Weekly Vulnerabilities Reports > January 31 to February 6, 2022

Overview

408 new vulnerabilities were reported during this period, including 22 critical vulnerabilities and 135 high severity vulnerabilities. This weekly summary reports vulnerabilities in 497 products from 156 vendors, including Google, Tenda, Fedoraproject, Tendacn, and Debian. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "Command Injection", "SQL Injection", and "NULL Pointer Dereference".

  • 345 reported vulnerabilities are remotely exploitable.
  • 4 reported vulnerabilities have a public exploit available.
  • 131 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 309 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 57 reported vulnerabilities.
  • Dlink has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:

22 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-02-06 CVE-2022-22832 Servisnet Improper Privilege Management vulnerability in Servisnet Tessa 0.0.2

An issue was discovered in Servisnet Tessa 0.0.2.

10.0
2022-02-06 CVE-2022-24552 Starwindsoftware Command Injection vulnerability in Starwindsoftware NAS and SAN

A flaw was found in the REST API in StarWind Stack.

10.0
2022-02-04 CVE-2022-0365 Riconmobile OS Command Injection vulnerability in Riconmobile S9922L Firmware and S9922Xl Firmware

The affected product is vulnerable to an authenticated OS command injection, which may allow an attacker to inject and execute arbitrary shell commands as the Admin (root) user.

10.0
2022-02-04 CVE-2021-29393 Globalnorthstar OS Command Injection vulnerability in Globalnorthstar Northstar Club Management 6.3

Remote Code Execution in cominput.jsp and comoutput.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to inject and execute arbitrary system commands via the unsanitized user-controlled "command" and "commandvalues" parameters.

10.0
2022-02-04 CVE-2022-24260 Voipmonitor SQL Injection vulnerability in Voipmonitor

A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.

10.0
2022-02-04 CVE-2021-44880 Dlink Command Injection vulnerability in Dlink Dir-878 Firmware and Dir-882 Firmware

D-Link devices DIR_878 DIR_878_FW1.30B08_Hotfix_02 and DIR_882 DIR_882_FW1.30B06_Hotfix_02 were discovered to contain a command injection vulnerability in the system function.

10.0
2022-02-04 CVE-2021-44881 Dlink Command Injection vulnerability in Dlink Dir-882 Firmware 1.10B04/1.20B06/1.30B06

D-Link device DIR_882 DIR_882_FW1.30B06_Hotfix_02 was discovered to contain a command injection vulnerability in the twsystem function.

10.0
2022-02-04 CVE-2021-44882 Dlink Command Injection vulnerability in Dlink Dir-878 Firmware

D-Link device DIR_878_FW1.30B08_Hotfix_02 was discovered to contain a command injection vulnerability in the twsystem function.

10.0
2022-02-04 CVE-2021-45733 Totolink Command Injection vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function NTPSyncWithHost.

10.0
2022-02-04 CVE-2021-45738 Totolink Command Injection vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function UploadFirmwareFile.

10.0
2022-02-04 CVE-2021-45742 Totolink Command Injection vulnerability in Totolink A720R Firmware 4.1.5Cu.470B20200911

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a command injection vulnerability in the "Main" function.

10.0
2022-02-02 CVE-2022-21724 Postgresql, Fedoraproject, Quarkus, Debian Improper Initialization vulnerability in multiple products

pgjdbc is the official PostgreSQL JDBC Driver.

9.8
2022-02-04 CVE-2022-22727 Schneider Electric Improper Input Validation vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert

A CWE-20: Improper Input Validation vulnerability exists that could allow an unauthenticated attacker to view data, change settings, impact availability of the software, or potentially impact a user's local machine when the user clicks a specially crafted link.

9.3
2022-02-01 CVE-2021-42638 Printerlogic Command Injection vulnerability in Printerlogic web Stack 19.1.1.13

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below do not sanitize user input resulting in pre-auth remote code execution.

9.3
2022-01-31 CVE-2021-42631 Printerlogic Deserialization of Untrusted Data vulnerability in Printerlogic Virtual Appliance and web Stack

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below deserialize attacker-controlled data, leading to pre-auth remote code execution.

9.3
2022-01-31 CVE-2021-42635 Printerlogic Use of Hard-coded Credentials vulnerability in Printerlogic web Stack 19.1.1.13

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below use a hardcoded APP_KEY value, leading to pre-auth remote code execution.

9.3
2022-02-03 CVE-2022-23357 Mozilo Path Traversal vulnerability in Mozilo Mozilocms 2.0

mozilo2.0 was discovered to be vulnerable to directory traversal attacks via the parameter curent_dir.

9.1
2022-02-06 CVE-2021-39280 Korenix Unspecified vulnerability in Korenix products

Certain Korenix JetWave devices allow authenticated users to execute arbitrary code as root via /syscmd.asp.

9.0
2022-02-06 CVE-2022-24551 Starwindsoftware Improper Authentication vulnerability in Starwindsoftware NAS and SAN

A flaw was found in StarWind Stack.

9.0
2022-02-02 CVE-2022-22509 Phoenixcontact Improper Privilege Management vulnerability in Phoenixcontact products

In Phoenix Contact FL SWITCH Series 2xxx in version 3.00, an incorrect privilege assignment allows a low-privileged user to enable full access to the device configuration.

9.0
2022-02-02 CVE-2021-41018 Fortinet OS Command Injection vulnerability in Fortinet Fortiweb

An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests.

9.0
2022-02-02 CVE-2021-41016 Fortinet OS Command Injection vulnerability in Fortinet Fortiextender Firmware

An improper neutralization of special elements used in a command ('command injection') in Fortinet FortiExtender version 7.0.1 and below, 4.2.3 and below, 4.1.7 and below allows an authenticated attacker to execute privileged shell commands via CLI commands including special characters.

9.0

135 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-02-04 CVE-2021-40401 Gerbv Project, Fedoraproject Use After Free vulnerability in multiple products

A use-after-free vulnerability exists in the RS-274X aperture definition tokenization functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and Gerbv forked 2.7.1.

8.6
2022-02-02 CVE-2021-42753 Fortinet Path Traversal vulnerability in Fortinet Fortiweb

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb management interface 6.4.1 and below, 6.3.15 and below, 6.2.x, 6.1.x, 6.0.x, 5.9.x and 5.8.x may allow an authenticated attacker to perform an arbitrary file and directory deletion in the device filesystem.

8.5
2022-02-04 CVE-2021-21968 Sealevel Improper Input Validation vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34

A file write vulnerability exists in the OTA update task functionality of Sealevel Systems, Inc.

8.3
2022-02-04 CVE-2022-22723 Schneider Electric Classic Buffer Overflow vulnerability in Schneider-Electric Easergy P5 Firmware

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could lead to a buffer overflow causing program crashes and arbitrary code execution when specially crafted packets are sent to the device over the network.

8.3
2022-02-04 CVE-2022-22725 Schneider Electric Classic Buffer Overflow vulnerability in Schneider-Electric Easergy P3 Firmware

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could lead to a buffer overflow causing program crashes and arbitrary code execution when specially crafted packets are sent to the device over the network.

8.3
2022-02-04 CVE-2021-21969 Sealevel Out-of-bounds Write vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34

An out-of-bounds write vulnerability exists in the HandleSeaCloudMessage functionality of Sealevel Systems, Inc.

8.1
2022-02-04 CVE-2021-21970 Sealevel Out-of-bounds Write vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34

An out-of-bounds write vulnerability exists in the HandleSeaCloudMessage functionality of Sealevel Systems, Inc.

8.1
2022-02-04 CVE-2013-20003 Silabs Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Silabs products

Z-Wave devices from Sierra Designs (circa 2013) and Silicon Labs (using S0 security) may use a known, shared network key of all zeros, allowing an attacker within radio range to spoof Z-Wave traffic.

7.9
2022-02-04 CVE-2022-0481 Mruby NULL Pointer Dereference vulnerability in Mruby

NULL Pointer Dereference in Homebrew mruby prior to 3.2.

7.8
2022-02-04 CVE-2021-44246 Totolink Out-of-bounds Write vulnerability in Totolink A3100R Firmware, A720R Firmware and A830R Firmware

Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain a stack overflow in the function setNoticeCfg.

7.8
2022-02-04 CVE-2021-45734 Totolink Out-of-bounds Write vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setUrlFilterRules.

7.8
2022-02-04 CVE-2021-45736 Totolink Out-of-bounds Write vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setL2tpServerCfg.

7.8
2022-02-04 CVE-2021-45737 Totolink Out-of-bounds Write vulnerability in Totolink A720R Firmware 4.1.5Cu.470B20200911

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function.

7.8
2022-02-04 CVE-2021-45739 Totolink Out-of-bounds Write vulnerability in Totolink A720R Firmware 4.1.5Cu.470B20200911

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function.

7.8
2022-02-04 CVE-2021-45741 Totolink Out-of-bounds Write vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setIpv6Cfg.

7.8
2022-02-04 CVE-2021-45988 Tendacn Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formAddDnsForward.

7.8
2022-02-04 CVE-2021-45989 Tendacn Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function guestWifiRuleRefresh.

7.8
2022-02-04 CVE-2021-45991 Tendacn Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formAddVpnUsers.

7.8
2022-02-04 CVE-2021-45992 Tendacn Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetQvlanList.

7.8
2022-02-04 CVE-2021-45993 Tendacn Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formIPMacBindModify.

7.8
2022-02-04 CVE-2021-45994 Tendacn Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formDelDhcpRule.

7.8
2022-02-04 CVE-2021-45995 Tendacn Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetStaticRoute.

7.8
2022-02-04 CVE-2021-45996 Tendacn Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetPortMapping.

7.8
2022-02-04 CVE-2021-45997 Tendacn Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetPortMapping.

7.8
2022-02-04 CVE-2022-24142 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetFirewallCfg.

7.8
2022-02-04 CVE-2022-24143 Tenda Out-of-bounds Write vulnerability in Tenda Ax12 Firmware and AX3 Firmware

Tenda AX3 v16.03.12.10_CN and AX12 22.03.01.2_CN were discovered to contain a stack overflow in the function form_fast_setting_wifi_set.

7.8
2022-02-04 CVE-2022-24145 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formWifiBasicSet.

7.8
2022-02-04 CVE-2022-24146 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetQosBand.

7.8
2022-02-04 CVE-2022-24147 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromAdvSetMacMtuWan.

7.8
2022-02-04 CVE-2022-24149 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetWirelessRepeat.

7.8
2022-02-04 CVE-2022-24151 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetWifiGusetBasic.

7.8
2022-02-04 CVE-2022-24152 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetRouteStatic.

7.8
2022-02-04 CVE-2022-24153 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formAddMacfilterRule.

7.8
2022-02-04 CVE-2022-24154 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetRebootTimer.

7.8
2022-02-04 CVE-2022-24155 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a heap overflow in the function setSchedWifi.

7.8
2022-02-04 CVE-2022-24156 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetVirtualSer.

7.8
2022-02-04 CVE-2022-24157 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetMacFilterCfg.

7.8
2022-02-04 CVE-2022-24158 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetIpMacBind.

7.8
2022-02-04 CVE-2022-24159 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetPPTPServer.

7.8
2022-02-04 CVE-2022-24160 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetDeviceName.

7.8
2022-02-04 CVE-2022-24161 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a heap overflow in the function GetParentControlInfo.

7.8
2022-02-04 CVE-2022-24162 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function saveParentControlInfo.

7.8
2022-02-04 CVE-2022-24163 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetSysTime.

7.8
2022-02-04 CVE-2022-24164 Tendacn Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetVirtualSer.

7.8
2022-02-04 CVE-2022-24166 Tendacn Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetSysTime.

7.8
2022-02-04 CVE-2022-24169 Tendacn Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formIPMacBindAdd.

7.8
2022-02-04 CVE-2022-24172 Tendacn Out-of-bounds Write vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formAddDhcpBindRule.

7.8
2022-02-02 CVE-2022-0443 VIM, Fedoraproject, Debian Use After Free vulnerability in multiple products

Use After Free in GitHub repository vim/vim prior to 8.2.

7.8
2022-02-01 CVE-2022-0417 VIM, Fedoraproject, Debian Heap-based Buffer Overflow vulnerability in multiple products

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

7.8
2022-01-31 CVE-2022-24264 Cuppacms SQL Injection vulnerability in Cuppacms 1.0

Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the search_word parameter.

7.8
2022-01-31 CVE-2022-24265 Cuppacms SQL Injection vulnerability in Cuppacms 1.0

Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the path=component/menu/&menu_filter=3 parameter.

7.8
2022-01-31 CVE-2022-24266 Cuppacms SQL Injection vulnerability in Cuppacms 1.0

Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the order_by parameter.

7.8
2022-01-31 CVE-2021-27971 Alpsalpine Unspecified vulnerability in Alpsalpine Touchpad Driver 10.3201.101.215

Alps Alpine Touchpad Driver 10.3201.101.215 is vulnerable to DLL Injection.

7.8
2022-01-31 CVE-2021-34805 Land Software Path Traversal vulnerability in Land-Software Faust Iserver

An issue was discovered in FAUST iServer before 9.0.019.019.7.

7.8
2022-02-06 CVE-2013-20004 Starwindsoftware Resource Exhaustion vulnerability in Starwindsoftware Iscsi SAN

A flaw was found in StarWind iSCSI target.

7.5
2022-02-06 CVE-2021-41816 Ruby Lang, Fedoraproject Integer Overflow or Wraparound vulnerability in multiple products

CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes.

7.5
2022-02-06 CVE-2022-22831 Servisnet Improper Authentication vulnerability in Servisnet Tessa 0.0.2

An issue was discovered in Servisnet Tessa 0.0.2.

7.5
2022-02-05 CVE-2021-38172 Debian Classic Buffer Overflow vulnerability in Debian Perm 0.4.0

perM 0.4.0 has a Buffer Overflow related to strncpy.

7.5
2022-02-04 CVE-2021-21960 Sealevel Out-of-bounds Write vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34

A stack-based buffer overflow vulnerability exists in both the LLMNR functionality of Sealevel Systems, Inc.

7.5
2022-02-04 CVE-2021-21961 Sealevel Out-of-bounds Write vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34

A stack-based buffer overflow vulnerability exists in the NBNS functionality of Sealevel Systems, Inc.

7.5
2022-02-04 CVE-2021-36152 Apache Unspecified vulnerability in Apache Gobblin

Apache Gobblin trusts all certificates used for LDAP connections in Gobblin-as-a-Service.

7.5
2022-02-04 CVE-2021-44779 GWA Autoresponder Project SQL Injection vulnerability in [Gwa] Autoresponder Project [Gwa] Autoresponder 2.3

Unauthenticated SQL Injection (SQLi) vulnerability discovered in [GWA] AutoResponder WordPress plugin (versions <= 2.3), vulnerable at (&listid).

7.5
2022-02-04 CVE-2022-22987 Advantech Use of Hard-coded Credentials vulnerability in Advantech Adam-3600 Firmware 2.6.2

The affected product has a hardcoded private key available inside the project folder, which may allow an attacker to achieve Web Server login and perform further actions.

7.5
2022-02-04 CVE-2022-23379 Emlog SQL Injection vulnerability in Emlog 6.0.0

Emlog v6.0 was discovered to contain a SQL injection vulnerability via the $TagID parameter of getblogidsfromtagid().

7.5
2022-02-04 CVE-2022-23587 Google Integer Overflow or Wraparound vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

7.5
2022-02-04 CVE-2022-23611 Itunesrpc Remastered Project OS Command Injection vulnerability in Itunesrpc-Remastered Project Itunesrpc-Remastered

iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows utility.

7.5
2022-02-04 CVE-2022-23614 Symfony, Fedoraproject, Debian Injection vulnerability in multiple products

Twig is an open source template language for PHP.

7.5
2022-02-04 CVE-2022-23329 Ujcms Unrestricted Upload of File with Dangerous Type vulnerability in Ujcms Jspxcms 10.2.0

A vulnerability in ${"freemarker.template.utility.Execute"?new() of UJCMS Jspxcms v10.2.0 allows attackers to execute arbitrary commands via uploading malicious files.

7.5
2022-02-04 CVE-2021-23470 Putil Merge Project Unspecified vulnerability in Putil-Merge Project Putil-Merge

This affects the package putil-merge before 3.8.0.

7.5
2022-02-04 CVE-2021-23497 SET Project Unspecified vulnerability in SET Project SET 1.0.0/1.0.1

This affects the package @strikeentco/set before 1.0.2.

7.5
2022-02-04 CVE-2021-23507 Skratchdot Unspecified vulnerability in Skratchdot Object-Path-Set

The package object-path-set before 1.0.2 is vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it.

7.5
2022-02-04 CVE-2021-29396 Globalnorthstar Incorrect Permission Assignment for Critical Resource vulnerability in Globalnorthstar Northstar Club Management 6.3

Systemic Insecure Permissions in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to use various functionalities without authentication.

7.5
2022-02-04 CVE-2022-24259 Voipmonitor Improper Authentication vulnerability in Voipmonitor

An incorrect check in the component cdr.php of Voipmonitor GUI before v24.96 allows unauthenticated attackers to escalate privileges via a crafted request.

7.5
2022-02-04 CVE-2021-44978 Idreamsoft Code Injection vulnerability in Idreamsoft Icms

iCMS <= 8.0.0 allows users to add and render a custom template, which has an SSTI vulnerability that causes remote code execution.

7.5
2022-02-04 CVE-2021-44247 Totolink Command Injection vulnerability in Totolink A3100R Firmware, A720R Firmware and A830R Firmware

Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain a command injection vulnerability in the function setNoticeCfg.

7.5
2022-02-04 CVE-2021-45740 Totolink Out-of-bounds Write vulnerability in Totolink A720R Firmware 4.1.5Cu.470B20200911

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the setWiFiWpsStart function.

7.5
2022-02-04 CVE-2021-45986 Tendacn OS Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetUSBShareInfo.

7.5
2022-02-04 CVE-2021-45987 Tendacn OS Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetNetCheckTools.

7.5
2022-02-04 CVE-2021-45990 Tendacn Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function uploadPicture.

7.5
2022-02-04 CVE-2021-45998 Dlink Command Injection vulnerability in Dlink Dir-882 Firmware 1.10B04/1.30B06

D-Link device DIR_882 DIR_882_FW1.30B06_Hotfix_02 was discovered to contain a command injection vulnerability in the LocalIPAddress parameter.

7.5
2022-02-04 CVE-2021-46226 Dlink Command Injection vulnerability in Dlink Di-7200Gv2 Firmware

D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function wget_test.asp.

7.5
2022-02-04 CVE-2021-46227 Dlink Command Injection vulnerability in Dlink Di-7200Gv2 Firmware

D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function proxy_client.asp.

7.5
2022-02-04 CVE-2021-46228 Dlink Command Injection vulnerability in Dlink Di-7200Gv2 Firmware

D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function httpd_debug.asp.

7.5
2022-02-04 CVE-2021-46229 Dlink Command Injection vulnerability in Dlink Di-7200Gv2 Firmware

D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function usb_paswd.asp.

7.5
2022-02-04 CVE-2021-46230 Dlink Command Injection vulnerability in Dlink Di-7200Gv2 Firmware

D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function upgrade_filter.

7.5
2022-02-04 CVE-2021-46231 Dlink Command Injection vulnerability in Dlink Di-7200Gv2 Firmware

D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function urlrd_opt.asp.

7.5
2022-02-04 CVE-2021-46232 Dlink Command Injection vulnerability in Dlink Di-7200Gv2 Firmware

D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function version_upgrade.asp.

7.5
2022-02-04 CVE-2021-46233 Dlink Command Injection vulnerability in Dlink Di-7200Gv2 Firmware

D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function msp_info.htm.

7.5
2022-02-04 CVE-2021-46452 Dlink Command Injection vulnerability in Dlink Dir-823 PRO Firmware

D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetNetworkTomographySettings.

7.5
2022-02-04 CVE-2021-46453 Dlink Command Injection vulnerability in Dlink Dir-823 PRO Firmware

D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetStaticRouteSettings.

7.5
2022-02-04 CVE-2021-46454 Dlink Command Injection vulnerability in Dlink Dir-823 PRO Firmware

D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetWLanApcliSettings.

7.5
2022-02-04 CVE-2021-46455 Dlink Command Injection vulnerability in Dlink Dir-823 PRO Firmware

D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetStationSettings.

7.5
2022-02-04 CVE-2021-46456 Dlink Command Injection vulnerability in Dlink Dir-823 PRO Firmware

D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetWLanACLSettings.

7.5
2022-02-04 CVE-2021-46457 Dlink Command Injection vulnerability in Dlink Dir-823 PRO Firmware

D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function ChgSambaUserSettings.

7.5
2022-02-04 CVE-2022-24144 Tenda Command Injection vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a command injection vulnerability in the function WanParameterSetting.

7.5
2022-02-04 CVE-2022-24148 Tenda Command Injection vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a command injection vulnerability in the function mDMZSetCfg.

7.5
2022-02-04 CVE-2022-24150 Tenda Command Injection vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a command injection vulnerability in the function formSetSafeWanWebMan.

7.5
2022-02-04 CVE-2022-24165 Tendacn Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetQvlanList.

7.5
2022-02-04 CVE-2022-24167 Tendacn Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetDMZ.

7.5
2022-02-04 CVE-2022-24168 Tendacn Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetIpGroup.

7.5
2022-02-04 CVE-2022-24170 Tendacn Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetIpSecTunnel.

7.5
2022-02-04 CVE-2022-24171 Tendacn Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetPppoeServer.

7.5
2022-02-03 CVE-2022-24307 Joinmastodon Incorrect Authorization vulnerability in Joinmastodon Mastodon

Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities.

7.5
2022-02-03 CVE-2022-23833 Djangoproject, Fedoraproject, Debian Infinite Loop vulnerability in multiple products

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2.

7.5
2022-02-02 CVE-2021-42637 Printerlogic Server-Side Request Forgery (SSRF) vulnerability in Printerlogic web Stack 19.1.1.13

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below use user-controlled input to craft a URL, resulting in a Server Side Request Forgery (SSRF) vulnerability.

7.5
2022-02-02 CVE-2022-24300 Minetest, Debian Injection vulnerability in multiple products

Minetest before 5.4.0 allows attackers to add or modify arbitrary meta fields of the same item stack as saved user input, aka ItemStack meta injection.

7.5
2022-02-01 CVE-2021-46093 Elitecms Incorrect Default Permissions vulnerability in Elitecms Elite CMS 1.0

eliteCMS v1.0 is vulnerable to Insecure Permissions via manage_uploads.php.

7.5
2022-02-01 CVE-2022-24219 Elitecms SQL Injection vulnerability in Elitecms Elite CMS 1.0

eliteCMS v1.0 was discovered to contain a SQL injection vulnerability via /admin/edit_page.php.

7.5
2022-02-01 CVE-2022-24220 Elitecms SQL Injection vulnerability in Elitecms Elite CMS 1.0

eliteCMS v1.0 was discovered to contain a SQL injection vulnerability via /admin/edit_post.php.

7.5
2022-02-01 CVE-2022-24221 Elitecms SQL Injection vulnerability in Elitecms Elite CMS 1.0

eliteCMS v1.0 was discovered to contain a SQL injection vulnerability via /admin/functions/functions.php.

7.5
2022-02-01 CVE-2022-24222 Elitecms SQL Injection vulnerability in Elitecms Elite CMS 1.0

eliteCMS v1.0 was discovered to contain a SQL injection vulnerability via /admin/edit_user.php.

7.5
2022-02-01 CVE-2022-24223 Thedigitalcraft SQL Injection vulnerability in Thedigitalcraft Atomcms 2.0

AtomCMS v2.0 was discovered to contain a SQL injection vulnerability via /admin/login.php.

7.5
2022-02-01 CVE-2021-43509 Simple Client Management System Project SQL Injection vulnerability in Simple Client Management System Project Simple Client Management System 1.0

SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the id parameter in view-service.php.

7.5
2022-02-01 CVE-2021-43510 Simple Client Management System Project SQL Injection vulnerability in Simple Client Management System Project Simple Client Management System 1.0

SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the username field in login.php.

7.5
2022-02-01 CVE-2021-24762 Getperfectsurvey SQL Injection vulnerability in Getperfectsurvey Perfect Survey

The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.

7.5
2022-02-01 CVE-2022-0320 Wpdeveloper Path Traversal vulnerability in Wpdeveloper Essential Addons for Elementor

The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before using them in include statements, which could allow unauthenticated attackers to perform a Local File Inclusion attack and read arbitrary files on the server. This could also lead to RCE via user-uploaded files or other LFI-to-RCE techniques.

7.5
2022-02-01 CVE-2022-0401 W ZIP Project Path Traversal vulnerability in W-Zip Project W-Zip

Path Traversal in NPM w-zip prior to 1.0.12.

7.5
2022-02-01 CVE-2021-46669 Mariadb
Fedoraproject
Debian
Use After Free vulnerability in multiple products

MariaDB through 10.5.9 allows attackers to trigger a convert_const_to_int use-after-free when the BIGINT data type is used.

7.5
2022-01-31 CVE-2022-24263 Hospital Management System Project SQL Injection vulnerability in Hospital Management System Project Hospital Management System 4.0

Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-master/func.php via the email parameter.

7.5
2022-01-31 CVE-2021-31617 Stormshield Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Stormshield Network Security

In ASQ in Stormshield Network Security (SNS) 1.0.0 through 2.7.8, 2.8.0 through 2.16.0, 3.0.0 through 3.7.20, 3.8.0 through 3.11.8, and 4.0.1 through 4.2.2, mishandling of memory management can lead to remote code execution.

7.5
2022-01-31 CVE-2021-23520 Juce Path Traversal vulnerability in Juce

The package juce-framework/juce before 6.1.5 is vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the ZipFile::uncompressEntry function in juce_ZipFile.cpp.

7.5
2022-02-04 CVE-2021-21964 Sealevel Missing Authentication for Critical Function vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34

A denial of service vulnerability exists in the Modbus configuration functionality of Sealevel Systems, Inc.

7.4
2022-02-04 CVE-2021-4154 Linux
Redhat
Netapp
Use After Free vulnerability in multiple products

A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser.

7.2
2022-02-03 CVE-2021-33627 Insyde
Siemens
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

An issue was discovered in Insyde InsydeH2O 5.x, affecting FwBlockServiceSmm.

7.2
2022-02-03 CVE-2021-41837 Insyde
Siemens
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

An issue was discovered in AhciBusDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O.

7.2
2022-02-03 CVE-2021-41838 Insyde
Siemens
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

An issue was discovered in SdHostDriver in the kernel 5.0 through 5.5 in Insyde InsydeH2O.

7.2
2022-02-03 CVE-2021-41840 Insyde Allocation of Resources Without Limits or Throttling vulnerability in Insyde Insydeh2O

An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O.

7.2
2022-02-03 CVE-2021-41841 Insyde Inclusion of Functionality from Untrusted Control Sphere vulnerability in Insyde Insydeh2O

An issue was discovered in AhciBusDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O.

7.2
2022-02-03 CVE-2021-42059 Insyde
Siemens
Out-of-bounds Write vulnerability in multiple products

An issue was discovered in Insyde InsydeH2O Kernel 5.0 before 05.08.41, Kernel 5.1 before 05.16.41, Kernel 5.2 before 05.26.41, Kernel 5.3 before 05.35.41, and Kernel 5.4 before 05.42.20.

7.2
2022-02-03 CVE-2021-42060 Insyde Unspecified vulnerability in Insyde Insydeh2O

An issue was discovered in Insyde InsydeH2O Kernel 5.0 through 05.08.41, Kernel 5.1 through 05.16.41, Kernel 5.2 before 05.23.22, and Kernel 5.3 before 05.32.22.

7.2
2022-02-03 CVE-2021-42554 Insyde
Siemens
Out-of-bounds Write vulnerability in multiple products

An issue was discovered in Insyde InsydeH2O with Kernel 5.0 before 05.08.42, Kernel 5.1 before 05.16.42, Kernel 5.2 before 05.26.42, Kernel 5.3 before 05.35.42, Kernel 5.4 before 05.42.51, and Kernel 5.5 before 05.50.51.

7.2
2022-02-03 CVE-2021-43323 Insyde Unspecified vulnerability in Insyde Insydeh2O

An issue was discovered in UsbCoreDxe in Insyde InsydeH2O with kernel 5.5 before 05.51.45, 5.4 before 05.43.45, 5.3 before 05.35.45, 5.2 before 05.26.45, 5.1 before 05.16.45, and 5.0 before 05.08.45.

7.2
2022-02-03 CVE-2021-43615 Insyde Out-of-bounds Write vulnerability in Insyde Insydeh2O

An issue was discovered in HddPassword in Insyde InsydeH2O with kernel 5.1 before 05.16.23, 5.2 before 05.26.23, 5.3 before 05.35.23, 5.4 before 05.43.22, and 5.5 before 05.51.22.

7.2
2022-02-03 CVE-2022-24031 Insyde Out-of-bounds Write vulnerability in Insyde Insydeh2O

An issue was discovered in NvmExpressDxe in Insyde InsydeH2O with kernel 5.1 through 5.5.

7.2
2022-02-03 CVE-2022-24069 Insyde Unspecified vulnerability in Insyde Insydeh2O

An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.0 before 05.08.41, 5.1 before 05.16.29, 5.2 before 05.26.29, 5.3 before 05.35.29, 5.4 before 05.43.29, and 5.5 before 05.51.29.

7.2

218 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-02-03 CVE-2021-33625 Insyde
Netapp
Siemens
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

An issue was discovered in Kernel 5.x in Insyde InsydeH2O, affecting HddPassword.

6.9
2022-02-03 CVE-2022-24030 Insyde Out-of-bounds Write vulnerability in Insyde Insydeh2O

An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.1 through 5.5.

6.9
2022-02-03 CVE-2020-5953 Insyde
Siemens

A vulnerability exists in the System Management Interrupt (SWSMI) handler of InsydeH2O UEFI firmware: code located in the SWSMI handler dereferences the gRT (EFI_RUNTIME_SERVICES) pointer to call a GetVariable service, which is located outside of SMRAM.

6.9
2022-02-03 CVE-2021-43522 Insyde Out-of-bounds Write vulnerability in Insyde Insydeh2O

An issue was discovered in Insyde InsydeH2O with kernel 5.1 through 2021-11-08, 5.2 through 2021-11-08, and 5.3 through 2021-11-08.

6.9
2022-02-04 CVE-2020-7534 Schneider Electric Cross-Site Request Forgery (CSRF) vulnerability in Schneider-Electric products

A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists on the web server used, that could cause a leak of sensitive data or unauthorized actions on the web server during the time the user is logged in.

6.8
2022-02-04 CVE-2021-21959 Sealevel Improper Certificate Validation vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34

A misconfiguration exists in the MQTTS functionality of Sealevel Systems, Inc.

6.8
2022-02-04 CVE-2021-21962 Sealevel Out-of-bounds Write vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34

A heap-based buffer overflow vulnerability exists in the OTA Update u-download functionality of Sealevel Systems, Inc.

6.8
2022-02-04 CVE-2021-28503 Arista Improper Authentication vulnerability in Arista EOS

The impact of this vulnerability is that Arista's EOS eAPI may skip re-evaluating user credentials when certificate based authentication is used, which allows remote attackers to access the device via eAPI.

6.8
2022-02-04 CVE-2021-40420 Foxit Use After Free vulnerability in Foxit PDF Reader 11.1.0.52543

A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 11.1.0.52543.

6.8
2022-02-04 CVE-2022-0484 Mirantis Improper Input Validation vulnerability in Mirantis Container Cloud Lens Extension

Lack of validation of URLs causes Mirantis Container Cloud Lens Extension before v3.1.1 to open external programs other than the default browser to perform sign on to a new cluster.

6.8
2022-02-04 CVE-2022-22150 Foxit Improper Handling of Exceptional Conditions vulnerability in Foxit PDF Reader 11.1.0.52543

A memory corruption vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 11.1.0.52543.

6.8
2022-02-04 CVE-2022-23946 Kicad
Fedoraproject
Debian
Stack-based Buffer Overflow vulnerability in multiple products

A stack-based buffer overflow vulnerability exists in the Gerber Viewer gerber and excellon GCodeNumber parsing functionality of KiCad EDA 6.0.1 and master commit de006fc010.

6.8
2022-02-04 CVE-2022-23947 Kicad
Fedoraproject
Debian
Stack-based Buffer Overflow vulnerability in multiple products

A stack-based buffer overflow vulnerability exists in the Gerber Viewer gerber and excellon DCodeNumber parsing functionality of KiCad EDA 6.0.1 and master commit de006fc010.

6.8
2022-02-04 CVE-2021-46398 Filebrowser Cross-Site Request Forgery (CSRF) vulnerability in Filebrowser

A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim.

6.8
2022-02-03 CVE-2021-45268 Backdropcms Cross-Site Request Forgery (CSRF) vulnerability in Backdropcms Backdrop 1.20.0

** DISPUTED ** A Cross-Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows remote attackers to gain Remote Code Execution (RCE) on the hosting web server by uploading a malicious add-on with a crafted PHP file.

6.8
2022-02-02 CVE-2021-39044 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Financial Transaction Manager 3.2.4

IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

6.8
2022-02-02 CVE-2021-39070 IBM Unspecified vulnerability in IBM products

IBM Security Verify Access 10.0.0.0, 10.0.1.0 and 10.0.2.0 with the advanced access control authentication service enabled could allow an attacker to authenticate as any user on the system.

6.8
2022-02-01 CVE-2021-24763 Getperfectsurvey Cross-Site Request Forgery (CSRF) vulnerability in Getperfectsurvey Perfect Survey

The Perfect Survey WordPress plugin before 1.5.2 does not have proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings.

6.8
2022-02-01 CVE-2021-24814 Welaunch Cross-site Scripting vulnerability in Welaunch Wordpress Gdpr&Ccpa

The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type.

6.8
2022-02-01 CVE-2022-23601 Sensiolabs Cross-Site Request Forgery (CSRF) vulnerability in Sensiolabs Symfony

Symfony is a PHP framework for web and console applications and a set of reusable PHP components.

6.8
2022-02-04 CVE-2021-22284 ABB Incorrect Permission Assignment for Critical Resource vulnerability in ABB OPC Server for AC 800M

Incorrect Permission Assignment for Critical Resource vulnerability in OPC Server for AC 800M allows an attacker to execute arbitrary code in the node running the AC800M OPC Server.

6.5
2022-02-04 CVE-2022-22689 Broadcom Improper Neutralization of Formula Elements in a CSV File vulnerability in Broadcom CA Harvest Software Change Manager

CA Harvest Software Change Manager versions 13.0.3, 13.0.4, 14.0.0, and 14.0.1, contain a vulnerability in the CSV export functionality, due to insufficient input validation, that can allow a privileged user to potentially execute arbitrary code or commands.

6.5
2022-02-04 CVE-2022-23558 Google Integer Overflow or Wraparound vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

6.5
2022-02-04 CVE-2022-23559 Google Integer Overflow or Wraparound vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

6.5
2022-02-04 CVE-2022-23560 Google Out-of-bounds Write vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

6.5
2022-02-04 CVE-2022-23561 Google Out-of-bounds Write vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

6.5
2022-02-04 CVE-2022-23562 Google Integer Overflow or Wraparound vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

6.5
2022-02-04 CVE-2022-23566 Google Out-of-bounds Write vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

6.5
2022-02-04 CVE-2022-23573 Google Use of Uninitialized Resource vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

6.5
2022-02-04 CVE-2022-23574 Google Out-of-bounds Write vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

6.5
2022-02-04 CVE-2022-23330 Jpress Unspecified vulnerability in Jpress 4.2.0

A remote code execution (RCE) vulnerability in HelloWorldAddonController.java of jpress v4.2.0 allows attackers to execute arbitrary code via a crafted JAR package.

6.5
2022-02-04 CVE-2022-24262 Voipmonitor Unrestricted Upload of File with Dangerous Type vulnerability in Voipmonitor

The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root.

6.5
2022-02-03 CVE-2022-21740 Google Out-of-bounds Write vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

6.5
2022-02-03 CVE-2022-21726 Google Out-of-bounds Read vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

6.5
2022-02-03 CVE-2022-21727 Google Integer Overflow or Wraparound vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

6.5
2022-02-03 CVE-2022-23873 Victor CMS Project SQL Injection vulnerability in Victor CMS Project Victor CMS 1.0

Victor CMS v1.0 was discovered to contain a SQL injection vulnerability that allows attackers to inject arbitrary commands via the 'user_firstname' parameter.

6.5
2022-02-02 CVE-2021-36193 Fortinet Out-of-bounds Write vulnerability in Fortinet Fortiweb

Multiple stack-based buffer overflows in the command line interpreter of FortiWeb before 6.4.2 may allow an authenticated attacker to achieve arbitrary code execution via specially crafted commands.

6.5
2022-02-02 CVE-2021-39066 IBM Session Fixation vulnerability in IBM Financial Transaction Manager 3.2.4

IBM Financial Transaction Manager 3.2.4 does not invalidate any existing session identifier, which gives an attacker the opportunity to steal authenticated sessions.

6.5
2022-02-02 CVE-2022-0366 Capsule8 Improper Authentication vulnerability in Capsule8

An authenticated and authorized agent user could potentially gain administrative access via an SQLi vulnerability to Capsule8 Console between versions 4.6.0 and 4.9.1.

6.5
2022-02-02 CVE-2021-43073 Fortinet OS Command Injection vulnerability in Fortinet Fortiweb

An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests.

6.5
2022-02-01 CVE-2022-24198 Itextpdf Out-of-bounds Read vulnerability in Itextpdf Itext 7.1.17

** DISPUTED ** iText v7.1.17 was discovered to contain an out-of-bounds exception via the component ARCFOUREncryption.encryptARCFOUR, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

6.5
2022-02-01 CVE-2021-24761 Bestwebsoft Path Traversal vulnerability in Bestwebsoft Error LOG Viewer

The Error Log Viewer WordPress plugin before 1.1.2 does not perform a nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged-in admin delete arbitrary text files on the web server.

6.5
2022-02-01 CVE-2021-24919 Wickedplugins SQL Injection vulnerability in Wickedplugins Wicked Folders

The Wicked Folders WordPress plugin before 2.8.10 does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available to any authenticated user.

6.5
2022-02-01 CVE-2021-25097 Creativityjuice Incorrect Authorization vulnerability in Creativityjuice Labtools 1.0

The LabTools WordPress plugin through 1.0 does not have proper authorisation and CSRF checks in place when deleting publications, allowing any authenticated user, such as a subscriber, to delete arbitrary publications.

6.5
2022-01-31 CVE-2021-28962 Stormshield Unspecified vulnerability in Stormshield Network Security

Stormshield Network Security (SNS) before 4.2.2 allows a read-only administrator to gain privileges via CLI commands.

6.5
2022-01-31 CVE-2021-44255 Motioneye Project
Motioneyeos Project
Missing Authentication for Critical Function vulnerability in multiple products

Authenticated remote code execution in MotionEye <= 0.42.1 and MotionEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious Python pickle file which will execute arbitrary code on the server.

6.5
2022-02-04 CVE-2021-21965 Sealevel Improper Authentication vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34

A denial of service vulnerability exists in the SeaMax remote configuration functionality of Sealevel Systems, Inc.

6.4
2022-02-04 CVE-2022-23609 Itunesrpc Remastered Project Path Traversal vulnerability in Itunesrpc-Remastered Project Itunesrpc-Remastered

iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows utility.

6.4
2022-02-04 CVE-2022-24129 Shibboleth Server-Side Request Forgery (SSRF) vulnerability in Shibboleth Oidc OP

The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter.

6.4
2022-02-02 CVE-2021-42640 Printerlogic Exposure of Resource to Wrong Sphere vulnerability in Printerlogic web Stack 19.1.1.13

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to reassign drivers for any printer.

6.4
2022-02-02 CVE-2021-24043 Whatsapp Out-of-bounds Read vulnerability in Whatsapp and Whatsapp Business

A missing bound check in RTCP flag parsing code prior to WhatsApp for Android v2.21.23.2, WhatsApp Business for Android v2.21.23.2, WhatsApp for iOS v2.21.230.6, WhatsApp Business for iOS 2.21.230.7, and WhatsApp Desktop v2.2145.0 could have allowed an out-of-bounds heap read if a user sent a malformed RTCP packet during an established call.

6.4
2022-02-02 CVE-2022-24301 Minetest
Debian
Incorrect Default Permissions vulnerability in multiple products

In Minetest before 5.4.0, players can add or subtract items from a different player's inventory.

6.4
2022-02-01 CVE-2022-24218 Elitecms Unspecified vulnerability in Elitecms Elite CMS 1.0

An issue in /admin/delete_image.php of eliteCMS v1.0 allows attackers to delete arbitrary files.

6.4
2022-02-03 CVE-2022-22818 Djangoproject
Fedoraproject
Debian
Cross-site Scripting vulnerability in multiple products

The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context.

6.1
2022-02-04 CVE-2021-45408 Seeddms Open Redirect vulnerability in Seeddms 6.0.15

An Open Redirect vulnerability exists in SeedDMS 6.0.15 in out.Login.php, which allows remote malicious users to redirect users to malicious sites using the "referuri" parameter.

5.8
2022-02-02 CVE-2022-21817 Nvidia Exposure of Resource to Wrong Sphere vulnerability in Nvidia Omniverse Launcher

NVIDIA Omniverse Launcher contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can get a user to browse a malicious site, to acquire access tokens allowing them to access resources in other security domains, which may lead to code execution, escalation of privileges, and impact to confidentiality and integrity.

5.8
2022-02-02 CVE-2020-26208 Jhead Project Out-of-bounds Write vulnerability in Jhead Project Jhead

JHEAD is a simple command line tool for displaying and some manipulation of EXIF header data embedded in Jpeg images from digital cameras.

5.8
2022-01-31 CVE-2021-45079 Strongswan
Debian
Fedoraproject
Canonical
NULL Pointer Dereference vulnerability in multiple products

In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.

5.8
2022-02-04 CVE-2020-12966 AMD Information Exposure vulnerability in AMD products

AMD EPYC™ Processors contain an information disclosure vulnerability in the Secure Encrypted Virtualization with Encrypted State (SEV-ES) and Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP).

5.5
2022-02-04 CVE-2021-32036 Mongodb Allocation of Resources Without Limits or Throttling vulnerability in Mongodb

An authenticated user without any specific authorizations may be able to repeatedly invoke the features command, which at a high volume may lead to resource depletion or generate high lock contention.

5.5
2022-02-04 CVE-2022-0264 Linux Improper Handling of Exceptional Conditions vulnerability in Linux Kernel

A vulnerability was found in the Linux kernel's eBPF verifier when handling internal data structures.

5.5
2022-02-04 CVE-2022-23592 Google Out-of-bounds Read vulnerability in Google Tensorflow 2.7.0/2.7.1

Tensorflow is an Open Source Machine Learning Framework.

5.5
2022-02-04 CVE-2021-43145 Zammad Unspecified vulnerability in Zammad 5.0.1

With certain LDAP configurations, Zammad 5.0.1 was found to be vulnerable to unauthorized access with existing user accounts.

5.5
2022-02-03 CVE-2022-21728 Google Out-of-bounds Read vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

5.5
2022-02-03 CVE-2022-21730 Google Out-of-bounds Read vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

5.5
2022-02-01 CVE-2022-23602 NIM Lang Improper Authentication vulnerability in Nim-Lang Docutils and Nimforum

Nimforum is a lightweight alternative to Discourse written in Nim.

5.5
2022-02-04 CVE-2022-22722 Schneider Electric Use of Hard-coded Credentials vulnerability in Schneider-Electric Easergy P5 Firmware

A CWE-798: Use of Hard-coded Credentials vulnerability exists that could result in information disclosure.

5.4
2022-01-31 CVE-2020-36056 Beetel Cross-site Scripting vulnerability in Beetel 777Vr1 Firmware 01.00.0955

Beetel 777VR1-DI Hardware Version REV.1.01 Firmware Version V01.00.09_55 was discovered to contain a cross-site scripting (XSS) vulnerability via the Ping diagnostic option.

5.4
2022-02-04 CVE-2021-46671 Atftp Project
Debian
Out-of-bounds Read vulnerability in multiple products

options.c in atftp before 0.7.5 reads past the end of an array, and consequently discloses server-side /etc/group data to a remote client.

5.3
2022-02-01 CVE-2022-23597 Element Use After Free vulnerability in Element Desktop

Element Desktop is a Matrix client for desktop platforms with Element Web at its core.

5.1
2022-02-06 CVE-2022-22833 Servisnet Unspecified vulnerability in Servisnet Tessa 0.0.2

An issue was discovered in Servisnet Tessa 0.0.2.

5.0
2022-02-06 CVE-2007-20001 Starwindsoftware Resource Exhaustion vulnerability in Starwindsoftware Iscsi SAN

A flaw was found in StarWind iSCSI target.

5.0
2022-02-06 CVE-2022-23206 Apache Server-Side Request Forgery (SSRF) vulnerability in Apache Traffic Control

In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.

5.0
2022-02-04 CVE-2020-12965 AMD Injection vulnerability in AMD products

When combined with specific software sequences, AMD CPUs may transiently execute non-canonical loads and stores using only the lower 48 address bits, potentially resulting in data leakage.

5.0
2022-02-04 CVE-2021-22285 ABB Improper Handling of Exceptional Conditions vulnerability in ABB Pni800 Firmware and Spiet800 Firmware

Improper Handling of Exceptional Conditions, Improper Check for Unusual or Exceptional Conditions vulnerability in the ABB SPIET800 and PNI800 module that allows an attacker to cause a denial of service or make the module unresponsive.

5.0
2022-02-04 CVE-2021-22286 ABB Improper Input Validation vulnerability in ABB Pni800 Firmware and Spiet800 Firmware

Improper Input Validation vulnerability in the ABB SPIET800 and PNI800 module allows an attacker to cause a denial of service or make the module unresponsive.

5.0
2022-02-04 CVE-2021-22288 ABB Improper Input Validation vulnerability in ABB Pni800 Firmware and Spiet800 Firmware

Improper Input Validation vulnerability in the ABB SPIET800 and PNI800 module allows an attacker to cause a denial of service or make the module unresponsive.

5.0
2022-02-04 CVE-2021-38960 IBM Information Exposure vulnerability in IBM products

IBM OPENBMC OP920, OP930, and OP940 could allow an unauthenticated user to obtain sensitive information.

5.0
2022-02-04 CVE-2022-22724 Schneider Electric Resource Exhaustion vulnerability in Schneider-Electric products

A CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service on ports 80 (HTTP) and 502 (Modbus), when sending a large number of TCP RST or FIN packets to any open TCP port of the PLC.

5.0
2022-02-04 CVE-2022-23579 Google Reachable Assertion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

5.0
2022-02-04 CVE-2022-23580 Google Resource Exhaustion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

5.0
2022-02-04 CVE-2022-23581 Google Reachable Assertion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

5.0
2022-02-04 CVE-2022-23590 Google Improper Check for Unusual or Exceptional Conditions vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

5.0
2022-02-04 CVE-2022-23591 Google Resource Exhaustion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

5.0
2022-02-04 CVE-2022-23593 Google Improper Check for Unusual or Exceptional Conditions vulnerability in Google Tensorflow 2.7.0/2.7.1

Tensorflow is an Open Source Machine Learning Framework.

5.0
2022-02-04 CVE-2022-23913 Apache
Netapp
Resource Exhaustion vulnerability in multiple products

In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.

5.0
2022-02-04 CVE-2021-29395 Globalnorthstar Path Traversal vulnerability in Globalnorthstar Northstar Club Management 6.3

Directory traversal in /northstar/filemanager/download.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to download arbitrary files, including JSP source code, across the filesystem of the host of the web application.

5.0
2022-02-04 CVE-2021-29397 Globalnorthstar Cleartext Transmission of Sensitive Information vulnerability in Globalnorthstar Northstar Club Management 6.3

Cleartext Transmission of Sensitive Information in /northstar/Admin/login.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows a remote local user to intercept users' credentials transmitted in cleartext over HTTP.

5.0
2022-02-04 CVE-2021-29398 Globalnorthstar Path Traversal vulnerability in Globalnorthstar Northstar Club Management 6.3

Directory traversal in /northstar/Common/NorthFileManager/fileManagerObjects.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to browse and list the directories across the entire filesystem of the host of the web application.

5.0
2022-02-04 CVE-2021-44977 Idreamsoft Path Traversal vulnerability in Idreamsoft Icms

In iCMS <=8.0.0, a directory traversal vulnerability allows an attacker to read arbitrary files.

5.0
2022-02-04 CVE-2021-44886 Zammad Exposure of Resource to Wrong Sphere vulnerability in Zammad 5.0.2

In Zammad 5.0.2, agents can configure "out of office" periods and substitute persons.

5.0
2022-02-04 CVE-2021-46320 Openzeppelin Improper Initialization vulnerability in Openzeppelin

In OpenZeppelin <=v4.4.0, initializer functions that are invoked separately from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call.

5.0
2022-02-04 CVE-2021-45735 Totolink Cleartext Transmission of Sensitive Information vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to use the HTTP protocol for authentication into the admin interface, allowing attackers to intercept user credentials via packet capture software.

5.0
2022-02-03 CVE-2022-21741 Google Divide By Zero vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

5.0
2022-02-03 CVE-2021-44866 Projectworlds SQL Injection vulnerability in Projectworlds Online Movie Ticket Booking System 1.0

An issue was discovered in Online-Movie-Ticket-Booking-System 1.0.

5.0
2022-02-03 CVE-2022-21733 Google Integer Overflow or Wraparound vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

5.0
2022-02-03 CVE-2022-24121 Unifiedoffice SQL Injection vulnerability in Unifiedoffice Total Connect NOW

SQL Injection vulnerability discovered in Unified Office Total Connect Now that would allow an attacker to extract sensitive information through a cookie parameter.

5.0
2022-02-02 CVE-2021-39021 IBM Information Exposure Through Discrepancy vulnerability in IBM Guardium Data Encryption 5.0.0.2

IBM Guardium Data Encryption (GDE) 5.0.0.2 behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which could facilitate username enumeration.

5.0
2022-02-02 CVE-2021-42633 Printerlogic SQL Injection vulnerability in Printerlogic web Stack 19.1.1.13

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to SQL Injection, which may allow an attacker to access additional audit records.

5.0
2022-02-02 CVE-2021-42641 Printerlogic Exposure of Resource to Wrong Sphere vulnerability in Printerlogic web Stack 19.1.1.13

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to disclose the username and email address of all users.

5.0
2022-02-02 CVE-2021-42642 Printerlogic Cleartext Storage of Sensitive Information vulnerability in Printerlogic web Stack 19.1.1.13

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to disclose the plaintext console username and password for a printer.

5.0
2022-02-02 CVE-2022-22510 Codesys NULL Pointer Dereference vulnerability in Codesys Profinet 4.2.0.0

Codesys Profinet in version V4.2.0.0 is prone to null pointer dereference that allows a denial of service (DoS) attack of an unauthenticated user via SNMP.

5.0
2022-02-01 CVE-2021-44746 NEC Exposure of Resource to Wrong Sphere vulnerability in NEC products

UNIVERGE DT 820 V3.2.7.0 and prior, UNIVERGE DT 830 V5.2.7.0 and prior, UNIVERGE DT 930 V2.4.0.0 and prior, IP Phone Manager V8.9.1 and prior, Data Maintenance Tool for DT900 Series V5.3.0.0 and prior, and Data Maintenance Tool for DT800 Series V4.2.0.0 and prior allow a remote attacker who can access the internal network to obtain the configuration information.

5.0
2022-02-01 CVE-2021-24775 Bplugins Exposure of Resource to Wrong Sphere vulnerability in Bplugins Document Embedder

The Document Embedder WordPress plugin before 1.7.5 contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts.

5.0
2022-02-01 CVE-2021-25093 Link Library Project Missing Authorization vulnerability in Link Library Project Link Library

The Link Library WordPress plugin before 7.2.8 does not have authorisation in place when deleting links, allowing unauthenticated users to delete arbitrary links via a crafted request

5.0
2022-02-01 CVE-2021-41040 Eclipse Out-of-bounds Read vulnerability in Eclipse Wakaama 1.0

In Eclipse Wakaama, ever since its inception until 2021-01-14, the CoAP parsing code does not properly sanitize network-received data.

5.0
2022-02-01 CVE-2021-43859 Xstream Project, Fedoraproject, Debian, Oracle Resource Exhaustion vulnerability in multiple products

XStream is an open source java library to serialize objects to XML and back again.

5.0
2022-02-01 CVE-2022-23596 Junrar Project Infinite Loop vulnerability in Junrar Project Junrar

Junrar is an open source java RAR archive library.

5.0
2022-02-01 CVE-2022-23774 Docker Unspecified vulnerability in Docker Desktop

Docker Desktop before 4.4.4 on Windows allows attackers to move arbitrary files.

5.0
2022-01-31 CVE-2022-21659 Flask Appbuilder Project Information Exposure Through Discrepancy vulnerability in Flask-Appbuilder Project Flask-Appbuilder

Flask-AppBuilder is an application development framework, built on top of the Flask web framework.

5.0
2022-01-31 CVE-2021-46459 Victor CMS Project SQL Injection vulnerability in Victor CMS Project Victor CMS 1.0

Victor CMS v1.0 was discovered to contain multiple SQL injection vulnerabilities in the component admin/users.php?source=add_user.

5.0
2022-01-31 CVE-2021-46458 Victor CMS Project SQL Injection vulnerability in Victor CMS Project Victor CMS 1.0

Victor CMS v1.0 was discovered to contain a SQL injection vulnerability in the component admin/posts.php?source=add_post.

5.0
2022-01-31 CVE-2020-36064 Online Course Registration Project Use of Hard-coded Credentials vulnerability in Online Course Registration Project Online Course Registration 1.0

Online Course Registration v1.0 was discovered to contain hardcoded credentials in the source code which allows attackers access to the control panel if compromised.

5.0
2022-01-31 CVE-2021-46101 Gitforwindows Unspecified vulnerability in Gitforwindows GIT

In Git for Windows through 2.34.1, when using git pull to update the local repository, git.cmd can be run directly.

5.0
2022-02-04 CVE-2018-25029 Silabs Unspecified vulnerability in Silabs products

The Z-Wave specification requires that S2 security can be downgraded to S0 or other less secure protocols, allowing an attacker within radio range during pairing to downgrade and then exploit a different vulnerability (CVE-2013-20003) to intercept and spoof traffic.

4.8
2022-01-31 CVE-2022-23872 Emlog Cross-site Scripting vulnerability in Emlog 1.1.1

Emlog pro v1.1.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /admin/configure.php via the parameter footer_info.

4.8
2022-02-04 CVE-2021-29218 HPE Unquoted Search Path or Element vulnerability in HPE products

A local unquoted search path security vulnerability has been identified in HPE Agentless Management Service for Windows version(s): Prior to 1.44.0.0, 10.96.0.0.

4.6
2022-02-04 CVE-2021-29219 HPE Classic Buffer Overflow vulnerability in HPE products

A potential local buffer overflow vulnerability has been identified in HPE FlexNetwork 5130 EL Switch Series version: Prior to 5130_EI_7.10.R3507P02.

4.6
2022-02-04 CVE-2021-44204 Acronis Unspecified vulnerability in Acronis products

Local privilege escalation via named pipe due to improper access control checks.

4.6
2022-02-04 CVE-2022-24113 Acronis Incorrect Default Permissions vulnerability in Acronis products

Local privilege escalation due to excessive permissions assigned to child processes.

4.6
2022-02-04 CVE-2022-24115 Acronis Improper Verification of Cryptographic Signature vulnerability in Acronis Cyber Protect Home Office and True Image

Local privilege escalation due to unrestricted loading of unsigned libraries.

4.6
2022-02-04 CVE-2021-44903 MSI Unspecified vulnerability in MSI Center PRO 2.0.16.0

Micro-Star International (MSI) Center Pro <= 2.0.16.0 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the atidgllk.sys, atillk64.sys, MODAPI.sys, NTIOLib.sys, NTIOLib_X64.sys, WinRing0.sys, WinRing0x64.sys driver components.

4.6
2022-02-04 CVE-2021-44899 MSI Unspecified vulnerability in MSI Center 1.0.31.0

Micro-Star International (MSI) Center <= 1.0.31.0 is vulnerable to multiple Privilege Escalation vulnerabilities in the atidgllk.sys, atillk64.sys, MODAPI.sys, NTIOLib.sys, NTIOLib_X64.sys, WinRing0.sys, WinRing0x64.sys driver components.

4.6
2022-02-04 CVE-2021-44900 MSI Unspecified vulnerability in MSI APP Player 4.280.1.6309

Micro-Star International (MSI) App Player <= 4.280.1.6309 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the NTIOLib_X64.sys and BstkDrv_msi2.sys driver components.

4.6
2022-02-04 CVE-2021-44901 MSI Unspecified vulnerability in MSI Dragon Center

Micro-Star International (MSI) Dragon Center <= 2.0.116.0 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the atidgllk.sys, atillk64.sys, MODAPI.sys, NTIOLib.sys, NTIOLib_X64.sys, WinRing0.sys, WinRing0x64.sys driver components.

4.6
2022-02-03 CVE-2021-41839 Insyde NULL Pointer Dereference vulnerability in Insyde Insydeh2O

An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O.

4.6
2022-02-03 CVE-2021-42113 Insyde Unspecified vulnerability in Insyde Insydeh2O

An issue was discovered in StorageSecurityCommandDxe in Insyde InsydeH2O with Kernel 5.1 before 05.14.28, Kernel 5.2 before 05.24.28, and Kernel 5.3 before 05.32.25.

4.6
2022-01-31 CVE-2021-23521 Juce Link Following vulnerability in Juce

This affects the package juce-framework/JUCE before 6.1.5.

4.6
2022-02-04 CVE-2020-12891 AMD Uncontrolled Search Path Element vulnerability in AMD Radeon PRO Software and Radeon Software

AMD Radeon Software may be vulnerable to DLL Hijacking through path variable.

4.4
2022-02-04 CVE-2021-44205 Acronis Uncontrolled Search Path Element vulnerability in Acronis Cyber Protect Home Office and True Image

Local privilege escalation due to DLL hijacking vulnerability.

4.4
2022-02-04 CVE-2021-44206 Acronis Uncontrolled Search Path Element vulnerability in Acronis Cyber Protect Home Office and True Image

Local privilege escalation due to DLL hijacking vulnerability in Acronis Media Builder service.

4.4
2022-02-04 CVE-2022-24114 Acronis Race Condition vulnerability in Acronis Cyber Protect Home Office and True Image

Local privilege escalation due to race condition on application startup.

4.4
2022-02-05 CVE-2022-0501 Beanstalk Console Project Cross-site Scripting vulnerability in Beanstalk Console Project Beanstalk Console

Cross-site Scripting (XSS) - Reflected in Packagist ptrofimov/beanstalk_console prior to 1.7.12.

4.3
2022-02-05 CVE-2022-0437 Karma Project Cross-site Scripting vulnerability in Karma Project Karma

Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.

4.3
2022-02-04 CVE-2021-21963 Sealevel Missing Encryption of Sensitive Data vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34

An information disclosure vulnerability exists in the Web Server functionality of Sealevel Systems, Inc.

4.3
2022-02-04 CVE-2021-21971 Sealevel Out-of-bounds Write vulnerability in Sealevel Seaconnect 370W Firmware 1.3.34

An out-of-bounds write vulnerability exists in the URL_decode functionality of Sealevel Systems, Inc.

4.3
2022-02-04 CVE-2021-32732 Xwiki Cross-Site Request Forgery (CSRF) vulnerability in Xwiki

It's possible to know whether a user has an account in a wiki related to an email address, and which username(s) are actually tied to that email, by forging a request to the Forgot username page.

4.3
2022-02-04 CVE-2021-40403 Gerbv Project, Fedoraproject Missing Initialization of Resource vulnerability in multiple products

An information disclosure vulnerability exists in the pick-and-place rotation parsing functionality of Gerbv 2.7.0 and dev (commit b5f1eacd), and Gerbv forked 2.8.0.

4.3
2022-02-04 CVE-2021-4043 Gpac NULL Pointer Dereference vulnerability in Gpac

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 1.1.0.

4.3
2022-02-04 CVE-2022-0218 Codemiq Cross-site Scripting vulnerability in Codemiq Wordpress Email Template Designer

The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9.

4.3
2022-02-04 CVE-2022-0380 Fotobook Project Cross-site Scripting vulnerability in Fotobook Project Fotobook

The Fotobook WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping and the use of $_SERVER['PHP_SELF'] found in the ~/options-fotobook.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 3.2.3.

4.3
2022-02-04 CVE-2022-0381 Embed Swagger Project Cross-site Scripting vulnerability in Embed Swagger Project Embed Swagger 1.0.0

The Embed Swagger WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping/sanitization and validation via the url parameter found in the ~/swagger-iframe.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 1.0.0.

4.3
2022-02-04 CVE-2022-23980 YET Another Stars Rating Project Cross-site Scripting vulnerability in YET Another Stars Rating Project YET Another Stars Rating

Cross-Site Scripting (XSS) vulnerability discovered in Yasr – Yet Another Stars Rating WordPress plugin (versions <= 2.9.9), vulnerable at parameter 'source'.

4.3
2022-02-04 CVE-2021-45429 Virustotal Classic Buffer Overflow vulnerability in Virustotal Yara

A Buffer Overflow vulnerability exists in VirusTotal YARA git commit: 605b2edf07ed8eb9a2c61ba22eb2e7c362f47ba7 via yr_set_configuration in yara/libyara/libyara.c, which could cause a Denial of Service.

4.3
2022-02-04 CVE-2022-24249 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A Null Pointer Dereference vulnerability exists in GPAC 1.1.0 via the xtra_box_write function in /box_code_base.c, which causes a Denial of Service.

4.3
2022-02-04 CVE-2021-43635 Codex Project Cross-site Scripting vulnerability in Codex Project Codex

A Cross Site Scripting (XSS) vulnerability exists in Codex before 1.4.0 via Notebook/Page name field, which allows malicious users to execute arbitrary code via a crafted http code in a .json file.

4.3
2022-02-02 CVE-2022-0432 Joinmastodon Unspecified vulnerability in Joinmastodon Mastodon

Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.

4.3
2022-02-02 CVE-2021-42639 Printerlogic Cross-site Scripting vulnerability in Printerlogic web Stack 19.1.1.13

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to multiple reflected cross site scripting vulnerabilities.

4.3
2022-02-02 CVE-2021-43062 Fortinet Cross-site Scripting vulnerability in Fortinet Fortimail

An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiMail version 7.0.1 and 7.0.0, version 6.4.5 and below, version 6.3.7 and below, version 6.0.11 and below allows an attacker to execute unauthorized code or commands via crafted HTTP GET requests to the FortiGuard URI protection service.

4.3
2022-02-01 CVE-2022-24196 Itextpdf Allocation of Resources Without Limits or Throttling vulnerability in Itextpdf Itext

iText v7.1.17 was discovered to contain an out-of-memory error via the component readStreamBytesRaw, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

4.3
2022-02-01 CVE-2022-24197 Itextpdf Out-of-bounds Write vulnerability in Itextpdf Itext

iText v7.1.17 was discovered to contain a stack-based buffer overflow via the component ByteBuffer.append, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

4.3
2022-02-01 CVE-2021-38560 Ivanti Cross-site Scripting vulnerability in Ivanti Service Manager 2021.1

Ivanti Service Manager 2021.1 allows reflected XSS via the appName parameter associated with ConfigDB calls, such as in RelocateAttachments.aspx.

4.3
2022-02-01 CVE-2021-24648 Metagauss Cross-site Scripting vulnerability in Metagauss Registrationmagic

The RegistrationMagic WordPress plugin before 5.0.1.9 does not sanitise and escape the rm_search_value parameter before outputting back in an attribute, leading to a Reflected Cross-Site Scripting

4.3
2022-02-01 CVE-2021-24764 Getperfectsurvey Cross-site Scripting vulnerability in Getperfectsurvey Perfect Survey

The Perfect Survey WordPress plugin before 1.5.2 does not sanitise and escape multiple parameters (id and filters[session_id] of single_statistics page, type and message of importexport page) before outputting them back in pages/attributes in the admin dashboard, leading to Reflected Cross-Site Scripting issues

4.3
2022-02-01 CVE-2021-24765 Getperfectsurvey Cross-site Scripting vulnerability in Getperfectsurvey Perfect Survey

The Perfect Survey WordPress plugin through 1.5.2 does not validate and escape the X-Forwarded-For header value before outputting it in the statistic page when the Anonymize IP setting of a survey is turned off, leading to a Stored Cross-Site Scripting issue

4.3
2022-02-01 CVE-2021-24926 Domaincheckplugin Cross-site Scripting vulnerability in Domaincheckplugin Domain Check

The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue

4.3
2022-02-01 CVE-2021-24934 Yellowpencil Cross-site Scripting vulnerability in Yellowpencil Visual CSS Style Editor

The Visual CSS Style Editor WordPress plugin before 7.5.4 does not sanitise and escape the wyp_page_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue

4.3
2022-02-01 CVE-2021-24937 Asset Cleanup Cross-site Scripting vulnerability in Asset Cleanup: Page Speed Booster Project Asset Cleanup: Page Speed Booster

The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not escape the wpacu_selected_sub_tab_area parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue

4.3
2022-02-01 CVE-2021-24975 Nextscripts Cross-site Scripting vulnerability in Nextscripts Social Networks Auto Poster

The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.24 does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue

4.3
2022-02-01 CVE-2021-24983 Asset Cleanup Cross-site Scripting vulnerability in Asset Cleanup: Page Speed Booster Project Asset Cleanup: Page Speed Booster

The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not sanitise and escape POSTed parameters sent to the wpassetcleanup_fetch_active_plugins_icons AJAX action (available to admin users), leading to a Reflected Cross-Site Scripting issue

4.3
2022-02-01 CVE-2021-25063 Cf7Skins Cross-site Scripting vulnerability in Cf7Skins Contact Form 7 Skins 2.5.0

The Skins for Contact Form 7 WordPress plugin before 2.5.1 does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

4.3
2022-02-01 CVE-2021-25072 Nextscripts Cross-Site Request Forgery (CSRF) vulnerability in Nextscripts Social Networks Auto Poster

The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.25 does not have CSRF check in place when deleting items, allowing attacker to make a logged in admin delete arbitrary posts via a CSRF attack

4.3
2022-02-01 CVE-2021-25085 Pluginus Cross-site Scripting vulnerability in Pluginus Woocommerce products Filter

The WOOF WordPress plugin before 1.2.6.3 does not sanitise and escape the woof_redraw_elements before outputting back in an admin page, leading to a Reflected Cross-Site Scripting

4.3
2022-02-01 CVE-2021-25089 Updraftplus Cross-site Scripting vulnerability in Updraftplus

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.69 does not sanitise and escape the updraft_restore parameter before outputting it back in the Restore page, leading to a Reflected Cross-Site Scripting

4.3
2022-02-01 CVE-2021-25091 Link Library Project Cross-site Scripting vulnerability in Link Library Project Link Library

The Link Library WordPress plugin before 7.2.9 does not sanitise and escape the settingscopy parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

4.3
2022-02-01 CVE-2021-25092 Link Library Project Cross-Site Request Forgery (CSRF) vulnerability in Link Library Project Link Library

The Link Library WordPress plugin before 7.2.8 does not have CSRF check when resetting library settings, allowing attackers to make a logged in admin reset arbitrary settings via a CSRF attack

4.3
2022-02-01 CVE-2021-43848 Dena Use of Uninitialized Resource vulnerability in Dena H2O

h2o is an open source http server.

4.3
2022-02-01 CVE-2021-45416 Rosariosis Cross-site Scripting vulnerability in Rosariosis 8.2.1

Reflected Cross-site scripting (XSS) vulnerability in RosarioSIS 8.2.1 allows attackers to inject arbitrary HTML via the search_term parameter in the modules/Scheduling/Courses.php script.

4.3
2022-02-01 CVE-2022-0220 Welaunch Cross-site Scripting vulnerability in Welaunch Wordpress Gdpr&Ccpa

The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type.

4.3
2022-02-01 CVE-2022-21687 Github Improper Input Validation vulnerability in Github Gh-Ost

gh-ost is a triggerless online schema migration solution for MySQL.

4.3
2022-02-01 CVE-2022-0419 Radare, Fedoraproject NULL Pointer Dereference vulnerability in multiple products

NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.0.

4.3
2022-02-01 CVE-2022-23603 Itunesrpc Remastered Project Cross-site Scripting vulnerability in Itunesrpc-Remastered Project Itunesrpc-Remastered

iTunesRPC-Remastered is a discord rich presence application for use with iTunes & Apple Music.

4.3
2022-02-01 CVE-2022-23607 Twistedmatrix, Debian Information Exposure vulnerability in multiple products

treq is an HTTP library inspired by requests but written on top of Twisted's Agents.

4.3
2022-01-31 CVE-2022-0414 Dolibarr Business Logic Errors vulnerability in Dolibarr Erp/Crm

Business Logic Errors in Packagist dolibarr/dolibarr prior to 16.0.

4.3
2022-02-04 CVE-2021-38130 Microfocus Exposure of Resource to Wrong Sphere vulnerability in Microfocus Voltage Securemail

A potential Information leakage vulnerability has been identified in versions of Micro Focus Voltage SecureMail Mail Relay prior to 7.3.0.1.

4.0
2022-02-04 CVE-2022-0227 Silverstripe Business Logic Errors vulnerability in Silverstripe

Business Logic Errors in GitHub repository silverstripe/silverstripe-framework prior to 4.10.1.

4.0
2022-02-04 CVE-2022-22726 Schneider Electric Improper Input Validation vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert

A CWE-20: Improper Input Validation vulnerability exists that could allow arbitrary files on the server to be read by authenticated users through a limited operating system service account.

4.0
2022-02-04 CVE-2022-22939 Vmware Information Exposure Through Log Files vulnerability in VMWare Cloud Foundation

VMware Cloud Foundation contains an information disclosure vulnerability due to logging of credentials in plain-text within multiple log files on the SDDC Manager.

4.0
2022-02-04 CVE-2022-23557 Google Divide By Zero vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23564 Google Reachable Assertion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23565 Google Reachable Assertion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23570 Google Reachable Assertion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23571 Google Reachable Assertion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23572 Google Improper Check for Unusual or Exceptional Conditions vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23575 Google Integer Overflow or Wraparound vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23576 Google Integer Overflow or Wraparound vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23577 Google NULL Pointer Dereference vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23578 Google Memory Leak vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23582 Google Reachable Assertion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23583 Google Reachable Assertion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23584 Google Use After Free vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23585 Google Memory Leak vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23586 Google Reachable Assertion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23588 Google Reachable Assertion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23589 Google NULL Pointer Dereference vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-23595 Google NULL Pointer Dereference vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-04 CVE-2022-24348 Linuxfoundation Path Traversal vulnerability in Linuxfoundation Argo-Cd

Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go.

4.0
2022-02-04 CVE-2021-29394 Globalnorthstar Incorrect Authorization vulnerability in Globalnorthstar Northstar Club Management 6.3

Account Hijacking in /northstar/Admin/changePassword.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote authenticated users to change the password of any targeted user accounts via lack of proper authorization in the user-controlled "userID" parameter of the HTTP POST request.

4.0
2022-02-04 CVE-2021-44983 Taogogo Files or Directories Accessible to External Parties vulnerability in Taogogo Taocms 3.0.1

In taocms 3.0.1 after logging in to the background, there is an Arbitrary file download vulnerability at the File Management column.

4.0
2022-02-04 CVE-2022-23316 Taogogo Files or Directories Accessible to External Parties vulnerability in Taogogo Taocms 3.0.2

An issue was discovered in taoCMS v3.0.2.

4.0
2022-02-03 CVE-2022-21737 Google Improper Check for Unusual or Exceptional Conditions vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-03 CVE-2022-21738 Google Integer Overflow or Wraparound vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-03 CVE-2022-21739 Google NULL Pointer Dereference vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-03 CVE-2022-21725 Google Divide By Zero vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-03 CVE-2022-21729 Google Integer Overflow or Wraparound vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-03 CVE-2022-21734 Google Type Confusion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-03 CVE-2022-21735 Google Divide By Zero vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-03 CVE-2022-23569 Google Reachable Assertion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-03 CVE-2022-21731 Google Type Confusion vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-03 CVE-2022-21732 Google Allocation of Resources Without Limits or Throttling vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-03 CVE-2022-21736 Google NULL Pointer Dereference vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-03 CVE-2022-23567 Google Integer Overflow or Wraparound vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-03 CVE-2022-23568 Google Integer Overflow or Wraparound vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

4.0
2022-02-01 CVE-2021-44451 Apache Insufficiently Protected Credentials vulnerability in Apache Superset

Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users.

4.0
2022-02-01 CVE-2021-24868 Bplugins Exposure of Resource to Wrong Sphere vulnerability in Bplugins Document Embedder

The Document Embedder WordPress plugin before 1.7.9 contains an AJAX action endpoint, which could allow any authenticated user, such as a subscriber, to enumerate the title of arbitrary private and draft posts.

4.0
2022-02-01 CVE-2021-41571 Apache Improper Input Validation vulnerability in Apache Pulsar

In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user.

4.0
2022-01-31 CVE-2021-40042 Huawei Release of Invalid Pointer or Reference vulnerability in Huawei products

There is a release of invalid pointer vulnerability in some Huawei products. A successful exploit may cause the process and service to behave abnormally.

4.0
2022-01-31 CVE-2022-23409 Ethercreative Path Traversal vulnerability in Ethercreative Logs

The Logs plugin before 3.0.4 for Craft CMS allows remote attackers to read arbitrary files via input to actionStream in Controller.php.

4.0

33 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-02-04 CVE-2022-23805 Trendmicro Out-of-bounds Read vulnerability in Trendmicro Worry-Free Business Security 10.0

A security out-of-bounds read information disclosure vulnerability in Trend Micro Worry-Free Business Security Server could allow a local attacker to send garbage data to a specific named pipe and crash the server.

3.6
2022-02-06 CVE-2022-0502 Livehelperchat Cross-site Scripting vulnerability in Livehelperchat Live Helper Chat

Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.

3.5
2022-02-04 CVE-2021-43841 Xwiki Cross-site Scripting vulnerability in Xwiki

XWiki is a generic wiki platform offering runtime services for applications built on top of it.

3.5
2022-02-04 CVE-2022-0472 Laracom Project Unrestricted Upload of File with Dangerous Type vulnerability in Laracom Project Laracom

Unrestricted Upload of File with Dangerous Type in Packagist jsdecena/laracom prior to v2.0.9.

3.5
2022-02-04 CVE-2022-22804 Schneider Electric Cross-site Scripting vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow an authenticated attacker to view data, change settings, or impact availability of the software when the user visits a page containing the injected payload.

3.5
2022-02-04 CVE-2022-23600 Fleetdm Improper Authentication vulnerability in Fleetdm Fleet

fleet is an open source device management, built on osquery.

3.5
2022-02-03 CVE-2022-23871 Gibbonedu Cross-site Scripting vulnerability in Gibbonedu Gibbon 22.0.01

Multiple cross-site scripting (XSS) vulnerabilities in the component outcomes_addProcess.php of Gibbon CMS v22.0.01 allow attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the name, category, description parameters.

3.5
2022-02-01 CVE-2021-24686 SVG Support Project Cross-site Scripting vulnerability in SVG Support Project SVG Support

The SVG Support WordPress plugin before 2.3.20 does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

3.5
2022-02-01 CVE-2021-24707 ND Learning Project Cross-site Scripting vulnerability in Nd-Learning Project Nd-Learning

The Learning Courses WordPress plugin before 5.0 does not sanitise and escape the Email PDT identity token settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

3.5
2022-02-01 CVE-2021-24900 Wpmanageninja Cross-site Scripting vulnerability in Wpmanageninja Ninja Tables

The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

3.5
2022-02-01 CVE-2021-24944 Cusmin Cross-site Scripting vulnerability in Cusmin Absolutely Glamorous Custom Admin

The Custom Dashboard & Login Page WordPress plugin before 7.0 does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

3.5
2022-02-01 CVE-2021-46253 Anchorcms Cross-site Scripting vulnerability in Anchorcms Anchor CMS 0.12.7

A cross-site scripting (XSS) vulnerability in the Create Post function of Anchor CMS v0.12.7 allows attackers to execute arbitrary web scripts or HTML.

3.5
2022-02-01 CVE-2020-8562 Kubernetes Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Kubernetes

As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers.

3.5
2022-01-31 CVE-2021-44114 Stock Management System Project Cross-site Scripting vulnerability in Stock Management System Project Stock Management System 1.0

A Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Stock Management System in PHP/OOP 1.0, which allows remote malicious users to achieve arbitrary remote code execution via the create user function.

3.5
2022-02-04 CVE-2022-23563 Google Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Google Tensorflow

Tensorflow is an Open Source Machine Learning Framework.

3.3
2022-02-02 CVE-2021-36177 Fortinet Unspecified vulnerability in Fortinet Fortiauthenticator

An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6.3.2 and below, 6.2.x, 6.1.x, 6.0.x may allow an attacker on the same VLAN as the HA management interface to make an unauthenticated direct connection to the FAC's database.

3.3
2022-01-31 CVE-2022-24130 Invisible Island, Debian, Fedoraproject Classic Buffer Overflow vulnerability in multiple products

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

2.6
2022-02-04 CVE-2021-36151 Apache Information Exposure vulnerability in Apache Gobblin

In Apache Gobblin, the Hadoop token is written to a temp file that is visible to all local users on Unix-like systems.

2.1
2022-02-04 CVE-2022-0317 Google Improper Input Validation vulnerability in Google Go-Attestation

An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency.

2.1
2022-02-04 CVE-2022-0487 Linux, Redhat, Debian Use After Free vulnerability in multiple products

A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel.

2.1
2022-02-04 CVE-2022-23594 Google Out-of-bounds Write vulnerability in Google Tensorflow 2.7.0

Tensorflow is an Open Source Machine Learning Framework.

2.1
2022-02-04 CVE-2022-23605 Wire Improper Cross-boundary Removal of Sensitive Data vulnerability in Wire Wire-Webapp

Wire webapp is a web client for the wire messaging protocol.

2.1
2022-02-01 CVE-2021-46661 Mariadb, Fedoraproject

MariaDB through 10.5.9 allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE).

2.1
2022-02-01 CVE-2021-46662 Mariadb Unspecified vulnerability in Mariadb

MariaDB through 10.5.9 allows a set_var.cc application crash via certain uses of an UPDATE statement in conjunction with a nested subquery.

2.1
2022-02-01 CVE-2021-46663 Mariadb, Fedoraproject

MariaDB through 10.5.13 allows a ha_maria::extra application crash via certain SELECT statements.

2.1
2022-02-01 CVE-2021-46664 Mariadb, Fedoraproject NULL Pointer Dereference vulnerability in multiple products

MariaDB through 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr.

2.1
2022-02-01 CVE-2021-46665 Mariadb, Fedoraproject

MariaDB through 10.5.9 allows a sql_parse.cc application crash because of incorrect used_tables expectations.

2.1
2022-02-01 CVE-2021-46666 Mariadb Reachable Assertion vulnerability in Mariadb

MariaDB before 10.6.2 allows an application crash because of mishandling of a pushdown from a HAVING clause to a WHERE clause.

2.1
2022-02-01 CVE-2021-46667 Mariadb, Fedoraproject Integer Overflow or Wraparound vulnerability in multiple products

MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an application crash.

2.1
2022-02-01 CVE-2021-46668 Mariadb, Fedoraproject Resource Exhaustion vulnerability in multiple products

MariaDB through 10.5.9 allows an application crash via certain long SELECT DISTINCT statements that improperly interact with storage-engine resource limitations for temporary data structures.

2.1
2022-01-31 CVE-2021-40033 Huawei Unspecified vulnerability in Huawei products

There is an information exposure vulnerability on several Huawei Products.

2.1
2022-01-31 CVE-2022-0286 Linux NULL Pointer Dereference vulnerability in Linux Kernel

A flaw was found in the Linux kernel.

2.1
2022-02-04 CVE-2022-24448 Linux, Debian Missing Initialization of Resource vulnerability in multiple products

An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5.

1.9