlab | Improper Encoding or Escaping of Output vulnerability in Gitlab An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. | 4.3 |
2022-01-18 | CVE-2022-0125 | Gitlab | Missing Authorization vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. | 4.3 |
2022-01-18 | CVE-2021-4146 | Pimcore | Unspecified vulnerability in Pimcore Business Logic Errors in GitHub repository pimcore/pimcore prior to 10.2.6. | 4.3 |
2022-01-18 | CVE-2022-0245 | Livehelperchat | Unspecified vulnerability in Livehelperchat Cross-Site Request Forgery (CSRF) in GitHub repository livehelperchat/livehelperchat prior to 2.0. | 4.3 |
2022-01-17 | CVE-2021-25025 | Theeventscalendar | Unspecified vulnerability in Theeventscalendar Eventcalendar The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events | 4.3 |
2022-01-17 | CVE-2022-0184 | Kingjim | Insufficiently Protected Credentials vulnerability in Kingjim products Insufficiently protected credentials vulnerability in 'TEPRA' PRO SR5900P Ver.1.080 and earlier and 'TEPRA' PRO SR-R7900P Ver.1.030 and earlier allows an attacker on the adjacent network to obtain credentials for connecting to the Wi-Fi access point with the infrastructure mode. | 4.3 |
2022-01-21 | CVE-2021-4001 | Linux | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Linux Kernel A race condition was found in the Linux kernel's ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c. | 4.1 |
4 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-01-21 | CVE-2021-4016 | Rapid7 | Unspecified vulnerability in Rapid7 Insight Agent Rapid7 Insight Agent, versions prior to 3.1.3, suffer from an improper access control vulnerability whereby, the user has access to the snapshot directory. | 3.3 |
2022-01-17 | CVE-2022-0131 | Jmty | Use of Hard-coded Credentials vulnerability in Jmty Jimoty Jimoty App for Android versions prior to 3.7.42 uses a hard-coded API key for an external service. | 3.3 |
2022-01-18 | CVE-2021-44840 | Deltarm | Missing Authorization vulnerability in Deltarm Delta RM 1.2 An issue was discovered in Delta RM 1.2. | 2.7 |
2022-01-18 | CVE-2021-41808 | M Files | Information Exposure Through Log Files vulnerability in M-Files Server In M-Files Server product with versions before 21.11.10775.0, enabling logging of Federated authentication to event log wrote sensitive information to log. | 2.3 |