Weekly Vulnerabilities Reports > January 31 to February 6, 2022
Overview
407 new vulnerabilities reported during this period, including 30 critical vulnerabilities and 145 high severity vulnerabilities. This weekly summary report vulnerabilities in 499 products from 155 vendors including Google, Tenda, Fedoraproject, Debian, and Tendacn. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "Command Injection", "SQL Injection", and "Integer Overflow or Wraparound".
- 336 reported vulnerabilities are remotely exploitables.
- 4 reported vulnerabilities have public exploit available.
- 131 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 296 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 57 reported vulnerabilities.
- Totolink has the most reported critical vulnerabilities, with 4 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
30 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-02-04 | CVE-2021-21960 | Sealevel | Improper Validation of Specified Quantity in Input vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34 A stack-based buffer overflow vulnerability exists in both the LLMNR functionality of Sealevel Systems, Inc. | 10.0 |
2022-02-04 | CVE-2022-0365 | Riconmobile | OS Command Injection vulnerability in Riconmobile S9922L Firmware and S9922Xl Firmware The affected product is vulnerable to an authenticated OS command injection, which may allow an attacker to inject and execute arbitrary shell commands as the Admin (root) user. | 10.0 |
2022-02-04 | CVE-2021-29393 | Globalnorthstar | OS Command Injection vulnerability in Globalnorthstar Northstar Club Management 6.3 Remote Code Execution in cominput.jsp and comoutput.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to inject and execute arbitrary system commands via the unsanitized user-controlled "command" and "commandvalues" parameters. | 10.0 |
2022-02-04 | CVE-2022-24260 | Voipmonitor | SQL Injection vulnerability in Voipmonitor A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level. | 10.0 |
2022-02-04 | CVE-2021-44880 | Dlink | Command Injection vulnerability in Dlink Dir-878 Firmware and Dir-882 Firmware D-Link devices DIR_878 DIR_878_FW1.30B08_Hotfix_02 and DIR_882 DIR_882_FW1.30B06_Hotfix_02 were discovered to contain a command injection vulnerability in the system function. | 10.0 |
2022-02-04 | CVE-2021-44881 | Dlink | Command Injection vulnerability in Dlink Dir-882 Firmware 1.10B04/1.20B06/1.30B06 D-Link device DIR_882 DIR_882_FW1.30B06_Hotfix_02 was discovered to contain a command injection vulnerability in the twsystem function. | 10.0 |
2022-02-04 | CVE-2021-44882 | Dlink | Command Injection vulnerability in Dlink Dir-878 Firmware D-Link device DIR_878_FW1.30B08_Hotfix_02 was discovered to contain a command injection vulnerability in the twsystem function. | 10.0 |
2022-02-04 | CVE-2021-45733 | Totolink | Command Injection vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102 TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function NTPSyncWithHost. | 10.0 |
2022-02-04 | CVE-2021-45738 | Totolink | Command Injection vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102 TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function UploadFirmwareFile. | 10.0 |
2022-02-04 | CVE-2021-45742 | Totolink | Command Injection vulnerability in Totolink A720R Firmware 4.1.5Cu.470B20200911 TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a command injection vulnerability in the "Main" function. | 10.0 |
2022-02-06 | CVE-2021-41816 | Ruby Lang Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. | 9.8 |
2022-02-06 | CVE-2022-22832 | Servisnet | Authorization Bypass Through User-Controlled Key vulnerability in Servisnet Tessa 0.0.2 An issue was discovered in Servisnet Tessa 0.0.2. | 9.8 |
2022-02-06 | CVE-2022-24552 | Starwindsoftware | OS Command Injection vulnerability in Starwindsoftware NAS and SAN A flaw was found in the REST API in StarWind Stack. | 9.8 |
2022-02-04 | CVE-2022-23614 | Symfony Fedoraproject Debian | Code Injection vulnerability in multiple products Twig is an open source template language for PHP. | 9.8 |
2022-02-04 | CVE-2021-45740 | Totolink | Unspecified vulnerability in Totolink A720R Firmware 4.1.5Cu.470B20200911 TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the setWiFiWpsStart function. | 9.8 |
2022-02-02 | CVE-2022-21724 | Postgresql Fedoraproject Quarkus Debian | Improper Initialization vulnerability in multiple products pgjdbc is the offical PostgreSQL JDBC Driver. | 9.8 |
2022-02-02 | CVE-2022-24300 | Minetest Debian | Minetest before 5.4.0 allows attackers to add or modify arbitrary meta fields of the same item stack as saved user input, aka ItemStack meta injection. | 9.8 |
2022-01-31 | CVE-2022-24263 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Hospital Management System 4.0 Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-master/func.php via the email parameter. | 9.8 |
2022-01-31 | CVE-2021-31617 | Stormshield | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Stormshield Network Security In ASQ in Stormshield Network Security (SNS) 1.0.0 through 2.7.8, 2.8.0 through 2.16.0, 3.0.0 through 3.7.20, 3.8.0 through 3.11.8, and 4.0.1 through 4.2.2, mishandling of memory management can lead to remote code execution. | 9.8 |
2022-02-02 | CVE-2022-21817 | Nvidia | Unspecified vulnerability in Nvidia Omniverse Launcher NVIDIA Omniverse Launcher contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can get user to browse malicious site, to acquire access tokens allowing them to access resources in other security domains, which may lead to code execution, escalation of privileges, and impact to confidentiality and integrity. | 9.3 |
2022-02-01 | CVE-2021-42638 | Printerlogic | Command Injection vulnerability in Printerlogic web Stack 19.1.1.13 PrinterLogic Web Stack versions 19.1.1.13 SP9 and below do not sanitize user input resulting in pre-auth remote code execution. | 9.3 |
2022-01-31 | CVE-2021-42631 | Printerlogic | Deserialization of Untrusted Data vulnerability in Printerlogic Virtual Appliance and web Stack PrinterLogic Web Stack versions 19.1.1.13 SP9 and below deserializes attacker controlled leading to pre-auth remote code execution. | 9.3 |
2022-01-31 | CVE-2021-42635 | Printerlogic | Use of Hard-coded Credentials vulnerability in Printerlogic web Stack 19.1.1.13 PrinterLogic Web Stack versions 19.1.1.13 SP9 and below use a hardcoded APP_KEY value, leading to pre-auth remote code execution. | 9.3 |
2022-02-03 | CVE-2022-23357 | Mozilo | Path Traversal vulnerability in Mozilo Mozilocms 2.0 mozilo2.0 was discovered to be vulnerable to directory traversal attacks via the parameter curent_dir. | 9.1 |
2022-01-31 | CVE-2021-45079 | Strongswan Debian Fedoraproject Canonical | NULL Pointer Dereference vulnerability in multiple products In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication. | 9.1 |
2022-02-06 | CVE-2021-39280 | Korenix | Unspecified vulnerability in Korenix products Certain Korenix JetWave devices allow authenticated users to execute arbitrary code as root via /syscmd.asp. | 9.0 |
2022-02-06 | CVE-2022-24551 | Starwindsoftware | Improper Authentication vulnerability in Starwindsoftware NAS and SAN A flaw was found in StarWind Stack. | 9.0 |
2022-02-02 | CVE-2022-22509 | Phoenixcontact | Improper Privilege Management vulnerability in Phoenixcontact products In Phoenix Contact FL SWITCH Series 2xxx in version 3.00 an incorrect privilege assignment allows an low privileged user to enable full access to the device configuration. | 9.0 |
2022-02-02 | CVE-2021-41018 | Fortinet | OS Command Injection vulnerability in Fortinet Fortiweb A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests. | 9.0 |
2022-02-02 | CVE-2021-41016 | Fortinet | OS Command Injection vulnerability in Fortinet Fortiextender Firmware A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiExtender version 7.0.1 and below, 4.2.3 and below, 4.1.7 and below allows an authenticated attacker to execute privileged shell commands via CLI commands including special characters | 9.0 |
145 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-02-04 | CVE-2020-7534 | Schneider Electric | Cross-Site Request Forgery (CSRF) vulnerability in Schneider-Electric products A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists on the web server used, that could cause a leak of sensitive data or unauthorized actions on the web server during the time the user is logged in. | 8.8 |
2022-02-04 | CVE-2021-4154 | Linux Redhat Netapp | Use After Free vulnerability in multiple products A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. | 8.8 |
2022-02-04 | CVE-2022-22727 | Schneider Electric | Improper Input Validation vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert A CWE-20: Improper Input Validation vulnerability exists that could allow an unauthenticated attacker to view data, change settings, impact availability of the software, or potentially impact a user?s local machine when the user clicks a specially crafted link. | 8.8 |
2022-02-03 | CVE-2021-45268 | Backdropcms | Cross-Site Request Forgery (CSRF) vulnerability in Backdropcms Backdrop 1.20.0 A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file. | 8.8 |
2022-02-02 | CVE-2022-0366 | Capsule8 | SQL Injection vulnerability in Capsule8 4.6.0/4.9.1 An authenticated and authorized agent user could potentially gain administrative access via an SQLi vulnerability to Capsule8 Console between versions 4.6.0 and 4.9.1. | 8.8 |
2022-02-04 | CVE-2021-40401 | Gerbv Project Fedoraproject Debian | Unchecked Return Value vulnerability in multiple products A use-after-free vulnerability exists in the RS-274X aperture definition tokenization functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and Gerbv forked 2.7.1. | 8.6 |
2022-02-02 | CVE-2021-42753 | Fortinet | Path Traversal vulnerability in Fortinet Fortiweb An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb management interface 6.4.1 and below, 6.3.15 and below, 6.2.x, 6.1.x, 6.0.x, 5.9.x and 5.8.x may allow an authenticated attacker to perform an arbitrary file and directory deletion in the device filesystem. | 8.5 |
2022-02-04 | CVE-2021-21968 | Sealevel | Unspecified vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34 A file write vulnerability exists in the OTA update task functionality of Sealevel Systems, Inc. | 8.3 |
2022-02-04 | CVE-2022-22723 | Schneider Electric | Classic Buffer Overflow vulnerability in Schneider-Electric Easergy P5 Firmware A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could lead to a buffer overflow causing program crashes and arbitrary code execution when specially crafted packets are sent to the device over the network. | 8.3 |
2022-02-04 | CVE-2022-22725 | Schneider Electric | Classic Buffer Overflow vulnerability in Schneider-Electric Easergy P3 Firmware A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could lead to a buffer overflow causing program crashes and arbitrary code execution when specially crafted packets are sent to the device over the network. | 8.3 |
2022-02-03 | CVE-2021-33627 | Insyde Siemens | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products An issue was discovered in Insyde InsydeH2O Kernel 5.0 before 05.09.11, 5.1 before 05.17.11, 5.2 before 05.27.11, 5.3 before 05.36.11, 5.4 before 05.44.11, and 5.5 before 05.52.11 affecting FwBlockServiceSmm. | 8.2 |
2022-02-03 | CVE-2021-41839 | Insyde | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Insyde Insydeh2O An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. | 8.2 |
2022-02-04 | CVE-2021-21969 | Sealevel | Out-of-bounds Write vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34 An out-of-bounds write vulnerability exists in the HandleSeaCloudMessage functionality of Sealevel Systems, Inc. | 8.1 |
2022-02-04 | CVE-2021-21970 | Sealevel | Out-of-bounds Write vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34 An out-of-bounds write vulnerability exists in the HandleSeaCloudMessage functionality of Sealevel Systems, Inc. | 8.1 |
2022-02-01 | CVE-2022-23602 | NIM Lang | Path Traversal vulnerability in Nim-Lang Docutils and Nimforum Nimforum is a lightweight alternative to Discourse written in Nim. | 8.1 |
2022-02-04 | CVE-2013-20003 | Silabs | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Silabs products Z-Wave devices from Sierra Designs (circa 2013) and Silicon Labs (using S0 security) may use a known, shared network key of all zeros, allowing an attacker within radio range to spoof Z-Wave traffic. | 7.9 |
2022-02-04 | CVE-2022-0481 | Mruby | NULL Pointer Dereference vulnerability in Mruby NULL Pointer Dereference in Homebrew mruby prior to 3.2. | 7.8 |
2022-02-04 | CVE-2022-23946 | Kicad Fedoraproject Debian | Stack-based Buffer Overflow vulnerability in multiple products A stack-based buffer overflow vulnerability exists in the Gerber Viewer gerber and excellon GCodeNumber parsing functionality of KiCad EDA 6.0.1 and master commit de006fc010. | 7.8 |
2022-02-04 | CVE-2022-23947 | Kicad Fedoraproject Debian | Stack-based Buffer Overflow vulnerability in multiple products A stack-based buffer overflow vulnerability exists in the Gerber Viewer gerber and excellon DCodeNumber parsing functionality of KiCad EDA 6.0.1 and master commit de006fc010. | 7.8 |
2022-02-04 | CVE-2021-45988 | Tendacn | Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formAddDnsForward. | 7.8 |
2022-02-04 | CVE-2021-45989 | Tendacn | Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function guestWifiRuleRefresh. | 7.8 |
2022-02-04 | CVE-2021-45991 | Tendacn | Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formAddVpnUsers. | 7.8 |
2022-02-04 | CVE-2021-45992 | Tendacn | Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetQvlanList. | 7.8 |
2022-02-04 | CVE-2021-45993 | Tendacn | Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formIPMacBindModify. | 7.8 |
2022-02-04 | CVE-2021-45994 | Tendacn | Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formDelDhcpRule. | 7.8 |
2022-02-04 | CVE-2021-45995 | Tendacn | Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetStaticRoute. | 7.8 |
2022-02-04 | CVE-2021-45996 | Tendacn | Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetPortMapping. | 7.8 |
2022-02-04 | CVE-2021-45997 | Tendacn | Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetPortMapping. | 7.8 |
2022-02-04 | CVE-2022-24142 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetFirewallCfg. | 7.8 |
2022-02-04 | CVE-2022-24143 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax12 Firmware and AX3 Firmware Tenda AX3 v16.03.12.10_CN and AX12 22.03.01.2_CN was discovered to contain a stack overflow in the function form_fast_setting_wifi_set. | 7.8 |
2022-02-04 | CVE-2022-24145 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formWifiBasicSet. | 7.8 |
2022-02-04 | CVE-2022-24146 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetQosBand. | 7.8 |
2022-02-04 | CVE-2022-24147 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromAdvSetMacMtuWan. | 7.8 |
2022-02-04 | CVE-2022-24149 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetWirelessRepeat. | 7.8 |
2022-02-04 | CVE-2022-24151 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetWifiGusetBasic. | 7.8 |
2022-02-04 | CVE-2022-24152 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetRouteStatic. | 7.8 |
2022-02-04 | CVE-2022-24153 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formAddMacfilterRule. | 7.8 |
2022-02-04 | CVE-2022-24154 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetRebootTimer. | 7.8 |
2022-02-04 | CVE-2022-24155 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a heap overflow in the function setSchedWifi. | 7.8 |
2022-02-04 | CVE-2022-24156 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetVirtualSer. | 7.8 |
2022-02-04 | CVE-2022-24157 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetMacFilterCfg. | 7.8 |
2022-02-04 | CVE-2022-24158 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetIpMacBind. | 7.8 |
2022-02-04 | CVE-2022-24159 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetPPTPServer. | 7.8 |
2022-02-04 | CVE-2022-24160 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetDeviceName. | 7.8 |
2022-02-04 | CVE-2022-24161 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a heap overflow in the function GetParentControlInfo. | 7.8 |
2022-02-04 | CVE-2022-24162 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function saveParentControlInfo. | 7.8 |
2022-02-04 | CVE-2022-24163 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetSysTime. | 7.8 |
2022-02-04 | CVE-2022-24164 | Tendacn | Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetVirtualSer. | 7.8 |
2022-02-04 | CVE-2022-24166 | Tendacn | Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetSysTime. | 7.8 |
2022-02-04 | CVE-2022-24169 | Tendacn | Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formIPMacBindAdd. | 7.8 |
2022-02-04 | CVE-2022-24172 | Tendacn | Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formAddDhcpBindRule. | 7.8 |
2022-02-02 | CVE-2022-0443 | VIM Fedoraproject Debian | Use After Free vulnerability in multiple products Use After Free in GitHub repository vim/vim prior to 8.2. | 7.8 |
2022-02-01 | CVE-2022-0417 | VIM Fedoraproject Debian | Heap-based Buffer Overflow vulnerability in multiple products Heap-based Buffer Overflow GitHub repository vim/vim prior to 8.2. | 7.8 |
2022-01-31 | CVE-2022-24264 | Cuppacms | SQL Injection vulnerability in Cuppacms 1.0 Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the search_word parameter. | 7.8 |
2022-01-31 | CVE-2022-24265 | Cuppacms | SQL Injection vulnerability in Cuppacms 1.0 Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the path=component/menu/&menu_filter=3 parameter. | 7.8 |
2022-01-31 | CVE-2022-24266 | Cuppacms | SQL Injection vulnerability in Cuppacms 1.0 Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the order_by parameter. | 7.8 |
2022-01-31 | CVE-2021-27971 | Alpsalpine | Unspecified vulnerability in Alpsalpine Touchpad Driver 10.3201.101.215 Alps Alpine Touchpad Driver 10.3201.101.215 is vulnerable to DLL Injection. | 7.8 |
2022-01-31 | CVE-2021-34805 | Land Software | Path Traversal vulnerability in Land-Software Faust Iserver An issue was discovered in FAUST iServer before 9.0.019.019.7. | 7.8 |
2022-02-04 | CVE-2022-24348 | Argoproj | Path Traversal vulnerability in Argoproj Argo CD Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. | 7.7 |
2022-02-06 | CVE-2013-20004 | Starwindsoftware | Resource Exhaustion vulnerability in Starwindsoftware Iscsi SAN A flaw was found in StarWind iSCSI target. | 7.5 |
2022-02-06 | CVE-2022-22831 | Servisnet | Improper Authentication vulnerability in Servisnet Tessa 0.0.2 An issue was discovered in Servisnet Tessa 0.0.2. | 7.5 |
2022-02-05 | CVE-2021-38172 | Debian | Classic Buffer Overflow vulnerability in Debian Perm 0.4.0 perM 0.4.0 has a Buffer Overflow related to strncpy. | 7.5 |
2022-02-04 | CVE-2020-12965 | AMD | Injection vulnerability in AMD products When combined with specific software sequences, AMD CPUs may transiently execute non-canonical loads and store using only the lower 48 address bits potentially resulting in data leakage. | 7.5 |
2022-02-04 | CVE-2021-21961 | Sealevel | Out-of-bounds Write vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34 A stack-based buffer overflow vulnerability exists in the NBNS functionality of Sealevel Systems, Inc. | 7.5 |
2022-02-04 | CVE-2021-22285 | ABB | Improper Handling of Exceptional Conditions vulnerability in ABB Pni800 Firmware and Spiet800 Firmware Improper Handling of Exceptional Conditions, Improper Check for Unusual or Exceptional Conditions vulnerability in the ABB SPIET800 and PNI800 module that allows an attacker to cause the denial of service or make the module unresponsive. | 7.5 |
2022-02-04 | CVE-2021-36152 | Apache | Unspecified vulnerability in Apache Gobblin Apache Gobblin trusts all certificates used for LDAP connections in Gobblin-as-a-Service. | 7.5 |
2022-02-04 | CVE-2021-44779 | GWA Autoresponder Project | SQL Injection vulnerability in [Gwa] Autoresponder Project [Gwa] Autoresponder 2.3 Unauthenticated SQL Injection (SQLi) vulnerability discovered in [GWA] AutoResponder WordPress plugin (versions <= 2.3), vulnerable at (&listid). | 7.5 |
2022-02-04 | CVE-2022-22987 | Advantech | Use of Hard-coded Credentials vulnerability in Advantech Adam-3600 Firmware 2.6.2 The affected product has a hardcoded private key available inside the project folder, which may allow an attacker to achieve Web Server login and perform further actions. | 7.5 |
2022-02-04 | CVE-2022-23379 | Emlog | SQL Injection vulnerability in Emlog 6.0.0 Emlog v6.0 was discovered to contain a SQL injection vulnerability via the $TagID parameter of getblogidsfromtagid(). | 7.5 |
2022-02-04 | CVE-2022-23587 | Integer Overflow or Wraparound vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 7.5 | |
2022-02-04 | CVE-2022-23591 | Uncontrolled Recursion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 7.5 | |
2022-02-04 | CVE-2022-23611 | Itunesrpc Remastered Project | OS Command Injection vulnerability in Itunesrpc-Remastered Project Itunesrpc-Remastered iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows utility. | 7.5 |
2022-02-04 | CVE-2022-23913 | Apache Netapp | Allocation of Resources Without Limits or Throttling vulnerability in multiple products In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory. | 7.5 |
2022-02-04 | CVE-2022-23329 | Ujcms | Unrestricted Upload of File with Dangerous Type vulnerability in Ujcms Jspxcms 10.2.0 A vulnerability in ${"freemarker.template.utility.Execute"?new() of UJCMS Jspxcms v10.2.0 allows attackers to execute arbitrary commands via uploading malicious files. | 7.5 |
2022-02-04 | CVE-2021-23470 | Putil Merge Project | Unspecified vulnerability in Putil-Merge Project Putil-Merge This affects the package putil-merge before 3.8.0. | 7.5 |
2022-02-04 | CVE-2021-23497 | SET Project | Unspecified vulnerability in SET Project SET 1.0.0/1.0.1 This affects the package @strikeentco/set before 1.0.2. | 7.5 |
2022-02-04 | CVE-2021-23507 | Skratchdot | Unspecified vulnerability in Skratchdot Object-Path-Set The package object-path-set before 1.0.2 are vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it. | 7.5 |
2022-02-04 | CVE-2021-29396 | Globalnorthstar | Incorrect Permission Assignment for Critical Resource vulnerability in Globalnorthstar Northstar Club Management 6.3 Systemic Insecure Permissions in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to use various functionalities without authentication. | 7.5 |
2022-02-04 | CVE-2022-24259 | Voipmonitor | Improper Authentication vulnerability in Voipmonitor An incorrect check in the component cdr.php of Voipmonitor GUI before v24.96 allows unauthenticated attackers to escalate privileges via a crafted request. | 7.5 |
2022-02-04 | CVE-2021-44978 | Idreamsoft | Code Injection vulnerability in Idreamsoft Icms iCMS <= 8.0.0 allows users to add and render a comtom template, which has a SSTI vulnerability which causes remote code execution. | 7.5 |
2022-02-04 | CVE-2021-44246 | Totolink | Unspecified vulnerability in Totolink A3100R Firmware, A720R Firmware and A830R Firmware Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain a stack overflow in the function setNoticeCfg. | 7.5 |
2022-02-04 | CVE-2021-44247 | Totolink | Command Injection vulnerability in Totolink A3100R Firmware, A720R Firmware and A830R Firmware Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain command injection vulnerability in the function setNoticeCfg. | 7.5 |
2022-02-04 | CVE-2021-45734 | Totolink | Unspecified vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102 TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setUrlFilterRules. | 7.5 |
2022-02-04 | CVE-2021-45736 | Totolink | Unspecified vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102 TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setL2tpServerCfg. | 7.5 |
2022-02-04 | CVE-2021-45737 | Totolink | Unspecified vulnerability in Totolink A720R Firmware 4.1.5Cu.470B20200911 TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. | 7.5 |
2022-02-04 | CVE-2021-45739 | Totolink | Unspecified vulnerability in Totolink A720R Firmware 4.1.5Cu.470B20200911 TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. | 7.5 |
2022-02-04 | CVE-2021-45741 | Totolink | Unspecified vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102 TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setIpv6Cfg. | 7.5 |
2022-02-04 | CVE-2021-45986 | Tendacn | OS Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetUSBShareInfo. | 7.5 |
2022-02-04 | CVE-2021-45987 | Tendacn | OS Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetNetCheckTools. | 7.5 |
2022-02-04 | CVE-2021-45990 | Tendacn | Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function uploadPicture. | 7.5 |
2022-02-04 | CVE-2021-45998 | Dlink | Command Injection vulnerability in Dlink Dir-882 Firmware 1.10B04/1.30B06 D-Link device DIR_882 DIR_882_FW1.30B06_Hotfix_02 was discovered to contain a command injection vulnerability in the LocalIPAddress parameter. | 7.5 |
2022-02-04 | CVE-2021-46226 | Dlink | Command Injection vulnerability in Dlink Di-7200Gv2 Firmware D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function wget_test.asp. | 7.5 |
2022-02-04 | CVE-2021-46227 | Dlink | Command Injection vulnerability in Dlink Di-7200Gv2 Firmware D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function proxy_client.asp. | 7.5 |
2022-02-04 | CVE-2021-46228 | Dlink | Command Injection vulnerability in Dlink Di-7200Gv2 Firmware D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function httpd_debug.asp. | 7.5 |
2022-02-04 | CVE-2021-46229 | Dlink | Command Injection vulnerability in Dlink Di-7200Gv2 Firmware D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function usb_paswd.asp. | 7.5 |
2022-02-04 | CVE-2021-46230 | Dlink | Command Injection vulnerability in Dlink Di-7200Gv2 Firmware D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function upgrade_filter. | 7.5 |
2022-02-04 | CVE-2021-46231 | Dlink | Command Injection vulnerability in Dlink Di-7200Gv2 Firmware D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function urlrd_opt.asp. | 7.5 |
2022-02-04 | CVE-2021-46232 | Dlink | Command Injection vulnerability in Dlink Di-7200Gv2 Firmware D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function version_upgrade.asp. | 7.5 |
2022-02-04 | CVE-2021-46233 | Dlink | Command Injection vulnerability in Dlink Di-7200Gv2 Firmware D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function msp_info.htm. | 7.5 |
2022-02-04 | CVE-2021-46452 | Dlink | Command Injection vulnerability in Dlink Dir-823 PRO Firmware D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetNetworkTomographySettings. | 7.5 |
2022-02-04 | CVE-2021-46453 | Dlink | Command Injection vulnerability in Dlink Dir-823 PRO Firmware D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetStaticRouteSettings. | 7.5 |
2022-02-04 | CVE-2021-46454 | Dlink | Command Injection vulnerability in Dlink Dir-823 PRO Firmware D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetWLanApcliSettings. | 7.5 |
2022-02-04 | CVE-2021-46455 | Dlink | Command Injection vulnerability in Dlink Dir-823 PRO Firmware D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetStationSettings. | 7.5 |
2022-02-04 | CVE-2021-46456 | Dlink | Command Injection vulnerability in Dlink Dir-823 PRO Firmware D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetWLanACLSettings. | 7.5 |
2022-02-04 | CVE-2021-46457 | Dlink | Command Injection vulnerability in Dlink Dir-823 PRO Firmware D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function ChgSambaUserSettings. | 7.5 |
2022-02-04 | CVE-2022-24144 | Tenda | Command Injection vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a command injection vulnerability in the function WanParameterSetting. | 7.5 |
2022-02-04 | CVE-2022-24148 | Tenda | Command Injection vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a command injection vulnerability in the function mDMZSetCfg. | 7.5 |
2022-02-04 | CVE-2022-24150 | Tenda | Command Injection vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a command injection vulnerability in the function formSetSafeWanWebMan. | 7.5 |
2022-02-04 | CVE-2022-24165 | Tendacn | Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetQvlanList. | 7.5 |
2022-02-04 | CVE-2022-24167 | Tendacn | Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetDMZ. | 7.5 |
2022-02-04 | CVE-2022-24168 | Tendacn | Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetIpGroup. | 7.5 |
2022-02-04 | CVE-2022-24170 | Tendacn | Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetIpSecTunnel. | 7.5 |
2022-02-04 | CVE-2022-24171 | Tendacn | Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetPppoeServer. | 7.5 |
2022-02-03 | CVE-2022-24307 | Joinmastodon | Incorrect Authorization vulnerability in Joinmastodon Mastodon Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. | 7.5 |
2022-02-03 | CVE-2022-23833 | Djangoproject Fedoraproject Debian | Infinite Loop vulnerability in multiple products An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. | 7.5 |
2022-02-02 | CVE-2021-42637 | Printerlogic | Server-Side Request Forgery (SSRF) vulnerability in Printerlogic web Stack 19.1.1.13 PrinterLogic Web Stack versions 19.1.1.13 SP9 and below use user-controlled input to craft a URL, resulting in a Server Side Request Forgery (SSRF) vulnerability. | 7.5 |
2022-02-01 | CVE-2021-46093 | Elitecms | Incorrect Default Permissions vulnerability in Elitecms Elite CMS 1.0 eliteCMS v1.0 is vulnerable to Insecure Permissions via manage_uploads.php. | 7.5 |
2022-02-01 | CVE-2022-24219 | Elitecms | SQL Injection vulnerability in Elitecms Elite CMS 1.0 eliteCMS v1.0 was discovered to contain a SQL injection vulnerability via /admin/edit_page.php. | 7.5 |
2022-02-01 | CVE-2022-24220 | Elitecms | SQL Injection vulnerability in Elitecms Elite CMS 1.0 eliteCMS v1.0 was discovered to contain a SQL injection vulnerability via /admin/edit_post.php. | 7.5 |
2022-02-01 | CVE-2022-24221 | Elitecms | SQL Injection vulnerability in Elitecms Elite CMS 1.0 eliteCMS v1.0 was discovered to contain a SQL injection vulnerability via /admin/functions/functions.php. | 7.5 |
2022-02-01 | CVE-2022-24222 | Elitecms | SQL Injection vulnerability in Elitecms Elite CMS 1.0 eliteCMS v1.0 was discovered to contain a SQL injection vulnerability via /admin/edit_user.php. | 7.5 |
2022-02-01 | CVE-2022-24223 | Thedigitalcraft | SQL Injection vulnerability in Thedigitalcraft Atomcms 2.0 AtomCMS v2.0 was discovered to contain a SQL injection vulnerability via /admin/login.php. | 7.5 |
2022-02-01 | CVE-2021-43509 | Simple Client Management System Project | SQL Injection vulnerability in Simple Client Management System Project Simple Client Management System 1.0 SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the id parameter in view-service.php. | 7.5 |
2022-02-01 | CVE-2021-43510 | Simple Client Management System Project | SQL Injection vulnerability in Simple Client Management System Project Simple Client Management System 1.0 SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the username field in login.php. | 7.5 |
2022-02-01 | CVE-2021-24762 | Getperfectsurvey | SQL Injection vulnerability in Getperfectsurvey Perfect Survey The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection. | 7.5 |
2022-02-01 | CVE-2021-25093 | Ylefebvre | Missing Authorization vulnerability in Ylefebvre Link Library The Link Library WordPress plugin before 7.2.8 does not have authorisation in place when deleting links, allowing unauthenticated users to delete arbitrary links via a crafted request | 7.5 |
2022-02-01 | CVE-2022-0320 | Wpdeveloper | Path Traversal vulnerability in Wpdeveloper Essential Addons for Elementor The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before it them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attack and read arbitrary files on the server, this could also lead to RCE via user uploaded files or other LFI to RCE techniques. | 7.5 |
2022-02-01 | CVE-2022-0401 | W ZIP Project | Path Traversal vulnerability in W-Zip Project W-Zip Path Traversal in NPM w-zip prior to 1.0.12. | 7.5 |
2022-02-01 | CVE-2021-43859 | Xstream Project Fedoraproject Debian Oracle | Resource Exhaustion vulnerability in multiple products XStream is an open source java library to serialize objects to XML and back again. | 7.5 |
2022-02-01 | CVE-2021-46669 | Mariadb Fedoraproject Debian | Use After Free vulnerability in multiple products MariaDB through 10.5.9 allows attackers to trigger a convert_const_to_int use-after-free when the BIGINT data type is used. | 7.5 |
2022-01-31 | CVE-2021-23520 | Juce | Path Traversal vulnerability in Juce The package juce-framework/juce before 6.1.5 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the ZipFile::uncompressEntry function in juce_ZipFile.cpp. | 7.5 |
2022-02-04 | CVE-2021-21964 | Sealevel | Missing Authentication for Critical Function vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34 A denial of service vulnerability exists in the Modbus configuration functionality of Sealevel Systems, Inc. | 7.4 |
2022-02-03 | CVE-2021-41837 | Insyde Siemens | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products An issue was discovered in AhciBusDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. | 7.2 |
2022-02-03 | CVE-2021-41838 | Insyde Siemens | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products An issue was discovered in SdHostDriver in the kernel 5.0 through 5.5 in Insyde InsydeH2O. | 7.2 |
2022-02-03 | CVE-2021-41840 | Insyde | Allocation of Resources Without Limits or Throttling vulnerability in Insyde Insydeh2O An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. | 7.2 |
2022-02-03 | CVE-2021-41841 | Insyde | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Insyde Insydeh2O An issue was discovered in AhciBusDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. | 7.2 |
2022-02-03 | CVE-2021-42059 | Insyde Siemens | Out-of-bounds Write vulnerability in multiple products An issue was discovered in Insyde InsydeH2O Kernel 5.0 before 05.08.41, Kernel 5.1 before 05.16.41, Kernel 5.2 before 05.26.41, Kernel 5.3 before 05.35.41, and Kernel 5.4 before 05.42.20. | 7.2 |
2022-02-03 | CVE-2021-42060 | Insyde | Unspecified vulnerability in Insyde Insydeh2O An issue was discovered in Insyde InsydeH2O Kernel 5.0 through 05.08.41, Kernel 5.1 through 05.16.41, Kernel 5.2 before 05.23.22, and Kernel 5.3 before 05.32.22. | 7.2 |
2022-02-03 | CVE-2021-42554 | Insyde Siemens | Out-of-bounds Write vulnerability in multiple products An issue was discovered in Insyde InsydeH2O with Kernel 5.0 before 05.08.42, Kernel 5.1 before 05.16.42, Kernel 5.2 before 05.26.42, Kernel 5.3 before 05.35.42, Kernel 5.4 before 05.42.51, and Kernel 5.5 before 05.50.51. | 7.2 |
2022-02-03 | CVE-2021-43323 | Insyde | Unspecified vulnerability in Insyde Insydeh2O An issue was discovered in UsbCoreDxe in Insyde InsydeH2O with kernel 5.5 before 05.51.45, 5.4 before 05.43.45, 5.3 before 05.35.45, 5.2 before 05.26.45, 5.1 before 05.16.45, and 5.0 before 05.08.45. | 7.2 |
2022-02-03 | CVE-2021-43615 | Insyde | Out-of-bounds Write vulnerability in Insyde Insydeh2O An issue was discovered in HddPassword in Insyde InsydeH2O with kernel 5.1 before 05.16.23, 5.2 before 05.26.23, 5.3 before 05.35.23, 5.4 before 05.43.22, and 5.5 before 05.51.22. | 7.2 |
2022-02-03 | CVE-2022-24031 | Insyde | Out-of-bounds Write vulnerability in Insyde Insydeh2O An issue was discovered in NvmExpressDxe in Insyde InsydeH2O with kernel 5.1 through 5.5. | 7.2 |
2022-02-03 | CVE-2022-24069 | Insyde | Unspecified vulnerability in Insyde Insydeh2O An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.0 before 05.08.41, 5.1 before 05.16.29, 5.2 before 05.26.29, 5.3 before 05.35.29, 5.4 before 05.43.29, and 5.5 before 05.51.29. | 7.2 |
2022-01-31 | CVE-2021-28962 | Stormshield | Unspecified vulnerability in Stormshield Network Security Stormshield Network Security (SNS) before 4.2.2 allows a read-only administrator to gain privileges via CLI commands. | 7.2 |
2022-02-04 | CVE-2021-32036 | Mongodb | Allocation of Resources Without Limits or Throttling vulnerability in Mongodb An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. | 7.1 |
210 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-02-03 | CVE-2021-33625 | Insyde Netapp Siemens | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products An issue was discovered in Kernel 5.x in Insyde InsydeH2O, affecting HddPassword. | 6.9 |
2022-02-03 | CVE-2022-24030 | Insyde | Out-of-bounds Write vulnerability in Insyde Insydeh2O An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.1 through 5.5. | 6.9 |
2022-02-03 | CVE-2020-5953 | Insyde Siemens | A vulnerability exists in System Management Interrupt (SWSMI) handler of InsydeH2O UEFI Firmware code located in SWSMI handler that dereferences gRT (EFI_RUNTIME_SERVICES) pointer to call a GetVariable service, which is located outside of SMRAM. | 6.9 |
2022-02-03 | CVE-2021-43522 | Insyde | Out-of-bounds Write vulnerability in Insyde Insydeh2O An issue was discovered in Insyde InsydeH2O with kernel 5.1 through 2021-11-08, 5.2 through 2021-11-08, and 5.3 through 2021-11-08. | 6.9 |
2022-02-04 | CVE-2021-21959 | Sealevel | Improper Certificate Validation vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34 A misconfiguration exists in the MQTTS functionality of Sealevel Systems, Inc. | 6.8 |
2022-02-04 | CVE-2021-21962 | Sealevel | Out-of-bounds Write vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34 A heap-based buffer overflow vulnerability exists in the OTA Update u-download functionality of Sealevel Systems, Inc. | 6.8 |
2022-02-04 | CVE-2021-28503 | Arista | Improper Authentication vulnerability in Arista EOS The impact of this vulnerability is that Arista's EOS eAPI may skip re-evaluating user credentials when certificate based authentication is used, which allows remote attackers to access the device via eAPI. | 6.8 |
2022-02-04 | CVE-2021-40420 | Foxit | Use After Free vulnerability in Foxit PDF Reader 11.1.0.52543 A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 11.1.0.52543. | 6.8 |
2022-02-04 | CVE-2022-0484 | Mirantis | Improper Input Validation vulnerability in Mirantis Container Cloud Lens Extension Lack of validation of URLs causes Mirantis Container Cloud Lens Extension before v3.1.1 to open external programs other than the default browser to perform sign on to a new cluster. | 6.8 |
2022-02-04 | CVE-2022-22150 | Foxit | Improper Handling of Exceptional Conditions vulnerability in Foxit PDF Reader 11.1.0.52543 A memory corruption vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 11.1.0.52543. | 6.8 |
2022-02-04 | CVE-2021-46398 | Filebrowser | Cross-Site Request Forgery (CSRF) vulnerability in Filebrowser A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. | 6.8 |
2022-02-02 | CVE-2021-39044 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Financial Transaction Manager 3.2.4 IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 6.8 |
2022-02-02 | CVE-2021-39070 | IBM | Unspecified vulnerability in IBM products IBM Security Verify Access 10.0.0.0, 10.0.1.0 and 10.0.2.0 with the advanced access control authentication service enabled could allow an attacker to authenticate as any user on the system. | 6.8 |
2022-02-01 | CVE-2021-24763 | Getperfectsurvey | Cross-Site Request Forgery (CSRF) vulnerability in Getperfectsurvey Perfect Survey The Perfect Survey WordPress plugin before 1.5.2 does not have proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings. | 6.8 |
2022-02-01 | CVE-2021-24814 | Welaunch | Cross-site Scripting vulnerability in Welaunch Wordpress Gdpr&Ccpa The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. | 6.8 |
2022-02-01 | CVE-2022-23601 | Sensiolabs | Cross-Site Request Forgery (CSRF) vulnerability in Sensiolabs Symfony Symfony is a PHP framework for web and console applications and a set of reusable PHP components. | 6.8 |
2022-02-04 | CVE-2021-22284 | ABB | Incorrect Permission Assignment for Critical Resource vulnerability in ABB OPC Server for AC 800M Incorrect Permission Assignment for Critical Resource vulnerability in OPC Server for AC 800M allows an attacker to execute arbitrary code in the node running the AC800M OPC Server. | 6.5 |
2022-02-04 | CVE-2021-38130 | Microfocus | Unspecified vulnerability in Microfocus Voltage Securemail A potential Information leakage vulnerability has been identified in versions of Micro Focus Voltage SecureMail Mail Relay prior to 7.3.0.1. | 6.5 |
2022-02-04 | CVE-2022-22689 | Broadcom | Improper Neutralization of Formula Elements in a CSV File vulnerability in Broadcom CA Harvest Software Change Manager CA Harvest Software Change Manager versions 13.0.3, 13.0.4, 14.0.0, and 14.0.1, contain a vulnerability in the CSV export functionality, due to insufficient input validation, that can allow a privileged user to potentially execute arbitrary code or commands. | 6.5 |
2022-02-04 | CVE-2022-23558 | Integer Overflow or Wraparound vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.5 | |
2022-02-04 | CVE-2022-23559 | Integer Overflow or Wraparound vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.5 | |
2022-02-04 | CVE-2022-23560 | Out-of-bounds Write vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.5 | |
2022-02-04 | CVE-2022-23561 | Out-of-bounds Write vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.5 | |
2022-02-04 | CVE-2022-23562 | Integer Overflow or Wraparound vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.5 | |
2022-02-04 | CVE-2022-23566 | Out-of-bounds Write vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.5 | |
2022-02-04 | CVE-2022-23572 | Reachable Assertion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.5 | |
2022-02-04 | CVE-2022-23573 | Use of Uninitialized Resource vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.5 | |
2022-02-04 | CVE-2022-23574 | Out-of-bounds Write vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.5 | |
2022-02-04 | CVE-2022-23580 | Improper Validation of Specified Quantity in Input vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.5 | |
2022-02-04 | CVE-2022-23583 | Type Confusion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.5 | |
2022-02-04 | CVE-2022-23330 | Jpress | Unspecified vulnerability in Jpress 4.2.0 A remote code execution (RCE) vulnerability in HelloWorldAddonController.java of jpress v4.2.0 allows attackers to execute arbitrary code via a crafted JAR package. | 6.5 |
2022-02-04 | CVE-2022-24262 | Voipmonitor | Unrestricted Upload of File with Dangerous Type vulnerability in Voipmonitor The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root. | 6.5 |
2022-02-03 | CVE-2022-21740 | Out-of-bounds Write vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.5 | |
2022-02-03 | CVE-2022-21726 | Out-of-bounds Read vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.5 | |
2022-02-03 | CVE-2022-21727 | Integer Overflow or Wraparound vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.5 | |
2022-02-03 | CVE-2022-23873 | Victor CMS Project | SQL Injection vulnerability in Victor CMS Project Victor CMS 1.0 Victor CMS v1.0 was discovered to contain a SQL injection vulnerability that allows attackers to inject arbitrary commands via 'user_firstname' parameter. | 6.5 |
2022-02-02 | CVE-2021-36193 | Fortinet | Out-of-bounds Write vulnerability in Fortinet Fortiweb Multiple stack-based buffer overflows in the command line interpreter of FortiWeb before 6.4.2 may allow an authenticated attacker to achieve arbitrary code execution via specially crafted commands. | 6.5 |
2022-02-02 | CVE-2021-39066 | IBM | Session Fixation vulnerability in IBM Financial Transaction Manager 3.2.4 IBM Financial Transaction Manager 3.2.4 does not invalidate session any existing session identifier gives an attacker the opportunity to steal authenticated sessions. | 6.5 |
2022-02-02 | CVE-2021-43073 | Fortinet | OS Command Injection vulnerability in Fortinet Fortiweb A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests. | 6.5 |
2022-02-01 | CVE-2022-24196 | Itextpdf | Allocation of Resources Without Limits or Throttling vulnerability in Itextpdf Itext iText v7.1.17, up to (exluding)": 7.1.18 and 7.2.2 was discovered to contain an out-of-memory error via the component readStreamBytesRaw, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. | 6.5 |
2022-02-01 | CVE-2022-24197 | Itextpdf | Out-of-bounds Write vulnerability in Itextpdf Itext iText v7.1.17 was discovered to contain a stack-based buffer overflow via the component ByteBuffer.append, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. | 6.5 |
2022-02-01 | CVE-2022-24198 | Itextpdf | Out-of-bounds Read vulnerability in Itextpdf Itext 7.1.17 iText v7.1.17 was discovered to contain an out-of-bounds exception via the component ARCFOUREncryption.encryptARCFOUR, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. | 6.5 |
2022-02-01 | CVE-2021-24761 | Bestwebsoft | Path Traversal vulnerability in Bestwebsoft Error LOG Viewer The Error Log Viewer WordPress plugin before 1.1.2 does not perform nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged in admin delete arbitrary text files on the web server. | 6.5 |
2022-02-01 | CVE-2021-24919 | Wickedplugins | SQL Injection vulnerability in Wickedplugins Wicked Folders The Wicked Folders WordPress plugin before 2.8.10 does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available to any authenticated user. | 6.5 |
2022-02-01 | CVE-2021-25092 | Ylefebvre | Cross-Site Request Forgery (CSRF) vulnerability in Ylefebvre Link Library The Link Library WordPress plugin before 7.2.8 does not have CSRF check when resetting library settings, allowing attackers to make a logged in admin reset arbitrary settings via a CSRF attack | 6.5 |
2022-02-01 | CVE-2021-25097 | Creativityjuice | Incorrect Authorization vulnerability in Creativityjuice Labtools 1.0 The LabTools WordPress plugin through 1.0 does not have proper authorisation and CSRF check in place when deleting publications, allowing any authenticated users, such as subscriber to delete arbitrary publication | 6.5 |
2022-02-01 | CVE-2021-41571 | Apache | Incorrect Authorization vulnerability in Apache Pulsar In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. | 6.5 |
2022-02-01 | CVE-2022-23607 | Twistedmatrix Debian | Forced Browsing vulnerability in multiple products treq is an HTTP library inspired by requests but written on top of Twisted's Agents. | 6.5 |
2022-01-31 | CVE-2021-44255 | Motioneye Project Motioneyeos Project | Missing Authentication for Critical Function vulnerability in multiple products Authenticated remote code execution in MotionEye <= 0.42.1 and MotioneEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious python pickle file which will execute arbitrary code on the server. | 6.5 |
2022-02-04 | CVE-2021-21965 | Sealevel | Improper Authentication vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34 A denial of service vulnerability exists in the SeaMax remote configuration functionality of Sealevel Systems, Inc. | 6.4 |
2022-02-04 | CVE-2022-23609 | Itunesrpc Remastered Project | Path Traversal vulnerability in Itunesrpc-Remastered Project Itunesrpc-Remastered iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows utility. | 6.4 |
2022-02-04 | CVE-2022-24129 | Shibboleth | Server-Side Request Forgery (SSRF) vulnerability in Shibboleth Oidc OP The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. | 6.4 |
2022-02-02 | CVE-2021-42640 | Printerlogic | Exposure of Resource to Wrong Sphere vulnerability in Printerlogic web Stack 19.1.1.13 PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to reassign drivers for any printer. | 6.4 |
2022-02-02 | CVE-2021-24043 | Out-of-bounds Read vulnerability in Whatsapp and Whatsapp Business A missing bound check in RTCP flag parsing code prior to WhatsApp for Android v2.21.23.2, WhatsApp Business for Android v2.21.23.2, WhatsApp for iOS v2.21.230.6, WhatsApp Business for iOS 2.21.230.7, and WhatsApp Desktop v2.2145.0 could have allowed an out-of-bounds heap read if a user sent a malformed RTCP packet during an established call. | 6.4 | |
2022-02-02 | CVE-2022-24301 | Minetest Debian | Incorrect Default Permissions vulnerability in multiple products In Minetest before 5.4.0, players can add or subtract items from a different player's inventory. | 6.4 |
2022-02-01 | CVE-2022-24218 | Elitecms | Unspecified vulnerability in Elitecms Elite CMS 1.0 An issue in /admin/delete_image.php of eliteCMS v1.0 allows attackers to delete arbitrary files. | 6.4 |
2022-02-04 | CVE-2021-40403 | Gerbv Project Fedoraproject Debian | Missing Initialization of a Variable vulnerability in multiple products An information disclosure vulnerability exists in the pick-and-place rotation parsing functionality of Gerbv 2.7.0 and dev (commit b5f1eacd), and Gerbv forked 2.8.0. | 6.3 |
2022-02-04 | CVE-2022-23563 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 6.3 | |
2022-02-03 | CVE-2022-22818 | Djangoproject Fedoraproject Debian | Cross-site Scripting vulnerability in multiple products The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. | 6.1 |
2022-02-01 | CVE-2021-25091 | Ylefebvre | Cross-site Scripting vulnerability in Ylefebvre Link Library The Link Library WordPress plugin before 7.2.9 does not sanitise and escape the settingscopy parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | 6.1 |
2022-02-01 | CVE-2022-0220 | Welaunch | Improper Encoding or Escaping of Output vulnerability in Welaunch Wordpress Gdpr&Ccpa The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. | 6.1 |
2022-02-01 | CVE-2022-23603 | Itunesrpc Remastered Project | Improper Encoding or Escaping of Output vulnerability in Itunesrpc-Remastered Project Itunesrpc-Remastered iTunesRPC-Remastered is a discord rich presence application for use with iTunes & Apple Music. | 6.1 |
2022-02-04 | CVE-2021-45408 | Seeddms | Open Redirect vulnerability in Seeddms 6.0.15 Open Redirect vulnerability exists in SeedDMS 6.0.15 in out.Login.php, which llows remote malicious users to redirect users to malicious sites using the "referuri" parameter. | 5.8 |
2022-02-02 | CVE-2020-26208 | Jhead Project | Out-of-bounds Write vulnerability in Jhead Project Jhead JHEAD is a simple command line tool for displaying and some manipulation of EXIF header data embedded in Jpeg images from digital cameras. | 5.8 |
2022-02-04 | CVE-2020-12966 | AMD | Information Exposure vulnerability in AMD products AMD EPYC™ Processors contain an information disclosure vulnerability in the Secure Encrypted Virtualization with Encrypted State (SEV-ES) and Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP). | 5.5 |
2022-02-04 | CVE-2021-4043 | Gpac Debian | NULL Pointer Dereference vulnerability in multiple products NULL Pointer Dereference in GitHub repository gpac/gpac prior to 1.1.0. | 5.5 |
2022-02-04 | CVE-2022-0264 | Linux | Improper Handling of Exceptional Conditions vulnerability in Linux Kernel A vulnerability was found in the Linux kernel's eBPF verifier when handling internal data structures. | 5.5 |
2022-02-04 | CVE-2022-23592 | Out-of-bounds Read vulnerability in Google Tensorflow 2.7.0/2.7.1 Tensorflow is an Open Source Machine Learning Framework. | 5.5 | |
2022-02-04 | CVE-2021-45429 | Virustotal | Classic Buffer Overflow vulnerability in Virustotal Yara A Buffer Overflow vulnerablity exists in VirusTotal YARA git commit: 605b2edf07ed8eb9a2c61ba22eb2e7c362f47ba7 via yr_set_configuration in yara/libyara/libyara.c, which could cause a Denial of Service. | 5.5 |
2022-02-04 | CVE-2022-24249 | Gpac | NULL Pointer Dereference vulnerability in Gpac A Null Pointer Dereference vulnerability exists in GPAC 1.1.0 via the xtra_box_write function in /box_code_base.c, which causes a Denial of Service. | 5.5 |
2022-02-04 | CVE-2021-43145 | Zammad | Unspecified vulnerability in Zammad 5.0.1 With certain LDAP configurations, Zammad 5.0.1 was found to be vulnerable to unauthorized access with existing user accounts. | 5.5 |
2022-02-03 | CVE-2022-21728 | Out-of-bounds Read vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 5.5 | |
2022-02-03 | CVE-2022-21730 | Out-of-bounds Read vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 5.5 | |
2022-02-01 | CVE-2022-0419 | Radare Fedoraproject | NULL Pointer Dereference vulnerability in multiple products NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.0. | 5.5 |
2022-02-01 | CVE-2021-46661 | Mariadb Fedoraproject | MariaDB through 10.5.9 allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE). | 5.5 |
2022-02-01 | CVE-2021-46663 | Mariadb Fedoraproject | MariaDB through 10.5.13 allows a ha_maria::extra application crash via certain SELECT statements. | 5.5 |
2022-02-01 | CVE-2021-46664 | Mariadb Fedoraproject | NULL Pointer Dereference vulnerability in multiple products MariaDB through 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr. | 5.5 |
2022-02-01 | CVE-2021-46665 | Mariadb Fedoraproject | MariaDB through 10.5.9 allows a sql_parse.cc application crash because of incorrect used_tables expectations. | 5.5 |
2022-02-01 | CVE-2021-46667 | Mariadb Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an application crash. | 5.5 |
2022-02-01 | CVE-2021-46668 | Mariadb Fedoraproject | Resource Exhaustion vulnerability in multiple products MariaDB through 10.5.9 allows an application crash via certain long SELECT DISTINCT statements that improperly interact with storage-engine resource limitations for temporary data structures. | 5.5 |
2022-01-31 | CVE-2022-0286 | Linux Oracle | NULL Pointer Dereference vulnerability in multiple products A flaw was found in the Linux kernel. | 5.5 |
2022-01-31 | CVE-2022-24130 | Invisible Island Debian Fedoraproject | Classic Buffer Overflow vulnerability in multiple products xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text. | 5.5 |
2022-02-04 | CVE-2022-22722 | Schneider Electric | Use of Hard-coded Credentials vulnerability in Schneider-Electric Easergy P5 Firmware A CWE-798: Use of Hard-coded Credentials vulnerability exists that could result in information disclosure. | 5.4 |
2022-01-31 | CVE-2020-36056 | Beetel | Cross-site Scripting vulnerability in Beetel 777Vr1 Firmware 01.00.0955 Beetel 777VR1-DI Hardware Version REV.1.01 Firmware Version V01.00.09_55 was discovered to contain a cross-site scripting (XSS) vulnerability via the Ping diagnostic option. | 5.4 |
2022-02-04 | CVE-2021-46671 | Atftp Project Debian | Out-of-bounds Read vulnerability in multiple products options.c in atftp before 0.7.5 reads past the end of an array, and consequently discloses server-side /etc/group data to a remote client. | 5.3 |
2022-02-04 | CVE-2021-44886 | Zammad | Unspecified vulnerability in Zammad 5.0.2 In Zammad 5.0.2, agents can configure "out of office" periods and substitute persons. | 5.3 |
2022-02-01 | CVE-2021-44746 | NEC | Unspecified vulnerability in NEC products UNIVERGE DT 820 V3.2.7.0 and prior, UNIVERGE DT 830 V5.2.7.0 and prior, UNIVERGE DT 930 V2.4.0.0 and prior, IP Phone Manager V8.9.1 and prior, Data Maintenance Tool for DT900 Series V5.3.0.0 and prior, Data Maintenance Tool for DT800 Series V4.2.0.0 and prior allows a remote attacker who can access to the internal network, the configuration information may be obtained. | 5.3 |
2022-02-01 | CVE-2022-23597 | Element | Use After Free vulnerability in Element Desktop Element Desktop is a Matrix client for desktop platforms with Element Web at its core. | 5.1 |
2022-02-06 | CVE-2022-22833 | Servisnet | Unspecified vulnerability in Servisnet Tessa 0.0.2 An issue was discovered in Servisnet Tessa 0.0.2. | 5.0 |
2022-02-06 | CVE-2007-20001 | Starwindsoftware | Resource Exhaustion vulnerability in Starwindsoftware Iscsi SAN A flaw was found in StarWind iSCSI target. | 5.0 |
2022-02-06 | CVE-2022-23206 | Apache | Server-Side Request Forgery (SSRF) vulnerability in Apache Traffic Control In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach. | 5.0 |
2022-02-04 | CVE-2021-22286 | ABB | Improper Input Validation vulnerability in ABB Pni800 Firmware and Spiet800 Firmware Improper Input Validation vulnerability in the ABB SPIET800 and PNI800 module allows an attacker to cause the denial of service or make the module unresponsive. | 5.0 |
2022-02-04 | CVE-2021-22288 | ABB | Improper Input Validation vulnerability in ABB Pni800 Firmware and Spiet800 Firmware Improper Input Validation vulnerability in the ABB SPIET800 and PNI800 module allows an attacker to cause the denial of service or make the module unresponsive. | 5.0 |
2022-02-04 | CVE-2021-38960 | IBM | Information Exposure vulnerability in IBM products IBM OPENBMC OP920, OP930, and OP940 could allow an unauthenticated user to obtain sensitive information. | 5.0 |
2022-02-04 | CVE-2022-22724 | Schneider Electric | Resource Exhaustion vulnerability in Schneider-Electric products A CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service on ports 80 (HTTP) and 502 (Modbus), when sending a large number of TCP RST or FIN packets to any open TCP port of the PLC. | 5.0 |
2022-02-04 | CVE-2022-23579 | Reachable Assertion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 5.0 | |
2022-02-04 | CVE-2022-23581 | Reachable Assertion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 5.0 | |
2022-02-04 | CVE-2022-23590 | Improper Check for Unusual or Exceptional Conditions vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 5.0 | |
2022-02-04 | CVE-2022-23593 | Improper Check for Unusual or Exceptional Conditions vulnerability in Google Tensorflow 2.7.0/2.7.1 Tensorflow is an Open Source Machine Learning Framework. | 5.0 | |
2022-02-04 | CVE-2021-29395 | Globalnorthstar | Path Traversal vulnerability in Globalnorthstar Northstar Club Management 6.3 Directory travesal in /northstar/filemanager/download.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to download arbitrary files, including JSP source code, across the filesystem of the host of the web application. | 5.0 |
2022-02-04 | CVE-2021-29397 | Globalnorthstar | Cleartext Transmission of Sensitive Information vulnerability in Globalnorthstar Northstar Club Management 6.3 Cleartext Transmission of Sensitive Information in /northstar/Admin/login.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote local user to intercept users credentials transmitted in cleartext over HTTP. | 5.0 |
2022-02-04 | CVE-2021-29398 | Globalnorthstar | Path Traversal vulnerability in Globalnorthstar Northstar Club Management 6.3 Directory traversal in /northstar/Common/NorthFileManager/fileManagerObjects.jsp Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to browse and list the directories across the entire filesystem of the host of the web application. | 5.0 |
2022-02-04 | CVE-2021-44977 | Idreamsoft | Path Traversal vulnerability in Idreamsoft Icms In iCMS <=8.0.0, a directory traversal vulnerability allows an attacker to read arbitrary files. | 5.0 |
2022-02-04 | CVE-2021-46320 | Openzeppelin | Improper Initialization vulnerability in Openzeppelin In OpenZeppelin <=v4.4.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. | 5.0 |
2022-02-04 | CVE-2021-45735 | Totolink | Cleartext Transmission of Sensitive Information vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102 TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to use the HTTP protocol for authentication into the admin interface, allowing attackers to intercept user credentials via packet capture software. | 5.0 |
2022-02-03 | CVE-2022-21741 | Divide By Zero vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 5.0 | |
2022-02-03 | CVE-2021-44866 | Projectworlds | SQL Injection vulnerability in Projectworlds Online Movie Ticket Booking System 1.0 An issue was discovered in Online-Movie-Ticket-Booking-System 1.0. | 5.0 |
2022-02-03 | CVE-2022-21733 | Integer Overflow or Wraparound vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 5.0 | |
2022-02-03 | CVE-2022-24121 | Unifiedoffice | SQL Injection vulnerability in Unifiedoffice Total Connect NOW SQL Injection vulnerability discovered in Unified Office Total Connect Now that would allow an attacker to extract sensitive information through a cookie parameter. | 5.0 |
2022-02-02 | CVE-2021-39021 | IBM | Information Exposure Through Discrepancy vulnerability in IBM Guardium Data Encryption 5.0.0.2 IBM Guardium Data Encryption (GDE) 5.0.0.2 behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which could facilitate username enumeration. | 5.0 |
2022-02-02 | CVE-2021-42633 | Printerlogic | SQL Injection vulnerability in Printerlogic web Stack 19.1.1.13 PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to SQL Injection, which may allow an attacker to access additional audit records. | 5.0 |
2022-02-02 | CVE-2021-42641 | Printerlogic | Exposure of Resource to Wrong Sphere vulnerability in Printerlogic web Stack 19.1.1.13 PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to disclose the username and email address of all users. | 5.0 |
2022-02-02 | CVE-2021-42642 | Printerlogic | Cleartext Storage of Sensitive Information vulnerability in Printerlogic web Stack 19.1.1.13 PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to disclose the plaintext console username and password for a printer. | 5.0 |
2022-02-02 | CVE-2022-22510 | Codesys | NULL Pointer Dereference vulnerability in Codesys Profinet 4.2.0.0 Codesys Profinet in version V4.2.0.0 is prone to null pointer dereference that allows a denial of service (DoS) attack of an unauthenticated user via SNMP. | 5.0 |
2022-02-01 | CVE-2021-24775 | Bplugins | Exposure of Resource to Wrong Sphere vulnerability in Bplugins Document Embedder The Document Embedder WordPress plugin before 1.7.5 contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts. | 5.0 |
2022-02-01 | CVE-2021-41040 | Eclipse | Out-of-bounds Read vulnerability in Eclipse Wakaama 1.0 In Eclipse Wakaama, ever since its inception until 2021-01-14, the CoAP parsing code does not properly sanitize network-received data. | 5.0 |
2022-02-01 | CVE-2022-23596 | Junrar Project | Infinite Loop vulnerability in Junrar Project Junrar Junrar is an open source java RAR archive library. | 5.0 |
2022-02-01 | CVE-2022-23774 | Docker | Unspecified vulnerability in Docker Desktop Docker Desktop before 4.4.4 on Windows allows attackers to move arbitrary files. | 5.0 |
2022-01-31 | CVE-2022-21659 | Flask Appbuilder Project | Information Exposure Through Discrepancy vulnerability in Flask-Appbuilder Project Flask-Appbuilder Flask-AppBuilder is an application development framework, built on top of the Flask web framework. | 5.0 |
2022-01-31 | CVE-2021-46459 | Victor CMS Project | SQL Injection vulnerability in Victor CMS Project Victor CMS 1.0 Victor CMS v1.0 was discovered to contain multiple SQL injection vulnerabilities in the component admin/users.php?source=add_user. | 5.0 |
2022-01-31 | CVE-2021-46458 | Victor CMS Project | SQL Injection vulnerability in Victor CMS Project Victor CMS 1.0 Victor CMS v1.0 was discovered to contain a SQL injection vulnerability in the component admin/posts.php?source=add_post. | 5.0 |
2022-01-31 | CVE-2020-36064 | Online Course Registration Project | Use of Hard-coded Credentials vulnerability in Online Course Registration Project Online Course Registration 1.0 Online Course Registration v1.0 was discovered to contain hardcoded credentials in the source code which allows attackers access to the control panel if compromised. | 5.0 |
2022-01-31 | CVE-2021-46101 | Gitforwindows | Unspecified vulnerability in Gitforwindows GIT In Git for windows through 2.34.1 when using git pull to update the local warehouse, git.cmd can be run directly. | 5.0 |
2022-02-04 | CVE-2018-25029 | Silabs | Unspecified vulnerability in Silabs products The Z-Wave specification requires that S2 security can be downgraded to S0 or other less secure protocols, allowing an attacker within radio range during pairing to downgrade and then exploit a different vulnerability (CVE-2013-20003) to intercept and spoof traffic. | 4.8 |
2022-02-01 | CVE-2021-24686 | Benbodhi | Cross-site Scripting vulnerability in Benbodhi SVG Support The SVG Support WordPress plugin before 2.3.20 does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 4.8 |
2022-01-31 | CVE-2022-23872 | Emlog | Cross-site Scripting vulnerability in Emlog 1.1.1 Emlog pro v1.1.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /admin/configure.php via the parameter footer_info. | 4.8 |
2022-01-31 | CVE-2021-44114 | Stock Management System Project | Cross-site Scripting vulnerability in Stock Management System Project Stock Management System 1.0 Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Stock Management System in PHP/OOP 1.0, which allows remote malicious users to execute arbitrary remote code execution via create user function. | 4.8 |
2022-02-04 | CVE-2021-29218 | HPE | Unquoted Search Path or Element vulnerability in HPE products A local unquoted search path security vulnerability has been identified in HPE Agentless Management Service for Windows version(s): Prior to 1.44.0.0, 10.96.0.0. | 4.6 |
2022-02-04 | CVE-2021-29219 | HPE | Classic Buffer Overflow vulnerability in HPE products A potential local buffer overflow vulnerability has been identified in HPE FlexNetwork 5130 EL Switch Series version: Prior to 5130_EI_7.10.R3507P02. | 4.6 |
2022-02-04 | CVE-2021-44204 | Acronis | Unspecified vulnerability in Acronis products Local privilege escalation via named pipe due to improper access control checks. | 4.6 |
2022-02-04 | CVE-2022-24113 | Acronis | Incorrect Default Permissions vulnerability in Acronis products Local privilege escalation due to excessive permissions assigned to child processes. | 4.6 |
2022-02-04 | CVE-2022-24115 | Acronis | Improper Verification of Cryptographic Signature vulnerability in Acronis Cyber Protect Home Office and True Image Local privilege escalation due to unrestricted loading of unsigned libraries. | 4.6 |
2022-02-04 | CVE-2021-44903 | MSI | Unspecified vulnerability in MSI Center PRO 2.0.16.0 Micro-Star International (MSI) Center Pro <= 2.0.16.0 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the atidgllk.sys, atillk64.sys, MODAPI.sys, NTIOLib.sys, NTIOLib_X64.sys, WinRing0.sys, WinRing0x64.sys drivers components. | 4.6 |
2022-02-04 | CVE-2021-44899 | MSI | Unspecified vulnerability in MSI Center 1.0.31.0 Micro-Star International (MSI) Center <= 1.0.31.0 is vulnerable to multiple Privilege Escalation vulnerabilities in the atidgllk.sys, atillk64.sys, MODAPI.sys, NTIOLib.sys, NTIOLib_X64.sys, WinRing0.sys, WinRing0x64.sys drivers components. | 4.6 |
2022-02-04 | CVE-2021-44900 | MSI | Unspecified vulnerability in MSI APP Player 4.280.1.6309 Micro-Star International (MSI) App Player <= 4.280.1.6309 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the NTIOLib_X64.sys and BstkDrv_msi2.sys drivers components. | 4.6 |
2022-02-04 | CVE-2021-44901 | MSI | Unspecified vulnerability in MSI Dragon Center Micro-Star International (MSI) Dragon Center <= 2.0.116.0 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the atidgllk.sys, atillk64.sys, MODAPI.sys, NTIOLib.sys, NTIOLib_X64.sys, WinRing0.sys, WinRing0x64.sys drivers components. | 4.6 |
2022-02-03 | CVE-2021-42113 | Insyde | Unspecified vulnerability in Insyde Insydeh2O An issue was discovered in StorageSecurityCommandDxe in Insyde InsydeH2O with Kernel 5.1 before 05.14.28, Kernel 5.2 before 05.24.28, and Kernel 5.3 before 05.32.25. | 4.6 |
2022-01-31 | CVE-2021-23521 | Juce | Link Following vulnerability in Juce This affects the package juce-framework/JUCE before 6.1.5. | 4.6 |
2022-02-04 | CVE-2020-12891 | AMD | Uncontrolled Search Path Element vulnerability in AMD Radeon PRO Software and Radeon Software AMD Radeon Software may be vulnerable to DLL Hijacking through path variable. | 4.4 |
2022-02-04 | CVE-2021-44205 | Acronis | Uncontrolled Search Path Element vulnerability in Acronis Cyber Protect Home Office and True Image Local privilege escalation due to DLL hijacking vulnerability. | 4.4 |
2022-02-04 | CVE-2021-44206 | Acronis | Uncontrolled Search Path Element vulnerability in Acronis Cyber Protect Home Office and True Image Local privilege escalation due to DLL hijacking vulnerability in Acronis Media Builder service. | 4.4 |
2022-02-04 | CVE-2022-24114 | Acronis | Race Condition vulnerability in Acronis Cyber Protect Home Office and True Image Local privilege escalation due to race condition on application startup. | 4.4 |
2022-02-05 | CVE-2022-0501 | Beanstalk Console Project | Cross-site Scripting vulnerability in Beanstalk Console Project Beanstalk Console Cross-site Scripting (XSS) - Reflected in Packagist ptrofimov/beanstalk_console prior to 1.7.12. | 4.3 |
2022-02-05 | CVE-2022-0437 | Karma Project | Cross-site Scripting vulnerability in Karma Project Karma Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14. | 4.3 |
2022-02-04 | CVE-2021-21963 | Sealevel | Missing Encryption of Sensitive Data vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34 An information disclosure vulnerability exists in the Web Server functionality of Sealevel Systems, Inc. | 4.3 |
2022-02-04 | CVE-2021-21971 | Sealevel | Out-of-bounds Write vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34 An out-of-bounds write vulnerability exists in the URL_decode functionality of Sealevel Systems, Inc. | 4.3 |
2022-02-04 | CVE-2021-32732 | Xwiki | Cross-Site Request Forgery (CSRF) vulnerability in Xwiki ### Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which username(s) is actually tied to that email by forging a request to the Forgot username page. | 4.3 |
2022-02-04 | CVE-2022-0218 | Codemiq | Cross-site Scripting vulnerability in Codemiq Wordpress Email Template Designer The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. | 4.3 |
2022-02-04 | CVE-2022-0380 | Fotobook Project | Cross-site Scripting vulnerability in Fotobook Project Fotobook The Fotobook WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping and the use of $_SERVER['PHP_SELF'] found in the ~/options-fotobook.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 3.2.3. | 4.3 |
2022-02-04 | CVE-2022-0381 | Embed Swagger Project | Cross-site Scripting vulnerability in Embed Swagger Project Embed Swagger 1.0.0 The Embed Swagger WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping/sanitization and validation via the url parameter found in the ~/swagger-iframe.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 1.0.0. | 4.3 |
2022-02-04 | CVE-2022-23980 | YET Another Stars Rating Project | Cross-site Scripting vulnerability in YET Another Stars Rating Project YET Another Stars Rating Cross-Site Scripting (XSS) vulnerability discovered in Yasr – Yet Another Stars Rating WordPress plugin (versions <= 2.9.9), vulnerable at parameter 'source'. | 4.3 |
2022-02-04 | CVE-2021-43635 | Codex Project | Cross-site Scripting vulnerability in Codex Project Codex A Cross Site Scripting (XSS) vulnerability exists in Codex before 1.4.0 via Notebook/Page name field, which allows malicious users to execute arbitrary code via a crafted http code in a .json file. | 4.3 |
2022-02-02 | CVE-2022-0432 | Joinmastodon | Unspecified vulnerability in Joinmastodon Mastodon Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0. | 4.3 |
2022-02-02 | CVE-2021-42639 | Printerlogic | Cross-site Scripting vulnerability in Printerlogic web Stack 19.1.1.13 PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to multiple reflected cross site scripting vulnerabilities. | 4.3 |
2022-02-02 | CVE-2021-43062 | Fortinet | Cross-site Scripting vulnerability in Fortinet Fortimail A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiMail version 7.0.1 and 7.0.0, version 6.4.5 and below, version 6.3.7 and below, version 6.0.11 and below allows attacker to execute unauthorized code or commands via crafted HTTP GET requests to the FortiGuard URI protection service. | 4.3 |
2022-02-01 | CVE-2021-38560 | Ivanti | Cross-site Scripting vulnerability in Ivanti Service Manager 2021.1 Ivanti Service Manager 2021.1 allows reflected XSS via the appName parameter associated with ConfigDB calls, such as in RelocateAttachments.aspx. | 4.3 |
2022-02-01 | CVE-2021-24648 | Metagauss | Cross-site Scripting vulnerability in Metagauss Registrationmagic The RegistrationMagic WordPress plugin before 5.0.1.9 does not sanitise and escape the rm_search_value parameter before outputting back in an attribute, leading to a Reflected Cross-Site Scripting | 4.3 |
2022-02-01 | CVE-2021-24764 | Getperfectsurvey | Cross-site Scripting vulnerability in Getperfectsurvey Perfect Survey The Perfect Survey WordPress plugin before 1.5.2 does not sanitise and escape multiple parameters (id and filters[session_id] of single_statistics page, type and message of importexport page) before outputting them back in pages/attributes in the admin dashboard, leading to Reflected Cross-Site Scripting issues | 4.3 |
2022-02-01 | CVE-2021-24765 | Getperfectsurvey | Cross-site Scripting vulnerability in Getperfectsurvey Perfect Survey The Perfect Survey WordPress plugin through 1.5.2 does not validate and escape the X-Forwarded-For header value before outputting it in the statistic page when the Anonymize IP setting of a survey is turned off, leading to a Stored Cross-Site Scripting issue | 4.3 |
2022-02-01 | CVE-2021-24926 | Domaincheckplugin | Cross-site Scripting vulnerability in Domaincheckplugin Domain Check The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue | 4.3 |
2022-02-01 | CVE-2021-24934 | Yellowpencil | Cross-site Scripting vulnerability in Yellowpencil Visual CSS Style Editor The Visual CSS Style Editor WordPress plugin before 7.5.4 does not sanitise and escape the wyp_page_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue | 4.3 |
2022-02-01 | CVE-2021-24937 | Asset Cleanup | Cross-site Scripting vulnerability in Asset Cleanup: Page Speed Booster Project Asset Cleanup: Page Speed Booster The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not escape the wpacu_selected_sub_tab_area parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue | 4.3 |
2022-02-01 | CVE-2021-24975 | Nextscripts | Cross-site Scripting vulnerability in Nextscripts Social Networks Auto Poster The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.24 does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue | 4.3 |
2022-02-01 | CVE-2021-24983 | Asset Cleanup | Cross-site Scripting vulnerability in Asset Cleanup: Page Speed Booster Project Asset Cleanup: Page Speed Booster The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not sanitise and escape POSted parameters sent to the wpassetcleanup_fetch_active_plugins_icons AJAX action (available to admin users), leading to a Reflected Cross-Site Scripting issue | 4.3 |
2022-02-01 | CVE-2021-25063 | Cf7Skins | Cross-site Scripting vulnerability in Cf7Skins Contact Form 7 Skins 2.5.0 The Skins for Contact Form 7 WordPress plugin before 2.5.1 does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | 4.3 |
2022-02-01 | CVE-2021-25072 | Nextscripts | Cross-Site Request Forgery (CSRF) vulnerability in Nextscripts Social Networks Auto Poster The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.25 does not have CSRF check in place when deleting items, allowing attacker to make a logged in admin delete arbitrary posts via a CSRF attack | 4.3 |
2022-02-01 | CVE-2021-25085 | Pluginus | Cross-site Scripting vulnerability in Pluginus Woocommerce products Filter The WOOF WordPress plugin before 1.2.6.3 does not sanitise and escape the woof_redraw_elements before outputing back in an admin page, leading to a Reflected Cross-Site Scripting | 4.3 |
2022-02-01 | CVE-2021-25089 | Updraftplus | Cross-site Scripting vulnerability in Updraftplus The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.69 does not sanitise and escape the updraft_restore parameter before outputting it back in the Restore page, leading to a Reflected Cross-Site Scripting | 4.3 |
2022-02-01 | CVE-2021-43848 | Dena | Use of Uninitialized Resource vulnerability in Dena H2O h2o is an open source http server. | 4.3 |
2022-02-01 | CVE-2021-45416 | Rosariosis | Cross-site Scripting vulnerability in Rosariosis 8.2.1 Reflected Cross-site scripting (XSS) vulnerability in RosarioSIS 8.2.1 allows attackers to inject arbitrary HTML via the search_term parameter in the modules/Scheduling/Courses.php script. | 4.3 |
2022-02-01 | CVE-2022-21687 | Github | Improper Input Validation vulnerability in Github Gh-Ost gh-ost is a triggerless online schema migration solution for MySQL. | 4.3 |
2022-01-31 | CVE-2022-0414 | Dolibarr | Improper Validation of Specified Quantity in Input vulnerability in Dolibarr Erp/Crm Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to 16.0. | 4.3 |
2022-02-04 | CVE-2022-22726 | Schneider Electric | Improper Input Validation vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert A CWE-20: Improper Input Validation vulnerability exists that could allow arbitrary files on the server to be read by authenticated users through a limited operating system service account. | 4.0 |
2022-02-04 | CVE-2022-22939 | Vmware | Information Exposure Through Log Files vulnerability in VMWare Cloud Foundation VMware Cloud Foundation contains an information disclosure vulnerability due to logging of credentials in plain-text within multiple log files on the SDDC Manager. | 4.0 |
2022-02-04 | CVE-2022-23557 | Divide By Zero vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23564 | Reachable Assertion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23565 | Reachable Assertion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23570 | Reachable Assertion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23571 | Reachable Assertion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23575 | Integer Overflow or Wraparound vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23576 | Integer Overflow or Wraparound vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23577 | NULL Pointer Dereference vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23578 | Memory Leak vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23582 | Reachable Assertion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23584 | Use After Free vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23585 | Memory Leak vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23586 | Reachable Assertion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23588 | Reachable Assertion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23589 | NULL Pointer Dereference vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2022-23595 | NULL Pointer Dereference vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-04 | CVE-2021-29394 | Globalnorthstar | Incorrect Authorization vulnerability in Globalnorthstar Northstar Club Management 6.3 Account Hijacking in /northstar/Admin/changePassword.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote authenticated users to change the password of any targeted user accounts via lack of proper authorization in the user-controlled "userID" parameter of the HTTP POST request. | 4.0 |
2022-02-04 | CVE-2021-44983 | Taogogo | Files or Directories Accessible to External Parties vulnerability in Taogogo Taocms 3.0.1 In taocms 3.0.1 after logging in to the background, there is an Arbitrary file download vulnerability at the File Management column. | 4.0 |
2022-02-04 | CVE-2022-23316 | Taogogo | Files or Directories Accessible to External Parties vulnerability in Taogogo Taocms 3.0.2 An issue was discovered in taoCMS v3.0.2. | 4.0 |
2022-02-03 | CVE-2022-21737 | Improper Check for Unusual or Exceptional Conditions vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-03 | CVE-2022-21738 | Integer Overflow or Wraparound vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-03 | CVE-2022-21739 | NULL Pointer Dereference vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-03 | CVE-2022-21725 | Divide By Zero vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-03 | CVE-2022-21729 | Integer Overflow or Wraparound vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-03 | CVE-2022-21734 | Type Confusion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-03 | CVE-2022-21735 | Divide By Zero vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-03 | CVE-2022-23569 | Reachable Assertion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-03 | CVE-2022-21731 | Type Confusion vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-03 | CVE-2022-21732 | Allocation of Resources Without Limits or Throttling vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-03 | CVE-2022-21736 | NULL Pointer Dereference vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-03 | CVE-2022-23567 | Integer Overflow or Wraparound vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-03 | CVE-2022-23568 | Integer Overflow or Wraparound vulnerability in Google Tensorflow Tensorflow is an Open Source Machine Learning Framework. | 4.0 | |
2022-02-01 | CVE-2021-44451 | Apache | Insufficiently Protected Credentials vulnerability in Apache Superset Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. | 4.0 |
2022-02-01 | CVE-2021-24868 | Bplugins | Exposure of Resource to Wrong Sphere vulnerability in Bplugins Document Embedder The Document Embedder WordPress plugin before 1.7.9 contains a AJAX action endpoint, which could allow any authenticated user, such as subscriber to enumerate the title of arbitrary private and draft posts. | 4.0 |
2022-01-31 | CVE-2021-40042 | Huawei | Release of Invalid Pointer or Reference vulnerability in Huawei products There is a release of invalid pointer vulnerability in some Huawei products, successful exploit may cause the process and service abnormal. | 4.0 |
2022-01-31 | CVE-2022-23409 | Ethercreative | Path Traversal vulnerability in Ethercreative Logs The Logs plugin before 3.0.4 for Craft CMS allows remote attackers to read arbitrary files via input to actionStream in Controller.php. | 4.0 |
22 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-02-04 | CVE-2022-23805 | Trendmicro | Out-of-bounds Read vulnerability in Trendmicro Worry-Free Business Security 10.0 A security out-of-bounds read information disclosure vulnerability in Trend Micro Worry-Free Business Security Server could allow a local attacker to send garbage data to a specific named pipe and crash the server. | 3.6 |
2022-02-06 | CVE-2022-0502 | Livehelperchat | Cross-site Scripting vulnerability in Livehelperchat Live Helper Chat Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v. | 3.5 |
2022-02-04 | CVE-2021-43841 | Xwiki | Cross-site Scripting vulnerability in Xwiki XWiki is a generic wiki platform offering runtime services for applications built on top of it. | 3.5 |
2022-02-04 | CVE-2022-0472 | Laracom Project | Unrestricted Upload of File with Dangerous Type vulnerability in Laracom Project Laracom Unrestricted Upload of File with Dangerous Type in Packagist jsdecena/laracom prior to v2.0.9. | 3.5 |
2022-02-04 | CVE-2022-22804 | Schneider Electric | Cross-site Scripting vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow an authenticated attacker to view data, change settings, or impact availability of the software when the user visits a page containing the injected payload. | 3.5 |
2022-02-04 | CVE-2022-23600 | Fleetdm | Improper Authentication vulnerability in Fleetdm Fleet fleet is an open source device management, built on osquery. | 3.5 |
2022-02-03 | CVE-2022-23871 | Gibbonedu | Cross-site Scripting vulnerability in Gibbonedu Gibbon 22.0.01 Multiple cross-site scripting (XSS) vulnerabilities in the component outcomes_addProcess.php of Gibbon CMS v22.0.01 allow attackers to execute arbitrary web scripts or HTML via a crafted payload insterted into the name, category, description parameters. | 3.5 |
2022-02-01 | CVE-2021-24707 | ND Learning Project | Cross-site Scripting vulnerability in Nd-Learning Project Nd-Learning The Learning Courses WordPress plugin before 5.0 does not sanitise and escape the Email PDT identity token settings, which could allow high privilege users to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2022-02-01 | CVE-2021-24900 | Wpmanageninja | Cross-site Scripting vulnerability in Wpmanageninja Ninja Tables The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2022-02-01 | CVE-2021-24944 | Cusmin | Cross-site Scripting vulnerability in Cusmin Absolutely Glamorous Custom Admin The Custom Dashboard & Login Page WordPress plugin before 7.0 does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2022-02-01 | CVE-2021-46253 | Anchorcms | Cross-site Scripting vulnerability in Anchorcms Anchor CMS 0.12.7 A cross-site scripting (XSS) vulnerability in the Create Post function of Anchor CMS v0.12.7 allows attackers to execute arbitrary web scripts or HTML. | 3.5 |
2022-02-01 | CVE-2020-8562 | Kubernetes | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Kubernetes As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. | 3.5 |
2022-02-04 | CVE-2022-24448 | Linux Debian | Use of Uninitialized Resource vulnerability in multiple products An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. | 3.3 |
2022-02-02 | CVE-2021-36177 | Fortinet | Unspecified vulnerability in Fortinet Fortiauthenticator An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6.3.2 and below, 6.2.x, 6.1.x, 6.0.x may allow an attacker on the same vlan as the HA management interface to make an unauthenticated direct connection to the FAC's database. | 3.3 |
2022-02-04 | CVE-2021-36151 | Apache | Information Exposure vulnerability in Apache Gobblin In Apache Gobblin, the Hadoop token is written to a temp file that is visible to all local users on Unix-like systems. | 2.1 |
2022-02-04 | CVE-2022-0317 | Improper Input Validation vulnerability in Google Go-Attestation An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. | 2.1 | |
2022-02-04 | CVE-2022-0487 | Linux Redhat Debian | Use After Free vulnerability in multiple products A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel. | 2.1 |
2022-02-04 | CVE-2022-23594 | Out-of-bounds Write vulnerability in Google Tensorflow 2.7.0 Tensorflow is an Open Source Machine Learning Framework. | 2.1 | |
2022-02-04 | CVE-2022-23605 | Wire | Improper Cross-boundary Removal of Sensitive Data vulnerability in Wire Wire-Webapp Wire webapp is a web client for the wire messaging protocol. | 2.1 |
2022-02-01 | CVE-2021-46662 | Mariadb | Unspecified vulnerability in Mariadb MariaDB through 10.5.9 allows a set_var.cc application crash via certain uses of an UPDATE statement in conjunction with a nested subquery. | 2.1 |
2022-02-01 | CVE-2021-46666 | Mariadb | Reachable Assertion vulnerability in Mariadb MariaDB before 10.6.2 allows an application crash because of mishandling of a pushdown from a HAVING clause to a WHERE clause. | 2.1 |
2022-01-31 | CVE-2021-40033 | Huawei | Unspecified vulnerability in Huawei products There is an information exposure vulnerability on several Huawei Products. | 2.1 |