Weekly Vulnerabilities Reports > January 24 to 30, 2022

Overview

499 new vulnerabilities reported during this period, including 17 critical vulnerabilities and 86 high severity vulnerabilities. This weekly summary report vulnerabilities in 674 products from 191 vendors including Reolink, Cesanta, Jsish, F5, and Schneider Electric. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "SQL Injection", "Out-of-bounds Write", and "Use After Free".

  • 463 reported vulnerabilities are remotely exploitables.
  • 4 reported vulnerabilities have public exploit available.
  • 152 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 343 reported vulnerabilities are exploitable by an anonymous user.
  • Reolink has the most reported vulnerabilities, with 79 reported vulnerabilities.
  • Advantech has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

17 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-01-28 CVE-2022-22992 Westerndigital Command Injection vulnerability in Westerndigital MY Cloud OS

A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arbitrary system commands on the device.

10.0
2022-01-25 CVE-2021-46089 Jeecg SQL Injection vulnerability in Jeecg Boot 3.0

In JeecgBoot 3.0, there is a SQL injection vulnerability that can operate the database with root privileges.

10.0
2022-01-24 CVE-2020-17383 Telosalliance Path Traversal vulnerability in Telosalliance Z/Ip ONE Firmware

A directory traversal vulnerability on Telos Z/IP One devices through 4.0.0r grants an unauthenticated individual root level access to the device's file system.

10.0
2022-01-28 CVE-2021-40388 Advantech Incorrect Default Permissions vulnerability in Advantech SQ Manager 1.0.6

A privilege escalation vulnerability exists in Advantech SQ Manager Server 1.0.6.

9.3
2022-01-28 CVE-2021-40389 Advantech Incorrect Default Permissions vulnerability in Advantech Deviceon/Iedge 1.0.2

A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iEdge Server 1.0.2.

9.3
2022-01-28 CVE-2021-40396 Advantech Incorrect Default Permissions vulnerability in Advantech Deviceon/Iservice 1.1.7

A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iService 1.1.7.

9.3
2022-01-28 CVE-2021-40397 Advantech Incorrect Default Permissions vulnerability in Advantech Wise-Paas/Ota 3.0.9

A privilege escalation vulnerability exists in the installation of Advantech WISE-PaaS/OTA Server 3.0.9.

9.3
2022-01-25 CVE-2021-45341 Librecad
Fedoraproject
Debian
Classic Buffer Overflow vulnerability in multiple products

A buffer overflow vulnerability in CDataMoji of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.

9.3
2022-01-28 CVE-2020-28884 Liferay OS Command Injection vulnerability in Liferay Portal 7.2/7.3.5

Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection.

9.0
2022-01-28 CVE-2020-28885 Liferay OS Command Injection vulnerability in Liferay Portal 7.2/7.3.5

** DISPUTED ** Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection.

9.0
2022-01-26 CVE-2021-32849 Gerapy Command Injection vulnerability in Gerapy

Gerapy is a distributed crawler management framework.

9.0
2022-01-25 CVE-2021-36295 Dell OS Command Injection vulnerability in Dell EMC Unity Operating Environment

Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain an authenticated remote code execution vulnerability.

9.0
2022-01-25 CVE-2021-36296 Dell OS Command Injection vulnerability in Dell EMC Unity Operating Environment

Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain an authenticated remote code execution vulnerability.

9.0
2022-01-25 CVE-2021-36347 Dell Out-of-bounds Write vulnerability in Dell products

iDRAC9 versions prior to 5.00.20.00 and iDRAC8 versions prior to 2.82.82.82 contain a stack-based buffer overflow vulnerability.

9.0
2022-01-25 CVE-2022-23009 F5 Incorrect Authorization vulnerability in F5 Big-Iq Centralized Management 8.0.0

On BIG-IQ Centralized Management 8.x before 8.1.0, an authenticated administrative role user on a BIG-IQ managed BIG-IP device can access other BIG-IP devices managed by the same BIG-IQ system.

9.0
2022-01-24 CVE-2021-44981 Quickbox Improper Privilege Management vulnerability in Quickbox

In QuickBox Pro v2.5.8 and below, the config.php file has a variable which takes a GET parameter value and parses it into a shell_exec(''); function without properly sanitizing any shell arguments, therefore remote code execution is possible.

9.0
2022-01-24 CVE-2022-23858 Starwindsoftware Unspecified vulnerability in Starwindsoftware Command Center 2

In StarWind Command Center before V2 build 6021, an authenticated read-only user can elevate privileges to administrator through the REST API.

9.0

86 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-01-28 CVE-2022-22993 Westerndigital Server-Side Request Forgery (SSRF) vulnerability in Westerndigital MY Cloud OS

A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls.

8.3
2022-01-25 CVE-2021-34865 Netgear Improper Authentication vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of multiple NETGEAR routers.

8.3
2022-01-28 CVE-2021-44384 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

7.8
2022-01-28 CVE-2021-22816 Schneider Electric Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products

A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause a Denial of Service of the RTU when receiving a specially crafted request over Modbus, and the RTU is configured as a Modbus server.

7.8
2022-01-28 CVE-2021-40406 Reolink Resource Exhaustion vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi session creation functionality of reolink RLC-410W v3.0.0.136_20121102.

7.8
2022-01-28 CVE-2021-40423 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi API command parser functionality of Reolink RLC-410W v3.0.0.136_20121102.

7.8
2022-01-28 CVE-2022-21801 Reolink Resource Exhaustion vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the netserver recv_command functionality of reolink RLC-410W v3.0.0.136_20121102.

7.8
2022-01-26 CVE-2022-23968 Xerox Infinite Loop vulnerability in Xerox Versalink Firmware

Xerox VersaLink devices on specific versions of firmware before 2022-01-26 allow remote attackers to brick the device via a crafted TIFF file in an unauthenticated HTTP POST request.

7.8
2022-01-25 CVE-2021-45844 Freecadweb
Debian
OS Command Injection vulnerability in multiple products

Improper sanitization in the invocation of ODA File Converter from FreeCAD 0.19 allows an attacker to inject OS commands via a crafted filename.

7.6
2022-01-25 CVE-2022-23935 Exiftool Project Command Injection vulnerability in Exiftool Project Exiftool

lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection.

7.6
2022-01-30 CVE-2022-0339 Calibre WEB Project Server-Side Request Forgery (SSRF) vulnerability in Calibre-Web Project Calibre-Web

Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.

7.5
2022-01-30 CVE-2021-46660 Signiant XXE vulnerability in Signiant Manager+Agents

Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks.

7.5
2022-01-28 CVE-2021-23484 ZIP Local Project Exposure of Resource to Wrong Sphere vulnerability in Zip-Local Project Zip-Local

The package zip-local before 0.3.5 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) which can lead to an extraction of a crafted file outside the intended extraction directory.

7.5
2022-01-28 CVE-2021-23558 Bmoor Project Unspecified vulnerability in Bmoor Project Bmoor

The package bmoor before 0.10.1 are vulnerable to Prototype Pollution due to missing sanitization in set function.

7.5
2022-01-28 CVE-2021-23760 Keyget Project Unspecified vulnerability in Keyget Project Keyget

The package keyget from 0.0.0 are vulnerable to Prototype Pollution via the methods set, push, and at which could allow an attacker to cause a denial of service and may lead to remote code execution.

7.5
2022-01-28 CVE-2021-46444 HHG Multistore SQL Injection vulnerability in Hhg-Multistore Multistore 4.10.3/5.1.0

H.H.G Multistore v5.1.0 and below was discovered to contain a SQL injection vulnerability via /admin/admin.php?module=admin_group_edit&agID.

7.5
2022-01-28 CVE-2021-46445 HHG Multistore SQL Injection vulnerability in Hhg-Multistore Multistore 4.10.3/5.1.0

H.H.G Multistore v5.1.0 and below was discovered to contain a SQL injection vulnerability via /admin/categories.php?box_group_id.

7.5
2022-01-28 CVE-2021-46446 HHG Multistore SQL Injection vulnerability in Hhg-Multistore Multistore 4.10.3/5.1.0

H.H.G Multistore v5.1.0 and below was discovered to contain a SQL injection vulnerability via /admin/admin.php?module=admin_access_group_edit&aagID.

7.5
2022-01-28 CVE-2021-46448 HHG Multistore SQL Injection vulnerability in Hhg-Multistore Multistore 4.10.3/5.1.0

H.H.G Multistore v5.1.0 and below was discovered to contain a SQL injection vulnerability via /admin/customers.php?page=1&cID.

7.5
2022-01-28 CVE-2021-22820 Schneider Electric Insufficient Session Expiration vulnerability in Schneider-Electric products

A CWE-614 Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain an unauthorized access over a hijacked session to the charger station web server even after the legitimate user account holder has changed his password.

7.5
2022-01-28 CVE-2021-40407 Reolink OS Command Injection vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102.

7.5
2022-01-28 CVE-2021-40408 Reolink OS Command Injection vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102.

7.5
2022-01-28 CVE-2021-40409 Reolink OS Command Injection vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102.

7.5
2022-01-28 CVE-2022-21217 Reolink Out-of-bounds Write vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

An out-of-bounds write vulnerability exists in the device TestEmail functionality of reolink RLC-410W v3.0.0.136_20121102.

7.5
2022-01-28 CVE-2022-22994 Westerndigital Insufficient Verification of Data Authenticity vulnerability in Westerndigital MY Cloud OS

A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call.

7.5
2022-01-28 CVE-2021-41609 Classapps SQL Injection vulnerability in Classapps Selectsurvey.Net

SQL injection in the ID parameter of the UploadedImageDisplay.aspx endpoint of SelectSurvey.NET before 5.052.000 allows a remote, unauthenticated attacker to retrieve data from the application's backend database via boolean-based blind and UNION injection.

7.5
2022-01-28 CVE-2021-44971 Tenda Improper Authentication vulnerability in Tenda Ac15 Firmware and AC5 Firmware

Multiple Tenda devices are affected by authentication bypass, such as AC15V1.0 Firmware V15.03.05.20_multi?AC5V1.0 Firmware V15.03.06.48_multi and so on.

7.5
2022-01-28 CVE-2021-45898 Salesagility Unspecified vulnerability in Salesagility Suitecrm

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion.

7.5
2022-01-28 CVE-2021-45899 Salesagility Deserialization of Untrusted Data vulnerability in Salesagility Suitecrm

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.

7.5
2022-01-28 CVE-2022-22294 Zfaka Project SQL Injection vulnerability in Zfaka Project Zfaka

A SQL injection vulnerability exists in ZFAKA<=1.43 which an attacker can use to complete SQL injection in the foreground and add a background administrator account.

7.5
2022-01-28 CVE-2020-25905 Mobile Shop System Project SQL Injection vulnerability in Mobile Shop System Project Mobile Shop System 1.0

An SQL Injection vulnerabilty exists in Sourcecodester Mobile Shop System in PHP MySQL 1.0 via the email parameter in (1) login.php or (2) LoginAsAdmin.php.

7.5
2022-01-28 CVE-2021-44249 Online Motorcycle Bike Rental System Project SQL Injection vulnerability in Online Motorcycle (Bike) Rental System Project Online Motorcycle (Bike) Rental System 1.0

Online Motorcycle (Bike) Rental System 1.0 is vulnerable to a Blind Time-Based SQL Injection attack within the login portal.

7.5
2022-01-28 CVE-2021-45435 Simple Cold Storage Management System Project SQL Injection vulnerability in Simple Cold Storage Management System Project Simple Cold Storage Management System 1.0

An SQL Injection vulnerability exists in Sourcecodester Simple Cold Storage Management System using PHP/OOP 1.0 via the username field in login.php.

7.5
2022-01-27 CVE-2021-46427 Simple Chatbot Application Project SQL Injection vulnerability in Simple Chatbot Application Project Simple Chatbot Application 1.0

An SQL Injection vulnerability exists in Sourcecodester Simple Chatbot Application 1.0 via the message parameter in Master.php.

7.5
2022-01-27 CVE-2021-46428 Simple Chatbot Application Project Unrestricted Upload of File with Dangerous Type vulnerability in Simple Chatbot Application Project Simple Chatbot Application 1.0

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Simple Chatbot Application 1.0 ( and previous versions via the bot_avatar parameter in SystemSettings.php.

7.5
2022-01-27 CVE-2021-46377 Cskaza SQL Injection vulnerability in Cskaza Cszcms 1.2.9

There is a front-end sql injection vulnerability in cszcms 1.2.9 via cszcms/controllers/Member.php#viewUser

7.5
2022-01-26 CVE-2021-32840 Sharpziplib Project Path Traversal vulnerability in Sharpziplib Project Sharpziplib

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library.

7.5
2022-01-26 CVE-2022-23967 Tightvnc Out-of-bounds Write vulnerability in Tightvnc 1.3.10

In TightVNC 1.3.10, there is an integer signedness error and resultant heap-based buffer overflow in InitialiseRFBConnection in rfbproto.c (for the vncviewer component).

7.5
2022-01-26 CVE-2022-21686 Prestashop Code Injection vulnerability in Prestashop

PrestaShop is an Open Source e-commerce platform.

7.5
2022-01-26 CVE-2022-23990 Libexpat Project
Tenable
Oracle
Debian
Fedoraproject
Integer Overflow or Wraparound vulnerability in multiple products

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

7.5
2022-01-26 CVE-2021-46386 Mingsoft Unrestricted Upload of File with Dangerous Type vulnerability in Mingsoft Mcms 4.6.5/5.2.4/5.2.5

https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: File Upload.

7.5
2022-01-26 CVE-2022-0362 Showdoc SQL Injection vulnerability in Showdoc

SQL Injection in Packagist showdoc/showdoc prior to 2.10.3.

7.5
2022-01-26 CVE-2021-46560 Moxa Command Injection vulnerability in Moxa Tn-5900 Firmware 3.1

The firmware on Moxa TN-5900 devices through 3.1 allows command injection that could lead to device damage.

7.5
2022-01-25 CVE-2021-36294 Dell Use of Insufficiently Random Values vulnerability in Dell EMC Unity Operating Environment

Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain an authentication bypass vulnerability.

7.5
2022-01-25 CVE-2022-0332 Moodle SQL Injection vulnerability in Moodle

A flaw was found in Moodle in versions 3.11 to 3.11.4.

7.5
2022-01-25 CVE-2021-46033 Forestblog Project Unrestricted Upload of File with Dangerous Type vulnerability in Forestblog Project Forestblog

In ForestBlog, as of 2021-12-28, File upload can bypass verification.

7.5
2022-01-25 CVE-2021-45029 Apache Code Injection vulnerability in Apache Shenyu 2.4.0/2.4.1

Groovy Code Injection & SpEL Injection which lead to Remote Code Execution.

7.5
2022-01-25 CVE-2021-45802 Iresturant Project SQL Injection vulnerability in Iresturant Project Iresturant 1.0

MartDevelopers iResturant 1.0 is vulnerable to SQL Injection.

7.5
2022-01-24 CVE-2021-43394 Unisys Improper Authentication vulnerability in Unisys Messaging Integration Services

Unisys OS 2200 Messaging Integration Services (NTSI) 7R3B IC3 and IC4, 7R3C, and 7R3D has an Incorrect Implementation of an Authentication Algorithm.

7.5
2022-01-24 CVE-2021-46451 Online Project Time Management System Project SQL Injection vulnerability in Online Project Time Management System Project Online Project Time Management System 1.0

An SQL Injection vulnerabilty exists in Sourcecodester Online Project Time Management System 1.0 via the pid parameter in the load_file function.

7.5
2022-01-24 CVE-2021-41928 TRY MY Recipe Project SQL Injection vulnerability in TRY MY Recipe Project TRY MY Recipe 1.0

SQL injection in Sourcecodester Try My Recipe (Recipe Sharing Website - CMS) 1.0 by oretnom23, allows attackers to execute arbitrary code via the rid parameter to the view_recipe page.

7.5
2022-01-24 CVE-2021-43420 Online Payment HUB Project SQL Injection vulnerability in Online Payment HUB Project Online Payment HUB 1.0

SQL injection vulnerability in Login.php in Sourcecodester Online Payment Hub v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter.

7.5
2022-01-24 CVE-2022-23126 Teslamate Project Improper Authentication vulnerability in Teslamate Project Teslamate

TeslaMate before 1.25.1 (when using the default Docker configuration) allows attackers to open doors of Tesla vehicles, start Keyless Driving, and interfere with vehicle operation en route.

7.5
2022-01-24 CVE-2021-41659 Banking System Project SQL Injection vulnerability in Banking System Project Banking System 1.0

SQL injection vulnerability in Sourcecodester Banking System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username or password field.

7.5
2022-01-24 CVE-2021-41660 Patient Appointment Scheduler System Project SQL Injection vulnerability in Patient Appointment Scheduler System Project Patient Appointment Scheduler System 1.0

SQL injection vulnerability in Sourcecodester Patient Appointment Scheduler System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username and password fields to login.php.

7.5
2022-01-24 CVE-2021-41471 South Gate INN Online Reservation System Project SQL Injection vulnerability in South Gate INN Online Reservation System Project South Gate INN Online Reservation System 1.0

SQL injection vulnerability in Sourcecodester South Gate Inn Online Reservation System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the email and Password parameters.

7.5
2022-01-24 CVE-2021-41472 Simple Membership System Using PHP AND Ajax Project SQL Injection vulnerability in Simple Membership System Using PHP and Ajax Project Simple Membership System Using PHP and Ajax 1.0

SQL injection vulnerability in Sourcecodester Simple Membership System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username and password parameters.

7.5
2022-01-24 CVE-2021-40596 Online Learning System Project SQL Injection vulnerability in Online Learning System Project Online Learning System 2.0

SQL injection vulnerability in Login.php in sourcecodester Online Learning System v2 by oretnom23, allows attackers to execute arbitrary SQL commands via the faculty_id parameter.

7.5
2022-01-24 CVE-2021-40907 Storage Unit Rental Management System Project SQL Injection vulnerability in Storage Unit Rental Management System Project Storage Unit Rental Management System 1.0

SQL injection vulnerability in Sourcecodester Storage Unit Rental Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter to /storage/classes/Login.php.

7.5
2022-01-24 CVE-2021-40908 Purchase Order Management System Project SQL Injection vulnerability in Purchase Order Management System Project Purchase Order Management System 1.0

SQL injection vulnerability in Login.php in Sourcecodester Purchase Order Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter.

7.5
2022-01-24 CVE-2022-23852 Libexpat Project
Netapp
Tenable
Oracle
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

7.5
2022-01-24 CVE-2022-23855 Saviynt Improper Authentication vulnerability in Saviynt Enterprise Identity Cloud

An issue was discovered in Saviynt Enterprise Identity Cloud (EIC) 5.5 SP2.x.

7.5
2022-01-24 CVE-2021-26706 Micrium Integer Overflow or Wraparound vulnerability in Micrium Uc/Lib

An issue was discovered in lib_mem.c in Micrium uC/OS uC/LIB 1.38.x and 1.39.00.

7.5
2022-01-24 CVE-2021-30636 Mediatek Integer Overflow or Wraparound vulnerability in Mediatek Linkit Software Development KIT

In MediaTek LinkIt SDK before 4.6.1, there is a possible memory corruption due to an integer overflow during mishandled memory allocation by pvPortCalloc and pvPortRealloc.

7.5
2022-01-28 CVE-2021-44463 Emerson Uncontrolled Search Path Element vulnerability in Emerson products

Missing DLLs, if replaced by an insider, could allow an attacker to achieve local privilege escalation on the DeltaV Distributed Control System Controllers and Workstations (All versions) when some DeltaV services are started.

7.2
2022-01-28 CVE-2021-4034 Polkit Project
Redhat
Canonical
Suse
Out-of-bounds Write vulnerability in multiple products

A local privilege escalation vulnerability was found on polkit's pkexec utility.

7.2
2022-01-26 CVE-2021-22600 Linux Double Free vulnerability in Linux Kernel

A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service.

7.2
2022-01-26 CVE-2022-21944 Opensuse Link Following vulnerability in Opensuse Factory Watchman

A UNIX Symbolic Link (Symlink) Following vulnerability in the systemd service file for watchman of openSUSE Backports SLE-15-SP3, Factory allows local attackers to escalate to root.

7.2
2022-01-25 CVE-2021-34866 Linux
Netapp
Type Confusion vulnerability in multiple products

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.14-rc3.

7.2
2022-01-25 CVE-2021-34867 Parallels Uncontrolled Memory Allocation vulnerability in Parallels 16.1.349160

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3-49160.

7.2
2022-01-25 CVE-2021-34868 Parallels Uncontrolled Memory Allocation vulnerability in Parallels 16.1.349160

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3-49160.

7.2
2022-01-25 CVE-2021-34869 Parallels Uncontrolled Memory Allocation vulnerability in Parallels 16.1.349160

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3-49160.

7.2
2022-01-24 CVE-2021-36342 Dell Improper Input Validation vulnerability in Dell products

Dell BIOS contains an improper input validation vulnerability.

7.2
2022-01-24 CVE-2021-36343 Dell Improper Input Validation vulnerability in Dell products

Dell BIOS contains an improper input validation vulnerability.

7.2
2022-01-24 CVE-2021-43589 Dell OS Command Injection vulnerability in Dell products

Dell EMC Unity, Dell EMC UnityVSA and Dell EMC Unity XT versions prior to 5.1.2.0.5.007 contain an operating system (OS) command injection Vulnerability.

7.2
2022-01-25 CVE-2022-23010 F5 Improper Resource Shutdown or Release vulnerability in F5 products

On BIG-IP versions 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile and an HTTP profile are configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization.

7.1
2022-01-25 CVE-2022-23012 F5 Double Free vulnerability in F5 products

On BIG-IP versions 15.1.x before 15.1.4.1 and 14.1.x before 14.1.4.5, when the HTTP/2 profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

7.1
2022-01-25 CVE-2022-23015 F5 Resource Exhaustion vulnerability in F5 products

On BIG-IP versions 16.x before 16.1.0, 15.1.x before 15.1.4.1, and 14.1.2.6-14.1.4.4, when a Client SSL profile is configured on a virtual server with Client Certificate Authentication set to request/require and Session Ticket enabled and configured, processing SSL traffic can cause an increase in memory resource utilization.

7.1
2022-01-25 CVE-2022-23016 F5 NULL Pointer Dereference vulnerability in F5 products

On versions 16.1.x before 16.1.2 and 15.1.x before 15.1.4.1, when BIG-IP SSL Forward Proxy with TLS 1.3 is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

7.1
2022-01-25 CVE-2022-23017 F5 NULL Pointer Dereference vulnerability in F5 products

On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when a virtual server is configured with a DNS profile with the Rapid Response Mode setting enabled and is configured on a BIG-IP system, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

7.1
2022-01-25 CVE-2022-23018 F5 Improper Handling of Exceptional Conditions vulnerability in F5 Big-Ip Advanced Firewall Manager

On BIG-IP AFM version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and 13.1.x beginning in 13.1.3.4, when a virtual server is configured with both HTTP protocol security and HTTP Proxy Connect profiles, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

7.1
2022-01-25 CVE-2022-23019 F5 Improper Input Validation vulnerability in F5 products

On BIG-IP version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x and 12.1.x, when a message routing type virtual server is configured with both Diameter Session and Router Profiles, undisclosed traffic can cause an increase in memory resource utilization.

7.1
2022-01-25 CVE-2022-23020 F5 NULL Pointer Dereference vulnerability in F5 products

On BIG-IP version 16.1.x before 16.1.2, when the 'Respond on Error' setting is enabled on the Request Logging profile and configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

7.1
2022-01-25 CVE-2022-23021 F5 NULL Pointer Dereference vulnerability in F5 products

On BIG-IP version 16.1.x before 16.1.2, when any of the following configurations are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate: HTTP redirect rule in an LTM policy, BIG-IP APM Access Profile, and Explicit HTTP Proxy in HTTP Profile.

7.1
2022-01-25 CVE-2022-23022 F5 NULL Pointer Dereference vulnerability in F5 products

On BIG-IP version 16.1.x before 16.1.2, when an HTTP profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

7.1
2022-01-24 CVE-2022-23437 Apache XML Injection (aka Blind XPath Injection) vulnerability in Apache Xerces-J

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads.

7.1

348 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-01-29 CVE-2022-24122 Linux
Netapp
Fedoraproject
Use After Free vulnerability in multiple products

kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when unprivileged user namespaces are enabled, allows a use-after-free and privilege escalation because a ucounts object can outlive its namespace.

6.9
2022-01-26 CVE-2021-45975 Acer Untrusted Search Path vulnerability in Acer Care Center

In ListCheck.exe in Acer Care Center 4.x before 4.00.3038, a vulnerability in the loading mechanism of Windows DLLs could allow a local attacker to perform a DLL hijacking attack.

6.9
2022-01-30 CVE-2022-0408 VIM
Fedoraproject
Debian
Stack-based Buffer Overflow vulnerability in multiple products

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

6.8
2022-01-30 CVE-2022-0413 VIM
Fedoraproject
Use After Free vulnerability in multiple products

Use After Free in GitHub repository vim/vim prior to 8.2.

6.8
2022-01-30 CVE-2022-0407 VIM Heap-based Buffer Overflow vulnerability in VIM

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

6.8
2022-01-29 CVE-2022-24123 Marktext Cross-site Scripting vulnerability in Marktext

MarkText through 0.16.3 does not sanitize the input of a mermaid block before rendering.

6.8
2022-01-28 CVE-2021-44358 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44359 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44360 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44361 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44362 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44363 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44364 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44365 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44367 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44368 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44369 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44370 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44371 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44372 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44373 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44374 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44376 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44377 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44378 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44379 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44380 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44381 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44382 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44383 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44385 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44386 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44387 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44388 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44389 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44390 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44391 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44392 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44393 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44395 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44396 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44397 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44398 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44399 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44400 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44401 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44402 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44403 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44404 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44405 Reolink Unspecified vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44406 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44407 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44408 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44409 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44410 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44411 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44412 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44413 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44414 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44415 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44416 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44417 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44418 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2021-44419 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-28 CVE-2022-0392 VIM Heap-based Buffer Overflow vulnerability in VIM

Heap-based Buffer Overflow in GitHub repository vim prior to 8.2.

6.8
2022-01-28 CVE-2022-23888 Yzmcms Cross-Site Request Forgery (CSRF) vulnerability in Yzmcms 6.3

YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgey (CSRF) via the component /yzmcms/comment/index/init.html.

6.8
2022-01-28 CVE-2016-3735 Piwigo Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Piwigo

Piwigo is image gallery software written in PHP.

6.8
2022-01-28 CVE-2021-22724 SE Cross-Site Request Forgery (CSRF) vulnerability in SE products

A CVE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server.

6.8
2022-01-28 CVE-2021-22725 SE Cross-Site Request Forgery (CSRF) vulnerability in SE products

A CVE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server.

6.8
2022-01-28 CVE-2021-22807 Schneider Electric Out-of-bounds Write vulnerability in Schneider-Electric Guicon 2.0

A CWE-787: Out-of-bounds Write vulnerability exists that could cause arbitrary code execution when a malicious *.gd1 configuration file is loaded into the GUIcon tool.

6.8
2022-01-28 CVE-2021-22808 Schneider Electric Use After Free vulnerability in Schneider-Electric Guicon 2.0

A CWE-416: Use After Free vulnerability exists that could cause arbitrary code execution when a malicious *.gd1 configuration file is loaded into the GUIcon tool.

6.8
2022-01-28 CVE-2021-22826 Schneider Electric Improper Input Validation vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert

A CWE-20: Improper Input Validation vulnerability exists that could cause arbitrary code execution when the user visits a page containing the injected payload.

6.8
2022-01-28 CVE-2021-22827 Schneider Electric Improper Input Validation vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert

A CWE-20: Improper Input Validation vulnerability exists that could cause arbitrary code execution when the user visits a page containing the injected payload.

6.8
2022-01-28 CVE-2021-31567 Wpchill Information Exposure vulnerability in Wpchill Download Monitor

Authenticated (admin+) Arbitrary File Download vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6).

6.8
2022-01-28 CVE-2021-40415 Reolink Incorrect Default Permissions vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102.

6.8
2022-01-27 CVE-2021-46509 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a stack overflow via snquote at mjs/src/mjs_json.c.

6.8
2022-01-27 CVE-2021-46513 Cesanta Classic Buffer Overflow vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a global buffer overflow via mjs_mk_string at mjs/src/mjs_string.c.

6.8
2022-01-27 CVE-2021-46518 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via mjs_disown at src/mjs_core.c.

6.8
2022-01-27 CVE-2021-46519 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via mjs_array_length at src/mjs_array.c.

6.8
2022-01-27 CVE-2021-46520 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via mjs_jprintf at src/mjs_util.c.

6.8
2022-01-27 CVE-2021-46521 Cesanta Classic Buffer Overflow vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a global buffer overflow via c_vsnprintf at mjs/src/common/str_util.c.

6.8
2022-01-27 CVE-2021-46522 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via /usr/lib/x86_64-linux-gnu/libasan.so.4+0xaff53.

6.8
2022-01-27 CVE-2021-46523 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via to_json_or_debug at mjs/src/mjs_json.c.

6.8
2022-01-27 CVE-2021-46524 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via snquote at mjs/src/mjs_json.c.

6.8
2022-01-27 CVE-2021-46525 Cesanta Use After Free vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a heap-use-after-free via mjs_apply at src/mjs_exec.c.

6.8
2022-01-27 CVE-2021-46526 Cesanta Classic Buffer Overflow vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a global buffer overflow via snquote at src/mjs_json.c.

6.8
2022-01-27 CVE-2021-46527 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via mjs_get_cstring at src/mjs_string.c.

6.8
2022-01-26 CVE-2022-0368 VIM
Debian
Opensuse
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.

6.8
2022-01-26 CVE-2022-0361 VIM
Debian
Heap-based Buffer Overflow vulnerability in multiple products

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

6.8
2022-01-26 CVE-2021-44122 Spip Cross-Site Request Forgery (CSRF) vulnerability in Spip 4.0.0

SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php.

6.8
2022-01-26 CVE-2022-0359 VIM
Debian
Heap-based Buffer Overflow vulnerability in multiple products

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

6.8
2022-01-26 CVE-2021-41766 Apache Deserialization of Untrusted Data vulnerability in Apache Karaf

Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX).

6.8
2022-01-25 CVE-2021-40158 Autodesk Out-of-bounds Read vulnerability in Autodesk products

A maliciously crafted JT file in Autodesk Inventor 2022, 2021, 2020, 2019 may be forced to read beyond allocated boundaries when parsing the JT file.

6.8
2022-01-25 CVE-2021-40159 Autodesk Information Exposure vulnerability in Autodesk Inventor

An Information Disclosure vulnerability for JT files in Autodesk Inventor 2022, 2021, 2020, 2019 may lead to code execution through maliciously crafted JT files.

6.8
2022-01-25 CVE-2021-40167 Autodesk Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Autodesk Design Review

A malicious crafted dwf file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by read access violation.

6.8
2022-01-25 CVE-2021-41598 Github Unspecified vulnerability in Github Enterprise Server

A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval.

6.8
2022-01-25 CVE-2022-0335 Moodle Cross-Site Request Forgery (CSRF) vulnerability in Moodle

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions.

6.8
2022-01-25 CVE-2022-23014 F5 Improper Input Validation vulnerability in F5 Big-Ip Access Policy Manager

On versions 16.1.x before 16.1.2 and 15.1.x before 15.1.4.1, when BIG-IP APM portal access is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

6.8
2022-01-25 CVE-2021-45342 Librecad
Fedoraproject
Debian
Classic Buffer Overflow vulnerability in multiple products

A buffer overflow vulnerability in CDataList of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.

6.8
2022-01-25 CVE-2021-45845 Freecadweb OS Command Injection vulnerability in Freecadweb Freecad 0.19

The Path Sanity Check script of FreeCAD 0.19 is vulnerable to OS command injection, allowing an attacker to execute arbitrary commands via a crafted FCStd document.

6.8
2022-01-25 CVE-2021-44988 Jerryscript Out-of-bounds Write vulnerability in Jerryscript 3.0.0

Jerryscript v3.0.0 and below was discovered to contain a stack overflow via ecma_find_named_property in ecma-helpers.c.

6.8
2022-01-25 CVE-2021-46482 Jsish Out-of-bounds Write vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap buffer overflow via NumberConstructor at src/jsiNumber.c.

6.8
2022-01-25 CVE-2021-46483 Jsish Out-of-bounds Write vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap buffer overflow via BooleanConstructor at src/jsiBool.c.

6.8
2022-01-24 CVE-2021-40909 PHP Crud Without Refresh Reload Using Ajax AND Datatables Tutorial Project SQL Injection vulnerability in PHP Crud Without Refresh/Reload Using Ajax and Datatables Tutorial Project PHP Crud Without Refresh/Reload Using Ajax and Datatables Tutorial 1.0

Cross site scripting (XSS) vulnerability in sourcecodester PHP CRUD without Refresh/Reload using Ajax and DataTables Tutorial v1 by oretnom23, allows remote attackers to execute arbitrary code via the first_name, last_name, and email parameters to /ajax_crud.

6.8
2022-01-24 CVE-2021-24696 Tipsandtricks HQ Cross-Site Request Forgery (CSRF) vulnerability in Tipsandtricks-Hq Simple Download Monitor

The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remove thumbnail image from downloads

6.8
2022-01-24 CVE-2021-25073 Webmaster Source Cross-Site Request Forgery (CSRF) vulnerability in Webmaster-Source Wp125

The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in various action, for example when deleting an ad, allowing attackers to make a logged in admin delete them via a CSRF attack

6.8
2022-01-28 CVE-2021-40410 Reolink OS Command Injection vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102.

6.5
2022-01-28 CVE-2021-40411 Reolink OS Command Injection vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102.

6.5
2022-01-28 CVE-2021-40412 Reolink OS Command Injection vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

An OScommand injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102.

6.5
2022-01-28 CVE-2021-40413 Reolink Incorrect Default Permissions vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102.

6.5
2022-01-28 CVE-2021-40414 Reolink Incorrect Default Permissions vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102.

6.5
2022-01-28 CVE-2021-40416 Reolink Incorrect Default Permissions vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102.

6.5
2022-01-28 CVE-2021-45897 Salesagility Unspecified vulnerability in Salesagility Suitecrm

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution.

6.5
2022-01-27 CVE-2021-46097 Dolphinphp Unrestricted Upload of File with Dangerous Type vulnerability in Dolphinphp 1.5.0

Dolphinphp v1.5.0 contains a remote code execution vulnerability in /application/common.php#action_log

6.5
2022-01-27 CVE-2021-46088 Zabbix Unspecified vulnerability in Zabbix

Zabbix 4.0 LTS, 4.2, 4.4, and 5.0 LTS is vulnerable to Remote Code Execution (RCE).

6.5
2022-01-26 CVE-2021-46114 Jpress Code Injection vulnerability in Jpress 4.2.0

jpress v 4.2.0 is vulnerable to RCE via io.jpress.module.product.ProductNotifyKit#doSendEmail.

6.5
2022-01-26 CVE-2021-29845 IBM Improper Input Validation vulnerability in IBM Security Guardium Insights 3.0.0

IBM Security Guardium Insights 3.0 could allow an authenticated user to perform unauthorized actions due to improper input validation.

6.5
2022-01-26 CVE-2021-46561 Mitre Incorrect Permission Assignment for Critical Resource vulnerability in Mitre CVE Services 1.1.1

controller/org.controller/org.controller.js in the CVE Services API 1.1.1 before 5c50baf3bda28133a3bc90b854765a64fb538304 allows an organizational administrator to transfer a user account to an arbitrary new organization, and thereby achieve unintended access within the context of that new organization.

6.5
2022-01-26 CVE-2021-46115 Jpress Unrestricted Upload of File with Dangerous Type vulnerability in Jpress 4.2.0

jpress 4.2.0 is vulnerable to RCE via io.jpress.web.admin._TemplateController#doUploadFile.

6.5
2022-01-26 CVE-2021-46116 Jpress Unrestricted Upload of File with Dangerous Type vulnerability in Jpress 4.2.0

jpress 4.2.0 is vulnerable to remote code execution via io.jpress.web.admin._TemplateController#doInstall.

6.5
2022-01-26 CVE-2021-46118 Jpress Code Injection vulnerability in Jpress 4.2.0

jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.article.kit.ArticleNotifyKit#doSendEmail.

6.5
2022-01-26 CVE-2021-46117 Jpress Code Injection vulnerability in Jpress 4.2.0

jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.page.PageNotifyKit#doSendEmail.

6.5
2022-01-26 CVE-2021-44123 Spip Unrestricted Upload of File with Dangerous Type vulnerability in Spip 4.0.0

SPIP 4.0.0 is affected by a remote command execution vulnerability.

6.5
2022-01-25 CVE-2021-4133 Redhat Incorrect Authorization vulnerability in Redhat Keycloak

A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.

6.5
2022-01-25 CVE-2022-0270 Mirantis Incorrect Permission Assignment for Critical Resource vulnerability in Mirantis Bored-Agent

Prior to v0.6.1, bored-agent failed to sanitize incoming kubernetes impersonation headers allowing a user to override assigned user name and groups.

6.5
2022-01-25 CVE-2021-39031 IBM Injection vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP injection.

6.5
2022-01-25 CVE-2021-45803 Iresturant Project SQL Injection vulnerability in Iresturant Project Iresturant 1.0

MartDevelopers iResturant 1.0 is vulnerable to SQL Injection.

6.5
2022-01-25 CVE-2021-46113 KEA Hotel ERP Project Unrestricted Upload of File with Dangerous Type vulnerability in Kea-Hotel-Erp Project Kea-Hotel-Erp

In MartDevelopers KEA-Hotel-ERP open source as of 12-31-2021, a remote code execution vulnerability can be exploited by uploading PHP files using the file upload vulnerability in this service.

6.5
2022-01-24 CVE-2021-45222 Coins Global Improper Privilege Management vulnerability in Coins-Global Construction Cloud 11.12

An issue was discovered in COINS Construction Cloud 11.12.

6.5
2022-01-24 CVE-2021-4088 Mcafee SQL Injection vulnerability in Mcafee Data Loss Prevention 11.6.401

SQL injection vulnerability in Data Loss Protection (DLP) ePO extension 11.8.x prior to 11.8.100, 11.7.x prior to 11.7.101, and 11.6.401 allows a remote authenticated attacker to inject unfiltered SQL into the DLP part of the ePO database.

6.5
2022-01-24 CVE-2021-24858 Accesspressthemes SQL Injection vulnerability in Accesspressthemes WP Cookie User Info

The Cookie Notification Plugin for WordPress plugin before 1.0.9 does not sanitise or escape the id GET parameter before using it in a SQL statement, when retrieving the setting to edit in the admin dashboard, leading to an authenticated SQL Injection

6.5
2022-01-24 CVE-2021-24865 ACF Extended SQL Injection vulnerability in Acf-Extended Advanced Custom Fields:Extended

The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue

6.5
2022-01-24 CVE-2021-25045 Asgaros SQL Injection vulnerability in Asgaros Forum

The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue

6.5
2022-01-24 CVE-2021-25076 Wedevs SQL Injection vulnerability in Wedevs WP User Frontend

The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection.

6.5
2022-01-28 CVE-2021-40404 Reolink Improper Authentication vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

An authentication bypass vulnerability exists in the cgiserver.cgi Login functionality of reolink RLC-410W v3.0.0.136_20121102.

6.4
2022-01-28 CVE-2022-21796 Reolink Improper Input Validation vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A memory corruption vulnerability exists in the netserver parse_command_list functionality of reolink RLC-410W v3.0.0.136_20121102.

6.4
2022-01-28 CVE-2022-23096 Intel
Debian
Out-of-bounds Read vulnerability in multiple products

An issue was discovered in the DNS proxy in Connman through 1.40.

6.4
2022-01-28 CVE-2022-23097 Intel
Debian
Out-of-bounds Read vulnerability in multiple products

An issue was discovered in the DNS proxy in Connman through 1.40.

6.4
2022-01-27 CVE-2022-21722 Teluu Out-of-bounds Read vulnerability in Teluu Pjsip

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE.

6.4
2022-01-27 CVE-2022-21723 Teluu
Asterisk
Sangoma
Debian
Out-of-bounds Read vulnerability in multiple products

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE.

6.4
2022-01-26 CVE-2022-23959 Varnish Software
Fedoraproject
Debian
HTTP Request Smuggling vulnerability in multiple products

In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.

6.4
2022-01-25 CVE-2021-3850 Adodb Project
Debian
Improper Authentication vulnerability in multiple products

Authentication Bypass by Primary Weakness in GitHub repository adodb/adodb prior to 5.20.21.

6.4
2022-01-25 CVE-2022-23944 Apache Missing Authentication for Critical Function vulnerability in Apache Shenyu 2.4.0/2.4.1

User can access /plugin api without authentication.

6.4
2022-01-28 CVE-2021-22825 Schneider Electric Information Exposure vulnerability in Schneider-Electric products

A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could allow an attacker to access the system with elevated privileges when a privileged account clicks on a malicious URL that compromises the security token.

6.0
2022-01-24 CVE-2022-0269 Yetiforce Cross-Site Request Forgery (CSRF) vulnerability in Yetiforce Customer Relationship Management

Cross-Site Request Forgery (CSRF) in Packagist yetiforce/yetiforce-crm prior to 6.3.0.

6.0
2022-01-24 CVE-2021-24936 WP Extra File Types Project Cross-Site Request Forgery (CSRF) vulnerability in WP Extra File Types Project WP Extra File Types

The WP Extra File Types WordPress plugin before 0.5.1 does not have CSRF check when saving its settings, nor sanitise and escape some of them, which could allow attackers to make a logged in admin change them and perform Cross-Site Scripting attacks

6.0
2022-01-30 CVE-2022-22919 Adenza Open Redirect vulnerability in Adenza Axiomsl Controllerview

Adenza AxiomSL ControllerView through 10.8.1 allows redirection for SSO login URLs.

5.8
2022-01-28 CVE-2022-0393 VIM
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.

5.8
2022-01-24 CVE-2022-21711 Elfspirit Project Out-of-bounds Read vulnerability in Elfspirit Project Elfspirit

elfspirit is an ELF static analysis and injection framework that parses, manipulates, and camouflages ELF files.

5.8
2022-01-24 CVE-2021-25028 TRI Open Redirect vulnerability in TRI Event Tickets

The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue

5.8
2022-01-24 CVE-2021-25074 Webp Converter FOR Media Project Open Redirect vulnerability in Webp Converter for Media Project Webp Converter for Media

The WebP Converter for Media WordPress plugin before 4.0.3 contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue

5.8
2022-01-25 CVE-2021-36348 Dell Injection vulnerability in Dell Integrated Dell Remote Access Controller 9 Firmware

iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability.

5.5
2022-01-25 CVE-2021-45729 Srmilon Improper Privilege Management vulnerability in Srmilon WP Google MAP

The Privilege Escalation vulnerability discovered in the WP Google Map WordPress plugin (versions <= 1.8.0) allows authenticated low-role users to create, edit, and delete maps.

5.5
2022-01-25 CVE-2022-0333 Moodle Incorrect Authorization vulnerability in Moodle

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions.

5.5
2022-01-25 CVE-2022-23008 F5 Code Injection vulnerability in F5 Nginx Controller API Management

On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances.

5.5
2022-01-25 CVE-2022-21697 Jupyter Server-Side Request Forgery (SSRF) vulnerability in Jupyter Server Proxy

Jupyter Server Proxy is a Jupyter notebook server extension to proxy web services.

5.5
2022-01-30 CVE-2022-24032 Adenza Exposure of Resource to Wrong Sphere vulnerability in Adenza Axiomsl Controllerview

Adenza AxiomSL ControllerView through 10.8.1 is vulnerable to user enumeration.

5.0
2022-01-29 CVE-2022-24124 Casbin SQL Injection vulnerability in Casbin Casdoor

The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.

5.0
2022-01-28 CVE-2022-23889 Yzmcms Uncontrolled Recursion vulnerability in Yzmcms 6.3

The comment function in YzmCMS v6.3 was discovered as being able to be operated concurrently, allowing attackers to create an unusually large number of comments.

5.0
2022-01-28 CVE-2021-22815 Schneider Electric Information Exposure vulnerability in Schneider-Electric products

A CWE-200: Information Exposure vulnerability exists which could cause the troubleshooting archive to be accessed.

5.0
2022-01-28 CVE-2021-22818 Schneider Electric Improper Restriction of Excessive Authentication Attempts vulnerability in Schneider-Electric products

A CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to gain unauthorized access to the charging station web interface by performing brute force attacks.

5.0
2022-01-28 CVE-2021-22821 Schneider Electric Server-Side Request Forgery (SSRF) vulnerability in Schneider-Electric products

A CWE-918 Server-Side Request Forgery (SSRF) vulnerability exists that could cause the station web server to forward requests to unintended network targets when crafted malicious parameters are submitted to the charging station web server.

5.0
2022-01-28 CVE-2021-40338 Hitachi Improper Authentication vulnerability in Hitachi Linkone

Hitachi Energy LinkOne product, has a vulnerability due to a web server misconfiguration, that enables debug mode and reveals the full path of the filesystem directory when an attacker generates errors during a query operation.

5.0
2022-01-28 CVE-2021-40339 Hitachi Unspecified vulnerability in Hitachi Linkone

Configuration vulnerability in Hitachi Energy LinkOne application due to the lack of HTTP Headers, allows an attacker that manages to exploit this vulnerability to retrieve sensitive information.

5.0
2022-01-28 CVE-2021-40340 Hitachi Information Exposure vulnerability in Hitachi Linkone

Information Exposure vulnerability in Hitachi Energy LinkOne application, due to a misconfiguration in the ASP server exposes server and ASP.net information, an attacker that manages to exploit this vulnerability can use the exposed information as a reconnaissance for further exploitation.

5.0
2022-01-28 CVE-2021-40419 Reolink Unspecified vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A firmware update vulnerability exists in the 'factory' binary of reolink RLC-410W v3.0.0.136_20121102.

5.0
2022-01-28 CVE-2022-21134 Reolink Unspecified vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

A firmware update vulnerability exists in the &quot;update&quot; firmware checks functionality of reolink RLC-410W v3.0.0.136_20121102.

5.0
2022-01-28 CVE-2022-21236 Reolink Information Exposure vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

An information disclosure vulnerability exists due to a web server misconfiguration in the Reolink RLC-410W v3.0.0.136_20121102.

5.0
2022-01-28 CVE-2022-22790 Synel Path Traversal vulnerability in Synel Eharmony 8.0.2.3

SYNEL - eharmony Directory Traversal.

5.0
2022-01-28 CVE-2021-41608 Classapps Incorrect Authorization vulnerability in Classapps Selectsurvey.Net

A file disclosure vulnerability in the UploadedImageDisplay.aspx endpoint of SelectSurvey.NET before 5.052.000 allows a remote, unauthenticated attacker to retrieve survey user submitted data by modifying the value of the ID parameter in sequential order beginning from 1.

5.0
2022-01-28 CVE-2022-23098 Intel
Debian
Infinite Loop vulnerability in multiple products

An issue was discovered in the DNS proxy in Connman through 1.40.

5.0
2022-01-27 CVE-2021-46102 Solana Integer Overflow or Wraparound vulnerability in Solana Rbpf 0.2.14/0.2.15/0.2.16

From version 0.2.14 to 0.2.16 for Solana rBPF, function "relocate" in the file src/elf.rs has an integer overflow bug because the sym.st_value is read directly from ELF file without checking.

5.0
2022-01-27 CVE-2021-44792 Krontech Missing Authorization vulnerability in Krontech Single Connect

Single Connect does not perform an authorization check when using the "log-monitor" module.

5.0
2022-01-27 CVE-2021-44793 Krontech Missing Authorization vulnerability in Krontech Single Connect

Single Connect does not perform an authorization check when using the sc-reports-ui" module.

5.0
2022-01-27 CVE-2021-44794 Krontech Missing Authorization vulnerability in Krontech Single Connect

Single Connect does not perform an authorization check when using the "sc-diagnostic-ui" module.

5.0
2022-01-27 CVE-2021-44795 Krontech Missing Authorization vulnerability in Krontech Single Connect

Single Connect does not perform an authorization check when using the "sc-assigned-credential-ui" module.

5.0
2022-01-27 CVE-2022-22828 Synametrics Authorization Bypass Through User-Controlled Key vulnerability in Synametrics Synaman

An insecure direct object reference for the file-download URL in Synametrics SynaMan before 5.0 allows a remote attacker to access unshared files via a modified base64-encoded filename string.

5.0
2022-01-26 CVE-2021-41166 Nextcloud Incorrect Default Permissions vulnerability in Nextcloud

The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform.

5.0
2022-01-26 CVE-2021-32841 Sharpziplib Project Path Traversal vulnerability in Sharpziplib Project Sharpziplib 1.3.0/1.3.1/1.3.2

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library.

5.0
2022-01-26 CVE-2021-32842 Sharpziplib Project Path Traversal vulnerability in Sharpziplib Project Sharpziplib

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library.

5.0
2022-01-26 CVE-2021-46385 Mingsoft SQL Injection vulnerability in Mingsoft Mcms 4.6.5/5.2.4/5.2.5

https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection.

5.0
2022-01-26 CVE-2021-46383 Mingsoft SQL Injection vulnerability in Mingsoft Mcms 4.6.5/5.2.4/5.2.5

https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection.

5.0
2022-01-26 CVE-2021-44692 Buddyboss Information Exposure vulnerability in Buddyboss

BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user.

5.0
2022-01-26 CVE-2021-22570 Google
Debian
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

Nullptr dereference when a null char is present in a proto symbol.

5.0
2022-01-26 CVE-2022-0203 Craterapp Missing Authorization vulnerability in Craterapp Crater

Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2.

5.0
2022-01-26 CVE-2022-22932 Apache Path Traversal vulnerability in Apache Karaf

Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder.

5.0
2022-01-26 CVE-2019-25056 Bromite Information Exposure Through Discrepancy vulnerability in Bromite

In Bromite through 78.0.3904.130, there are adblock rules in the release APK; therefore, probing which resources are blocked and which aren't can identify the application version and defeat the User-Agent protection mechanism.

5.0
2022-01-26 CVE-2022-0355 Simple GET Project Information Exposure vulnerability in Simple-Get Project Simple-Get

Exposure of Sensitive Information to an Unauthorized Actor in NPM simple-get prior to 4.0.1.

5.0
2022-01-26 CVE-2021-46559 Moxa Use of a Broken or Risky Cryptographic Algorithm vulnerability in Moxa Tn-5900 Firmware 3.1

The firmware on Moxa TN-5900 devices through 3.1 has a weak algorithm that allows an attacker to defeat an inspection mechanism for integrity protection.

5.0
2022-01-25 CVE-2021-36346 Dell Unspecified vulnerability in Dell Integrated Dell Remote Access Controller 8 Firmware

Dell iDRAC 8 prior to version 2.82.82.82 contain a denial of service vulnerability.

5.0
2022-01-25 CVE-2021-43799 Zulip Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Zulip

Zulip is an open-source team collaboration tool.

5.0
2022-01-25 CVE-2021-43298 Embedthis Improper Restriction of Excessive Authentication Attempts vulnerability in Embedthis Goahead

The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting.

5.0
2022-01-25 CVE-2022-23011 F5 Incorrect Calculation vulnerability in F5 products

On certain hardware BIG-IP platforms, in version 15.1.x before 15.1.4 and 14.1.x before 14.1.3, virtual servers may stop responding while processing TCP traffic due to an issue in the SYN Cookie Protection feature.

5.0
2022-01-25 CVE-2022-23027 F5 Incorrect Comparison vulnerability in F5 products

On BIG-IP versions 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, 13.1.x beginning in 13.1.3.6, 12.1.5.3-12.1.6, and 11.6.5.2, when a FastL4 profile and an HTTP, FIX, and/or hash persistence profile are configured on the same virtual server, undisclosed requests can cause the virtual server to stop processing new client connections.

5.0
2022-01-25 CVE-2022-23029 F5 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in F5 products

On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization.

5.0
2022-01-25 CVE-2022-23032 F5 Origin Validation Error vulnerability in F5 Big-Ip Access Policy Manager

In all versions before 7.2.1.4, when proxy settings are configured in the network access resource of a BIG-IP APM system, connecting BIG-IP Edge Client on Mac and Windows is vulnerable to a DNS rebinding attack.

5.0
2022-01-25 CVE-2021-43863 Nextcloud SQL Injection vulnerability in Nextcloud

The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform.

5.0
2022-01-25 CVE-2021-46086 Mindskip Incorrect Default Permissions vulnerability in Mindskip Xzs-Mysql T3.4.0

xzs-mysql >= t3.4.0 is vulnerable to Insecure Permissions.

5.0
2022-01-25 CVE-2022-23223 Apache Insufficiently Protected Credentials vulnerability in Apache Shenyu 2.4.0/2.4.1

The HTTP response will disclose the user password.

5.0
2022-01-25 CVE-2022-23945 Apache Missing Authentication for Critical Function vulnerability in Apache Shenyu 2.4.0/2.4.1

Missing authentication on ShenYu Admin when register by HTTP.

5.0
2022-01-24 CVE-2021-43588 Dell Improper Input Validation vulnerability in Dell EMC Data Protection Central

Dell EMC Data Protection Central version 19.5 contains an Improper Input Validation Vulnerability.

5.0
2022-01-24 CVE-2022-22296 Hospital S Patient Records Management System Project Incorrect Default Permissions vulnerability in Hospital'S Patient Records Management System Project Hospital'S Patient Records Management System 1.0

Sourcecodester Hospital's Patient Records Management System 1.0 is vulnerable to Insecure Permissions via the id parameter in manage_user endpoint.

5.0
2022-01-24 CVE-2021-24906 WP Experts Incorrect Authorization vulnerability in Wp-Experts Protect WP Admin

The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin (and therefore the protection offered) via a crafted request

5.0
2022-01-24 CVE-2022-23856 Saviynt Exposure of Resource to Wrong Sphere vulnerability in Saviynt Enterprise Identity Cloud

An issue was discovered in Saviynt Enterprise Identity Cloud (EIC) 5.5 SP2.x.

5.0
2022-01-24 CVE-2021-39293 Golang
Netapp
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic.

5.0
2022-01-28 CVE-2021-26264 Emerson Missing Authentication for Critical Function vulnerability in Emerson products

A specially crafted script could cause the DeltaV Distributed Control System Controllers (All Versions) to restart and cause a denial-of-service condition.

4.9
2022-01-28 CVE-2021-42791 Veridiumid HTTP Request Smuggling vulnerability in Veridiumid Veridiumad 2.5.3.0

An issue was discovered in VeridiumID VeridiumAD 2.5.3.0.

4.9
2022-01-25 CVE-2021-4145 Qemu
Redhat
NULL Pointer Dereference vulnerability in multiple products

A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0.

4.9
2022-01-25 CVE-2022-23035 XEN
Fedoraproject
Incomplete Cleanup vulnerability in multiple products

Insufficient cleanup of passed-through device IRQs The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device.

4.7
2022-01-28 CVE-2021-27654 Pega Weak Password Recovery Mechanism for Forgotten Password vulnerability in Pega Infinity

Forgotten password reset functionality for local accounts can be used to bypass local authentication checks.

4.6
2022-01-28 CVE-2022-23727 LG Improper Privilege Management vulnerability in LG Webos 3.0/5.0

There is a privilege escalation vulnerability in some webOS TVs.

4.6
2022-01-25 CVE-2021-36289 Dell Information Exposure Through Log Files vulnerability in Dell EMC Unity Operating Environment

Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain a sensitive information disclosure vulnerability.

4.6
2022-01-25 CVE-2022-22789 Charactell Cleartext Storage of Sensitive Information vulnerability in Charactell Formstorm 9.00.065

Charactell - FormStorm Enterprise Account takeover – An attacker can modify (add, remove and update) passwords file for all the users.

4.6
2022-01-25 CVE-2022-0351 VIM Access of Memory Location Before Start of Buffer vulnerability in VIM

Access of Memory Location Before Start of Buffer in GitHub repository vim/vim prior to 8.2.

4.6
2022-01-25 CVE-2022-23033 XEN
Fedoraproject
Incorrect Authorization vulnerability in multiple products

arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set.

4.6
2022-01-28 CVE-2021-4160 Openssl
Debian
There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure.
4.3
2022-01-28 CVE-2022-0352 Calibre WEB Project Cross-site Scripting vulnerability in Calibre-Web Project Calibre-Web

Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16.

4.3
2022-01-28 CVE-2022-21721 Vercel Resource Exhaustion vulnerability in Vercel Next.Js

Next.js is a React framework.

4.3
2022-01-28 CVE-2022-23598 Getlaminas
Fedoraproject
Cross-site Scripting vulnerability in multiple products

laminas-form is a package for validating and displaying simple and complex forms.

4.3
2022-01-28 CVE-2022-23887 Yzmcms Cross-Site Request Forgery (CSRF) vulnerability in Yzmcms 6.3

YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily delete user accounts via /admin/admin_manage/delete.

4.3
2022-01-28 CVE-2021-22809 Schneider Electric Out-of-bounds Read vulnerability in Schneider-Electric Guicon 2.0

A CWE-125:Out-of-Bounds Read vulnerability exists that could cause unintended data disclosure when a malicious *.gd1 configuration file is loaded into the GUIcon tool.

4.3
2022-01-28 CVE-2021-22810 Schneider Electric Cross-site Scripting vulnerability in Schneider-Electric products

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause arbritrary script execution when a privileged account clicks on a malicious URL specifically crafted for the NMC pointing to a delete policy file.

4.3
2022-01-28 CVE-2021-22811 Schneider Electric Cross-site Scripting vulnerability in Schneider-Electric products

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause script execution when the request of a privileged account accessing the vulnerable web page is intercepted.

4.3
2022-01-28 CVE-2021-22812 Schneider Electric Cross-site Scripting vulnerability in Schneider-Electric products

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause arbritrary script execution when a privileged account clicks on a malicious URL specifically crafted for the NMC.

4.3
2022-01-28 CVE-2021-22813 Schneider Electric Cross-site Scripting vulnerability in Schneider-Electric products

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause arbritrary script execution when a privileged account clicks on a malicious URL specifically crafted for the NMC pointing to an edit policy file.

4.3
2022-01-28 CVE-2021-22814 Schneider Electric Cross-site Scripting vulnerability in Schneider-Electric products

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists which could cause arbritrary script execution when a malicious file is read and displayed.

4.3
2022-01-28 CVE-2021-22819 Schneider Electric Improper Restriction of Rendered UI Layers or Frames vulnerability in Schneider-Electric products

A CWE-1021 Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause unintended modifications of the product settings or user accounts when deceiving the user to use the web interface rendered within iframes.

4.3
2022-01-28 CVE-2021-22822 Schneider Electric Cross-site Scripting vulnerability in Schneider-Electric products

A CWE-79 Improper Neutralization of Input During Web Page Generation (?Cross-site Scripting?) vulnerability exists that could allow an attacker to impersonate the user who manages the charging station or carry out actions on their behalf when crafted malicious parameters are submitted to the charging station web server.

4.3
2022-01-28 CVE-2021-23863 Bosch Cross-site Scripting vulnerability in Bosch Video Security

HTML code injection vulnerability in Android Application, Bosch Video Security, version 3.2.3.

4.3
2022-01-28 CVE-2022-21199 Reolink Information Exposure vulnerability in Reolink Rlc-410W Firmware 3.0.0.13620121102

An information disclosure vulnerability exists due to the hardcoded TLS key of reolink RLC-410W v3.0.0.136_20121102.

4.3
2022-01-28 CVE-2022-24071 Navercorp Unspecified vulnerability in Navercorp Whale

A Built-in extension in Whale browser before 3.12.129.46 allows attackers to compromise the rendering process which could lead to controlling browser internal APIs.

4.3
2022-01-28 CVE-2022-21719 Glpi Project Cross-site Scripting vulnerability in Glpi-Project Glpi

GLPI is a free asset and IT management software package.

4.3
2022-01-27 CVE-2021-46484 Jsish Use After Free vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap-use-after-free via Jsi_IncrRefCount in src/jsiValue.c.

4.3
2022-01-27 CVE-2021-46485 Jsish Unspecified vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via Jsi_ValueIsNumber at src/jsiValue.c.

4.3
2022-01-27 CVE-2021-46486 Jsish Unspecified vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via jsi_ArraySpliceCmd at src/jsiArray.c.

4.3
2022-01-27 CVE-2021-46487 Jsish Unspecified vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via /lib/x86_64-linux-gnu/libc.so.6+0x18e506.

4.3
2022-01-27 CVE-2021-46488 Jsish Unspecified vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via jsi_ArrayConcatCmd at src/jsiArray.c.

4.3
2022-01-27 CVE-2021-46489 Jsish Use After Free vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap-use-after-free via Jsi_DecrRefCount in src/jsiValue.c.

4.3
2022-01-27 CVE-2021-46490 Jsish Unspecified vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via NumberConstructor at src/jsiNumber.c.

4.3
2022-01-27 CVE-2021-46491 Jsish Unspecified vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via Jsi_CommandPkgOpts at src/jsiCmds.c.

4.3
2022-01-27 CVE-2021-46492 Jsish Unspecified vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via Jsi_FunctionInvoke at src/jsiFunc.c.

4.3
2022-01-27 CVE-2021-46494 Jsish Use After Free vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_ValueLookupBase in src/jsiValue.c.

4.3
2022-01-27 CVE-2021-46495 Jsish Use After Free vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap-use-after-free via DeleteTreeValue in src/jsiObj.c.

4.3
2022-01-27 CVE-2021-46496 Jsish Use After Free vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap-use-after-free via Jsi_ObjFree in src/jsiObj.c.

4.3
2022-01-27 CVE-2021-46497 Jsish Use After Free vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_UserObjDelete in src/jsiUserObj.c.

4.3
2022-01-27 CVE-2021-46498 Jsish Use After Free vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_wswebsocketObjFree in src/jsiWebSocket.c.

4.3
2022-01-27 CVE-2021-46499 Jsish Use After Free vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_ValueCopyMove in src/jsiValue.c.

4.3
2022-01-27 CVE-2021-46500 Jsish Use After Free vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_ArgTypeCheck in src/jsiFunc.c.

4.3
2022-01-27 CVE-2021-46501 Jsish Use After Free vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap-use-after-free via SortSubCmd in src/jsiArray.c.

4.3
2022-01-27 CVE-2021-46502 Jsish Use After Free vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap-use-after-free via /usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d.

4.3
2022-01-27 CVE-2021-46503 Jsish Use After Free vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap-use-after-free via /usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732.

4.3
2022-01-27 CVE-2021-46504 Jsish Reachable Assertion vulnerability in Jsish 3.5.0

There is an Assertion 'vp != resPtr' failed at jsiEval.c in Jsish v3.5.0.

4.3
2022-01-27 CVE-2021-46505 Jsish Out-of-bounds Write vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a stack overflow via /usr/lib/x86_64-linux-gnu/libasan.so.4+0x5b1e5.

4.3
2022-01-27 CVE-2021-46506 Jsish Reachable Assertion vulnerability in Jsish 3.5.0

There is an Assertion 'v->d.lval != v' failed at src/jsiValue.c in Jsish v3.5.0.

4.3
2022-01-27 CVE-2021-46507 Jsish Out-of-bounds Write vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a stack overflow via Jsi_LogMsg at src/jsiUtils.c.

4.3
2022-01-27 CVE-2021-46508 Cesanta Reachable Assertion vulnerability in Cesanta MJS 2.20.0

There is an Assertion `i < parts_cnt' failed at src/mjs_bcode.c in Cesanta MJS v2.20.0.

4.3
2022-01-27 CVE-2021-46510 Cesanta Reachable Assertion vulnerability in Cesanta MJS 2.20.0

There is an Assertion `s < mjs->owned_strings.buf + mjs->owned_strings.len' failed at src/mjs_gc.c in Cesanta MJS v2.20.0.

4.3
2022-01-27 CVE-2021-46511 Cesanta Reachable Assertion vulnerability in Cesanta MJS 2.20.0

There is an Assertion `m->len >= sizeof(v)' failed at src/mjs_core.c in Cesanta MJS v2.20.0.

4.3
2022-01-27 CVE-2021-46512 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_apply at src/mjs_exec.c.

4.3
2022-01-27 CVE-2021-46514 Cesanta Reachable Assertion vulnerability in Cesanta MJS 2.20.0

There is an Assertion 'ppos != NULL && mjs_is_number(*ppos)' failed at src/mjs_core.c in Cesanta MJS v2.20.0.

4.3
2022-01-27 CVE-2021-46515 Cesanta Reachable Assertion vulnerability in Cesanta MJS 2.20.0

There is an Assertion `mjs_stack_size(&mjs->scopes) >= scopes_len' failed at src/mjs_exec.c in Cesanta MJS v2.20.0.

4.3
2022-01-27 CVE-2021-46516 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_stack_size at mjs/src/mjs_core.c.

4.3
2022-01-27 CVE-2021-46517 Cesanta Reachable Assertion vulnerability in Cesanta MJS 2.20.0

There is an Assertion `mjs_stack_size(&mjs->scopes) > 0' failed at src/mjs_exec.c in Cesanta MJS v2.20.0.

4.3
2022-01-27 CVE-2021-46528 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0x5361e.

4.3
2022-01-27 CVE-2021-46529 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0x8814e.

4.3
2022-01-27 CVE-2021-46530 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_execute at src/mjs_exec.c.

4.3
2022-01-27 CVE-2021-46531 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0x8d28e.

4.3
2022-01-27 CVE-2021-46532 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via exec_expr at src/mjs_exec.c.

4.3
2022-01-27 CVE-2021-46534 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via getprop_builtin_foreign at src/mjs_exec.c.

4.3
2022-01-27 CVE-2021-46535 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0xe533e.

4.3
2022-01-27 CVE-2021-46537 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0x9a30e.

4.3
2022-01-27 CVE-2021-46538 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via gc_compact_strings at src/mjs_gc.c.

4.3
2022-01-27 CVE-2021-46539 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /lib/x86_64-linux-gnu/libc.so.6+0x45a1f.

4.3
2022-01-27 CVE-2021-46540 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_get_mjs at src/mjs_builtin.c.

4.3
2022-01-27 CVE-2021-46541 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0x2c6ae.

4.3
2022-01-27 CVE-2021-46542 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_print at src/mjs_builtin.c.

4.3
2022-01-27 CVE-2021-46543 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /lib/x86_64-linux-gnu/libc.so.6+0x18e810.

4.3
2022-01-27 CVE-2021-46544 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/lib/x86_64-linux-gnu/libasan.so.4+0x59e19.

4.3
2022-01-27 CVE-2021-46545 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /lib/x86_64-linux-gnu/libc.so.6+0x4b44b.

4.3
2022-01-27 CVE-2021-46546 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_next at src/mjs_object.c.

4.3
2022-01-27 CVE-2021-46547 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0x2c17e.

4.3
2022-01-27 CVE-2021-46548 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via add_lineno_map_item at src/mjs_bcode.c.

4.3
2022-01-27 CVE-2021-46549 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via parse_cval_type at src/mjs_ffi.c.

4.3
2022-01-27 CVE-2021-46550 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via free_json_frame at src/mjs_json.c.

4.3
2022-01-27 CVE-2021-46553 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_set_internal at src/mjs_object.c.

4.3
2022-01-27 CVE-2021-46554 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_json_stringify at src/mjs_json.c.

4.3
2022-01-27 CVE-2021-46556 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_bcode_insert_offset at src/mjs_bcode.c.

4.3
2022-01-27 CVE-2021-28096 Stormshield Allocation of Resources Without Limits or Throttling vulnerability in Stormshield Network Security

An issue was discovered in Stormshield SNS before 4.2.3 (when the proxy is used).

4.3
2022-01-26 CVE-2022-22852 Hospital S Patient Records Management System Project Cross-site Scripting vulnerability in Hospital'S Patient Records Management System Project Hospital'S Patient Records Management System 1.0

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodtester Hospital's Patient Records Management System 1.0 via the description parameter in room_list.

4.3
2022-01-26 CVE-2022-23993 Pfsense Cross-site Scripting vulnerability in Pfsense and Pfsense Plus

/usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call, causing XSS.

4.3
2022-01-26 CVE-2021-29838 IBM Information Exposure vulnerability in IBM Security Guardium Insights 3.0.0

IBM Security Guardium Insights 3.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security.

4.3
2022-01-26 CVE-2022-0378 Microweber Cross-site Scripting vulnerability in Microweber

Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.

4.3
2022-01-25 CVE-2022-23258 Microsoft Unspecified vulnerability in Microsoft Edge

Microsoft Edge for Android Spoofing Vulnerability.

4.3
2022-01-25 CVE-2022-23013 F5 Cross-site Scripting vulnerability in F5 Big-Ip Domain Name System

On BIG-IP DNS & GTM version 16.x before 16.1.0, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, a DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.

4.3
2022-01-25 CVE-2022-23024 F5 Resource Exhaustion vulnerability in F5 Big-Ip Advanced Firewall Manager

On BIG-IP AFM version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.2, and all versions of 13.1.x, when the IPsec application layer gateway (ALG) logging profile is configured on an IPsec ALG virtual server, undisclosed IPsec traffic can cause the Traffic Management Microkernel (TMM) to terminate.

4.3
2022-01-25 CVE-2022-23025 F5 NULL Pointer Dereference vulnerability in F5 products

On BIG-IP version 16.1.x before 16.1.1, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, when a SIP ALG profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

4.3
2022-01-25 CVE-2022-23028 F5 Incorrect Calculation vulnerability in F5 Big-Ip Advanced Firewall Manager

On BIG-IP AFM version 16.x before 16.1.0, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when global AFM SYN cookie protection (TCP Half Open flood vector) is activated in the AFM Device Dos or DOS profile, certain types of TCP connections will fail.

4.3
2022-01-25 CVE-2022-23030 F5 Resource Exhaustion vulnerability in F5 products

On version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when the BIG-IP Virtual Edition (VE) uses the ixlv driver (which is used in SR-IOV mode and requires Intel X710/XL710/XXV710 family of network adapters on the Hypervisor) and TCP Segmentation Offload configuration is enabled, undisclosed requests may cause an increase in CPU resource utilization.

4.3
2022-01-25 CVE-2021-46034 Forestblog Project Cross-site Scripting vulnerability in Forestblog Project Forestblog

A problem was found in ForestBlog, as of 2021-12-29, there is a XSS vulnerability that can be injected through the nickname input box.

4.3
2022-01-25 CVE-2021-45846 Slic3R NULL Pointer Dereference vulnerability in Slic3R 1.3.0

A flaw in the AMF parser of Slic3r libslic3r 1.3.0 allows an attacker to cause an application crash using a crafted AMF document, where a metadata tag lacks a "type" attribute.

4.3
2022-01-25 CVE-2021-45847 Slic3R NULL Pointer Dereference vulnerability in Slic3R 1.3.0

Several missing input validations in the 3MF parser component of Slic3r libslic3r 1.3.0 can each allow an attacker to cause an application crash using a crafted 3MF input file.

4.3
2022-01-25 CVE-2021-45343 Librecad
Fedoraproject
Debian
NULL Pointer Dereference vulnerability in multiple products

In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH handling of libdxfrw allows an attacker to crash the application using a crafted DXF document.

4.3
2022-01-25 CVE-2021-45340 Libsixel Project NULL Pointer Dereference vulnerability in Libsixel Project Libsixel

In Libsixel prior to and including v1.10.3, a NULL pointer dereference in the stb_image.h component of libsixel allows attackers to cause a denial of service (DOS) via a crafted PICT file.

4.3
2022-01-25 CVE-2021-44992 Jerryscript Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Jerryscript 3.0.0

There is an Assertion ''ecma_object_is_typedarray (obj_p)'' failed at /jerry-core/ecma/operations/ecma-typedarray-object.c in Jerryscript 3.0.0.

4.3
2022-01-25 CVE-2021-44993 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion ''ecma_is_value_boolean (base_value)'' failed at /jerry-core/ecma/operations/ecma-get-put-value.c in Jerryscript 3.0.0.

4.3
2022-01-25 CVE-2021-44994 Jerryscript Reachable Assertion vulnerability in Jerryscript 3.0.0

There is an Assertion ''JERRY_CONTEXT (jmem_heap_allocated_size) == 0'' failed at /jerry-core/jmem/jmem-heap.c in Jerryscript 3.0.0.

4.3
2022-01-25 CVE-2021-46474 Jsish Out-of-bounds Write vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap buffer overflow via jsiEvalCodeSub in src/jsiEval.c.

4.3
2022-01-25 CVE-2021-46475 Jsish Out-of-bounds Write vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap buffer overflow via jsi_ArraySliceCmd in src/jsiArray.c.

4.3
2022-01-25 CVE-2021-46477 Jsish Out-of-bounds Write vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap buffer overflow via RegExp_constructor in src/jsiRegexp.c.

4.3
2022-01-25 CVE-2021-46478 Jsish Out-of-bounds Write vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap buffer overflow via jsiClearStack in src/jsiEval.c.

4.3
2022-01-25 CVE-2021-46480 Jsish Out-of-bounds Write vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a heap buffer overflow via jsiValueObjDelete in src/jsiEval.c.

4.3
2022-01-25 CVE-2021-46481 Jsish Memory Leak vulnerability in Jsish 3.5.0

Jsish v3.5.0 was discovered to contain a memory leak via linenoise at src/linenoise.c.

4.3
2022-01-24 CVE-2021-45224 Coins Global Cross-site Scripting vulnerability in Coins-Global Construction Cloud 11.12

An issue was discovered in COINS Construction Cloud 11.12.

4.3
2022-01-24 CVE-2021-45225 Coins Global Cross-site Scripting vulnerability in Coins-Global Construction Cloud 11.12

An issue was discovered in COINS Construction Cloud 11.12.

4.3
2022-01-24 CVE-2021-45226 Coins Global Improper Input Validation vulnerability in Coins-Global Construction Cloud 11.12

An issue was discovered in COINS Construction Cloud 11.12.

4.3
2022-01-24 CVE-2022-21710 Mediawiki Cross-site Scripting vulnerability in Mediawiki Shortdescription

ShortDescription is a MediaWiki extension that provides local short description support.

4.3
2022-01-24 CVE-2022-21715 Codeigniter Cross-site Scripting vulnerability in Codeigniter

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework.

4.3
2022-01-24 CVE-2021-41930 Online Covid Vaccination Scheduler System Project Cross-site Scripting vulnerability in Online Covid Vaccination Scheduler System Project Online Covid Vaccination Scheduler System 1.0

Cross site scripting (XSS) vulnerability in Sourcecodester Online Covid Vaccination Scheduler System v1 by oretnom23, allows attackers to execute arbitrary code via the lid parameter to /scheduler/addSchedule.php.

4.3
2022-01-24 CVE-2021-42168 TRY MY Recipe Project Cross-site Scripting vulnerability in TRY MY Recipe Project TRY MY Recipe

Cross Site Scripting (XSS) in Sourcecodester Try My Recipe (Recipe Sharing Website - CMS) by oretnom23, allows attackers to gain the PHPSESID or other unspecified impacts via the fullname parameter to the login_registration page.

4.3
2022-01-24 CVE-2021-41929 THE Electric Billing Management System Project Cross-site Scripting vulnerability in the Electric Billing Management System Project the Electric Billing Management System 1.0

Cross Site Scripting (XSS) in Sourcecodester The Electric Billing Management System 1.0 by oretnom23, allows attackers to execute arbitrary code via the about page.

4.3
2022-01-24 CVE-2021-24923 Sendinblue Cross-site Scripting vulnerability in Sendinblue Newsletter, Smtp, Email Marketing and Subscribe

The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.25 does not escape the sib-statistics-date parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

4.3
2022-01-24 CVE-2021-24985 Yikesinc Cross-site Scripting vulnerability in Yikesinc Easy Forms for Mailchimp

The Easy Forms for Mailchimp WordPress plugin before 6.8.6 does not sanitise and escape the field_name and field_type parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

4.3
2022-01-24 CVE-2021-24989 Wpplugin Cross-Site Request Forgery (CSRF) vulnerability in Wpplugin Accept Donations With Paypal

The Accept Donations with PayPal WordPress plugin before 1.3.4 does not have CSRF check in place and does not ensure that the post to be deleted belongs to the plugin, allowing attackers to make a logged in admin delete arbitrary posts from the blog

4.3
2022-01-24 CVE-2021-25008 Codesnippets Cross-site Scripting vulnerability in Codesnippets Code Snippets

The Code Snippets WordPress plugin before 2.14.3 does not escape the snippets-safe-mode parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue

4.3
2022-01-24 CVE-2021-25015 Mycred Cross-site Scripting vulnerability in Mycred

The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue

4.3
2022-01-24 CVE-2021-25017 Themeum Cross-site Scripting vulnerability in Themeum Tutor LMS

The Tutor LMS WordPress plugin before 1.9.12 does not escape the search parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

4.3
2022-01-24 CVE-2021-25031 Oxilab Cross-site Scripting vulnerability in Oxilab Image Hover Effects Ultimate

The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

4.3
2022-01-24 CVE-2021-25035 Revmakx Cross-site Scripting vulnerability in Revmakx Backup and Staging BY WP Time Capsule

The Backup and Staging by WP Time Capsule WordPress plugin before 1.22.7 does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

4.3
2022-01-24 CVE-2021-25062 Villatheme Cross-site Scripting vulnerability in Villatheme Orders Tracking for Woocommerce

The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 does not sanitise and escape the file_url before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

4.3
2022-01-24 CVE-2021-25078 Wpaffiliatemanager Cross-site Scripting vulnerability in Wpaffiliatemanager Affiliates Manager

The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests.

4.3
2022-01-24 CVE-2021-25079 Crmperks Cross-site Scripting vulnerability in Crmperks Contact Form Entries

The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page

4.3
2022-01-24 CVE-2021-25080 Crmperks Cross-site Scripting vulnerability in Crmperks Contact Form Entries

The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing the created entry

4.3
2022-01-24 CVE-2021-25083 Roundupwp Cross-site Scripting vulnerability in Roundupwp Registrations for the Events Calendar 2.7.6

The Registrations for the Events Calendar WordPress plugin before 2.7.10 does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cross-Site Scripting

4.3
2022-01-30 CVE-2022-0273 Calibre WEB Project Improper Access Control vulnerability in Calibre-Web Project Calibre-Web

Improper Access Control in Pypi calibreweb prior to 0.6.16.

4.0
2022-01-28 CVE-2022-23863 Zohocorp Improper Privilege Management vulnerability in Zohocorp Manageengine Desktop Central

Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password.

4.0
2022-01-28 CVE-2022-21720 Glpi Project SQL Injection vulnerability in Glpi-Project Glpi

GLPI is a free asset and IT management software package.

4.0
2022-01-26 CVE-2021-29846 IBM Information Exposure vulnerability in IBM Security Guardium Insights 3.0.0

IBM Security Guardium Insights 3.0 could allow an authenticated user to obtain sensitive information due to insufficient session expiration.

4.0
2022-01-25 CVE-2022-0334 Moodle Exposure of Resource to Wrong Sphere vulnerability in Moodle

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions.

4.0
2022-01-25 CVE-2022-23023 F5 Resource Exhaustion vulnerability in F5 products

On BIG-IP version 16.1.x before 16.1.2.1, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, and BIG-IQ all versions of 8.x and 7.x, undisclosed requests by an authenticated iControl REST user can cause an increase in memory resource utilization.

4.0
2022-01-25 CVE-2022-23026 F5 Unrestricted Upload of File with Dangerous Type vulnerability in F5 products

On BIG-IP ASM & Advanced WAF version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, an authenticated user with low privileges, such as a guest, can upload data using an undisclosed REST endpoint causing an increase in disk resource utilization.

4.0
2022-01-25 CVE-2022-23031 F5 XXE vulnerability in F5 products

On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests.

4.0
2022-01-25 CVE-2021-46085 Oneblog Project Incorrect Default Permissions vulnerability in Oneblog Project Oneblog

OneBlog <= 2.2.8 is vulnerable to Insecure Permissions.

4.0
2022-01-25 CVE-2022-0338 Conda Loguru Project Improper Privilege Management vulnerability in Conda Loguru Project Conda Loguru

Improper Privilege Management in Conda loguru prior to 0.5.3.

4.0
2022-01-24 CVE-2021-36349 Dell Server-Side Request Forgery (SSRF) vulnerability in Dell EMC Data Protection Central

Dell EMC Data Protection Central versions 19.5 and prior contain a Server Side Request Forgery vulnerability in the DPC DNS client processing.

4.0
2022-01-24 CVE-2021-45223 Coins Global Improper Input Validation vulnerability in Coins-Global Construction Cloud 11.12

An issue was discovered in COINS Construction Cloud 11.12.

4.0
2022-01-24 CVE-2021-24733 WP Post Page Clone Project Incorrect Authorization vulnerability in WP Post Page Clone Project WP Post Page Clone 1.1

The WP Post Page Clone WordPress plugin before 1.2 allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally.

4.0
2022-01-24 CVE-2021-25013 Themeum Missing Authorization vulnerability in Themeum Qubely

The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts

4.0
2022-01-24 CVE-2022-23857 Navidrome SQL Injection vulnerability in Navidrome

model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists.

4.0

48 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-01-27 CVE-2022-23181 Apache Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using.

3.7
2022-01-28 CVE-2021-46447 HHG Multistore Cross-site Scripting vulnerability in Hhg-Multistore Multistore 4.10.3/5.1.0

A cross-site scripting (XSS) vulnerability in H.H.G Multistore v5.1.0 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the State parameter under the Address Book module.

3.5
2022-01-28 CVE-2022-0395 Livehelperchat Cross-site Scripting vulnerability in Livehelperchat Live Helper Chat

Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.

3.5
2022-01-28 CVE-2021-23174 Wpchill Cross-site Scripting vulnerability in Wpchill Download Monitor

Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6) Vulnerable parameters: &post_title, &downloadable_file_version[0].

3.5
2022-01-28 CVE-2022-22791 Synel Cross-site Scripting vulnerability in Synel Eharmony 8.0.2.3

SYNEL - eharmony Authenticated Blind & Stored XSS.

3.5
2022-01-28 CVE-2022-23979 Etoilewebdesign Cross-site Scripting vulnerability in Etoilewebdesign Ultimate Reviews

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability discovered in Ultimate Reviews WordPress plugin (versions <= 3.0.15).

3.5
2022-01-28 CVE-2022-22868 Gibbonedu Cross-site Scripting vulnerability in Gibbonedu Gibbon 22.0.01

Gibbon CMS v22.0.01 was discovered to contain a cross-site scripting (XSS) vulnerability, that allows attackers to inject arbitrary script via name parameters.

3.5
2022-01-28 CVE-2021-34073 Gadget Works Online Ordering System Project Cross-site Scripting vulnerability in Gadget Works Online Ordering System Project Gadget Works Online Ordering System 1.0

A Cross Site Scripting (XSS) vulnerabilty exists in Sourcecodester Gadget Works Online Ordering System in PHP/MySQLi 1.0 via the Category parameter in an add function in category/index.php.

3.5
2022-01-28 CVE-2022-0394 Livehelperchat Cross-site Scripting vulnerability in Livehelperchat Live Helper Chat

Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.

3.5
2022-01-27 CVE-2021-46065 Zohocorp Cross-site Scripting vulnerability in Zohocorp Manageengine Servicedesk Plus 11.3

A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attackers to inject arbitrary JavaScript code.

3.5
2022-01-27 CVE-2022-0348 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.

3.5
2022-01-27 CVE-2022-0372 Craterapp Cross-site Scripting vulnerability in Craterapp Crater

Cross-site Scripting (XSS) - Stored in Packagist bytefury/crater prior to 6.0.2.

3.5
2022-01-27 CVE-2022-0370 Livehelperchat Cross-site Scripting vulnerability in Livehelperchat

Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.

3.5
2022-01-27 CVE-2022-0387 Livehelperchat Cross-site Scripting vulnerability in Livehelperchat

Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.

3.5
2022-01-26 CVE-2022-22850 Hospital S Patient Records Management System Project Cross-site Scripting vulnerability in Hospital'S Patient Records Management System Project Hospital'S Patient Records Management System 1.0

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodtester Hospital's Patient Records Management System 1.0 via the description parameter in room_types.

3.5
2022-01-26 CVE-2021-43334 Buddyboss Cross-site Scripting vulnerability in Buddyboss

BuddyBoss Platform through 1.8.0 allows XSS via the Group Name or Group Description field.

3.5
2022-01-26 CVE-2022-0379 Microweber Cross-site Scripting vulnerability in Microweber

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.

3.5
2022-01-26 CVE-2022-22851 Hospital S Patient Records Management System Project Cross-site Scripting vulnerability in Hospital'S Patient Records Management System Project Hospital'S Patient Records Management System 1.0

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodtester Hospital's Patient Records Management System 1.0 via the specialization parameter in doctors.php

3.5
2022-01-26 CVE-2021-44118 Spip Cross-site Scripting vulnerability in Spip 4.0.0

SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability.

3.5
2022-01-26 CVE-2021-44120 Spip Cross-site Scripting vulnerability in Spip 4.0.0

SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php, adding the function safehtml to the vulnerable fields.

3.5
2022-01-26 CVE-2022-0251 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.10.

3.5
2022-01-26 CVE-2022-0374 Livehelperchat Cross-site Scripting vulnerability in Livehelperchat Live Helper Chat

Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.

3.5
2022-01-26 CVE-2022-0375 Livehelperchat Cross-site Scripting vulnerability in Livehelperchat Live Helper Chat

Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.

3.5
2022-01-25 CVE-2021-40337 Hitachi Cross-site Scripting vulnerability in Hitachi Linkone

Cross-site Scripting (XSS) vulnerability in Hitachi Energy LinkOne allows an attacker that manages to exploit the vulnerability can take advantage to exploit multiple web attacks and stole sensitive information.

3.5
2022-01-25 CVE-2021-46083 Uscat Project Cross-site Scripting vulnerability in Uscat Project Uscat

uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) via the input box of the statistical code.

3.5
2022-01-25 CVE-2021-46084 Uscat Project Cross-site Scripting vulnerability in Uscat Project Uscat

uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) via "close registration information" input box.

3.5
2022-01-25 CVE-2021-46087 Jflyfox Cross-site Scripting vulnerability in Jflyfox Jfinal CMS 5.1.0

In jfinal_cms >= 5.1 0, there is a storage XSS vulnerability in the background system of CMS.

3.5
2022-01-25 CVE-2022-0268 Getgrav Cross-site Scripting vulnerability in Getgrav Grav

Cross-site Scripting (XSS) - Stored in Packagist getgrav/grav prior to 1.7.28.

3.5
2022-01-24 CVE-2021-41658 Student Quarterly Grading System Project Cross-site Scripting vulnerability in Student Quarterly Grading System Project Student Quarterly Grading System 1.0

Cross Site Scripting (XSS) in Sourcecodester Student Quarterly Grading System by oretnom23, allows attackers to execute arbitrary code via the fullname and username parameters to the users page.

3.5
2022-01-24 CVE-2021-24423 Updraftplus Cross-site Scripting vulnerability in Updraftplus

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.6.59 does not sanitise its updraft_service settings, allowing high privilege users to set malicious JavaScript payload in it and leading to a Stored Cross-Site Scripting issue

3.5
2022-01-24 CVE-2021-24694 Tipsandtricks HQ Cross-site Scripting vulnerability in Tipsandtricks-Hq Simple Download Monitor

The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode.

3.5
2022-01-24 CVE-2021-24965 Fivestarplugins Cross-site Scripting vulnerability in Fivestarplugins Five Star Restaurant Reservations

The Five Star Restaurant Reservations WordPress plugin before 2.4.8 does not have capability and CSRF checks in the rtb_welcome_set_schedule AJAX action, allowing any authenticated users to call it.

3.5
2022-01-24 CVE-2021-24968 Etoilewebdesign Missing Authorization vulnerability in Etoilewebdesign Ultimate FAQ

The Ultimate FAQ WordPress plugin before 2.1.2 does not have capability and CSRF checks in the ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page AJAX actions, available to any authenticated users.

3.5
2022-01-24 CVE-2021-24974 Adtribes Cross-site Scripting vulnerability in Adtribes Product Feed PRO for Woocommerce

The Product Feed PRO for WooCommerce WordPress plugin before 11.0.7 does not have authorisation and CSRF check in some of its AJAX actions, allowing any authenticated users to call then, which could lead to Stored Cross-Site Scripting issue (which will be triggered in the admin dashboard) due to the lack of escaping.

3.5
2022-01-24 CVE-2021-25049 Mobile Events Manager Project Cross-site Scripting vulnerability in Mobile Events Manager Project Mobile Events Manager

The Mobile Events Manager WordPress plugin before 1.4.4 does not sanitise and escape various of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3.5
2022-01-25 CVE-2021-34870 Netgear Missing Authentication for Critical Function vulnerability in Netgear Xr1000 1.0.0.521.0.38

This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR XR1000 1.0.0.52_1.0.38 routers.

3.3
2022-01-28 CVE-2022-23599 Plone Cross-site Scripting vulnerability in Plone

Products.ATContentTypes are the core content types for Plone 2.1 - 4.3.

2.6
2022-01-24 CVE-2021-24976 Wbolt Cross-site Scripting vulnerability in Wbolt Smart SEO Tool

The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to a Reflected Cross-Site Scripting

2.6
2022-01-29 CVE-2021-46657 Mariadb Resource Exhaustion vulnerability in Mariadb

get_sort_by_table in MariaDB before 10.6.2 allows an application crash via certain subquery uses of ORDER BY.

2.1
2022-01-29 CVE-2021-46658 Mariadb Resource Exhaustion vulnerability in Mariadb

save_window_function_values in MariaDB before 10.6.3 allows an application crash because of incorrect handling of with_window_func=true for a subquery.

2.1
2022-01-29 CVE-2021-46659 Mariadb Unspecified vulnerability in Mariadb

MariaDB before 10.7.2 allows an application crash because it does not recognize that SELECT_LEX::nest_level is local to each VIEW.

2.1
2022-01-28 CVE-2021-22799 Schneider Electric Insufficient Entropy vulnerability in Schneider-Electric Software Update

A CWE-331: Insufficient Entropy vulnerability exists that could cause unintended connection from an internal network to an external network when an attacker manages to decrypt the SESU proxy password from the registry.

2.1
2022-01-28 CVE-2022-22938 Vmware Unspecified vulnerability in VMWare Horizon and Workstation

VMware Workstation (16.x prior to 16.2.2) and Horizon Client for Windows (5.x prior to 5.5.3) contains a denial-of-service vulnerability in the Cortado ThinPrint component.

2.1
2022-01-28 CVE-2022-23456 HP Unspecified vulnerability in HP Support Assistant 8.1.40.3/8.7.50/8.7.50.3

Potential arbitrary file deletion vulnerability has been identified in HP Support Assistant software.

2.1
2022-01-25 CVE-2021-38129 Microfocus Improper Privilege Management vulnerability in Microfocus Operations Agent

Escalation of privileges vulnerability in Micro Focus in Micro Focus Operations Agent, affecting versions 12.x up to and including 12.21.

2.1
2022-01-25 CVE-2022-23034 XEN
Fedoraproject
Integer Underflow (Wrap or Wraparound) vulnerability in multiple products

A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled.

2.1
2022-01-24 CVE-2022-22554 Dell Insufficiently Protected Credentials vulnerability in Dell EMC System Update

Dell EMC System Update, version 1.9.2 and prior, contain an Unprotected Storage of Credentials vulnerability.

2.1
2022-01-24 CVE-2021-35005 Teamviewer Improper Validation of Array Index vulnerability in Teamviewer

This vulnerability allows local attackers to disclose sensitive information on affected installations of TeamViewer.

2.1